Applies To:
BIG-IP AAM
- 14.1.2
BIG-IP APM
- 14.1.2
BIG-IP Analytics
- 14.1.2
BIG-IP Link Controller
- 14.1.2
BIG-IP LTM
- 14.1.2
BIG-IP PEM
- 14.1.2
BIG-IP AFM
- 14.1.2
BIG-IP FPS
- 14.1.2
BIG-IP DNS
- 14.1.2
BIG-IP ASM
- 14.1.2
BIG-IP Release Information
Version: 14.1.2.5
Build: 3.0
BIG-IP version 14.1.2.5 contains all the fixes from v14.1.2.4, without the issue that necessitated replacement of the v14.1.2.4 release.
Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Known Issues in BIG-IP v14.1.x
Functional Change Fixes
None
Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
866013 | CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 | K78234183 | Linux Kernel Vulnerabilities: CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 |
852445-3 | CVE-2019-6477 | K15840535 | Big-IP : CVE-2019-6477 BIND Vulnerability |
839453-4 | CVE-2019-10744 | K47105354 | lodash library vulnerability CVE-2019-10744 |
838677-3 | CVE-2019-10744 | K47105354 | lodash library vulnerability CVE-2019-10744 |
830401-3 | CVE-2020-5877 | K54200228 | TMM may crash while processing TCP traffic with iRules |
819197-4 | CVE-2019-13135 | K20336394 | BIGIP: CVE-2019-13135 ImageMagick vulnerability |
819189-3 | CVE-2019-13136 | K03512441 | BIGIP: CVE-2019-13136 ImageMagick vulnerability |
805837-2 | CVE-2019-6657 | K22441651 | REST does not follow current design best practices |
802261-2 | CVE-2020-5875 | K65372933 | TMM may crash while processing SSL traffic via an HTTP/2 full-proxy |
794561-1 | CVE-2020-5874 | K46901953 | TMM may crash while processing JWT/OpenID traffic. |
780601-2 | CVE-2020-5873 | K03585731 | SCP file transfer hardening |
769589-2 | CVE-2019-6974 | K11186236 | CVE-2019-6974: Linux Kernel Vulnerability |
767373-1 | CVE-2019-8331 | K24383845 | CVE-2019-8331: Bootstrap Vulnerability |
762453-2 | CVE-2020-5872 | K63558580 | Hardware cryptography acceleration may fail |
745377-1 | CVE-2020-5871 | K43450419 | TMM cores in certain scenarios with HTTP virtual server |
739971 | CVE-2018-5391 | K95343321 | Linux kernel vulnerability: CVE-2018-5391 |
873469-1 | CVE-2020-5889 | K24415506 | APM Portal Access: Base URL may be set incorrectly |
864109-3 | CVE-2020-5889 | K24415506 | APM Portal Access: Base URL may be set incorrectly |
838881-3 | CVE-2020-5853 | K73183618 | APM Portal Access Vulnerability: CVE-2020-5853 |
832021-1 | CVE-2020-5888 | K73274382 | Port lockdown settings may not be enforced as configured |
832017-1 | CVE-2020-5887 | K10251014 | Port lockdown settings may not be enforced as configured |
829121-3 | CVE-2020-5886 | K65720640 | State mirroring default does not require TLS |
829117-3 | CVE-2020-5885 | K17663061 | State mirroring default does not require TLS |
810537-2 | CVE-2020-5883 | K12234501 | TMM may consume excessive resources while processing iRules |
805557-2 | CVE-2020-5882 | K43815022 | TMM may crash while processing crypto data |
789921-2 | CVE-2020-5881 | K03386032 | TMM may restart while processing VLAN traffic |
775833-2 | CVE-2020-5880 | K94325657 | Administrative file transfer may lead to excessive resource consumption |
887637-1 | CVE-2019-3815 | K22040951 | Systemd-journald Vulnerability: CVE-2019-3815 |
868097-1 | CVE-2020-5891 | K58494243 | TMM may crash while processing HTTP/2 traffic |
823893-2 | CVE-2020-5890 | K03318649 | Qkview may fail to completely sanitize LDAP bind credentials |
748122-1 | CVE-2018-15333 | K53620021 | BIG-IP Vulnerability CVE-2018-15333 |
746091-1 | CVE-2019-19151 | K21711352 | TMSH Vulnerability: CVE-2019-19151 |
760723-2 | CVE-2015-4037 | K64765350 | Qemu Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
870389-1 | 3-Major | Increase size of /var logical volume to 1.5 GiB for LTM-only VE images | |
859089-5 | 3-Major | TMSH allows SFTP utility access | |
858229-3 | 3-Major | XML with sensitive data gets to the ICAP server | |
837837-3 | 3-Major | SSH Client Requirements Hardening | |
738330-3 | 3-Major | /mgmt/toc endpoint issue after configuring remote authentication |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
872673-3 | 2-Critical | TMM can crash when processing SCTP traffic | |
819009-3 | 2-Critical | Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol. | |
814953-3 | 2-Critical | TMUI dashboard hardening | |
792285-2 | 2-Critical | TMM crashes if the queuing message to all HSL pool members fails | |
777993-2 | 2-Critical | Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same | |
775897-1 | 2-Critical | High Availability failover restarts tmipsecd when tmm connections are closed | |
769169-3 | 2-Critical | BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring | |
767689-1 | 2-Critical | F5optics_install using different versions of RPM★ | |
749388-3 | 2-Critical | 'table delete' iRule command can cause TMM to crash | |
748205-3 | 2-Critical | SSD bay identification incorrect for RAID drive replacement★ | |
699515-2 | 2-Critical | nsm cores during update of nexthop for ECMP recursive route | |
882557-4 | 3-Major | TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) | |
873877 | 3-Major | Kernel page allocation failure seen on VIPRION B2250 Blade★ | |
866925-3 | 3-Major | The TMM pages used and available can be viewed in the F5 system stats MIB | |
852001-3 | 3-Major | High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously | |
849405-1 | 3-Major | LTM v14.1.2.1 does not log after upgrade★ | |
842125-4 | 3-Major | Unable to reconnect outgoing SCTP connections that have previously aborted | |
812981-4 | 3-Major | MCPD: memory leak on standby BIG-IP device | |
811789-2 | 3-Major | Device trust UI hardening | |
810957-2 | 3-Major | Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core | |
802281-1 | 3-Major | Gossip shows active even when devices are missing | |
800185-4 | 3-Major | Saving a large encrypted UCS archive may fail and might trigger failover | |
795685-2 | 3-Major | Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer | |
772117-3 | 3-Major | Overwriting FIPS keys from the HA peer with older config leads to abandoned key on FIPS card | |
759735-2 | 3-Major | OSPF ASE route calculation for new external-LSA delayed | |
759172-1 | 3-Major | Read Access Denied: user (gu, guest) type (Certificate Order Manager) | |
758387-2 | 3-Major | BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it | |
751573-1 | 3-Major | Updates to HSL pool members may not take effect | |
749785-2 | 3-Major | nsm can become unresponsive when processing recursive routes | |
749690-1 | 3-Major | MOS_Image2Disk_Installation- kjournald service error★ | |
746861-1 | 3-Major | SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★ | |
641450-7 | 3-Major | K30053855 | A transaction that deletes and recreates a virtual may result in an invalid configuration |
755317-1 | 4-Minor | /var/log logical volume may run out of space due to agetty error message in /var/log/secure |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
715032-2 | 1-Blocking | iRulesLX Hardening | |
868349-3 | 2-Critical | TMM may crash while processing iRules with MQTT commands | |
860881-1 | 2-Critical | TMM can crash when handling a compressed response from HTTP server | |
853329-4 | 2-Critical | HTTP explicit proxy can crash TMM when used with classification profile | |
839401-3 | 2-Critical | Moving a virtual-address from one floating traffic-group to another does not send GARPs out. | |
831325-2 | 2-Critical | K10701310 | HTTP PSM detects more issues with Transfer-Encoding headers |
799649-2 | 2-Critical | TMM crash | |
757391-2 | 2-Critical | Datagroup iRule command class can lead to memory corruption | |
755134-1 | 2-Critical | HTTP/2 connections may leak memory if server-side connection not established | |
879025-4 | 3-Major | When processing server-side TLS traffic, LTM may not enforce certificate chain restrictions | |
868889 | 3-Major | BIG-IP may reset a stream with an empty DATA frame as END_STREAM | |
853613-2 | 3-Major | Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp | |
851789-3 | 3-Major | SSL monitors flap with client certs with private key stored in FIPS | |
848405-4 | 3-Major | TMM may consume excessive resources while processing compressed HTTP traffic | |
847325-1 | 3-Major | Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior. | |
843105-1 | 3-Major | Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP) | |
834257-3 | 3-Major | TMM may crash when processing HTTP traffic | |
809729-2 | 3-Major | When HTTP/2 stream is reset by a client, BIG-IP may not respond properly | |
795261-2 | 3-Major | LTM policy does not properly evaluate condition when an operand is missing | |
788741-2 | 3-Major | TMM cores in the MQTT proxy under rare conditions | |
777269-1 | 3-Major | Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup | |
770477-2 | 3-Major | SSL aborted when client_hello includes both renegotiation info extension and SCSV | |
761030-2 | 3-Major | tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route | |
758631-4 | 3-Major | ec_point_formats extension might be included in the server hello even if not specified in the client hello | |
757827-1 | 3-Major | Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution | |
755997-2 | 3-Major | Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address | |
755727-2 | 3-Major | Ephemeral pool members not created after DNS flap and address record changes | |
755213-1 | 3-Major | TMM cores in certain scenarios with HTTP/2 virtual server | |
751052-1 | 3-Major | HTTP iRule event HTTP_REJECT broken | |
746078-1 | 3-Major | Upgrades break existing iRulesLX workspaces that use node version 6 | |
745923-2 | 3-Major | Connection flow collision can cause packets to be sent with source and/or destination port 0 | |
743257-3 | 3-Major | Fix block size insecurity init and assign | |
705112-4 | 3-Major | DHCP server flows are not re-established after expiration | |
636842-2 | 3-Major | K51472519 | A FastL4 virtual server may drop a FIN packet when mirroring is enabled |
601189-4 | 3-Major | The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode | |
599567-4 | 3-Major | APM assumes SNAT automap, does not use SNAT pool | |
859113-3 | 4-Minor | Using "reject" iRules command inside "after" may cause core | |
852373-2 | 4-Minor | HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error | |
830833-2 | 4-Minor | HTTP PSM blocking resets should have better log messages | |
760683-1 | 4-Minor | RST from non-floating self-ip may use floating self-ip source mac-address | |
757777-3 | 4-Minor | bigtcp does not issue a RST in all circumstances | |
746077-4 | 4-Minor | If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
807177-2 | 2-Critical | HTTPS monitoring is not caching SSL sessions correctly | |
704198-4 | 2-Critical | K29403988 | Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance |
802961-2 | 3-Major | The 'any-available' prober selection is not as random as in earlier versions | |
772233-4 | 3-Major | IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV. | |
754901-1 | 3-Major | Frequent zone update notifications may cause TMM to restart | |
750213-4 | 3-Major | K25351434 | DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. |
744280-2 | 4-Minor | Enabling or disabling a Distributed Application results in a small memory leak |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
858025-3 | 2-Critical | Proactive Bot Defense does not validate redirected paths | |
852437-1 | 2-Critical | K25037027 | Overly aggressive file cleanup causes failed ASU installation |
883717-3 | 3-Major | BD crash on specific server cookie scenario | |
882377-1 | 3-Major | ASM Application Security Editor Role User can update/install ASU | |
871905-1 | 3-Major | Incorrect masking of parameters in event log | |
854177-3 | 3-Major | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality | |
850673-3 | 3-Major | BD sends bad acks to the bd_agent for configuration | |
681010-3 | 3-Major | K33572148 | 'Referer' is not masked when 'Query String' contains sensitive parameter |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
838709-1 | 2-Critical | Enabling DoS stats also enables page-load-time | |
828937-3 | 2-Critical | K45725467 | Some systems can experience periodic high IO wait due to AVR data aggregation |
870957-1 | 3-Major | "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage | |
863161-3 | 3-Major | Scheduled reports are sent via TLS even if configured as non encrypted | |
835381-1 | 3-Major | HTTP custom analytics profile 'not found' when default profile is modified | |
830073-3 | 3-Major | AVRD may core when restarting due to data collection device connection timeout | |
817649-2 | 3-Major | AVR statistics for NAT cannot be shown on multi-bladed machine | |
865053-1 | 4-Minor | AVRD core due to a try to load vip lookup when AVRD is down | |
863069-3 | 4-Minor | Avrmail timeout is too small |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
879401-3 | 2-Critical | Memory corruption during APM SAML SSO | |
871761-4 | 2-Critical | Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS | |
858349-1 | 2-Critical | TMM may crash while processing SAML SLO traffic | |
788593-2 | 2-Critical | K43404365 | APM logs may contain additional data |
884797-2 | 3-Major | Portal Access: in some cases data is not delivered via WebSocket connection | |
866685-3 | 3-Major | Empty HSTS headers when HSTS mode for HTTP profile is disabled | |
866161-3 | 3-Major | Client port reuse causes RST when the security service attempts server connection reuse. | |
852313-2 | 3-Major | VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured | |
832569-2 | 3-Major | APM end-user connection reset | |
831781-5 | 3-Major | AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode | |
798261-2 | 3-Major | APMD fails to create session variables if spanning is enabled on SWG transparent virtual server | |
771905-2 | 3-Major | JWT token rejected due to unknown JOSE header parameters | |
768025-4 | 3-Major | SAML requests/responses fail with "failed to find certificate" | |
749036-2 | 3-Major | Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM | |
747725-3 | 3-Major | Kerberos Auth agent may override settings that were manually made to krb5.conf | |
747624-2 | 3-Major | RADIUS Authentication over RSA SecureID is not working in challenge mode |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
811105-1 | 2-Critical | MRF SIP-ALG drops SIP 183 and 200 OK messages | |
781725-2 | 2-Critical | BIG-IP systems might not complete a short ICAP request with a body beyond the preview | |
882273 | 3-Major | MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage growth | |
876077-3 | 3-Major | MRF DIAMETER: stale pending retransmission entries may not be cleaned up | |
868381-3 | 3-Major | MRF DIAMETER: Retransmission queue unable to delete stale entries | |
866021-3 | 3-Major | Diameter Mirror connection lost on the standby due to "process ingress error" | |
853545-3 | 3-Major | MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event | |
824149-3 | 3-Major | SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured | |
815877-1 | 3-Major | Information Elements with zero-length value are rejected by the GTP parser | |
811033-2 | 3-Major | MRF: BiDirectional persistence does not work in reverse direction if different transport protocols are used | |
788093 | 3-Major | MRF iRule command MR::restore with no argument causes tmm to crash | |
859721-3 | 4-Minor | Using GENERICMESSAGE create together with reject inside periodic after may cause core | |
836357-3 | 4-Minor | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 | |
788005-2 | 4-Minor | Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP) |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
778869-3 | 2-Critical | K72423000 | ACLs and other AFM features (e.g., IPI) may not function as designed |
751292-1 | 2-Critical | mcpd core after changing parent netflow to use version9 | |
852289-2 | 3-Major | DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector | |
771173-3 | 3-Major | FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★ |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
857725 | 3-Major | Anti-Fraud/DataSafe Logging Settings page not found |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
761199-1 | 2-Critical | Wr_urldbd might crash while system is in a restarting loop. | |
816529-2 | 3-Major | If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart. |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
839597-4 | 3-Major | Restjavad fails to start if provision.extramb has large value | |
837773-2 | 3-Major | Restjavad Storage and Configuration Hardening | |
815649-1 | 3-Major | Named.config entry getting overwritten on SSL Orchestrator deployment |
Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
846365-3 | CVE-2020-5878 | K35750231 | TMM may crash while processing IP traffic |
818709-2 | CVE-2020-5858 | K36814487 | TMSH does not follow current best practices |
818429-4 | CVE-2020-5857 | K70275209 | TMM may crash while processing HTTP traffic |
808301-2 | CVE-2019-6678 | K04897373 | TMM may crash while processing IP traffic |
757357-3 | CVE-2019-6676 | K92002212 | TMM may crash while processing traffic |
782529-2 | CVE-2019-6685 | K30215839 | iRules does not follow current design best practices |
761144-4 | CVE-2019-6684 | K95117754 | Broadcast frames may be dropped |
761112-3 | CVE-2019-6683 | K76328112 | TMM may consume excessive resources when processing FastL4 traffic |
725551-2 | CVE-2019-6682 | K40452417 | ASM may consume excessive resources |
846157-3 | CVE-2020-5862 | K01054113 | TMM may crash while processing traffic on AWS |
817917-1 | CVE-2020-5856 | K00025388 | TMM may crash when sending TCP packets |
789893-2 | CVE-2019-6679 | K54336216 | SCP file transfer hardening |
749324-1 | CVE-2012-6708 | K62532311 | jQuery Vulnerability: CVE-2012-6708 |
738236-7 | CVE-2019-6688 | K25607522 | UCS does not follow current best practices |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
819397-1 | 1-Blocking | TMM does not enforce RFC compliance when processing HTTP traffic | |
769193-5 | 3-Major | Added support for faster congestion window increase in slow-start for stretch ACKs | |
760234-1 | 4-Minor | Configuring Advanced shell for Resource Administrator User has no effect |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
806093-1 | 2-Critical | Unwanted LDAP referrals slow or prevent administrative login | |
789169-2 | 2-Critical | Unable to create virtual servers with port-lists from the GUI★ | |
780817-5 | 2-Critical | TMM can crash on certain vCMP hosts after modifications to VLANs and guests. | |
762385 | 2-Critical | Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later★ | |
762205-2 | 2-Critical | IKEv2 rekey fails to recognize VENDOR_ID payload when it appears | |
809205 | 3-Major | CVE-2019-3855: libssh2 Vulnerability | |
794501-2 | 3-Major | Duplicate if_indexes and OIDs between interfaces and tunnels | |
785741-1 | 3-Major | K19131357 | Unable to login using LDAP with 'user-template' configuration |
778125-1 | 3-Major | LDAP remote authentication passwords are limited to fewer than 64 bytes | |
760439-4 | 3-Major | After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status | |
760259-3 | 3-Major | Qkview silently fails to capture qkviews from other blades | |
759654-1 | 3-Major | LDAP remote authentication with remote roles and user-template failing | |
759499-2 | 3-Major | Upgrade from version 12.1.3.7 to version 14.1.0 failing with error★ | |
758781-3 | 3-Major | iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates | |
758527-2 | 3-Major | K39604784 | BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode |
757519-1 | 3-Major | Unable to login using LDAP authentication with a user-template | |
756450-1 | 3-Major | Traffic using route entry that's more specific than existing blackhole route can cause core | |
754691-1 | 3-Major | During failover, an OSPF routing daemon may crash. | |
750318-3 | 3-Major | HTTPS monitor does not appear to be using cert from server-ssl profile | |
746266-3 | 3-Major | Vcmp guest vlan mac mismatch across blades. | |
738943-3 | 3-Major | imish command hangs when ospfd is enabled |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
816273-2 | 1-Blocking | L7 Policies may execute CONTAINS operands incorrectly. | |
826601-5 | 2-Critical | Prevent receive window shrinkage for looped flows that use a SYN cookie | |
817417-1 | 2-Critical | Blade software installation stalled at Waiting for product image★ | |
816625-1 | 2-Critical | The TMM may crash in a rare scenario involving HTTP unchunking, and plugins. | |
800369-2 | 2-Critical | The fix for ID 770797 may cause a TMM crash | |
800305-2 | 2-Critical | VDI::cmp_redirect generates flow with random client port | |
791057-1 | 2-Critical | MCP may crash when traffic matching criteria is updated | |
770797-1 | 2-Critical | HTTP2 streams may get stuck in rare situations | |
836661 | 3-Major | Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet. | |
834373-3 | 3-Major | Possible handshake failure with TLS 1.3 early data | |
830797-2 | 3-Major | Standby high availability (HA) device passes traffic through virtual wire | |
815449-2 | 3-Major | BIG-IP closes connection when an unsized response is served to a HEAD request | |
797977-1 | 3-Major | Self-IP traffic does not preserve the TTL from the Linux host | |
789365-1 | 3-Major | pkcs11d CPU usage increases after running nethsm self validation test | |
772545-3 | 3-Major | Tmm core in SSLO environment | |
765517-1 | 3-Major | Traffic Match Criteria validation fails when creating a virtual server with an address list with overlapping address space but a different ingress VLAN | |
761185-2 | 3-Major | K50375550 | Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic |
760771-1 | 3-Major | FastL4-steered traffic might cause SSL resume handshake delay | |
758992-2 | 3-Major | The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address | |
758872-3 | 3-Major | TMM memory leak | |
758655-1 | 3-Major | TMC does not allow inline addresses with non-zero Route-domain. | |
753514-3 | 3-Major | Large configurations containing LTM Policies load slowly | |
749689-2 | 3-Major | HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart | |
726176-2 | 3-Major | Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve | |
712919-2 | 3-Major | Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server. | |
687887-3 | 3-Major | Unexpected result from multiple changes to a monitor-related object in a single transaction | |
824365-3 | 4-Minor | Need informative messages for HTTP iRule runtime validation errors | |
806085-2 | 4-Minor | In-TMM MQTT monitor is not working as expected | |
791337-1 | 4-Minor | Traffic matching criteria fails when using shared port-list with virtual servers | |
769309-2 | 4-Minor | DB monitor reconnects to server on every probe when count = 0 | |
754003-3 | 4-Minor | K73202036 | Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate |
747628-1 | 4-Minor | BIG-IP sends spurious ICMP PMTU message to server | |
744210-2 | 4-Minor | DHCPv6 does not have the ability to override the hop limit from the client. |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
776133-1 | 2-Critical | RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
761032-2 | 3-Major | K36328238 | TMSH displays TSIG keys |
760471-3 | 3-Major | GTM iQuery connections may be reset during SSL key renegotiation. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
813945-3 | 2-Critical | PB core dump while processing many entities | |
813389-1 | 2-Critical | TMM Crashes upon failure in Bot Defense Client-Side code | |
791669 | 2-Critical | TMM might crash when Bot Defense is configured for multiple domains | |
790349-2 | 2-Critical | merged crash with a core file | |
756108-1 | 2-Critical | BD crash on specific cases | |
754109-1 | 2-Critical | ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive | |
832857 | 3-Major | Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log | |
832205 | 3-Major | ASU cannot be completed after Signature Systems database corruption following binary Policy import | |
831661-2 | 3-Major | ASMConfig Handler undergoes frequent restarts | |
824101-1 | 3-Major | Request Log export file is not visible for requests including binary data | |
824037-2 | 3-Major | Bot Defense whitelists do not apply for IP 'Any' when using route domains | |
812341-2 | 3-Major | Patch or Delete commands take a long time to complete when modifying an ASM signature set. | |
805353-1 | 3-Major | ASM reporting for WebSocket frames has empty username field | |
800453-3 | 3-Major | False positive virus violations | |
793017-1 | 3-Major | Files left behind by failed Attack Signature updates are not cleaned | |
786913-2 | 3-Major | Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7 | |
783513-2 | 3-Major | ASU is very slow on device with hundreds of policies due to logging profile handling | |
781021-2 | 3-Major | ASM modifies cookie header causing it to be non-compliant with RFC6265 | |
778681-2 | 3-Major | Factory-included Bot Signature update file cannot be installed without subscription★ | |
754841-1 | 3-Major | Policy updates stall and never complete | |
754425-1 | 3-Major | Exported requests cannot be opened in Internet Explorer or Edge browser | |
734228 | 3-Major | False-positive illegal-length violation can appear | |
795769-3 | 4-Minor | Incorrect value of Systems in system-supplied signature sets | |
789817-1 | 4-Minor | In rare conditions info fly-out not shown | |
760462-1 | 4-Minor | Live update notification is shown only for provisioned/licensed modules | |
758459-1 | 4-Minor | Cross origin AJAX requests are blocked by Cross-Origin Resource Sharing (CORS) protection | |
620301-1 | 4-Minor | Policy import fails due to missing signature System in associated Signature Set |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
833113-3 | 3-Major | Avrd core when sending large messages via https | |
787677-3 | 3-Major | AVRD stays at 100% CPU constantly on some systems | |
781581-3 | 3-Major | Monpd uses excessive memory on requests for network_log data |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
757782-1 | 2-Critical | OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default | |
825805-1 | 3-Major | NTLM Auth may fail due to incorrect handling of EPM response★ | |
766577-2 | 3-Major | APMD fails to send response to client and it already closed connection. | |
756363-1 | 3-Major | SSLO or SWG connections using proxy chaining to Explicit Proxy can get reset | |
741222-2 | 3-Major | Install epsec1.0.0 into software partition.★ | |
643935-4 | 3-Major | Rewriting may cause an infinite loop while processing some objects |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
833213-3 | 3-Major | Conditional requests are served incorrectly with AAM policy in webacceleration profile |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
802865-1 | 3-Major | The iControl REST query request returning empty list for DoS Protected Objects | |
761345-3 | 3-Major | Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode | |
738284-2 | 3-Major | Creating or deleting rule list results in warning message: Schema object encode failed |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
821133-2 | 3-Major | Wrong wildcard URL matching when none of the configured URLS include QS |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
748813-3 | 2-Critical | tmm cores under stress test on virtual server with DoS profile with admd enabled | |
767045-2 | 3-Major | TMM cores while applying policy |
Protocol Inspection Fixes
ID Number | Severity | Solution Article(s) | Description |
787845 | 4-Minor | Tmsh command 'show running-config' fails when Protocol Inspection is not licensed. |
Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
741163-3 | CVE-2018-3693 | K54252492 | RHEL7: Kernel CVE-2018-3693 |
740755-6 | CVE-2018-3620 | K95275140 | Kernel vulnerability: CVE-2018-3620 |
721319-1 | CVE-2018-3639 | K29146534 | CVE-2018-3639 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
815689-3 | 3-Major | Azure walinuxagent has been updated to v2.2.42. | |
760574 | 3-Major | Updating BIG-IP 14.1.x Linux kernel to RHEL7.5 |
Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
795437-4 | CVE-2019-6677 | K06747393 | Improve handling of TCP traffic for iRules |
795197-1 | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | K26618426 | Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 |
781377-2 | CVE-2019-6681 | K93417064 | tmrouted may crash while processing Multicast Forwarding Cache messages |
778077-3 | CVE-2019-6680 | K53183580 | Virtual to virtual chain can cause TMM to crash |
771873-5 | CVE-2019-6642 | K40378764 | TMSH Hardening |
767653-1 | CVE-2019-6660 | K23860356 | Malformed HTTP request can result in endless loop in an iRule script |
636400-3 | CVE-2019-6665 | K26462555 | CPB (BIG-IP->BIGIQ log node) Hardening |
810657-2 | CVE-2019-6674 | K21135478 | Tmm core while using service chaining for SSLO |
809165-2 | CVE-2020-5854 | K50046200 | TMM may crash while processing connector traffic |
808525-2 | CVE-2019-6686 | K55812535 | TMM may crash while processing Diameter traffic |
795797-2 | CVE-2019-6658 | K21121741 | AFM WebUI Hardening |
788773-2 | CVE-2019-9515 | K50233772 | HTTP/2 Vulnerability: CVE-2019-9515 |
788769-2 | CVE-2019-9514 | K01988340 | HTTP/2 Vulnerability: CVE-2019-9514 |
788033 | CVE-2020-5851 | K91171450 | tpm-status may return "Invalid" after engineering hotfix installation |
781449-2 | CVE-2019-6672 | K14703097 | Increase efficiency of sPVA DoS protection on wildcard virtual servers |
777737-3 | CVE-2019-6671 | K39225055 | TMM may consume excessive resources when processing IP traffic |
773673-2 | CVE-2019-9512 | K98053339 | HTTP/2 Vulnerability: CVE-2019-9512 |
768981-2 | CVE-2019-6670 | K05765031 | vCMP Hypervisor Hardening |
761014-2 | CVE-2019-6669 | K11447758 | TMM may crash while processing local traffic |
758018-5 | CVE-2019-6661 | K61705126 | APD/APMD may consume excessive resources |
756458-3 | CVE-2018-18559 | K28241423 | Linux kernel vulnerability: CVE-2018-18559 |
756218-1 | CVE-2019-6654 | K45644893 | Improve default management port firewall |
751152-1 | CVE-2018-5407 | K49711130 | OpenSSL Vulnerability: CVE-2018-5407 |
751143-1 | CVE-2018-5407 | K49711130 | OpenSSL Vulnerability: CVE-2018-5407 |
745103-6 | CVE-2018-7159 | K27228191 | NodeJS Vulnerability: CVE-2018-7159 |
798249-2 | CVE-2019-6673 | K81557381 | TMM may crash while processing HTTP/2 requests |
779177-2 | CVE-2019-19150 | K37890841 | Apmd logs "client-session-id" when access-policy debug log level is enabled |
759536-2 | CVE-2019-8912 | K31739796 | Linux kernel vulnerability: CVE-2019-8912 |
757617-1 | CVE-2018-16864, CVE-2018-16865 | K06044762 | Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
759135-2 | 3-Major | AVR report limits are locked at 1000 transactions | |
714292-3 | 3-Major | Transparent forwarding mode across multiple VLAN groups or virtual-wire | |
788269-3 | 4-Minor | Adding toggle to disable AVR widgets on device-groups |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
793045-2 | 2-Critical | File descriptor leak in net-snmpd while reading /shared/db/cluster.conf | |
770953 | 2-Critical | 'smbclient' executable does not work | |
767877-3 | 2-Critical | TMM core with Bandwidth Control on flows egressing on a VLAN group | |
765533-2 | 2-Critical | K58243048 | Sensitive information logged when DEBUG logging enabled |
760475-1 | 2-Critical | Apache spawns more processes than the configured limit, causing system low memory condition | |
755575-1 | 2-Critical | In MOS, the 'image2disk' utility with the '-format' option does not function properly | |
726240-1 | 2-Critical | 'Cannot find disk information' message when running Configuration Utility★ | |
788557-5 | 3-Major | BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior | |
788301-5 | 3-Major | K58243048 | SNMPv3 Hardening |
777261-4 | 3-Major | When SNMP cannot locate a file it logs messages repeatedly | |
766873 | 3-Major | Omission of lower-layer types from sFlow packet samples | |
761993-2 | 3-Major | The nsm process may crash if it detects a nexthop mismatch | |
761933-1 | 3-Major | Reboot with 'tmsh reboot' does not log message in /var/log/audit | |
761160-2 | 3-Major | OpenSSL vulnerability: CVE-2019-1559 | |
760998-1 | 3-Major | F5.ip_forwarding iAPP fails to deploy | |
759814-1 | 3-Major | Unable to view iApp component view★ | |
758119-6 | 3-Major | K58243048 | qkview may contain sensitive information |
747592-1 | 3-Major | PHP vulnerability CVE-2018-17082 | |
724109-2 | 3-Major | Manual config-sync fails after pool with FQDN pool members is deleted | |
648621-6 | 3-Major | SCTP: Multihome connections may not expire | |
776073-1 | 4-Minor | OOM killer killing tmm in system low memory condition as process OOM score is high | |
760680-1 | 4-Minor | TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
759968-3 | 1-Blocking | Distinct vCMP guests are able to cluster with each other. | |
803845-2 | 2-Critical | When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown | |
787825-2 | 2-Critical | K58243048 | Database monitors debug logs have plaintext password printed in the log file |
774913-1 | 2-Critical | IP-based bypass can fail if SSL ClientHello is not accepted | |
760078-1 | 2-Critical | Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet. | |
758714-1 | 2-Critical | Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports. | |
757578-2 | 2-Critical | RAM cache is not compatible with verify-accept | |
757441-4 | 2-Critical | Specific sequence of packets causes Fast Open to be effectively disabled | |
755585-1 | 2-Critical | mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction | |
747858-2 | 2-Critical | OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires | |
746710-1 | 2-Critical | Use of HTTP::cookie after HTTP::disable causes TMM core | |
737985-2 | 2-Critical | BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode. | |
734551-3 | 2-Critical | L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server | |
801497-2 | 3-Major | Virtual wire with LACP pinning to one link in trunk. | |
798105-1 | 3-Major | Node Connection Limit Not Honored | |
794581 | 3-Major | Transfer might stall for an object served from WAM cache | |
788325-2 | 3-Major | K39794285 | Header continuation rule is applied to request/response line |
787433-3 | 3-Major | SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed | |
784713-3 | 3-Major | When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct | |
773821-1 | 3-Major | Certain plaintext traffic may cause SSLO to hang | |
773421-1 | 3-Major | Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied | |
769801-1 | 3-Major | Internal tmm UDP filter does not set checksum | |
761385-1 | 3-Major | Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire. | |
761381-1 | 3-Major | Incorrect MAC Address observed in L2 asymmetric virtual wire | |
754525-1 | 3-Major | Disabled virtual server accepts and serves traffic after restart | |
748891-2 | 3-Major | Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system. | |
742237-4 | 3-Major | CPU spikes appear wider than actual in graphs | |
719300-3 | 3-Major | ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address | |
689361-4 | 3-Major | Configsync can change the status of a monitored pool member | |
751586 | 4-Minor | http2 virtual does not honour translate-address disabled | |
747585-3 | 4-Minor | TCP Analytics supports ANY protocol number |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
783849-2 | 3-Major | DNSSEC Key Generations are not imported to secondary FIPS card |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
781637-2 | 3-Major | ASM brute force counts unnecessary failed logins for NTLM | |
781605-3 | 3-Major | Fix RFC issue with the multipart parser | |
781069-2 | 3-Major | Bot Defense challenge blocks requests with long Referer headers | |
773553-2 | 3-Major | ASM JSON parser false positive. | |
769997-1 | 3-Major | ASM removes double quotation characters on cookies | |
769981-2 | 3-Major | bd crashes in a specific scenario | |
764373-3 | 3-Major | 'Modified domain cookie' violation with multiple enforced domain cookies with different paths | |
753711-1 | 3-Major | Copied policy does not retain signature staging | |
751710-4 | 3-Major | False positive cookie hijacking violation | |
746394-1 | 3-Major | With ASM CORS set to 'Disabled' it strips all CORS headers in response. | |
745802-1 | 3-Major | Brute Force CAPTCHA response page truncates last digit in the support id | |
727107-4 | 3-Major | Request Logs are not stored locally due to shmem pipe blockage | |
803445-3 | 4-Minor | When adding several mitigation exceptions, the previously configured actions revert to the default action | |
772473-3 | 4-Minor | Request reconstruct issue after challenge | |
761088-1 | 4-Minor | Remove policy editing restriction in the GUI while auto-detect language is set | |
695878-2 | 4-Minor | Signature enforcement issue on specific requests |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
761749-2 | 2-Critical | Security pages unavailable after switching RT mode on and off a few times | |
797785-2 | 3-Major | AVR reports no ASM-Anomalies data. | |
792265-3 | 3-Major | Traffic logs do not include the BIG-IQ tags | |
773925-2 | 3-Major | Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files | |
765785-3 | 3-Major | Monpd core upon "bigstart stop monpd" while Real Time reporting is running |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
811145-2 | 2-Critical | VMware View resources with SAML SSO are not working | |
797541-1 | 2-Critical | K05115516 | NTLM Auth may fail when user's information contains SIDS array |
784989-2 | 2-Critical | TMM may crash with panic message: Assertion 'cookie name exists' failed | |
777173-2 | 2-Critical | Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error | |
821369 | 3-Major | Incomplete Action 'Deny' does not take effect for HTTP-Connect | |
788417-2 | 3-Major | Remote Desktop client on macOS may show resource auth token on credentials prompt | |
787477-2 | 3-Major | Export fails from partitions with '-' as second character | |
786173-1 | 3-Major | UI becomes unresponsive when accessing Access active session information | |
783817-2 | 3-Major | UI becomes unresponsive when accessing Access active session information | |
782569-1 | 3-Major | SWG limited session limits on SSLO deployments | |
775621-2 | 3-Major | urldb memory grows past the expected ~3.5GB | |
769853-2 | 3-Major | K24241590 | Access Profile option to restrict connections from a single client IP is not honored for native RDP resources |
756777-1 | 3-Major | VDI plugin might crash on process shutdown during RDG connections handling | |
750823-1 | 3-Major | Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD | |
749161-2 | 3-Major | Problem sync policy contains non-ASCII characters | |
746768-4 | 3-Major | APMD leaks memory if access policy contains variable/resource assign policy items | |
697590-2 | 3-Major | APM iRule ACCESS::session remove fails outside of Access events | |
781445-1 | 4-Minor | named or dnscached cannot bind to IPv6 address | |
759579-1 | 4-Minor | Full Webtop: 'URL Entry' field is available again | |
756019-1 | 4-Minor | OAuth JWT Issuer claim requires URI format |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
811745-2 | 3-Major | Failover between clustered DIAMETER devices can cause mirror connections to be disconnected | |
804313-2 | 3-Major | MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. | |
761685-3 | 3-Major | Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set | |
750431-1 | 3-Major | Persistence record is deleted in MRF SIP after updating timeout value with the iRule 'SIP::persist timeout' | |
748253-1 | 3-Major | Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection | |
786565-2 | 4-Minor | MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
800209-1 | 3-Major | The tmsh recursive list command includes DDoS GUI-specific data info | |
780837-1 | 3-Major | Firewall rule list configuration causes config load failure | |
761234-2 | 3-Major | Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached | |
760355 | 4-Minor | Firewall rule to block ICMP/DHCP from 'required' to 'default'★ |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
760438-3 | 3-Major | PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions | |
759192-3 | 3-Major | TMM core during display of PEM session under some specific conditions | |
756311-4 | 3-Major | High CPU during erroneous deletion | |
753163-4 | 3-Major | PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
804185-2 | 3-Major | Some WebSafe request signatures may not work as expected | |
783565-2 | 3-Major | Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP | |
775013-2 | 3-Major | TIME EXCEEDED alert has insufficient data for analysis |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
803477-2 | 3-Major | BaDoS State file load failure when signature protection is off |
Cumulative fixes from BIG-IP v14.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
773649-6 | CVE-2019-6656 | K23876153 | APM Client Logging |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
771705-1 | 3-Major | You may not be able to log into BIG-IP Cloud Edition if FSCK fails | |
754875-1 | 3-Major | Enable FIPS in prelicensed VE images without requiring a reboot |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
753485-1 | 2-Critical | AVR global settings are being overridden by HA peers |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
757306-3 | 3-Major | SNMP MIBS for AFM NAT do not yet exist |
Protocol Inspection Fixes
ID Number | Severity | Solution Article(s) | Description |
794285 | 1-Blocking | BIG-IQ reading AFM configuration fails with status 400 |
Cumulative fixes from BIG-IP v14.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
807477-10 | CVE-2019-6650 | K04280042 | ConfigSync Hardening |
797885-2 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
796469-6 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
810557-8 | CVE-2019-6649 | K05123525 | ASM ConfigSync Hardening |
809377-6 | CVE-2019-6649 | K05123525 | AFM ConfigSync Hardening |
799617-2 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
799589-2 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
794389-6 | CVE-2019-6651 | K89509323 | iControl REST endpoint response inconsistency |
794413-2 | CVE-2019-6471 | K10092301 | BIND vulnerability CVE-2019-6471 |
793937-1 | CVE-2019-6664 | K03126093 | Management Port Hardening |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
744937-8 | 3-Major | K00724442 | BIG-IP DNS and GTM DNSSEC security exposure |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
798949-3 | 3-Major | Config-Sync fails when Config-Sync IP configured to management IP | |
760622-3 | 3-Major | Allow Device Certificate renewal from BIG-IP Configuration Utility | |
760363-1 | 3-Major | Update Alias Address field with default placeholder text |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
811333-2 | 3-Major | Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile★ |
Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
769361-2 | CVE-2019-6630 | K33444350 | TMM may crash while processing SSLO traffic |
767401-1 | CVE-2019-6629 | K95434410 | TMM may crash while processing TLS traffic |
759343-6 | CVE-2019-6668 | K49827114 | MacOS Edge Client installer does not follow best security practices |
758909-1 | CVE-2019-6628 | K04730051 | TMM may crash while processing PEM traffic |
758065-4 | CVE-2019-6667 | K82781208 | TMM may consume excessive resources while processing FIX traffic |
757084-2 | CVE-2019-6627 | K00432398 | Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled |
757023-2 | CVE-2018-5743 | K74009656 | BIND vulnerability CVE-2018-5743 |
756538-4 | CVE-2019-6645 | K15759349 | Failure to open data channel for active FTP connections mirrored across an HA pair. |
754944-1 | CVE-2019-6626 | K00432398 | AVR reporting UI does not follow best practices |
754345-2 | CVE-2019-6625 | K79902360 | WebUI does not follow best security practices |
754103-1 | CVE-2019-6644 | K75532331 | iRulesLX NodeJS daemon does not follow best security practices |
753975-2 | CVE-2019-6666 | K92411323 | TMM may crash while processing HTTP traffic with webacceleration profile |
753776-2 | CVE-2019-6624 | K07127032 | TMM may consume excessive resources when processing UDP traffic |
748502-1 | CVE-2019-6623 | K72335002 | TMM may crash when processing iSession traffic |
737731-6 | CVE-2019-6622 | K44885536 | iControl REST input sanitization |
737574-6 | CVE-2019-6621 | K20541896 | iControl REST input sanitization★ |
737565-6 | CVE-2019-6620 | K20445457 | iControl REST input sanitization |
726393-2 | CVE-2019-6643 | K36228121 | DHCPRELAY6 can lead to a tmm crash |
726327 | CVE-2018-12120 | K37111863 | NodeJS debugger accepts connections from any host |
757455-2 | CVE-2019-6647 | K87920510 | Excessive resource consumption when processing REST requests |
753796-1 | CVE-2019-6640 | K40443301 | SNMP does not follow best security practices |
750460-1 | CVE-2019-6639 | K61002104 | Subscriber management configuration GUI |
750298-1 | CVE-2019-6638 | K67825238 | iControl REST may fail while processing requests |
750187-1 | CVE-2019-6637 | K29149494 | ASM REST may consume excessive resources |
745371-1 | CVE-2019-6636 | K68151373 | AFM GUI does not follow best security practices |
745257-1 | CVE-2018-14634 | K20934447 | Linux kernel vulnerability: CVE-2018-14634 |
742226-6 | CVE-2019-6635 | K11330536 | TMSH platform_check utility does not follow best security practices |
710857-5 | CVE-2019-6634 | K64855220 | iControl requests may cause excessive resource usage |
702469-7 | CVE-2019-6633 | K73522927 | Appliance mode hardening in scp |
673842-6 | CVE-2019-6632 | K01413496 | VCMP does not follow best security practices |
773653-6 | CVE-2019-6656 | K23876153 | APM Client Logging |
773641-6 | CVE-2019-6656 | K23876153 | APM Client Logging |
773637-6 | CVE-2019-6656 | K23876153 | APM Client Logging |
773633-6 | CVE-2019-6656 | K23876153 | APM Client Logging |
773621-6 | CVE-2019-6656 | K23876153 | APM Client Logging |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
749704-2 | 4-Minor | GTPv2 Serving-Network field with mixed MNC digits |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
774445-1 | 1-Blocking | K74921042 | BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2 |
789993-1 | 2-Critical | Failure when upgrading to 15.0.0 with config move and static management-ip. | |
773677-1 | 2-Critical | K72255850 | BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase★ |
769809-4 | 2-Critical | The vCMP guests 'INOPERATIVE' after upgrade | |
765801 | 2-Critical | WCCP service info field corrupted in upgrade to 14.1.0 final★ | |
760573-1 | 2-Critical | K00730586 | TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0★ |
760508-1 | 2-Critical | K91444000 | On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist★ |
760408-3 | 2-Critical | K23438711 | System Integrity Status: Invalid after BIOS update★ |
760164-1 | 2-Critical | BIG-IP VE Compression Offload HA action requires modification of db variable | |
757722-2 | 2-Critical | Unknown notify message types unsupported in IKEv2 | |
756402-2 | 2-Critical | Re-transmitted IPsec packets can have garbled contents | |
756071-3 | 2-Critical | MCPD crash | |
755254-1 | 2-Critical | Remote auth: PAM_LDAP buffer too small errors★ | |
753650-2 | 2-Critical | The BIG-IP system reports frequent kernel page allocation failures. | |
750586-2 | 2-Critical | HSL may incorrectly handle pending TCP connections with elongated handshake time. | |
743803-1 | 2-Critical | IKEv2 potential double free of object when async request queueing fails | |
741503-1 | 2-Critical | The BIG-IP system fails to load base config file when upgrading with static IPv4★ | |
726487-4 | 2-Critical | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. | |
648270-1 | 2-Critical | mcpd can crash if viewing a fast-growing log file through the GUI | |
766365-1 | 3-Major | Some trunks created on VE platform stay down even when the trunk's interfaces are up | |
766329-2 | 3-Major | SCTP connections do not reflect some SCTP profile settings | |
765033 | 3-Major | Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions★ | |
760597-1 | 3-Major | System integrity messages not logged | |
760594 | 3-Major | On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details. | |
758879 | 3-Major | BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot | |
748206-1 | 3-Major | Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position | |
748187-4 | 3-Major | 'Transaction Not Found' Error on PATCH after Transaction has been Created | |
746657-1 | 3-Major | tmsh help for FQDN node or pool member shows incorrect default for fqdn interval | |
740543-1 | 3-Major | System hostname not displayed in console | |
725791-6 | 3-Major | Potential HW/HSB issue detected | |
718405-2 | 3-Major | RSA signature PAYLOAD_AUTH mismatch with certificates | |
581921-5 | 3-Major | K22327083 | Required files under /etc/ssh are not moved during a UCS restore |
754500-2 | 4-Minor | GUI LTM Policy options disappearing | |
726317-6 | 4-Minor | Improved debugging output for mcpd |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
759723-1 | 2-Critical | Abnormally terminated connections on server side may cause client side streams to stall | |
758465-1 | 2-Critical | TMM may crash or iRule processing might be incorrect | |
756356-2 | 2-Critical | External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long | |
753912-4 | 2-Critical | K44385170 | UDP flows may not be swept |
752930-3 | 2-Critical | Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state | |
747727-1 | 2-Critical | HTTP Profile Request Header Insert Tcl error | |
747239-1 | 2-Critical | TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection | |
745533-6 | 2-Critical | NodeJS Vulnerability: CVE-2016-5325 | |
741048-1 | 2-Critical | iRule execution order could change after editing the scripts | |
766293-1 | 3-Major | Monitor logging fails on v14.1.0.x releases | |
760550-5 | 3-Major | Retransmitted TCP packet has FIN bit set | |
758311-1 | 3-Major | Policy Compilation may cause MCPD to crash | |
757985-1 | 3-Major | K79562045 | TMM memory leak |
757698-1 | 3-Major | TMM crashes in certain situations in which iRule execution interleaves client side and server side flows | |
756270-4 | 3-Major | SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle | |
754985-1 | 3-Major | Standby mirrored server SSL connections fail, and tmm may crash while processing mirrored TLS traffic | |
752078-2 | 3-Major | Header Field Value String Corruption | |
749414-4 | 3-Major | Invalid monitor rule instance identifier error | |
747907-2 | 3-Major | Persistence records leak while the HA mirror connection is down | |
742078-6 | 3-Major | Incoming SYNs are dropped and the connection does not time out. | |
740959-4 | 3-Major | User with manager rights cannot delete FQDN node on non-Common partition | |
740345-3 | 3-Major | TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. | |
696755-3 | 3-Major | HTTP/2 may truncate a response body when served from cache | |
696735-2 | 3-Major | TCP ToS Passthrough mode does not work correctly | |
504522-4 | 3-Major | Trailing space present after 'tmsh ltm pool members monitor' attribute value | |
747968-3 | 4-Minor | DNS64 stats not increasing when requests go through DNS cache resolver |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
777937-3 | 1-Blocking | AWS ENA: packet drops due to bad checksum |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
759721-2 | 3-Major | K03332436 | DNS GUI does not follow best practices |
749508-1 | 3-Major | LDNS and DNSSEC: Various OOM conditions need to be handled properly | |
749222-1 | 3-Major | dname compression offset overflow causes bad compression pointer | |
748902-5 | 3-Major | Incorrect handling of memory allocations while processing DNSSEC queries | |
746877-1 | 3-Major | Omitted check for success of memory allocation for DNSSEC resource record | |
744707-2 | 3-Major | Crash related to DNSSEC key rollover | |
723288-4 | 3-Major | DNS cache replication between TMMs does not always work for net dns-resolver | |
748177-1 | 4-Minor | Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
759360-2 | 2-Critical | Apply Policy fails due to policy corruption from previously enforced signature | |
749912-1 | 2-Critical | [BIG-IQ Integration] Deadlock occurs when adding multiple hostnames with transparent enforcement | |
723790-3 | 2-Critical | Idle asm_config_server handlers consumes a lot of memory | |
765449-1 | 3-Major | Update availability status may be inaccurate | |
763001-1 | 3-Major | K70312000 | Web-socket enforcement might lead to a false negative |
761941-1 | 3-Major | ASM does not remove CSRT token query parameter before forwarding a request to the backend server | |
761194-2 | 3-Major | param data type violation on an Integer parameter, if an integer value is sent via websocket JSON | |
760878-3 | 3-Major | Incorrect enforcement of explicit global parameters | |
759483-1 | 3-Major | Message about HTTP status codes which are set by default disappeared from the UI | |
758085-1 | 3-Major | CAPTCHA Custom Response fails when using certain characters | |
756418-1 | 3-Major | Live Update does not authenticate remote users | |
742558-1 | 3-Major | Request Log export document fails to show some UTF-8 characters | |
687759-3 | 3-Major | bd crash | |
774941-1 | 4-Minor | GUI misspelling in Bot Defense logging profile | |
768761-2 | 4-Minor | Improved accept action description for suggestions to disable signature/enable metacharacter in policy | |
766357-1 | 4-Minor | Two simultaneous manual installations can cause live-update inconsistency | |
765413-1 | 4-Minor | ASM cluster syncs caused by PB ignored suggestions updates | |
761921-1 | 4-Minor | avrd high CPU utilization due to perpetual connection attempts | |
761553-2 | 4-Minor | Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic | |
761549-2 | 4-Minor | Traffic Learning: Accept and Stage action is shown only in case entity is not in staging | |
761231-2 | 4-Minor | K79240502 | Bot Defense Search Engines getting blocked after configuring DNS correctly |
759462-1 | 4-Minor | Site names and vulnerabilities cannot be retrieved from WhiteHat server | |
755005-1 | 4-Minor | Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations | |
750689-3 | 4-Minor | Request Log: Accept Request button available when not needed | |
749184-2 | 4-Minor | Added description of subviolation for the suggestions that enabled/disabled them | |
747560-5 | 4-Minor | ASM REST: Unable to download Whitehat vulnerabilities | |
769061-2 | 5-Cosmetic | Improved details for learning suggestions to enable violation/sub-violation |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
763349-3 | 2-Critical | AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out | |
756205-1 | 2-Critical | TMSTAT offbox statistics are not continuous | |
756102-2 | 2-Critical | TMM can crash with core on ABORT signal due to non-responsive AVR code | |
771025-3 | 3-Major | AVR sends domain names as an aggregate | |
764665-2 | 3-Major | AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change | |
763005-3 | 3-Major | Aggregated Domain Names in DNS statistics are shown as random domain name | |
760356-2 | 3-Major | Users with Application Security Administrator role cannot delete Scheduled Reports |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
770557-3 | 2-Critical | Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one | |
769281-1 | 2-Critical | Per-request Access Policy may show user interface pages incorrectly in languages other than English | |
755447-1 | 2-Critical | SSLO does not deliver content generated/originated from inline device | |
753370-3 | 2-Critical | RADIUS auth might not be working as configured when there is a change in RADIUS auth config name. | |
774633-2 | 3-Major | Memory leak in tmm when session db variables are not cleaned up | |
774213-1 | 3-Major | SWG session limits on SSLO deployments | |
760410-1 | 3-Major | Connection reset is seen when Category lookup agent is used in per-req policy | |
760250 | 3-Major | 'Unsupported SSO Method' error when requests sharing the same TCP session | |
759868-1 | 3-Major | TMM crash observed while rendering internal pages (like blocked page) for per-request policy | |
758764-2 | 3-Major | APMD Core when CRLDP Auth fails to download revoked certificate | |
758701-1 | 3-Major | APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install | |
757992-3 | 3-Major | RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup | |
757360-1 | 3-Major | Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO | |
755475-1 | 3-Major | Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync | |
755047-1 | 3-Major | Category lookup returns wrong category on CONNECT traffic through SSLO | |
754542-2 | 3-Major | TMM may crash when using RADIUS Accounting agent | |
752875-2 | 3-Major | tmm core while using service chaining for SSLO | |
751807-1 | 3-Major | SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel | |
751424-1 | 3-Major | HTTP Connect Category Lookup not working properly | |
749057-1 | 3-Major | VMware Horizon idle timeout is ignored when connecting via APM | |
745574-1 | 3-Major | URL is not removed from custom category when deleted | |
738430-3 | 3-Major | APM is not able to do compliance check on iOS devices running F5 Access VPN client | |
734291-1 | 3-Major | Logon page modification fails to sync to standby | |
695985-4 | 3-Major | Access HUD filter has URL length limit (4096 bytes) | |
766761-2 | 4-Minor | Ant-server does not log requests that are excluded from scanning |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
766405-2 | 2-Critical | MRF SIP ALG with SNAT: Fix for potential crash on next-active device | |
754615-2 | 2-Critical | Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup. | |
763157-2 | 3-Major | MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped | |
760370-2 | 3-Major | MRF SIP ALG with SNAT: Next active ingress queue filling | |
759077-2 | 3-Major | MRF SIP filter queue sizes not configurable | |
755630-1 | 3-Major | MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes | |
752822-1 | 3-Major | SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type | |
751179-1 | 3-Major | MRF: Race condition may create too many outgoing connections to a peer | |
746825-1 | 3-Major | MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls | |
745947-2 | 3-Major | Add log events for MRF SIP registration/deregistration and media flow creation/deletion | |
745590-1 | 3-Major | SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added | |
760930-2 | 4-Minor | MRF SIP ALG with SNAT: Added additional details to log events | |
747909-5 | 4-Minor | GTPv2 MEI and Serving-Network fields decoded incorrectly |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
757524 | 1-Blocking | Data operation attempt on object that has not been loaded | |
757359-1 | 2-Critical | pccd crashes when deleting a nested Address List | |
754805 | 2-Critical | K97981358 | Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured |
753028-2 | 3-Major | AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule | |
745809-2 | 3-Major | The /var partition may become 100% full requiring manual intervention to clear space | |
756477-2 | 5-Cosmetic | Drop Redirect tab incorrectly named as 'Redirect Drop' |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
744516-4 | 2-Critical | TMM panics after a large number of LSN remote picks |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
748121-3 | 2-Critical | admd livelock under CPU starvation | |
653573-6 | 2-Critical | ADMd not cleaning up child rsync processes | |
756877-1 | 3-Major | Virtual server created with Guided Configuration is not visible in Grafana |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
752803-1 | 2-Critical | CLASSIFICATION_DETECTED running reject can lead to a tmm core | |
752047-1 | 2-Critical | iRule running reject in CLASSIFICATION_DETECTED event can cause core |
Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
755817 | 3-Major | v14.1.0.5 includes Guided Configuration 4.1 | |
751824-1 | 3-Major | Restore old 'merge' functionality with new tmsh verb 'replace' |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
663819-1 | 3-Major | APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue) |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
761173-1 | 2-Critical | tmm crash after extended whitelist modification | |
751869-2 | 2-Critical | Possible tmm crash when using manual mode mitigation in DoS Profile | |
760393 | 3-Major | GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes | |
750477-1 | 3-Major | LTM NAT does not forward ICMP traffic | |
737035-2 | 3-Major | New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup. |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
757088-1 | 2-Critical | TMM clock advances and cluster failover happens during webroot db nightly updates | |
758536 | 3-Major | Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x |
Protocol Inspection Fixes
ID Number | Severity | Solution Article(s) | Description |
737558-1 | 2-Critical | Protocol Inspection user interface elements are active but do not work | |
774881 | 3-Major | Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed. |
Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release
Functional Change Fixes
None
Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
745783-1 | 3-Major | Anti-fraud: remote logging of login attempts |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
758667-1 | 2-Critical | BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs | |
754541-2 | 2-Critical | Reconfiguring an iApp that uses a client SSL profile fails | |
760222 | 3-Major | SCP fails unexpectedly when FIPS mode is enabled | |
725625-1 | 3-Major | BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK |
Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
757025-1 | CVE-2018-5744 | K00040234 | BIND Update |
750292-2 | CVE-2019-6592 | K54167061 | TMM may crash when processing TLS traffic |
749879-2 | CVE-2019-6611 | K47527163 | Possible interruption while processing VPN traffic |
744035-6 | CVE-2018-15332 | K12130880 | APM Client Vulnerability: CVE-2018-15332 |
757027-1 | CVE-2019-6465 | K01713115 | BIND Update |
745713-4 | CVE-2019-6619 | K94563344 | TMM may crash when processing HTTP/2 traffic |
745165-1 | CVE-2019-6617 | K38941195 | Users without Advanced Shell Access are not allowed SFTP access |
737910-4 | CVE-2019-6609 | K18535734 | Security hardening on the following platforms |
703835-5 | CVE-2019-6616 | K82814400 | When using SCP into BIG-IP systems, you must specify the target filename |
702472-7 | CVE-2019-6615 | K87659521 | Appliance Mode Security Hardening |
713806-8 | CVE-2018-0739 | K08044291 | CVE-2018-0739: OpenSSL Vulnerability |
699977-3 | CVE-2016-7055 | K43570545 | CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
755641-1 | 2-Critical | Unstable asm_config_server after upgrade, 'Event dispatcher aborted' | |
744685-2 | 2-Critical | BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension | |
744188-1 | 2-Critical | First successful auth iControl REST requests will now be logged in audit and secure log files | |
745387-1 | 3-Major | Resource-admin user roles can no longer get bash access | |
739432 | 3-Major | F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems | |
738108-1 | 3-Major | SCTP multi-homing INIT address parameter doesn't include association's primary address | |
698376-5 | 3-Major | Non-admin users have limited bash commands and can only write to certain directories |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
753642-1 | 2-Critical | iHealth may report false positive for Critical Malware | |
752835-2 | 2-Critical | K46971044 | Mitigate mcpd out of memory error with auto-sync enabled. |
750580-1 | 2-Critical | Installation using image2disk --format may fail after TMOS v14.1.0 is installed★ | |
724680-6 | 2-Critical | OpenSSL Vulnerability: CVE-2018-0732 | |
707013-3 | 2-Critical | vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest | |
668041-4 | 2-Critical | K27535157 | Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★ |
621260-2 | 2-Critical | mcpd core on iControl REST reference to non-existing pool | |
757026-1 | 3-Major | BIND Update | |
753564-1 | 3-Major | Attempt to change password using /bin/passwd fails | |
751011-3 | 3-Major | ihealth.sh script and qkview locking mechanism not working | |
751009-3 | 3-Major | Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out | |
750661 | 3-Major | URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied. | |
750447-3 | 3-Major | GUI VLAN list page loading slowly with 50 records per screen | |
749382-1 | 3-Major | Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater | |
746873-1 | 3-Major | Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing | |
745825-1 | 3-Major | The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading | |
737536-2 | 3-Major | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. | |
721585-1 | 3-Major | mcpd core processing ltm monitors with deep level of inheritance | |
639619-7 | 3-Major | UCS may fail to load due to Master key decryption failure on EEPROM-less systems★ | |
751636-1 | 4-Minor | Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership★ | |
737423-2 | 4-Minor | Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033 |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
754143-1 | 2-Critical | TCP connection may hang after finished | |
747617-2 | 2-Critical | TMM core when processing invalid timer | |
742184-3 | 2-Critical | TMM memory leak | |
738945-4 | 2-Critical | SSL persistence does not work when there are multiple handshakes present in a single record | |
716714-4 | 2-Critical | OCSP should be configured to avoid TMM crash. | |
750200-3 | 3-Major | DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode | |
749294-4 | 3-Major | TMM cores when query session index is out of boundary | |
746131-4 | 3-Major | OpenSSL Vulnerability: CVE-2018-0732 | |
744686-2 | 3-Major | Wrong certificate can be chosen during SSL handshake | |
743900-1 | 3-Major | Custom DIAMETER monitor requests do not have their 'request' flag set | |
739963-4 | 3-Major | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup | |
739349-3 | 3-Major | LRO segments might be erroneously VLAN-tagged. | |
724327-2 | 3-Major | Changes to a cipher rule do not immediately have an effect | |
720219-3 | 3-Major | K13109068 | HSL::log command can fail to pick new pool member if last picked member is 'checking' |
717896-4 | 3-Major | Monitor instances deleted in peer unit after sync | |
717100-1 | 3-Major | FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member | |
716167-2 | 3-Major | The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp | |
704450-5 | 3-Major | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration | |
703593-1 | 3-Major | TMSH tab completion for adding profiles to virtual servers is not working as expected |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
756774-6 | 2-Critical | Aborted DNS queries to a cache may cause a TMM crash | |
756094-2 | 2-Critical | DNS express in restart loop, 'Error writing scratch database' in ltm log |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
752942-1 | 2-Critical | Live Update cannot be used by Administrator users other than 'admin' and 'root' | |
750922-1 | 2-Critical | BD crash when content profile used for login page has no parse parameters set | |
749136-1 | 2-Critical | Disk partition /var/log is low on free disk space | |
748321-1 | 2-Critical | bd crash with specific scenario | |
744347-4 | 2-Critical | Protocol Security logging profiles cause slow ASM upgrade and apply policy | |
721741-4 | 2-Critical | BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative | |
754420-1 | 3-Major | Missing policy name in exported ASM request details | |
754066-1 | 3-Major | Newly added Systems are not added as part of installing a Server Technologies update file | |
753295-1 | 3-Major | ASM REST: All signatures being returned for policy Signatures regardless of signature sets | |
750973-1 | 3-Major | Import XML policy error | |
750793-2 | 3-Major | Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition | |
750686-1 | 3-Major | ASE user cannot create or modify a bot signature. | |
750683-1 | 3-Major | REST Backwards Compatibility: Cannot modify enforcementMode of host-name | |
750668-1 | 3-Major | Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition | |
750666-1 | 3-Major | Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common' | |
750356-2 | 3-Major | Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted | |
749500-1 | 3-Major | Improved visibility for Accept on Microservice action in Traffic Learning | |
749109-3 | 3-Major | CSRF situation on BIGIP-ASM GUI | |
748999-3 | 3-Major | invalid inactivity timeout suggestion for cookies | |
748848-2 | 3-Major | Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers | |
748409-2 | 3-Major | Illegal parameter violation when json parsing a parameter on a case-insensitive policy | |
747977-1 | 3-Major | File manually uploaded information is not synced correctly between blades | |
747777-3 | 3-Major | Extractions are learned in manual learning mode | |
747550-3 | 3-Major | Error 'This Logout URL already exists!' when updating logout page via GUI | |
746750-1 | 3-Major | Search Engine get Device ID challenge when using the predefined profiles | |
746298-1 | 3-Major | Server Technologies logos all appear as default icon | |
745813-1 | 3-Major | Requests are reported to local log even if only Bot Defense remote log is configured | |
745624-1 | 3-Major | Tooltips for OWASP Bot Categories and Anomalies were added | |
745607-1 | 3-Major | Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly | |
745531-2 | 3-Major | Puffin Browser gets blocked by Bot Defense | |
742852-1 | 3-Major | Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header | |
739945-4 | 3-Major | JavaScript challenge on POST with 307 breaks application | |
738676-1 | 3-Major | Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests | |
737866-2 | 3-Major | Rare condition memory corruption | |
754365-5 | 4-Minor | Updated flags for countries that changed their flags since 2010 | |
721724-1 | 4-Minor | LONG_REQUEST notice print incorrect in BD log |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
746941-2 | 2-Critical | avrd memory leak when BIG-IQ fails to receive stats information | |
753446-2 | 3-Major | avrd process crash during shutdown if connected to BIG-IQ | |
749464-2 | 3-Major | Race condition while BIG-IQ updates common file | |
749461-2 | 3-Major | Race condition while modifying analytics global-settings | |
745027-2 | 3-Major | AVR is doing extra activity of DNS data collection even when it should not | |
744595-3 | 3-Major | DoS-related reports might not contain some of the activity that took place | |
744589-3 | 3-Major | Missing data for Firewall Events Statistics | |
715110-1 | 3-Major | AVR should report 'resolutions' in module GtmWideip |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
752592-1 | 2-Critical | VMware Horizon PCoIP clients may fail to connect shortly after logout | |
754346-2 | 3-Major | Access policy was not found while creating configuration snapshot. | |
746771-3 | 3-Major | APMD recreates config snapshots for all access profiles every minute | |
745654-4 | 3-Major | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server | |
743437-3 | 3-Major | Portal Access: Issue with long 'data:' URL |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
749603-1 | 3-Major | MRF SIP ALG: Potential to end wrong call when BYE received | |
749227-1 | 3-Major | MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE | |
748043-2 | 3-Major | MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP | |
747187-2 | 3-Major | SIP falsely detects media flow collision when SDP is in both 183 and 200 response | |
745715-2 | 3-Major | MRF SIP ALG now supports reading SDP from a mime multipart payload | |
745628-1 | 3-Major | MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message | |
745514-1 | 3-Major | MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message | |
745404-4 | 3-Major | MRF SIP ALG does not reparse SDP payload if replaced | |
744949-1 | 3-Major | MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix | |
744275-1 | 3-Major | BIG-IP system sends Product-Name AVP in CER with Mandatory bit set | |
742829-1 | 3-Major | SIP ALG: Do not translate and create media channels if RTP port defined in the SIP message is 0 |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
747104-1 | 1-Blocking | K52868493 | LibSSH: CVE-2018-10933 |
752363-2 | 2-Critical | Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled | |
749331-3 | 2-Critical | Global DNS DoS vector does not work in certain cases | |
747922-3 | 2-Critical | With AFM enabled, during bootup, there is a small possibility of a tmm crash | |
748176-1 | 3-Major | BDoS Signature can wrongly match a DNS packet | |
748081-1 | 3-Major | Memory leak in Behavioral DoS module | |
747926-2 | 3-Major | Rare TMM restart due to NULL pointer access during AFM ACL logging |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
726647-5 | 3-Major | PEM content insertion in a compressed response may truncate some data |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
752782-1 | 3-Major | 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' | |
741449-3 | 4-Minor | alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts | |
738677-1 | 4-Minor | Configured name of wildcard parameter is not sent in data integrity alerts |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
755378-1 | 2-Critical | HTTPS connection error from Chrome when BADOS TLS signatures configured | |
727136-1 | 3-Major | One dataset contains large number of variations of TLS hello messages on Chrome |
Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
745629 | 2-Critical | Ordering Symantec and Comodo certificates from BIG-IP | |
713817-1 | 3-Major | BIG-IP images are available in Alibaba Cloud | |
738891-1 | 4-Minor | TLS 1.3: Server SSL fails to increment key exchange method statistics |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
746424 | 2-Critical | Patched Cloud-Init to support AliYun Datasource | |
745851 | 3-Major | Changed Default Cloud-Init log level to INFO from DEBUG | |
742251-1 | 4-Minor | Add Alibaba Cloud support to Qkview |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
749774-5 | 3-Major | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled | |
749675-5 | 3-Major | DNS cache resolver may return a malformed truncated response with multiple OPT records |
Cumulative fix details for BIG-IP v14.1.2.5 that are included in this release
887637-1 : Systemd-journald Vulnerability: CVE-2019-3815
Solution Article: K22040951
884797-2 : Portal Access: in some cases data is not delivered via WebSocket connection
Component: Access Policy Manager
Symptoms:
If a client browser opens a WebSocket connection, Portal Access may not send data to the client if the first message in the new connection comes from the server.
Conditions:
- Web application with WebSocket connection
- First data in WebSocket connection is sent from server to client
Impact:
Data is not delivered to the client browser via the WebSocket connection.
Fix:
Now Portal Access can deliver data to the client browser via the WebSocket connection when the first data is sent from the server.
883717-3 : BD crash on specific server cookie scenario
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
Server sends many domain cookies with different domains or paths.
Impact:
Traffic disruption, failover.
Workaround:
There is no workaround, except changing the server's cookies.
Fix:
BD does not crash when server sets many different attributes.
882557-4 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
Component: TMOS
Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:
ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.
Impact:
TMM continually restarts.
Workaround:
Use the sock driver instead of virtio.
In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:
# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
Configure a socket driver:
echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl
Reboot the instance.
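A pre-check for the workaround above, as an added example rather than F5 tooling: it confirms the allocation-failure symptom in tmm log text and derives the tmm_init.tcl line from `lspci -nn` output. The function names are hypothetical, and the sample log and lspci text are constructed from the lines quoted in this entry plus one non-virtio NIC.

```shell
#!/bin/sh
# Added example (not F5 tooling). Function names are hypothetical and the
# sample text is constructed from the lines quoted in this entry.

SAMPLE_TMM_LOG='ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers'

# Three virtio NICs plus one constructed non-virtio NIC that must be skipped.
SAMPLE_LSPCI='00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:05.0 Ethernet controller [0200]: Intel Corporation 82540EM Gigabit Ethernet Controller [8086:100e]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]'

# Succeeds if the tmm log text on stdin contains the virtio allocation
# errors listed under Symptoms.
has_virtio_alloc_failure() {
    grep -Eq 'virtio\[[0-9a-f:.]+\]: Error: Failed (to allocate descriptor chain|allocate indirect rx buffers)'
}

# Reads `lspci -nn` output on stdin and prints one tmm_init.tcl line per
# distinct virtio Ethernet vendor:device ID.
virtio_sock_lines() {
    grep -i 'eth' | grep -i 'virtio' \
        | sed -n 's/.*\[\([0-9a-fA-F]\{4\}:[0-9a-fA-F]\{4\}\)\].*/\1/p' \
        | sort -u \
        | while read -r vsl_id; do
              printf 'device driver vendor_dev %s sock\n' "$vsl_id"
          done
}

# Demonstration on the constructed samples. On a BIG-IP VE, feed the real
# tmm log and the real `lspci -nn` output instead.
if printf '%s\n' "$SAMPLE_TMM_LOG" | has_virtio_alloc_failure; then
    echo "Symptom present; candidate /config/tmm_init.tcl content:"
    printf '%s\n' "$SAMPLE_LSPCI" | virtio_sock_lines
fi
```

The function only prints the lines. Redirecting output into /config/tmm_init.tcl with `>`, as the workaround does, replaces any existing content of that file.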
882377-1 : ASM Application Security Editor Role User can update/install ASU
Component: Application Security Manager
Symptoms:
Live Update modifications are allowed for Application Security Editor Role.
Conditions:
Login as Application Security Editor user and try to install ASU.
Impact:
Application Security Editor Role is permitted to update Attack Signatures when it shouldn't be.
882273 : MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage growth
Component: Service Provider
Symptoms:
Memory leak can cause tmm to crash and memory usage to grow.
Conditions:
-- Diameter transmission setting is enabled and the action is retrans.
-- auto-init is enabled.
-- The server is down.
Impact:
Memory corruption leads to a tmm crash over the longer run, and the memory leak makes memory usage grow linearly. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
When the server is down, the BIG-IP system keeps creating new connections to it. The memory leak that occurred during these reconnect attempts has been fixed.
879401-3 : Memory corruption during APM SAML SSO
Component: Access Policy Manager
Symptoms:
During processing of SAML SSO single logout (SLO) requests, a block of tmm memory may become corrupted.
Conditions:
- BIG-IP system is configured as SAML SP.
- External SAML IdP sends SLO request.
Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.
Fix:
BIG-IP as SAML SP no longer causes memory corruption when handling certain traffic.
879025-4 : When processing server-side TLS traffic, LTM may not enforce certificate chain restrictions
Component: Local Traffic Manager
Symptoms:
When processing server-side TLS traffic, LTM may not enforce certificate chain restrictions as expected. TLS traffic is encrypted as expected, but under certain conditions certificate authentication restrictions are not enforced.
Conditions:
- Server-side SSL profile.
- Certificate chain validation enabled.
Impact:
LTM may not enforce TLS certificate chain restrictions as expected.
Workaround:
None.
Fix:
LTM now processes server-side TLS traffic as expected.
876077-3 : MRF DIAMETER: stale pending retransmission entries may not be cleaned up
Component: Service Provider
Symptoms:
DIAMETER router messages queued for retransmission may not be deleted until the connection closes.
Conditions:
-- Diameter transmission setting is enabled and a DIAMETER message is queued for retransmission.
-- The retransmission for the message is not triggered.
Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.
Workaround:
None.
Fix:
Stale pending retransmission entries are cleaned up properly.
873877 : Kernel page allocation failure seen on VIPRION B2250 Blade★
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file:
warning kernel: : [7673174.106142] swapper/6: page allocation failure: order:2, mode:0x104020
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase this as follows:
-- 64 MB (65536 KB) for 2250 blades.
-- 48 MB (49152 KB) for B4300 blades.
-- 128 MB (131072 KB) for 4450 blades.
You must do this on each blade installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
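A verification helper for the workaround above, as an added example rather than F5 tooling: it summarizes page allocation failures from kern.log text and checks that the running and persisted min_free_kbytes values agree with the intended one. The function names are hypothetical; the first sample log line is the one quoted in this entry and the others are constructed.

```shell
#!/bin/sh
# Added example (not F5 tooling). Function names are hypothetical; sample
# text is constructed around the log line quoted in this entry.

SAMPLE_KERN_LOG='warning kernel: : [7673174.106142] swapper/6: page allocation failure: order:2, mode:0x104020
warning kernel: : [7673180.554301] swapper/6: page allocation failure: order:2, mode:0x104020
warning kernel: : [7673191.002117] ksoftirqd/1: page allocation failure: order:2, mode:0x104020
info kernel: : [7673200.000000] unrelated constructed line'

# Reads kern.log text on stdin and prints "<count> <task> order:<n>" for each
# distinct task/order pair, most frequent first.
summarize_alloc_failures() {
    sed -n 's/.*\] \([^:]*\): page allocation failure: order:\([0-9][0-9]*\),.*/\1 order:\2/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Prints the value of the LAST vm.min_free_kbytes setting in FILE, which is
# the one that takes effect when the '>>' appends were run more than once.
# Accepts both forms the workaround writes:
#   vm.min_free_kbytes = N            (/etc/sysctl.conf)
#   sysctl -w vm.min_free_kbytes=N    (/config/startup)
# Prints nothing if the file has no such setting.
persisted_min_free() {
    sed -n 's/^[[:space:]]*\(sysctl -w \)\{0,1\}vm\.min_free_kbytes[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\2/p' \
        "$1" 2>/dev/null | tail -n 1
}

# check_min_free RUNNING_KB DESIRED_KB FILE
#   0: running and persisted values both equal DESIRED_KB
#   1: running value differs (workaround is not active now)
#   2: persisted value is missing or different (will not survive a reboot)
check_min_free() {
    [ "$1" -eq "$2" ] || return 1
    cmf_persisted=$(persisted_min_free "$3")
    [ -n "$cmf_persisted" ] && [ "$cmf_persisted" -eq "$2" ] || return 2
    return 0
}

# Demonstration on constructed data. On a blade, pass the content of
# /proc/sys/vm/min_free_kbytes as RUNNING_KB and the real file as FILE.
demo_dir=$(mktemp -d)
printf '%s\n' '# Workaround for ID753650' 'vm.min_free_kbytes = 65536' \
              '# Workaround for ID753650' 'vm.min_free_kbytes = 131072' \
    > "$demo_dir/sysctl.conf"
printf '%s\n' "$SAMPLE_KERN_LOG" | summarize_alloc_failures
echo "effective persisted value: $(persisted_min_free "$demo_dir/sysctl.conf")"
if check_min_free 131072 131072 "$demo_dir/sysctl.conf"; then
    echo "running and persisted values match"
fi
rm -rf "$demo_dir"
```

Because /etc/sysctl.conf is written per blade through clsh while /config/startup is synchronized, run the check against whichever file the chosen procedure modified, on each blade.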
873469-1 : APM Portal Access: Base URL may be set incorrectly
Solution Article: K24415506
872673-3 : TMM can crash when processing SCTP traffic
Component: TMOS
Symptoms:
Under certain conditions, TMM may crash while processing SCTP traffic.
Conditions:
-- SCTP listener enabled.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
TMM now processes SCTP traffic as expected.
871905-1 : Incorrect masking of parameters in event log
Component: Application Security Manager
Symptoms:
When using CSRF protection, sensitive parameter values can be masked incorrectly in the event log.
Conditions:
The request contains a CSRF token and sensitive parameters.
Impact:
Sensitive parameter values can be masked incorrectly in the event log.
Workaround:
None.
Fix:
Sensitive parameter values are now correctly masked in the event log when the request contains a CSRF token.
871761-4 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
Component: Access Policy Manager
Symptoms:
APM virtual server user's GUI (e.g., 'Logon page') cannot be rendered by browsers.
Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.
Impact:
APM end users are unable to get a logon page.
Workaround:
Disable the XML profile for the APM virtual server.
Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.
870957-1 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
Component: Application Visibility and Reporting
Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.
Conditions:
No special conditions. The issue appears whenever you view the TMM CPU statistics in 'Security ›› Reporting : ASM Resources : CPU Utilization'. The values are always on the wrong scale: when TMM has ~1% CPU usage, it is presented as 100% CPU usage.
Impact:
The wrong scale is presented, which might cause the machine's state to be misinterpreted.
Workaround:
1. Back up the /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
$ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
Make sure that two lines are modified, and that the modification multiplies the denominator by 100 (i.e., it actually divides the TMM value by 100).
4. To make those changes take effect, run the following command:
$ bigstart restart monpd
Fix:
The TMM value is now divided by 100 to fit the correct scale.
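Steps 1 to 3 of the workaround above as one guarded function, added here as an example and not F5's own tooling. The sed expression is the one from step 2; the function name, the backup suffix and the return codes are assumptions of this example, and the `bigstart restart monpd` step is left to the operator once the function returns 0.

```shell
# Apply the ID 870957 scale workaround to a monpd measures file, once only.
# Usage: apply_cpu_scale_fix /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
# Return codes (chosen for this example):
#   0 = applied and exactly two lines changed
#   1 = unexpected number of changed lines; original file restored
#   2 = workaround already present; nothing changed
#   3 = file not found
apply_cpu_scale_fix() {
    cfg=$1
    backup="$cfg.id870957.bak"   # backup name is an assumption of this example
    [ -f "$cfg" ] || return 3

    # The sed expression is not idempotent: a second run would turn "*100"
    # into "*100*100". Refuse to run if the factor is already there.
    if grep -Fq 'tmm_avg_cpu_util)/(count(distinct time_stamp)*100' "$cfg"; then
        return 2
    fi

    # Step 1: keep a copy to compare against and to roll back to.
    cp -p "$cfg" "$backup" || return 1

    # Step 2: the substitution exactly as given in the workaround.
    sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' "$cfg"

    # Step 3: count lines that differ from the backup; two are expected.
    changed=$(diff "$backup" "$cfg" | grep -c '^> ' || true)
    if [ "$changed" -ne 2 ]; then
        cp -p "$backup" "$cfg"
        return 1
    fi
    return 0
}
```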
870389-1 : Increase size of /var logical volume to 1.5 GiB for LTM-only VE images
Component: TMOS
Symptoms:
The /var logical volume size of 950 MiB for LTM-only BIG-IP Virtual Edition (VE) images may be too small for some deployments. This can result in loss of SSH access.
Conditions:
This applies to deployments that use declarative onboarding for configuration.
Impact:
Complex declarative onboarding configurations may fill the /var logical volume. You are locked out because of the too-small volume.
Workaround:
The workaround is to manually extend the /var logical volume.
For more information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952.
Fix:
The size of the /var logical volume was increased from 950 MiB to 1.5 GiB for LTM-only VE images.
Behavior Change:
The size of the /var logical volume was increased from 950MiB to 1.5GiB for LTM-only Virtual Edition images.
868889 : BIG-IP may reset a stream with an empty DATA frame as END_STREAM
Component: Local Traffic Manager
Symptoms:
HTTP/2 defines the END_STREAM flag in a frame as marking the end of a stream. A peer can send an empty DATA frame (one with no payload) to designate the last frame in a stream. When BIG-IP receives an empty DATA frame, it handles it incorrectly, sending RST_STREAM to the client.
Conditions:
-- The BIG-IP system has a virtual server configured with an HTTP/2 profile on the client side.
-- The client sends a request containing a payload over a stream, ending the stream with an empty DATA frame.
Impact:
The BIG-IP system may reset the stream.
Workaround:
A client should resend the request handling more data.
Fix:
When the BIG-IP system handles an empty DATA frame with the END_STREAM flag, it now terminates the stream accordingly.
868381-3 : MRF DIAMETER: Retransmission queue unable to delete stale entries
Component: Service Provider
Symptoms:
DIAMETER messages queued for retransmission that do not receive answer responses may be missed by the sweeper logic and not be deleted until the connection closes.
Conditions:
-- A DIAMETER message is queued for retransmission without a timeout to trigger retransmission.
-- No answer response is received.
Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.
Workaround:
None.
Fix:
The retransmission queue has been fixed so all stale messages are deleted as expected.
868349-3 : TMM may crash while processing iRules with MQTT commands
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing iRules for MQTT profiles.
Conditions:
-- MQTT profile.
-- MQTT iRule.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
TMM now processes MQTT iRules as expected.
868097-1 : TMM may crash while processing HTTP/2 traffic
Solution Article: K58494243
866925-3 : The TMM pages used and available can be viewed in the F5 system stats MIB
Component: TMOS
Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.
Conditions:
When system resource decisions are being made, the information about memory usage is important.
Impact:
It is not feasible to query each BIG-IP device separately.
Workaround:
None.
Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.
866685-3 : Empty HSTS headers when HSTS mode for HTTP profile is disabled
Component: Access Policy Manager
Symptoms:
HTTP Strict-Transport-Security (HSTS) headers have an empty value for some APM Access Policy-generated responses.
Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS mode=disabled (which it is by default).
-- HTTP requests for APM renderer content, including CSS, JS, and image files from the webtop.
Impact:
Some audit scanners can consider the empty value of Strict-Transport-Security headers as a vulnerability. For browsers, the empty HSTS value equals no HSTS in response.
Workaround:
1. Enable HSTS mode for the HTTP profile.
2. Use an iRule to remove the empty HSTS header from responses:
when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header value "Strict-Transport-Security"] eq "" } {
        HTTP::header remove "Strict-Transport-Security"
    }
}
Fix:
When the HTTP profile is configured with HSTS mode=disabled, responses from APM renderer content are now sent without an HSTS header.
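A check for the condition that scanners report in ID 866685, added here as an example and not F5 or scanner code: it reads a saved HTTP response header block and classifies the Strict-Transport-Security field. The function name and the four category names are assumptions of this example.

```shell
# Classify the Strict-Transport-Security field of an HTTP response header
# block read from stdin (for example, saved output of `curl -sI`).
# Prints one of:
#   absent  - no HSTS field in the header block
#   empty   - field present with no value (the case described in ID 866685)
#   invalid - value present but no usable max-age directive
#   ok      - value carries a max-age directive
hsts_status() {
    awk '
    BEGIN { state = "absent" }
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    /^$/ { exit }                            # blank line ends the header block
    tolower($0) ~ /^strict-transport-security:/ {
        # RFC 6797 section 8.1: only the first HSTS field is processed.
        if (state != "absent") next
        value = $0
        sub(/^[^:]*:[ \t]*/, "", value)      # drop the field name
        sub(/[ \t]+$/, "", value)            # drop trailing whitespace
        if (value == "") { state = "empty"; next }
        state = "invalid"                    # until a max-age is found
        n = split(value, parts, ";")
        for (i = 1; i <= n; i++) {
            d = tolower(parts[i])
            gsub(/[ \t]/, "", d)
            if (d ~ /^max-age=("[0-9]+"|[0-9]+)$/) state = "ok"
        }
    }
    END { print state }
    '
}
```

Run it against responses for APM renderer content (CSS, JS and image files from the webtop) before and after applying the workaround or the fix; the expected change is from `empty` to `absent` or `ok`.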
866161-3 : Client port reuse causes RST when the security service attempts server connection reuse.
Component: Access Policy Manager
Symptoms:
If the security service attempts server connection reuse, client port reuse causes RST on new connections.
Conditions:
-- Service profile is attached to virtual server.
or
-- SSL Orchestrator (SSLO) is licensed and provisioned and Service chain is added in the security policy.
-- Security service reuses server-side connection.
-- Client reuses the source port.
Impact:
The BIG-IP system or SSLO rejects new connection from clients when a client reuses the port.
Workaround:
None.
Fix:
The BIG-IP system or SSLO no longer rejects the client connection when the service tries to reuse the server connection and the client reuses the port.
866021-3 : Diameter Mirror connection lost on the standby due to "process ingress error"
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.
Conditions:
This can happen when there is a large amount of mirror traffic. This includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization, such as persistence information, message state, etc.
Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.
Fix:
Diameter mirror connections are no longer lost due to "process ingress error" when there is high mirror traffic.
866013 : Linux Kernel Vulnerabilities: CVE-2019-11477 CVE-2019-11478 CVE-2019-11479
Solution Article: K78234183
865053-1 : AVRD core due to a try to load vip lookup when AVRD is down
Component: Application Visibility and Reporting
Symptoms:
AVRD cores during startup.
Conditions:
AVRD receives a SIGTERM while it is starting.
Impact:
This can lead to an AVRD core.
Fix:
Additional checks were added when loading a new configuration. This is expected to reduce the frequency of these occurrences, although they can still happen on very rare occasions.
864109-3 : APM Portal Access: Base URL may be set to incorrectly
Solution Article: K24415506
863161-3 : Scheduled reports are sent via TLS even if configured as non encrypted
Component: Application Visibility and Reporting
Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.
Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.
Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.
Fix:
The automatic TLS connection was introduced by an update of the phpmailer module. The current fix disables the automatic behavior so that encryption is used according to the BIG-IP configuration.
863069-3 : Avrmail timeout is too small
Component: Application Visibility and Reporting
Symptoms:
AVR report mailer times out prematurely and reports errors:
AVRExpMail|ERROR|2019-11-26 21:01:08 ECT|avrmail.php:325| PHPMailer exception while trying to send the report: SMTP Error: data not accepted.
Conditions:
Reports are configured to be sent by e-mail.
Impact:
The SMTP server returns an error response, and the report is not sent.
Workaround:
Increase the timeout in avrmail.php using bash commands.
Fix:
The timeout was increased in avrmail.php.
860881-1 : TMM can crash when handling a compressed response from HTTP server
Component: Local Traffic Manager
Symptoms:
TMM crashes while handling an HTTP response.
Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable compression on the server.
859721-3 : Using GENERICMESSAGE create together with reject inside periodic after may cause core
Component: Service Provider
Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after the "reject" command inside "after -periodic", it may cause a core. The following is an example iRule:
when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}
This relates to ID 859113.
Conditions:
"GENERICMESSAGE::message create" is called after "reject" inside "after -periodic".
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There are 2 possible workarounds:
- Use the "return" command after "reject" to exit the "after" script immediately after the "reject" command is invoked.
- Add a routine to cancel the "after" in the CLIENT_CLOSED event.
Fix:
Using GENERICMESSAGE create together with reject inside a periodic after no longer causes a core.
859113-3 : Using "reject" iRules command inside "after" may causes core
Component: Local Traffic Manager
Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create", it may trigger a tmm core. The following is an example iRule:
when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}
This relates to ID 859721.
Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There are 2 possible workarounds:
- Use the "return" command after "reject" to exit the "after" script immediately after the "reject" command is invoked.
- Add a routine to cancel the "after" in the CLIENT_CLOSED event.
Fix:
Using the "reject" iRules command inside "after" no longer causes a core.
859089-5 : TMSH allows SFTP utility access
Component: TMOS
Symptoms:
The TMSH configuration shell allows users with the Resource Administrator role access to the SFTP command-line utility.
Conditions:
Administrative users with TMSH access and the Resource Administrator role.
Impact:
Resource Administrators have access to the SFTP utility.
Workaround:
None.
Fix:
TMSH no longer allows users with the Resource Administrator role to access the SFTP utility.
Behavior Change:
TMSH users in the Resource Administrator role no longer have access to the SFTP utility. Users may be granted the Administrator role to provide SFTP access from inside TMSH.
858349-1 : TMM may crash while processing SAML SLO traffic
Component: Access Policy Manager
Symptoms:
Under certain conditions, TMM may crash while processing SAML SLO traffic.
Conditions:
-- SAML SLO configured.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
TMM now processes SAML SLO traffic as expected.
858229-3 : XML with sensitive data gets to the ICAP server
Component: Application Security Manager
Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.
Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.
Impact:
Sensitive data will reach the ICAP server.
Workaround:
No immediate workaround except policy-related changes.
Fix:
An internal parameter, send_xml_sensitive_entities_to_icap, was added. Its default is 1, as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.
Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.
When this is changed to 0 (using this command):
/usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.
858025-3 : Proactive Bot Defense does not validate redirected paths
Component: Application Security Manager
Symptoms:
Under certain conditions, Proactive Bot Defense may redirect clients to an unvalidated path.
Conditions:
-- Proactive Bot Defense enabled.
Impact:
Clients may be redirected to an unvalidated path.
Workaround:
None.
Fix:
Proactive Bot Defense now validates redirected paths as expected.
857725 : Anti-Fraud/DataSafe Logging Settings page not found
Component: Fraud Protection Services
Symptoms:
When navigating to Security :: Fraud Protection Service : Anti-Fraud Logging Settings, a 404 error is shown instead of the actual page.
Conditions:
- Provision Fraud Protection Service.
- License DataSafe or Fraud Protection Service.
- Enable the 'antifraud.riskengine.reportlogins' database variable.
Impact:
'Anti-Fraud Logging Settings' page is not found.
Workaround:
Configure logging settings using the Traffic Management Shell (tmsh) utility.
Fix:
'Anti-Fraud Logging Settings' page is shown correctly.
854177-3 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
Component: Application Security Manager
Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.
Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.
Impact:
Latency is introduced to ASM handling.
Workaround:
Set the fast changing nodes to static updates every hour.
Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.
853613-2 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
Component: Local Traffic Manager
Symptoms:
A TCP connection hangs occasionally.
Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.
Impact:
TCP connections hang, and data transfer cannot be completed.
Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.
Fix:
This release provides improved interaction between TCP's Verified Accept and Timestamps options and the tm.tcpsendrandomtimestamp setting.
853545-3 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
Component: Service Provider
Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.
Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.
Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.
Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.
Fix:
Usage of GENERICMESSAGE::message drop iRule command no longer leaks memory.
853329-4 : HTTP explicit proxy can crash TMM when used with classification profile
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may serve HTTP traffic as forward proxy and use DNS resolver objects to provide a server to connect to for request processing. When a classification profile is attached to the virtual server, it may result in a TMM crash with regards to some HTTP requests.
Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile attached to the virtual server.
Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release prevents a condition causing this TMM crash.
852445-3 : Big-IP : CVE-2019-6477 BIND Vulnerability
Solution Article: K15840535
852437-1 : Overly aggressive file cleanup causes failed ASU installation
Solution Article: K25037027
Component: Application Security Manager
Symptoms:
Directory cleanup for failed Attack Signature Updates (ASU) is too aggressive and may delete needed files in the middle of the installation itself, which causes the update to fail.
Conditions:
An ASU runs at the same time as the file cleanup task.
Impact:
The ASU fails to complete successfully.
Workaround:
The default clean interval is 300 seconds (5 minutes).
1. Run the following command to monitor the clean activity:
# tailf /var/log/ts/asmcrond.log | grep CleanFiles
2. Watch for the following message in the log:
asmcrond|INFO|Mar 20 21:54:44.389|24036|F5::PeriodicTask::Base::run,,Running Task: CleanFiles
3. Upgrade the ASU immediately.
If 5 minutes is not enough, you can increase the clean interval.
1. Adjust the interval in the /etc/ts/tools/asmcrond.cfg file:
From:
[CleanFiles]
Interval=300
To:
[CleanFiles]
Interval=3000
Important: Do not set Interval too high. 50 minutes (3000 seconds) should be enough.
2. Restart the asmcrond by killing the process. It respawns after several seconds.
ps -ef | grep asmcrond
kill <pid>
3. Monitor the asmcrond.log until you see another CleanFiles log message.
# tailf /var/log/ts/asmcrond.log | grep CleanFiles
4. Install the ASU; the temp files can stay in the folder for 50 minutes.
5. After the ASU is installed, change the interval back to 300 and restart asmcrond.
6. Make sure asmcrond has been started correctly.
# ps -ef | grep asmcrond
# tailf /var/log/ts/asmcrond.log
Fix:
The directory cleanup does not clean up files that are being actively used for an installation.
852373-2 : HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error
Component: Local Traffic Manager
Symptoms:
HTTP/2 connection breaks and Tcl error is logged in /var/log/ltm similar to the following:
TCL error: /Common/http2_disable <CLIENT_ACCEPTED> - Unknown error (line 1) (line 1) invoked from within "HTTP2::disable".
Conditions:
Any of the following Tcl commands are used in any iRule event: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside.
Impact:
HTTP/2 traffic is not passed to the serverside.
Workaround:
Do not use the following Tcl commands: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside
Fix:
When the previously mentioned Tcl commands are used in appropriate HTTP iRule events, such as CLIENT_ACCEPTED, HTTP/2 filter is put into passthrough mode and traffic is delivered to the server.
852313-2 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
Component: Access Policy Manager
Symptoms:
VMware Horizon clients cannot connect to APM and /var/log/apm contains the following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431
Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.
Impact:
VMware Horizon client cannot connect to APM after some time.
Workaround:
None.
Fix:
Fixed an issue where the 'VMware View Logon Page' agent configured with 'Kerberos Authentication' does not process logon requests after some time.
852289-2 : DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector
Component: Advanced Firewall Manager
Symptoms:
DNS over TCP packet is not rate-limited accurately by DoS device sweep and flood vector.
Conditions:
-- Setting the correct DNS pkt type in the DoS device sweep or flood vector.
-- Sending DNS over TCP.
Impact:
A DNS over TCP DDoS attack is not mitigated correctly.
Workaround:
Use the DNS DoS vector to mitigate the attack.
Fix:
The attack mitigation by sweep and flood vector is accurate.
852001-3 : High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously
Component: TMOS
Symptoms:
When using more than 4 BIG-IP devices connected in a device cluster, and adding 2 more devices to the trust domain, the mcpd processes of each device may get into a sync loop. This causes mcpd to reach up to 90% CPU utilization during this time, and causes other control-plane functionality to halt. This state may last 10-20 minutes in some cases, or continuous in other cases.
Conditions:
-- More than 4 BIG-IP devices are configured in a trust domain configuration.
-- Adding at least 2 more devices to the trust domain, one after the other, without waiting for the full sync to complete.
-- ASM, FPS, or DHD (DOS) is provisioned.
Impact:
High CPU utilization, GUI, TMSH, and REST API not responding or slow-responding, other system processes halted.
Workaround:
When adding a BIG-IP device to the trust domain, before adding any other device, wait a few minutes until the sync is complete, and no more sync logs display in /var/log/ltm.
Fix:
MCPD no longer utilizes high CPU resources when 4 or more devices are added to CMI simultaneously.
851789-3 : SSL monitors flap with client certs with private key stored in FIPS
Component: Local Traffic Manager
Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.
Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.
Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.
Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.
Fix:
Optimized FIPS API calls to improve performance of SSL monitors.
850673-3 : BD sends bad acks to the bd_agent for configuration
Component: Application Security Manager
Symptoms:
The bd_agent stops sending configuration in the middle of startup or a configuration change.
The policy may be incomplete in bd, causing wrong enforcement.
Conditions:
This is a rare issue and the exact conditions that trigger it are unknown.
Impact:
The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).
A partial policy may exist in bd causing improper enforcement.
Workaround:
Export and import the policy in case the policy is enforced incorrectly and un-assigning / re-assigning does not help.
Fix:
Fixed inconsistency scenario between bd and bd_agent.
849405-1 : LTM v14.1.2.1 does not log after upgrade★
Component: TMOS
Symptoms:
After upgrading to v14.1.2.1, logs are not generated and sysstat.service is not running.
Conditions:
-- Upgrade from BIG-IP v12.1.x (which uses CentOS 6) to BIG-IP v14.1.2.1 or later (which uses CentOS 7).
-- The issue is momentary and is not always reproducible.
Impact:
Logs are not generated and sysstat.service is not running.
Workaround:
Once the BIG-IP system starts up, check for failed services:
systemctl list-units --failed
If results show sysstat.service as FAILED, run the following command:
restorecon -Rv /var/log/sa6 && systemctl start sysstat
848405-4 : TMM may consume excessive resources while processing compressed HTTP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing compressed HTTP traffic.
Conditions:
-- At least one virtual server with an http-compression profile is configured on BIG-IP.
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
By removing the compression profile from the virtual servers, possible interruptions of service may be avoided.
Fix:
TMM now processes compressed HTTP traffic as expected.
847325-1 : Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior.
Component: Local Traffic Manager
Symptoms:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions
Conditions:
A oneconnect profile is combined with certain persist profiles on a virtual server.
The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.
The persistence types that are affected are:
-- Source Address (but not hash-algorithm carp)
-- Destination Address (but not hash-algorithm carp)
-- Universal
-- Cookie (only cookie hash)
-- Host
-- SSL session
-- SIP
-- Hash (but not hash-algorithm carp)
Impact:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions
846365-3 : TMM may crash while processing IP traffic
Solution Article: K35750231
846157-3 : TMM may crash while processing traffic on AWS
Solution Article: K01054113
843105-1 : Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP)
Component: Local Traffic Manager
Symptoms:
The BIG-IP system can now be configured to collect multicast statistics for LACP, STP, and LLDP. It is controlled by a sys db variable:
l2.virtualwire.multicast.stats
It is enabled by default.
Conditions:
This is encountered when L2 wire transparent VLAN groups are configured.
Impact:
The ability to collect and read multicast statistics makes it easier to debug l2 wire setups.
Multicast statistics can be viewed in the following tmctl table:
tmctl -w250 tmm/l2_mcast_stat
Workaround:
None.
Fix:
New statistics are available, for example:
tmctl -w250 tmm/l2_mcast_stat
842125-4 : Unable to reconnect outgoing SCTP connections that have previously aborted
Component: TMOS
Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.
Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.
Impact:
New connections are unable to be created resulting in dropped messages.
Workaround:
None.
Fix:
SCTP connections can now be halted and recreated to the same endpoint.
839597-4 : Restjavad fails to start if provision.extramb has large value
Component: Device Management
Symptoms:
restjavad restarts every few seconds, typically because it fails to start, and the following message is reported in the daemon log:
daemon.log: emerg logger: Re-starting restjavad
The system reports similar message at the command line.
No obvious cause is logged in rest logs.
Conditions:
-- System DB variable provision.extramb has an unusually high value*:
+ above ~2700-2800MB for v12.1.0 and earlier.
+ above ~2900-3000MB for v13.0.0 and later.
-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'
*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.
To check the values of these system DB variables, use:
tmsh list sys db provision.extramb
tmsh list sys db restjavad.useextramb
Impact:
This impacts the ability to use the REST API to manage the system
Workaround:
If sys db restjavad.useextramb must have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB works without issue).
To set that at the command line:
tmsh modify sys db provision.extramb value 2000
If continual restarts of restjavad are causing difficulties managing the unit on the command line:
1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad
2. Reduce the large value of provision.extramb if necessary.
3. Restart the restjavad service:
tmsh start sys service restjavad
839453-4 : lodash library vulnerability CVE-2019-10744
Solution Article: K47105354
839401-3 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
Component: Local Traffic Manager
Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).
Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.
Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.
Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.
Fix:
GARPs are sent out as expected.
838881-3 : APM Portal Access Vulnerability: CVE-2020-5853
Solution Article: K73183618
838709-1 : Enabling DoS stats also enables page-load-time
Component: Application Visibility and Reporting
Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.
Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.
Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.
Workaround:
You can use iRules to control which pages should get the JavaScript injection.
For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.
Fix:
The condition that inserts the JavaScript injection when "collect all dos stats" is enabled was changed.
838677-3 : lodash library vulnerability CVE-2019-10744
Solution Article: K47105354
837837-3 : SSH Client Requirements Hardening
Component: TMOS
Symptoms:
In some configurations, BIG-IP systems allow the use of DSA keys for SSH authentication.
Conditions:
Terminal Access (SSH) enabled for users with DSA keys.
Impact:
DSA keys are allowed for authentication, exposing BIG-IP to the limitations of this key format, including potential compromise of the authenticated session.
Workaround:
For ssh key based authentications, DSA keys should not be used.
Fix:
ssh-dss is disabled from supported authentication methods. It can be enabled under BIG-IP using the command: tmsh modify sys sshd { include '"HostKeyAlgorithms +ssh-dss"' }
Behavior Change:
ssh-dss is now disabled by default from supported SSH authentication methods. It can be explicitly enabled under BIG-IP using command: tmsh modify sys sshd { include '"HostKeyAlgorithms +ssh-dss"' }
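To find accounts that still rely on DSA keys, an authorized_keys file can be scanned for ssh-dss entries. The script below is an added example, not F5 code; the function names and the sample file contents are constructed, and the file to scan is passed in by the caller.

```shell
#!/bin/sh
# Added example: list DSA (ssh-dss) public keys in an authorized_keys file.

# Print "<line number>:<comment>" for every ssh-dss entry in the file $1.
# An entry may carry options (from="...", no-pty, ...) before the key type,
# so every field is checked, not only the first one.
find_dsa_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        {
            for (i = 1; i < NF; i++) {
                # "AAAAB3NzaC1kc3M" is the base64 form of the length-prefixed
                # string "ssh-dss" that starts every DSA public key blob.
                if ($i == "ssh-dss" && $(i + 1) ~ /^AAAAB3NzaC1kc3M/) {
                    comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    print NR ":" comment
                    break
                }
            }
        }
    ' "$1"
}

# Print only the number of ssh-dss entries in the file $1.
count_dsa_keys() {
    find_dsa_keys "$1" | wc -l | tr -d ' '
}

# Write a constructed sample file to $1 (key material is truncated and fake).
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 admin@example
ssh-dss AAAAB3NzaC1kc3MAAACBAJ3h legacy-backup@example
from="192.0.2.10",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAO9x monitor@example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH operator@example
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample_authorized_keys "$sample"
echo "ssh-dss entries found: $(count_dsa_keys "$sample")"
find_dsa_keys "$sample"
rm -f "$sample"
```

Entries reported here belong to users who need a replacement key of another type.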
837773-2 : Restjavad Storage and Configuration Hardening
Component: Device Management
Symptoms:
The restjavad component does not follow current best coding practices.
Conditions:
-- REST endpoints in use.
Impact:
The restjavad component does not follow current best coding practices.
Workaround:
None.
Fix:
The restjavad component now follows current best coding practices.
836661 : Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.
Component: Local Traffic Manager
Symptoms:
Packet with unexpected source MAC is seen on the adjacent node to the BIG-IP system.
Conditions:
-- The BIG-IP system is configured in an L2 transparent mode using virtual wires.
-- Traffic forwarded between client and server in an asymmetric manner across virtual wires.
Impact:
Incorrect source MAC is used. Possible impacts to services on nodes adjacent to the BIG-IP system if policy decisions on those nodes are made with the source MAC of the received packet as input.
Workaround:
None.
836357-3 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
Component: Service Provider
Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.
Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- A message is sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.
Impact:
This causes the BIG-IP system to abort the flow that originates the message.
Workaround:
None.
Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.
835381-1 : HTTP custom analytics profile 'not found' when default profile is modified
Component: Application Visibility and Reporting
Symptoms:
Adding SMTP config to default HTTP analytics profile results in config parsing failures for child profiles that are assigned to virtual servers. Removing SMTP config resolves the issue. The 'tmsh load sys config' command fails with the following error:
-- 01020036:3: The requested profile (/Common/child-analytics) was not found.
-- Unexpected Error: Validating configuration process failed.
Conditions:
-- Child analytics profile applied to virtual server.
-- Parent analytics profile contains SMTP config.
Impact:
Loading configuration might fail.
Workaround:
None.
Fix:
The system now avoids setting SMTP field for child profiles on MCP validation when in load/merge phase.
834373-3 : Possible handshake failure with TLS 1.3 early data
Component: Local Traffic Manager
Symptoms:
During a TLS 1.3 early data handshake, a code alert and handshake failure may occur.
Conditions:
TLS 1.3 with early data resumption.
Impact:
Handshake failure.
Workaround:
Turn off early data.
Fix:
Fixes a possible TLS 1.3 early data handshake failure and code alert.
834257-3 : TMM may crash when processing HTTP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic.
Conditions:
A virtual with standard HTTP profile is configured.
Impact:
When TMM crashes it causes a failover event and may interrupt traffic processing.
Workaround:
None.
Fix:
TMM now processes HTTP traffic as expected.
833213-3 : Conditional requests are served incorrectly with AAM policy in webacceleration profile
Component: WebAccelerator
Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.
Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.
Impact:
Client does not receive an updated resource.
Workaround:
For resources that require conditional checks, use a webacceleration profile without an AAM policy, which falls back to Ramcache.
Fix:
The BIG-IP system now respects If-Modified-Since or If-Unmodified-Since header and provides an appropriate response for the requested resource when compared to the date supplied in either header.
833113-3 : Avrd core when sending large messages via https
Component: Application Visibility and Reporting
Symptoms:
Sending large messages (>4KB) via HTTPS may cause avrd to core.
Conditions:
This typically happens when BIG-IP is managed by BIG-IQ and configuration is large and complex or traffic capturing is enabled.
Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due to continuous avrd cores.
Workaround:
None.
Fix:
Fixed an avrd crash.
832857 : Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log
Component: Application Security Manager
Symptoms:
The Support ID shown to the ASM end user does not appear in the logs.
Conditions:
-- ASM provisioned.
-- Bot Defense profile attached to a virtual server.
-- Single Page Application (SPA) is enabled in the Bot Defense profile.
-- AJAX request is blocked by bot defense, and CAPTCHA is shown to the ASM end user.
Impact:
ASM end user might complain about CAPTCHA and provide their Support ID to the BIG-IP administrator, but the BIG-IP administrator will not be able to find the Support ID in the logs.
Workaround:
None.
Fix:
Bot defense has been fixed so that the Support ID shown to the ASM end user matches the Support ID in the logs.
832569-2 : APM end-user connection reset
Component: Access Policy Manager
Symptoms:
When the URL being accessed exceeds a length of 8 KB, the BIG-IP resets the connection.
Conditions:
-- APM deployed with a per-request policy.
-- The per-request policy includes a category lookup.
Impact:
The APM end-user connection is reset, and the system posts an error message in /var/log/apm:
-- crit tmm[23363]: 01790601:2: [C] 10.62.118.27:65343 -> 65.5.55.254:443: Maximum URL size exceeded.
Workaround:
None.
832205 : ASU cannot be completed after Signature Systems database corruption following binary Policy import
Component: Application Security Manager
Symptoms:
Signatures cannot be updated after signature systems have become corrupted in the configuration database, after a binary policy containing a user-defined Signature Set using an unknown System was imported.
Conditions:
Signature systems are corrupted in configuration database, because a binary policy containing a user-defined Signature Set using an unknown System was imported.
Impact:
Signatures cannot be updated.
Workaround:
Delete signature systems with an ID greater than 38, and re-add them by performing a signature update. You can delete these signature systems by running the following command:
mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "DELETE FROM PLC.NEGSIG_SYSTEMS WHERE system_group = ''"
832021-1 : Port lockdown settings may not be enforced as configured
Solution Article: K73274382
832017-1 : Port lockdown settings may not be enforced as configured
Solution Article: K10251014
831781-5 : AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode
Component: Access Policy Manager
Symptoms:
Both AD Query and LDAP Auth/Query fail.
Conditions:
-- AD Query Agent, LDAP Auth Agent, or LDAP Query Agent is configured in Per-Session or Per-Request Policy.
-- These agents are configured in Direct mode.
-- The AD and LDAP server address is configured as an IPv6 address.
Impact:
Users may not be able to log in to APM, and hence service is disrupted.
Workaround:
None.
Fix:
Users are now able to log in to APM.
831661-2 : ASMConfig Handler undergoes frequent restarts
Component: Application Security Manager
Symptoms:
Under some settings and load, the RPC handler for the Policy Builder process restarts frequently, causing unnecessary churn and slower learning performance.
Conditions:
Configure one or more policies with automatic policy building enabled and learn traffic with violations.
Impact:
Control Plane instability and poor learning performance on the device.
Fix:
The Policy Builder handler is now restored to a more robust process lifecycle.
831325-2 : HTTP PSM detects more issues with Transfer-Encoding headers
Solution Article: K10701310
Component: Local Traffic Manager
Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.
Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.
Impact:
Traffic is not alarmed/blocked as expected.
Workaround:
None.
Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.
830833-2 : HTTP PSM blocking resets should have better log messages
Component: Local Traffic Manager
Symptoms:
When reset-cause logging is turned on, or when RST packet logging is used, the reset reason used when rejecting bad HTTP PSM traffic is not descriptive.
Conditions:
This occurs under either of these conditions:
-- HTTP PSM is used, and a request is blocked.
-- Reset cause or RST packet logging is enabled.
Impact:
The reset reason given is not descriptive, making troubleshooting difficult.
Workaround:
None.
Fix:
The reset reason used when rejecting HTTP PSM traffic is more descriptive.
830797-2 : Standby high availability (HA) device passes traffic through virtual wire
Component: Local Traffic Manager
Symptoms:
Virtual wire is forwarding traffic on the standby device, resulting in traffic loops and a potential network outage.
Conditions:
-- High availability (HA) configured.
-- Virtual wire configured.
Impact:
Standby device is passing traffic, which may create traffic loops and bring down the network.
Workaround:
Do not configure virtual wire on standby devices.
Fix:
Although you can create this configuration, the standby no longer forwards any traffic, which prevents the traffic loop and potential network outage.
830401-3 : TMM may crash while processing TCP traffic with iRules
Solution Article: K54200228
830073-3 : AVRD may core when restarting due to data collection device connection timeout
Component: Application Visibility and Reporting
Symptoms:
Avrd crashes, and one or more avrd core files exist in /var/core.
Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel.
-- Avrd is restarted.
Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes.
Workaround:
None.
Fix:
The AVRD HTTPS module now stops any connection attempts when shutdown sequence is in progress, so this issue no longer occurs.
829121-3 : State mirroring default does not require TLS
Solution Article: K65720640
829117-3 : State mirroring default does not require TLS
Solution Article: K17663061
828937-3 : Some systems can experience periodic high IO wait due to AVR data aggregation
Solution Article: K45725467
Component: Application Visibility and Reporting
Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that is running on the local database.
Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.
Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 16 cores) or 2148 (on smaller systems).
Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.
Fix:
Set the default value of the avr.stats.internal.maxentitiespertable DB variable to 20000. Set it to 2148 on systems with 16 or fewer CPU cores.
826601-5 : Prevent receive window shrinkage for looped flows that use a SYN cookie
Component: Local Traffic Manager
Symptoms:
TMM cores.
Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
-- Set the initial receive window value of the VIP to 3.
Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.
825805-1 : NTLM Auth may fail due to incorrect handling of EPM response★
Component: Access Policy Manager
Symptoms:
NTLM passthrough authentication may stop working after upgrade.
Conditions:
-- NTLM authentication configured.
-- Upgraded to a BIG-IP software version that contains the implementation for the Microsoft Internet Explorer feature, 'Enhanced protected mode' (EPM).
-- There are more than two protocol sequence towers included in the EPM response.
Impact:
APM end users cannot log in.
Workaround:
None.
Fix:
The system can now parse EPM response as expected.
824365-3 : Need informative messages for HTTP iRule runtime validation errors
Component: Local Traffic Manager
Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:
err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".
The system should post a more informative message, in this case:
err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"
Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.
Impact:
With no informative error messages, it is difficult to identify the validation error.
Workaround:
There is no workaround at this time.
Fix:
Informative messages are provided for HTTP iRule runtime validation errors.
824149-3 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
Component: Service Provider
Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.
Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.
824101-1 : Request Log export file is not visible for requests including binary data
Component: Application Security Manager
Symptoms:
Request Log export file is not visible.
Conditions:
The Request Log export file contains a request with binary data.
Impact:
Cannot get data from Request Log export file.
Workaround:
None.
824037-2 : Bot Defense whitelists do not apply for IP 'Any' when using route domains
Component: Application Security Manager
Symptoms:
When defining whitelists in bot defense profiles, when the IP is set to 'Any' and route domains are in use, whitelists are not applied.
Conditions:
-- Bot Defense profile is enabled.
-- Whitelist is configured for IP 'Any' (for URL or GEO).
-- Sending a request that matches the whitelist using route domains.
Impact:
Request will be mitigated.
Workaround:
For URL whitelist only:
Add a microservice to the bot defense profile and configure it as follows:
1. Add required URL.
2. Specify service type 'Custom Microservice Protection'.
3. Set the 'Mitigation and Verification' setting as required (relevant for logging only).
4. In 'Automated Threat Detection', set 'Mitigation Action' to 'None'.
5. Set the microservice 'Enforcement Mode' to 'Transparent'.
This causes the associated URL to never be blocked (but no 'whitelist' will be seen in reporting).
Fix:
Enabling IP 'Any' on route domains now works as expected.
823893-2 : Qkview may fail to completely sanitize LDAP bind credentials
Solution Article: K03318649
821369 : Incomplete Action 'Deny' does not take effect for HTTP-Connect
Component: Access Policy Manager
Symptoms:
Per-request policy's incomplete-action 'Deny' does not take effect for HTTP-Connect request.
Conditions:
-- SSL Orchestrator (SSLO) or APM is licensed and provisioned.
-- Per-request policy is created and attached to a virtual server.
-- Incomplete Action value of per-request policy is set to 'Deny'.
Impact:
The BIG-IP system does not reject the HTTP-Connect request when incomplete-action is set to 'Deny'.
Workaround:
None.
Fix:
Incomplete Action 'Deny' now takes effect for HTTP-Connect request.
821133-2 : Wrong wildcard URL matching when none of the configured URLS include QS
Component: Fraud Protection Services
Symptoms:
Wildcard URLs have a flag (include_query_string) that indicates whether matching should include the traffic URL's query string (QS).
For example, if the traffic URL is '/path?a=b' and the configured URL is '/path*b':
1. If include QS is enabled, the URL is matched.
2. Otherwise, there is no match (since matching is against '/path' only).
If there are no configured URLs with "Include Query String" enabled, matching may be wrong.
Conditions:
1. Wildcard URL configured in anti-fraud profile (URL name contains an asterisk).
2. None of the configured URLs has "Include Query String" enabled.
3. Traffic URL contains a query string.
Impact:
URL is incorrectly matched (when it either shouldn't be matched at all or should match another configured URL). Features/signatures might not work as expected.
Workaround:
Configure at least one URL with "Include Query String" enabled.
Fix:
FPS should match the query string correctly (according to configuration).
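The intended matching rule from the Symptoms above, written out as an added example (not FPS code). It assumes '*' is the only wildcard and matches any run of characters; the function name and the sample URLs other than '/path?a=b' and '/path*b' are made up.

```shell
#!/bin/sh
# Added example: model of the intended wildcard URL matching, not FPS code.

# wildcard_url_match PATTERN URL INCLUDE_QS
# Exit status 0 when URL matches PATTERN, 1 otherwise.
# INCLUDE_QS is "yes" when the configured URL has "Include Query String"
# enabled; otherwise the query string is removed from the traffic URL first.
# Assumption: "*" is the only wildcard and matches any run of characters.
wildcard_url_match() {
    pattern=$1
    url=$2
    if [ "$3" != "yes" ]; then
        url=${url%%"?"*}    # match against the path only
    fi
    # Values are passed through the environment so awk does not interpret
    # backslashes in them.
    PATTERN=$pattern SUBJECT=$url awk 'BEGIN {
        pat = ENVIRON["PATTERN"] ""
        s = ENVIRON["SUBJECT"] ""
        n = split(pat, part, "[*]")
        if (n <= 1) exit ((s "") == (pat "") ? 0 : 1)    # no wildcard: exact match

        head = part[1]; tail = part[n]
        if (substr(s, 1, length(head)) != head) exit 1   # must start with head
        pos = length(head) + 1

        # Pieces between wildcards must appear in order, without overlap.
        for (i = 2; i < n; i++) {
            if (part[i] == "") continue
            k = index(substr(s, pos), part[i])
            if (k == 0) exit 1
            pos += k - 1 + length(part[i])
        }

        # What is left must be long enough to end with the tail piece.
        if (length(s) - pos + 1 < length(tail)) exit 1
        exit (substr(s, length(s) - length(tail) + 1) == tail ? 0 : 1)
    }'
}

# Print "match" or "no match" for one combination.
describe_match() {
    if wildcard_url_match "$1" "$2" "$3"; then
        echo "match"
    else
        echo "no match"
    fi
}

# The two cases from the example above, plus a plain prefix wildcard.
echo "/path*b vs /path?a=b, include QS on:  $(describe_match '/path*b' '/path?a=b' yes)"
echo "/path*b vs /path?a=b, include QS off: $(describe_match '/path*b' '/path?a=b' no)"
echo "/path*  vs /path?a=b, include QS off: $(describe_match '/path*' '/path?a=b' no)"
```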
819397-1 : TMM does not enforce RFC compliance when processing HTTP traffic
Component: Local Traffic Manager
Symptoms:
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.
Conditions:
-- HTTP virtual server
-- Non-compliant HTTP request from client
Impact:
Pool members may be exposed to non-compliant HTTP requests.
Workaround:
None.
Fix:
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
Behavior Change:
A new BigDB variable has been added.
The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default.
If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
The checks performed are a subset of those described within the HTTP PSM module. If a blocking page is required, or more detailed control over which checks are performed, configure HTTP PSM or ASM on the virtual server.
If either HTTP PSM or ASM are configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.
819197-4 : BIGIP: CVE-2019-13135 ImageMagick vulnerability
Solution Article: K20336394
819189-3 : BIGIP: CVE-2019-13136 ImageMagick vulnerability
Solution Article: K03512441
819009-3 : Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol.
Component: TMOS
Symptoms:
The multicast routing protocols are implemented by pimd and mribd daemons. mribd daemon crashes in a specific configuration when debug logging is enabled for this daemon.
Conditions:
1) Dynamic Routing bundle is enabled and PIM protocol is enabled on a route domain.
2) High availability (HA) group/pair with floating self IP address is configured.
3) PIM neighbors are configured for each peer in high availability (HA) group/pair.
4) One of the peers in high availability (HA) is configured to use floating self IP address as an IP address for PIM protocol.
This is done using the 'ip pim use-floating-address' command in the PIM configuration in imish:
# ip pim use-floating-address
5) Multicast routing is configured in imish:
# ip multicast-routing
6) Debug logging for mribd is enabled:
# debug ip mrib all
# debug ipv6 mrib all
---
Note: Although steps 3 and 4 are optional, a practical configuration makes no sense without them.
Impact:
Dynamic routing daemon mribd crashes. Advanced routing not available while mribd restarts.
Workaround:
None.
Fix:
Dynamic routing daemon mribd no longer crashes when mribd debug logging is enabled.
818709-2 : TMSH does not follow current best practices
Solution Article: K36814487
818429-4 : TMM may crash while processing HTTP traffic
Solution Article: K70275209
817917-1 : TMM may crash when sending TCP packets
Solution Article: K00025388
817649-2 : AVR statistics for NAT cannot be shown on multi-bladed machine
Component: Application Visibility and Reporting
Symptoms:
The system presents an error message when trying to get AVR statistics for NAT:
Data Input Error: Database is unavailable.
Conditions:
Using AVR reports for NAT on a multi-bladed BIG-IP device.
Impact:
Cannot view AVR statistics for NAT.
Workaround:
1. Back up the file /etc/avr/monpd/monp_tmstat_fw_nat_entities.cfg
2. Run the following command:
sed -i 's/measures=/measures=period,/' /etc/avr/monpd/monp_tmstat_fw_nat_entities.cfg
3. Verify that the only change made to /etc/avr/monpd/monp_tmstat_fw_nat_entities.cfg was adding a 'period,' to the list of measures (can be compared against the backup file).
4. Restart monpd (to pick up the changes):
bigstart restart monpd
Fix:
Fixed formula for statistics to allow using it on a multi-bladed BIG-IP device.
817417-1 : Blade software installation stalled at Waiting for product image★
Component: Local Traffic Manager
Symptoms:
On a chassis system where the active/primary blade is running version 14.1.0 or later and a new blade is inserted that has version 14.0.0 or lower, the secondary blades fail to receive the updated images and the installation stalls. The primary blade reports 'Waiting for product image' when running the tmsh show sys software status command.
Conditions:
Primary blade running version 14.1.0 or above.
Secondary running an earlier version is inserted.
Impact:
Newly inserted blade does not synchronize volumes with the primary blade and cannot be used.
The tmsh show sys software status command reports that one or more blades are in 'waiting for product image' status indefinitely.
Workaround:
Ensure all blades are running the same version. This can be accomplished manually by running the following command at the command prompt (this example is for new blade inserted at slot #3):
scp /shared/images/* slot3:/shared/images
816625-1 : The TMM may crash in a rare scenario involving HTTP unchunking, and plugins.
Component: Local Traffic Manager
Symptoms:
The TMM crashes while passing traffic.
Conditions:
This occurs rarely on a Virtual Server configured with an HTTP profile that has HTTP response chunking enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM no longer crashes in a rare scenario involving HTTP unchunking and plugins.
816529-2 : If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.
Component: Traffic Classification Engine
Symptoms:
URLCAT lookups to Custom DB return Unknown result.
Conditions:
-- URL is being looked up against Custom DB
-- wr_urldbd is restarted at the same time
Impact:
Queries will likely fail in highly loaded environments if wr_urldbd is restarted for any reason.
Workaround:
None.
Fix:
Wr_urldbd restores connection to Custom DB after restart.
816273-2 : L7 Policies may execute CONTAINS operands incorrectly.
Component: Local Traffic Manager
Symptoms:
L7 Policies involving CONTAINS operands may execute incorrectly in some cases.
The policy compiler may incorrectly combine some internal states, 'forgetting' degrees of partial evaluation of a CONTAINS operation.
Conditions:
Multiple CONTAINS conditions are used on the same virtual server.
Impact:
The wrong policy actions may be triggered.
Workaround:
It may be possible to reorder the rules in a policy to restore correct operation. However, the more complex the policy, the less likely this is.
Fix:
L7 Policy CONTAINS operations are compiled correctly. Policies with CONTAINS operations no longer trigger the wrong rule actions.
815877-1 : Information Elements with zero-length value are rejected by the GTP parser
Component: Service Provider
Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.
Conditions:
Virtual server with GTP profile enabled processing GTP traffic.
Impact:
Well-formed GTP messages might get rejected.
Workaround:
Avoid sending GTP messages containing zero-length IEs.
Fix:
Zero-length IEs are now processed correctly.
815689-3 : Azure walinuxagent has been updated to v2.2.42.
Component: TMOS
Symptoms:
Some onboarding features are not available in the current version of walinuxagent.
Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.
Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.
Workaround:
None.
Fix:
The Azure walinuxagent has been updated to v2.2.42.
815649-1 : Named.config entry getting overwriting on SSL Orchestrator deployment
Component: Device Management
Symptoms:
When topology or general settings are re-deployed, named.conf is modified, and entries which do not belong to SSL Orchestrator are overwritten.
Conditions:
This occurs when topology or system settings are re-deployed.
Impact:
Content of named.conf file is lost/overwritten.
Workaround:
Modify named.conf manually or using zoneRunner (DNS :: Zones : ZoneRunner : named Configuration) after SSL orchestrator deployment.
815449-2 : BIG-IP closes connection when an unsized response is served to a HEAD request
Component: Local Traffic Manager
Symptoms:
When an HTTP response has neither Content-Length nor Transfer-Encoding and has a body, BIG-IP closes the connection to designate the end of the response body. The HTTP protocol allows a client to send a HEAD request instead of a GET request to obtain the response headers only (without a body). BIG-IP erroneously closes the connection when a response to a HEAD request lacks both Content-Length and Transfer-Encoding.
Conditions:
BIG-IP has a virtual server configured to use an HTTP profile.
The server response does not include the Content-Length or Transfer-Encoding headers in response to a HEAD request, and both client and server sides expect the communication to continue over the same connection.
Impact:
Connection closes and a client may not repeat the corresponding GET request on another connection.
Fix:
The connection stays open when an unsized response is provided to a HEAD request.
814953-3 : TMUI dashboard hardening
Component: TMOS
Symptoms:
The TMUI dashboard does not comply with current best practices.
Conditions:
TMUI dashboard accessed by authenticated administrative user.
Impact:
The TMUI dashboard does not comply with current best practices.
Workaround:
None.
Fix:
The TMUI dashboard now complies with current best practices.
813945-3 : PB core dump while processing many entities
Component: Application Security Manager
Symptoms:
PB core dump.
Conditions:
This may happen when the system is strained and PB is processing large policies (updating many entities may happen during periodic processing, response analysis).
This is a very rarely occurring scenario.
Impact:
PB core dump and restart.
Workaround:
None.
Fix:
PB core dump no longer occurs.
813389-1 : TMM Crashes upon failure in Bot Defense Client-Side code
Component: Application Security Manager
Symptoms:
In some cases, when Bot Defense Client-Side code is running in the browser, it causes TMM to crash.
Conditions:
-- Bot Defense is enabled with any JS browser verification (before or after access).
-- Browsing to an HTML page using a browser.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Added a sanity test so that TMM does not crash.
812981-4 : MCPD: memory leak on standby BIG-IP device
Component: TMOS
Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.
Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically
Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.
Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.
812341-2 : Patch or Delete commands take a long time to complete when modifying an ASM signature set.
Component: Application Security Manager
Symptoms:
When modifying an ASM signature set that is not attached to any security policy using iControl REST Patch or Delete commands, the command takes a long time to complete.
Conditions:
-- ASM provisioned.
-- Using REST API Patch or Delete command to modify an ASM signature set.
Impact:
Command takes longer (several seconds) to process on detached ASM signature sets than it takes to complete on attached signature sets.
Workaround:
None.
Fix:
Changes to signatures and signatures sets now only recompile policies that are affected by the change.
811789-2 : Device trust UI hardening
Component: TMOS
Symptoms:
Improved device trust UI input sanitization
Conditions:
-- ConfigSync in use.
Impact:
Improved device trust UI input sanitization
Workaround:
None.
Fix:
Improved device trust UI input sanitization
811745-2 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
Component: Service Provider
Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.
Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.
Impact:
Loss of mirroring between BIG-IP systems.
Workaround:
None.
Fix:
Mirror connections no longer disconnect during a failover.
811333-2 : Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile★
Component: Local Traffic Manager
Symptoms:
After upgrade, configuration load fails and the following error is present in the /var/log/ltm log:
01070312:3: Invalid keyword 'sslv2' in ciphers list for profile /Common/serverssl-insecure-compatible
Unexpected Error: Loading configuration process failed.
Conditions:
-- BIG-IP system with SSLv2 as ciphers option in SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
Impact:
The config is not loaded, and upgrade fails.
Workaround:
If you are encountering this after upgrading, run the following commands from the bash prompt:
1. Back up the configuration:
# cp /config/bigip.conf /config/bigip_backup.conf
2. List the occurrences of 'sslv2' in bigip.conf:
# grep -i sslv2 /config/bigip.conf
3. Remove the SSLv2 references:
# sed -i "s/\!SSLv2://g" /config/bigip.conf
4. Check to ensure there are no 'sslv2' references:
# grep -i sslv2 /config/bigip.conf
5. Verify the configuration:
# tmsh load sys config verify
6. Try loading the configuration:
# tmsh load sys config
Fix:
SSLv2 validation is removed from the configuration and upgrade succeeds.
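A read-only pre-check for the workaround above, added here as an example (it is not F5 code): it lists SSL profiles whose ciphers line mentions sslv2 and reports whether the sed expression from step 3 would clear it. The function names, the status labels, and the sample configuration (apart from the profile name taken from the error message) are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run check for the SSLv2 upgrade workaround (ID 811333).
# It only reads a bigip.conf-style file and never modifies it.

# Constructed sample configuration. Only the first profile name comes from
# the error message in the release note; the rest is made up.
sample_conf() {
    cat <<'EOF'
ltm profile server-ssl /Common/serverssl-insecure-compatible {
    app-service none
    ciphers !SSLv2:!EXPORT:RSA+AES:RSA+3DES:@SPEED
    defaults-from /Common/serverssl
}
ltm profile client-ssl /Common/legacy-client {
    ciphers DEFAULT:!SSLv2
}
ltm profile client-ssl /Common/modern-client {
    ciphers ECDHE+AES-GCM:!SSLv3
}
EOF
}

# scan_sslv2 FILE
# Prints "<profile> <status>" for every SSL profile whose ciphers string
# mentions sslv2 (case-insensitive, like the grep in steps 2 and 4):
#   removable  the substitution s/!SSLv2://g from step 3 clears it
#   manual     an sslv2 token would survive step 3 and needs hand editing
scan_sslv2() {
    awk '
        $1 == "ltm" && $2 == "profile" && ($3 == "client-ssl" || $3 == "server-ssl") {
            profile = $4
            next
        }
        $1 == "ciphers" && tolower($0) ~ /sslv2/ {
            after = $0
            gsub(/!SSLv2:/, "", after)      # same substitution as step 3
            status = (tolower(after) ~ /sslv2/) ? "manual" : "removable"
            print profile, status
        }
    ' "$1"
}

# Stand-alone demonstration on the constructed sample.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
scan_sslv2 "$demo_conf"
rm -f "$demo_conf"
```

A profile reported as manual (here a cipher string ending in `!SSLv2` with no trailing colon) would still show up in the step 4 grep after the sed has run.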
811145-2 : VMware View resources with SAML SSO are not working
Component: Access Policy Manager
Symptoms:
Connections to SAML-enabled VMware View resources fail with the following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.
Conditions:
VMware View resource is configured with SAML SSO method.
Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.
Workaround:
None.
Fix:
Can now successfully use VMware View resources with SAML SSO.
811105-1 : MRF SIP-ALG drops SIP 183 and 200 OK messages
Component: Service Provider
Symptoms:
SIP 183 and 200 OK messages are dropped after an INVITE in MRF SIP-ALG when media info is present in the Session Description Protocol.
Conditions:
- MRF SIP-ALG default configuration
- INVITE sent with media info in SDP
- Media info contains an rtcp without an IP address
Impact:
SIP calls are unable to establish media connections.
Workaround:
Ensure all RTCP attributes in the SDP have IP addresses.
Example: Change "a=rtcp:29974\r\n" to "a=rtcp:29974 IN IP4 10.10.10.10\r\n"
Fix:
Calls are able to establish media connections in MRF SIP-ALG when media info contains an RTCP with no IP information.
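To find the SDP bodies that need the workaround above, the following added example (not F5 code) scans an SDP body for a=rtcp attributes that carry a port but no address. The function names and the sample SDP are constructed; the suggested replacement assumes the RTCP address is the c= line in scope for that media section.

```shell
#!/bin/sh
# Added example: find a=rtcp attributes that carry a port but no address,
# the SDP shape described in ID 811105.

# Constructed SDP body with CRLF line endings. The a=rtcp:29974 line and the
# address 10.10.10.10 are the ones used in the release note's workaround.
sample_sdp() {
    printf '%s\r\n' \
        'v=0' \
        'o=- 1 1 IN IP4 10.10.10.10' \
        's=-' \
        'c=IN IP4 10.10.10.10' \
        't=0 0' \
        'm=audio 29973 RTP/AVP 0' \
        'a=rtcp:29974' \
        'm=video 30000 RTP/AVP 96' \
        'a=rtcp-mux' \
        'a=rtcp:30001 IN IP4 10.10.10.10'
}

# check_rtcp_addresses  (reads an SDP body on stdin)
# Prints one line per offending attribute:
#   <m= line> :: <a=rtcp line> => <suggested replacement>
# Returns 1 if anything was reported, 0 otherwise.
# Assumption: the suggested address is taken from the c= line in scope
# (a media-level c= overrides the session-level c=).
check_rtcp_addresses() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^m=/ { media = $0; conn = session_conn; next }
        /^c=/ {
            if (media == "") session_conn = substr($0, 3)
            conn = substr($0, 3)
            next
        }
        /^a=rtcp:/ {
            n = split(substr($0, 8), part, " ")
            if (n >= 4) next                    # port nettype addrtype address
            if (conn != "") fix = "a=rtcp:" part[1] " " conn
            else fix = "(no c= line in scope)"
            print media " :: " $0 " => " fix
            bad = 1
        }
        END { exit (bad + 0) }
    '
}

# Stand-alone demonstration on the constructed sample.
sample_sdp | check_rtcp_addresses || true
```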
811033-2 : MRF: BiDirectional persistence does not work in reverse direction if different transport protocols are used
Component: Service Provider
Symptoms:
If a message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP), messages traveling from the destination to the source of the persistence entry are incorrectly delivered to the destination.
Conditions:
-- A message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP).
-- Messages are traveling from the destination to the source of the persistence entry.
Impact:
Messages are forwarded to an incorrect endpoint.
Workaround:
None.
Fix:
For all bi-directional persistence records the transport protocol of the connection is not used in the key used to store the record.
810957-2 : Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
Component: TMOS
Symptoms:
When using dynamic routing, changing a virtual server's address from IPv6 to IPv4 can cause tmrouted to core.
Conditions:
-- Using dynamic routing.
-- Changing a virtual server's destination address from IPv6 to IPv4.
-- The virtual server's state changes.
Impact:
Tmrouted cores and restarts, which causes a temporary interruption of dynamic routing services.
Workaround:
Use TMSH to modify both the destination address and the netmask at the same time, e.g.:
tmsh modify ltm virtual <virtual server name> destination <destination address> mask <netmask>
Fix:
Now preventing tmrouted from coring when a virtual server's address is changed from IPv6 to IPv4.
810657-2 : Tmm core while using service chaining for SSLO
Solution Article: K21135478
810557-8 : ASM ConfigSync Hardening
Solution Article: K05123525
810537-2 : TMM may consume excessive resources while processing iRules
Solution Article: K12234501
809729-2 : When HTTP/2 stream is reset by a client, BIG-IP may not respond properly
Component: Local Traffic Manager
Symptoms:
When a client resets the HTTP/2 stream, the BIG-IP system may have several DATA frames ready to send. It drops these frames but does not credit their lengths back to the connection send window. This can shrink the window to a value at which no DATA frames are sent over the connection until the client updates the send window.
Conditions:
-- BIG-IP system has a virtual server.
-- HTTP/2 profile is assigned to it.
Impact:
For any subsequent request after the send window loses enough size, DATA frames with payload are not sent to the client over the affected HTTP/2 connection.
Workaround:
None.
Fix:
BIG-IP systems now correctly handle dropped DATA frames, crediting their lengths back to the connection send window.
809377-6 : AFM ConfigSync Hardening
Solution Article: K05123525
809205 : CVE-2019-3855: libssh2 Vulnerability
Component: TMOS
Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.
Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.
Impact:
A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
Workaround:
None.
Fix:
libcurl updated
809165-2 : TMM may crash while processing connector traffic
Solution Article: K50046200
808525-2 : TMM may crash while processing Diameter traffic
Solution Article: K55812535
808301-2 : TMM may crash while processing IP traffic
Solution Article: K04897373
807477-10 : ConfigSync Hardening
Solution Article: K04280042
807177-2 : HTTPS monitoring is not caching SSL sessions correctly
Component: Global Traffic Manager (DNS)
Symptoms:
In situations where a cached SSL session cannot be used, there are conditions where the information for old and new SSL sessions is not properly updated, and valid SSL sessions are not terminated in an orderly fashion.
Conditions:
When using GTM HTTPS monitoring.
Impact:
Information for old and new SSL sessions is not properly updated, and valid SSL sessions are not terminated in an orderly fashion.
Workaround:
Restart big3d by running the following command:
bigstart restart big3d
806093-1 : Unwanted LDAP referrals slow or prevent administrative login
Component: TMOS
Symptoms:
On a BIG-IP system configured with remote LDAP/Active Directory authentication, attempting to log in to the Configuration Utility or to the command-line interface may proceed very slowly or fail.
Conditions:
-- LDAP/Active Directory 'system-auth' authentication configured.
-- The Active Directory enables LDAP referral chasing (the default).
-- There are a number of Active Directory servers in the enterprise, or the BIG-IP system does not have complete network connectivity to all Active Directory servers (caused by firewalls or special routes).
Impact:
The BIG-IP system may chase LDAP referrals that reference LDAP servers that are unreachable, resulting in authentication timeouts/failures.
Workaround:
The workaround for temporarily disabling referral chasing depends on the software version.
-- For BIG-IP 14.1.0 - 14.1.2.2, and 15.0.0 - 15.0.1.0:
1. Edit the configuration file /etc/nslcd.conf.
2. Add the following line to the end of the file:
referrals no
3. Restart the nslcd service to apply the change:
systemctl restart nslcd
Important: This change is not persistent, and will be lost whenever MCPD reloads the BIG-IP configuration (tmsh load sys config), or when other changes are made to system-auth configuration values.
-- For BIG-IP 14.1.2.3 (and later 14.1.x releases), and 15.0.1.1 (and later 15.0.x.x releases), a db key has been added to allow this setting to be controlled. After making the db key change, the BIG-IP configuration must be saved and then loaded again in order to update nslcd.conf:
tmsh modify sys db systemauth.referrals value no
tmsh save sys config
tmsh load sys config
Fix:
Changes to LDAP referrals value in configuration are now saved, so this issue no longer occurs.
806085-2 : In-TMM MQTT monitor is not working as expected
Component: Local Traffic Manager
Symptoms:
Monitoring probes are not sent out to the network, regardless of the monitor configuration and sys db variable.
Conditions:
Configuring the in-TMM MQTT monitor.
Impact:
The state of pool members with an attached MQTT monitor is incorrectly shown as DOWN.
Workaround:
None.
Fix:
In-TMM MQTT monitor now works as expected.
805837-2 : REST does not follow current design best practices
Solution Article: K22441651
805557-2 : TMM may crash while processing crypto data
Solution Article: K43815022
805353-1 : ASM reporting for WebSocket frames has empty username field
Component: Application Security Manager
Symptoms:
When using ASM to inspect and report WebSocket frames, the username field is always reported as empty or absent.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- WebSocket profile attached to a virtual server.
-- ASM logging profile attached to a virtual server.
-- WebSocket traffic inspected by ASM and logged as event log message or remote logger message.
Impact:
Poor visibility of current logged-in user in the event log for WebSocket frames.
Workaround:
None.
Fix:
ASM populates username field for logged WebSocket frames
804313-2 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
Component: Service Provider
Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.
Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.
Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.
Workaround:
None
Fix:
Message sweeper interval value now loads correctly.
804185-2 : Some WebSafe request signatures may not work as expected
Component: Fraud Protection Services
Symptoms:
Request signatures are part of the WebSafe signature mechanism. The request signature is achieved by configuring an FPS-protected URL and a corresponding custom-alert. If the URL is a wildcard, a priority must be assigned to determine the order of matching. URL matching by priority is not working properly. As a result, the signatures do not work as expected.
Conditions:
There is at least one wildcard URL configured by the request signature update file.
Impact:
A portion of WebSafe request signatures do not work as expected:
-- An alert is sent, though it should not be (false-positive).
-- An alert was not sent, though it should be (false-negative).
Workaround:
Configure the same signature manually in the BIG-IP system's GUI/tmsh.
Fix:
FPS now correctly handles signature-based wildcard URL's priority.
803845-2 : When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown
Component: Local Traffic Manager
Symptoms:
Standby is passing traffic when a virtual wire is configured.
Conditions:
-- Virtual wire configured in high availability (HA).
Impact:
Standby device is forwarding traffic when it should not, causing a loop and subsequent network shutdown.
Workaround:
None.
Fix:
The Standby device no longer passes traffic through virtual wire when it should not.
803477-2 : BaDoS State file load failure when signature protection is off
Component: Anomaly Detection Services
Symptoms:
Behavioral DoS (BADoS) loses its learned thresholds.
Conditions:
Restart of admd when signature protection is off.
Impact:
The system must relearn the thresholds; BADoS protection is not available during the learning time.
Workaround:
Turn on signatures detection.
Fix:
BADoS State file successfully loads after admd restart, even without signatures detection.
803445-3 : When adding several mitigation exceptions, the previously configured actions revert to the default action
Component: Application Security Manager
Symptoms:
After adding a new item to the mitigation exception list, you can also change its mitigation action. If you do not save the changes and then add more new exception items, the mitigation actions of the previously added items return to their default value actions.
Conditions:
-- Add mitigation exception to the Bot Configuration.
-- Change mitigation action on that new exception.
-- Add new items to exception list without first saving.
Impact:
Mitigation action exceptions might be saved with their default value actions instead of the actions you configured.
Workaround:
After adding a group of exception items and editing their actions, save the Bot Configuration properties before adding any new mitigation exception items.
Fix:
When adding several mitigation exceptions, the previously configured actions no longer revert to the default action.
802961-2 : The 'any-available' prober selection is not as random as in earlier versions
Component: Global Traffic Manager (DNS)
Symptoms:
Some big3d instances can be periodically busier than other big3d instances.
Conditions:
-- When 'any-available' is selected for either the prober-preference or prober-fallback options.
-- A large number of monitors are defined.
Impact:
When the 'any-available' prober option is used, the selection of big3d probers may not be as random as in BIG-IP software versions prior to v13.0.0.
Workaround:
None.
802865-1 : The iControl REST query request returning empty list for DoS Protected Objects
Component: Advanced Firewall Manager
Symptoms:
DoS Protection profiles are not displayed in the GUI, but they are visible when using the tmsh command:
tmsh list security dos profile | grep "security dos profile"
Conditions:
This is encountered in Security :: DoS Protection : Protection Profiles.
Impact:
DoS Protected Objects are not included in the REST endpoint /mgmt/tm/security/presentation/tmui/virtual-list, so the GUI cannot display the DoS Protected Objects
Workaround:
Use tmsh.
Fix:
DoS Protected Objects are now visible in the GUI
802281-1 : Gossip shows active even when devices are missing
Component: TMOS
Symptoms:
Gossip appears Active even when one or more devices go missing from device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.
Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.
Impact:
Gossip reports that it is working when it is not.
Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
802261-2 : TMM may crash while processing SSL traffic via an HTTP/2 full-proxy
Solution Article: K65372933
801497-2 : Virtual wire with LACP pinning to one link in trunk.
Component: Local Traffic Manager
Symptoms:
A virtual-wire that uses interface trunks may use a single interface on egress.
Conditions:
Virtual-wire configured across multi-interface trunks.
Impact:
This may lead to unexpected link saturation.
Workaround:
None.
800453-3 : False positive virus violations
Component: Application Security Manager
Symptoms:
False positive ASM virus violations.
Conditions:
Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM. ASM reports a virus when the antivirus reply is timed out.
Impact:
False positive blocking or violation reporting.
Workaround:
The EnableASMByPass internal parameter can be configured to allow the antivirus server to not reply, so that ASM does not issue a violation when that occurs:
/usr/share/ts/bin/add_del_internal add EnableASMByPass 1
bigstart restart asm
Notes:
When the internal parameter is enabled, ASM will also bypass huge HTTP requests (when they come on multiple connections) instead of resetting them.
800369-2 : The fix for ID 770797 may cause a TMM crash
Component: Local Traffic Manager
Symptoms:
In rare situations the TMM may crash after the original fix for ID 770797 is applied.
Conditions:
HTTP2 is used on the client-side of a virtual server without an MRF http_router profile.
The original fix for ID 770797 is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The fix for ID 770797 has been altered to prevent the TMM from crashing in rare situations.
800305-2 : VDI::cmp_redirect generates flow with random client port
Component: Local Traffic Manager
Symptoms:
The VDI::cmp_redirect iRule command generates a flow with a randomly-assigned client port.
Conditions:
-- VDI::cmp_redirect iRule command used
Impact:
Client port is not the same as the original client port.
Fix:
The VDI::cmp_redirect iRule command now uses the same port.
800209-1 : The tmsh recursive list command includes DDoS GUI-specific data info
Component: Advanced Firewall Manager
Symptoms:
DDoS GUI-specific data is included when running the command: tmsh recursive list. This irrelevant information might cause confusion.
Conditions:
This occurs when the AFM module is enabled
Impact:
Extra, irrelevant data is provided in output, which can cause confusion.
Workaround:
This always happens as long as AFM is enabled. You can deprovision the AFM module to disable this command.
Fix:
DDoS GUI-specific data is now filtered out when running the command: tmsh recursive list.
800185-4 : Saving a large encrypted UCS archive may fail and might trigger failover
Component: TMOS
Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:
# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package
-- If saving UCS is automated you may find related errors in /var/log/audit:
err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))
-- Other services might be restarted due to lack of memory, which might result in failover.
-- System management via config utility or command line may be sluggish while UCS saves.
Conditions:
-- Large encrypted UCS files and low free host memory.
-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.
Impact:
The operation uses an amount of RAM at least 1.3 times the UCS file size. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.
The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.
Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.
Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)
If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.)
Fix:
Saving a large UCS file no longer fails.
799649-2 : TMM crash
Component: Local Traffic Manager
Symptoms:
TMM SIGSEGV crash due to memory corruption.
Conditions:
HTTP Security profile attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove the HTTP Security profile.
Fix:
HTTP Security profile does not cause TMM crash.
799617-2 : ConfigSync Hardening
Solution Article: K05123525
799589-2 : ConfigSync Hardening
Solution Article: K05123525
798949-3 : Config-Sync fails when Config-Sync IP configured to management IP
Component: TMOS
Symptoms:
Device Group Sync Fails with error in the GUI: 01070712:3: Caught configuration exception (0), Failed to sync files.
Conditions:
Config-Sync IP configured to management IP:
sys db configsync.allowmanagement value enable
Impact:
Config-Sync of file objects such as SSL certificates fails.
Workaround:
None.
Fix:
Config-Sync has been updated to allow synchronization of file objects over the mgmt port.
798261-2 : APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
Component: Access Policy Manager
Symptoms:
The following messages appear in the APM log and the user session is terminated:
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_finish_set_pipeline()" line: 720 Msg: Error: Set pipeline: While receiving response to 0 cmd set /.*/tmm.session.6833364e.session.assigned.uuid 0 0 32 s
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_server_disconnect()" line: 2533 Msg: Error: bad memcache connection (tmm:1), (fd:205)
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
The SET command failed because it incorrectly attempted to create session variable in all traffic groups.
Conditions:
1. Virtual address for SWG transparent is 0.0.0.0
2. Spanning on the virtual address is enabled.
Impact:
User sessions will be terminated
Workaround:
Disable virtual address spanning.
Fix:
N/A
798249-2 : TMM may crash while processing HTTP/2 requests
Solution Article: K81557381
798105-1 : Node Connection Limit Not Honored
Component: Local Traffic Manager
Symptoms:
Connection limits on nodes are not honored.
Conditions:
A node with connection limits set.
Impact:
More traffic will pass to the node than the limit is supposed to allow.
Workaround:
Modify the node's limit after the node is created and it will start honoring the limit.
Fix:
The node's limit is now honored.
797977-1 : Self-IP traffic does not preserve the TTL from the Linux host
Component: Local Traffic Manager
Symptoms:
The Egress traffic from TMM has IP TTL set to 255 instead of keeping the TTL from the Linux host.
Conditions:
IP/IPv6 TTL for host traffic.
Impact:
Tools like traceroute do not work because Linux host rejects the packets.
Workaround:
Adjust TTL verification restrictions
Fix:
IP TTL is preserved.
797885-2 : ConfigSync Hardening
Solution Article: K05123525
797785-2 : AVR reports no ASM-Anomalies data.
Component: Application Visibility and Reporting
Symptoms:
AVR collects data for ASM-Anomalies, which include Brute-Force and Web-Scraping activities. When reported, all metrics and dimensions are hidden. AVR output looks like this:
errdefs_msgno=\"22282253\",Entity=\"ASM_ANOMALIES\
Conditions:
When gathering statistics reporting a Brute-Force or Web-Scraping attack.
Impact:
AVR reports no ASM-Anomalies data.
Workaround:
None.
797541-1 : NTLM Auth may fail when user's information contains SIDS array
Solution Article: K05115516
Component: Access Policy Manager
Symptoms:
NTLM authentication fails when the authentication response contains a nonempty sid_and_attributes array. This will most likely occur when a user is a member of universal groups from a trusted domain.
Conditions:
- NTLM front-end authentication is configured.
- The authentication response contains nonempty sid_and_attributes array (most likely user is a member of universal groups from trusted domain)
Impact:
Users are unable to log in through the BIG-IP.
Warning messages similar to the following can be found in /var/log/apm logfile:
warning eca[11436]: 01620002:4: [Common] 192.168.0.1:60294 Authentication with configuration (/Common/server1.testsite.com) result: user01@USER01 (WORKSTATION): Fail (UNEXP_006C0065)
warning nlad[11472]: 01620000:4: <0x2b4d27397700> client[46]: DC[172.29.67.112]: schannel[0]: authentication failed for user 'user01', return code: 0x006c0065
NOTE: The return code is not necessarily 0x006c0065 or 0x00000007; it can be any value. However, the larger the SIDS and Attributes array, the more likely the error value will be 0x00000007.
Workaround:
None.
796469-6 : ConfigSync Hardening
Solution Article: K05123525
795797-2 : AFM WebUI Hardening
Solution Article: K21121741
795769-3 : Incorrect value of Systems in system-supplied signature sets
Component: Application Security Manager
Symptoms:
In properties of system-supplied Attack Signature Sets, the field "Systems" is always displayed with value All.
For example, for Generic Detection Signatures the "Systems" field should be: System Independent, General Database, Various systems
Instead, "Systems" is set to "All".
Conditions:
Only for system-supplied signature sets, while user-defined signatures sets are displayed with correctly assigned Systems.
Impact:
Misleading value of Systems
Workaround:
N/A
Fix:
Correct value of "Systems" is displayed for system-supplied signature sets
795685-2 : Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer
Component: TMOS
Symptoms:
If the BIG-IP system receives a BGP notification for OUT_OF_RESOURCES from its BGP peer, then displaying the peer information on the BIG-IP system causes bgpd to crash (running show ip bgp neighbor).
Conditions:
-- Receive a BGP notification for OUT_OF_RESOURCES from the BGP peer.
-- Run the 'show ip bgp neighbor' command to display the BGP peer information.
Impact:
Bgpd crashes. Routing may be affected while bgpd restarts.
Workaround:
None.
Fix:
All supported BGP notifications now have a corresponding message to display in show commands.
795437-4 : Improve handling of TCP traffic for iRules
Solution Article: K06747393
795261-2 : LTM policy does not properly evaluate condition when an operand is missing
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides an LTM policies mechanism to process traffic based on a set of rules. A rule may include a number of conditions and a number of actions to execute when the conditions are satisfied. Conditions use operands to evaluate. When an operand is missing, the BIG-IP system may fail to properly evaluate the condition.
Conditions:
-- A virtual server is configured with an LTM policy.
-- The policy contains a rule with a condition which has an operand and a negative matching type like 'not equals' or 'not starts-with', etc. (e.g., http-referer host not contains { www.example.com }).
-- A processing entity (like HTTP request, etc.) is missing an operand or has an empty value (e.g., header 'Referer' is missing from the request).
Impact:
The policy is improperly evaluated on the processing entity and may produce incorrect results when load balancing a request and/or serving a response.
Workaround:
You can use either workaround:
-- Convert rules to a 'positive' form (one without a negative matching type) whenever possible.
-- Use iRules instead of a policy (might impact performance).
Fix:
The BIG-IP system no longer incorrectly evaluates conditions in LTM policy rules when their operands are missing in a processing entity.
795197-1 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Solution Article: K26618426
794581 : Transfer might stall for an object served from WAM cache
Component: Local Traffic Manager
Symptoms:
When HTTP response is served from cache, a transfer stalls due to incorrect value in Content-Length header.
Conditions:
- Virtual server with HTTP profile that has standard chunking settings.
- Web acceleration profile is configured on the virtual server.
- HTTP response is served from AAM cache.
Impact:
Transfer stalls as the client is expecting more bytes from peer (due to Content-Length header being advertised as greater than the object's actual size).
Workaround:
For the HTTP profile used, set request-chunking to selective.
Fix:
Transfer completes for an object served from WAM cache.
794561-1 : TMM may crash while processing JWT/OpenID traffic.
Solution Article: K46901953
794501-2 : Duplicate if_indexes and OIDs between interfaces and tunnels
Component: TMOS
Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.
Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.
Impact:
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:
# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
if-index 64 <-------------------------------
net interface mgmt {
if-index 32
net vlan external {
if-index 96
net vlan internal {
if-index 112
net vlan test {
if-index 128
net vlan tmm_bp {
if-index 48
net tunnels tunnel http-tunnel {
if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
if-index 80
# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm
-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289
Workaround:
No workaround currently known.
Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.
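The duplicate in the listing above can be found mechanically. The following added example (not F5 code) reads the combined output of the three tmsh commands shown in the Impact section and reports every if-index assigned to more than one object; the function names are constructed, and the sample is the page's own listing with the arrow annotations removed.

```shell
#!/bin/sh
# Added example: flag if-index values shared by more than one object
# (interface, VLAN or tunnel), the condition described in ID 794501.

# The listing from the release note, without the "<---" annotations.
sample_listing() {
    cat <<'EOF'
net interface 0.10 {
    if-index 64
net interface mgmt {
    if-index 32
net vlan external {
    if-index 96
net vlan internal {
    if-index 112
net vlan test {
    if-index 128
net vlan tmm_bp {
    if-index 48
net tunnels tunnel http-tunnel {
    if-index 64
net tunnels tunnel socks-tunnel {
    if-index 80
EOF
}

# find_duplicate_ifindex  (reads the listing on stdin)
# Prints "if-index <n>: <object>, <object>[, ...]" for every index assigned
# to more than one object, in order of first appearance.
# Returns 1 when at least one duplicate exists, 0 otherwise.
find_duplicate_ifindex() {
    awk '
        $1 == "net" {
            name = $0
            sub(/^net /, "", name)          # drop the leading keyword
            sub(/ *[{] *$/, "", name)       # drop the trailing brace
            next
        }
        $1 == "if-index" {
            idx = $2
            if (!(idx in owners)) {
                order[++n] = idx
                owners[idx] = name
            } else {
                owners[idx] = owners[idx] ", " name
                dup[idx] = 1
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                if (order[i] in dup) {
                    print "if-index " order[i] ": " owners[order[i]]
                    found = 1
                }
            }
            exit (found + 0)
        }
    '
}

# Stand-alone demonstration on the listing from the release note.
sample_listing | find_duplicate_ifindex || true
```

The non-zero return status on a duplicate lets the check run from a scheduled health script ahead of the snmpd "Duplicate oid index found" warnings.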
794413-2 : BIND vulnerability CVE-2019-6471
Solution Article: K10092301
794389-6 : iControl REST endpoint response inconsistency
Solution Article: K89509323
794285 : BIG-IQ reading AFM configuration fails with status 400
Component: Protocol Inspection
Symptoms:
When BIG-IQ tries to read the AFM configuration using REST, the operation fails with status 400 if AFM is provisioned but the Protocol Inspection module is not licensed.
Conditions:
-- AFM provisioned on BIG-IP system.
-- Protocol Inspection module is not licensed.
Impact:
The operation fails with status 400. BIG-IQ cannot read the AFM configuration if the Protocol Inspection module is not licensed.
Workaround:
License Protocol Inspection.
793937-1 : Management Port Hardening
Solution Article: K03126093
793045-2 : File descriptor leak in net-snmpd while reading /shared/db/cluster.conf
Component: TMOS
Symptoms:
Net-snmpd leaks file descriptors when SNMP traps are added or deleted via tmsh.
To observe the increase in file descriptors used by snmpd, run 'ls -l /proc/$(pidof snmpd)/fd'.
The following error is logged in /var/log/daemon.log:
err snmpd[5160]: /proc/stat: Too many open files
Conditions:
Perform add/delete on SNMP traps via tmsh.
Impact:
Failure of snmpd operations on BIG-IP systems.
Workaround:
None.
Fix:
No longer leaks file descriptors in net-snmpd while reading /shared/db/cluster.conf.
793017-1 : Files left behind by failed Attack Signature updates are not cleaned
Component: Application Security Manager
Symptoms:
If an Attack Signature update encounters an error during installation, files that are meant to be temporary are left behind on disk and are not subject to periodic cleanup. This can eventually lead to disk space issues.
Conditions:
Attack Signature update encounters an error during installation.
Impact:
This can eventually lead to disk space issues.
Workaround:
Old sigfile.tmp.* directories under /var/ts/var/tmp can be safely removed.
Fix:
These directories are now included in the periodic file cleanup task.
792285-2 : TMM crashes if the queuing message to all HSL pool members fails
Component: TMOS
Symptoms:
When a system uses a High Speed Logging (HSL) configuration with an HSL pool, TMM crashes if queuing the message to all HSL pool members fails.
Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-plane logging is in use, for example (but not limited to) the iRule command HSL::send.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
792265-3 : Traffic logs does not include the BIG-IQ tags
Component: Application Visibility and Reporting
Symptoms:
AVR collects traffic data. When that data is reported to BIG-IQ, it omits the BIG-IQ tags which are required by BIG-IQ.
Conditions:
AVR collects traffic data and sends it to BIG-IQ.
Impact:
There are no BIG-IQ tags in the traffic logs. BIG-IQ is unable to map traffic-capturing logs to applications.
Workaround:
None.
Fix:
Traffic logs now include the BIG-IQ tags.
791669 : TMM might crash when Bot Defense is configured for multiple domains
Component: Application Security Manager
Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.
Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.
Impact:
TMM crash with core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.
791337-1 : Traffic matching criteria fails when using shared port-list with virtual servers
Component: Local Traffic Manager
Symptoms:
The system reports an error:
01b90011:3: Virtual Server /Common/vs1's Traffic Matching Criteria /Common/vs1_tmc_obj illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs2 destination address, source address, service port.
Conditions:
-- Creating virtual servers with shared object port-list.
-- Using the same port in another virtual server with different protocol with overlapping sources and destination IP address.
Impact:
Config validation failure prevents configuration changes.
Workaround:
Use different IP addresses and ports.
791057-1 : MCP may crash when traffic matching criteria is updated
Component: Local Traffic Manager
Symptoms:
MCP may crash when traffic matching criteria is updated, either directly or as the result of a configuration sync operation.
Conditions:
The specific root cause is unknown, although the crash is related to the update of traffic matching criteria.
Impact:
mcpd restarts. This results in a failover (when DSC is in use) or a halt to traffic processing (when DSC is not in use) while mcpd is restarting.
Workaround:
None.
790349-2 : merged crash with a core file
Component: Application Security Manager
Symptoms:
The merged process crashes and restarts.
Conditions:
A tmstat sync operation is occurring in the background.
Impact:
Statistical data is not available for system utilities/graphs while merged restarts. There is no other impact besides the appearance of the core file.
Workaround:
None.
Fix:
The scenario in which merged cores has been fixed.
789993-1 : Failure when upgrading to 15.0.0 with config move and static management-ip.
Component: TMOS
Symptoms:
Upgrade to 15.0.0 from earlier version fails.
Conditions:
This happens when upgrading to 15.0.0 from earlier versions with static management-ip (dhclient.mgmt set to disabled).
Impact:
As the config move fails, the Management IP address might not be correct on the newly installed 15.0.0 device.
Workaround:
Keep DHCP enabled before upgrading or reset the management-ip after upgrade.
Fix:
Failure when upgrading to 15.0.0 with config move and static management-ip.
789921-2 : TMM may restart while processing VLAN traffic
Solution Article: K03386032
789893-2 : SCP file transfer hardening
Solution Article: K54336216
789817-1 : In rare conditions info fly-out not shown
Component: Application Security Manager
Symptoms:
When the question mark icon ('?') is close to the right upper corner of the page, the info fly-out is not shown when the question mark icon is clicked.
Conditions:
This can occur under the following conditions:
-- On Security :: Application Security screens that display a question mark for a help icon.
-- The ? icon is close to the right upper corner of the page.
-- Clicking the question mark icon to open the fly-out menu.
Impact:
Info fly-out not shown.
Workaround:
Change page size so that the ? icon is not in the right upper corner.
Fix:
Fly-out is shown correctly in all cases.
789365-1 : pkcs11d CPU usage increases after running nethsm self validation test
Component: Local Traffic Manager
Symptoms:
pkcs11d CPU usage rises from less than 5% to more than 80% after running 'tmsh run sys crypto nethsm-test' command.
Conditions:
pkcs11d is up when running nethsm self-validation test.
Impact:
pkcs11d CPU usage is higher than expected.
Workaround:
Restart pkcs11d to recover CPU usage.
Fix:
pkcs11d no longer subscribes to MCPD for the nethsm self-validation test. Instead, it uses a one-time MCPD message passing routine.
789169-2 : Unable to create virtual servers with port-lists from the GUI★
Component: TMOS
Symptoms:
Using the GUI to create a virtual server with a port-list or address-list fails with the following error:
01070096:3: Virtual server <virtual server name> lists profiles incompatible with its protocol.
Conditions:
- The virtual server is created with an ip-protocol set to a value other than 'any'.
- A port-list or address-list is used.
Impact:
Virtual server creation fails.
Workaround:
Create the configuration in tmsh.
1. Create an LTM traffic-matching-criteria object to define the port-list and/or address list. The protocol on the traffic-matching-criteria must be set to the protocol that the virtual server will use.
2. Create the LTM virtual server, and set the traffic-matching-criteria to the name of the traffic-matching-criteria object.
Fix:
When a virtual server with a port-list is created from the GUI, a traffic-matching-criteria object is created internally and mapped to the virtual server. This ensures that the traffic-matching-criteria object uses the same ip-protocol as the virtual server.
788773-2 : HTTP/2 Vulnerability: CVE-2019-9515
Solution Article: K50233772
788769-2 : HTTP/2 Vulnerability: CVE-2019-9514
Solution Article: K01988340
788741-2 : TMM cores in the MQTT proxy under rare conditions
Component: Local Traffic Manager
Symptoms:
TMM may core in the MQTT proxy under unknown conditions.
Conditions:
-- MQTT proxy in use.
-- It is not known what other conditions are required to cause this issue.
Impact:
TMM cores. Failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores in the MQTT proxy.
788593-2 : APM logs may contain additional data
Solution Article: K43404365
Component: Access Policy Manager
Symptoms:
Under certain conditions, APM logs may include more information than was requested.
Conditions:
-- APM licensed and enabled.
-- ACCESS::log iRule in use.
Impact:
Additional data recorded in the APM log, potentially disrupting log filters or logging unrequested data.
Workaround:
None.
Fix:
APM logs now contain the expected information.
788557-5 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
Component: TMOS
Symptoms:
GRST - BGP graceful reset.
The problem occurs when the routing daemon bgpd restarts/starts (e.g., by terminating the bgpd daemon) its distribution of a process and is not supported. Another way to trigger it is to run the 'bigstart restart' command on the primary blade of a chassis with more than one blade.
After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.
Conditions:
-- BGP and BFD are configured.
-- The BGP router's 'graceful restart' option is configured and enabled (set to 120 by default).
-- The bgpd daemon is terminated.
Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.
Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions come from networks learnt by the affected routing protocol when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and the responsiveness of other routing devices connected to the BIG-IP system; typically, it is the routing convergence period, which includes setting up the peering and exchanging routing information and routes.
Workaround:
None.
Fix:
BGP and BFD peering is not recreated in GRST timeout anymore.
788417-2 : Remote Desktop client on macOS may show resource auth token on credentials prompt
Component: Access Policy Manager
Symptoms:
APM uses the 'username' attribute to pass the auth token for SSO-enabled native RDP resources on macOS. If Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the base64-encoded auth token in the username field.
This behavior is observed only with Remote Desktop Client v10.x for macOS.
Conditions:
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- Try to access the RDP resource from macOS using RDP client v10.x.
Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.
Impact:
Prompt for credentials (contains auth token in username field) causing APM end user confusion.
Workaround:
Apply the following iRule:
Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.
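when HTTP_RESPONSE_RELEASE {
    catch {
        set locationUri [HTTP::header Location]
        # Only act on 302 redirects to rdp:// URIs that carry the token in 'username'.
        if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" &&
             $locationUri contains "username=s:f5_apm"} {
            # Replace 'username=s:f5_apm' with 'gatewayaccesstoken=s:' in the Location header.
            HTTP::header Location \
                [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
        }
    }
}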
Fix:
Remote Desktop client on macOS does not show resource auth token on credentials prompt.
788325-2 : Header continuation rule is applied to request/response line
Solution Article: K39794285
Component: Local Traffic Manager
Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prepending continuation lines with leading whitespace symbols. This rule does not apply to the request or response line, so leading whitespace in the first header line is invalid. The BIG-IP system parses such a line as a header with an empty value.
Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.
Impact:
The BIG-IP system can hide some important HTTP headers either passing those to the pool member or failing to properly handle the request (or response) or failing to correctly load balance a connection (or request in case of OneConnect profile).
Workaround:
None.
Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in first header line, it properly parses the header and handles it correctly.
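The parsing rule described in this item, as an added example that is not F5 code: a strict header-block parser that joins continuation lines onto the preceding header and rejects a message whose first header line starts with whitespace, since there is no header for it to continue. The sample messages are constructed and the function names are hypothetical.

```python
import re

# Header field names consist of HTTP "token" characters only.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample: a legitimately folded header (continuation after X-Long).
FOLDED = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Long: part one\r\n"
    b"\tpart two\r\n"
    b"\r\n"
)

# Constructed sample: whitespace in front of the first header line.
LEADING_WS = (
    b"GET /index.html HTTP/1.1\r\n"
    b" Host: www.example.com\r\n"
    b"X-Forwarded-For: 192.0.2.10\r\n"
    b"\r\n"
)


class MalformedMessage(ValueError):
    """Raised when the header block cannot be parsed unambiguously."""


def parse_head(raw):
    """Parse the start-line and header fields of one HTTP/1.x message.

    Returns (start_line, [(name, value), ...]) with folded values joined
    by a single space.
    """
    head, separator, _body = raw.partition(b"\r\n\r\n")
    if not separator:
        raise MalformedMessage("header block is not terminated")
    lines = head.decode("latin-1").split("\r\n")
    start_line = lines[0]
    if not start_line or start_line[0] in " \t":
        raise MalformedMessage("missing or whitespace-led start-line")

    headers = []  # [name, value] pairs in wire order
    for number, line in enumerate(lines[1:], start=2):
        if line[:1] in (" ", "\t"):
            # A continuation line must follow a header field. Directly after
            # the start-line there is nothing to continue, so reject it
            # instead of guessing which header was meant.
            if not headers:
                raise MalformedMessage(
                    "line %d: whitespace before the first header field" % number
                )
            folded = line.strip(" \t")
            headers[-1][1] = (headers[-1][1] + " " + folded).strip()
            continue
        name, colon, value = line.partition(":")
        if not colon or not TOKEN_RE.match(name):
            raise MalformedMessage("line %d: invalid header field" % number)
        headers.append([name, value.strip(" \t")])
    return start_line, [(name, value) for name, value in headers]


def accepts(raw):
    """Return True if the message head parses, False if it is rejected."""
    try:
        parse_head(raw)
    except MalformedMessage:
        return False
    return True


if __name__ == "__main__":
    print(parse_head(FOLDED))
    print("leading-whitespace message accepted:", accepts(LEADING_WS))
```

Rejecting the message is one of the safe choices for a device in front of a pool: every hop then sees the same set of headers or none at all.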
788301-5 : SNMPv3 Hardening
Solution Article: K58243048
Component: TMOS
Symptoms:
SNMPv3 agents do not follow current best practices.
Conditions:
SNMPv3 agents enabled.
Impact:
SNMPv3 agents do not follow current best practices.
Fix:
SNMPv3 features now follow current best practices.
788269-3 : Adding toggle to disable AVR widgets on device-groups
Component: Application Visibility and Reporting
Symptoms:
Devices on device-group get into state of not-synced when AVR-related widgets are created or modified.
It occurs more frequently when manual config sync is enabled.
It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.
Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.
Impact:
Devices go into a non-synced state.
Workaround:
None.
Fix:
A DB-variable called avr.gui.widgets.sync has been added to disable widgets syncing. Possible values are 'disable' or 'enable'. It is enabled by default.
Behavior Change:
This release adds a DB-variable, avr.gui.widgets.sync, to disable widget syncing. Possible values are 'disable' or 'enable'. It is enabled by default.
788093 : MRF iRule command MR::restore with no argument causes tmm to crash
Component: Service Provider
Symptoms:
Executing MRF iRule command MR::restore with no arguments intended to restore all variables saved previously with MR::store causes tmm to crash.
Conditions:
Using iRule command MR::restore with no arguments intended to restore all variables saved previously with MR::store.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use MR::restore command with explicitly mentioned variables intended to be restored.
Fix:
MR::restore works as intended: when no variable is given, it brings back all variables saved previously with MR::store.
788033 : tpm-status may return "Invalid" after engineering hotfix installation
Solution Article: K91171450
788005-2 : Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP)
Component: Service Provider
Symptoms:
The SIP RFC states that if converting a message from a reliable transport to an unreliable transport, the proxy must guarantee delivery.
Conditions:
An administrator required conversion of SIP messages from TCP to UDP and was willing to forgo the delivery requirement.
Impact:
A system db variable was added to disable the TCP to UDP protection.
Workaround:
None
Fix:
A DB variable, Tmm.Sp.Sip.AllowTcpUdpConversion, has been added. Possible values are enable|disable; the default value is disable. Enabling the DB variable enables the protection blocking TCP to UDP conversion for SIP messages.
787845 : Tmsh command 'show running-config' fails when Protocol Inspection is not licensed.
Component: Protocol Inspection
Symptoms:
If the Protocol Inspection feature is not licensed then tmsh command 'show running-config' fails with 'Protocol Inspection feature not licensed.' message.
Conditions:
- AFM Protocol Inspection feature is not licensed.
Impact:
'tmsh show running-config' command returns an error: 'Protocol Inspection feature not licensed.'
Workaround:
None.
Fix:
'tmsh show running-config' command works as expected.
787825-2 : Database monitors debug logs have plaintext password printed in the log file
Solution Article: K58243048
Component: Local Traffic Manager
Symptoms:
When debug logging is enabled for a monitor instance of certain monitor types, the resulting monitor instance logs may contain sensitive details such as the password.
Conditions:
Debug mode is enabled for the following monitor types:
1. mssql
2. mysql
3. oracle
4. postgresql
Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.
Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types.
2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
Fix:
The password field for the monitor is now redacted by external monitors when monitor debugging is enabled.
787677-3 : AVRD stays at 100% CPU constantly on some systems
Component: Application Visibility and Reporting
Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.
Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.
Impact:
System performance degrades.
Workaround:
Restart TMM:
bigstart restart tmm
Fix:
Added processing that prevents AVRD from entering endless loops.
787477-2 : Export fails from partitions with '-' as second character
Component: Access Policy Manager
Symptoms:
Attempting to export a profile/policy from a partition that has a hyphen/dash (-) as the second character of its name results in the error message:
'Incorrect arguments: <partition> is not specified'.
Conditions:
Partition with '-' as second character in the name.
Impact:
Unable to export a policy from the given partition.
Workaround:
Rename the partition so that '-' is not the second character.
Fix:
Export is working as expected in this scenario.
787433-3 : SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed
Component: Local Traffic Manager
Symptoms:
When the OCSP response (and hence the OCSP certificate) is stapled for the SSL client, the issuer that appears on the OCSP certificate does not match the forward proxy CA cert configured in the client SSL profile.
Conditions:
The issue is seen when all the below conditions are met.
-- The BIG-IP system is using SSLO or SSL forward proxy.
-- The client hello sent from the SSL client includes the status request extension. This means that it requests BIG-IP system to staple the OCSP response.
-- The forward proxy CA cert in the client SSL profile is modified.
Impact:
In SSLO or SSL forward proxy mode, the server cert and the OCSP response that the BIG-IP system sends to the SSL client should both be signed (issued) by the forward proxy CA cert configured in the client SSL profile. If they are signed by different issuers, the response may fail some of the validation checks performed by the SSL client, which might lead the SSL client to terminate the SSL handshake.
Workaround:
To update and regenerate the OCSP signer information after modifying the forward proxy CA cert, run the command:
bigstart restart tmm
Fix:
The issuer appearing on the OCSP response always matches the forward proxy CA cert configured at the client SSL profile.
786913-2 : Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7
Component: Application Security Manager
Symptoms:
Upgrade fails when upgrading from 13.0.x or under if the config includes an LTM Policy (CPM) which modifies a DoS Application Profile.
Conditions:
-- LTM Policy is configured to specify a DoSL7 profile name.
-- Upgrade is from version 13.0.x or earlier.
Impact:
Upgrade failure.
Workaround:
1. Manually edit the /config/bigip.conf file, and place all of the 'security dos profile' objects before any 'ltm policy' objects.
2. Load the config.
Fix:
Upgrade no longer fails when using an LTM Policy which specifies a DoSL7 profile name.
786565-2 : MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded
Component: Service Provider
Symptoms:
When a message is created using the GENERICMESSAGE::message create iRule command during the CLIENT_DATA event, if the TCP payload buffer is not cleared before the event completes, the data in the payload buffer is forwarded to the generic message filter, disrupting its state machine.
Conditions:
-- A message is created using GENERICMESSAGE::message create iRule command during CLIENT_DATA event.
-- TCP payload buffer is not cleared before the event completes.
Impact:
The data in the payload buffer is forwarded to the generic message filter, disrupting its state machine. Subsequent messages are not forwarded.
Workaround:
To fix the problem, add the following to CLIENT_DATA:
TCP::payload replace 0 [TCP::payload length] ""
Fix:
Data left in the TCP payload buffer is now ignored and does not negatively impact the filter.
786173-1 : UI becomes unresponsive when accessing Access active session information
Component: Access Policy Manager
Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.
Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Impact:
Some session variables may be lost, which results in the GUI becoming unresponsive. The Access :: Overview :: Active Sessions page in the Admin UI becomes unusable.
Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Fix:
The solution for the reported issue is handled by the fix provided for ID 783817. ID 786173 fixes a null pointer exception that might occur in the specific case of a certain missing session variable, which is relevant only in BIG-IP releases 14.1.0 or later.
785741-1 : Unable to login using LDAP with 'user-template' configuration
Solution Article: K19131357
Component: TMOS
Symptoms:
Unable to log in as remote-user.
Conditions:
When the following are true:
-- LDAP remote-auth configured with user-template.
-- Remote-user configured to permit login.
Impact:
Unable to log in with remote-user.
Workaround:
Use bind-dn for authentication.
784989-2 : TMM may crash with panic message: Assertion 'cookie name exists' failed
Component: Access Policy Manager
Symptoms:
TMM crashes with a SIGFPE panic:
panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.
Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.
Fix:
Fixed TMM crash, which occurred when remotedesktop/VDI profile was used together with custom iRule and Debug level logging.
784713-3 : When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct
Component: Local Traffic Manager
Symptoms:
When SSL forward proxy is configured, or for SSLO, if OCSP or CRL is set on the serverside, the certificate that signs the OCSP response on the clientside does not have the correct Authority Key Identifier (AKID).
Conditions:
Configure SSL forward proxy or enable SSLO and enable OCSP or CRL on serverside/server SSL profiles.
Impact:
Incorrect AKID X509 extension for the OCSP signer certificate on the clientside. Depending on the browsers/clients, this may prevent them from using the stapled OCSP response.
Workaround:
None.
Fix:
After the fix, the OCSP signer certificate has the correct AKID X509 extension.
783849-2 : DNSSEC Key Generations are not imported to secondary FIPS card
Component: Global Traffic Manager (DNS)
Symptoms:
When new DNSSEC Key Generations are generated by a FIPS card, the Generation is not imported to the secondary FIPS card.
Conditions:
BIG-IP has a GTM sync group with FIPS cards in sync. New DNSSEC Key Generation is created.
Impact:
New DNSSEC Key Generation is not imported to secondary FIPS card, but the generation is synced within GTM sync group.
Workaround:
N/A
Fix:
DNSSEC Key Generation is not imported to secondary FIPS card over creation
783817-2 : UI becomes unresponsive when accessing Access active session information
Component: Access Policy Manager
Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.
The following error messages appear in the TMM log:
-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588
Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Impact:
Some session variables may be lost, which results in UI hang. Admin UI becomes unusable.
Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
783565-2 : Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP
Component: Fraud Protection Services
Symptoms:
Upgrade support for the DB variable to attach AJAX payload to the vToken cookie sets the 'send in alerts' flag configured on parameters without checking whether automatic transaction detection is turned on for the URL.
Conditions:
-- BIG-IP version 13.1.x or 14.0.x
-- A protected URL is configured with automatic transaction detection turned off.
-- A parameter on that URL is configured with all flags turned off.
-- The DB variable antifraud.internalconfig.flag1 is set to 'enabled' value.
-- Upgrade to 13.1.x or later (with load config) started.
Impact:
After upgrade, the configuration fails to load due to an error during schema change validation.
Workaround:
-- Set the DB variable antifraud.internalconfig.flag1 value to 'disabled' before the upgrade.
-- Configure 'send in alerts' flag on the parameters manually.
Fix:
Now upgrade support takes into consideration the automatic transaction detection flag on URL and sets 'send in alerts' flag on URL parameters only for URLs with automatic transaction detection turned on.
783513-2 : ASU is very slow on device with hundreds of policies due to logging profile handling
Component: Application Security Manager
Symptoms:
Signature Update (ASU) is very slow on devices with hundreds of policies due to logging profile handling.
Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- The BIG-IP is configured for logging profile handling.
Impact:
The ASU process takes hours to complete.
Workaround:
None.
782569-1 : SWG limited session limits on SSLO deployments
Component: Access Policy Manager
Symptoms:
SWG limited session limits are enforced on SSLO deployments that enable Explicit proxy authentication.
Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections that use custom category lookup (beyond the SWG limited session limit).
Impact:
SSLO fails to connect when the SWG limited session limit is reached.
Workaround:
None.
Fix:
If there is an SSLO profile paired with either an APM or SSLO per-request policy on a virtual server, and the operation has done a custom category only lookup, an SWG limited license is no longer consumed. This answers the case where there is auth (APM) on one virtual server, and the transparent virtual server is SSLO with custom category lookup only.
782529-2 : iRules does not follow current design best practices
Solution Article: K30215839
781725-2 : BIG-IP systems might not complete a short ICAP request with a body beyond the preview
Component: Service Provider
Symptoms:
An ICAP request (REQMOD or RESPMOD) body goes out to the ICAP server as far as a preview. If the server responds 100-continue, only a single chunk of the remaining payload might be sent to the server. Eventually the connection times out.
Conditions:
-- An ICAP profile is configured with a preview.
-- The HTTP request or response to be modified has a body that is more than one chunk longer than the preview length, yet short enough to be completely buffered in BIG-IP system before the preview is sent to the ICAP server.
-- The ICAP server responds with 100-continue.
Impact:
Only the first chunk of payload is sent after the preview, and eventually the connection times out.
Workaround:
None.
Fix:
The BIG-IP system now sends the complete ICAP request to the server, and the transaction completes normally.
781637-2 : ASM brute force counts unnecessary failed logins for NTLM
Component: Application Security Manager
Symptoms:
A false positive brute force violation is raised and the login request is blocked.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM Brute force protection enabled for NTLM login type.
Impact:
The login request is blocked by the ASM policy.
Workaround:
Define higher thresholds in the brute force protection settings.
Fix:
ASM no longer counts unnecessary failed logins for NTLM.
781605-3 : Fix RFC issue with the multipart parser
Component: Application Security Manager
Symptoms:
False positive or false negative attack signature match on multipart payload.
Conditions:
A very specific parsing issue.
Impact:
A parameter specific excluded signature may be matched or un-matched.
Workaround:
N/A
Fix:
The multipart parser issue was fixed.
781581-3 : Monpd uses excessive memory on requests for network_log data
Component: Application Visibility and Reporting
Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:
err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child
Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.
Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.
Workaround:
None.
Fix:
A db variable has been added: avr.eventlogsreportrownumber, which controls the number of logs displayed. The db variable default is 10000, and supports a range from 100 through 1000000.
Note: Using the maximum value may trigger the behavior described here. The system behavior depends on the specific machine hardware.
781449-2 : Increase efficiency of sPVA DoS protection on wildcard virtual servers
Solution Article: K14703097
781445-1 : named or dnscached cannot bind to IPv6 address
Component: Access Policy Manager
Symptoms:
In some scenarios, the named process cannot bind to IPv6 addresses. This occurs because the dnscached process listens to the wildcard IPv6 address port 53 (i.e., :::53) so it cannot respond to queries sent to IPv6 addresses.
The following message is reported in the ltm log:
err named[16593]: binding TCP socket: address in use.
Conditions:
-- The named and dnscached processes are not running.
-- The dnscached process is started first.
-- The named process is started later.
Impact:
The named process does not respond to the queries that are sent to IPv6 addresses at port 53.
Workaround:
1) Stop both the named and dnscached processes.
2) Edit the startup script for dnscached to start in IPv4-only mode.
2a) On BIG-IP system, open the file /etc/bigstart/startup/dnscached.
2b) Add "-4" to the command line option of dnscached.
3) Restart the processes:
bigstart restart named dnscached
Fix:
The dnscached startup script has been modified to start in IPv4-only mode, so it does not listen on any IPv6 address.
781377-2 : tmrouted may crash while processing Multicast Forwarding Cache messages
Solution Article: K93417064
781069-2 : Bot Defense challenge blocks requests with long Referer headers
Component: Application Security Manager
Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
The client may get blocked by TCP RST, or suffer from a challenge loop.
Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense are configured
-- Request has a Referer header that is between ~1400 and 3072 characters long
Impact:
Legitimate browsers may get blocked or suffer from a challenge loop
Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.
Fix:
Challenges with long Referer headers no longer block legitimate clients.
781021-2 : ASM modifies cookie header causing it to be non-compliant with RFC6265
Component: Application Security Manager
Symptoms:
When ASM strips the ASM cookies from the Cookie header, it leaves the header in a form that is not compliant with RFC6265 in two respects:
-- No space after the semicolon
-- A cookie with no value is sent without the equals sign
Conditions:
-- ASM Security Policy is used.
-- Request includes an ASM cookie.
Impact:
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.
Workaround:
Disable the cookie stripping by modifying the DB variable as follows:
tmsh modify sys db asm.strip_asm_cookies value false
Fix:
ASM now strips the ASM cookies from the request in a way that is compliant with RFC6265.
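The two compliance points above, shown as an added example (not F5 code): a model of the non-compliant output the symptoms describe next to a strict rewrite, with a checker for the RFC 6265 cookie-string grammar. The `TS` name prefix, the cookie names and the function names are assumptions made for the sample.

```python
import re

# RFC 6265 section 4.2.1:
#   cookie-string = cookie-pair *( ";" SP cookie-pair )
#   cookie-pair   = cookie-name "=" cookie-value
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
_PAIR = rf"{_TOKEN}=(?:{_OCTET}*|\"{_OCTET}*\")"
_COOKIE_STRING = re.compile(rf"{_PAIR}(?:; {_PAIR})*")

# Constructed sample request header; names and values are made up.
SAMPLE = "session=abc123; TS01a2b3c4=0123abcd; theme=; TS9f8e7d6c=89efcdab"


def is_asm_cookie(name):
    """Assumption for this sample: cookies to strip are those prefixed 'TS'."""
    return name.startswith("TS")


def parse_cookie_pairs(header_value):
    """Split a Cookie header value into (name, value) pairs.

    Tolerant on input: ';' with or without a following space, and a bare
    name without '=' (treated as an empty value).
    """
    pairs = []
    for chunk in header_value.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def naive_strip(header_value, should_strip):
    """Model of the output described in the symptoms (not compliant)."""
    out = []
    for name, value in parse_cookie_pairs(header_value):
        if should_strip(name):
            continue
        # An empty value loses its '=' sign.
        out.append(f"{name}={value}" if value else name)
    # No space after the semicolon.
    return ";".join(out)


def strip_cookies(header_value, should_strip):
    """Strict rewrite: 'name=value' pairs joined by '; '.

    Returns None when nothing is left, so the caller removes the header
    instead of sending an empty one.
    """
    kept = [(n, v) for n, v in parse_cookie_pairs(header_value)
            if not should_strip(n)]
    if not kept:
        return None
    return "; ".join(f"{n}={v}" for n, v in kept)


def is_rfc6265_cookie_string(value):
    """True when the value matches the RFC 6265 cookie-string grammar."""
    return _COOKIE_STRING.fullmatch(value) is not None


if __name__ == "__main__":
    for label, result in (("naive", naive_strip(SAMPLE, is_asm_cookie)),
                          ("strict", strip_cookies(SAMPLE, is_asm_cookie))):
        print(label, repr(result), is_rfc6265_cookie_string(result))
```

A check like `is_rfc6265_cookie_string` can be run against headers captured behind the proxy to confirm whether a strict origin server would accept them.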
780837-1 : Firewall rule list configuration causes config load failure
Component: Advanced Firewall Manager
Symptoms:
'tmsh load sys config' reports a syntax error.
The syntax error is reported on 'security firewall rule-list rule' configuration.
Conditions:
This occurs only if any of the rule-list rule ip-protocol contains one of the following protocols:
Note: You can see the mismatched protocol names in the /etc/protocols listing file (column 1 and column 3 differ):
bbn-rcc 10 BBN-RCC-MON # BBN RCC Monitoring
nvp 11 NVP-II # Network Voice Protocol
dcn 19 DCN-MEAS # DCN Measurement Subsystems
ospf 89 OSPFIGP # Open Shortest Path First IGP
crudp 127 CRUDP # Combat Radio User Datagram
Impact:
The system fails to load the configuration.
Workaround:
Manually edit the configuration file: /config/bigip_base.conf
1. Replace the ip-protocol name from rule-list configuration:
-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.
2. Save the file.
3. Issue the command:
tmsh load sys config
The configuration now loads without syntax errors.
780817-5 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
Component: TMOS
Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:
notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.
Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.
+ VIPRION B4300, B4340, and B44xx blades.
+ BIG-IP iSeries i15x00 platforms
-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.
Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.
Guests that are part of a redundant pair may fail over.
Workaround:
None.
Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.
780601-2 : SCP file transfer hardening
Solution Article: K03585731
779177-2 : Apmd logs "client-session-id" when access-policy debug log level is enabled
Solution Article: K37890841
778869-3 : ACLs and other AFM features (e.g., IPI) may not function as designed
Solution Article: K72423000
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, ACLs, IPI and other AFM features may not function as designed.
Conditions:
AFM provisioned and configured.
TCP mitigations active.
Impact:
AFM features do not function as designed.
Workaround:
None.
Fix:
ACLs and other AFM features (e.g., IPI) now function as designed.
778681-2 : Factory-included Bot Signature update file cannot be installed without subscription★
Component: Application Security Manager
Symptoms:
After upgrade, the factory-included Bot Signature update file cannot be installed without subscription, even if it is already installed.
Conditions:
Device is upgraded to 14.1.0 from previous version, and does not have a Bot Signatures subscription.
Impact:
The factory-included Bot Signature update file cannot be installed.
778125-1 : LDAP remote authentication passwords are limited to fewer than 64 bytes
Component: TMOS
Symptoms:
The LDAP remote authentication password is limited to fewer than 64 bytes.
Conditions:
Configured for remote authentication with a password that is longer than or equal to 64 bytes.
Impact:
Unable to log in as remote-user with a long password.
Workaround:
Set a password that is shorter than 64 bytes.
778077-3 : Virtual to virtual chain can cause TMM to crash
Solution Article: K53183580
777993-2 : Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
Component: TMOS
Symptoms:
Egress TCP/UDP traffic with same L4 source port and destination port to an external trunk is pinned to one link only.
Conditions:
This happens on BIG-IP hardware platforms with a Broadcom switch chip, so BIG-IP 2000/4000 and i2000/i4000 series are not impacted.
Impact:
Performance degradation as only a portion of the trunk bandwidth is utilized.
Workaround:
None.
Fix:
Egress TCP/UDP traffic with same L4 source port and destination port is now evenly distributed among trunk ports.
777937-3 : AWS ENA: packet drops due to bad checksum
Component: Performance
Symptoms:
-- Lower throughput and tps.
-- High availability (HA) heartbeat is getting dropped, resulting in an active-active configuration.
Conditions:
AWS Elastic Network Adapter (ENA) NIC is in use.
Impact:
Performance degradation and invalid HA configuration.
Workaround:
On the BIG-IP system, turn off checksum offloading on TX as follows:
modify sys db tm.tcpudptxchecksum value Software-only
Important: This workaround negatively affects NICs other than ENA. Therefore, the workaround is recommended exclusively when ENA NICs are the only dataplane NICs in use in the BIG-IP system.
Fix:
AWS ENA: no packet drops due to bad checksum.
777737-3 : TMM may consume excessive resources when processing IP traffic
Solution Article: K39225055
777269-1 : Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup
Component: Local Traffic Manager
Symptoms:
The Address Resolution Protocol is used to allow IP endpoints to advertise their L2 (Ethernet MAC) addresses, and to query their network peers to request needed associations. Typically, TMM will immediately broadcast an ARP announcing its IP-MAC association (sometimes called a "gratuitous" ARP), so that switches can begin directing traffic to the self-ip immediately.
When BIGIP-VE starts with interfaces provided by some hypervisors, it may not immediately know the MAC address assigned to the interface until several milliseconds after the interface is created. In these cases, the gratuitous ARP will contain the MAC address 00:98:76:54:32:10, which is a valid but incorrect MAC address.
Normally, this is harmless, because the correct MAC address is immediately announced once it is known. However, it may be possible for a L2 switch upstream from multiple BIGIP-VE instances to believe a L2 loop has developed, and block one or both ports through which it saw the gratuitous ARPs.
Conditions:
BIG-IP VE, version 13.0.0 or later, running with the virtio driver on an OpenStack-compatible hypervisor.
Impact:
If an upstream switch sees gratuitous ARPs from multiple downstream BIG-IP instances on the same L2 LAN, it might block connectivity to one or more ports through which the gratuitous ARPs are seen. The self IP may appear to have connectivity for some time after it comes up, before connectivity is blocked at the upstream switch.
Fix:
Gratuitous ARPs sent with an incorrect MAC address are no longer broadcast.
777261-4 : When SNMP cannot locate a file it logs messages repeatedly
Component: TMOS
Symptoms:
When the SNMP daemon encounters an error while attempting to statfs a file, it logs an error message. If the file is not present, this error is logged repeatedly and can fill up the log file.
Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.
Impact:
This can fill up the log with errors.
Fix:
The SNMP daemon has been fixed to log this error once.
777173-2 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
Component: Access Policy Manager
Symptoms:
When an administrator runs the Citrix vdi iApp in an APM standalone deployment (LTM is not licensed), the iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed
This is the result of a license check added for HTTP header transformation.
Conditions:
- APM is licensed as standalone (no LTM license).
- An administrator tries to run the Citrix vdi iApp.
Impact:
The administrator is not able to use the iApp to configure Citrix vdi access.
Workaround:
Adding an LTM module license resolves the error.
Fix:
Citrix vdi iApp now can be used to configure Citrix vdi access in an APM standalone deployment.
776133-1 : RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices
Component: Performance
Symptoms:
RSS hash is not used on BIG-IP Virtual Edition (VE).
You can run the following command to see the 'n' (no) for RSS results:
tmctl -d blade -i tmm/ndal_dev_status
Example:
iface device pci if_up link_up rcso lro sw_lro lro_no_md rvho rss tcso tso
1.1 vmxnet3 11:0.0 n n y:n y:n n y y:n n y:y y
Conditions:
This is encountered on BIG-IP VE.
Impact:
Performance degradation on non-SR-IOV devices.
Workaround:
None.
776073-1 : OOM killer killing tmm in system low memory condition as process OOM score is high
Component: TMOS
Symptoms:
When the BIG-IP system is running low on memory, the Out-Of-Memory (OOM) killer is more likely to select tmm to kill in order to release resources.
Conditions:
BIG-IP version 13.0.x or later is installed and the system is running with low memory.
Having AFM provisioned makes the tmm process more likely to be selected by the OOM killer.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Adjust OOM score of "tmm" process through oom_score_adj proc setting.
echo "-500" > /proc/<pid_of_tmm>/oom_score_adj
Fix:
The OOM score for the "tmm" process is adjusted so that the OOM killer does not prioritize "tmm" during a system low-memory condition.
775897-1 : High Availability failover restarts tmipsecd when tmm connections are closed
Component: TMOS
Symptoms:
All security associations (SAs) can be deleted when tmipsecd restarts as a result of closing tmm connections during failover from active to standby.
Conditions:
When failover happens for high availability (HA), tmipsecd aims to close tmm connections when on standby, because tmm must connect instead to the daemon running in the active system. But a side effect of this is that tmipsecd restarts, resulting in deletion of all SAs when tmipsecd comes back up.
Impact:
tmipsecd restarts. All IPsec tunnels experience an interruption of service until new SAs are negotiated.
Workaround:
None.
Fix:
Now tmipsecd no longer restarts when the tmm connections are closed in response to failover from active to standby.
775833-2 : Administrative file transfer may lead to excessive resource consumption
Solution Article: K94325657
775621-2 : urldb memory grows past the expected ~3.5GB
Component: Access Policy Manager
Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).
Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.
Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.
Workaround:
None.
Fix:
The system no longer preloads the database into memory, so memory no longer grows past what is expected.
775013-2 : TIME EXCEEDED alert has insufficient data for analysis
Component: Fraud Protection Services
Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.
Conditions:
Viewing alert logs for time-exceeded messages.
Impact:
Makes troubleshooting and/or analysis difficult.
Workaround:
None.
Fix:
All encryption failure alerts now provide additional details to assist in troubleshooting the process.
774941-1 : GUI misspelling in Bot Defense logging profile
Component: Application Security Manager
Symptoms:
There is a misspelling in the logging profile for Bot Defense: Log Requests by Classificaiton.
Conditions:
Go to Security :: Event Logs : Logging Profiles :: Logging Profile :: Bot Defense :: Request Log.
Impact:
GUI shows misspelled word. There is no functional impact to this issue.
Workaround:
None needed. This is a cosmetic issue only.
Fix:
The text has been corrected: Log Requests by Classification.
774913-1 : IP-based bypass can fail if SSL ClientHello is not accepted
Component: Local Traffic Manager
Symptoms:
IP-based bypass can fail for an SSL stream if the client sends a ClientHello that is not accepted by the BIG-IP system.
Conditions:
Client's SSL ClientHello message is not accepted by the BIG-IP system.
Impact:
Connection drop.
Workaround:
None.
Fix:
Check SSL bypass policy before parsing ClientHello message.
774881 : Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed.
Component: Protocol Inspection
Symptoms:
Protocol Inspection profiles can be added to a virtual server but are not applied to traffic.
To add a Protocol Inspection profile, it is now required to have an AFM standalone license or an add-on AFM license that includes the Protocol Inspection module. Otherwise, an error message is shown.
Conditions:
-- AFM is licensed as an add-on module without Protocol Inspection feature.
-- Protocol Inspection profile is configured and added to a virtual server or referenced in a firewall rule.
Impact:
It might appear that the configured Protocol Inspection profile attached to a virtual server or referenced in a firewall rule should work, but in fact, it is not applied to the actual traffic.
Workaround:
None.
Fix:
An error message is shown when trying to apply a Protocol Inspection profile to a virtual server or to a firewall rule having no Protocol Inspection license.
774633-2 : Memory leak in tmm when session db variables are not cleaned up
Component: Access Policy Manager
Symptoms:
There are some session db variables created as part of the split session proxy that have an indefinite timeout. If there is an error path or a failure with an inline service, the delete never gets called and these session keys build up over time, causing memory to leak in tmm.
Conditions:
SSLO setup with a service connector that fails.
Impact:
tmm eventually runs out of memory and generates a core file.
Workaround:
None.
Fix:
Variables have been set with a timeout so that they don't leak memory if the inline service fails.
774445-1 : BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2
Solution Article: K74921042
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).
Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor.
-- VMXNET 3 NICs.
Impact:
Traffic does not pass through non-mgmt interfaces.
Workaround:
You can use the following workarounds:
-- Until this issue is fixed in a Point-Release for your software branch, you can contact F5 Networks Technical Support to obtain an Engineering Hotfix to address the issue. This workaround allows TMM to continue to use the VMXNET3 driver, which is preferable.
-- On BIG-IP version 14.1.0, you can switch to the 'sock' driver.
-- On BIG-IP versions earlier than 14.1.0, you can switch to the 'unic' driver.
Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.
IMPORTANT: The driver must be configured the same way on all devices in a sync-failover device group.
To switch driver:
1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). For example:
echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl
2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):
bigstart restart tmm
3. After tmm restarts, confirm the driver in use by examining the output of:
tmctl -d blade tmm/device_probed
Fix:
BIG-IP VE now passes traffic on ESXi 6.7 Update 2.
774213-1 : SWG session limits on SSLO deployments
Component: Access Policy Manager
Symptoms:
SWG session limits are enforced on SSLO deployments that enable Explicit proxy authentication.
Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections (beyond the SWG session limit).
Impact:
SSLO fails to connect when the SWG session limit is reached.
Workaround:
None.
Fix:
If there is an SSLO profile paired with either an APM or SSLO per-request policy on a virtual server, and the operation has done a hostname only lookup, an SWG license is no longer consumed. This answers the case where there is auth (APM) on one virtual server, and the transparent virtual server is SSLO with hostname Category Lookup only.
773925-2 : Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files
Component: Application Visibility and Reporting
Symptoms:
For unknown reasons, sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB table files. MySQL starts reporting error 24 in its error log:
190228 8:21:17 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_FW_NAT_TRANS_DEST_H.frm' (errno: 24)
190228 8:45:36 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_ASM_NETWORK_T.frm' (errno: 24)
190228 9:12:22 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_ASM_NETWORK_T.frm' (errno: 24)
Conditions:
-- Statistics are collected locally on the BIG-IP system (that is, the BIG-IP system is not associated with a BIG-IQ device).
-- There is a considerable amount of traffic.
Impact:
Statistic reports stop working. In some cases DB becomes corrupted.
Workaround:
In /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter from 2500 to 5000.
2. Add the following parameter (right after 'open_files_limit'):
table_open_cache=2000
3. Restart MySQL:
bigstart restart mysql
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
Fix:
Embed MariaDB configuration change into the standard BIG-IP versions.
773821-1 : Certain plaintext traffic may cause SSLO to hang
Component: Local Traffic Manager
Symptoms:
SSLO relies on SSL hudfilter to detect non-SSL traffic; but certain plaintext can be mistaken as SSL traffic, which can cause a hang.
Conditions:
Initial plaintext traffic resembles an SSLv2 hello message or has too few bytes for SSL to process.
Impact:
SSLO hangs, unable to bypass traffic.
Workaround:
None.
Fix:
Improve SSL hello parser.
773677-1 : BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase★
Solution Article: K72255850
Component: TMOS
Symptoms:
The system-journald process writes to temporary storage /run/log/journal when storage mode is set to 'auto'. The persistent directory /var/log/journal that controls where the log goes (temporary or persistent memory) is usually created during BIG-IP system reboot. In some cases, /var/log/journal is not created. In the absence of this, system-journald writes to temporary storage /run/log/journal.
Conditions:
BIG-IP upgraded from versions prior to v14.1.0 to version 14.1.0 or later.
Impact:
Because it writes to temporary memory, system SWAP memory usage increases, which impacts overall system performance and may result in the kernel out-of-memory killer running and killing system processes.
Workaround:
Perform these steps while running the upgraded 14.1.x system.
1. Create system-journald persistent log directory manually:
mkdir /var/log/journal
chown root:systemd-journal /var/log/journal
chmod 2755 /var/log/journal
chcon system_u:object_r:var_log_t:s0 /var/log/journal
2. Reboot the system.
Fix:
The system-journald persistent directory is always created during reboot or when the system-journald storage option is set to 'persistent'.
773673-2 : HTTP/2 Vulnerability: CVE-2019-9512
Solution Article: K98053339
773653-6 : APM Client Logging
Solution Article: K23876153
773649-6 : APM Client Logging
Solution Article: K23876153
773641-6 : APM Client Logging
Solution Article: K23876153
773637-6 : APM Client Logging
Solution Article: K23876153
773633-6 : APM Client Logging
Solution Article: K23876153
773621-6 : APM Client Logging
Solution Article: K23876153
773553-2 : ASM JSON parser false positive.
Component: Application Security Manager
Symptoms:
False positive JSON malformed violation.
Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.
Impact:
HTTP request is blocked or an alarm is raised.
Workaround:
There is no workaround other than disabling the JSON profile.
Fix:
JSON parser has been fixed as per RFC8259.
773421-1 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
Component: Local Traffic Manager
Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.
Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).
-- OneConnect is applied.
-- proxy-mss is enabled (the default value starting in v12.0.0).
Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.
Workaround:
Disable proxy-mss in the configured TCP profile.
Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.
772545-3 : Tmm core in SSLO environment
Component: Local Traffic Manager
Symptoms:
Unexpected SSL events can occur in SSLO configuration, possibly resulting in tmm core.
Conditions:
An SSLO environment in which server-side SSL can become enabled during the client-side handshake, causing unexpected events.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enable the SSL forward proxy verified-handshake setting, available in 14.0.
772473-3 : Request reconstruct issue after challenge
Component: Application Security Manager
Symptoms:
False positive on Content-Type header in GET request.
Conditions:
After challenge is completed, the server responds to the reconstructed request with a 302-redirect.
Impact:
The BIG-IP adds to the next request (GET request) a Content-Type header.
Workaround:
There is no workaround at this time.
Fix:
The BIG-IP no longer reconstructs the next request after a redirect.
772233-4 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
Component: Global Traffic Manager (DNS)
Symptoms:
When probing a DNS Path, the round trip time (RTT) metric is not set correctly if the collection protocol used is DNS_DOT or DNS_REV.
The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.
Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.
Impact:
RTT metric is not set at all.
Workaround:
Use the ICMP collection protocol instead.
Fix:
The problem no longer occurs for either collection protocol (DNS_DOT or DNS_REV), and the RTT is set correctly.
772117-3 : Overwriting FIPS keys from the HA peer with older config leads to abandoned key on FIPS card
Component: TMOS
Symptoms:
A key being overwritten is not removed from the FIPS card, so it becomes an abandoned key in the FIPS card, which cannot be used and properly tracked by the BIG-IP system.
An abandoned key appears similar to the following:
[root@big8:Active:Standalone] config # tmsh show sys crypto fips
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (1)
ID MOD.LEN(bits)
d3d8ecc5a489c64b8dfd731945d59950 2048 <==== properly tracked and configured key in BIG-IP
/Common/fffff.key
e35e900af8b269d2f10b20c47e517fd1 2048 <==== no name, abandoned
Conditions:
The issue is seen when all the following conditions are met:
1. High availability (HA) setup formed by multiple BIG-IP systems with FIPS cards.
2. An Administrator of one of the BIG-IP systems deletes its FIPS key, and creates another FIPS key using the same name.
3. HA sync occurs from another BIG-IP system (with the older config) back to the first BIG-IP system (i.e., the operation overwrites the newly created FIPS key with the old FIPS key).
Impact:
It leads to orphan keys on the FIPS card, meaning that the keys are not present in the BIG-IP configuration as a configured key, so the key cannot be used by the BIG-IP system.
Workaround:
Manually delete the abandoned key from the FIPS card using the following command.
tmsh delete sys crypto fips key <key-id>
For example, for the abandoned key specified earlier, use the following command:
tmsh delete sys crypto fips key "e35e900af8b269d2f10b20c47e517fd1"
Fix:
Now, the overwritten key is successfully removed, so there is no longer an abandoned key present on the FIPS card.
771905-2 : JWT token rejected due to unknown JOSE header parameters
Component: Access Policy Manager
Symptoms:
JWT token rejected and OAuth Scope Agent fails.
Conditions:
The JWT access token contains unregistered JSON Object Signing and Encryption (JOSE) header parameters (e.g., nonce).
Impact:
Unregistered JOSE header parameters cause the JWT access token to be rejected. OAuth Scope Agent fails.
Workaround:
None.
Fix:
If an unregistered parameter in the JOSE header is present in the JWT token, the system ignores the parameter instead of rejecting the token.
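The header handling described in this fix, as an added example (not F5 code): unregistered JOSE header parameters are ignored rather than treated as fatal. It goes one step beyond the release note by also applying the RFC 7515 "crit" rule, under which a parameter listed as critical must be understood or the token is rejected. The allow-listed algorithms, function names and sample tokens are assumptions, and no signature is verified here.

```python
import base64
import json

# Header parameter names registered by RFC 7515 section 4.1.
REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
              "x5t#S256", "typ", "cty", "crit"}
ALLOWED_ALGS = {"RS256", "ES256"}      # assumption: this validator's allow-list
UNDERSTOOD_EXTENSIONS = frozenset()    # assumption: no extensions implemented


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(header):
    """Build a constructed compact JWS with a placeholder signature."""
    payload = {"sub": "constructed-user", "scope": "read"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


def check_jose_header(token):
    """Return (accepted, reason, ignored_params) for the token's JOSE header.

    Header checks only; signature and claim validation happen afterwards.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS", []
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "header is not base64url-encoded JSON", []
    if not isinstance(header, dict):
        return False, "header is not a JSON object", []

    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        return False, "alg not in allow-list", []

    if "crit" in header:
        crit = header["crit"]
        if (not isinstance(crit, list) or not crit
                or not all(isinstance(c, str) for c in crit)):
            return False, "malformed crit", []
        for name in crit:
            # crit may not name registered parameters, must refer to a
            # parameter that is present, and must be understood.
            if (name in REGISTERED or name not in header
                    or name not in UNDERSTOOD_EXTENSIONS):
                return False, f"critical parameter not understood: {name}", []

    # Anything else unregistered is ignored, not a reason to reject.
    ignored = sorted(k for k in header
                     if k not in REGISTERED and k not in UNDERSTOOD_EXTENSIONS)
    return True, "ok", ignored


if __name__ == "__main__":
    samples = [
        {"alg": "RS256", "typ": "JWT", "nonce": "n-123"},
        {"alg": "RS256", "crit": ["nonce"], "nonce": "n-123"},
        {"alg": "none", "typ": "JWT"},
    ]
    for hdr in samples:
        print(hdr, "->", check_jose_header(make_sample_token(hdr)))
```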
771873-5 : TMSH Hardening
Solution Article: K40378764
771705-1 : You may not be able to log into BIG-IP Cloud Edition if FSCK fails
Component: TMOS
Symptoms:
During BIG-IP Cloud Edition bootup, if FSCK fails and requires manual intervention to recover, you may not be able to proceed. This occurs because login requires the password for root, which is not typically set.
Conditions:
-- BIG-IP Cloud Edition.
-- FSCK failure on bootup requires manual intervention to recover.
Impact:
Cannot log in to BIG-IP Cloud Edition.
Important: There is no way to recover if the FSCK failure has already occurred. You must begin the BIG-IP Cloud Edition configuration again. You should implement the Workaround to prevent the issue from occurring.
Workaround:
To prevent the issue from occurring, run the following command for every filesystem:
tune2fs -i 0 <file system>
Following is a list of file systems (replace '1' with the relevant slot number if the active slot is not 1):
/dev/vg-db-vda/set.1.root
/dev/mapper/vg--db--vda-set.1._var
/dev/mapper/vg--db--vda-set.1._usr
/dev/mapper/vg--db--vda-set.1._config
/dev/mapper/vg--db--vda-dat.share
/dev/mapper/vg--db--vda-dat.log
/dev/mapper/vg--db--vda-dat.appdata
Fix:
FSCK is disabled in BIG-IP Virtual Edition (VE) for both cloud and hypervisor configurations, so this issue no longer occurs.
Note: Disabling FSCK in virtual machines is considered standard operating procedure. In BIG-IP VE, FSCK is disabled upon the image creation and during live install of the full ISO. It is disabled for all file systems on all slots (boot locations). Although it is not recommended, you can manually reenable FSCK in Linux, in particular, using tune2fs to set the FSCK schedule, and updating /etc/fstab to allow it.
Behavior Change:
FSCK is now disabled in BIG-IP Virtual Edition (VE) for both cloud and hypervisor, preventing failure during bootup. FSCK disablement also persists during a downgrade. F5 Networks does not recommend reenabling FSCK. However, you can reenable it in Linux by updating /etc/fstab, so you can use tune2fs to set the FSCK schedule.
771173-3 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★
Component: Advanced Firewall Manager
Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.
Conditions:
This happens when upgrading from 12.x to 13.x and beyond.
Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.
Workaround:
You can fix the configuration by modifying it manually after upgrading.
In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>
771025-3 : AVR send domain names as an aggregate
Component: Application Visibility and Reporting
Symptoms:
AVR sends domain name as an aggregate of a number of domain names.
Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain names, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it starts to aggregate all the new domain names.
Impact:
Cannot see the correct domain name.
Workaround:
None.
Fix:
AVR now removes old domain names, so it can add new ones and send the actual domain names it collected.
770953 : 'smbclient' executable does not work
Component: TMOS
Symptoms:
Service Message Block (SMB) monitor is not functional.
Conditions:
This occurs under all conditions.
Impact:
SMB monitors fail. This occurs because the 'smbclient' executable is not functional.
Workaround:
None.
Fix:
'smbclient' executable is runnable and SMB monitoring is working.
770797-1 : HTTP2 streams may get stuck in rare situations
Component: Local Traffic Manager
Symptoms:
If HTTP2 is used in a 'gateway' configuration on a virtual server, without the use of an MRF http_router profile, HTTP connections are used to connect to the back-end servers.
The HTTP connections are pooled, and may be reused between streams. In rare situations, an HTTP connection is reused whilst it is in the process of shutting down. This may cause the corresponding HTTP2 stream to get into an unexpected state, and get 'stuck'.
The stuck streams persist until the client closes the HTTP2 connection. If a client keeps opening new streams on the affected connection, it may eventually run out of the total allowed streams limited by the HTTP2 profile. The client may then deadlock, waiting for streams to close.
Conditions:
An HTTP2 profile is used on a virtual server without an MRF http_router profile.
Impact:
The impact depends on client behavior. Some clients will open new connections for stuck streams, so the impact will be minimal. Others will show loss of performance or hang waiting for resources that will never be delivered.
Workaround:
None.
Fix:
HTTP2 streams no longer get stuck in rare situations.
770557-3 : Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one
Component: Access Policy Manager
Symptoms:
The per-Session RADIUS Acct STOP message is forged based on the pool route domain, but is sent through the default one.
Conditions:
1. Deploy the BIG-IP system with two route domains.
2. Under each route domain, you have a path to the RADIUS server.
3. Create Access Policy with a Logon Page, RADIUS Acct agent fallback-to-Deny ending.
4. Attach it to the virtual server.
5. Run tcpdump -i any port 1813 -ne on the BIG-IP system.
6. Navigate to the virtual server.
7. Wait 20 seconds until STOP packets arrive.
Impact:
The BIG-IP system sends the STOP packets according to the default routing table instead of the configured route domain RADIUS server.
Workaround:
None.
Fix:
The BIG-IP system now sends the STOP packets according to the configured route domain RADIUS server.
770477-2 : SSL aborted when client_hello includes both renegotiation info extension and SCSV
Component: Local Traffic Manager
Symptoms:
Client SSL reports an error and terminates handshake.
Conditions:
The initial client_hello message includes both signaling mechanisms for secure renegotiation: an empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
Impact:
Unable to connect with SSL.
Workaround:
None.
Fix:
Both signaling mechanisms are now allowed in client_hello.
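The check behind this class of failure, as an added example (not F5 code): RFC 5746 lets a client signal secure-renegotiation support with the SCSV cipher suite value, an empty renegotiation_info extension, or both, and a server aborts an initial handshake only when the extension is not empty. The ClientHello bytes are constructed for the demonstration and the function names are hypothetical.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
EXT_RENEG_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746)


class HandshakeAbort(Exception):
    """Raised where RFC 5746 tells the server to abort the handshake."""


def build_client_hello(cipher_suites, extensions):
    """Build a constructed ClientHello handshake message (no record layer)."""
    body = b"\x03\x03"                  # client_version: TLS 1.2
    body += bytes(32)                   # random (constructed: all zero)
    body += b"\x00"                     # session_id: empty
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                 # compression_methods: null only
    if extensions is not None:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body


def _take(buf, pos, n):
    """Return (buf[pos:pos+n], pos+n), refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def parse_reneg_signals(msg):
    """Return (scsv_present, renegotiation_info extension data or None)."""
    hdr, _ = _take(msg, 0, 4)
    if hdr[0] != 0x01:
        raise ValueError("not a ClientHello")
    body, _ = _take(msg, 4, int.from_bytes(hdr[1:], "big"))
    pos = 2 + 32                                   # skip version and random
    sid_len, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, sid_len[0])          # skip session_id
    cs_len, pos = _take(body, pos, 2)
    cs_raw, pos = _take(body, pos, int.from_bytes(cs_len, "big"))
    if len(cs_raw) % 2:
        raise ValueError("odd cipher_suites length")
    suites = {int.from_bytes(cs_raw[i:i + 2], "big")
              for i in range(0, len(cs_raw), 2)}
    cm_len, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, cm_len[0])           # skip compression methods
    reneg = None
    if pos < len(body):                            # extensions are optional
        ext_len, pos = _take(body, pos, 2)
        exts, pos = _take(body, pos, int.from_bytes(ext_len, "big"))
        epos = 0
        while epos < len(exts):
            head, epos = _take(exts, epos, 4)
            etype, elen = struct.unpack("!HH", head)
            data, epos = _take(exts, epos, elen)
            if etype == EXT_RENEG_INFO:
                reneg = data
    return SCSV in suites, reneg


def initial_handshake_decision(msg):
    """Apply RFC 5746 section 3.6 to an initial ClientHello.

    Returns the secure_renegotiation flag. Either signal sets it, and both
    together are acceptable. Only a renegotiation_info extension whose
    renegotiated_connection field is not empty aborts the handshake.
    """
    scsv, reneg = parse_reneg_signals(msg)
    if reneg is not None and reneg != b"\x00":     # b"\x00" = zero-length field
        raise HandshakeAbort("non-empty renegotiated_connection on initial handshake")
    return scsv or reneg is not None


if __name__ == "__main__":
    samples = {
        "SCSV only": build_client_hello([0xC02F, SCSV], None),
        "extension only": build_client_hello([0xC02F], [(EXT_RENEG_INFO, b"\x00")]),
        "both": build_client_hello([0xC02F, SCSV], [(EXT_RENEG_INFO, b"\x00")]),
        "neither": build_client_hello([0xC02F], None),
    }
    for name, hello in samples.items():
        print(f"{name:15} secure_renegotiation={initial_handshake_decision(hello)}")
```

A ClientHello that carries neither signal still parses; the flag simply stays false and local policy decides whether to continue.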
769997-1 : ASM removes double quotation characters on cookies
Component: Application Security Manager
Symptoms:
ASM removes the double quotation characters on the cookie.
Conditions:
A cookie is sent that contains double quotation marks.
Impact:
The server returns an error because the cookie is changed by ASM.
Workaround:
Set asm.strip_asm_cookies to false using the following command:
tmsh modify sys db asm.strip_asm_cookies value false
Fix:
ASM no longer removes the double quotation characters on the cookie.
769981-2 : bd crashes in a specific scenario
Component: Application Security Manager
Symptoms:
bd crashes with a core file.
Conditions:
-- XML profile with schema validation is attached to a security policy.
-- The bd.log shows out-of-memory messages relating to XML.
Impact:
Failover; traffic disruption.
Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803
769853-2 : Access Profile option to restrict connections from a single client IP is not honored for native RDP resources
Solution Article: K24241590
Component: Access Policy Manager
Symptoms:
When launching a native RDP resource (desktop/application) from APM Webtop, APM provides an RDP file to the browser and the browser invokes the native RDP client to launch the resource with the parameters specified in the RDP file.
When the Access Profile option 'Restrict to Single Client IP' is enabled, the user should only be allowed to launch the resource from the client that initiated the request.
Conditions:
-- APM Webtop is configured with native RDP resource.
-- 'Restrict to Single Client IP' option is enabled in Access Profile.
Impact:
RDP file provided by APM can be used for launching the RDP resource on a client machine that did not initiate the APM session.
Workaround:
None.
Fix:
When Access Profile option 'Restrict to Single Client IP' is enabled, APM restricts native RDP resource launch from the client that initiated the APM session.
769809-4 : The vCMP guests 'INOPERATIVE' after upgrade
Component: TMOS
Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests reports INOPERATIVE.
Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.
Impact:
The vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.
Workaround:
Note: Upgrading vCMP hosts from an affected version to an unaffected version may not clear the issue.
Upon encountering this issue, it may be best to roll back to the previously used, unaffected version on the vCMP host, and then install a version unaffected by this issue (i.e., versions later than 12.1.4.1 or later than 13.1.1.5).
Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade.
769801-1 : Internal tmm UDP filter does not set checksum
Component: Local Traffic Manager
Symptoms:
An internal tmm UDP filter does not set checksum for outgoing UDP packets.
Conditions:
-- An internal tmm UDP filter is in use.
Impact:
Even though a UDP packet with no checksum is permitted, it could cause some problems with some firewalls/servers.
Workaround:
For internal tmm udp filters, add the following to the UDP profile in use:
no_cksum 0
Fix:
Internal tmm UDP filters set checksum for outgoing UDP packets.
769589-2 : CVE-2019-6974: Linux Kernel Vulnerability
Solution Article: K11186236
769361-2 : TMM may crash while processing SSLO traffic
Solution Article: K33444350
769309-2 : DB monitor reconnects to server on every probe when count = 0
Component: Local Traffic Manager
Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.
Conditions:
This occurs when one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).
Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.
Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.
Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).
769281-1 : Per-request Access Policy may show user interface pages incorrectly in languages other than English
Component: Access Policy Manager
Symptoms:
If per-request Access Policy contains a user interface page (logon page, message box, etc.), this page may not be shown correctly in the browser if English is not the preferred language.
Conditions:
-- Browser with preferred language other than English.
-- Per-request Access Policy with support of this language.
-- Access Policy Agent with user interface included in the policy (logon page, message box, decision box, various forms of Rejected Ending Agent).
Impact:
The browser shows incorrect items on the response page presented to the APM end user (e.g., the page displays incorrect language strings).
Workaround:
None.
Fix:
Now, user interface pages in non-English languages are shown correctly by per-request Access Policy Agents.
769193-5 : Added support for faster congestion window increase in slow-start for stretch ACKs
Component: Local Traffic Manager
Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.
Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledge more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.
Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.
Workaround:
There is no workaround at this time.
Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit, TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
Behavior Change:
There is a new db variable, TM.TcpABCssLimit, for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit, TCP's congestion window increases faster in slow-start when stretch ACKs are received.
Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
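The effect described in this entry, as an added simulation (not F5 code): it applies the slow-start rule of RFC 3465, cwnd += min(bytes_acked, L*MSS), and counts round trips for a receiver that sends delayed ACKs versus stretch ACKs. The limit is expressed here as a multiple of MSS, which is an assumption, since the page does not say how TM.TcpABCssLimit is expressed; the MSS, initial window and transfer size are constructed values.

```python
MSS = 1460  # bytes; constructed value for the simulation


def slow_start_trace(transfer_bytes, ack_every_segs, abc_limit_segs,
                     init_cwnd_segs=10, mss=MSS):
    """Return the congestion window (bytes) at the start of each round trip.

    Simplified model: no loss, no ssthresh, the receiver sends one ACK per
    ack_every_segs full segments (plus one ACK for any remainder), and every
    ACK of a round arrives before the next round starts.
    """
    params = (transfer_bytes, ack_every_segs, abc_limit_segs, init_cwnd_segs, mss)
    if min(params) <= 0:
        raise ValueError("all parameters must be positive")
    cwnd = init_cwnd_segs * mss
    sent = 0
    trace = []
    while sent < transfer_bytes:
        trace.append(cwnd)
        flight = min(cwnd, transfer_bytes - sent)   # data sent this round
        sent += flight
        unacked = flight
        while unacked > 0:
            acked = min(unacked, ack_every_segs * mss)
            # RFC 3465 slow start: grow by the bytes newly acknowledged,
            # but never by more than L*MSS for a single ACK.
            cwnd += min(acked, abc_limit_segs * mss)
            unacked -= acked
    return trace


if __name__ == "__main__":
    size = 1000 * MSS
    cases = [
        ("delayed ACKs (2*MSS), limit 2*MSS", 2, 2),
        ("delayed ACKs (2*MSS), limit 8*MSS", 2, 8),
        ("stretch ACKs (8*MSS), limit 2*MSS", 8, 2),
        ("stretch ACKs (8*MSS), limit 8*MSS", 8, 8),
    ]
    for label, ack_every, limit in cases:
        trace = slow_start_trace(size, ack_every, limit)
        print(f"{label}: {len(trace)} round trips, "
              f"cwnd in segments = {[c // MSS for c in trace]}")
```

With delayed ACKs the two limits produce identical traces, which matches the note that the setting has no impact unless the receiver sends stretch ACKs.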
769169-3 : BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
Component: TMOS
Symptoms:
BIG-IQ sends many requests to the BIG-IP system to collect stats, which makes the BIG-IP system slow; eventually the GUI becomes unresponsive.
Conditions:
-- BIG-IQ monitoring a large BIG-IP configuration.
-- With a very large number of requests, and with resource-expensive requests.
Impact:
ICRD requests wait longer in the ICRD queue, which can make the BIG-IP system become unresponsive. Policy Creation, Device Overview, and stats pages take more time to respond, and eventually, the GUI becomes unresponsive on these three pages.
Many 'process terminated/re-created' messages appear in the restjavad logs.
Workaround:
Remove the BIG-IP device from the BIG-IQ and restart mcpd.
Fix:
The system now handles the queue so that there is time for the BIG-IP system to recover and become responsive.
769061-2 : Improved details for learning suggestions to enable violation/sub-violation
Component: Application Security Manager
Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.
Conditions:
There are learning suggestions to enable violations/sub-violation in the policy.
Impact:
Misleading suggestion details.
Workaround:
None.
Fix:
The misleading word 'Matched' was removed from the title.
768981-2 : vCMP Hypervisor Hardening
Solution Article: K05765031
768761-2 : Improved accept action description for suggestions to disable signature/enable metacharacter in policy
Component: Application Security Manager
Symptoms:
It is difficult to understand the description for suggestions to disable signature or enable metacharacter on parameter/URL alternative action (accept for all entities).
Conditions:
There are suggestions to disable signature or enable metacharacter on parameter/URL.
Impact:
Action description can be difficult to understand.
Workaround:
None.
Fix:
'Accept for Any Entity' action has been renamed to 'Accept Globally'. The 'Charset' type is now mentioned in the action description for better understanding of the applied action.
768025-4 : SAML requests/responses fail with "failed to find certificate"
Component: Access Policy Manager
Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.
Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.
Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.
-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.
-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.
Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, change it back to the original certificate, and then apply the policy.
-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.
Fix:
BIG-IP as SP and BIG-IP as IdP work as expected while generating signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.
767877-3 : TMM core with Bandwidth Control on flows egressing on a VLAN group
Component: TMOS
Symptoms:
TMM cores during operation.
Conditions:
Known condition:
1. BWC attached to serverside connflow
2. Serverside traffic traversing/egressing VLAN group
Impact:
Traffic disrupted while tmm restarts.
767689-1 : F5optics_install using different versions of RPM★
Component: TMOS
Symptoms:
Symptoms have been observed only in one case: a bare metal install to BIG-IP 14.1.0. In this case, a message indicates that the RPM database under /shared is corrupted.
Conditions:
Bare metal installation via PXE boot or USB install.
Impact:
The /shared/lib/rpm database must be recreated and f5optics manually installed.
Workaround:
1. Back up the current Packages file:
cp /shared/lib/rpm/Packages /shared/tmp/
2. Remove all the files from the database directory:
rm -f /shared/lib/rpm/*
3. Initialize the database by using the old version RPM:
/opt/bin/rpm --dbpath /shared/lib/rpm --initdb
4. Restore the Packages file (Press 'y' when prompted by 'cp: overwrite'):
cp /shared/tmp/Packages /shared/lib/rpm/Packages
Now you should be able to install the package.
Fix:
With these changes, the corruption of the /shared/lib/rpm database is no longer observed.
767653-1 : Malformed HTTP request can result in endless loop in an iRule script
Solution Article: K23860356
767401-1 : TMM may crash while processing TLS traffic
Solution Article: K95434410
767373-1 : CVE-2019-8331: Bootstrap Vulnerability
Solution Article: K24383845
767045-2 : TMM cores while applying policy
Component: Anomaly Detection Services
Symptoms:
TMM core and possible cores of other daemons.
Conditions:
The exact conditions are unknown.
Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
766873 : Omission of lower-layer types from sFlow packet samples
Component: TMOS
Symptoms:
The packet samples transmitted from BIG-IP to an sFlow receiver may contain only 'http' samples, with no 'vlan' or 'interface' FLOW samples appearing. sFlow will continue to transmit CNTR (counter) telemetry packets.
Conditions:
When the BIG-IP system is configured with one or more sFlow receivers, with non-zero sampling-rate configured for 'vlan' or 'interface' types.
Impact:
External network-monitoring or management systems, which may depend on sFlow packet samples from BIG-IP systems and from other equipment, are unable to properly characterize the flow of data throughout the network.
Workaround:
None.
Fix:
This issue no longer occurs.
766761-2 : Ant-server does not log requests that are excluded from scanning
Component: Access Policy Manager
Symptoms:
Based on Request/Response Analytics agent 'Exclude Types' settings, the requests that are excluded from scanning should log a message that states, 'Response content is in excluded content list'.
Conditions:
Response or Request Analytics agent in the Per-Request Policy.
Impact:
These particular logs are not available.
Workaround:
None.
Fix:
Appropriate messages now get logged.
766577-2 : APMD fails to send response to client and it already closed connection.
Component: Access Policy Manager
Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer
APMD performs most of its actions against backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (for reasons such as network issues), it might cause a slow apmd response to the client. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.
Conditions:
Backend server is slow, causing longer-than-usual response times.
Impact:
This causes the client to close the connection. APMD fails to respond to the client.
The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.
Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.
766405-2 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device
Component: Service Provider
Symptoms:
The next active device may crash with a core when attempting to create media flows.
Conditions:
The names for the LSN pool and router profile are longer than expected.
Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts. If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.
Workaround:
None.
Fix:
Device no longer cores.
766365-1 : Some trunks created on VE platform stay down even when the trunk's interfaces are up
Component: TMOS
Symptoms:
A trunk configured on BIG-IP Virtual Edition (VE) does not pass traffic because it is in the 'down' state.
Conditions:
Trunk is created on VADC for NICs that use XNet drivers.
Note: In this release, XNet drivers are used by Mellanox and AWS ENA NICs on the VE platform only.
Impact:
Trunk marked 'down'; traffic does not pass through the trunk.
Workaround:
None.
Fix:
Drivers that suffered from this problem now set speed correctly for the interface.
766357-1 : Two simultaneously manual installations can cause live-update inconsistency
Component: Application Security Manager
Symptoms:
When running two manual installations of the same update type simultaneously from different browser instances, live-update may encounter inconsistencies, and one of the installations gets stuck in the 'installing' state.
Conditions:
-- Two different installations of the same update type exist.
-- Both manual installations occur at the same time from different browser instances.
Impact:
-- One of the installations stays in the 'installing' state.
-- Cannot install other installations (.im files).
Workaround:
Run the following command:
bigstart restart tomcat
Live-update changes the status of the installation from 'installing' to 'error' and allows subsequent installation operations.
Fix:
Live-update now queues all manual installations, so they start one after another. After all installations end, only one installation has the 'installed' status.
766329-2 : SCTP connections do not reflect some SCTP profile settings
Component: TMOS
Symptoms:
The effective receive-chunks, transmit-chunks, in-streams, and out-streams parameters in SCTP traffic do not match the settings from the configured SCTP profile:
-- The in-streams setting alters both the in-streams parameter and the tx-chunks parameter.
-- The out-streams setting alters both the out-streams parameter and the rx-chunks parameter.
-- The tx-chunks setting has no effect.
-- The rx-chunks setting has no effect.
Conditions:
An SCTP virtual server is configured.
Impact:
Unexpected SCTP parameters are negotiated on SCTP connections.
Workaround:
None.
Fix:
The SCTP profile settings are now used during SCTP connection negotiation.
766293-1 : Monitor logging fails on v14.1.0.x releases
Component: Local Traffic Manager
Symptoms:
With a fresh install of v14.1.0.x, when you attempt to enable monitor logging for a node or pool member, an error message appears in /var/log/ltm. The log file is also not created.
This behavior is due to SELinux changes. /var/log/auditd/audit.log shows the SELinux violation logs.
System reports messages similar to the following in /var/log/ltm:
-- info bigd[12457]: Couldn't open logging file /var/log/monitors/Common_Splunk_HTTP_monitor-Common_node1-8088.log for monitor /Common/Splunk_HTTP_monitor on node /Common/node1.
Conditions:
-- Clean installation of v14.1.0.x software.
-- Enable monitor logging for a node or pool member.
Impact:
Monitor logging fails. Error messages logged.
Workaround:
None.
Fix:
Updated bigd SELinux rules to allow the creation of monitor log files.
765801 : WCCP service info field corrupted in upgrade to 14.1.0 final★
Component: TMOS
Symptoms:
WCCP 'Here I am' packets from BIG-IP to routers have corrupted service info. No 'I see you' response received from routers due to mismatched service flags information.
Conditions:
No specific condition other than WCCP configuration on BIG-IP 14.1.0.x version.
Impact:
Unable to deploy WCCP on BIG-IP in version 14.1.0.x.
Workaround:
None.
Fix:
Corrected WCCP service flags during initialization.
765785-3 : Monpd core upon "bigstart stop monpd" while Real Time reporting is running
Component: Application Visibility and Reporting
Symptoms:
Monpd cores upon "bigstart stop monpd" while Real Time reporting is running.
Conditions:
Real Time UI view is active.
Impact:
None.
Workaround:
None.
Fix:
Fixed a monpd core.
765533-2 : Sensitive information logged when DEBUG logging enabled
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
765517-1 : Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN
Component: Local Traffic Manager
Symptoms:
When two virtual servers are created and they have the same address list but different incoming VLANs, Traffic Match Criteria validation fails.
Conditions:
Two virtual servers are created with the same address list but different incoming VLANs.
Impact:
System validation fails.
Workaround:
Use non-overlapping address lists.
765449-1 : Update availability status may be inaccurate
Component: Application Security Manager
Symptoms:
Under certain conditions, the UI may indicate that attack signature updates are available.
Conditions:
ASM provisioned.
Impact:
Attack signature updates are listed as available when the latest signatures are already installed.
Workaround:
An accurate status for availability of updates is available in System::Software Management::Live Update.
Fix:
The UI now displays an accurate availability status for attack signatures.
765413-1 : ASM cluster syncs caused by PB ignored suggestions updates
Component: Application Security Manager
Symptoms:
Frequent syncs occurring within an ASM device group.
Conditions:
Several (updating) suggestions are marked 'ignored'.
Impact:
Syncs appear in the logs (no actual performance degradation).
Workaround:
-- Remove the Ignored Suggestions. (Note: These might be re-added and you must refrain from clicking the Ignore button).
-- Remove the Ignored Suggestions and uncheck the Learn flag for the violation that causes it. (Note: The impact is that the system does not learn this violation anymore, so any future suggestions to amend the policy for that violation will not be created.)
Fix:
Policy Builder (PB) no longer updates Ignored Suggestions, so unnecessary sync operations no longer occur.
765033 : Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions★
Component: TMOS
Symptoms:
Some versions of BIG-IP software have removed the ability to access bash from users that have resource-admin roles. Upgrades to one of these versions may fail to load the configuration on the upgraded volume with a message in /var/log/ltm similar to:
err mcpd[14994]: 01070825:3: Access denied - Administrators only: Custom shells only available to administrators, not testuser.
Conditions:
-- Users with the resource-admin role also have bash access.
-- Upgrading to an affected version from certain versions.
Impact:
The upgraded volume's configuration does not load.
Workaround:
You can use either of the following workarounds:
-- Ensure that all users with the resource-admin role do not have bash access prior to upgrading.
-- Hand-edit the bigip_user.conf to remove bash from any users with the resource-admin role and reload the configuration using the following command:
tmsh load sys config
Fix:
Upgrades no longer fail under these conditions.
764665-2 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
Component: Application Visibility and Reporting
Symptoms:
When BIG-IP is registered on a BIG-IQ system, avrd sometimes crashes with a core.
Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.
Impact:
Avrd cores and restarts. Functionality is not impacted; stats data are sent to BIG-IQ.
Workaround:
None.
Fix:
Corrected issue in setting value for internal flag.
764373-3 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths
Component: Application Security Manager
Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.
Conditions:
Server sends enforced cookies with the same name but with different paths.
Impact:
A valid request might be rejected.
Workaround:
None.
Fix:
The system now checks all enforced cookies correctly, so this issue no longer occurs.
763349-3 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
Component: Application Visibility and Reporting
Symptoms:
avrd application on BIG-IP crashes; core is generated.
Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.
-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.
Impact:
avrd crashes, and a core is generated.
Workaround:
None.
Fix:
avrd now reconnects to BIG-IQ DCD in a different sequence so this issue no longer occurs.
763157-2 : MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped
Component: Service Provider
Symptoms:
Processing the response to an outbound request at the same time as an inbound request message on the same connection could cause internal state generated to be confused and the inbound request to be dropped.
Conditions:
Processing the response to an outbound request at the same time as an inbound request message on the same connection.
Impact:
The inbound request will be dropped.
Workaround:
None.
Fix:
The internal state generated is no longer confused so the inbound request is no longer dropped.
763005-3 : Aggregated Domain Names in DNS statistics are shown as random domain name
Component: Application Visibility and Reporting
Symptoms:
When many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates the data, it shows the aggregated names using a random name taken from the first lookup table record.
Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.
Impact:
There is one random domain name with a high counter value; other domains are shown with counter 1.
Workaround:
None.
763001-1 : Web-socket enforcement might lead to a false negative
Solution Article: K70312000
Component: Application Security Manager
Symptoms:
A request that should be blocked will be passed to server.
Conditions:
-- The parse parameters flag in the JSON profile is enabled.
-- Requests are sent in a JSON websocket.
Impact:
Bad requests may be passed to the server.
Workaround:
Disable the parse parameters flag in the JSON profile.
Fix:
Web-socket enforcement now filters requests as expected.
762453-2 : Hardware cryptography acceleration may fail
Solution Article: K63558580
762385 : Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later★
Component: TMOS
Symptoms:
When multiple attributes in a list match multiple roles, the wrong role may be assigned. Alternatively, authentication may fail when check-roles-group is disabled.
Conditions:
The LDAP server replies with a list of attributes (e.g., list of memberOf) where more than one matches an existing role.
Impact:
BIG-IP assigns the user to the last attribute in the list that matches a role, potentially yielding a more restrictive set of permissions.
Authentication may fail when check-roles-group is disabled.
Workaround:
None.
Fix:
The correct remote-role is now assigned using LDAP authentication.
762205-2 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
Component: TMOS
Symptoms:
Rekey with non-BIG-IP systems can fail when a response contains a VENDOR_ID payload.
Conditions:
-- IKEv2 Responder sends VENDOR_ID payload in rekey response.
-- The ipsec.log misleadingly reports:
[I] [PROTO_ERR]: unexpected critical payload (type 43)
Note: This message may be correctly present under other conditions, with different type constants not equal to 43.
Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.
Workaround:
No workaround is known at this time.
Fix:
Handling of payload types during rekey will now ignore VENDOR_ID when it appears, the same way we ignore VENDOR_ID in other messages during IKE negotiation.
761993-2 : The nsm process may crash if it detects a nexthop mismatch
Component: TMOS
Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.
Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.
Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.
Workaround:
None.
Fix:
Prevented nsm crashing when there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop.
761941-1 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server
Component: Application Security Manager
Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.
Impact:
Backend app gets CSRT parameter, which might impact its business logic.
Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.
Fix:
The system now removes the CSRT query parameter before forwarding a request to the backend server.
761933-1 : Reboot with 'tmsh reboot' does not log message in /var/log/audit
Component: TMOS
Symptoms:
The tmsh reboot command is missing from /var/log/audit.
Conditions:
-- Reboot a system using the command 'tmsh reboot'.
-- View the /var/log/audit log.
Impact:
The system does not log the tmsh reboot operation in the /var/log/audit log. A message similar to the following should be reported:
notice tmsh[19115]: 01420002:5: AUDIT - pid=19115 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=reboot.
Workaround:
None.
761921-1 : avrd high CPU utilization due to perpetual connection attempts
Component: Application Security Manager
Symptoms:
avrd shows high CPU utilization. Repeated retries on auth token client failed connection attempts.
Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.
Impact:
avrd consumes a large amount of CPU.
Workaround:
Correct BIG-IQ availability and restart avrd.
Fix:
avrd now waits between connection retries, so this issue does not occur.
761749-2 : Security pages unavailable after switching RT mode on off few times
Component: Application Visibility and Reporting
Symptoms:
Security dashboard and analytics pages display "Unable to load application" and no statistics are available.
Conditions:
A BIG-IP system is configured to collect statistics from security modules, and new statistics are generated periodically.
The problem may appear when a user switches real-time mode on and off a few times.
Impact:
Security dashboard and analytics pages are unavailable for at least a few hours, and some real-time statistics are lost.
Fix:
Added timeout for fetching data from statistics module.
761685-3 : Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set
Component: Service Provider
Symptoms:
Systems that expect a unique outgoing connection per client may silently end up with clients sharing an outgoing connection if routing uses a virtual server as the outgoing connection transport definition, and the virtual server has the source-port attribute set to preserve-strict.
Conditions:
-- Routing using a virtual server as the transport definition for the outgoing connection.
-- The virtual server has the source-port attribute set to preserve-strict.
Impact:
Systems that expect a unique outgoing connection per client may silently end up with clients sharing an outgoing connection.
Workaround:
None.
Fix:
Per-client mode is now maintained when routing to a virtual server, even when preserve-strict is selected.
761553-2 : Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic
Component: Application Security Manager
Symptoms:
Text for analyzed requests might be misleading for suggestions that are created as a result of an absence of violations in traffic:
X requests triggered this suggestion from date:time until date:time.
Actually:
-- 'X requests' did not trigger a violation, and no sampled requests are provided.
-- The format of the time in 'from date:time until date:time' is difficult to parse.
Conditions:
There are suggestions that were created as result of an absence of violations in traffic in the policy.
Impact:
Text might be misleading.
Workaround:
None.
Fix:
Improved text for analyzed requests for suggestions that were created as a result of an absence of violations in traffic.
761549-2 : Traffic Learning: Accept and Stage action is shown only in case entity is not in staging
Component: Application Security Manager
Symptoms:
Accept and Stage action is available, even for entities that are in staging already.
Conditions:
Create suggestion for the entity (e.g., Attack signature on parameter) that is in staging.
Impact:
Action that is not relevant is shown.
Workaround:
None.
Fix:
Accept and Stage action is available only for suggestions on entities that are not in staging.
761385-1 : Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire.
Component: Local Traffic Manager
Symptoms:
Responses from a server are not received by the client.
Conditions:
-- BIG-IP system deployed in L2 transparent mode using virtual wire.
-- No virtual server is configured.
Impact:
Responses from server to client are dropped. Loss of service.
Workaround:
None.
Fix:
Set the L2 transparent flag for the server-side flow if the client-side flow has this flag set.
761381-1 : Incorrect MAC Address observed in L2 asymmetric virtual wire
Component: Local Traffic Manager
Symptoms:
Incorrect MAC Address observed in L2 asymmetric virtual wire for ICMP unreachable on UDP traffic.
Conditions:
L2 asymmetric virtual wire is configured.
Impact:
Incorrect MAC Address in the packet when the BIG-IP system sends ICMP unreachable on UDP traffic.
Workaround:
None.
Fix:
The correct MAC address is seen in the packet that is flowing from the BIG-IP system.
761345-3 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
Component: Advanced Firewall Manager
Symptoms:
When manual config-sync mode is enabled for a HA setup, additional config-sync may be required after firewall blob compilation.
Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.
Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.
Workaround:
Enable auto config-sync instead of manual config-sync.
Fix:
Additional config-sync is not required in these conditions.
761234-2 : Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached
Component: Advanced Firewall Manager
Symptoms:
If you create a virtual server with a single address ('Host' in the GUI) for both its source and destination, then configure the virtual server's security policy with a logging profile, and then (after creating the virtual server) modify the source or destination to use a traffic matching condition, the system reports no error when updating the configuration.
Conditions:
Attempting to use a virtual server with a security policy attached that uses a logging profile with an address list as the virtual server's source or destination.
Impact:
An invalid configuration is not caught. When later loading the configuration, the system reports a validation error, and the configuration does not load.
Workaround:
None.
Fix:
An error is now generated under these conditions.
761231-2 : Bot Defense Search Engines getting blocked after configuring DNS correctly
Solution Article: K79240502
Component: Application Security Manager
Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.
A cache is stored for legal / illegal requests to prevent querying the DNS again.
This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.
Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.
Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.
Workaround:
Restart TMM by running the following command:
bigstart restart tmm
Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.
761199-1 : Wr_urldbd might crash while system is in a restarting loop.
Component: Traffic Classification Engine
Symptoms:
The Webroot daemon (wr_urldbd) crashes if it gets back-to-back SIGTERM signals. A subsequent SIGTERM is handled by the default signal handler instead of the registered one.
As a result, wr_urldbd's threads are not prevented from starting if wr_urldbd is in the process of shutting down.
Conditions:
-- System configuration is changing
-- wr_urldbd is restarting continuously at the same time
Impact:
Wr_urldbd crashes during restart and generates core file.
Workaround:
None.
Fix:
Wr_urldbd handles all signals with the registered handler and does not crash.
761194-2 : param data type violation on an Integer parameter, if an integer value is sent via websocket JSON
Component: Application Security Manager
Symptoms:
A false positive occurs with the 'Illegal parameter data type' violation on an integer parameter in websocket messages.
Conditions:
An explicit parameter with type integer is configured.
Impact:
A false positive can occur: 'Illegal parameter data type' is reported.
Workaround:
N/A
Fix:
Fixed a false positive with integer values.
761185-2 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
Solution Article: K50375550
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550
Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550
Impact:
For more information please see: https://support.f5.com/csp/article/K50375550
Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550
Fix:
For more information please see: https://support.f5.com/csp/article/K50375550
761173-1 : tmm crash after extended whitelist modification
Component: Advanced Firewall Manager
Symptoms:
tmm might crash and restart.
Conditions:
Modifying the whitelist extended entry in tmsh.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The tmm process no longer crashes when modifying the whitelist extended entry in tmsh.
761160-2 : OpenSSL vulnerability: CVE-2019-1559
Component: TMOS
Symptoms:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).
Conditions:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).
Impact:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).
Workaround:
None.
Fix:
Update OpenSSL to 1.0.2s.
761144-4 : Broadcast frames may be dropped
Solution Article: K95117754
761112-3 : TMM may consume excessive resources when processing FastL4 traffic
Solution Article: K76328112
761088-1 : Remove policy editing restriction in the GUI while auto-detect language is set
Component: Application Security Manager
Symptoms:
While policy language was set to auto-detect, the policy editing was not allowed.
Conditions:
Create a new policy and set the language to auto-detect.
Impact:
While policy language was set to auto-detect, the policy editing was not allowed.
Workaround:
The policy language must be set to something other than auto-detect to allow users to edit the policy from the GUI. However, policy editing is possible using the REST API.
Fix:
The GUI restriction was removed. Users can modify the policy while the language is set to auto-detect.
761032-2 : TMSH displays TSIG keys
Solution Article: K36328238
Component: Global Traffic Manager (DNS)
Symptoms:
TSIG key is displayed when related configuration is listed in TMSH.
Conditions:
Authenticated administrative user.
Listing TSIG keys using TMSH.
Impact:
Displaying TSIG keys is a security exposure.
Workaround:
None.
Fix:
TMSH no longer displays TSIG keys when listing configuration.
761030-2 : tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route
Component: Local Traffic Manager
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not shown using the show net route lookup command.
Conditions:
-- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
-- Dynamic Routing protocols such as OSPFv3 configured.
Impact:
Cannot see any dynamic routes added while IPv4-mapped IPv6 addresses are configured.
Workaround:
None.
Fix:
The query for IPv4-mapped IPv6 addresses now shows dynamic routes added while IPv4-mapped IPv6 is configured.
761014-2 : TMM may crash while processing local traffic
Solution Article: K11447758
760998-1 : F5.ip_forwarding iAPP fails to deploy
Component: TMOS
Symptoms:
F5.ip_forwarding iApp fails to deploy due to a syntax error in the tmsh command for syn-cookie-enable.
Conditions:
Deployment of the f5.ip_forwarding iApp fails unless you specify an existing FastL4 profile.
Impact:
Cannot deploy the f5.ip_forwarding iApp template.
Workaround:
To deploy the f5.ip_forwarding iApp, select 'Advanced' configuration mode and choose an existing FastL4 profile for the question 'What Fast L4 profile do you want to use?'
Fix:
The f5.ip_forwarding iApp template deploys the recommended FastL4 profile without error.
760930-2 : MRF SIP ALG with SNAT: Added additional details to log events
Component: Service Provider
Symptoms:
Subscriber name is not included in debug log events for temporary subscriber registration creation and deletion.
Conditions:
Debug log events for temporary subscriber registration creation and deletion.
Impact:
No functional impact, but the associated MRF SIP ALG with SNAT issue might be difficult to debug.
Workaround:
None.
Fix:
Subscriber ID is now included in the log events.
760878-3 : Incorrect enforcement of explicit global parameters
Component: Application Security Manager
Symptoms:
A false positive or false negative enforcement of explicit global parameter.
Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.
Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.
Workaround:
Make the explicit parameters a wildcard parameter.
Fix:
Explicit parameters are enforced correctly on all parameters.
760771-1 : FastL4-steered traffic might cause SSL resume handshake delay
Component: Local Traffic Manager
Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.
Additionally, it has been observed that if fallback persistence is configured, the BIG-IP system might fail to start the connection serverside.
Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.
Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.
Workaround:
To work around this issue:
-- Disable FastL4.
-- Enable OneConnect.
Fix:
FastL4-steered traffic no longer causes SSL resume handshake delay.
760723-2 : Qemu Vulnerability
Solution Article: K64765350
760683-1 : RST from non-floating self-ip may use floating self-ip source mac-address
Component: Local Traffic Manager
Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.
Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.
Impact:
An L2 switch may update the fwd table incorrectly.
Workaround:
None.
Fix:
The system now uses the correct source mac-address under these conditions.
760680-1 : TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed.
Component: TMOS
Symptoms:
TMSH does not correctly handle the absence of an input stream after an interactive SSH session is closed, and remains active in an infinite loop using 100% CPU.
Conditions:
If TMSH is a process group leader, it is not killed when the parent shell is terminated upon SSH session close.
This is a rare case, as TMSH must be deliberately promoted to a process group leader, e.g., with the 'setsid' command.
Usually the shell process is a group leader and, when it is terminated upon SSH session close, it kills its child processes, including TMSH.
Impact:
The equivalent of one CPU core is utilized to 100% by the TMSH process. It may be mostly scheduled on one core or spread over multiple control plane cores.
Workaround:
TMSH should not be intentionally promoted to a process group leader.
You can kill all TMSH processes using the command:
killall -9 tmsh
Warning: This command kills both abandoned and in-use TMSH processes. The latter can include other users' TMSH shells, and even system-level processes invoking the TMSH utility internally. Killing all TMSH processes can lead to various unexpected failures. You can use the 'top' command to see which TMSH processes are using high CPU (e.g., 90% or more), and kill just those, as those are likely the abandoned processes. pstree may also show the problem TMSH processes with no sshd ancestor.
You can kill specific TMSH processes using the command:
kill -9 <pid>
Where <pid> is the process ID of the TMSH instance to kill.
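The Warning above narrows the kill list to TMSH processes that show high CPU and have no sshd ancestor. The following added example (not F5 code) applies both tests to a process table; the function names find_orphan_tmsh and sample_ps and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list only the TMSH processes that match both hints in the
# Warning: high CPU use and no sshd ancestor in the process tree.

# find_orphan_tmsh [MIN_CPU]
# Reads "PID PPID %CPU COMMAND" rows on stdin and prints, one per line and in
# numeric order, the PID of every tmsh process using at least MIN_CPU percent
# CPU (default 90) whose parent chain never passes through sshd.
find_orphan_tmsh() {
    awk -v min="${1:-90}" '
        NF >= 4 { ppid[$1] = $2; cpu[$1] = $3; comm[$1] = $4 }
        END {
            for (p in comm) {
                if (comm[p] != "tmsh" || cpu[p] + 0 < min + 0) continue
                a = ppid[p]; hops = 0; under_sshd = 0
                # Walk towards PID 1; the hop limit guards against a
                # malformed table that contains a parent loop.
                while ((a in comm) && hops < 64) {
                    if (comm[a] == "sshd") { under_sshd = 1; break }
                    a = ppid[a]; hops++
                }
                if (!under_sshd) print p
            }
        }' | sort -n
}

# Constructed sample process table (not captured from a real system).
#   1250: tmsh inside a live SSH session, idle
#   4100: tmsh reparented to PID 1 and spinning  -> reported
#   4200: tmsh reparented to PID 1 but idle      -> not reported at 90%
#   4300: busy tmsh that still has an sshd ancestor -> not reported
sample_ps() {
    cat <<'EOF'
1 0 0.0 systemd
900 1 0.0 sshd
1200 900 0.0 sshd
1201 1200 0.0 bash
1250 1201 0.3 tmsh
4100 1 99.7 tmsh
4200 1 0.1 tmsh
4300 1201 95.0 tmsh
EOF
}

# On a live system, feed the function from ps instead of the sample:
#   ps -eo pid=,ppid=,pcpu=,comm= | find_orphan_tmsh 90
sample_ps | find_orphan_tmsh 90
```

Review the printed PIDs before passing any of them to kill -9 <pid>, since system-level processes can also invoke TMSH without an sshd ancestor.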
Possible mitigation
===================
Set a CLI idle timeout to a value lower than the sshd idle timeout (which is not set by default):
tmsh modify cli global-settings idle-timeout <timeout in minutes>
Fix:
I/O error handling in TMSH has been corrected, so it no longer ignores the absence of an input stream, which led to an infinite loop.
760622-3 : Allow Device Certificate renewal from BIG-IP Configuration Utility
Component: TMOS
Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.
Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.
Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.
Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:
openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt
For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:
openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt
Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.
760597-1 : System integrity messages not logged
Component: TMOS
Symptoms:
On TPM-equipped platforms, log messages indicating recovery from a very rarely triggered condition, where the TPM chip needs to be cleared, are not being recorded in the logs on boot.
Conditions:
-- TPM-equipped platforms.
-- Rarely triggered condition in which the TPM chip needs to be cleared.
Impact:
No message indicating the need to clear the TPM.
Note: The need to clear the TPM does not affect the subsequent operation of system integrity checks.
Workaround:
None. The TPM is automatically cleared on boot. Once cleared, it operates normally.
Using remote attestation by submitting a QKview file to iHealth and checking the System Integrity status in the resulting report will reliably indicate any tampering in the BIOS or system startup files.
Fix:
The message indicating that the TPM needs to be cleared is now logged.
760594 : On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.
Component: TMOS
Symptoms:
Executing 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.
Conditions:
BIG-IP Virtual Edition
Impact:
The snmpwalk command shows the details of all partitions on previous versions. It now shows only the '/appdata' details.
Workaround:
No workaround exists for this issue currently.
760574 : Updating BIG-IP 14.1.x Linux kernel to RHEL7.5
Component: TMOS
Symptoms:
The BIG-IP 14.1.x Linux kernel needs updating to RHEL7.5.
Conditions:
Using the most current version of the BIG-IP software.
Impact:
The Linux kernel update is a typical function of ongoing BIG-IP software development.
Workaround:
None.
Fix:
The kernel update provides the following advantages:
-- Ease of maintenance.
-- Security fixes that are part of RHEL 7.5.
-- New / Enhanced feature support.
760573-1 : TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0★
Solution Article: K00730586
Component: TMOS
Symptoms:
The Trusted Platform Module (TPM) system integrity check may return an invalid status.
As a result of this issue, you may encounter one or more of the following symptoms:
-- While the system boots to BIG-IP 14.1.0, you observe an error message that appears similar to the following example:
tpm-status-check[5025]: System Integrity Status: Invalid
-- After rebooting the system to different volumes, you continue to observe the previous error message.
Conditions:
This issue occurs when the following condition is met:
You reboot a system running either BIG-IP 13.1.x or 14.0.0 (including their point releases) to BIG-IP 14.1.0.
Impact:
The BIG-IP system reports an invalid TPM status and TPM is non-functional.
Workaround:
To recover from this issue, you must delete the grub configuration file and reboot the system twice for an automatic repair to occur. To do so, perform the following procedure:
Impact of workaround: The system will not be available while performing multiple reboots. F5 recommends that you perform this procedure during an appropriate maintenance window.
1. Log in to the command line of the affected system.
2. Mount the boot partition by typing the following command:
mkdir -p /mnt/boot; mount /dev/mapper/$(ls /dev/mapper | grep boot) /mnt/boot
3. Delete the grub.multiboot.cfg file by typing the following command:
rm -f /mnt/boot/grub2/grub.multiboot.cfg
4. Reboot the system by typing the following command:
reboot
Note: The system software fixes the grub.multiboot.cfg file automatically upon booting.
5. When the system has completed booting, log in to the command line and reboot the system again by typing the following command:
reboot
This final step properly boots the system with TPM enabled.
Fix:
Rebooting a system no longer returns the TPM error.
760550-5 : Retransmitted TCP packet has FIN bit set
Component: Local Traffic Manager
Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.
Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.
Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.
Workaround:
Set Nagle to disabled in the TCP profile.
Fix:
The incorrect FIN bit is removed.
760508-1 : On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist★
Solution Article: K91444000
Component: TMOS
Symptoms:
The system security state reported by the shell utility 'tpm-state' may report 'Invalid'.
Conditions:
-- The system contains a volume running BIG-IP software version that does not support Trusted Platform Module (TPM).
-- You install a version that does support TPM.
-- The system is rebooted, from the old (non-TPM-capable) BIG-IP version to the new, TPM-capable version.
Impact:
The BIG-IP system reports an invalid TPM status upon the first boot of the upgraded BIG-IP 14.1.0 slot.
Workaround:
Rebooting the system again into 14.1.0 after initially booting into 14.1.0 resolves the issue.
760475-1 : Apache spawns more processes than the configured limit, causing system low memory condition
Component: TMOS
Symptoms:
Apache (httpd) process count MaxClients on BIG-IP systems is set to '10' in the configuration. When more requests are received, Apache spawns more processes than 10, consuming more memory.
Conditions:
Numerous clients trying to connect simultaneously to the BIG-IP GUI.
Impact:
System low memory condition can severely impact application/system performance, and sometimes triggers Out-Of-Memory (OOM) Killer, so critical applications might be terminated.
Workaround:
Complete the following procedure:
1. Modify /etc/httpd/conf/httpd.conf to have the following configuration outside of the prefork module (global):
MaxClients 10
2. Run the following command:
bigstart restart httpd
760471-3 : GTM iQuery connections may be reset during SSL key renegotiation.
Component: Global Traffic Manager (DNS)
Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.
Conditions:
This occurs occasionally during routine renegotiation.
Impact:
The affected iQuery connection is briefly marked down before it is immediately re-established.
Workaround:
There is no workaround.
Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.
760462-1 : Live update notification is shown only for provisioned/licensed modules
Component: Application Security Manager
Symptoms:
Live update notification in the left top corner of the screen was shown even when you cannot install updates, e.g., no permissions or no license/provisioning.
Conditions:
-- There is an update for a non-provisioned/licensed module.
-- Attempt to install the update.
Impact:
A notification appears and it cannot be removed.
Workaround:
None.
Fix:
Live update notification is now shown only for provisioned/licensed modules.
760439-4 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
Component: TMOS
Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).
Conditions:
Installing a UCS that was taken in forced-offline state on a clean-installed unit.
Impact:
Unit may become active/standby before intended (e.g., during maintenance).
Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.
760438-3 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
Component: Policy Enforcement Manager
Symptoms:
tmm coredump
Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.
Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The BIG-IP system now validates session presence before applying the policy.
760410-1 : Connection reset is seen when Category lookup agent is used in per-req policy
Component: Access Policy Manager
Symptoms:
The BIG-IP system sends reset to client when Category Lookup agent is used in per-req policy.
Conditions:
-- APM or SSLO is licensed and provisioned.
-- URLDB and SWG are not provisioned.
-- Category Lookup agent is used in the policy to process custom categories.
Impact:
Connection reset is seen on client from APM/SSLO box.
Workaround:
Modify Category Lookup agent 'lookup-type' property to 'custom-only' via TMSH, for example, by using a command similar to the following:
modify apm policy agent category-lookup example_prp_act_category_lookup_ag lookup-type custom-only
Fix:
Category lookup agent in per-req policy now successfully processes custom categories, so the reset no longer occurs.
760408-3 : System Integrity Status: Invalid after BIOS update★
Solution Article: K23438711
Component: TMOS
Symptoms:
When BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.
This issue causes the System Integrity Status to return a value of 'Invalid'.
Conditions:
-- BIG-IP systems that have been manufactured using an earlier BIOS version.
-- Updating to a newer BIOS version.
Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.
Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.
Fix:
The System Integrity Status check now returns 'Valid' for systems that have not been compromised.
760393 : GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes
Component: Advanced Firewall Manager
Symptoms:
After failover, there is no GARP from the newly active device for FW NAT policy rule's dest prefixes.
Conditions:
Configure FW NAT policy rules with proxy arp enabled for destination prefixes. After failover, no GARP is sent for those destination prefixes.
Impact:
After failover, traffic can fail/degrade.
Workaround:
No workaround other than forcing the initial active HA device to be active again.
Fix:
The system now sets the high availability (HA) unit correctly for FW NAT policy.
760370-2 : MRF SIP ALG with SNAT: Next active ingress queue filling
Component: Service Provider
Symptoms:
When running MRF SIP ALG with SNAT, the ingress queue may fill, causing messages to be dropped on the next-active device.
Conditions:
-- The active device determines that an operation can be skipped because the details are already discovered processing a previous message.
-- The next-active device has not yet processed the previous message and is not able to skip the operation.
Impact:
Mirroring state is lost for the connection.
Workaround:
None.
Fix:
When the connection is mirrored, the processing operation is not skipped on either the active or next-active device.
760363-1 : Update Alias Address field with default placeholder text
Component: TMOS
Symptoms:
Unable to update Alias Address field with the default value under Local Traffic :: Monitors :: [MonitorName] after removing everything from the input field and updating again with the placeholder text.
Conditions:
-- Using a system running software in which the GUI supports Chinese characters.
-- Remove content from the Alias Address field under Local Traffic :: Monitors :: [MonitorName].
-- Enter the default placeholder text.
Impact:
Unable to update the Alias Address input field with default placeholder text after replacing the said field with blank text or a valid value.
Workaround:
Pass empty value or ::
Fix:
Allow monitors to update with default placeholder text for Alias Address
760356-2 : Users with Application Security Administrator role cannot delete Scheduled Reports
Component: Application Visibility and Reporting
Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.
Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.
Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.
Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.
Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports
760355 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★
Component: Advanced Firewall Manager
Symptoms:
If firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.
Conditions:
-- Firewall is configured on the management port.
-- Firewall is configured with an ICMP rule to block.
Impact:
ICMP packets cannot be blocked with a firewall rule to drop on management port. ICMP packets are allowed from the management port.
Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.
# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP
Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.
760259-3 : Qkview silently fails to capture qkviews from other blades
Component: TMOS
Symptoms:
When capturing a qkview on a chassis, there are no warnings provided if the qkview utility is run to gather a qkview from other blades.
Conditions:
-- On a chassis system, rename/move the qkview binary from a given blade.
-- Execute qkview on another blade, verify that no warnings or errors are produced.
Impact:
There is no warning that the qkview failed for a given blade.
Workaround:
There is no workaround other than running the qkview on the actual blade.
760250 : 'Unsupported SSO Method' error when requests sharing the same TCP session
Component: Access Policy Manager
Symptoms:
In API Protection configurations, an 'Unsupported SSO Method' error occurs when requests share the same TCP session and some branch selects Single Sign-On (SSO).
Conditions:
-- On the virtual server, the OneConnect profile is selected.
-- Requests sharing the same TCP session.
Impact:
Some requests are rejected.
Workaround:
Remove the OneConnect profile from the virtual server.
Fix:
Reset the SSO selection for each request, regardless of whether requests share the same TCP connection.
760234-1 : Configuring Advanced shell for Resource Administrator User has no effect
Component: TMOS
Symptoms:
Advanced shell is present in the Terminal Access dropdown list when creating a Resource Administrator User, but the functionality is not available.
Conditions:
Configuring Advanced shell for Resource Administrator User.
Impact:
There is no warning message, but the setting has no effect. Gives the false impression that you can configure a Resource Administrator User to have Advanced shell access when the role does not support it.
Workaround:
None.
Fix:
The Advanced shell option is no longer present in the Resource Administrator User Terminal Access dropdown list.
Behavior Change:
Resource Administrator User can no longer select Advanced shell. The option has been removed from the dropdown list in the GUI for the Resource Administrator User.
760222 : SCP fails unexpectedly when FIPS mode is enabled
Component: TMOS
Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.
Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.
Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.
Workaround:
None.
Fix:
This scp issue no longer occurs when FIPS cards are installed.
760164-1 : BIG-IP VE Compression Offload HA action requires modification of db variable
Component: TMOS
Symptoms:
When TMM detects a compression offload device hang it does not invoke the configured high availability (HA) action.
Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes compression operations.
Impact:
The configured HA action does not occur when a compression offload device hangs. Client compression requests eventually time out.
Workaround:
Disable pfmand by running the following commands:
tmsh modify sys db pfmand.healthstatus value disable
tmsh save sys config
The configured HA action will now occur when a compression offload device hangs.
Note: The pfmand daemon is not needed for BIG-IP VE, so disabling the db variable has no impact for BIG-IP VE configurations.
760078-1 : Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet.
Component: Local Traffic Manager
Symptoms:
Packet with unexpected source MAC seen on the adjacent node to the BIG-IP.
Conditions:
- BIG-IP configured in an L2 transparent mode using virtual wires
- Traffic forwarded between client and server in an asymmetric manner across virtual wires.
Impact:
Possible impacts to services on nodes adjacent to the BIG-IP if policy decisions on those nodes are made with the source MAC of the received packet as input.
759968-3 : Distinct vCMP guests are able to cluster with each other.
Component: Local Traffic Manager
Symptoms:
-- Distinct vCMP guests are able to cluster with each other.
-- Guests end up having a duplicate rebroad_mac on one or more slots. This can be checked using the following command:
clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac
Check the 'rebroad_mac' field for duplicate mac addresses.
vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------
Conditions:
-- It is not yet clear under what circumstances the issue occurs.
-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.
Impact:
Only the vCMP guest acting as primary will be operative.
Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:
modify sys db clusterd.communicateovertmmbp value false
To disable the db variable on the affected guest use the following procedure:
1. stop sys service clusterd
2. modify sys db clusterd.communicateovertmmbp value false
3. start sys service clusterd
4. save sys conf
Afterwards, the affected guest may still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask.
Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.
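The 'rebroad_mac' check from the Symptoms of 759968 can be automated. The following is an added example, not F5 code: it assumes the three-column tmctl output shown above is piped to it on stdin, uses the rows from that listing as built-in sample input, and assumes that the same guest name appearing on several slots with one MAC is not a conflict.

```python
import re
import sys
from collections import defaultdict

# An all-zero rebroad_mac means "not set"; the issue concerns non-null duplicates.
NULL_MAC = "00:00:00:00:00:00"
MAC_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")

# Rows copied from the Symptoms listing above (annotation arrows dropped).
SAMPLE_OUTPUT = """\
vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A
vcmp11 0 02:01:23:45:01:0A
"""


def parse_rows(text):
    """Return (vcmp_name, tmid, rebroad_mac) tuples, skipping headers,
    separator lines and any per-slot banner lines in the input."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1].isdigit() and MAC_RE.match(fields[2]):
            rows.append((fields[0], int(fields[1]), fields[2].lower()))
    return rows


def duplicate_rebroad_macs(text):
    """Map each non-null rebroad_mac used by two or more distinct guests
    to the sorted list of those guest names."""
    guests_by_mac = defaultdict(set)
    for guest, _tmid, mac in parse_rows(text):
        if mac != NULL_MAC:
            guests_by_mac[mac].add(guest)
    return {mac: sorted(names)
            for mac, names in guests_by_mac.items() if len(names) > 1}


if __name__ == "__main__":
    # Use piped tmctl output when present, otherwise the built-in sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    dupes = duplicate_rebroad_macs(text)
    for mac, guests in sorted(dupes.items()):
        print(f"DUPLICATE rebroad_mac {mac}: {', '.join(guests)}")
    sys.exit(1 if dupes else 0)
```

The exit status is non-zero when a duplicate is found, so the check can be scheduled and alerted on.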
759868-1 : TMM crash observed while rendering internal pages (like blocked page) for per-request policy
Component: Access Policy Manager
Symptoms:
TMM crashes.
Conditions:
-- SSLO/SWG configured.
-- Rendering internal pages (like a blocked page).
-- Per-request policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores while rendering internal pages (like blocked page) for per-request policy.
759814-1 : Unable to view iApp component view★
Component: TMOS
Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.
Conditions:
-- Upgrade to v14.1.x.
-- Create a new iApp with an SSL, ASM, or Traffic policy profile.
-- Or, attempt to view an iApp containing ASM information
Impact:
Unable to access the iApp Component view. Cannot reconfigure the iApp directly (iApp : Application Services : application : any app).
Workaround:
To reconfigure the iApp, do the following:
1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List.
2. Click the Application Link :: Reconfigure.
Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.
759735-2 : OSPF ASE route calculation for new external-LSA delayed
Component: TMOS
Symptoms:
External link-state advertisement (LSA) update does not trigger OSPF ASE route calculation, resulting in delay for route state changes from external LSA.
Conditions:
-- OSPF enabled.
-- More than 20 updated external LSA.
-- No updated router and network LSA.
Impact:
Delay of route update from external LSA.
Workaround:
Manually clear ip ospf process.
Fix:
OSPF ASE route calculations from external LSAs now happen as normal.
759723-1 : Abnormally terminated connections on server side may cause client side streams to stall
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides HTTP/2 Gateway configuration when an HTTP/2 client is served by HTTP/1.x pool members. When a server-side connection terminates abnormally, TMM may crash.
Conditions:
-- A virtual server with HTTP/2 Gateway configuration is configured on the BIG-IP system.
-- Traffic on the server side has some abnormalities, resulting in aborted or unclosed connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash when a virtual server is configured as a HTTP/2 gateway.
759721-2 : DNS GUI does not follow best practices
Solution Article: K03332436
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS WebUI does not follow best security practices.
Conditions:
DNS services provisioned, enabled, and configured
Impact:
The DNS WebUI does not follow best security practices.
Workaround:
None.
Fix:
The DNS WebUI now follows best security practices.
759654-1 : LDAP remote authentication with remote roles and user-template failing
Component: TMOS
Symptoms:
The directory server that performs authentication requests refuses a query for authorization (user attributes), which prevents the BIG-IP user from logging on with remote authentication.
BAD_NAME errors are usually present in LDAP communication.
Conditions:
-- Configure LDAP remote authentication with remote roles and a user template.
-- As a remote user, attempt to log on.
Impact:
The query request sent to the directory server is refused because the password is not included in the request, and the server does not accept an anonymous bind request. The refused request prevents a lookup of the user account attributes on the directory server. As a result, the BIG-IP user cannot log on.
Workaround:
Remove user-template. bind-dn must be used to authenticate against the LDAP server.
759579-1 : Full Webtop: 'URL Entry' field is available again
Component: Access Policy Manager
Symptoms:
'URL Entry' field is no longer visible from full webtop.
Conditions:
Using Portal Access full webtop screen.
Impact:
It is not possible to open a Portal Access session with an arbitrary URL from the full webtop screen.
Workaround:
None.
Fix:
The 'URL Entry' field can now be enabled and used on the full webtop.
759536-2 : Linux kernel vulnerability: CVE-2019-8912
Solution Article: K31739796
759499-2 : Upgrade from version 12.1.3.7 to version 14.1.0 failing with error★
Component: TMOS
Symptoms:
Upgrade from version 12.1.3.7 to version 14.1.0 fails. Running 'tmsh show sys software' shows the following message:
failed (Could not access configuration source; sda,n)
Conditions:
1. Install BIG-IP version 12.1.3.7 in new volume.
2. From 12.1.3.7, try to install 14.1.0 in new volume.
Impact:
Upgrade fails.
Workaround:
To work around this issue, delete the 14.1.0 volume and try the installation again.
The second installation of 14.1.0 succeeds in this scenario.
759483-1 : Message about HTTP status code which are set by default disappeared from the UI
Component: Application Security Manager
Symptoms:
When creating a new policy using the policy-creation page, there are status codes (200-399) that are enabled by default. The message about HTTP status codes that are set by default does not appear in the GUI.
Conditions:
Open the Create a New Policy page.
Impact:
The message is not shown on the Create Policy page.
Workaround:
None.
Fix:
The message has been added and is always shown next to the Allowed Response Status Codes input.
759462-1 : Site names and vulnerabilities cannot be retrieved from WhiteHat server
Component: Application Security Manager
Symptoms:
Site names and/or vulnerabilities cannot be retrieved from WhiteHat's server, and you get this error:
Failed to get site names
500 Can't connect to 63.128.163.17:443
Additionally, if configured, the HTTP/HTTPS proxy is not used.
Conditions:
You attempt to retrieve site names and/or vulnerabilities from WhiteHat's server.
Impact:
The site names and/or vulnerabilities cannot be retrieved.
Workaround:
You can manually enter site name in the field 'WhiteHat Site Name' on the Security :: Application Security :: Vulnerability Assessments :: Settings page, and vulnerabilities can be downloaded from the WhiteHat server and uploaded to ASM.
Fix:
Site names and vulnerabilities can now be retrieved directly from WhiteHat's server.
759360-2 : Apply Policy fails due to policy corruption from previously enforced signature
Component: Application Security Manager
Symptoms:
Apply Policy fails due to policy corruption in PLC database from a previously enforced signature.
Conditions:
1. Export a policy containing a signature with an enforced rule.
2. Update ASM Signatures (ASU).
3. Import that previously exported policy.
4. Apply the newly imported policy.
Impact:
Apply policy fails.
Workaround:
As a workaround, run the following SQL, and then apply the policy:
----------------------------------------------------------------------
UPDATE PLC.PL_POLICY_NEGSIG_SIGNATURES SET previous_enforced_rule_md5 = '' WHERE previous_enforced_rule = '' and previous_enforced_rule_md5 != ''
----------------------------------------------------------------------
759343-6 : MacOS Edge Client installer does not follow best security practices
Solution Article: K49827114
759192-3 : TMM core during display of PEM session under some specific conditions
Component: Policy Enforcement Manager
Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.
Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.
Fix:
TMM core during display of PEM session no longer occurs.
759172-1 : Read Access Denied: user (gu, guest) type (Certificate Order Manager)
Component: TMOS
Symptoms:
A GUI guest user is supposed to be able to see Key properties (which include Certificate Order Manager association details) and the Certificate Order Manager object itself, but the system reports an error:
-- General database error retrieving information.
-- err mcpd[6586]: 01070823:3: Read Access Denied: user (gu) type (Certificate Order Manager)
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Guest user attempts to view Key properties (including cert order manager association details) and Certificate Order Manager object information.
Impact:
Certificate Manager role does not allow users to create certificates. They can upload and delete certificates, but when trying to create one, the GUI stays blank and the logs show a Read Access Denied error.
Workaround:
None.
759135-2 : AVR report limits are locked at 1000 transactions
Component: Application Visibility and Reporting
Symptoms:
AVR reports are limited to 1000 transactions. This is due to a hard-coded limit.
Conditions:
Using AVR reports for more than 1000 transactions.
Impact:
Unable to create reports with more than 1000 rows.
Workaround:
None.
Fix:
A db variable, avr.stats.reportrownumberlimit, has been added and can be controlled via TMSH. The variable controls the number of rows in a report, within the range of 1 to 100000.
For example, for a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:
tmsh modify sys db avr.stats.reportrownumberlimit value 10000
Behavior Change:
There is a new db variable avr.stats.reportrownumberlimit available in TMSH, which controls the number of rows in an AVR report. Valid values are from 1 to 100000.
For example, to create a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:
tmsh modify sys db avr.stats.reportrownumberlimit value 10000
759077-2 : MRF SIP filter queue sizes not configurable
Component: Service Provider
Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.
Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes is exceeded, the filter enables its flow control logic.
Impact:
Messages may be dropped.
Workaround:
None.
Fix:
The max-pending-messages and max-pending-bytes values in the SIP router profile will be used as the limits for the SIP filter's queues. If the configured value is less than the existing hard-coded limits (512 bytes or 65535 bytes), the hard-coded limits will be used.
758992-2 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
Component: Local Traffic Manager
Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.
Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.
Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.
Impact:
Incorrect MAC address used for traffic associated with the traffic-group.
Workaround:
None.
Fix:
tmm uses the proper MAC address when there is a traffic-group mac address defined and 'tm.macmasqaddr_per_vlan' is set to true.
758909-1 : TMM may crash while processing PEM traffic
Solution Article: K04730051
758879 : BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) with ixlv devices (Intel X710/XL710/XXV710 family) might not reliably pass traffic after a hard boot of the host on which it runs.
The tmm log contains messages similar to the following:
ixlv[0:8.0]: Error: AQ returned error -1 to request 10!
ixlv[0:8.0]: Error: Error -1 waiting for PF to complete operation 4
ixlv[0:8.0]: Error: WARNING: Error adding VF mac filter!
ixlv[0:8.0]: Error: WARNING: Device may not receive traffic!
The host's kernel log might contain messages similar to the following:
i40e 0000:06:00.0: VF is not trusted, switch the VF to trusted to add more functionality
Conditions:
-- BIG-IP VE with one or more virtual functions that utilize the ixlv driver within tmm.
-- Hard reboot the host and observe traffic.
Note: This issue might be dependent upon the version of the PF driver in the host, and has been observed with at least 2.1.4 and 2.4.10, but this list is incomplete.
Impact:
IPv6 and other network traffic may be handled unreliably.
Workaround:
Reboot the guest. This problem has been observed only on the very first boot after a hard boot of the host.
758872-3 : TMM memory leak
Component: Local Traffic Manager
Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode, the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.
Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.
Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.
Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to out-of-memory crash.
Workaround:
Make sure the virtual server is not CMP disabled; for example, avoid using global variables in iRules.
Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.
758781-3 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
Component: TMOS
Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()
Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.
Impact:
Slowness might cause timeouts in applications that are calling these functions.
Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.
758764-2 : APMD Core when CRLDP Auth fails to download revoked certificate
Component: Access Policy Manager
Symptoms:
CRLDP Auth fails to download revoked certificates, so the list of revoked certificates remains empty (NULL). APMD cores while accessing this empty (NULL) list.
Conditions:
Empty revoked-certificate list handling.
Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.
Workaround:
None.
Fix:
The system now checks for an empty (NULL) revoked-certificate list and lets validation succeed (because there is nothing to validate against).
758714-1 : Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports.
Component: Local Traffic Manager
Symptoms:
Traffic does not pass through the BIG-IP system.
Conditions:
- Configure two trunk/LAG ports on a BIG-IP system.
- Create a virtual wire across it.
Impact:
Loss of service across the virtual wire.
Workaround:
None.
Fix:
Corrected the faulty validation checks during configuration that were a result of collateral damage.
758701-1 : APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install
Component: Access Policy Manager
Symptoms:
Remote Desktop (RD) Gateway connections from standalone RDP clients on Mac/iOS/Android fail against a fresh APM installation.
The following error is logged to /var/log/ltm:
... 01220001:3: TCL error: /Common/_sys_APM_Citrix_SmartAccess <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::path"
Conditions:
- Fresh APM installation.
- Standalone Mac/iOS/Android RDP client uses APM as RD Gateway.
Impact:
Connection can't be established.
Workaround:
Disable the "tmm.http.tcl.validation" db variable:
# tmsh modify sys db tmm.http.tcl.validation value disable
Fix:
Remote Desktop (RD) Gateway connections from standalone RDP clients on Mac/iOS/Android no longer fail against a fresh APM installation.
758667-1 : BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs
Component: TMOS
Symptoms:
When TMM detects a crypto or compression offload device hang it does not invoke the configured high availability (HA) action.
Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes crypto or compression operations.
Impact:
Client requests eventually time out.
Workaround:
None.
758655-1 : TMC does not allow inline addresses with non-zero Route-domain.
Component: Local Traffic Manager
Symptoms:
When trying to create a traffic-matching-criteria with inline addresses and a non-zero route domain, the system returns an error:
TMC(/Common/tmc333) and addresses within the address list have different route domain.
Conditions:
Attempting to create a traffic-matching-criteria with an inline address (source or destination) and a non-zero route domain, e.g.:
create ltm traffic-matching-criteria tmc333 destination-address-inline 111.111.111.194 source-address-inline 0.0.0.0 route-domain 100
Impact:
Cannot create the traffic-matching-criteria.
Workaround:
None.
Fix:
You can now create a traffic-matching-criteria with inline addresses with non-zero Route-domain.
758631-4 : ec_point_formats extension might be included in the server hello even if not specified in the client hello
Component: Local Traffic Manager
Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.
Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.
Impact:
Some clients abort the connection in this case.
Workaround:
There is no workaround other than not configuring any EC cipher suites.
Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.
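The rule behind 758631 can be checked on captured handshakes by comparing the extension lists of the two hello messages. The following is an added example, not F5 code: the hello messages are constructed inline, the function names are hypothetical, and the one allowance it makes is renegotiation_info, which RFC 5746 lets a server return when the client offered only the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value.

```python
import struct

EC_POINT_FORMATS = 11          # extension type named in this issue
SUPPORTED_GROUPS = 10
RENEGOTIATION_INFO = 0xFF01
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # signalling cipher suite value (RFC 5746)


class Reader:
    """Bounds-checked cursor over a byte string."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated hello message")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, size):
        return int.from_bytes(self.take(size), "big")

    def remaining(self):
        return len(self.data) - self.pos


def parse_hello(msg):
    """Parse one handshake message (no record header) and return
    (msg_type, cipher_suites, extension_types)."""
    outer = Reader(msg)
    msg_type = outer.uint(1)
    if msg_type not in (1, 2):            # 1 = ClientHello, 2 = ServerHello
        raise ValueError("not a hello message")
    body = Reader(outer.take(outer.uint(3)))
    body.take(2 + 32)                     # version and random
    body.take(body.uint(1))               # session_id
    if msg_type == 1:
        raw = body.take(body.uint(2))     # list of offered cipher suites
        suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw) - 1, 2)]
        body.take(body.uint(1))           # compression methods
    else:
        suites = [body.uint(2)]           # the single selected cipher suite
        body.take(1)                      # selected compression method
    extensions = []
    if body.remaining():                  # the extensions block is optional
        block = Reader(body.take(body.uint(2)))
        while block.remaining():
            ext_type = block.uint(2)
            block.take(block.uint(2))     # skip the extension data
            extensions.append(ext_type)
    return msg_type, suites, extensions


def unsolicited_extensions(client_hello, server_hello):
    """Extension types in the server hello that the client did not offer."""
    c_type, c_suites, c_exts = parse_hello(client_hello)
    s_type, _, s_exts = parse_hello(server_hello)
    if (c_type, s_type) != (1, 2):
        raise ValueError("expected a ClientHello followed by a ServerHello")
    offered = set(c_exts)
    if EMPTY_RENEGOTIATION_INFO_SCSV in c_suites:
        offered.add(RENEGOTIATION_INFO)
    return [ext for ext in s_exts if ext not in offered]


def ext(ext_type, data=b""):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_hello(msg_type, suites, extensions):
    """Build a minimal hello for the constructed samples below."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # TLS 1.2, zero random, no session id
    if msg_type == 1:
        packed = b"".join(struct.pack("!H", s) for s in suites)
        body += struct.pack("!H", len(packed)) + packed + b"\x01\x00"
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"
    ext_bytes = b"".join(extensions)
    if ext_bytes:
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed samples: the client offers an EC suite (0xC02F) but no ec_point_formats.
CLIENT_HELLO = build_hello(1, [0xC02F, EMPTY_RENEGOTIATION_INFO_SCSV],
                           [ext(SUPPORTED_GROUPS, b"\x00\x02\x00\x17")])
SERVER_HELLO_AFFECTED = build_hello(2, [0xC02F], [ext(RENEGOTIATION_INFO, b"\x00"),
                                                  ext(EC_POINT_FORMATS, b"\x01\x00")])
SERVER_HELLO_FIXED = build_hello(2, [0xC02F], [ext(RENEGOTIATION_INFO, b"\x00")])

if __name__ == "__main__":
    for name, hello in (("affected", SERVER_HELLO_AFFECTED), ("fixed", SERVER_HELLO_FIXED)):
        print(name, unsolicited_extensions(CLIENT_HELLO, hello))
```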
758536 : Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x
Component: Traffic Classification Engine
Symptoms:
Traffic Intelligence IM pkg for v14.1.0 fails to install on base build version v14.1.0.1 through v14.1.0.4. This is due to a strict version check in the upgrade scripts.
Conditions:
When hitless upgrade for traffic intelligence with version 14.1.0 is used on base build v14.1.0.1 through v14.1.0.4.
Impact:
The process fails to load/install. The system does not receive the latest traffic intelligence signatures.
Workaround:
There is no workaround other than requesting a purpose-built traffic intelligence IM for that particular build.
Fix:
You can now install 14.1.0 IM on any other 14.1.0.x with minor version update.
758527-2 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
Solution Article: K39604784
Component: TMOS
Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.
Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.
Impact:
Frames not delivered as expected.
Workaround:
Disable global STP.
Fix:
Frames now delivered as expected.
758465-1 : TMM may crash or iRule processing might be incorrect
Component: Local Traffic Manager
Symptoms:
After modifying an iRule:
- The iRules on one or more virtual servers might fire in the wrong order.
- The iRules on one or more virtual servers might not fire at all.
- TMM might crash if the iRule event is modified again.
- TMM might crash if a virtual server is modified.
Conditions:
This occurs when all of the following conditions are met:
- An iRule is in use on more than one virtual server.
- The iRule occupies a different position in the iRule list on various virtual servers, and one or more of the other iRules define the same event.
- The iRule event is modified.
Impact:
Traffic interruption while TMM restarts.
Incorrect iRule processing.
Workaround:
None.
758459-1 : Cross origin AJAX requests are blocked by Cross-Origin Resource Sharing (CORS) protection
Component: Application Security Manager
Symptoms:
When the Single Page Application (SPA) option is enabled in ASM, cross-origin AJAX requests result in the following error in the browser console, and the site application might not work:
Access to XMLHttpRequest at 'https://x.com' from origin 'https://www.y.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
Conditions:
-- ASM with SPA enabled
-- App is sending cross-origin requests
Impact:
App does not work as expected.
Workaround:
Using an iRule, add the following headers to the response:
-- Access-Control-Allow-Origin with originating domain.
-- Access-Control-Allow-Credentials: true.
Fix:
This release adds the relevant CORS fields to responses.
758387-2 : BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it
Component: TMOS
Symptoms:
In STP 'passthru' mode, any packet sent to the BIG-IP system with a destination MAC of 01-80-c2-00-00-00 is treated as an STP bridge protocol data unit (BPDU), and is flooded to the VLAN.
Conditions:
-- The BIG-IP system is configured for STP 'passthru' mode
-- The BIG-IP system receives a packet with MAC 01-80-c2-00-00-00.
Impact:
A packet that is not an STP BPDU, but is sent to the same destination MAC address may be flooded as if it was a BPDU.
Workaround:
None.
758311-1 : Policy Compilation may cause MCPD to crash
Component: Local Traffic Manager
Symptoms:
If a policy has rules involving IPv6 addresses, and the addresses differ only on 32-bit boundaries, then the compilation of that policy may cause MCPD to crash.
Conditions:
-- A policy is attached to a virtual server.
-- That policy contains conditions that involve IPv6 addresses.
-- The addresses in different rules differ only on 32-bit boundaries.
Impact:
MCPD cores, and then restarts. The policy is not usable.
Workaround:
You can try either of the following:
-- It may be possible to create multiple rules from a given rule by altering the netmask.
-- Another possibility is to add a placeholder rule with no action that matches IP addresses differently.
Fix:
Policies involving matching IP addresses now compile correctly.
758119-6 : qkview may contain sensitive information
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
758085-1 : CAPTCHA Custom Response fails when using certain characters
Component: Application Security Manager
Symptoms:
When setting the CAPTCHA Custom Response in the Bot Defense GUI, saving the profile fails when using certain characters.
For example, using the following response will return the error: 'black' unknown property
This question is for testing whether you are a human visitor and to prevent automated spam submission.
<p style="color: black; padding-right:20px">
<br>
%BOTDEFENSE.captcha.image% %BOTDEFENSE.captcha.change%
<br>
<b>What code is in the image\?</b>
%BOTDEFENSE.captcha.solution%
<br>
%BOTDEFENSE.captcha.submit%
<br>
<br>
Your support ID is: %BOTDEFENSE.captcha.support_id%.
Conditions:
Attempting to configure custom CAPTCHA response in the Bot Defense profile GUI.
Impact:
Cannot configure custom CAPTCHA response in the Bot Defense Profile GUI.
Workaround:
Use TMSH or REST API to configure the CAPTCHA Custom Response.
Fix:
Configuring custom CAPTCHA response page in the Bot Defense Profile no longer fails when using certain characters.
758065-4 : TMM may consume excessive resources while processing FIX traffic
Solution Article: K82781208
758018-5 : APD/APMD may consume excessive resources
Solution Article: K61705126
757992-3 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
Component: Access Policy Manager
Symptoms:
RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.
Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.
Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.
Fix:
RADIUS Acct STOP message is now sent as expected.
757985-1 : TMM memory leak
Solution Article: K79562045
Component: Local Traffic Manager
Symptoms:
-- TMM memory utilization baseline is slowly increasing.
-- The 'allocated' column of the 'tcl' row in the memory_usage_stat tmctl table is high and is close to the 'max_allocated' value.
Conditions:
-- The header-insert option in a custom HTTP profile is configured.
-- The profile is attached to a virtual server.
Impact:
Degraded performance, and eventual out-of-memory condition that may trigger a TMM crash. Traffic disrupted while tmm restarts.
Workaround:
Instead of the profile header-insert, use HTTP::header iRule commands.
Fix:
The header-insert option can now be configured in HTTP profiles without causing a TMM memory leak.
757827-1 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
1. Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
2. DNS queries to resolve these FQDN names occur almost simultaneously.
3. The BIG-IP version in use contains the fix for ID 726319.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.
As a result, some pools may not have any active pool members, and will not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default fqdn interval value of 3600 seconds, such downtime would last approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter fqdn interval value for the FQDN nodes:
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configured FQDN name.
Fix:
When using FQDN nodes and pool members, ephemeral pool members will be created as expected following a configuration-load or BIG-IP reboot operation.
However, messages similar to the following may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name:
err mcpd[20479]: 01020066:3: The requested Node (****) already exists in partition ****.
err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
757782-1 : OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default
Component: Access Policy Manager
Symptoms:
Invalid 'sub' claim in JWT access token that is generated by OAuth Authorization Server.
Conditions:
-- OAuth Authorization Server is configured to return JWT access token.
-- Subject field is configured to be a session variable other than the default '%{session.assigned.uuid}'.
Impact:
Invalid value in 'sub' claim in JWT access token. If OAuth resource server depends on the value of 'sub' claim, then that functionality does not work.
Workaround:
Add Variable assign agent after OAuth Authorization agent, and assign session.assigned.oauth.authz.token.subject with the session variable name such as the following:
session.logon.last.logonname.
Fix:
OAuth Authorization Server sends valid value in 'sub' claim in the generated JWT token when subject is configured to use a session variable.
757777-3 : bigtcp does not issue a RST in all circumstances
Component: Local Traffic Manager
Symptoms:
bigtcp does not issue a TCP reset, e.g., when using the iRule reject command on CLIENT_ACCEPTED.
Conditions:
bigtcp in use, tcp connection, connection ungracefully shut down via a 'reject' command in an iRule
Impact:
TCP RST is not sent, and the SYN is silently dropped.
Workaround:
none
Fix:
bigtcp virtual servers now send a TCP RST if needed.
757722-2 : Unknown notify message types unsupported in IKEv2
Component: TMOS
Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.
Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.
Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.
Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.
Fix:
All unknown notify types are now logged and then ignored.
757698-1 : TMM crashes in certain situations of which iRule execution interleaves client side and server side flows
Component: Local Traffic Manager
Symptoms:
TMM crashes in certain situations in which iRule execution interleaves client-side and server-side flows.
Conditions:
The exact conditions that cause this issue are unknown, although it appears to happen in at least one configuration: OneConnect with an iRule whose execution causes the client-side and server-side flow operations to interleave inside TMM.
Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
iRule clears the right side data after execution.
757617-1 : Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865
Solution Article: K06044762
757578-2 : RAM cache is not compatible with verify-accept
Component: Local Traffic Manager
Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature.
Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with Web Acceleration via RAM cache.
Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.
Workaround:
Do not use TCP's verify-accept option together with RAM cache.
Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.
757524 : Data operation attempt on object that has not been loaded
Component: Advanced Firewall Manager
Symptoms:
While assigning VLANs to Traffic Matching Criteria, you get an error:
01070712:3: Data operation attempt on object that has not been loaded.
Conditions:
This occurs while trying to add or modify VLANs on a Traffic Matching Criteria.
Impact:
Error is reported; unable to add or modify VLAN assignment to Traffic Matching Criteria.
Workaround:
None.
Fix:
Fixed the issue to allow configuration of VLANs to Traffic Matching Criteria object.
757519-1 : Unable to login using LDAP authentication with a user-template
Component: TMOS
Symptoms:
User cannot log in using remote LDAP authentication. This occurs because LDAP with user-template uses the user-template username as the DN for search.
Conditions:
LDAP authentication configuration includes user-template, which is not a valid DN.
Impact:
Remote LDAP authentication users are unable to log in.
Workaround:
You can use either of the following workarounds:
-- Create a specific user for bind by configuring bind-dn and bind-pw and remove user-template.
-- Switch to local authentication.
757455-2 : Excessive resource consumption when processing REST requests
Solution Article: K87920510
757441-4 : Specific sequence of packets causes Fast Open to be effectively disabled
Component: Local Traffic Manager
Symptoms:
You see this warning in the logs:
warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.
Conditions:
-- TCP Fast Open and ECN are both enabled.
-- There are multiple RST segments from the receive window received in SYN_RECEIVED state.
Impact:
TCP Fast Open is disabled, as the pre_established_connections becomes very large (greater than a threshold).
Workaround:
TCP ECN option can be disabled.
Fix:
TCP Fast Open is prevented from being disabled when some conditions are met.
757391-2 : Datagroup iRule command class can lead to memory corruption
Component: Local Traffic Manager
Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.
Conditions:
A [class] command used within a foreach loop.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround aside from removing that iRule.
Fix:
tmm no longer crashes under these conditions.
757360-1 : Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO
Component: Access Policy Manager
Symptoms:
Category lookup returns the wrong category on subsequent traffic following initial HTTP CONNECT traffic through F5 SSL Orchestrator (SSLO).
Conditions:
-- Outbound deployment configured in SSLO, where SSLO behaves as a transparent proxy.
-- A policy has a branch to look up the category using HTTP Connect.
-- An HTTPS client generates HTTPS traffic via an explicit proxy on the local network with a private address through SSLO as the gateway.
Impact:
Category Match is not performed on subsequent requests, so the fallback branch is taken.
Workaround:
None.
Fix:
Category lookup now works correctly in this scenario.
757359-1 : pccd crashes when deleting a nested Address List
Component: Advanced Firewall Manager
Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.
Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.
-- A high availability (HA) setup with config-sync enabled and there are intermittent problems with HA-connections, or out-of-memory system state, might intermittently result in this crash.
Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.
Workaround:
-- If the crash occurs as a result of incorrect tmsh commands in a transaction, reorder the commands so that the parent list is modified or deleted before deleting the nested list.
-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.
Fix:
pccd no longer crashes under these conditions, and correctly compiles the new configuration.
757357-3 : TMM may crash while processing traffic
Solution Article: K92002212
757306-3 : SNMP MIBS for AFM NAT do not yet exist
Component: Advanced Firewall Manager
Symptoms:
SNMP MIBS for AFM NAT do not yet exist.
Conditions:
This occurs in normal operation.
Impact:
Unable to read values that do not exist in SNMP, meaning that you cannot access information that you need.
Workaround:
None.
757088-1 : TMM clock advances and cluster failover happens during webroot db nightly updates
Component: Traffic Classification Engine
Symptoms:
Webroot database mapping and unmapping takes a very long time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in a clustered environment.
Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.
Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.
Workaround:
You can avoid this issue by disabling BrightCloud updates; however, your environments will miss the latest updates as a result.
#vi /etc/wr_urldbd/bcsdk.cfg
DoBcap=true
DoRtu=false
DownloadDatabase=false
Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover does not happen.
757084-2 : Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled
Solution Article: K00432398
757027-1 : BIND Update
Solution Article: K01713115
757026-1 : BIND Update
Component: TMOS
Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC
Conditions:
GTM provisioned.
Impact:
BIND not up-to-date
Workaround:
None.
Fix:
Upgrade to BIND 9.11.5-P4
757025-1 : BIND Update
Solution Article: K00040234
757023-2 : BIND vulnerability CVE-2018-5743
Solution Article: K74009656
756877-1 : Virtual server created with Guided Configuration is not visible in Grafana
Component: Anomaly Detection Services
Symptoms:
The traffic of Virtual Server created with the Guided Configuration is not visible with Grafana monitoring tool.
Statistics of this virtual server are not included in the admdb part of qkview.
Conditions:
-- Create virtual server using Guided Configuration.
-- Use the Grafana monitoring tool to view virtual server statistics.
-- Create a qkview.
Impact:
Cannot view virtual server using the Grafana monitoring tool. The resulting qkview contains no statistics for this virtual server. Lack of information for debugging and troubleshooting.
Workaround:
Configure virtual server manually, without the Guided Configuration.
Fix:
Virtual server created with Guided Configuration is visible in Grafana and its statistics present in qkview.
756777-1 : VDI plugin might crash on process shutdown during RDG connections handling
Component: Access Policy Manager
Symptoms:
VDI plugin might crash on process shutdown if it is stopped during handling of RDG connections.
Conditions:
VDI plugin process is stopped while new RDG connection is established via APM.
Impact:
The process shuts down, but the generated core file might cause unnecessary confusion.
Workaround:
None.
Fix:
Fixed VDI plugin crash on process shutdown during RDG connections handling.
756774-6 : Aborted DNS queries to a cache may cause a TMM crash
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may crash if an attempt is made to send a response to a TCP connection that has already been torn down.
Conditions:
TCP connections that are aborted before receiving a RESPONSE from a cache.
Impact:
Loss of service until TMM is restarted. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Aborted DNS queries to a cache no longer cause a TMM crash.
756538-4 : Failure to open data channel for active FTP connections mirrored across an HA pair.
Solution Article: K15759349
756477-2 : Drop Redirect tab incorrectly named as 'Redirect Drop'
Component: Advanced Firewall Manager
Symptoms:
Incorrect naming on navigation tabs Security :: Debug :: Drop Redirect.
Conditions:
Navigating to Security :: Debug :: Drop Redirect.
Impact:
The page name is Drop Redirect instead of Redirect Drop.
Workaround:
None.
Fix:
Drop Redirect tab is now correctly named as 'Drop Redirect'
756458-3 : Linux kernel vulnerability: CVE-2018-18559
Solution Article: K28241423
756450-1 : Traffic using route entry that's more specific than existing blackhole route can cause core
Component: TMOS
Symptoms:
TMM asserts with 'Attempting to free loopback interface' message.
Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use /32 blackhole routes.
Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.
756418-1 : Live Update does not authenticate remote users
Component: Application Security Manager
Symptoms:
Remote users with Administrator or Application Security Administrator roles cannot run Live Update.
Conditions:
-- Remote user (LDAP/RADIUS).
-- Remote user logged in.
-- New installation is available.
Impact:
-- Remote users cannot manually check for updates.
-- Remote users cannot manually upload new files.
-- Remote users cannot install new update files.
Workaround:
Log in with a local user like admin, application security editor, or application security administrator.
Fix:
Authentication is directly done from MCP. Remote users are not treated like local users, so only the role of the user determines the ability to perform operations such as Live Update.
756402-2 : Re-transmitted IPsec packets can have garbled contents
Component: TMOS
Symptoms:
Before re-transmitting a packet, it is discovered to be garbled, mainly in the form of having physical length that no longer matches the logical length recorded inside the packet.
Conditions:
Possibly rare condition that might cause packet freeing while still in use.
Impact:
Likely tunnel outage until re-established.
Workaround:
No workaround is known at this time.
Fix:
This release adds checksums to verify IPsec packets are not altered between first creation and later re-transmission.
756363-1 : SSLO or SWG connections using proxy chaining to Explicit Proxy can get reset
Component: Access Policy Manager
Symptoms:
Connections get reset with reset cause "repick failed"
Conditions:
SSLO with proxy chaining to Explicit Proxy or SWG per-request policy using proxy select agent with No URI rewrite
Impact:
Connections get reset with reset cause "repick failed"
Workaround:
None
Fix:
Connections no longer get reset.
756356-2 : External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long
Component: Local Traffic Manager
Symptoms:
iRules using the command 'class match' with the 'equals' operator on long entries fail to return a positive match, even if they are in the datagroup, for example:
my_datagroup:
"abcdefghijklmnopqrstuvwxyz0123456" := "value1"
class match "abcdefghijklmnopqrstuvwxyz0123456" equals my_datagroup
Conditions:
This is encountered when all of the following conditions are met:
- Using an external datagroup of type string with keys longer than 32 characters.
- Using an iRule with the 'class match' command and the 'equals' operator on the external datagroup.
- Trying to match keys that are longer than 32 characters.
Impact:
iRules will act incorrectly.
Workaround:
If none of the keys in the datagroup are prefixes of each other, the 'equals' operator can be changed to 'starts_with' or 'ends_with' (if none are suffixes of each other).
Fix:
iRules using the command 'class match' with the 'equals' operator on long entries now correctly match external datagroup string entries that are longer than 32 characters.
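The following audit script is an added example, not F5 code: it parses an external string datagroup file, lists the keys longer than 32 characters that are exposed to ID 756356, and checks the workaround's precondition (no key is a prefix, or suffix, of another key). The sample records and all function names are constructed, and the parser assumes one "key" := "value" record per line with no embedded double quotes.

```python
import re

# One record of an external string datagroup file: "key" := "value",
# Assumption: one record per line, no embedded double quotes in keys or values.
RECORD = re.compile(r'^\s*"([^"]*)"\s*(?::=\s*"([^"]*)")?\s*,?\s*$')
KEY_LIMIT = 32  # 'class match ... equals' misses keys longer than this (ID 756356)

# Constructed sample data; the first key is the one shown in the release note.
SAMPLE = '''\
"abcdefghijklmnopqrstuvwxyz0123456" := "value1",
"abcdefghijklmnopqrstuvwxyz01234567890" := "value2",
"short-key" := "value3",
'''


def parse_datagroup(text):
    """Return {key: value} for every record in the datagroup text."""
    records = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = RECORD.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a string record: {line!r}")
        records[match.group(1)] = match.group(2) or ""
    return records


def overlapping_pairs(keys, mode):
    """Return (shorter, longer) pairs where one key is a prefix of another
    (mode 'starts_with') or a suffix of another (mode 'ends_with')."""
    # Comparing reversed strings turns the suffix test into a prefix test.
    view = (lambda k: k) if mode == "starts_with" else (lambda k: k[::-1])
    ordered = sorted(keys, key=view)
    pairs = []
    for i, shorter in enumerate(ordered):
        # In sorted order, every key that extends 'shorter' follows it directly.
        for longer in ordered[i + 1:]:
            if not view(longer).startswith(view(shorter)):
                break
            pairs.append((shorter, longer))
    return pairs


def audit(text):
    """Report keys hit by the 'equals' bug and whether each workaround
    operator meets the precondition stated in the release note."""
    records = parse_datagroup(text)
    report = {"affected_keys": sorted(k for k in records if len(k) > KEY_LIMIT)}
    for mode in ("starts_with", "ends_with"):
        conflicts = overlapping_pairs(records, mode)
        report[mode] = {"safe": not conflicts, "conflicts": conflicts}
    return report


if __name__ == "__main__":
    result = audit(SAMPLE)
    print("keys longer than", KEY_LIMIT, "characters:", result["affected_keys"])
    for operator in ("starts_with", "ends_with"):
        print(operator, "precondition met:", result[operator]["safe"],
              result[operator]["conflicts"])
```

Even when the precondition holds, 'starts_with' and 'ends_with' also match inputs that merely begin or end with a key, so review any iRule that uses the datagroup as an allow list before switching operators.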
756311-4 : High CPU during erroneous deletion
Component: Policy Enforcement Manager
Symptoms:
The utilization of some CPU cores increases and remains high for a long time. Rebooting just one blade can cause the high CPU usage to move to another blade in the chassis.
There might be messages similar to the following in tmm logs:
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557
Conditions:
The exact conditions under which this occurs are not fully understood, but one way it can be triggered is when a single TMM is crashing on a chassis system.
Impact:
The CPU usage is coming from an erroneous cleanup function, which is only running on a TMM when it's not busy, so no significant impact on traffic is expected. However, recovering may result in a cluster-wide TMM restart, if the CPU usage does not subside. Traffic disrupted while tmm restarts.
Workaround:
Delete all subscribers from the CLI.
756270-4 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
Component: Local Traffic Manager
Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.
Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.
Impact:
Handshake failure.
Workaround:
None.
Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.
756218-1 : Improve default management port firewall
Solution Article: K45644893
756205-1 : TMSTAT offbox statistics are not continuous
Component: Application Visibility and Reporting
Symptoms:
When BIG-IP systems are managed by BIG-IQ, the device health statistics have gaps (missing samples).
Conditions:
BIG-IP systems managed by BIG-IQ.
Impact:
Missing data on device health, such as CPU load and memory occupancy.
Workaround:
None.
Fix:
Functionality restored - BIG-IP systems send all the data as expected.
756108-1 : BD crash on specific cases
Component: Application Security Manager
Symptoms:
BD crash on specific cases.
Conditions:
Have a feature that requires Captcha/Client Side Integrity in ASM.
Impact:
No traffic to app.
Workaround:
None.
Fix:
This release fixes the specific crash scenario.
756102-2 : TMM can crash with core on ABORT signal due to non-responsive AVR code
Component: Application Visibility and Reporting
Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.
Conditions:
Non-responsive AVR code. No other special conditions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
756094-2 : DNS express in restart loop, 'Error writing scratch database' in ltm log
Component: Global Traffic Manager (DNS)
Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd
Conditions:
An update to an SOA record (and only an SOA) is received through an incremental zone transfer update (IXFR).
Impact:
Zone updates from the DNS master servers are not processed.
Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:
bigstart stop zxfrd
rm /shared/zxfrd/*
bigstart start zxfrd
Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.
Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.
756071-3 : MCPD crash
Component: TMOS
Symptoms:
mcpd crashes on out of memory.
Conditions:
MCPD experiences a memory leak under one of the following conditions:
- A tmsh command such as the following is run:
tmsh reset-stats ltm virtual
- The ASM or AVR module is provisioned.
In both circumstances, the 'cur_allocs' for one of MCPD's internal memory allocation types generally increases and becomes very high (e.g., millions):
tmctl -I --select cur_allocs memory_stat program=mcpd name=umem_alloc_40
Impact:
MCPD can run out of memory and crash. Traffic disrupted while mcpd restarts.
Workaround:
None.
Fix:
A memory leak that occurred in the MCPD process has been fixed.
756019-1 : OAuth JWT Issuer claim requires URI format
Component: Access Policy Manager
Symptoms:
APM currently expects the OAuth JSON web tokens (JWT) Issuer claim to be in the URI format:
-- JWT-Config does not allow Issuer setting unless it is in the URI format.
-- The issuer value in the incoming token is expected to be in the URI format and should match with the Issuer setting in the JWT-Config.
Conditions:
OAuth JWT Issuer claim in the URI format for JWT access token and ID token.
Impact:
As per RFC 7519, 'iss' claim value is a case-sensitive string containing a StringOrURI value. To comply with RFC 7519, basically allowing any string value in the Issuer claim, APM should ease this validation.
Workaround:
None.
Fix:
JWT config issuer Validation is removed to allow a string or URI value for the JWT issuer.
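The 'iss' rule from RFC 7519 cited above, as an added example that is not APM code: a resource-server-side check that verifies the token signature, accepts any StringOrURI issuer, and compares it case-sensitively with the configured value. The HS256 key, issuer values and function names are constructed for the demonstration, and the URI test only checks for a valid RFC 3986 scheme.

```python
import base64
import hashlib
import hmac
import json
import re

DEMO_KEY = b"constructed-demo-key"  # constructed shared secret for the example

# RFC 3986 scheme followed by ':'. Minimal URI test, not a full URI parser.
URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_string_or_uri(value):
    """RFC 7519 StringOrURI: any JSON string is allowed, but a value that
    contains ':' must be a URI."""
    if not isinstance(value, str):
        return False
    return ":" not in value or URI_SCHEME.match(value) is not None


def make_token(claims, key):
    """Build an HS256-signed JWT (used here only to construct sample tokens)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def check_issuer(token, key, expected_iss):
    """Return (ok, reason). The signature is verified before 'iss' is trusted."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm instead of trusting whatever the header announces.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        return False, "bad signature"
    iss = claims.get("iss")
    if not is_string_or_uri(iss):
        return False, "iss is not a StringOrURI"
    # Case-sensitive comparison with no normalization, as RFC 7519 requires.
    if iss != expected_iss:
        return False, "iss mismatch"
    return True, "ok"


if __name__ == "__main__":
    for iss, expected in [("my-idp", "my-idp"),
                          ("https://idp.example.com", "https://IDP.example.com"),
                          ("not a uri:thing", "not a uri:thing")]:
        print(repr(iss), check_issuer(make_token({"iss": iss}, DEMO_KEY),
                                      DEMO_KEY, expected))
```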
755997-2 : Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
Component: Local Traffic Manager
Symptoms:
When IPsec traffic is processed by a FastL4 profile, which is not related to an IPsec listener, and is sent out via a gateway pool or a dynamic route, the source address of this traffic can be erroneously changed to 127.0.0.x.
Conditions:
-- IPsec traffic is processed by a FastL4 profile, which is not related to an IPsec listener.
-- The traffic is sent out via a gateway pool or a dynamic route.
Impact:
The incorrect source address is used.
Workaround:
None.
Fix:
The IPsec traffic now uses the correct IP source address.
755817 : v14.1.0.5 includes Guided Configuration 4.1
Component: Access Policy Manager
Symptoms:
Guided Configuration is not upgraded automatically with each release; it must be manually upgraded between versions. It should be bundled into the release.
Version 14.1.0.5 includes Guided Configuration 4.1.
Conditions:
Upgrading Guided Configuration.
Impact:
Have to manually upgrade Guided Configuration.
Workaround:
Manually upgrade Guided Configuration.
Fix:
Guided Configuration v4.1 is bundled into BIG-IP software v14.1.0.5 and no longer requires manual upgrade.
Behavior Change:
Guided Configuration v4.1 is bundled into BIG-IP software v14.1.0.5. For versions earlier than 14.1.0.5 (e.g., 14.1.0.0), you had to upgrade Guided Configuration manually. That is no longer necessary.
755727-2 : Ephemeral pool members not created after DNS flap and address record changes
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.
Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.
Conditions:
This issue may occur under rare timing conditions when the following factors are present:
-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.
Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.
Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:
1. Restart the dynconfd daemon:
bigstart restart dynconfd
2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }
To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.
755641-1 : Unstable asm_config_server after upgrade, 'Event dispatcher aborted'
Component: Application Security Manager
Symptoms:
Ignored suggestions for Multiple decoding or HTTP Protocol Settings present after upgrading a unit to 14.1.0 can cause the asm_config_server and pabnagd processes to enter restart loops.
Conditions:
1) On a 13.1.x system send traffic that will generate suggestions for Max Decoding Passes, Maximum Headers, and/or Maximum Parameters.
2) Set those Suggestions to be Ignored.
3) Upgrade to 14.1.0.
Impact:
-- Multiple asm_config_server restarts.
-- System instability, including inability to manage ASM settings or use traffic learning.
-- No local logging.
Workaround:
You can use either of the following workarounds:
A) Delete any such ignored suggestions using the following SQL command:
> DELETE FROM PL_SUGGESTIONS WHERE element_type IN (7,193,75);
B) Delete any such ignored suggestions before upgrade using the GUI/REST/SQL.
Fix:
The system now handles removed Entity types during upgrade for Ignored Suggestions: Ignored suggestions for Multiple decoding or HTTP Protocol Settings are removed during upgrade. You must reconfigure the Ignore settings after upgrade.
Behavior Change:
Refactoring in 14.1.0 modified the functionality of the following Entity types: Max Decoding Passes, Maximum Headers, and/or Maximum Parameters. Ignored suggestions for Multiple decoding or HTTP Protocol Settings are removed during upgrade, so you must reconfigure the Ignore settings after upgrade.
755630-1 : MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes
Component: Service Provider
Symptoms:
The media flows get terminated after the UDP idle timeout expires on a Standby device.
Conditions:
-- High availability (HA) configuration.
-- SIP media calls on a SIP-ALG with SNAT feature enabled.
Impact:
SIP calls fail to deliver media when high availability (HA) failover occurs.
Workaround:
Partial mitigation is to set the UDP idle timeout to a higher value.
Fix:
SIP ALG media pinhole connection flags are now set properly so that the flows do not time out due to inactivity on the next active device.
755585-1 : mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction
Component: Local Traffic Manager
Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.
Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
* Creates a policy with 'Drafts/' as part of the policy name.
* Publishes that policy.
* Attaches that policy to a virtual server, either in the same transaction or a later transaction.
Impact:
mcpd restarts on all secondary blades of a cluster.
Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.
755575-1 : In MOS, the 'image2disk' utility with the '-format' option does not function properly
Component: TMOS
Symptoms:
When the BIG-IP system boots, mcpd continually restarts.
Conditions:
This occurs if you issue the 'image2disk' command with the '-format' option in the MOS (Maintenance Operating System) shell.
Impact:
When the system boots, it cannot become active.
Workaround:
In the MOS shell, do not issue the 'image2disk' utility with the '-format' option. You can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.
If the system is already in the defective state, use this shell command, and then reboot:
touch /.tmos.platform.init
The problem should be resolved.
Fix:
In MOS, running 'image2disk' with the '-format' option no longer causes continuous mcpd restarts.
755475-1 : Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync
Component: Access Policy Manager
Symptoms:
After you change a logon page agent field and perform a config sync to another device, opening the logon agent in VPE on the sync target device results in an error. Although this problem is described for the logon page agent, it applies to any agent that is tied to a customization group.
Conditions:
1. Form a failover device group with two devices.
2. On one device, create an access policy with logon page agent. Initiate config sync to sync the policy to other devices. Verify everything is correct on target device (specifically: open VPE for the policy, Logon Page is in the policy, click on the agent, and edit box appears without issue).
3. On source device, launch VPE for the policy, click on Logon Page agent, make changes to Agent (e.g., choose 'password' type for field3). Save the change and perform a config sync again.
4. Go to target device, open VPE for the policy, and click on Logon Page in the policy.
Impact:
Config is not synced properly to another device in the device group.
Workaround:
- Workaround 1:
Step 1. On Standby (where the problem happens): delete the policy in question.
Step 2. On Active: modify the access policy and Sync it.
* Problem with this workaround: sometimes, you cannot properly delete the access policy in question on the standby (as customization is corrupted, some related config deletion fails).
- Workaround 2:
Step 1. On Standby (where the problem happens): try to open up access policy item using VPE. Error will show the exact location of the file that is missing, for example:
"An error 'customization::getMessages: Unable to get xml dom from /config/filestore/files_d/Common_d/customization_group_d/:Common:MyAccessPolicy_act_logon_page_ag_5678_4' has occured on server... Dialogue loading has failed."
Step 2. On Standby: copy the exact file from active unit to standby unit, change the permission (ownership/group, permission flags) of the file so that it looks similar to active.
Fix:
After a user updates a logon page field in the logon agent editing dialog and performs a config sync, the target device now receives the same configuration as the source device.
755447-1 : SSLO does not deliver content generated/originated from inline device
Component: Access Policy Manager
Symptoms:
If any inline service acting as a proxy generates content for the client while resetting the server side connection, then the client might not see the content, and will instead see a reset.
Conditions:
-- F5 SSL Orchestrator (SSLO) with inline services intercepting requests and replying without letting the content go to back-end server.
-- Inline services resetting the back-end connection
Impact:
Client receives a reset instead of a redirect or error page.
Workaround:
None.
Fix:
Clients now receive the content that the inline device generates.
755378-1 : HTTPS connection error from Chrome when BADOS TLS signatures configured
Component: Anomaly Detection Services
Symptoms:
HTTPS connection error occurs. The system posts the following ltm.log warnings:
-- warning tmm1[25112]: 01260009:4: Connection error: ssl_basic_crypto_cb:694: Decryption error (20)
-- warning tmm1[25112]: 01260009:4: Connection error: hud_ssl_handler:1941: codec alert (20)
Conditions:
-- BADOS TLS signatures configured.
-- DoS profile is attached to a virtual server.
-- Using Google Chrome browser.
Impact:
HTTPS virtual server is not responsive.
Workaround:
Turn off TLS signatures flag.
Fix:
HTTPS connection error no longer occurs when connecting from Chrome to virtual server with TLS signature BADOS protection.
755317-1 : /var/log logical volume may run out of space due to agetty error message in /var/log/secure
Component: TMOS
Symptoms:
An agetty error message is output to the /var/log/secure log file every 10 seconds while the instance remains on:
agetty[<process_id>]: /dev/tty0 ttyS0: No such file or directory.
Conditions:
This agetty error message is an issue on all BIG-IP Virtual Edition and Cloud instances. It is not configuration-dependent.
Impact:
This may fill the /var/log/secure log file. When /var/log is full, certain system services may degrade or become unresponsive (e.g., DNS).
Workaround:
Manually extend the /var/log logical volume.
For more information, see Increase disk space for BIG-IP VE :: https://clouddocs.f5.com/cloud/public/v1/shared/disk_space.html.
Fix:
The issue causing the agetty error message in /var/log/secure has been resolved.
755254-1 : Remote auth: PAM_LDAP buffer too small errors★
Component: TMOS
Symptoms:
You are unable to log into the BIG-IP system using an LDAP account.
The system might log the following message in /var/log/secure:
-- crit httpd[28010]: pam_ldap(httpd:account): buffer 'buffer_size' too small.
Note: This message might not be logged for all occurrences of this issue.
Conditions:
This occurs when the following conditions are met:
-- Remote-LDAP authentication is configured.
-- There is a user account with attributes longer than 255 characters in length.
-- That user attempts a logon to the BIG-IP system.
Impact:
LDAP authentication not working properly.
Workaround:
Configure user accounts with attributes shorter than 255 characters.
Fix:
LDAP authentication and authorization now succeeds for users under these conditions.
755213-1 : TMM cores in certain scenarios with HTTP/2 virtual server
Component: Local Traffic Manager
Symptoms:
TMM cores when attempting to reset a stream. The parent connection may be resetting and going away, and race conditions may lead to a TMM core in the HTTP MR proxy.
Conditions:
Virtual server with HTTP/2, HTTP, TCP, SSL and httprouter profiles. Race conditions when resetting connections.
Impact:
Traffic disrupted while tmm restarts.
755134-1 : HTTP/2 connections may leak memory if server-side connection not established
Component: Local Traffic Manager
Symptoms:
Xhead and xdata memory caches grow over time when HTTP/2 traffic is present. Eventual performance degradation and potential traffic outage due to memory exhaustion.
Conditions:
-- HTTP/2 configured with HTTP Router profile.
-- Configuration or network issues which prevent server-side connection from being established.
Impact:
Memory leakage over time may result in performance degradation and eventual traffic outage if TMM restarts due to memory exhaustion.
Workaround:
None.
Fix:
HTTP/2 connections no longer leak memory when server-side connection establishment fails.
755047-1 : Category lookup returns wrong category on CONNECT traffic through SSLO
Component: Access Policy Manager
Symptoms:
Category lookup returns wrong category on CONNECT traffic through F5 SSL Orchestrator (SSLO).
Conditions:
-- Outbound deployment configured in SSLO, where SSLO behaves as a transparent proxy.
-- A policy has a branch to look up the category using HTTP Connect.
-- An HTTPS client generates HTTPS traffic via an explicit proxy on local network with private address through SSLO as the gateway.
Impact:
Category Match is not performed, so the fallback branch is taken.
Workaround:
None
Fix:
Category lookup now works correctly in this scenario.
755005-1 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
Component: Application Security Manager
Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.
Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.
Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.
Workaround:
None.
Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.
754985-1 : Standby mirrored server SSL connections fail, and tmm may crash while processing mirrored TLS traffic
Component: Local Traffic Manager
Symptoms:
Server SSL mirrored connections fail, showing any6.any - any6.any as the server connection.
Under certain conditions, the standby TMM may crash while processing mirrored TLS traffic.
Conditions:
-- Virtual server with server-side SSL.
-- Connection mirroring enabled.
Impact:
High availability (HA) connection mirroring fails. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM now processes TLS traffic as expected.
754944-1 : AVR reporting UI does not follow best practices
Solution Article: K00432398
754901-1 : Frequent zone update notifications may cause TMM to restart
Component: Global Traffic Manager (DNS)
Symptoms:
When there are frequent zone update notifications, the watchdog for TMM may trip and TMM crashes/restarts. There may also be 'clock advanced' messages in /var/log/ltm.
Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.
Impact:
TMM restart potentially resulting in failing or impacting services. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Frequent zone update notifications no longer cause TMM to restart.
754875-1 : Enable FIPS in prelicensed VE images without requiring a reboot
Component: Local Traffic Manager
Symptoms:
Must reboot a FIPS-enabled PAYG-Best BIG-IP Virtual Edition (VE) image to see the FIPS prompt.
Conditions:
-- Using FIPS.
-- Using PAYG-Best.
-- Using VE.
Impact:
Must reboot the system to see the FIPS prompt.
Workaround:
Reboot the system to see the FIPS prompt.
Fix:
This release enables FIPS in prelicensed VE images without requiring a reboot.
Behavior Change:
You no longer need to reboot a FIPS-enabled PAYG-Best VE image to see the FIPS prompt.
754841-1 : Policy updates stall and never complete
Component: Application Security Manager
Symptoms:
When applying new or updated ASM policies, the update process stalls and never returns.
This error is logged in /var/log/asm:
crit perl[7333]: 01310027:2: ASM subsystem error (bd_agent,F5::BdAgent::start): No ack received from BD after 600 seconds -- aborting.
Conditions:
This can occur intermittently when making policy updates.
Impact:
The policy update is not applied, and you are unable to make configuration changes.
Workaround:
Restart ASM:
bigstart restart asm
Fix:
The system now handles the application of new or updated ASM policies so that the issue no longer occurs.
754805 : Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured
Solution Article: K97981358
Component: Advanced Firewall Manager
Symptoms:
tmm might crash and restart.
Conditions:
When AFM DoS badactor or attacked dst is configured on a vector, there is a race condition which can cause tmm to crash. The same race condition is present when single endpoint vectors are configured.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The race condition is now fixed.
754691-1 : During failover, an OSPF routing daemon may crash.
Component: TMOS
Symptoms:
With a specific OSPF configuration, during a failover, a peer which is changed from standby to active may experience an ospfd daemon crash.
Conditions:
High availability configuration with a routing configuration:
1) access-list with 0.0.0.0/0 filtering:
access-list 199 remark test
access-list 199 deny ip host 0.0.0.0 host 0.0.0.0
access-list 199 permit ip any any
2) OSPF router with this access-list:
router ospf 1
ospf router-id 10.14.0.11
bfd all-interfaces
network 10.14.0.0/16 area 0.0.0.1
distribute-list 199 in
!
-- The device with this configuration is in the standby state.
-- A failover occurs.
Impact:
An OSPF daemon crashes, losing routing information and OSPF dynamic routes for a moment while ospfd daemon restarts.
Workaround:
None.
Fix:
An ospfd daemon no longer crashes during a failover.
754615-2 : Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup.
Component: Service Provider
Symptoms:
tmm crashes.
Conditions:
-- SIP calls under load.
-- MRF-SIP-ALG setup.
-- Most of the calls re-use the conn flow.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
If connections reach a threshold value of 64500, the connection is dropped, drop stats are updated, and a log message is reported: Message handling threshold reached on flow.
754542-2 : TMM may crash when using RADIUS Accounting agent
Component: Access Policy Manager
Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.
Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when RADIUS Accounting agent is used in the access policy.
754541-2 : Reconfiguring an iApp that uses a client SSL profile fails
Component: TMOS
Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:
-- A virtual server is created but no client SSL profile is applied.
-- In the /var/log/ltm file, the system logs messages similar to the following example:
err mcpd[6434]: 01b4002b:3: Client SSL profile (/Common/Example.app/Example_client-ssl): the profile has no RSA cert/key pair that can be modified. To add RSA cert/key, please use [cert-key-chain add]
Conditions:
This issue occurs when the following conditions are met:
-- Attempting to reconfigure an iApp.
-- The iApp contains a client SSL profile.
Impact:
The system fails to create and apply the client SSL profile to the virtual server.
Workaround:
To work around this issue, you can temporarily disable SSL in the iApp, and then enable it again.
Impact of workaround:
Reconfiguring your iApp reconfigures all BIG-IP objects associated with the iApp. This might cause service disruptions to the application the iApp has been deployed for.
1. Navigate to the impacted iApp in GUI:
iApps :: Application Services : Applications :: Example.
2. Find the setting associated with the client SSL profile, often titled "How should the BIG-IP system handle SSL traffic?"
3. Change the associated setting to one that does not imply the use of SSL, for example: "Plain text to and from both clients and servers."
4. Press the Reconfigure button.
5. Return to the same question and change the field back to its original setting.
6. Press the Reconfigure button once more.
Fix:
Reconfiguring an iApp that uses a client SSL profile now succeeds as expected.
This issue is resolved in the following release candidates:
f5.microsoft_exchange_2016.v1.0.3rc5.tmpl
f5.microsoft_exchange_2016.v1.0.3rc6.tmpl
Issues resolved:
- Corrected an issue that caused TCL iApps using client-ssl profiles to break when the iApp was reconfigured. This issue only affected iApps running on BIG-IP 14.1.
754525-1 : Disabled virtual server accepts and serves traffic after restart
Component: Local Traffic Manager
Symptoms:
Disabled virtual servers accept traffic after being upgraded to an affected version, or after restarting.
Conditions:
1. A virtual server is configured on pre-v14.1.0.
2. Disable the virtual server.
3. Either upgrade to an affected version, or restart the system.
Impact:
The virtual server remains 'Disabled', but it accepts and processes traffic.
Workaround:
To correct the behavior, manually enable/disable the virtual server.
Fix:
Disabled virtual servers no longer process traffic after a restart.
754500-2 : GUI LTM Policy options disappearing
Component: TMOS
Symptoms:
Listed policies disappear under 'Do the following when traffic is matched' in Local Traffic :: Policies : Policy List :: {Rule Name} when pressing Cancel or Save and opening the list again.
Conditions:
Click the Cancel or Save button on the Local Traffic :: Policies : Policy List :: /Common/policy1:rule1 properties page.
Here are some specific steps to reproduce this issue (this procedure assumes you have at least one policy with at least one rule defined):
1. Navigate to Local Traffic :: Policies : Policy List :: /Common/policy1:rule1 to open the rule1 properties page.
2. In the section 'Do the following when the traffic is matched', click to open the first dropdown menu.
- The system lists all of the items.
3. Click Cancel.
4. Click to reopen the properties page, and click the first dropdown menu.
- The system lists fewer of the options.
5. Repeat steps 3 and 4.
Impact:
Options disappear from the list each time you click Cancel or Save. Cannot select options because they are no longer visible in the list.
Workaround:
To return all options to the list, use the refresh button in the browser.
You can also use the following tmsh command:
modify ltm policy Drafts/<policy name> modify { <rule name> { actions add { ...
Fix:
Policies no longer disappear under these conditions.
754425-1 : Exported requests cannot be opened in Internet Explorer or Edge browser
Component: Application Security Manager
Symptoms:
Any exported report (requests/correlation/learning) cannot be opened in Microsoft Internet Explorer (IE) or Edge browser due to a JavaScript error.
Conditions:
Viewing an exported report using IE or Edge.
Impact:
Unable to view the exported report.
Workaround:
Use a different browser.
Fix:
Exported files are now visible in all officially supported browsers.
754420-1 : Missing policy name in exported ASM request details
Component: Application Security Manager
Symptoms:
No Policy name in exported ASM Request details.
Conditions:
This is encountered when viewing the Security Events Report.
Impact:
Missing policy name in request details.
Workaround:
None.
Fix:
Policy name is now displayed in exported ASM request details.
754365-5 : Updated flags for countries that changed their flags since 2010
Component: Application Security Manager
Symptoms:
Old flags for countries that changed their flags since 2010.
Conditions:
Requests from one of the following countries:
-- Myanmar
-- Iraq
-- Libya
Impact:
Old flag is shown.
Workaround:
None.
Fix:
The three flags are now updated in ASM.
754346-2 : Access policy was not found while creating configuration snapshot.
Component: Access Policy Manager
Symptoms:
APMD fails to create configuration snapshot with the following error:
-- err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!
If you attempt to modify the policy in question, the system reports a second error:
-- err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy
Conditions:
TMM restarts and a new access policy is added before TMM is fully up and running.
Impact:
Configuration snapshot is not created, and users cannot log on.
Workaround:
Recreate the access profile when TMM is stable.
754345-2 : WebUI does not follow best security practices
Solution Article: K79902360
754143-1 : TCP connection may hang after finished
Component: Local Traffic Manager
Symptoms:
TCP connections hang. Memory usage increases. TMM restarts.
Numerous hanging connections reported similar to the following:
-- config # tmsh show sys conn protocol tcp
Sys::Connections
10.0.0.1:5854 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5847 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5890 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5855 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5891 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
Conditions:
Pool member fails to respond with an ACK to BIG-IP system serverside FIN. The BIG-IP system serverside connection eventually times out, and the clientside connection is orphaned.
Impact:
Those connections hang indefinitely (even past the idle timeout). Memory increases, eventually leading to a possible TMM out-of-memory condition, requiring a TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TCP connections no longer hang under these conditions.
754109-1 : ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive
Component: Application Security Manager
Symptoms:
When the backend server sends a content-security-policy header where source-src and default-src directives are missing, ASM will modify the header when it does its own JavaScript injection, which might cause a csp policy violation for inline JavaScript code.
Conditions:
-- ASM provisioned.
-- ASM or Bot-Defense/DoS attached on a virtual server.
-- ASM or Bot/DoS does inline injections, like CSRF/CSHUI.
Impact:
Inline JavaScript does not run. The Browser reports a content-security-policy violation.
Workaround:
You can use either of the following workarounds:
-- Disable csp in ASM by running the following commands:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm
-- Disable csp in Bot/DoS using an iRule:
when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}
Fix:
ASM/Bot/DoSL7 no longer modifies the csp header when both source-src and default-src directives are missing.
754103-1 : iRulesLX NodeJS daemon does not follow best security practices
Solution Article: K75532331
754066-1 : Newly added Systems are not added as part of installing a Server Technologies update file
Component: Application Security Manager
Symptoms:
Newly added Systems are not added as part of installing a Server Technologies update file, which prevents acceptance of Server Technology suggestion.
Conditions:
A Server Technology update file containing newly added Systems is installed.
Impact:
A suggestion to add a Server Technology using a newly added System cannot be accepted.
Workaround:
The corresponding ASM Signature update file must be loaded first.
Fix:
Newly added Systems are added correctly after installing Server Technology update file.
754003-3 : Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate
Solution Article: K73202036
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K73202036
Conditions:
For more information please see: https://support.f5.com/csp/article/K73202036
Impact:
For more information please see: https://support.f5.com/csp/article/K73202036
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K73202036
753975-2 : TMM may crash while processing HTTP traffic with webacceleration profile
Solution Article: K92411323
753912-4 : UDP flows may not be swept
Solution Article: K44385170
Component: Local Traffic Manager
Symptoms:
Some UDP connection flows do not show in the connection table but do show up in stats. This might occur when datagram_lb mode is enabled on the UDP profile under heavy load.
Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.
Impact:
Increased memory utilization of TMM.
Workaround:
None.
Fix:
The system now correctly manages all expired flows.
753796-1 : SNMP does not follow best security practices
Solution Article: K40443301
753776-2 : TMM may consume excessive resources when processing UDP traffic
Solution Article: K07127032
753711-1 : Copied policy does not retain signature staging
Component: Application Security Manager
Symptoms:
When copying a modified policy or a policy that has never been applied, all signatures are set to staging enabled.
Conditions:
Copying a modified policy or policy that has never been applied.
Impact:
All signatures in the copied policy are set to staging enabled.
Workaround:
Export the policy (either as binary or XML) and re-import.
Fix:
Signature staging settings are retained correctly after the policy is copied.
753650-2 : The BIG-IP system reports frequent kernel page allocation failures.
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)
Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase this as follows:
-- 64 MB (65536 KB) for 2250 blades.
-- 48 MB (49152 KB) for B4300 blades.
-- 128 MB (131072 KB) for 4450 blades.
You must do this on each blade installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures.
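The log messages quoted in the entries above (IDs 755378, 755317, 755254, 754841, 754541 and 753650) can be used to triage collected logs against these known issues. The following Python script is an added example, not F5 code: the sample log lines, timestamps and host name are constructed, and the patterns assume that PIDs, source line numbers and object names vary between systems.

```python
import re
from collections import Counter

# (bug ID, log file named in the entry, pattern).
# Patterns are built from the messages quoted in the entries; PIDs, source
# line numbers, timeouts and object names are generalized (assumption).
SIGNATURES = [
    ("755378", "ltm.log", re.compile(
        r"01260009:4: Connection error: ssl_basic_crypto_cb:\d+: Decryption error \(20\)")),
    ("755378", "ltm.log", re.compile(
        r"01260009:4: Connection error: hud_ssl_handler:\d+: codec alert \(20\)")),
    ("755317", "/var/log/secure", re.compile(
        r"agetty\[\d+\]: /dev/tty0 ttyS0: No such file or directory")),
    ("755254", "/var/log/secure", re.compile(
        r"pam_ldap\(httpd:account\): buffer .*too small")),
    ("754841", "/var/log/asm", re.compile(
        r"01310027:2: ASM subsystem error \(bd_agent,F5::BdAgent::start\): "
        r"No ack received from BD after \d+ seconds")),
    ("754541", "/var/log/ltm", re.compile(
        r"01b4002b:3: Client SSL profile \(\S+\): the profile has no RSA cert/key pair")),
    ("753650", "/var/log/kern.log", re.compile(
        r"page allocation failure: order:\d+, mode:0x[0-9a-fA-F]+")),
]

# Constructed sample input: message bodies follow the entries above,
# timestamps and the host name 'bigip1' are made up for the example.
SAMPLE_LOG = """\
Jan 10 09:00:00 bigip1 warning tmm1[25112]: 01260009:4: Connection error: ssl_basic_crypto_cb:694: Decryption error (20)
Jan 10 09:00:00 bigip1 warning tmm1[25112]: 01260009:4: Connection error: hud_ssl_handler:1941: codec alert (20)
Jan 10 09:00:10 bigip1 err agetty[4211]: /dev/tty0 ttyS0: No such file or directory.
Jan 10 09:00:20 bigip1 err agetty[4215]: /dev/tty0 ttyS0: No such file or directory.
Jan 10 09:01:00 bigip1 crit httpd[28010]: pam_ldap(httpd:account): buffer 'buffer_size' too small.
Jan 10 09:02:00 bigip1 crit perl[7333]: 01310027:2: ASM subsystem error (bd_agent,F5::BdAgent::start): No ack received from BD after 600 seconds -- aborting.
Jan 10 09:03:00 bigip1 err mcpd[6434]: 01b4002b:3: Client SSL profile (/Common/Example.app/Example_client-ssl): the profile has no RSA cert/key pair that can be modified.
Jan 10 09:04:00 bigip1 warning kernel: swapper/16: page allocation failure: order:2, mode:0x104020
Jan 10 09:05:00 bigip1 notice sshd[9001]: Accepted publickey for admin
"""


def classify(line):
    """Return the (bug_id, log_file) pairs whose signature appears in line."""
    return [(bug, log) for bug, log, rx in SIGNATURES if rx.search(line)]


def triage(lines):
    """Count signature hits per bug ID and collect lines that match nothing."""
    hits = Counter()
    unmatched = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue  # skip blank lines
        matches = classify(line)
        if not matches:
            unmatched.append(line)
        for bug, _log in matches:
            hits[bug] += 1
    return hits, unmatched


def report(hits):
    """Format one summary line per bug ID, most frequent first."""
    return [f"ID {bug}: {count} matching line(s)"
            for bug, count in hits.most_common()]


if __name__ == "__main__":
    found, rest = triage(SAMPLE_LOG.splitlines())
    for row in report(found):
        print(row)
    print(f"{len(rest)} line(s) matched no known signature")
```

A match only indicates that a symptom string is present; the Conditions section of the matching entry still has to hold for the issue to apply.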
753642-1 : iHealth may report false positive for Critical Malware
Component: TMOS
Symptoms:
A minor change in the way qkview reports executable filenames may cause iHealth to interpret the presence of malware.
Conditions:
qkview files produced by 14.1.0 when uploaded to ihealth.f5.com
Impact:
iHealth may report a false positive for malware.
Workaround:
Ignore critical errors for malware reported by iHealth for version 14.1.0 only.
Fix:
This is fixed in 14.1.0.1
753564-1 : Attempt to change password using /bin/passwd fails
Component: TMOS
Symptoms:
When we run /bin/passwd as root:
passwd.bin: unable to start pam: Critical error - immediate abort
Failed to change user's password. Exiting.
If we then do /bin/ausearch -m avc -ts recent, we see a lot of selinux denials for passwd.bin.
Conditions:
No special conditions needed
Impact:
Root/admin user cannot change password using the standard /bin/passwd executable.
Workaround:
The workaround would be to disable selinux, change the password and re-enable selinux:
# setenforce Permissive
# passwd
# setenforce Enforcing
Alternatively, one can use the tmsh commands to change the passwords: tmsh modify auth password root
Lastly, if one wishes to modify the selinux policy, there is the standard way of doing this:
# ausearch -c passwd.bin --raw | audit2allow -M mypasswd
# semodule -i mypasswd.pp
Fix:
With the fix, /bin/passwd.bin is no longer denied by selinux, and /bin/passwd works as expected.
753514-3 : Large configurations containing LTM Policies load slowly
Component: Local Traffic Manager
Symptoms:
Very slow performance when loading a configuration, for example, at system start up. During this time, the tmsh process shows high CPU usage.
Conditions:
BIG-IP 13.1.x, 14.x. Large configuration (1 MB or larger) and at least one, but more likely tens or hundreds of LTM policies defined in the configuration.
Impact:
Slow configuration loading, or in cases with very large configurations, full config load may fail after a long wait. Slowness increases with overall configuration size and number of LTM policies defined.
Workaround:
None.
Fix:
Large configurations containing LTM Policies load normally.
753485-1 : AVR global settings are being overridden by HA peers
Component: Application Visibility and Reporting
Symptoms:
Configuration of AVR global settings is being overridden by high availability (HA) peers, and thus report incorrectly to BIG-IQ Data Collection Devices (DCDs).
Conditions:
Configuring HA for systems connected to BIG-IQ.
Impact:
Configuration of BIG-IP systems in HA configuration can override each other. This might result in the following behavior:
-- A common symptom is the 'Stats Last Collection Date' shows up as Dec 31, 1969 or Jan 01, 1970, depending on the timezone configuration of the device.
-- The 'Stats Last Collection Date' shows up as '--'
-- The BIG-IP systems incorrectly identify themselves to BIG-IQ.
-- The BIG-IP systems report to the wrong DCD.
-- The BIG-IP systems report to DCD, even if they are not configured to report at all.
-- The BIG-IP systems do not report at all, even if they are configured to report.
Note: This bug is tightly related to BIG-IQ Bug ID 757423.
Workaround:
None.
Fix:
Synchronization of relevant fields on AVR global settings is disabled, so this issue no longer occurs.
753446-2 : avrd process crash during shutdown if connected to BIG-IQ
Component: Application Visibility and Reporting
Symptoms:
During shutdown of BIG-IP, if it is connected to BIG-IQ then avrd might crash.
Conditions:
BIG-IP is set to shutdown and configured to send statistics to BIG-IQ.
Impact:
No serious impact, since the BIG-IP is already instructed to shutdown, so the process crash is not causing any damage.
Workaround:
N/A
Fix:
Issue is fixed; avrd does not crash during shutdown.
753370-3 : RADIUS auth might not be working as configured when there is change in RADIUS auth config name.
Component: Access Policy Manager
Symptoms:
RADIUS auth might not be working as configured when there is change in RADIUS auth config name. You might also see an error:
err apmd[14182]: 01490108:3: /Common/:Common:cc55b9e2: RADIUS module: authentication with 'testuser@example' failed: no response from server (0).
Conditions:
In an LTM pool that uses APM AAA RADIUS to authenticate, change (modify/delete) the name of the RADIUS authentication server in config file.
Impact:
When using tmm.default version, intermittently MCP error messages in tmm logs indicate that the RADIUS server cannot be found, and RADIUS authentication does not work as expected.
Workaround:
None.
753295-1 : ASM REST: All signatures being returned for policy Signatures regardless of signature sets
Component: Application Security Manager
Symptoms:
By default, only signatures that are included in the Security Policy enforcement via the Policy's Signature Sets are included in the response to /tm/asm/policies/<ID>/signatures.
Additionally, there should be the capability to $filter for either signatures that are in the policy or not in the policy.
These filters are not working.
Conditions:
ASM REST/GUI is used to determine the number of signatures enabled on a Security Policy
Impact:
More data than expected will be returned to REST clients, which may cause confusion.
Learning statistics/graphs may have confusing/incorrect numbers.
Workaround:
None
Fix:
inPolicy $filter works again, and the default behavior only returns the signatures that are in the policy.
753163-4 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
Component: Policy Enforcement Manager
Symptoms:
No connection request with PCRF/OCS if high availability (HA) failover occurs after 26 days. tmm crash
Conditions:
-- Using PEM.
-- high availability (HA) failover occurs after 26 days.
Impact:
PEM does not send the reconnect request within the configured reconnect, so there is no connection initiated with PCRF/OCS.
Workaround:
To restart the connection, restart tmm using the following command:
tmm restart
Note: Traffic disrupted while tmm restarts.
Fix:
PEM now initiates the connection with PCRF/OCS under these conditions.
753028-2 : AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
Component: Advanced Firewall Manager
Symptoms:
When Proxy ARP is enabled for destination addresses in an FW NAT rule performing destination NAT (static-nat/static-pat), forwarding ICMP traffic matching that rule is incorrectly dropped by AFM instead of being forwarded through the BIG-IP system.
Conditions:
-- Proxy ARP is enabled for destination addresses in an FW NAT rule.
-- The BIG-IP system (AFM) receives forwarding ICMP traffic for these (untranslated) destination addresses.
Impact:
Forwarding ICMP traffic is dropped by the BIG-IP system.
Workaround:
You can disable Proxy ARP functionality for FW NAT rules to cause the BIG-IP system (AFM) to handle forwarding ICMP traffic correctly and pass it through the system to the backend.
However, this causes the BIG-IP system to not respond to ARP requests anymore for destination addresses in such rules. As a further mitigation action, you can configure static ARP entries to handle this.
Fix:
The BIG-IP system (AFM) now correctly forwards ICMP traffic through to the backend when Proxy ARP is enabled on destination addresses in the matching FW NAT rule.
752942-1 : Live Update cannot be used by Administrator users other than 'admin' and 'root'
Component: Application Security Manager
Symptoms:
When users configured with the Administrator role log into the system, they are not allowed to install security update files on the new live-update page:
System :: Software Management : Live Update
Conditions:
Logged in BIG-IP user is not 'admin' (the built-in Administrator account for the TMUI) or 'root' (the built-in Administrator account for the TMSH).
Impact:
Cannot apply security updates.
Workaround:
To install the security updates, log in as 'admin' or a BIG-IP user configured as a web-application-security-administrator or web-application-security-editor (role must be configured on all partitions or at least on the Common partition).
Fix:
Any BIG-IP user configured as Administrator can now apply security updates.
752930-3 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
Component: Local Traffic Manager
Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.
Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.
Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop or mcpd process restarting loop.
Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.
2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:
# ssh slot2 bigstart stop
# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109
# save sys config
# clsh rm -f /var/db/mcpdb.bin
# ssh slot2 bigstart start
Note: This recovery method might have to be executed multiple times to restore a working setup.
752875-2 : tmm core while using service chaining for SSLO
Component: Access Policy Manager
Symptoms:
tmm cores when using security services (service connect agent in per-request policies) for SSLO deployment.
Conditions:
-- Service connect agent in per-request policy.
-- SSLO deployment.
Impact:
tmm cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer cores when using security services (service connect agent in per-request policies) for SSLO deployment.
752835-2 : Mitigate mcpd out of memory error with auto-sync enabled.
Solution Article: K46971044
Component: TMOS
Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.
Conditions:
-- Auto-sync enabled in a high availability (HA) pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.
Impact:
Mcpd crashes.
Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.
Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.
752822-1 : SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
Component: Service Provider
Symptoms:
SIP ALG calls that fail translation during ingress are not cleaned up by the system, which might result in memory being leaked inside the TMM processes.
Conditions:
SIP ALG calls that fail translation during ingress.
Impact:
TMM leaks memory, which can slow down performance and eventually cause TMM to run out of memory and restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now cleans up SIP ALG calls that fail translation during ingress, so this issue no longer occurs.
752803-1 : CLASSIFICATION_DETECTED running reject can lead to a tmm core
Component: Traffic Classification Engine
Symptoms:
When the CLASSIFICATION_DETECTED event is run on a serverside flow, and then an iRule command (e.g., to reject a flow) is run, tmm crashes.
Conditions:
-- CLASSIFICATION_DETECTED event runs on a serverside flow.
-- An iRule command runs (e.g., reject a flow).
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes under these conditions.
752782-1 : 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'
Component: Fraud Protection Services
Symptoms:
The 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.
Conditions:
FPS Provisioning and a DataSafe license.
Impact:
The menu name has changed in this release.
Workaround:
None.
Fix:
'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.
752592-1 : VMware Horizon PCoIP clients may fail to connect shortly after logout
Component: Access Policy Manager
Symptoms:
Sometimes, if a user closes an opened PCoIP desktop, logs out, and then logs in again, the user cannot launch the same desktop anymore.
Conditions:
PCoIP UDP VS has "vdi" profile assigned.
Impact:
User cannot open the PCoIP remote desktop for a short time period (1 minute).
Workaround:
Remove "vdi" profile and assign "remotedesktop" profile to the PCoIP UDP VS:
# tmsh modify ltm virtual <PCoIP UDP VS> profiles delete { vdi }
# tmsh modify ltm virtual <PCoIP UDP VS> profiles add { remotedesktop }
In the admin UI, the assignment of the "remotedesktop" profile can be controlled via the "Application Tunnels (Java & Per-App VPN)" checkbox (right under the "VDI Profile" dropdown).
Fix:
Assignment of "vdi" profile to PCoIP UDP VS does not cause intermittent connection problems anymore.
752363-2 : Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
Component: Advanced Firewall Manager
Symptoms:
Client request fails, due to being dropped on the BIG-IP system.
Conditions:
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.
Impact:
Client request gets dropped due to BIG-IP AFM dropping the flow.
Workaround:
Disable BDoS feature. The feature can be disabled using the following commands:
-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}
-- To disable BDoS per-profile, run the following commands:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }
Fix:
The system now handles the looped flows properly, so the BDoS module does not incorrectly cause the packet to be dropped.
752078-2 : Header Field Value String Corruption
Component: Local Traffic Manager
Symptoms:
This is specific to HTTP/2.
In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP system.
Conditions:
-- The header field value string is exceptionally long, and has embedded whitespace characters.
-- HTTP/2 is used.
Impact:
A header such as:
x-info: very_long_string that has whitespace characters
may be sent to the client as:
x-info: ery_long_string that has whitespace characters
Workaround:
None.
Fix:
The BIG-IP system no longer removes the prefix characters from very long HTTP/2 header field value strings containing embedded whitespace characters.
752047-1 : iRule running reject in CLASSIFICATION_DETECTED event can cause core
Component: Traffic Classification Engine
Symptoms:
The CLASSIFICATION_DETECTED iRule event can run very early when classification happens in the classification database (srdb). If the iRule then issues a reject command, tmm cores.
Conditions:
CLASSIFICATION_DETECTED on L4 executing reject command.
Impact:
tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
iRule running reject in CLASSIFICATION_DETECTED event no longer causes tmm core.
751869-2 : Possible tmm crash when using manual mode mitigation in DoS Profile
Component: Advanced Firewall Manager
Symptoms:
tmm crash and restart is possible when using manual mode mitigation in DoS Profile.
Conditions:
When manual mode mitigation is used for any vector that is enabled in the DoS Profile that is attached to a Protected Object.
Impact:
tmm crash and restart is possible. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm crash and restart no longer occurs when using manual mode mitigation in DoS Profile.
751824-1 : Restore old 'merge' functionality with new tmsh verb 'replace'
Component: TMOS
Symptoms:
Prior to v12.1.3.4, the 'merge' command merged a specified config with the existing config, replacing certain conflicting values. In this release, the merge command operates differently, so there is a new command, 'replace', to now perform the operation previously accomplished with 'merge'.
Conditions:
Running the following command:
tmsh load /sys config file <scf-filename> merge
Impact:
Operation does not work like it did in previous releases.
Workaround:
None.
Fix:
This release restores the merge functionality from v12.x and earlier with a new tmsh verb: replace. The new TMSH command is as follows:
tmsh load sys config file <filepath> replace
Behavior Change:
This release restores the merge functionality from v12.x and earlier with a new tmsh verb: replace. The new TMSH command is as follows:
tmsh load sys config file <filepath> replace
The merge command now operates as follows:
-- Previously: if a top-level object (virtual server) existed in the config and also in the merge file, the top-level object was replaced.
-- Now: if a top-level object (virtual server) exists in both, the top-level object is recursively merged. (Pool members are merged together. LTM virtual server profiles are merged together (appended vs. replace-all-with)).
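The difference between the two verbs, modelled as an added example that is not F5 code: configuration objects are represented as nested dicts (an assumption made for illustration, not tmsh's parser or merge implementation), and the object names and addresses are constructed. It also lists what a recursive merge leaves in place that the file never mentions, such as a pool member or profile you expected the load to remove.

```python
"""Model of the 'replace' and 'merge' load behaviours described in ID 751824."""
import copy

# Constructed running configuration (names and addresses are illustrative).
RUNNING = {
    "ltm pool app_pool": {
        "members": {"192.0.2.1:80": {}, "192.0.2.2:80": {}},
    },
    "ltm virtual app_vs": {
        "pool": "app_pool",
        "profiles": {"http": {}, "tcp": {}},
    },
    "ltm virtual other_vs": {"profiles": {"tcp": {}}},
}

# Constructed file content: one new pool member, clientssl instead of http.
SCF = {
    "ltm pool app_pool": {"members": {"192.0.2.3:80": {}}},
    "ltm virtual app_vs": {
        "pool": "app_pool",
        "profiles": {"clientssl": {}, "tcp": {}},
    },
}


def load_replace(running, scf):
    """'replace' verb (the old 'merge'): a top-level object present in both
    the running config and the file is replaced wholesale."""
    result = copy.deepcopy(running)
    for name, obj in scf.items():
        result[name] = copy.deepcopy(obj)
    return result


def load_merge(running, scf):
    """Current 'merge' verb: a top-level object present in both is merged
    recursively, so nested entries absent from the file are kept."""
    result = copy.deepcopy(running)
    _merge_into(result, scf)
    return result


def _merge_into(dst, src):
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            _merge_into(dst[key], value)
        else:
            dst[key] = copy.deepcopy(value)


def not_in_file(result, scf, prefix=""):
    """Within objects the file defines, list nested entries the file does not
    mention, i.e. what survived from the running configuration."""
    leftovers = []
    for key, value in result.items():
        path = f"{prefix}/{key}" if prefix else key
        if key not in scf:
            if prefix:  # top-level objects the file never names are untouched
                leftovers.append(path)
            continue
        if isinstance(value, dict) and isinstance(scf[key], dict):
            leftovers.extend(not_in_file(value, scf[key], path))
    return leftovers


if __name__ == "__main__":
    for verb, loader in (("replace", load_replace), ("merge", load_merge)):
        loaded = loader(RUNNING, SCF)
        print(verb, "->", not_in_file(loaded, SCF) or "matches the file")
```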
751807-1 : SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel
Component: Access Policy Manager
Symptoms:
Decrypted traffic is not forwarded to services even though a matching rule action in security policy selects a service chain.
Conditions:
-- Matching rule action in security policy selects a service chain.
-- Traffic is an HTTP tunnel (CONNECT method) accepted by an outbound transparent proxy created by SSL Orchestrator.
Impact:
No visibility to decrypted traffic if it is an HTTP tunnel through SSL Orchestrator.
Workaround:
None.
Fix:
Decrypted traffic is forwarded as expected to services, when matching rule action in security policy selects a service chain, for HTTP tunnel traffic sent through SSL Orchestrator.
751710-4 : False positive cookie hijacking violation
Component: Application Security Manager
Symptoms:
A false positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the one configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
N/A
751636-1 : Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership★
Component: TMOS
Symptoms:
After downgrading from BIG-IP version 14.1.0 to an earlier version, the group IDs of /var/lock and /var/spool/mail are incorrect. This can be encountered after you boot into the earlier-versioned software image. /var/log/liveinstall.log contains the following messages:
-- info: RPM: filesystem-2.4.30-3.el6.0.0.10.i686
-- info: RPM: warning: group lock does not exist - using root
-- info: RPM: warning: group mail does not exist - using root
When running the following command:
config # rpm -V filesystem
......G.. /var/lock
......G.. /var/spool/mail
The expected results are as follows:
config # rpm -V filesystem
config # stat -c %G /var/lock
lock
config # stat -c %G /var/spool/mail
mail
In this version, the results are as follows:
config # rpm -V filesystem
config # stat -c %G /var/lock
root
config # stat -c %G /var/spool/mail
root
Conditions:
-- BIG-IP version 14.1.0 is running.
-- An earlier software version is installed.
-- The system is then booted into that earlier version.
Impact:
There is no known impact to the system if this occurs; however, running rpm -V will report these two discrepancies.
This occurs because rpm versions 4.8 and earlier have built-in recognition of exactly three group names: 'root', 'mail', and 'lock'. In v4.8, these special names appear in <src>/lib/misc.c:gnameToGid. To use the group names 'mail' and 'lock' as intended, all BIG-IP releases earlier than BIG-IP v14.1.0 rely on this special feature of rpm.
BIG-IP v14.1.0 moved to rpm version 4.11, in which the function no longer exists.
Workaround:
From a shell, correct the group ID of the two affected directories using the following two commands:
config # chgrp lock /var/lock
config # chgrp mail /var/spool/mail
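An added example (not part of the release notes or of rpm) that parses 'rpm -V' output like the lines shown for ID 751636, reports which attributes failed verification, and emits the chgrp commands from the workaround. The first two sample lines are the ones on this page; the other two are constructed, and the function names are hypothetical.

```python
"""Parse `rpm -V` output and plan group-ownership fixes for ID 751636."""
import re

# Column order of the 9-character attribute field printed by `rpm -V`.
RPM_VERIFY_FLAGS = "SM5DLUGTP"
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
    "P": "capabilities",
}

# "<9 flags> [c|d|g|l|r] <path>"; the optional letter marks config, doc,
# ghost, license or readme files.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9})\s+(?:[cdglr]\s+)?(?P<path>/.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:[cdglr]\s+)?(?P<path>/.*)$")

# Expected groups, taken from the "expected results" shown in the entry.
EXPECTED_GROUPS = {"/var/lock": "lock", "/var/spool/mail": "mail"}

SAMPLE_OUTPUT = """
config # rpm -V filesystem
......G.. /var/lock
......G.. /var/spool/mail
S.5....T.  c /etc/constructed.conf
missing     /var/constructed-dir
"""  # last two lines are constructed to exercise the other cases


def parse_rpm_verify(output):
    """Return one finding per verification line; prompts and noise are skipped."""
    findings = []
    for raw in output.splitlines():
        line = raw.strip()
        match = MISSING_RE.match(line)
        if match:
            findings.append(
                {"path": match.group("path"), "failed": ["missing"], "unknown": []})
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        failed, unknown = [], []
        for letter, shown in zip(RPM_VERIFY_FLAGS, match.group("flags")):
            if shown == letter:
                failed.append(FLAG_MEANING[letter])
            elif shown == "?":  # rpm could not perform this test
                unknown.append(FLAG_MEANING[letter])
            elif shown != ".":
                break  # a letter in the wrong column: not rpm -V output
        else:
            findings.append(
                {"path": match.group("path"), "failed": failed, "unknown": unknown})
    return findings


def chgrp_plan(findings, expected_groups):
    """Build chgrp commands for group mismatches on paths with a known group."""
    return [
        f"chgrp {expected_groups[f['path']]} {f['path']}"
        for f in findings
        if "group" in f["failed"] and f["path"] in expected_groups
    ]


if __name__ == "__main__":
    results = parse_rpm_verify(SAMPLE_OUTPUT)
    for finding in results:
        print(finding["path"], "->", ", ".join(finding["failed"]))
    for command in chgrp_plan(results, EXPECTED_GROUPS):
        print(command)
```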
751586 : http2 virtual does not honour translate-address disabled
Component: Local Traffic Manager
Symptoms:
translate-address disabled on an http2 virtual is ignored.
Conditions:
http2 virtual and translate-address disabled configured.
Impact:
The destination address of the traffic is translated to that of the pool member.
Workaround:
None.
Fix:
translate-address disabled is working correctly now.
751573-1 : Updates to HSL pool members may not take effect
Component: TMOS
Symptoms:
High Speed Logging (HSL) does not respect the configured pool's changes and continues to send logs to the previous state of the pool.
For example, consider the following configuration:
-- HSL configured to send logs to pool (pool-HSL) where pool-HSL has 2 members: pm-1, and pm-2.
-- There is a manual update to pool-HSL to remove pm-2, or a monitor marks pm-2 down.
-- That change is not honored, and HSL continues to send logs to pm-2.
Conditions:
-- High Speed Logging configured to log to a pool of multiple members.
-- Pool members change manually or due to a monitoring probe.
-- Running one of the known affected TMOS versions.
Impact:
HSL logs continue being forwarded according to the previous state of the configured pool. The new state is not reflected.
Workaround:
None.
Fix:
Updates to pool members used as HSL destination are correctly reflected in HSL log forwarding.
751424-1 : HTTP Connect Category Lookup not working properly
Component: Access Policy Manager
Symptoms:
1. HTTP Connect Category Lookup does not return the correct category.
2. HTTP Connect Category Lookup cannot attach the service chain correctly.
Conditions:
-- Using SSLO iApp to configure a security policy.
-- Choose conditions 'Category Lookup (All)' and 'Category Lookup (HTTP Connect)'.
Impact:
Service chain is not correctly triggered based on the SSLO iApp policy selection when HTTP Connect traffic is passed.
Workaround:
There is no workaround at this time.
Fix:
1. The Access Per-request Policy HTTP Connect Category Lookup agent now returns the correct category ID.
2. Service connector is now inserted correctly, which ensures the correct behavior when dealing with HTTP Connect tunnel traffic.
751292-1 : mcpd core after changing parent netflow to use version9
Component: Advanced Firewall Manager
Symptoms:
When making changes to netflow profile (changing between v9 and v5), mcpd CPU usage on one core goes high, and a core file is written.
The problem occurs only when modifying root netflow profile that is referenced by a child netflow. Modifying the root netflow profile works as expected when it is not being referred to by any child netflow. When the issue occurs, mcpd gets into a loop and hangs there for a long time.
Conditions:
The problem occurs only when modifying root netflow profile that is referenced by a child netflow.
Impact:
The config changes appear to have been made. However, mcpd processes the config and stops responding. While mcpd restarts, there is no traffic management functionality (e.g., cannot retrieve or update system status, cannot reconfigure system, other daemons are not functional).
Workaround:
No workaround.
751179-1 : MRF: Race condition may create too many outgoing connections to a peer
Component: Service Provider
Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.
Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.
Impact:
More than one connection to a peer is created.
Workaround:
None.
Fix:
Only one connection is created under these conditions.
751152-1 : OpenSSL Vulnerability: CVE-2018-5407
Solution Article: K49711130
751143-1 : OpenSSL Vulnerability: CVE-2018-5407
Solution Article: K49711130
751052-1 : HTTP iRule event HTTP_REJECT broken
Component: Local Traffic Manager
Symptoms:
When an action causes an HTTP_REJECT event to be triggered, the content isn't executed, and BIG-IP logs an error log message that the event aborted:
info tmm[16852]: 01220009:6: Pending rule (null) <HTTP_REJECT> aborted
Conditions:
Any actions that cause an HTTP_REJECT event to be triggered.
Impact:
iRule content is not executed and the iRule action is aborted.
Fix:
Fixed an issue with the HTTP_REJECT event.
751011-3 : ihealth.sh script and qkview locking mechanism not working
Component: TMOS
Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.
Conditions:
Running qkview on one terminal and then ihealth.sh in another.
Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.
Workaround:
Run either qkview or ihealth.sh, not both simultaneously.
Fix:
Starting a qkview and then running ihealth.sh halts immediately as the system detects that qkview is running.
751009-3 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
Component: TMOS
Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.
Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.
Impact:
The file /var/tmp/mcpd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.
The file being deleted causes challenges with trying to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because it now requires a service impact (restarting mcpd).
Additionally, this may cause challenges in managing disk space on the /shared filesystem, as mcpd keeps writing to a deleted file, and it cannot be truncated.
Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.
Edit the /usr/bin/ihealth.sh script to remove the corresponding line.
From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr
Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.
Fix:
The problem line has been removed from the script, so this mcpd debug file is left alone (not deleted) after running ihealth.sh. Note that the GUI version of running qkview uses ihealth.sh script.
750973-1 : Import XML policy error
Component: Application Security Manager
Symptoms:
Import XML policy fails with errors:
--------
The security policy file does not conform to the schema and cannot be imported
element attack_type: Schemas validity error : Element
'attack_type': 'Web Scraping' is not a valid value
--------
Conditions:
-- A user-defined Signature Set having Attack Type 'Web Scraping' defined.
-- This Signature Set is included in an exported XML policy.
Impact:
Schema validation on XML policy import fails. Import XML policy fails with errors.
Workaround:
Use binary policy export/import.
Fix:
This release fixes the XML policy export/import process to not fail or produce Attack Type 'Web Scraping'-related errors.
750922-1 : BD crash when content profile used for login page has no parse parameters set
Component: Application Security Manager
Symptoms:
Bd crashes. No traffic goes through ASM.
Conditions:
-- A JSON login page is configured.
-- The content profile used for the login page does not have parse parameters set.
Impact:
No traffic goes through ASM. Bd crashes.
Workaround:
Set the parse parameters setting.
Fix:
BD no longer crashes when the content profile used for login page has no parse parameters set.
750823-1 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
Component: Access Policy Manager
Symptoms:
Memory usage in TMM keeps going up.
Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:
TCL error: ... - Failed to forward request to apmd.
Impact:
Memory leaks in TMM, which cause a TMM crash eventually.
Workaround:
Limit the amount of data that will be forwarded to APMD.
750793-2 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
Component: Application Security Manager
Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.
Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.
Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.
Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.
Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.
750689-3 : Request Log: Accept Request button available when not needed
Component: Application Security Manager
Symptoms:
There are several violations that make requests unlearnable, but the Accept Request Button is still enabled.
Conditions:
This occurs in the following scenarios:
1. Request log has requests with following violations that make requests unlearnable:
- Threat Campaign detected.
- Null character found in WebSocket text message.
- Access from disallowed User/Session/IP/Device ID.
- Failed to convert character.
2. Subviolations of HTTP protocol compliance fails violation:
- Unparsable request content.
- Null in request.
- Bad HTTP version.
3. Only the following violations are detected:
- Access from malicious IP address.
- IP address is blacklisted.
- CSRF attack detected.
- Brute Force: Maximum login attempts are exceeded.
Impact:
Accept Request button is available, but pressing it does not change the policy.
Workaround:
None.
Fix:
The Accept Request button is now disabled when there is nothing to be learned from request.
750686-1 : ASE user cannot create or modify a bot signature.
Component: Application Security Manager
Symptoms:
A user with the Application Security Editor role gets a validation exception while trying to create or modify a bot defense signature via GUI, tmsh, or REST.
Conditions:
The logged-on user account is configured with an Application Security Editor role.
Impact:
An Application Security Editor is unable to define user-defined signatures for the bot defense module.
Workaround:
Change user role to Administrator or Web Application Security Administrator to create or modify bot defense signatures.
Fix:
User accounts configured for Application Security Editor can now create/modify bot defense signatures.
750683-1 : REST Backwards Compatibility: Cannot modify enforcementMode of host-name
Component: Application Security Manager
Symptoms:
Modifying the enforcementMode value fails with the following message: Valid Host Name already exists in this policy.
In 14.1.0, the capability to treat specific domains as Transparent while the rest of the policy is in Blocking moved from Host Names to the new Microservices feature. The REST endpoint for Host Names (/mgmt/tm/asm/policies/<ID>/host-names) is meant to still support setting and modifying this attribute. However, this is not happening successfully.
Conditions:
-- Running version 14.1.0 software.
-- Using a pre-14.1.0 REST API to modify the enforcementMode of a host name (/mgmt/tm/asm/policies/<ID>/host-names).
Impact:
The value change fails.
Workaround:
You can use either workaround:
-- Change the value using the GUI.
-- Use the newer endpoint: (/mgmt/tm/asm/policies/<ID>/microservices).
Fix:
Using the backwards compatible REST to update the enforcementMode of a host name now succeeds.
750668-1 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
Component: Application Security Manager
Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.
Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.
Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.
Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.
Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.
750666-1 : Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common'
Component: Application Security Manager
Symptoms:
For any partition other than 'Common' (i.e., a user-defined partition), you cannot create a new Bot Signature or Bot Category Signature via GUI, because the form fields and buttons are disabled (grayed out).
Conditions:
-- Creating Bot Signature/Bot Category Signature.
-- The partition is set to a user-defined partition.
Impact:
No creation of Bot Signature/Bot Category Signature can be completed through GUI in a user-defined partition.
Workaround:
Create Bot Signature/Bot Category Signature in TMSH.
Fix:
Can now create Bot Signature/Bot Category Signature in user partition different from 'Common'.
750661 : URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.
Component: TMOS
Symptoms:
A regression in configuration processing causes LTM Rewrite profile to ignore configured URI translation rules.
Conditions:
Using LTM Rewrite profiles with URI translation rules configured.
Impact:
URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.
Workaround:
None.
Fix:
Restored functionality of LTM Rewrite URI translation rules.
750586-2 : HSL may incorrectly handle pending TCP connections with elongated handshake time.
Component: TMOS
Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion that exceed default handshake timeout.
Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.
Impact:
-- Service interruption while TMM restarts.
-- Failover event.
Workaround:
None.
Fix:
HSL handles unusually long pending TCP handshakes gracefully and does not cause outage.
750580-1 : Installation using image2disk --format may fail after TMOS v14.1.0 is installed★
Component: TMOS
Symptoms:
When v14.1.0 is installed, subsequent installations of software performed using image2disk with the --format=volumes option from within a TMOS installation slot may fail.
The failure occurs after the disks have been formatted, but before the TMOS installation slot is bootable, and the system is left without a TMOS installation slot.
While performing the installation, the system posts messages similar to the following in the serial console:
-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : MySQL-shared/i686
...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package MySQL-shared (i686)
-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : openssl/x86_64
...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package openssl (x86_64)
-- info: capture: status 32512 returned by command: chroot /mnt/tm_install/1258.DHwcwN rpm --rebuilddb
...
-- info: chroot: failed to run command 'rpm': No such file or directory
Conditions:
This issue occurs when all of the following conditions are met:
-- Version 14.1.0 is installed on the system, even if the system never boots into the 14.1.0 installation slot.
-- Using image2disk with the --format=volumes option specified from TMOS.
-- Installing another version of the software.
In particular, this issue affects MOS version 2.12.0-140.0, which can be checked by running this command from a bash shell on the BIG-IP system:
grub_default -d | grep -A6 'TMOS maintenance' | grep 'TIC_STATIC_VERSION'
Impact:
The installation fails, and the system is left in a state where it is not accessible on the network and has no configuration. You must use the console to access the system.
Workaround:
You can use the following workarounds:
-- Use the Software Management screens in the GUI to perform installations
-- Use the tmsh 'sys software' commands to perform software installations.
-- Do not use the image2disk --format command to install software.
750477-1 : LTM NAT does not forward ICMP traffic
Component: Advanced Firewall Manager
Symptoms:
ICMP traffic that matches an LTM NAT object on a BIG-IP system is not forwarded, but is instead dropped by the BIG-IP system.
Conditions:
-- LTM NAT object is configured on the BIG-IP system.
-- The BIG-IP system receives ICMP traffic matching the LTM NAT object.
Impact:
Client ICMP traffic (matching LTM NAT) is not forwarded to the destination causing traffic disruption.
Workaround:
None.
Fix:
ICMP traffic matching an LTM NAT object is now forwarded to the destination as expected.
750460-1 : Subscriber management configuration GUI
Solution Article: K61002104
750447-3 : GUI VLAN list page loading slowly with 50 records per screen
Component: TMOS
Symptoms:
The GUI VLAN list page loads slowly when there are 3200+ VLANs and the Records Per Screen preference is set to 50.
Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.
Impact:
Cannot use the page.
Workaround:
Use tmsh or guishell tool to see the VLANs.
You can also try using a smaller value for the Records Per Screen option in System :: Preferences.
Fix:
Improved data retrieval and rendering for the VLAN list page.
750431-1 : Persistence record is deleted in MRF SIP after updating timeout value with the iRule 'SIP::persist timeout'
Component: Service Provider
Symptoms:
MRF SIP persistence records are deleted after updating the timeout value with the iRule 'SIP::persist timeout'.
Conditions:
-- MRF SIP configured with a persistence mode enabled.
-- Persistence timeout value is modified with iRule 'SIP::persist timeout'.
Impact:
Connections are not persisted as expected, causing additional processing, load balancing, and potential for misrouted messages.
Workaround:
Do not use 'SIP::persist timeout' to update timeouts. Increase initial timeout values when using custom persistence mode or switch to a non-custom persistence mode that updates timeouts automatically without iRules.
Fix:
The iRule 'SIP::persist timeout' no longer causes the persistence record to be deleted when updating the timeout value.
750356-2 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
Component: Application Security Manager
Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.
Conditions:
-- Create a new filter.
-- Remove the new filter.
Impact:
The system removes all user-defined filters.
Workaround:
Before you delete a newly created filter, reload the page.
Fix:
Filter removal now completes successfully for all scenarios.
750318-3 : HTTPS monitor does not appear to be using cert from server-ssl profile
Component: TMOS
Symptoms:
An HTTPS monitor using a client certificate configured in the server-ssl profile fails to send the certificate during the SSL handshake.
A tcpdump shows a 0-byte certificate being sent.
Conditions:
-- In-tmm monitoring is disabled (default).
-- The server-ssl profile has been modified but without changing the configured certificate or key.
The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.
Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.
Workaround:
Restart bigd process by running the following command:
bigstart restart bigd
Fix:
mcpd now sends the full profile configuration to bigd upon modification.
750298-1 : iControl REST may fail while processing requests
Solution Article: K67825238
750292-2 : TMM may crash when processing TLS traffic
Solution Article: K54167061
750213-4 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
Solution Article: K25351434
Component: Global Traffic Manager (DNS)
Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.
Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.
Note: If the response is not in the hardware cache, then the query should be properly handled.
Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.
This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.
Workaround:
None.
750200-3 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
Component: Local Traffic Manager
Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.
Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.
Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.
Workaround:
None.
750187-1 : ASM REST may consume excessive resources
Solution Article: K29149494
749912-1 : [BIG-IQ Integration] Deadlock occurs when adding multiple hostnames with transparent enforcement
Component: Application Security Manager
Symptoms:
Transparent enforcement by hostname has been moved from the Host Name configuration to the Microservice configuration.
REST API Clients that use the backwards-compatible, old endpoint, and send multiple requests in parallel may encounter a deadlock when configuring this element.
Conditions:
1) REST API Clients configure policy enforcement transparency by hostname.
2) They use the backwards-compatible, old endpoint to do so.
3) Multiple requests are sent in parallel.
Note: This is the case for BIG-IQ managing the BIG-IP system and configuring multiple domain names.
Impact:
Configuration calls fail due to internal DB deadlocks
Workaround:
Retry the API calls (or BIG-IQ deployment)
Fix:
Deadlocks during configuration calls are retried automatically and do not interrupt deployments.
749879-2 : Possible interruption while processing VPN traffic
Solution Article: K47527163
749785-2 : nsm can become unresponsive when processing recursive routes
Component: TMOS
Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consumes 100% CPU.
Conditions:
-- Dynamic routing enabled
-- Processing recursive routes from a BGP peer with different prefixlen values.
Impact:
Dynamic routing and services using dynamic routes do not operate. nsm does not recover and must be restarted.
Workaround:
None.
Fix:
nsm now processes recursive routes without issues.
749774-5 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
Component: Global Traffic Manager (DNS)
Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.
Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.
Impact:
Inconsistent behavior.
Workaround:
None.
Fix:
In this release, responses are now consistent when caching is enabled.
749704-2 : GTPv2 Serving-Network field with mixed MNC digits
Component: Service Provider
Symptoms:
The iRule command 'GTP::ie get value' incorrectly decodes the Serving-Network field, putting the least significant digit of the mobile network code (MNC) value before the other two.
Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).
Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.
Workaround:
None.
Fix:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.
Behavior Change:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.
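The Serving-Network decoding described in 749704-2, as an added Python illustration that is not F5 code. It assumes the standard 3GPP PLMN nibble layout and the 4-octet GTPv2 IE header (type, 2-byte length, spare/instance); the function names and sample bytes are constructed for this example, and dropping the 0xF filler for two-digit MNCs follows the 3GPP encoding rather than anything stated on this page.

```python
"""Decode the PLMN identity (MCC/MNC) from a GTPv2 Serving Network IE (type 83)."""
import struct

SERVING_NETWORK_IE = 83  # IE type queried by the iRule on this page
FILLER = 0xF             # 3GPP filler nibble used when the MNC has two digits


def _digits(nibbles):
    """Turn BCD nibbles into a digit string, rejecting non-decimal values."""
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal BCD digit in PLMN identity")
    return "".join(str(n) for n in nibbles)


def _split(value):
    """Return the six nibbles of the first three octets, named by 3GPP position."""
    if len(value) < 3:
        raise ValueError("Serving Network value shorter than 3 octets")
    mcc1, mcc2 = value[0] & 0x0F, value[0] >> 4   # octet 1: MCC2 | MCC1
    mcc3, mnc3 = value[1] & 0x0F, value[1] >> 4   # octet 2: MNC3 | MCC3
    mnc1, mnc2 = value[2] & 0x0F, value[2] >> 4   # octet 3: MNC2 | MNC1
    return mcc1, mcc2, mcc3, mnc1, mnc2, mnc3


def decode_plmn(value):
    """Return ((mcc, mnc), trailing_bytes), the same shape as the fixed iRule result."""
    mcc1, mcc2, mcc3, mnc1, mnc2, mnc3 = _split(value)
    mnc = [mnc1, mnc2] if mnc3 == FILLER else [mnc1, mnc2, mnc3]
    return (_digits([mcc1, mcc2, mcc3]), _digits(mnc)), bytes(value[3:])


def decode_plmn_misordered(value):
    """Reproduce the ordering in the Symptoms: MNC digit 3 emitted before digits 1 and 2."""
    mcc1, mcc2, mcc3, mnc1, mnc2, mnc3 = _split(value)
    return _digits([mcc1, mcc2, mcc3]), _digits([mnc3, mnc1, mnc2])


def parse_serving_network_ie(ie):
    """Validate the IE header, then decode the PLMN identity from the value."""
    if len(ie) < 4:
        raise ValueError("truncated IE header")
    ie_type, length, _spare_instance = struct.unpack("!BHB", ie[:4])
    if ie_type != SERVING_NETWORK_IE:
        raise ValueError("not a Serving Network IE")
    if length < 3 or len(ie) < 4 + length:
        raise ValueError("IE length does not cover a PLMN identity")
    return decode_plmn(ie[4:4 + length])


# Constructed samples: header 53 0003 00, then the 3-octet PLMN identity.
SAMPLE_3DIGIT_MNC = bytes.fromhex("53000300216354")  # MCC 123, MNC 456
SAMPLE_2DIGIT_MNC = bytes.fromhex("5300030000f110")  # MCC 001, MNC 01

if __name__ == "__main__":
    print(parse_serving_network_ie(SAMPLE_3DIGIT_MNC))
    print(decode_plmn_misordered(SAMPLE_3DIGIT_MNC[4:]))
```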
749690-1 : MOS_Image2Disk_Installation- kjournald service error★
Component: TMOS
Symptoms:
Attempted local installation of BIG-IP software image via MOS. During installation, there is a procedure error:
tm_install::TMOS::TMOS_getenforce --
Command not found: /usr/sbin/getenforce.
Installation is successful, even with this error.
Conditions:
Attempted installation of a copied .iso image:
image2disk --nosaveconfig --instslot=MD1.2 BIGIP-15.0.0-0.0.1248.iso
Impact:
When the installation of packages starts, the system reports the message. Installation completes successfully. There is no functional impact on the system, so you can safely ignore this message.
Workaround:
None.
Fix:
The 'Command not found: /usr/sbin/getenforce' error no longer occurs.
749689-2 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
Component: Local Traffic Manager
Symptoms:
The HTTPS monitor sends a different number of cipher suites in the client hello during the SSL handshake, and sometimes the back-end server fails to find a desired cipher suite in the client hello. As a result, the SSL handshake sometimes fails and the monitor wrongly marks the pool member down.
Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.
Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.
Workaround:
Restart bigd using the following command:
bigstart restart bigd
Fix:
HTTPS monitor now sends a consistent number of cipher suites in the client hello message during the SSL handshake.
749675-5 : DNS cache resolver may return a malformed truncated response with multiple OPT records
Component: Global Traffic Manager (DNS)
Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.
Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).
Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.
Workaround:
A second query will return the cached record, which will only have one OPT record.
Fix:
DNS cache resolver now returns the correct response under these conditions.
749603-1 : MRF SIP ALG: Potential to end wrong call when BYE received
Component: Service Provider
Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.
Conditions:
The hash of the call-id (masked to 12 bits) matches the hash of another call's call-id.
Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.
Workaround:
None.
Fix:
Entire call-id checked before terminating media flows.
749508-1 : LDNS and DNSSEC: Various OOM conditions need to be handled properly
Component: Global Traffic Manager (DNS)
Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.
Conditions:
LDNS and DNSSEC OOM conditions.
Impact:
Various traffic-processing issues, for example, TMM panic during processing of DNSSEC activity.
Workaround:
None.
Fix:
The system contains improvements for handling OOM conditions properly.
749500-1 : Improved visibility for Accept on Microservice action in Traffic Learning
Component: Application Security Manager
Symptoms:
Low visibility for the Accept on Microservice action.
Conditions:
There are suggestions that can be accepted on microservice.
Impact:
The system does not show Accept on Microservice in a suggestion.
Workaround:
None.
Fix:
Improved visibility for Accept on Microservice action and microservice-related details of suggestions.
749464-2 : Race condition while BIG-IQ updates common file
Component: Application Visibility and Reporting
Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.
Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.
Impact:
avrd might read incomplete data, and can even core in some rare cases.
Workaround:
None.
Fix:
This race condition no longer occurs.
749461-2 : Race condition while modifying analytics global-settings
Component: Application Visibility and Reporting
Symptoms:
Updating the analytics global-settings might cause a core for avrd.
The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses
Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by internal process script.
Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.
Workaround:
None.
Fix:
This represents a partial fix. See bug 764665 for an additional fix.
749414-4 : Invalid monitor rule instance identifier error
Component: Local Traffic Manager
Symptoms:
Modifying a node or pool member can cause the loss of monitor_instance and monitor_rule_instances for unrelated objects.
Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading UCS/SCF file can trigger the issue also.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.
Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.
-- Pool members are incorrectly marked down.
Workaround:
You can use either of the following:
-- Failover or failback traffic to the affected device.
-- Run the following command: tmsh load sys config.
749388-3 : 'table delete' iRule command can cause TMM to crash
Component: TMOS
Symptoms:
TMM SegFaults and restarts.
Conditions:
'table delete' gets called after another iRule command.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Call 'table lookup' on any key before performing a 'table delete'.
Whether or not the key was added into the database beforehand does not matter.
Fix:
Fixed code to prevent invalid use of internal data structure.
749382-1 : Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater
Component: TMOS
Symptoms:
Running a bare-metal installation via image2disk (i.e., 'image2disk --format=volumes <ISO>') may fail due to a missing command in the maintenance OS.
Conditions:
The version of MOS installed on the system is from a v14.1.0 or newer ISO, and a user attempts a bare-metal installation via the 'image2disk' command.
Impact:
Unable to perform bare-metal installations/installations from MOS in affected versions.
Workaround:
The installed version of MOS can be removed with the command '/usr/lib/bpdiag -a mos'. After doing this, installing a version older than 14.1.0 will re-install an older version of MOS without this issue. You can then reboot to MOS and manually run the installation using 'image2disk' from there.
Fix:
Fixed issues that caused bare-metal installations via 'image2disk' to fail.
749331-3 : Global DNS DoS vector does not work in certain cases
Component: Advanced Firewall Manager
Symptoms:
Global DNS DoS vector stops working under certain conditions.
Conditions:
Packets are not made to go through its entirety.
Impact:
Global DNS data structures are overwritten by subsequent incoming packets. Global DNS DoS vector does not rate-limit the packets.
Workaround:
None.
Fix:
Global DNS DoS vector checks now prevent this issue, so rate-limiting works as expected.
749324-1 : jQuery Vulnerability: CVE-2012-6708
Solution Article: K62532311
749294-4 : TMM cores when query session index is out of boundary
Component: Local Traffic Manager
Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by a memory corruption issue.
Conditions:
When session index equals the size of session caches.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.
749227-1 : MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE
Component: Service Provider
Symptoms:
Processing an INVITE message creates a temporary registration entry for an unregistered subscriber, but this registration entry is not extended if a subsequent INVITE occurs. This could cause the registration to expire during a call, thus allowing the reserved translated addresses to be provided to a different subscriber.
Conditions:
An INVITE message is received when unregistered-subscriber-callout attribute in the siprouter-alg profile
Impact:
The system adds a temporary registration entry to the registration table. The lifetime for this entry is the max-session-timeout value from the siprouter-alg profile. Subsequent INVITES will not extend the lifetime.
This could cause the registration to expire during a call, allowing the reserved translated addresses to be provided to a different subscriber.
Workaround:
None.
Fix:
Subsequent INVITEs now extend the lifetime by another max-session-timeout value.
749222-1 : dname compression offset overflow causes bad compression pointer
Component: Global Traffic Manager (DNS)
Symptoms:
DNS requests receive error response:
-- Got bad packet: bad compression pointer.
-- Got bad packet: bad label type.
Conditions:
When the DNS response is large enough that dname redirects to an offset larger than 0x3fff.
Impact:
DNS response is malformed. Because the DNS record is corrupted, zone transfer fails.
Workaround:
None.
Fix:
dname compression offset overflow no longer causes bad compression pointer.
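Added example, not F5 code: a minimal Python name compressor and strict decoder showing the 14-bit pointer limit behind 749222-1. The class and function names, the hop cap, and the sample message are constructed for this illustration; the two error strings are the ones quoted in the Symptoms.

```python
"""DNS name compression with the 14-bit pointer limit enforced on both sides."""
import struct

MAX_POINTER_OFFSET = 0x3FFF  # a pointer is 0b11 followed by a 14-bit offset
MAX_HOPS = 127               # hypothetical cap on pointers followed per name


class NameCompressor:
    """Appends names to a message buffer, reusing earlier suffixes via pointers."""

    def __init__(self, header_len=12):
        self.buf = bytearray(header_len)  # zeroed stand-in for the DNS header
        self.offsets = {}                 # lowercased label suffix -> offset

    def write_name(self, name):
        labels = [p.encode("ascii") for p in name.rstrip(".").split(".") if p]
        for i, label in enumerate(labels):
            suffix = tuple(l.lower() for l in labels[i:])
            target = self.offsets.get(suffix)
            if target is not None:
                # Only offsets <= 0x3FFF are ever stored, so this cannot overflow.
                self.buf += struct.pack("!H", 0xC000 | target)
                return
            if len(self.buf) <= MAX_POINTER_OFFSET:
                self.offsets[suffix] = len(self.buf)
            if not 0 < len(label) <= 63:
                raise ValueError("label length out of range")
            self.buf.append(len(label))
            self.buf += label
        self.buf.append(0)  # root label ends an uncompressed name


def read_name(msg, pos):
    """Strict decoder: returns (name, offset just past the name stored at pos)."""
    labels, end, hops = [], None, 0
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        octet = msg[pos]
        if octet & 0xC0 == 0xC0:
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((octet & 0x3F) << 8) | msg[pos + 1]
            hops += 1
            if target >= pos or hops > MAX_HOPS:  # must point backwards, no loops
                raise ValueError("bad compression pointer")
            end = pos + 2 if end is None else end
            pos = target
        elif octet & 0xC0:                        # 0b01 / 0b10 prefixes
            raise ValueError("bad label type")
        elif octet == 0:
            return ".".join(labels) + ".", (pos + 1 if end is None else end)
        else:
            if pos + 1 + octet > len(msg):
                raise ValueError("truncated label")
            labels.append(msg[pos + 1:pos + 1 + octet].decode("ascii"))
            pos += 1 + octet


def decode_error(msg, pos=0):
    """Return the decoder's error text for msg, or None if the name is valid."""
    try:
        read_name(msg, pos)
    except ValueError as exc:
        return str(exc)
    return None


def build_demo():
    """Constructed message: one early name, 16 KiB of filler, then late names."""
    c = NameCompressor()
    early = len(c.buf)
    c.write_name("www.example.com.")
    c.buf += bytes(0x4000)               # filler standing in for many records
    late = len(c.buf)
    c.write_name("mail.example.com.")    # may point back to the early suffix
    full1 = len(c.buf)
    c.write_name("ns.late.example.net.")  # first seen past 0x3FFF: not remembered
    full2 = len(c.buf)
    c.write_name("ns.late.example.net.")  # so it is written in full again
    return bytes(c.buf), early, late, full1, full2


if __name__ == "__main__":
    msg, early, late, full1, full2 = build_demo()
    for pos in (early, late, full1, full2):
        print(hex(pos), read_name(msg, pos))
```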
749184-2 : Added description of subviolation for the suggestions that enabled/disabled them
Component: Application Security Manager
Symptoms:
Missing description of subviolation for the suggestions that enabled/disabled them.
Conditions:
There are suggestions that enabled/disabled subviolations in the security policy.
Impact:
Cannot determine the subviolation for the suggestions that enabled/disabled them.
Workaround:
Open Description in an additional tab in Learning and Blocking settings screen.
Fix:
Added description of subviolation for the suggestions that enabled/disabled them.
749161-2 : Problem sync policy contains non-ASCII characters
Component: Access Policy Manager
Symptoms:
When an access policy contains non-ASCII characters, policy sync either fails or the characters are not synced properly on the target.
Conditions:
-- Using an access profile.
-- Access profile contains non-ASCII characters (code point greater than 0x7f), e.g., in VPE, add an 'Advanced Resource Assign' agent and specify an expression similar to the following in addition to the resource:
expr { [string tolower [mcget -decode {session.ad.last.attr.memberOf}]] contains [string tolower "CN=Suporte_Transmissão,"] || [string tolower [mcget -decode {session.ad.last.attr.memberOf}]] contains [string tolower "CN=suporte_tx,"]}
-- Start policy sync on the profile.
Impact:
Policy sync fails or does not complete properly for the non-ASCII characters.
Workaround:
None.
Fix:
Policy sync now works properly when the policy contains non-ASCII characters.
749136-1 : Disk partition /var/log is low on free disk space
Component: Application Security Manager
Symptoms:
Warning messages, such as these on system CLI:
--------------
Broadcast message from root@bigip1.test.net (Wed Nov 7 09:01:01 2018):
011d0004:3: Disk partition /var/log (slot 1) has only 0% free
--------------
Conditions:
ASM or DoS is provisioned.
Impact:
Disk partition /var/log is low on free disk space.
Workaround:
Manually delete nsyncd logs from /var/log.
Fix:
There is now stricter log rotation for nsyncd.
749109-3 : CSRF situation on BIGIP-ASM GUI
Component: Application Security Manager
Symptoms:
A CSRF situation on the BIG-IP ASM GUI might lead to resource exhaustion on the device while it is being run.
Conditions:
The following URL accepts a wildcard in the parameter id, making it a heavy URL:
https://BIG-IP/dms/policy/pl_negsig.php?id=*
Impact:
Once multiple requests are sent to the target GUI, the httpd process can be seen spiking, even on core 0 (VMware).
Workaround:
None.
Fix:
If the query string parameter has a string value, the query is not executed.
749057-1 : VMware Horizon idle timeout is ignored when connecting via APM
Component: Access Policy Manager
Symptoms:
VMware Horizon has an option to set idle timeout under "View Configuration\Global Settings\General\Client-dependent settings\For clients that support applications". When there is no keyboard or mouse activity for the given time, application sessions should be disconnected (desktop sessions remain, though).
This setting has no effect when connecting via APM.
Conditions:
VMware Horizon idle timeout setting for applications is configured and remote application is launched via APM.
Impact:
VMware Horizon idle timeout setting for applications has no effect.
Workaround:
None.
Fix:
VMware Horizon idle timeout "For clients that support applications" is now honored when connecting via APM.
749036-2 : Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM
Component: Access Policy Manager
Symptoms:
Some tmsh list commands may fail while SSLO is provisioned but no urldb or APM modules are provisioned with the following message: 'Password could not be retrieved'.
Conditions:
-- SSLO is provisioned.
-- Neither APM nor URLDB is provisioned.
-- Run the generic tmsh list command.
Impact:
tmsh command fails and posts the error: Unexpected Error: Password could not be retrieved.
Note: Some 'tmsh list' commands with arguments do run. For example, 'tmsh list net vlan' provides correct output, but 'tmsh list' does not.
Workaround:
There is no workaround other than provisioning APM or URLDB.
Note: You can provision APM or URLDB even if they are not licensed. Although the full feature set is not available without a license, provisioning loads the daemons needed to support the generic 'tmsh list' command.
Fix:
BIG-IP no longer requires SQL to be up with SSLO. Oauth is not needed under SSLO.
748999-3 : invalid inactivity timeout suggestion for cookies
Component: Application Security Manager
Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.
Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed
Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.
Workaround:
Ignore the inactive entity suggestions for cookies
Fix:
Inactivity learning for cookies has been deprecated; the feature no longer covers cookies.
748902-5 : Incorrect handling of memory allocations while processing DNSSEC queries
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes.
Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.
748891-2 : Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system.
Component: Local Traffic Manager
Symptoms:
Potential MAC relearning at the switches the BIG-IP system is connected to.
Conditions:
-- DB variable connection.vlankeyed set to disabled.
-- Multiple virtual-wires configured on the BIG-IP system.
-- Client to server and server to client traffic using different virtual wires on the BIG-IP system.
Impact:
Packets reach their L3 destination using an unexpected L2 path.
Workaround:
None.
Fix:
Connflow next hop and previous hop updates are now done in the correct order for virtual wires.
748848-2 : Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers
Component: Application Security Manager
Symptoms:
Multiple virtual servers are each using different cookie names for cookies 72, 74, and 76. This occurred because these cookie names are dependent on virtual server properties.
Conditions:
-- Multiple subdomains are configured to resolve to different virtual servers with different ASM policies.
-- Anti-Bot Mobile SDK attempts to connect to these virtual servers.
Impact:
Anti-Bot Mobile SDK is not able to connect to multiple virtual servers using the same cookie.
Workaround:
None.
Fix:
The relevant cookie names were changed.
The format TS00000000_7x (prefix/suffix may change according to configuration) is now used for cookies 72, 74, and 76, which results in identical cookie names for all configured virtual servers.
This will allow Anti-Bot Mobile SDK to connect to multiple virtual servers using the same cookie.
748813-3 : tmm cores under stress test on virtual server with DoS profile with admd enabled
Component: Anomaly Detection Services
Symptoms:
tmm cores
Conditions:
-- Systems under stress testing.
-- Virtual server with DoS profile with admd enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off Behavioral DOS.
Fix:
This tmm core no longer occurs under these conditions.
748502-1 : TMM may crash when processing iSession traffic
Solution Article: K72335002
748409-2 : Illegal parameter violation when json parsing a parameter on a case-insensitive policy
Component: Application Security Manager
Symptoms:
An illegal parameter violation is raised although the parameter is configured
Conditions:
The policy is configured as case insensitive, and a parameter is configured with capital letters
Impact:
False positive illegal parameter violation
Workaround:
Configure violation as case sensitive
748321-1 : bd crash with specific scenario
Component: Application Security Manager
Symptoms:
BD crash
Conditions:
A specific scenario may cause bd crash.
Impact:
Failover, traffic disturbance.
Workaround:
N/A
748253-1 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
Component: Service Provider
Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.
Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.
Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.
Workaround:
To mitigate this issue:
1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).
Fix:
Prevented the standby from sending DWR packets to the active device, so that it no longer expects DWA responses that never arrive.
748206-1 : Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
Component: TMOS
Symptoms:
Browser becomes unresponsive.
Conditions:
Loading the network map with a virtual server that contains a forwarding rule policy in the second position.
Impact:
Browser becomes unresponsive and must be restarted.
Workaround:
Change the position of the forwarding rule policy.
Fix:
The browser now behaves as expected when loading the network map with a virtual server that contains a forwarding rule policy in the second position.
748205-3 : SSD bay identification incorrect for RAID drive replacement★
Component: TMOS
Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.
Conditions:
iSeries platform with dual SSDs.
Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot.
Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.
The following steps will help to avoid inadvertently removing the wrong drive:
As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.
Here are some steps to follow to prevent this issue from occurring.
1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
• tmsh show sys raid
• tmsh show sys raid array
• array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized. (Note: the tmsh commands do not show the new drive at this stage.)
12. Logically add the new drive using the following command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.
Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working Array member, and you cannot add it to the array. That means the system responds and replicates as if 'HD already exists'.
748187-4 : 'Transaction Not Found' Error on PATCH after Transaction has been Created
Component: TMOS
Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.
Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.
Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.
Workaround:
If the transaction is not very large, configure icrd_child to only run single-threaded.
Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.
748177-1 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wildcards not matched to the most specific WideIP.
Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.
Impact:
DNS request gets wrong answer.
Workaround:
There is no workaround at this time.
Fix:
Multiple wildcards are now matched to the most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character.
748176-1 : BDoS Signature can wrongly match a DNS packet
Component: Advanced Firewall Manager
Symptoms:
When using the BDoS feature for the DNS protocol with auto-generated DNS Signatures or manually configured Custom DNS signatures, a valid DNS request is sometimes dropped because it wrongly matches the configured or dynamically generated DNS Signature while the box is under load and BDoS mitigation is ongoing.
Conditions:
A DNS Signature is configured, or a dynamically generated DNS Signature exists.
Such a DNS signature is found to match a DNS packet wrongly, even though the signature match criteria differ from the matched DNS packet.
Impact:
When the box is under load, the configured DNS signature gets into Attack Mitigation mode (which is normal), but may wrongly drop a DNS packet that does not match the signature.
Workaround:
Disable BDoS for protocol DNS. Also, do not use manually configured DNS Signatures.
Fix:
The parsed DNS information was cached and wrongly re-used as a performance optimization; this has been corrected.
748122-1 : BIG-IP Vulnerability CVE-2018-15333
Solution Article: K53620021
748121-3 : admd livelock under CPU starvation
Component: Anomaly Detection Services
Symptoms:
Due to resource starvation, the worker thread of admd does not get CPU for more than two minutes. At the same time, the configuration thread does get CPU.
The admd heartbeat failure occurs at 120 seconds. The SOD daemon kills admd.
The system posts messages similar to the following:
-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Publisher0 fails action is restart.
Conditions:
-- High CPU / memory utilization,
-- Very large configuration.
Note: There are no known special configuration requirements to have this occur.
Impact:
admd restarts.
Behavioral DoS does not work.
Workaround:
Reboot the BIG-IP system.
Fix:
admd livelock event no longer occurs in response to CPU starvation in very large configurations.
748081-1 : Memory leak in Behavioral DoS module
Component: Advanced Firewall Manager
Symptoms:
TMM runs out of memory and restarts.
The memory usage as shown in "tmctl memory_usage_stat", under module line tag "session" is noticed to be high, and keeps growing.
Conditions:
The issue is seen when the BDoS feature is configured and there exist Custom or Auto Generated BDoS Signatures. When such signatures exist, the BDoS one-second timer callback leaks memory.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
1. Disable BDoS feature.
2. Disable all configured and auto generated BDoS signatures using TMSH command:
# cd dos-common
# modify security dos dos-signature all { state disabled }
748043-2 : MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
Component: Service Provider
Symptoms:
The SIP Server sends a SIP Request to the client.
The SIP Server inserts a different port, so that responses are received on a different port.
The Client sends the response on the new requested port.
BIG-IP drops the packet.
Conditions:
The SIP Server wants the SIP Response to arrive on a different port.
Impact:
The SIP Request does not receive the SIP Response.
Workaround:
There is no workaround.
Fix:
BIG-IP now processes the SIP Response and sends it to the SIP Server.
747977-1 : File manually uploaded information is not synced correctly between blades
Component: Application Security Manager
Symptoms:
When you upload a file, the file is marked internally as manually uploaded. When the system downloads a file, it is marked as not being manually uploaded. This information is not passed and handled correctly on chassis.
Conditions:
-- Configuration is deployed on multiple blades
-- Fail over has occurred.
-- New update file is downloaded from ESDM on the primary blade.
Impact:
Security updates are not automatically installed on the new primary blade after failover.
Workaround:
Manually install security updates on new primary blade.
Fix:
Corrected the syncing and handling of information about whether files are manually uploaded or downloaded from ESDM.
747968-3 : DNS64 stats not increasing when requests go through DNS cache resolver
Component: Local Traffic Manager
Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.
Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.
Impact:
DNS64 stats are not correct.
Workaround:
There is no workaround at this time.
747926-2 : Rare TMM restart due to NULL pointer access during AFM ACL logging
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while performing ACL match logging.
Conditions:
The problem can happen only with the following configuration:
1) AFM Logging for ACLs enabled.
2) Security Network Logging profile has the property "log-translation-fields enabled"
The problem happens under extremely rare circumstances.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Defensive error handling to avoid the scenario of NULL pointer access.
747922-3 : With AFM enabled, during bootup, there is a small possibility of a tmm crash
Component: Advanced Firewall Manager
Symptoms:
During bootup or re-provisioning, with AFM enabled, there is a small possibility of a tmm crash. The tmm process generates a core file and then automatically restarts.
Conditions:
-- AFM enabled.
-- sPVA-capable hardware platform.
-- Boot up or re-provision the system.
Impact:
Tmm crashes, coredumps, and then restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The race-condition has been fixed, so this issue no longer occurs.
747909-5 : GTPv2 MEI and Serving-Network fields decoded incorrectly
Component: Service Provider
Symptoms:
MEI and Serving-Network values obtained with the GTP::ie get iRule command contain digits swapped in pairs, with the first digit missing and a random digit added at the back.
Conditions:
Processing GTP traffic with iRules.
Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.
Workaround:
No workaround.
Fix:
Decoding of GTPv2 MEI and Serving-Network fields corrected.
747907-2 : Persistence records leak while the HA mirror connection is down
Component: Local Traffic Manager
Symptoms:
Memory might leak on the active unit while the high availability (HA) mirror connection is down.
Conditions:
-- Persistence is configured that requires its state to be stored on the BIG-IP system.
-- Mirroring is configured on the persistence profile or the virtual server.
-- Mirror connection is down, for example, next active is down/offline/unavailable.
Impact:
Memory leak until the HA mirror connection is up. Once mirror connection is up, the system releases the memory.
Workaround:
-- Disable persistence while HA mirror connection is down (e.g., performing maintenance).
-- Disable session mirroring for iRules.
-- Use persistence that does not require its state to be stored on the BIG-IP system.
-- Restore HA connection.
Fix:
Persistence records no longer leak memory while the HA mirror connection is down.
747858-2 : OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires
Component: Local Traffic Manager
Symptoms:
OSPF packets are duplicated while traversing a virtual wire.
Conditions:
BIG-IP configured in L2 transparent mode using a virtual wire.
Impact:
OSPF unreliability can impact the overall routing domain and in turn impact services dependent on it.
Workaround:
None.
Fix:
Handle multicast packets through a virtual wire correctly.
747777-3 : Extractions are learned in manual learning mode
Component: Application Security Manager
Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Conditions:
Direct cause: Policy contains parameters with dynamic type
Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)
Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').
Fix:
Policy Builder does not set extractions for dynamic parameters in manual mode.
747727-1 : HTTP Profile Request Header Insert Tcl error
Component: Local Traffic Manager
Symptoms:
A TMM crash.
Conditions:
When the HTTP profile Request Header Insert field contains a Tcl interpreted string, Tcl is executed to expand the string before the header is inserted into the request header block.
If a Tcl error occurs
Impact:
In some cases this can cause TMM to crash. Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following to mitigate this:
-- Verify that your Tcl executes correctly in all cases.
-- Use a static string.
Fix:
TMM no longer crashes under these conditions.
747725-3 : Kerberos Auth agent may override settings that were manually made to krb5.conf
Component: Access Policy Manager
Symptoms:
When apmd starts up, it can override settings in the krb5.conf file with those required for the Kerberos Auth agent.
Conditions:
- Kerberos Auth is configured in an Access Policy.
- The administrator made changes to krb5.conf manually, to the section [realms] of the configured realm.
Impact:
Kerberos Auth agent behavior is not what the administrator expects with the changes.
It may also affect whether websso (Kerberos) behaves properly.
Workaround:
None
Fix:
After the fix, the configuration file changes are merged.
The Kerberos Auth agent adds the lines it requires and does not override existing settings.
747628-1 : BIG-IP sends spurious ICMP PMTU message to server
Component: Local Traffic Manager
Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.
Conditions:
-- The server side allows timestamps and the client side does not negotiate them.
-- The client-side MTU is lower than the server-side MTU.
-- There is no ICMP message on the client-side connection.
Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).
Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.
747624-2 : RADIUS Authentication over RSA SecurID is not working in challenge mode
Component: Access Policy Manager
Symptoms:
Cannot change/reset RSA PIN.
Conditions:
Using RADIUS Auth Agent to communicate with RSA SecurID server for user authentication.
Impact:
Users cannot change or reset RSA PIN.
Workaround:
None.
Fix:
RADIUS Authentication over RSA SecurID now works in challenge mode.
747617-2 : TMM core when processing invalid timer
Component: Local Traffic Manager
Symptoms:
TMM crashes while processing an SSLO iRule that enables the SSL filter on an aborted flow.
Conditions:
SSLO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
Fix:
SSL filter will no longer be enabled after connection close.
747592-1 : PHP vulnerability CVE-2018-17082
Component: TMOS
Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
Conditions:
This exploit does not need any authentication and can be exploited via a POST request. Because of the 'Transfer-Encoding: Chunked' header, PHP echoes the body as the response.
Impact:
F5 products are not affected by this vulnerability. The actual impact of this vulnerability is a possible XSS attack.
Workaround:
No known workaround.
Fix:
The brigade seems to end up in a messed up state if something fails in shutdown, so we clean it up.
747585-3 : TCP Analytics supports ANY protocol number
Component: Local Traffic Manager
Symptoms:
No TCP analytics data is collected for an ANY virtual server.
Conditions:
1. Provision AVR
2. Create a FastL4 server that accepts all protocols.
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.
Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.
Workaround:
There is no workaround at this time.
Fix:
TCP analytics now supports both ANY and TCP protocol numbers, and collects analytics for TCP flows if the protocol number is ANY or TCP.
747560-5 : ASM REST: Unable to download Whitehat vulnerabilities
Component: Application Security Manager
Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.
Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.
Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided; they must be downloaded manually, or the GUI must be used.
Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.
Fix:
The REST endpoint for importing Scanner Vulnerabilities for the Whitehat Scanner now correctly downloads the vulnerability file automatically when no file is provided.
747550-3 : Error 'This Logout URL already exists!' when updating logout page via GUI
Component: Application Security Manager
Symptoms:
When you try to update the Logout Page, you get an error about the URL existence: Error 'This Logout URL already exists!'
Conditions:
1. Create any Logout page.
2. Try to update it.
Impact:
The properties of the Logout Page cannot be updated.
Workaround:
Delete the logout page and create a new one.
Fix:
This release addresses the issue, so that no error is reported when updating the Logout Page.
747239-1 : TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection
Component: Local Traffic Manager
Symptoms:
TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection.
Conditions:
This might occur rarely when the HTTP/2 gateway is configured on a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
TMM SIGABRT no longer occurs under these conditions.
747187-2 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response
Component: Service Provider
Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.
Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.
Impact:
Media does not flow on pinholes for which a collision was detected and reported.
Workaround:
None
Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.
747104-1 : LibSSH: CVE-2018-10933
Solution Article: K52868493
Component: Advanced Firewall Manager
Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493
Conditions:
For more information see: https://support.f5.com/csp/article/K52868493
Impact:
For more information see: https://support.f5.com/csp/article/K52868493
Fix:
For more information see: https://support.f5.com/csp/article/K52868493
746941-2 : avrd memory leak when BIG-IQ fails to receive stats information
Component: Application Visibility and Reporting
Symptoms:
AVRD has a memory leak when it fails to send statistical information to BIG-IQ.
Conditions:
BIG-IP is used by BIG-IQ version 6.0.0 or higher, and stats collection is enabled.
In addition, BIG-IQ has some malfunction that prevents it from receiving the statistical information that BIG-IP is sending (for example: all DCDs are down, or there is no network connection between BIG-IP and BIG-IQ).
Impact:
avrd memory increases over time, leading to an avrd restart when it gets too large.
Workaround:
Connectivity issue between BIG-IP and BIG-IQ should be fixed, not just in order to prevent this memory leak, but for more important functionality such as visibility and alerts features in BIG-IQ.
Fix:
Memory leak is fixed.
746877-1 : Omitted check for success of memory allocation for DNSSEC resource record
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.
Conditions:
During memory stress while handling DNSSEC traffic.
Impact:
TMM panic and subsequent interruption of network traffic.
Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.
Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.
746873-1 : Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing
Component: TMOS
Symptoms:
Non-admin users cannot use tmsh list commands. Running the command gives the following error:
Unexpected Error: Can't display all items, can't get object count from mcpd.
Conditions:
Run a tmsh list command when logged in as non-admin user.
Impact:
Error is posted. Non-admin users cannot use the tmsh list commands.
Workaround:
Log in as admin to execute the tmsh list command.
Fix:
Non-admin users can now run tmsh list commands, as appropriate for the Role associated with the type of user account.
746861-1 : SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★
Component: TMOS
Symptoms:
The SFP interfaces do not come up or flap up and down repeatedly on BIG-IP 2000/4000 on boot up when both SFP interfaces are populated.
When an interface flaps, state changes such as those below are logged in the ltm log:
info pfmand[PID]: 01660009:6: Link: 2.1 is UP
info pfmand[PID]: 01660009:6: Link: 2.1 is DOWN
Conditions:
Both SFP interfaces, 2.1 and 2.2, on BIG-IP 2000/4000 are populated.
This is typically observed after an upgrade to an affected version.
Impact:
Traffic cannot be sent/received from these interfaces.
Workaround:
None.
Fix:
The interfaces now come up successfully. Occasional link bounce may be seen on reboot.
746825-1 : MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls
Component: Service Provider
Symptoms:
When a temporary registration is created for an unsubscribed user making an outgoing call, an ephemeral listener to receive incoming messages is not created.
Conditions:
-- If nonregister-subscriber-callout attribute is enabled in the siprouter-alg profile.
-- An unregistered client device places an outgoing call. At this point, a temporary registration is created. This temporary registration lives for the life of the call.
-- During the lifetime of the temporary registration, if the connection from the client is closed, it is not possible for an external device to reach the client device.
Impact:
The callee of an outgoing call initiated by an unregistered SIP device cannot end the call.
Workaround:
There is no workaround at this time.
Fix:
When a temporary registration is created, an ephemeral listener is created to receive SIP commands to be forwarded to the client device.
746771-3 : APMD recreates config snapshots for all access profiles every minute
Component: Access Policy Manager
Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers APMD to recreate the config snapshots for all access profiles. The detect-recreate cycle repeats every minute, posting log messages:
-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...
-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
Conditions:
The conditions under which the access profile configurations in APMD and MCPD become out of sync are unknown.
Impact:
TMM memory usage increases due to excessive config snapshots being created.
Workaround:
Restart APMD to clear the APMD and MCPD out-of-sync condition.
Fix:
This issue has been fixed.
746768-4 : APMD leaks memory if access policy contains variable/resource assign policy items
Component: Access Policy Manager
Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.
Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.
Impact:
APMD's memory footprint will increase whenever the access policy is applied.
Workaround:
There is no workaround.
Fix:
Memory growth has been addressed.
746750-1 : Search Engines get Device ID challenge when using the predefined profiles
Component: Application Security Manager
Symptoms:
When using one of the pre-defined profiles, "bot-defense-device-id-generate-after-access" and "bot-defense-device-id-generate-before-access", Search Engines might get Device ID challenges (and will most likely get blocked since they cannot run JS).
Conditions:
One of the pre-defined profiles ("bot-defense-device-id-generate-after-access" or "bot-defense-device-id-generate-before-access") is attached to a virtual server, and a valid search engine sends requests.
Impact:
Search Engines may be blocked.
Workaround:
Change mitigation of "Trusted Bot" in the attached profile to "Alarm":
1. Go to
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-after-access
or
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-before-access
2. Go to tab "Mitigation Settings"
3. For "Trusted Bot" choose "Alarm".
4. Save profile.
746710-1 : Use of HTTP::cookie after HTTP::disable causes TMM core
Component: Local Traffic Manager
Symptoms:
When an iRule disables HTTP with HTTP::disable, subsequent use of HTTP::cookie for that request will cause a TMM core dump.
Conditions:
1) HTTP profile is configured on the virtual server.
2) HTTP::disable is called on a request.
3) HTTP::cookie is then called on that request.
Impact:
Use of iRules in the above mentioned order will result in a TMM core. Traffic disrupted while tmm restarts.
Workaround:
Do not call HTTP::cookie on requests that have had HTTP disabled by HTTP::disable.
746657-1 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
Component: TMOS
Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the FQDN 'interval' value.
The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).
The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.
Conditions:
This occurs when viewing tmsh help text.
Impact:
FQDN nodes and pool members may be created with a different FQDN refresh interval than intended.
Workaround:
When creating an FQDN node or pool member, specify the desired FQDN 'interval' value (either TTL, or the desired number of seconds).
Fix:
The tmsh help text for LTM nodes and pools correctly shows the default value of 3600 seconds for the FQDN 'interval' value.
746424 : Patched Cloud-Init to support AliYun Datasource
Component: TMOS
Symptoms:
The Cloud-Init shipped in this version of VE does not support the Alibaba Cloud metadata service, because it lacks support for the AliYun Datasource.
Conditions:
VE for Alibaba Cloud
Impact:
Provisioning VE through Cloud-Init does not work on Alibaba Cloud.
Workaround:
N/A
Fix:
Patched Cloud-Init to support AliYun Datasource
746394-1 : With ASM CORS set to 'Disabled' it strips all CORS headers in response.
Component: Application Security Manager
Symptoms:
All access-control-* headers are removed by ASM, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS-related JavaScript errors on the browser console, and blocks cross-domain requests that should be allowed.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Backend server sends CORS headers access-control-*.
Impact:
Any webapp that sends cross origin AJAX requests might not work.
Workaround:
Set up an iRule on a virtual server, for example:
when HTTP_RESPONSE {
    array set header_list { }
    foreach header_name [HTTP::header names] {
        if { [string tolower $header_name] starts_with "access-control-" } {
            set header_list($header_name) [HTTP::header $header_name]
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    foreach header_name [array names header_list] {
        if {!([HTTP::header exists $header_name])} {
            HTTP::header insert $header_name $header_list($header_name)
        }
    }
}
Fix:
ASM no longer removes CORS headers when the feature is set to 'Disabled'. This is correct behavior.
746298-1 : Server Technologies logos all appear as default icon
Component: Application Security Manager
Symptoms:
Server Technologies logos all appear as the default icon.
Conditions:
Browsing the list of available Server Technologies in an ASM policy.
Impact:
Server Technologies logos all appear as the default icon.
Workaround:
Install the most recent Server Technologies update file.
Fix:
Server Technology-specific logos appear correctly.
746266-3 : Vcmp guest vlan mac mismatch across blades.
Component: TMOS
Symptoms:
Guests running on blades in a single chassis report different MAC addresses on a single vlan upon host reboot for vcmp guest.
Conditions:
This issue may be seen when all of the following conditions are met:
- One (or more) blade(s) are turned off completely via AOM.
- Create two vlans.
- Deploy a multi-slot guest with the higher lexicographic vlan.
- Now, assign the smaller vlan to the guest.
- Reboot the host
Impact:
Incorrect MAC addresses are reported by some blades.
Workaround:
There is no workaround at this time.
746131-4 : OpenSSL Vulnerability: CVE-2018-0732
Component: Local Traffic Manager
Symptoms:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.
Conditions:
Advanced shell access.
Impact:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.
Workaround:
None.
Fix:
Updated to OpenSSL 1.0.2p
746091-1 : TMSH Vulnerability: CVE-2019-19151
Solution Article: K21711352
746078-1 : Upgrades break existing iRulesLX workspaces that use node version 6
Component: Local Traffic Manager
Symptoms:
When upgrading a BIG-IP with iRulesLX plugins, if those plugins are based on workspaces that use node version 6 (instead of version 0.12) they will fail to work properly after the upgrade once the plugin is reloaded from the workspace.
Errors like this will be seen in /var/log/ltm:
Oct 5 06:37:12 B7200-R14-S36 info sdmd[17582]: 018e0017:6: pid[26853] plugin[/Common/test-jt-plugin.test-jt-extension] Starting the server.....jt...after upgrade...
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: Resuming log processing at this invocation; held 233 messages.
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] /var/sdm/plugin_store/plugins/:Common:test-jt-plugin_62858_3/extensions/test-jt-extension/node_modules/f5-nodejs/lib/ilx_server.js:30
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ILXServerWrap = process.binding('ILXServerWrap').ILXServerWrap;
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ^
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] Error: No such module: ILXServerWrap
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] at Error (native)
Conditions:
Upgrading a version of BIG-IP that is using iRulesLX that has a workspace based on node version 6. Later reloading the iRulesLX plugin from the workspace.
Impact:
The iRulesLX plugin no longer works.
Workaround:
- Navigate to the workspace folder on the BIG-IP (/var/ilx/workspaces/<partition>/<workspace name>).
- Make the file "node_version" writable (chmod +w node_version).
- Edit the node_version file: change "0.12" to "6"
- Save the node_version file.
- Make the file "node_version" read-only (chmod -w node_version).
- Reload the iRulesLX plugin from the workspace.
Fix:
Prevented the node version from getting reverted to default during an upgrade.
746077-4 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
Component: Local Traffic Manager
Symptoms:
DHCP-RELAY overwrites the 'giaddr' field containing a non-zero value. This violates RFC 1542.
Conditions:
DHCP-RELAY processing a message with the 'giaddr' field containing a non-zero value.
Impact:
RFC 1542 violation
Workaround:
None.
Fix:
DHCP-RELAY no longer overwrites the 'giaddr' field containing a non-zero value.
745947-2 : Add log events for MRF SIP registration/deregistration and media flow creation/deletion
Component: Service Provider
Symptoms:
Generally, only error conditions are logged for SIP. More logging is needed around SIP registration/deregistration, media flow creation/deletion, to help with debugging operations.
Conditions:
log.mrsip.level notice or above.
Impact:
Only error conditions are logged. Events helpful for debugging are not available in the logs.
Workaround:
There is no workaround at this time.
Fix:
Logging is now available for SIP registration/deregistration and media flow creation/deletion events.
745923-2 : Connection flow collision can cause packets to be sent with source and/or destination port 0
Component: Local Traffic Manager
Symptoms:
Symptoms vary based on traffic impacted:
-- Virtual server may reset a connection with the source and/or destination port set to 0 when the client sends an ACK after a 4-way close.
-- UDP traffic to virtual server with UDP profile immediate timeout configured or datagram load-balancing can collide with existing connections and be incorrectly sent with source and/or destination port 0.
Conditions:
-- Conditions to trigger this issue with TCP traffic:
- 3-way handshake initiated by client to virtual server.
- Client actively closing the connection - 4-way close.
- Client continues to send ACK after 4-way close.
-- Conditions to trigger this issue with UDP traffic:
- UDP profile has timeout immediate configured or datagram load-balancing.
- UDP packet arrives that matches an expiring but still-present connection.
-- Provisioned for AFM.
Impact:
Virtual server performs an incorrect reset with source or destination port 0, or UDP proxy traffic is sent incorrectly with source and/or destination port 0.
Workaround:
None.
Fix:
Connection flow collision no longer causes packets to be sent from source port 0.
745851 : Changed Default Cloud-Init log level to INFO from DEBUG
Component: TMOS
Symptoms:
Cloud-Init services generate too many debug log lines that populate their systemd journal.
Conditions:
Any BIG-IP VE release with Cloud-Init enabled and using "systemd".
Impact:
The volume of debug log lines might cause a VE admin to miss more important information and severe errors when reading the journal.
Workaround:
Manually change all Cloud-Init's log levels to INFO from DEBUG.
Fix:
Cloud-Init's default log levels have been changed to INFO from DEBUG.
745825-1 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
Component: TMOS
Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:
audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".
These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.
Conditions:
The audit_forwarder process is starting up and loading the configuration.
Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.
Workaround:
There is no workaround.
Fix:
The message has been modified to indicate that the configuration may still be loading. The message is now logged only once. A new message is logged indicating when audit_forwarder is enabled.
745813-1 : Requests are reported to local log even if only Bot Defense remote log is configured
Component: Application Security Manager
Symptoms:
Requests are logged locally on the BIG-IP system while they are supposed to be sent only to the remote logger.
Conditions:
- Bot Defense profile attached to a virtual server.
- Bot Defense remote logger profile attached to a virtual server.
Impact:
Requests logged locally on the BIG-IP system when they are not supposed to be.
Workaround:
None.
Fix:
Logging profile filter mechanism now honors remote and local logging configurations.
745809-2 : The /var partition may become 100% full requiring manual intervention to clear space
Component: Advanced Firewall Manager
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free
Additionally, there may be periodic restarts of the restjavad and bigd daemons related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition
Workaround:
This workaround is temporary in nature, and may need to be periodically performed either manually or from a script. While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
745802-1 : Brute Force CAPTCHA response page truncates last digit in the support id
Component: Application Security Manager
Symptoms:
Brute Force CAPTCHA response page shown to an end-user has a support id and the last digit is truncated.
Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.
Impact:
The support id presented to an end-user does not match the one shown in the ASM logs.
Workaround:
There is no workaround at this time.
Fix:
The correct support id is now shown in the CAPTCHA response page.
745783-1 : Anti-fraud: remote logging of login attempts
Component: Fraud Protection Services
Symptoms:
There is no support for logging of login attempts to a remote service.
Conditions:
Using high speed logging (HSL) to log login attempts.
Impact:
There is no support for logging of login attempts.
Workaround:
None.
Fix:
FPS now uses HSL to report login attempts using configured templates, rate-limit, and publisher to a remote service.
To enable this feature:
# via tmsh only
tmsh modify sys db antifraud.riskengine.reportlogins value enable
# via tmsh or GUI
tmsh modify sys db antifraud.internalconfig.string1 value "<login attempt log template>"
tmsh modify sys db antifraud.internalconfig.string2 value "<log-rate-exceeded log template>"
tmsh modify sys db antifraud.internalconfig.number1 value "<log-rate-exceeded threshold>"
tmsh modify security anti-fraud profile <fps profile> risk-engine-publisher <publisher>
It is recommended that you use encoding when composing an HTTP template. The default encoding level is 0, meaning 'never encode'.
To change encoding level:
tmsh modify sys db antifraud.internalconfig.number2 value <0/1/2>
Behavior Change:
FPS now includes the ability to perform High Speed Logging (HSL) of all login attempts to specific protected URLs. These events can be forwarded to remote services (e.g. SIEM Server), and, when enabled, can help indicate whether applications are under attack.
745715-2 : MRF SIP ALG now supports reading SDP from a mime multipart payload
Component: Service Provider
Symptoms:
Previously all non-SDP SIP payloads were ignored. This would cause media pinhole flows to not be created.
Conditions:
An INVITE message or its response contained an SDP section in a mime multipart payload.
Impact:
Media pinhole flows were not created
Workaround:
None.
Fix:
The SIP ALG functions can now extract and process the SDP section of a mime multipart payload.
745713-4 : TMM may crash when processing HTTP/2 traffic
Solution Article: K94563344
745654-4 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
Component: Access Policy Manager
Symptoms:
When a large number of TCP connections need new Kerberos tickets fetched from the KDC, websso processes requests more slowly than they arrive. This can lead to low throughput, and the virtual server becomes very slow to respond to requests.
Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.
Impact:
Low throughput and slow responses from Virtual server.
Workaround:
There is no workaround at this time.
Fix:
Increased the size of the websso worker queue so that the tmm and websso processes can communicate effectively. This eliminates virtual server slowness and increases throughput.
745629 : Ordering Symantec and Comodo certificates from BIG-IP
Component: TMOS
Symptoms:
This new feature enables ordering Symantec and Comodo certificates from the BIG-IP system.
Conditions:
You must have a Symantec or Comodo CA account to make certificate orders from the BIG-IP system.
Impact:
This new feature enables ordering of certificates from CAs Symantec and Comodo. CA-Approved certificates are automatically fetched and installed on the BIG-IP system.
Workaround:
None. This is a new feature.
Fix:
This release adds the capability to order/fetch and install certificates from CAs Symantec and Comodo.
Behavior Change:
You can now order/fetch and install certificates from the Symantec and Comodo Certificate Authorities.
745628-1 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a NOTIFY message has been processed.
Conditions:
This occurs because the NOTIFY message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
Fix:
Hairpin mode is not entered when processing NOTIFY messages
745624-1 : Tooltips for OWASP Bot Categories and Anomalies were added
Component: Application Security Manager
Symptoms:
Tooltips for some OWASP Bot Categories and Anomalies are 'N/A' in GUI/REST.
Conditions:
- GUI page: Event Logs:: Bot Defense :: Bot Traffic.
- Bot classification is 'OWASP Automated Threat'.
Impact:
Tooltip shows 'N/A' instead of detailed description. You cannot see detailed description of Bot classification of traffic.
Workaround:
None.
Fix:
Tooltips for OWASP Bot Categories and Anomalies were added.
745607-1 : Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly
Component: Application Security Manager
Symptoms:
3 month/last year filters are not displayed correctly in the applied filter.
Conditions:
3 month/last year filter applied in Bot Defense : Bot Traffic.
Impact:
You cannot see which filter is currently applied.
Workaround:
None.
Fix:
3 month/last year filter is now displayed correctly in applied filter.
745590-1 : SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added
Component: Service Provider
Symptoms:
In MRF SIP ALG, the hairpin flag is part of the translation_details structure. Because a connection/translation might be used for multiple simultaneous calls, if any call is hairpinned, subsequent calls on the same connection will not translate SDP addresses.
Conditions:
-- A connection/translation using multiple simultaneous calls
-- A call is hairpinned.
Impact:
Subsequent calls on the same connection do not translate SDP addresses.
Workaround:
None.
Fix:
SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added.
745574-1 : URL is not removed from custom category when deleted
Component: Access Policy Manager
Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.
Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.
Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.
Workaround:
"bigstart restart tmm" will resolve the issue.
Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.
745533-6 : NodeJS Vulnerability: CVE-2016-5325
Component: Local Traffic Manager
Symptoms:
It was found that the reason argument in ServerResponse#writeHead() was not properly validated.
Conditions:
iRules LX is running on the BIG-IP system.
Impact:
A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.
Workaround:
N/A.
Fix:
NodeJS updated to patch for CVE-2016-5325
745531-2 : Puffin Browser gets blocked by Bot Defense
Component: Application Security Manager
Symptoms:
Users using the Puffin Browser are blocked when accessing the Virtual Server when it is protected with either Proactive Bot Defense (within DoSL7 profile) or with the Bot Defense profile.
This applies to all versions of the Puffin Browser: Desktop, Android, iOS.
Conditions:
- Users using the Puffin Browser on Desktop, Android, iOS
- Bot Defense Profile, or: DoSL7 profile with Proactive Bot Defense is used while the "Block Suspicious Browsers" checkbox is enabled
Impact:
Users of the Puffin Browser cannot access the website
Workaround:
None
Fix:
Users of the Puffin Browser can now access the website that is protected by Bot Defense without getting blocked.
For the fix to take effect, both a BIG-IP release and an ASU that contain the fix must be installed. It is also recommended to set the following DB variables as shown:
tmsh modify sys db dosl7.proactive_defense_validate_ip value disable
tmsh modify sys db dosl7.cs_validate_ip value disable
745514-1 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a SUBSCRIBE message has been processed.
Conditions:
This occurs because the SUBSCRIBE message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
Fix:
Hairpin mode is not entered when processing SUBSCRIBE messages
745404-4 : MRF SIP ALG does not reparse SDP payload if replaced
Component: Service Provider
Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.
Conditions:
This occurs internally while processing SDP in a SIP message.
Impact:
Changes to the SDP are ignored when creating media pinhole flows
Workaround:
None.
Fix:
The SDP payload is now reparsed if modified or replaced.
745387-1 : Resource-admin user roles can no longer get bash access
Component: TMOS
Symptoms:
Resource-admin users with bash access may write to system files beyond the scope of their assigned access.
Conditions:
Resource-admin users configured with bash shell access.
Impact:
Resource-admin users with bash access may write to system files causing security risks.
Workaround:
Do not assign bash access for resource-admin users.
Fix:
Resource-admin users are now restricted to tmsh access. If a resource-admin user had bash access in a prior version and upgrades to this version, that user is converted to tmsh access automatically after the upgrade process.
Behavior Change:
Resource-admin roles can no longer have bash shell access. Upon upgrade, resource-admin users with bash access are converted to tmsh shell access.
745377-1 : TMM cores in certain scenarios with HTTP virtual server
Solution Article: K43450419
745371-1 : AFM GUI does not follow best security practices
Solution Article: K68151373
745257-1 : Linux kernel vulnerability: CVE-2018-14634
Solution Article: K20934447
745165-1 : Users without Advanced Shell Access are not allowed SFTP access
Solution Article: K38941195
745103-6 : NodeJS Vulnerability: CVE-2018-7159
Solution Article: K27228191
745027-2 : AVR is doing extra activity of DNS data collection even when it should not
Component: Application Visibility and Reporting
Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.
Conditions:
DNS Statistics collection or DNS-DoS is configured.
Impact:
avrd process is taking more CPU cycles for activity that is not needed. There is no impact to functionality.
Workaround:
None.
Fix:
The system no longer performs extra computation that is not needed in this case.
744949-1 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
Component: Service Provider
Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.
Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message will have a different IP address than the request message.
Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.
Workaround:
There is no workaround at this time.
Fix:
The FROM header will now contain the client's IP address.
744937-8 : BIG-IP DNS and GTM DNSSEC security exposure
Solution Article: K00724442
Component: Global Traffic Manager (DNS)
Symptoms:
For more information please see: https://support.f5.com/csp/article/K00724442
Conditions:
For more information please see: https://support.f5.com/csp/article/K00724442
Impact:
For more information please see: https://support.f5.com/csp/article/K00724442
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K00724442
Behavior Change:
Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:
-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap.
These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively.
When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type.
When using these variables:
-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.
744707-2 : Crash related to DNSSEC key rollover
Component: Global Traffic Manager (DNS)
Symptoms:
When running out of memory, a DNSSKEY rollover event might cause a tmm crash and core dump.
Conditions:
-- System has low memory or is out of memory.
-- DNSSKEY rollover event occurs.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.
744686-2 : Wrong certificate can be chosen during SSL handshake
Component: Local Traffic Manager
Symptoms:
If two certificates of the same type are configured in an SSL profile, one marked 'usage CA' and the other not, the wrong one could be chosen during the handshake.
Conditions:
Two certificates of the same type are configured in an SSL profile.
Impact:
The wrong certificate could be chosen during the handshake.
Workaround:
Do not configure two certificates of the same type on an SSL profile.
744685-2 : BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
Component: Local Traffic Manager
Symptoms:
An intermediate CA certificate should be considered invalid if the certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension. The BIG-IP system does not enforce this.
Conditions:
The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.
Impact:
The system might unexpectedly accept the SSL connection while the peer is using an inappropriate certificate.
Workaround:
None.
Fix:
With this fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension.
Behavior Change:
When authenticating a peer's SSL certificate, the system requires a CA certificate to have the 'Basic Constraints' and 'CA:True' in its extension, like this:
X509v3 Basic Constraints: critical
CA:TRUE
If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the handshake if the peer's CA certificate does not satisfy this requirement.
744595-3 : DoS-related reports might not contain some of the activity that took place
Component: Application Visibility and Reporting
Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.
Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.
Impact:
DoS related reports might not contain some of the activity that takes place.
Workaround:
None.
Fix:
The issue is fixed; all telemetry data is now collected without errors.
744589-3 : Missing data for Firewall Events Statistics
Component: Application Visibility and Reporting
Symptoms:
Some of the statistical information collected for Firewall events is lost and not reported.
When this takes place, the following message appears in the avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded
Conditions:
AFM is in use. No particular condition leads to the loss of stats; it usually takes place under heavy activity.
Impact:
Statistical reports of Firewall Events are missing some of the activity that actually took place.
Workaround:
There is no workaround at this time.
Fix:
Issue with missing data was fixed.
744516-4 : TMM panics after a large number of LSN remote picks
Component: Carrier-Grade NAT
Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.
Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.
Impact:
TMM restarts. Traffic is interrupted.
Workaround:
There is no workaround.
Fix:
TMM no longer panics regardless of the number of remote picks.
744347-4 : Protocol Security logging profiles cause slow ASM upgrade and apply policy
Component: Application Security Manager
Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.
Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.
Impact:
ASM upgrade and apply policy are delayed.
Workaround:
There is no workaround at this time.
744280-2 : Enabling or disabling a Distributed Application results in a small memory leak
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.
Conditions:
Enabling or disabling a Distributed Application.
Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.
Workaround:
None.
Fix:
Enabling or disabling a Distributed Application no longer results in a memory leak.
744275-1 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}
Fix:
This release always clears the Mandatory bit for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.
744210-2 : DHCPv6 does not have the ability to override the hop limit from the client.
Component: Local Traffic Manager
Symptoms:
A DHCPv6 packet may be dropped by a device after the DHCP relay if the client-provided hop limit is 1.
Conditions:
DHCPv6 Relay configured on the BIG-IP.
Impact:
Loss of DHCPv6 service.
Workaround:
There is no workaround at this time.
Fix:
A configurable hop limit override is now provided for client-sent DHCPv6 packets.
744188-1 : First successful auth iControl REST requests will now be logged in audit and secure log files
Component: TMOS
Symptoms:
Previously, the first successful REST request from a client was not logged.
Only subsequent REST calls and initial failed REST calls from a client were logged.
Conditions:
Making a successfully authenticated initial REST request from a new client to the BIG-IP system.
Impact:
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.
Workaround:
None.
Fix:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Here's an example of what shows in audit log:
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Here's an example of what shows in secure log:
-- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Subsequent REST calls will continue to be logged normally.
Behavior Change:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Subsequent REST calls will continue to be logged normally.
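A parser for the httpd(pam_audit) line format shown in the 744188 entry above, added here as an example (not F5 code). It extracts the key=value fields, collapses the audit and secure copies of an event, and reports first logins per user/host pair that come from a host outside an expected set. The function names, the expected-host set, the constructed sample lines, and the reading of 'attempts' as a count of authentication tries are assumptions.

```python
import re
from datetime import datetime

# key=value pairs as written by httpd(pam_audit); values may be double-quoted.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_FORMAT = "%a %b %d %H:%M:%S %Y"   # e.g. Fri Oct 12 17:07:53 2018

# The first two lines follow the audit and secure examples in the release
# note; the last two are constructed for this example.
SAMPLE_LINES = [
    'info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: '
    'httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest '
    'tty=(unknown) host=10.10.10.10 attempts=1 '
    'start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".',
    'info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] '
    'level=Guest tty=(unknown) host=10.10.10.10 attempts=1 '
    'start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".',
    'info httpd(pam_audit)[27001]: 01070417:6: AUDIT - user svc-deploy - RAW: '
    'httpd(pam_audit): user=svc-deploy(svc-deploy) partition=[All] '
    'level=Administrator tty=(unknown) host=192.0.2.44 attempts=3 '
    'start="Sat Oct 13 09:15:02 2018" end="Sat Oct 13 09:15:02 2018".',
    'err sdmd[17582]: 018e0018:3: unrelated daemon output',
]


def parse_pam_audit(line):
    """Return the fields of one httpd(pam_audit) line, or None if not one."""
    if "httpd(pam_audit)" not in line:
        return None
    start = line.find("user=")
    if start < 0:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(line[start:])}
    if not {"user", "host", "level", "attempts", "start"} <= fields.keys():
        return None
    try:
        when = datetime.strptime(fields["start"], TS_FORMAT)
        attempts = int(fields["attempts"])
    except ValueError:
        return None
    return {
        "user": fields["user"].split("(", 1)[0],
        "host": fields["host"],
        "level": fields["level"],
        "partition": fields.get("partition", "").strip("[]"),
        "attempts": attempts,
        "start": when,
    }


def first_logins(lines):
    """Map (user, host) to the earliest record seen for that pair.

    The same event is written to both /var/log/audit and /var/log/secure,
    so keying on (user, host) also removes that duplication.
    """
    seen = {}
    for line in lines:
        rec = parse_pam_audit(line)
        if rec is None:
            continue
        key = (rec["user"], rec["host"])
        if key not in seen or rec["start"] < seen[key]["start"]:
            seen[key] = rec
    return seen


def review(lines, expected_hosts, max_attempts=1):
    """Return (user, host, level, reasons) for first logins worth a look."""
    findings = []
    for (user, host), rec in sorted(first_logins(lines).items()):
        reasons = []
        if host not in expected_hosts:
            reasons.append("host not in expected management hosts")
        if rec["attempts"] > max_attempts:
            reasons.append(f"attempts={rec['attempts']}")
        if reasons:
            findings.append((user, host, rec["level"], reasons))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LINES, expected_hosts={"10.10.10.10"}):
        print(finding)
```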
744035-6 : APM Client Vulnerability: CVE-2018-15332
Solution Article: K12130880
743900-1 : Custom DIAMETER monitor requests do not have their 'request' flag set
Component: Local Traffic Manager
Symptoms:
Using the technique detailed in the Article: K14536: Customizing the BIG-IP Diameter monitor https://support.f5.com/csp/article/K14536 to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.
Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.
Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server thinks it is a response
Workaround:
None.
Fix:
Ensured that the 'request' flag is set for all DIAMETER monitor requests.
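The two DIAMETER flag issues above (744275, the Mandatory bit on the Product-Name AVP in a Capabilities Exchange Request, and 743900, the missing 'request' flag) both come down to single bits in the wire format. The following added example (not F5 code) builds and parses messages using the RFC 6733 header and AVP layout and checks both bits; the function names and the constructed messages, including the host name, are assumptions.

```python
import struct

CMD_FLAG_REQUEST = 0x80     # 'R' bit in the header Command Flags
AVP_FLAG_VENDOR = 0x80      # 'V' bit: a 4-byte Vendor-Id follows the AVP header
AVP_FLAG_MANDATORY = 0x40   # 'M' bit
CAPABILITIES_EXCHANGE = 257 # command code used in the iRule workaround above
ORIGIN_HOST = 264
PRODUCT_NAME = 269          # AVP code used in the iRule workaround above


def build_avp(code, flags, data):
    """Encode one AVP without Vendor-Id: code(4) flags(1) length(3) data pad."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def build_message(cmd_flags, cmd_code, avps):
    """Encode a version 1 message with fixed application and hop/end ids."""
    body = b"".join(avps)
    length = 20 + len(body)
    return (bytes([1]) + length.to_bytes(3, "big")
            + bytes([cmd_flags]) + cmd_code.to_bytes(3, "big")
            + struct.pack("!III", 0, 0x1111, 0x2222) + body)


def parse_message(raw):
    """Decode the header and the top-level AVPs, validating every length."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a DIAMETER version 1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length != len(raw) or length % 4:
        raise ValueError("message length field does not match the data")
    avps, pos = [], 20
    while pos < length:
        if length - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, pos)
        avp_len = int.from_bytes(raw[pos + 5:pos + 8], "big")
        header_len = 12 if flags & AVP_FLAG_VENDOR else 8
        if avp_len < header_len or pos + avp_len > length:
            raise ValueError("bad AVP length")
        avps.append({"code": code, "flags": flags,
                     "data": raw[pos + header_len:pos + avp_len]})
        pos += avp_len + (-avp_len % 4)   # AVPs are padded to 4 bytes
    return {"is_request": bool(raw[4] & CMD_FLAG_REQUEST),
            "command": int.from_bytes(raw[5:8], "big"),
            "avps": avps}


def audit_outgoing_request(raw):
    """Check a message that is meant to be a request for both flag issues."""
    msg = parse_message(raw)
    findings = []
    if not msg["is_request"]:
        findings.append("request flag (R) is clear; "
                        "the peer will treat this message as an answer")
    if msg["command"] == CAPABILITIES_EXCHANGE:
        for avp in msg["avps"]:
            if avp["code"] == PRODUCT_NAME and avp["flags"] & AVP_FLAG_MANDATORY:
                findings.append("Product-Name AVP (269) has the Mandatory bit set")
    return findings


# Constructed messages: a CER as described in 744275, the same CER with the
# AVP flags cleared (the effect of the workaround), and a probe without R.
_HOST = build_avp(ORIGIN_HOST, AVP_FLAG_MANDATORY, b"bigip.example.test")
CER_M_SET = build_message(CMD_FLAG_REQUEST, CAPABILITIES_EXCHANGE,
                          [_HOST, build_avp(PRODUCT_NAME, AVP_FLAG_MANDATORY, b"BIG-IP")])
CER_M_CLEAR = build_message(CMD_FLAG_REQUEST, CAPABILITIES_EXCHANGE,
                            [_HOST, build_avp(PRODUCT_NAME, 0, b"BIG-IP")])
PROBE_NO_R = build_message(0, CAPABILITIES_EXCHANGE,
                           [_HOST, build_avp(PRODUCT_NAME, 0, b"BIG-IP")])

if __name__ == "__main__":
    for name, raw in [("CER_M_SET", CER_M_SET), ("CER_M_CLEAR", CER_M_CLEAR),
                      ("PROBE_NO_R", PROBE_NO_R)]:
        print(name, audit_outgoing_request(raw))
```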
743803-1 : IKEv2 potential double free of object when async request queueing fails
Component: TMOS
Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.
Conditions:
When an async IPsec crypto operation fails to queue.
Impact:
Restart of tmm. All tunnels lost must be re-established.
Workaround:
No workaround known at this time.
743437-3 : Portal Access: Issue with long 'data:' URL
Component: Access Policy Manager
Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.
Conditions:
HTML page with very long 'data:' similar to the following example:
data:image/png;base64,...
Such URLs might be several megabytes long.
Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.
Workaround:
There is no workaround at this time.
Fix:
Now Portal Access handles very long 'data:' URLs correctly.
743257-3 : Fix block size insecurity init and assign
Component: Local Traffic Manager
Symptoms:
After an HA failover the block size insecurity checks were creating conditions for an infinite loop. This causes tmm to be killed by sod daemon via SIGABRT.
Conditions:
Rare; not reproducible.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
The init and assign of block size insecurity were modified and debug checks added. A possible loop condition in ssl renegotiation was removed.
742852-1 : Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header
Component: Application Security Manager
Symptoms:
Bot defense blocks a request containing a TSPD101 cookie in query string. TSPD101 is sent when using the Safari browser, and cross-site redirect protection is applied on a request.
Conditions:
- ASM provisioned.
- Bot Defense profile attached to a virtual server.
- Cross-site redirection is applied on a request.
- Using the Safari browser.
Impact:
Cross-site requests are blocked during the grace period configured on the bot defense profile.
Workaround:
Disable browser verification in the bot defense profile.
Fix:
Cross-site redirect protection now works as expected when the cookie is sent via the query string.
742829-1 : SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0
Component: Service Provider
Symptoms:
The BIG-IP system incorrectly handles SDP media ports. The UAC sends an SDP message body advertising that it can handle voice, text, and video. The UAS responds, advertising voice and text, and indicating that video is not desired by setting the video port to '0'. The BIG-IP system does not honor the fact that the UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.
Conditions:
RTP media port defined in the SIP message is set to 0.
Impact:
Improper media channel creation.
Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.
742558-1 : Request Log export document fails to show some UTF-8 characters
Component: Application Security Manager
Symptoms:
After exporting an ASM security event log, the log file exists but the characters are not visible.
Conditions:
Decoding of UTF-8 characters fails in Request Log export on a small range of characters.
Impact:
The contents of the log are not human readable.
Workaround:
None.
Fix:
Request Log export document now shows UTF-8 characters correctly.
742251-1 : Add Alibaba Cloud support to Qkview
Component: TMOS
Symptoms:
Qkview has been updated to support obtaining files relevant to the Alibaba Cloud.
Conditions:
Run Qkview.
Impact:
Files related to the Alibaba Cloud were not collected.
Workaround:
None
Fix:
Files related to Alibaba Cloud are now collected.
742237-4 : CPU spikes appear wider than actual in graphs
Component: Local Traffic Manager
Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.
Conditions:
CPU usage has spikes.
Impact:
Graphs of CPU spikes appear to last longer than they actually last.
Workaround:
Perform the following procedure:
1. Run the following command to record the 5-second average rather than the 1-second average:
sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf
2. Restart statsd to load the new configuration:
bigstart restart statsd
Fix:
CPU samples for graphs are averaged over a longer time to more closely represent the actual time between samples.
742226-6 : TMSH platform_check utility does not follow best security practices
Solution Article: K11330536
742184-3 : TMM memory leak
Component: Local Traffic Manager
Symptoms:
-- High TMM memory utilization;
-- Aggressive sweeper activated;
-- the 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.
Conditions:
A fastL4 and a L7 profile (e.g. HTTP) are assigned to a virtual server.
Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.
Workaround:
Do not add a L7 profile to a fastL4 virtual server.
Fix:
No memory leak in the TMM.
742078-6 : Incoming SYNs are dropped and the connection does not time out.
Component: Local Traffic Manager
Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.
Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.
Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.
Workaround:
There is no workaround.
Fix:
The following command enables the forwarding of an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable
741503-1 : The BIG-IP system fails to load base config file when upgrading with static IPv4★
Component: TMOS
Symptoms:
The BIG-IP system cannot load base config when upgrading with static IPv4. By default, the configuration is not moved on previous releases during the installation, but it moves mgmt address settings and the license.
Conditions:
This occurs during upgrade when a static mgmt IPv4 address is configured.
Impact:
Configuration does not load after upgrade.
Workaround:
Manually set the mgmt-dhcp value to 'disabled' in bigip_base.conf file.
Fix:
The BIG-IP system now loads the base config file as expected when upgrading with static IPv4 as mgmt address.
741449-3 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
Component: Fraud Protection Services
Symptoms:
JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. component-validation cookie timestamp (set on cookie creation)
2. current BIG-IP timestamp
Currently, these timestamps are not available in the alert details.
Conditions:
JAVASCRIPT_THRESHOLD alert is triggered.
Impact:
It is impossible to analyze the alert.
Workaround:
There is no workaround at this time.
Fix:
FPS should always include both timestamps when triggering the JAVASCRIPT_THRESHOLD alert.
741222-2 : Install epsec1.0.0 into software partition.★
Component: Access Policy Manager
Symptoms:
On some hardware configurations, after the BIG-IP software upgrade, epsec1.0.0 install fails.
Conditions:
-- Upgrade from earlier versions to BIG-IP 14.1.0.
-- Attempting to install epsec1.0.0.
Note: This occurs on only some hardware platforms, including the following:
+ BIG-IP 4000
+ BIG-IP i2800 series
+ BIG-IP Virtual Edition
+ BIG-IP vCMP Guest
Impact:
Unable to install or use software check with APM endpoint inspection.
Workaround:
There is no workaround other than upgrading to a fixed version of the software.
Fix:
The epsec1.0.0 installation is now performed into active BIG-IP software volume (/var), so this issue no longer occurs.
741163-3 : RHEL7: Kernel CVE-2018-3693
Solution Article: K54252492
741048-1 : iRule execution order could change after editing the scripts
Component: Local Traffic Manager
Symptoms:
iRule execution order might change. For example, you have the following iRules configured on a virtual server: rule1, rule2, rule3, and they all have CLIENT_ACCEPTED. If you do not specify their priority, or if you specify the same priority to each one, when you edit one, the execution order changes. For example, if you edit the rule2 script, the execution order changes to rule2, rule1, rule3.
Conditions:
Multiple events have the same priority.
Impact:
Execution order changes.
Workaround:
Specify different priorities for iRules containing the same event.
Fix:
iRule execution order is now maintained after editing the scripts.
740959-4 : User with manager rights cannot delete FQDN node on non-Common partition
Component: Local Traffic Manager
Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.
This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.
Conditions:
-- A user is created with manager rights for a non-Common partition.
-- That user does not have manager rights for the /Common partition;
-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.
-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.
Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.
Workaround:
You can use either of the following workarounds:
-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.
-- Create the FQDN template node on the /Common partition.
Fix:
A user with manager rights for a non-Common partition who has no manager rights to the /Common partition is now able to successfully delete an FQDN template node created on that non-Common partition.
740755-6 : Kernel vulnerability: CVE-2018-3620
Solution Article: K95275140
740543-1 : System hostname not displayed in console
Component: TMOS
Symptoms:
Hostname is not displayed in the shell prompt in bash and tmsh.
Conditions:
After reboot or upgrade, login to the host console, shell, or tmsh.
Impact:
Hostname is not displayed in the shell prompt.
Workaround:
Update hostname from GUI/TMSH.
Fix:
Hostname is now displayed in the shell prompt in bash and tmsh.
740345-3 : TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
Component: Local Traffic Manager
Symptoms:
TMM generates core files on the device.
Conditions:
Issue is seen when connection mirroring, session mirroring and OCSP stapling are enabled.
Impact:
If a failover happens when an SSL handshake is in progress, TMM restarts and a core file is generated on the standby device. Traffic disrupted while tmm restarts.
Workaround:
None.
739971 : Linux kernel vulnerability: CVE-2018-5391
Solution Article: K95343321
739963-4 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
To restore the state of the member, remove it and add it back to the pool.
739945-4 : JavaScript challenge on POST with 307 breaks application
Component: Application Security Manager
Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.
Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.
Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.
Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.
Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.
739432 : F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems
Component: Access Policy Manager
Symptoms:
F5 Adaptive Auth Configuration is a configuration required on BIG-IP systems. This allows access to F5 Adaptive Authentication Service hosted on the cloud. As the reporting feature is deprecated, the Reports associated with the feature are removed from the BIG-IP system. The associated reports are now shown in the F5 Adaptive Auth Service instead.
Conditions:
Admin attempts to view F5 Adaptive Auth reports on the BIG-IP system.
Impact:
Admin cannot use F5 Adaptive Auth Reports on the BIG-IP system. This is because F5 Adaptive Auth Reports functionality has been removed from BIG-IP systems, and is no longer supported.
Workaround:
View the associated reports in the F5 Adaptive Auth Service instead.
Fix:
F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems.
Behavior Change:
The reporting feature of the F5 Adaptive Auth Configuration, which allows access to F5 Adaptive Authentication Service hosted on the cloud, is deprecated with this release, so the Reports associated with the feature are removed from the BIG-IP system. The associated reports are now shown in the F5 Adaptive Auth Service instead.
739349-3 : LRO segments might be erroneously VLAN-tagged.
Component: Local Traffic Manager
Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up) might be erroneously VLAN-tagged when LRO is enabled.
Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.
Impact:
Egress traffic might sometimes be tagged.
Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:
tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>
Fix:
The system now ensures that fragment packet flags are correctly set.
738945-4 : SSL persistence does not work when there are multiple handshakes present in a single record
Component: Local Traffic Manager
Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.
Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.
Impact:
The SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to the server, but then the connection stalls and eventually reaches the idle timeout.
Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.
After changing or disabling persistence, the transaction succeeds and no longer hangs.
738943-3 : imish command hangs when ospfd is enabled
Component: TMOS
Symptoms:
- Dynamic routing enabled.
- ospfd protocol enabled.
- imish hangs.
Conditions:
- Running the imish command.
Impact:
The ability to show dynamic routing state using imish is affected.
Workaround:
Restart the ospfd daemon.
738891-1 : TLS 1.3: Server SSL fails to increment key exchange method statistics
Component: Local Traffic Manager
Symptoms:
When TLS 1.3 is negotiated with a server SSL profile, the key exchange method statistics do not increment.
Conditions:
-- TLS 1.3 is configured on a server SSL profile.
-- TLS 1.3 is the protocol version negotiated.
Impact:
Missing statistics.
Workaround:
None.
Fix:
The key exchange method statistics are now correctly incremented.
Behavior Change:
TLS 1.3 is now supported for configuration on server SSL profiles, so these statistics are now present.
738677-1 : Configured name of wildcard parameter is not sent in data integrity alerts
Component: Fraud Protection Services
Symptoms:
FPS sends a data integrity alert when a parameter is configured with 'Check Data Manipulation' enabled.
The alert includes the parameter's actual-name, actual-val-crc, and expected-val-crc.
For wildcard parameters, it is difficult to tell which parameter was found and triggered the data integrity alert, since FPS sends only the actual name that was found in the request.
Conditions:
Wildcard parameter defined for integrity check.
Impact:
Alert analysis is more difficult, as the actual matched parameter is not obvious.
Workaround:
None.
Fix:
FPS now includes the wildcard parameter's configured-name in the data integrity alert.
738676-1 : Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests
Component: Application Security Manager
Symptoms:
When trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests, the delete fails with an error and exceptions in restjavad.log:
[WARNING][593][30 Jul 2018 14:42:26 UTC][8100/mgmt ForwarderPassThroughWorker] URI:http://localhost:8100/mgmt/tm/asm/events/bot-defense-events?$top=200000, Referrer:https://<local_IP>/dms/bot_defense/bot_requests.php, Method:DELETE, Exception:java.util.concurrent.TimeoutException: remoteSender:<remote_IP>, method:DELETE
Conditions:
This can be encountered when deleting all bot requests while traffic is passing.
Impact:
Delete fails, and there is significant memory consumption in asm_config_server.
Workaround:
None.
Fix:
This release fixes the bot-requests deletion process to not fail with errors and not cause substantial memory consumption in asm_config_server.
738430-3 : APM is not able to do compliance check on iOS devices running F5 Access VPN client
Component: Access Policy Manager
Symptoms:
Compliance check against Microsoft Intune fails when an APM end user attempts a VPN connection from a managed iOS device running the F5 Access VPN client.
Conditions:
-- APM policy is configured to use Microsoft Intune for device compliance check.
-- APM end user is attempting VPN connection using the F5 Access VPN client on an iOS device.
Impact:
APM is not able to do compliance checks on the device, and VPN connection fails.
Workaround:
None.
Fix:
APM can now check iOS devices for compliance against Microsoft Intune.
738330-3 : /mgmt/toc endpoint issue after configuring remote authentication
Component: TMOS
Symptoms:
'Invalid username or password.' error on the /mgmt/toc page after configuring remote authentication.
Conditions:
When remote auth is configured.
Impact:
Cannot configure remote authentication.
After configuring remote authentication, you can log in to the mgmt/toc area with the admin user, but logging in with a remote auth user results in 'You are not authorized to use this resource'.
Workaround:
On BIG-IP versions since 14.1.0.6 and 13.1.1.5:
Enable 'Fallback to Local' in the remote auth config section on the BIG-IP system:
tmsh modify auth source fallback true
Both local BIG-IP user 'admin' and LDAP user are now able to authenticate and access https://XX.XX.XX.XX/mgmt/toc.
On other versions of BIG-IP software, there is no workaround.
Fix:
When source type is set to a remote auth method, login now succeeds. If the remote server is unavailable, authentication now falls back to local authentication, if authentication source fallback is set to true.
Behavior Change:
This release allows fallback to local authentication. When the authentication source type is set to a remote authentication source, if the remote server is unavailable, authentication now falls back to local authentication, if authentication source fallback is set to true.
738284-2 : Creating or deleting rule list results in warning message: Schema object encode failed
Component: Advanced Firewall Manager
Symptoms:
"Schema object encode failed: No foreign keys found for nested object" warning message is logged into /var/log/ltm while creating or deleting the rule list.
Jul 25 05:44:49 localhost.localdomain warning icr_eventd[4778]: 01a10008:4: Schema object encode failed: No foreign keys found for nested object with tag 17547
Conditions:
Observed in /var/log/ltm when creating or deleting a rule list:
tmsh create security firewall rule-list rule-list1
tmsh delete security firewall rule-list rule-list1
Impact:
The warning message has no impact on functionality and can be ignored.
Fix:
Log message has been changed to log at the debug level.
738236-7 : UCS does not follow current best practices
Solution Article: K25607522
738108-1 : SCTP multi-homing INIT address parameter doesn't include association's primary address
Component: TMOS
Symptoms:
When multihoming is enabled in an SCTP profile, the source-address of the INIT chunk was not added as an Address parameter in that INIT chunk.
Conditions:
Any SCTP profile where multi-homing is enabled.
Impact:
No impact for peers that implement SCTP in accordance with RFC 4960.
The RFC does not require that the address either should or should not be included in the INIT chunk, but does require that an entity receiving an INIT chunk include the source-address in its list regardless of whether that is included in the INIT chunk.
Workaround:
No known workaround.
Fix:
BIG-IP now includes all relevant addresses in the INIT chunk.
Behavior Change:
When multihoming is enabled, the local address will now be added to the INIT chunk. Previously the local address (that is, the address that the datagram is sent from) was not listed as an Address parameter. This is permitted, but not required, by RFC 4960 section 3.3.2.1.
737985-2 : BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode.
Component: Local Traffic Manager
Symptoms:
Services that require Standard Proxy mode cannot be used.
Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.
Impact:
Prevents services that require Standard Proxy mode from being leveraged in an L2 transparent deployment.
Workaround:
None.
Fix:
Support standard proxy mode.
737910-4 : Security hardening on the following platforms
Solution Article: K18535734
737866-2 : Rare condition memory corruption
Component: Application Security Manager
Symptoms:
BD daemon core.
Conditions:
Slow server and slow offload services.
Impact:
A bd crash; traffic disturbance.
Workaround:
None.
Fix:
A memory corruption condition was solved.
737731-6 : iControl REST input sanitization
Solution Article: K44885536
737574-6 : iControl REST input sanitization★
Solution Article: K20541896
737565-6 : iControl REST input sanitization
Solution Article: K20445457
737558-1 : Protocol Inspection user interface elements are active but do not work
Component: Protocol Inspection
Symptoms:
Protocol Inspection (PI) user interface options are present, but are not applied to traffic.
Protocol Inspection (PI) now requires the presence of either an add-on subscription or an AFM standalone license for any of the features to work. A 'Good' or 'Better' license does not activate the PI features. The Configuration Utility still allows you to configure inspection profiles, compliance checks, and signatures, but they are not applied to traffic. There is no feedback that they are not applied.
Conditions:
-- AFM licensed and provisioned through 'Good' or 'Better' license, but no add-on subscription license for Protocol Inspection. Alternately, AFM licensed as an add-on module to another module (typically LTM).
-- PI profile configured and applied to a virtual server or referenced in a firewall rule in an active firewall policy.
Impact:
If you previously had Protocol Inspection configured without the add-on license installed, the features are no longer applied to traffic until the add-on license is obtained. However, the GUI options remain active.
Workaround:
None.
737536-2 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
Component: TMOS
Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|
Attempting to redistribute the default route received from the OSPF process that is peering with the Internet to OSPF process 2. However, if that route is removed (e.g., an Internet link goes down), OSPF process 2 removes the associated route and the 'default-information originate' command is the ideal choice, because as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2. If that route is gone, OSPF process 2 immediately removes it from the routing table. Enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected like it should be.
Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:
OSPF router config examples:
***
OSPF 1:
!router ospf 1
ospf router-id 10.13.0.7
redistribute ospf
network 10.13.0.0/16 area 0.0.0.1
default-information originate
OSPF 2:
router ospf 1
ospf router-id 10.14.0.5
redistribute ospf
network 10.14.0.0/16 area 0.0.0.1
BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
***
-- Enabling 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive the advertised default route from BIG-IP OSPF process 1 if such exists.
# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
default-information originate
Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.
Workaround:
None.
Fix:
Enabling 'default-information originate' on OSPF process 2 forces OSPF process 2 to receive a default route from OSPF process 1 if such exists.
737423-2 : Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033
Component: TMOS
Symptoms:
An integer wraparound has been discovered in the Binary File Descriptor (BFD) library distributed in GNU Binutils up to version 2.30. An attacker could cause a crash by providing an ELF file with corrupted DWARF debug information.
concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.
The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.
Conditions:
Command-line usage of binutils tools by users with Advanced Shell Access
Impact:
None in default, standard and recommended configurations.
Workaround:
None.
Fix:
Upgraded binutils to an unaffected version.
737035-2 : New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup.
Component: Advanced Firewall Manager
Symptoms:
BDoS feature (AFM/DHD) needs to share learned traffic characteristics across nodes (within a cluster) and across devices (within the device group).
Previous infrastructure used by BDOS could cause spikes in disk usage due to a large number of snapshot files being saved under /config/filestore/ partition (.trash_bin_d and files_d/Common_d/l4bdos_context_d sub-directories).
Conditions:
BDOS feature is enabled on at least 1 context (either at global context or at least 1 virtual server).
Impact:
The /config partition on the BIG-IP system consistently fills up with large numbers of directories/files under /config/filestore/, eventually causing system to run out of disk space under /config partition.
Workaround:
As a workaround, manually delete files/directories filling up under /config/filestore/ partition (.trash_bin_d and files_d/Common_d/l4bdos_context_d sub-directories) to free up disk space.
Fix:
BDOS now uses a new (and improved) infrastructure for sharing data across nodes/devices (within device group/cluster setup) that does not require snapshot files to be maintained under /config/filestore/ partition.
734551-3 : L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server
Component: Local Traffic Manager
Symptoms:
Configuration overhead that requires configuration of a virtual server per VLAN group.
Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.
Impact:
Configuration overhead to configure virtual server per VLAN group.
Workaround:
None.
Fix:
Prevent the need to configure a virtual server per VLAN group.
734291-1 : Logon page modification fails to sync to standby
Component: Access Policy Manager
Symptoms:
Changes in the login page of VPE do not sync to standby.
Conditions:
1. You make changes to the logon page on the active device, making changes to the username or any other field on the login page of VPE.
2. You sync to standby, and it succeeds.
Impact:
When you access the standby device, the customization error failure message appears, and the dialog fails to open in VPE. You cannot see the changes made on the active device from the standby device.
Workaround:
Do not make changes to fields on the login page.
Fix:
Changes in the login page of VPE now sync to standby.
734228 : False-positive illegal-length violation can appear
Component: Application Security Manager
Symptoms:
A false-positive illegal-length violation.
Conditions:
A chunked request where the request length is more than half of the configured max-request length.
Impact:
False-positive illegal-length violation.
Workaround:
Configure a higher max request length violation.
Fix:
Fixed a false-positive request-length violation.
727136-1 : One dataset contains large number of variations of TLS hello messages on Chrome
Component: Anomaly Detection Services
Symptoms:
Dataset of TLS fingerprints of clients of a site can consume significantly more space than needed.
Conditions:
-- BADOS with TLS signatures.
-- AFM end user clients using the Mozilla Chrome browser.
Impact:
Dataset is full, so it does not contain a full TLS fingerprints set. As a result there is a risk of creating false-positive TLS signatures.
Workaround:
Turn off TLS signatures.
Fix:
Dataset of TLS fingerprints contains unique TLS fingerprints regardless of GREASE ciphers.
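The effect described in 727136-1 can be reproduced offline. The following is an added example, not F5 code: it assumes a JA3-style fingerprint (ordered version, cipher, extension and group lists hashed with SHA-256, since the BIG-IP fingerprint format is not given here) and uses constructed ClientHello summaries to show how GREASE code points (RFC 8701) inflate a fingerprint dataset until they are stripped.

```python
import hashlib

# GREASE code points reserved by RFC 8701: 0x0A0A, 0x1A1A, ... 0xFAFA.
GREASE = frozenset((n << 12) | 0x0A00 | (n << 4) | 0x0A for n in range(16))


def normalise(values, strip_grease):
    """Return the ordered list unchanged, or with GREASE code points removed."""
    if not strip_grease:
        return list(values)
    return [v for v in values if v not in GREASE]


def fingerprint(hello, strip_grease=True):
    """Hash the ordered ClientHello fields into a single fingerprint.

    Assumption: the field layout (version, ciphers, extensions, groups) is
    modelled on JA3-style fingerprints; it is not the BIG-IP format.
    """
    parts = [str(hello["version"])]
    for field in ("ciphers", "extensions", "groups"):
        kept = normalise(hello[field], strip_grease)
        parts.append("-".join(str(v) for v in kept))
    return hashlib.sha256(",".join(parts).encode("ascii")).hexdigest()


def dataset_size(hellos, strip_grease):
    """Number of distinct fingerprints the dataset would have to store."""
    return len({fingerprint(h, strip_grease) for h in hellos})


def build_sample():
    """Constructed data: 16 hellos from one GREASE-sending client build,
    each with different GREASE values, plus one client that sends none."""
    vals = sorted(GREASE)
    sample = []
    for i in range(16):
        sample.append({
            "version": 771,
            "ciphers": [vals[i], 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],
            "extensions": [vals[(i + 3) % 16], 0, 23, 65281, 10, 11, 16,
                           5, 13, 51, 45, 43, vals[(i + 5) % 16]],
            "groups": [vals[(i + 7) % 16], 29, 23, 24],
        })
    sample.append({
        "version": 771,
        "ciphers": [0x1301, 0x1303, 0x1302, 0xC02B, 0xC02F, 0xCCA9],
        "extensions": [0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
        "groups": [29, 23, 24, 25],
    })
    return sample


if __name__ == "__main__":
    hellos = build_sample()
    print("distinct fingerprints, GREASE kept:    ", dataset_size(hellos, False))
    print("distinct fingerprints, GREASE stripped:", dataset_size(hellos, True))
```

With GREASE kept, every connection from the same browser build occupies its own dataset slot; with GREASE stripped, the dataset holds one entry per real client stack.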
727107-4 : Request Logs are not stored locally due to shmem pipe blockage
Component: Application Security Manager
Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to become stuck. Messages similar to the following appear in pabnagd.log:
----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.
Conditions:
Request Logs are not stored locally due to shmem pipe blockage.
Impact:
Event logs stop logging locally.
Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd
Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.
726647-5 : PEM content insertion in a compressed response may truncate some data
Component: Policy Enforcement Manager
Symptoms:
HTTP compressed response with content insert action can truncate data.
Conditions:
PEM content insertion action with compressed HTTP response.
Impact:
Data might be truncated.
Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.
Fix:
HTTP compressed response with content insert action no longer truncates data.
726487-4 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
Component: TMOS
Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:
-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.
-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.
Or:
--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).
--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.
Or:
err mcpd[12620]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Invalid static route modification. A destination change from 172.25.0.1%500 to 172.25.0.1 is not supported... failed validation with error 17237812.
Conditions:
This issue occurs when all of the following conditions are met:
-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Either:
+ Creating a pool member in that partition while a configuration save is taking place at the same time (either system- or user-initiated).
+ Modifying a route in that partition while a configuration save is taking place at the same time (either system- or user-initiated).
Impact:
If the system is Active, traffic is disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).
Workaround:
There is no workaround other than not to create pool members or modify routes from one client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.
Fix:
MCPD on secondary blades no longer restarts if a pool member is created or a route is modified in a partition that uses a non-default route domain at the same time as the configuration is being saved.
726393-2 : DHCPRELAY6 can lead to a tmm crash
Solution Article: K36228121
726327 : NodeJS debugger accepts connections from any host
Solution Article: K37111863
726317-6 : Improved debugging output for mcpd
Component: TMOS
Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.
Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.
Impact:
None. Has no effect without log.mcpd.level set to debug.
Workaround:
None.
Fix:
New output helps F5 engineers diagnose mcpd problems more easily.
726240-1 : 'Cannot find disk information' message when running Configuration Utility★
Component: TMOS
Symptoms:
When running the Configuration Utility in the GUI, after clicking Next on the License screen, the GUI reports an error and you are unable to proceed: Cannot find disk information.
Conditions:
The conditions that trigger this are unknown; in one scenario, it was observed after running 'tmsh load sys config default', suspending the BIG-IP Virtual Edition (VE) guest, and then restarting it and running the Configuration Utility.
Impact:
You are unable to proceed through the configuration utility.
Workaround:
If this occurs, reboot the device, and the error will fix itself.
726176-2 : Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
Component: Local Traffic Manager
Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.
Conditions:
This issue occurs when all of the following conditions are met:
-- You are running on a BIG-IP platform using RSS DAG hash, for instance, z100 and 2000 or 4000 series hardware platforms.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.
Impact:
Traffic throughput may be degraded.
Workaround:
Set source-port to change.
Fix:
Platforms running RSS DAG hash now reuse source port at the correct rate when virtual server sets source-port preserve.
725791-6 : Potential HW/HSB issue detected
Component: TMOS
Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.
With a burst of CRC errors in the SRAM for ePVA transformation cache, it does not trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This occurs because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.
In these cases, there might be the following messages in /var/log/tmm*:
Device error: hsb_lbb* tre2_crc_errs count *
Conditions:
Traffic is offloaded to HSB hardware for acceleration.
Impact:
Hardware accelerated traffic drop.
Workaround:
Switch traffic to software acceleration.
Fix:
Traffic-critical registers are now included in failover triggers, which helps failover happen quickly with minimum disruption to traffic in the case of SRAM hardware failures.
725625-1 : BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK
Component: TMOS
Symptoms:
Data compression offload to QuickAssist devices is now enabled as part of BIG-IP Virtual Edition (VE) Cryptographic Offload feature.
BIG-IP VE Cryptographic Offload uses the Intel QAT 1.7 SDK. A newer QAT 1.7 SDK v4.4.0 provides code and firmware that fixes several known QAT defects, including a compression defect specific to Lewisburg/Lewis Hill QuickAssist devices.
Conditions:
-- BIG-IP VE SSL Offload is licensed
-- The BIG-IP VE VM has been assigned QAT Virtual Functions.
Impact:
BIG-IP VE Cryptographic and Compression offload are more reliable. The QAT 1.7 v4.4.0 SDK should be installed on the hypervisor host.
Workaround:
None.
Fix:
Several Intel QuickAssist defects have been fixed for BIG-IP VE Cryptographic and Compression Offload by upgrading BIG-IP VE to the Intel QAT 1.7 v4.4.0 SDK.
This newer QAT SDK introduces code and firmware support to fix several defects. A new Compress and Verify mode is introduced to work around a compression defect specific to Lewisburg/Lewis Hill QuickAssist devices.
See Intel's QuickAssist Release Notes for additional details:
https://01.org/sites/default/files/downloads//336211-009qatrelnotes.pdf.
725551-2 : ASM may consume excessive resources
Solution Article: K40452417
724680-6 : OpenSSL Vulnerability: CVE-2018-0732
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K21665601
Conditions:
For more information see: https://support.f5.com/csp/article/K21665601
Impact:
For more information see: https://support.f5.com/csp/article/K21665601
Workaround:
None.
Fix:
For more information see: https://support.f5.com/csp/article/K21665601
724327-2 : Changes to a cipher rule do not immediately have an effect
Component: Local Traffic Manager
Symptoms:
If a cipher rule is changed, and a cipher group that uses the rule is attached to an SSL profile, the change does not take effect until something else on the SSL profile changes.
Conditions:
-- A cipher group is used by an SSL profile.
-- One of its cipher rules changes.
Impact:
Unexpected behavior occurs because the cipher rule change does not take effect immediately.
Workaround:
After changing the cipher rule that's used by a cipher group, make a change to any SSL profile that uses the associated cipher group.
Fix:
Any changes to a cipher rule or cipher group now take immediate effect.
724109-2 : Manual config-sync fails after pool with FQDN pool members is deleted
Component: TMOS
Symptoms:
If a user deletes an FQDN pool on one BIG-IP system in a cluster and then runs a manual config sync with another BIG-IP system, the change fails to sync to the other BIG-IP systems in the cluster.
Conditions:
- Create fqdn pool in one BIG-IP
- Save sys config
- Run config sync
- Delete fqdn pool
- Save sys config
- Run config sync manually
Result: After the FQDN pool is deleted on one BIG-IP system and a config sync is run with another BIG-IP system, the manual config sync fails. The deleted FQDN pool is still present on the other BIG-IP system.
Impact:
The FQDN pool deletion fails on the other BIG-IP system, and the manual config sync operation fails.
Workaround:
The workaround for this issue is to use auto-sync.
723790-3 : Idle asm_config_server handlers consume a lot of memory
Component: Application Security Manager
Symptoms:
Idle asm_config_server handlers needlessly use a large amount of memory.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.
Impact:
Unnecessary memory consumption.
Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------
2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.
723288-4 : DNS cache replication between TMMs does not always work for net dns-resolver
Component: Global Traffic Manager (DNS)
Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.
Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.
Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.
Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.
Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)
721741-4 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
Component: Application Security Manager
Symptoms:
The bd log shows the following errors:
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------
Conditions:
Configuring IP Address Exceptions in a certain order, with and without a route domain.
Impact:
BD and BD_Agent are out-of-sync for IP Address Exceptions, which causes false positives and false negatives.
Workaround:
There is no workaround at this time.
Fix:
System no longer generates these false positive/negative log entries.
721724-1 : LONG_REQUEST notice print incorrect in BD log
Component: Application Security Manager
Symptoms:
LONG_REQUEST notice print shows incorrect memory usage.
Conditions:
-- A long request is received.
-- View the LONG_REQUEST notice in the BD log.
Impact:
The LONG_REQUEST notice in the BD logs contains an incorrect value for the total memory used by long request buffers.
Workaround:
None.
Fix:
LONG_REQUEST notice print in BD log now shows correct amount of memory used by long request buffers.
721585-1 : mcpd core processing ltm monitors with deep level of inheritance
Component: TMOS
Symptoms:
If the level of LTM monitor inheritance (defaults-from) is too deep, i.e., 9, mcpd fails to send sod a heartbeat within the heartbeat timeout; sod therefore restarts mcpd.
Conditions:
LTM monitors that have 9 levels of inheritance, i.e., mon1 defaults from mon2, which defaults from mon3, which defaults from mon4 ... to mon10.
Impact:
mcpd is restarted, which causes services to fail over.
Workaround:
Rework the ltm monitors so that the level of inheritance is less than 9.
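One way to check a configuration for the inheritance depth described above, as an added Python example that is not part of the release notes or F5 tooling. The sample text is constructed in bigip.conf style, the function names are hypothetical, and counting one level per defaults-from hop between user-defined monitors is an assumption.

```python
import re

# Matches one "ltm monitor <type> <name> { ... }" stanza whose closing brace
# sits at column 0, as in a saved bigip.conf.
MONITOR_RE = re.compile(r"^ltm monitor \S+ (\S+) \{(.*?)^\}", re.M | re.S)
DEFAULTS_RE = re.compile(r"^\s*defaults-from (\S+)", re.M)

MAX_SAFE_DEPTH = 8  # the workaround asks for fewer than 9 levels


def sample_conf():
    """Constructed sample: mon1 -> mon2 -> ... -> mon10 -> built-in http."""
    blocks = []
    for i in range(1, 11):
        parent = f"/Common/mon{i + 1}" if i < 10 else "/Common/http"
        blocks.append(
            f"ltm monitor http /Common/mon{i} {{\n"
            f"    defaults-from {parent}\n"
            f"    interval 5\n"
            f"}}"
        )
    return "\n".join(blocks)


def parse_parents(conf):
    """Map each monitor defined in conf to its defaults-from parent (or None)."""
    parents = {}
    for name, body in MONITOR_RE.findall(conf):
        match = DEFAULTS_RE.search(body)
        parents[name] = match.group(1) if match else None
    return parents


def inheritance_depth(name, parents):
    """Count defaults-from hops from name through user-defined monitors.

    A parent that is not defined in the parsed text (a built-in monitor such
    as /Common/http) ends the chain and is not counted.
    """
    depth = 0
    seen = {name}
    while True:
        parent = parents.get(name)
        if parent is None or parent not in parents:
            return depth
        if parent in seen:
            raise ValueError(f"defaults-from cycle at {parent}")
        seen.add(parent)
        depth += 1
        name = parent


def deep_monitors(conf, limit=MAX_SAFE_DEPTH):
    """Return the monitors whose inheritance depth exceeds limit, sorted."""
    parents = parse_parents(conf)
    return sorted(n for n in parents if inheritance_depth(n, parents) > limit)


if __name__ == "__main__":
    for monitor in deep_monitors(sample_conf()):
        print("rework inheritance for", monitor)
```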
721319-1 : CVE-2018-3639
Solution Article: K29146534
720219-3 : HSL::log command can fail to pick new pool member if last picked member is 'checking'
Solution Article: K13109068
Component: Local Traffic Manager
Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.
Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.
Impact:
Failure to send log messages via HSL.
Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.
Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.
719300-3 : ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address
Component: Local Traffic Manager
Symptoms:
ICMP unreachable packets sent by a server may be received by a client with the BIG-IP system's MAC address as the source MAC address.
Conditions:
BIG-IP deployed in an L2 transparent mode using VLAN groups.
Impact:
May impact services on the client that rely on source MAC address of incoming packets.
Workaround:
None.
Fix:
ICMP packets are now sent via the BIG-IP system in an L2 transparent mode.
718405-2 : RSA signature PAYLOAD_AUTH mismatch with certificates
Component: TMOS
Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.
The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.
Conditions:
Interoperating with other vendors under IKEv2 while using certificates.
Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.
Workaround:
Use pre-shared key authentication.
Fix:
BIG-IP systems now correctly build -- and verify -- AUTH payloads for RSA signatures and DSS, which should match other vendors and succeed, resulting in IKEv2 tunnels being created using certificates.
The DSS signature is no longer DER encoded, and the RSA signature now includes the 15-byte DER prefix (mandated by RFC 3447, page 42) before the 20-byte SHA1 digest is signed by RSA.
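The encoding difference described in this fix, as an added Python example that is not F5's code: it builds the RFC 3447 EMSA-PKCS1-v1_5 block with and without the 15-byte SHA-1 DigestInfo prefix and shows that a conformant verifier accepts only the former. The key (two Mersenne primes, not secure), the sample octets, and all function names are constructed for illustration.

```python
import hashlib
import hmac

# DER header of DigestInfo for SHA-1 (RFC 3447, section 9.2, note 1):
# SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING (20 bytes) }
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed demo key built from two known Mersenne primes. Not secure;
# it only keeps the example self-contained.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def emsa_pkcs1_v15(payload, em_len):
    """Build 0x00 0x01 PS 0x00 payload, where PS is at least 8 bytes of 0xff."""
    ps_len = em_len - len(payload) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this payload")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + payload


def digest_info_sha1(message):
    """15-byte DER prefix followed by the 20-byte SHA-1 digest (35 bytes)."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def rsa_sign(payload):
    em = emsa_pkcs1_v15(payload, K)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def sign_conformant(message):
    """Signature over DigestInfo, as RFC 3447 requires."""
    return rsa_sign(digest_info_sha1(message))


def sign_bare_digest(message):
    """Signature over the bare 20-byte digest, with the DER prefix omitted."""
    return rsa_sign(hashlib.sha1(message).digest())


def verify_conformant(message, signature):
    """RSASSA-PKCS1-v1_5 verification: rebuild the expected block and compare."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    expected = emsa_pkcs1_v15(digest_info_sha1(message), K)
    return hmac.compare_digest(recovered, expected)


def recovered_payload(signature):
    """Strip the padding to inspect what a peer actually signed."""
    em = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        raise ValueError("not a PKCS#1 v1.5 signature block")
    sep = em.index(b"\x00", 2)
    if sep - 2 < 8 or set(em[2:sep]) != {0xFF}:
        raise ValueError("bad padding string")
    return em[sep + 1:]


if __name__ == "__main__":
    octets = b"constructed signed octets for the AUTH payload"
    for label, sig in (("with prefix", sign_conformant(octets)),
                       ("bare digest", sign_bare_digest(octets))):
        print(label, len(recovered_payload(sig)), verify_conformant(octets, sig))
```

Decoding a peer's signature with its public key, as recovered_payload does, shows at a glance whether the signed payload is 35 bytes (prefix plus digest) or 20 bytes (digest only).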
717896-4 : Monitor instances deleted in peer unit after sync
Component: Local Traffic Manager
Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.
During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.
Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.
Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled'); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.
Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.
Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.
Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.
717100-1 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
Component: Local Traffic Manager
Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.
The missing FQDN ephemeral pool members may be created an hour after initial operations.
Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.
Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.
Workaround:
The following steps, alone or in combination, may help avoid this issue:
1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.
Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.
In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).
Fix:
Ephemeral pool members are now created for each pool under these conditions.
716714-4 : OCSP should be configured to avoid TMM crash.
Component: Local Traffic Manager
Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.
Conditions:
OCSP not configured in the SSL profile.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than configuring OCSP in SSL profiles.
Fix:
In this release, TMM skips processing OCSP if it is not enabled.
716167-2 : The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp
Component: Local Traffic Manager
Symptoms:
The MTU of the tmm_bp kernel interface may be out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
tmsh show /net vlan all-properties -hidden.
Conditions:
This issue occurs on first-boot after upgrading to versions later than v12.1.1 HF1.
Impact:
From the data plane perspective, this issue can cause excessive IP fragmentation on tmm_bp VLAN and high CPU usage.
In some cases it also causes packet loss.
From the config perspective, this issue has a few smaller impacts:
-- Fragmented packets on the tmm_bp interface for those packets greater in length than the actual MTU of this interface as given by the kernel in response to the command:
ip address list dev tmm_bp | egrep -i mtu (or: ifconfig tmm_bp).
Note: This has no impact to the running system. Fragmented packets are reassembled in order for TCP clients of the tmm_bp interface.
-- The sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp as given by either of the following commands:
ip address list dev tmm_bp
ifconfig tmm_bp
-- Similarly, the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the Net::Vlan tmm_bp as returned by the command:
tmsh show net vlan -hidden tmm_bp
Paraphrasing: The value of VLAN tmm_bp MTU (as found in vlan.backplane.mtu) is not applied to the corresponding kernel interface.
Workaround:
Restart all services to apply the correct setting by issuing the following commands, in sequence:
tmsh stop sys service all
tmsh start sys service all
To verify the setting is correct, issue the command:
ip addr show dev tmm_bp ; tmsh show net vlan -hidden tmm_bp \; list sys db vlan.backplane.mtu
715110-1 : AVR should report 'resolutions' in module GtmWideip
Component: Application Visibility and Reporting
Symptoms:
AVR does not report 'resolutions' in GtmWideip module.
Conditions:
One of the following modules is provisioned: AVR, AFM, or DNS/GTM.
Impact:
There are no statistics reported on 'resolutions' in GtmWideip module.
Workaround:
There is no workaround.
Fix:
AVR now reports 'resolutions' in GtmWideip module.
715032-2 : iRulesLX Hardening
Component: Local Traffic Manager
Symptoms:
iRulesLX does not follow current best practices and should be updated to ensure layered protections.
Conditions:
-- iRulesLX in use.
Impact:
iRulesLX does not follow current best practices.
Workaround:
None.
Fix:
iRulesLX now follows current best practices.
714292-3 : Transparent forwarding mode across multiple VLAN groups or virtual-wire
Component: Local Traffic Manager
Symptoms:
This is a virtual-wire or vlan-group deployment scenario in which there is a BIG-IP system connecting two networks with more than one link. This scenario is referred to as 'asymmetric deployment'. In this case, the outgoing packet does not have the correct VLAN configured.
Conditions:
-- Virtual-wire or vlan-group configured.
-- BIG-IP system is connecting two networks with more than one link.
-- There is more than one virtual-wire/vlan-group to handle the traffic across multiple links.
-- Packets belonging to a flow arrive on any link with a valid VLAN.
Impact:
The connectivity between the endpoints fails.
Workaround:
None.
Fix:
Transparent forwarding mode now works across multiple VLAN groups or virtual-wire.
Behavior Change:
Transparent forwarding mode now works across multiple VLAN groups or virtual-wire.
713817-1 : BIG-IP images are available in Alibaba Cloud
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) images are now available in the Alibaba International Cloud Marketplace.
Conditions:
Create virtual server instance within Alibaba International Cloud environment and select BIG-IP from the list of available images.
Impact:
New offerings for BYOL and PAYG for BIG-IP VE are now available in the Alibaba International Cloud Marketplace.
Workaround:
BIG-IP VE images are now available in Alibaba Cloud.
Fix:
BIG-IP VE images are now available in Alibaba Cloud.
Behavior Change:
BIG-IP VE now supports the Alibaba International Cloud Marketplace.
713806-8 : CVE-2018-0739: OpenSSL Vulnerability
Solution Article: K08044291
712919-2 : Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
Component: Local Traffic Manager
Symptoms:
When an iRule is removed from a Virtual Server, especially one with explicitly specified high priority (with "priority" keyword), other iRules on the same Virtual Server may become "invisible" i.e. they are present but some of them are no longer executed. It may affect all the events or only certain types of them. Under certain conditions the defect may even disappear upon removing another iRule, particularly if it has low priority and handles the same event as the one which introduced the problem.
Conditions:
Removing an iRule from a Virtual Server.
Impact:
Some or all iRules on given Virtual Servers stop being executed.
Workaround:
Restart or reload the configuration. If removing iRules needs to be performed in run-time and it triggers the problem, it can be prevented by having any iRule (even an empty one) for the same event, as the iRule which is going to be removed, but with higher priority e.g. with attribute "priority 1".
Fix:
Corrected scanning of iRules stored behind the one which is being deleted.
710857-5 : iControl requests may cause excessive resource usage
Solution Article: K64855220
707013-3 : vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest
Component: TMOS
Symptoms:
-- clusterd restarts on secondary blade.
-- Messages similar to the following are logged in each secondary blade's /var/log/ltm file as clusterd restarts:
Management IP (<guest_management_ip>) already in use by (vcmp guest <guest_name>)
-- Messages similar to the following are logged in the primary blade's /var/log/ltm file when clusterd restarts on a secondary blade:
notice clusterd[3676]: 013a0006:5: Hello from slot 1.
notice clusterd[3676]: 013a0006:5: Informing MCP about slot ID 1 member status.
notice clusterd[3676]: 013a0006:5: Goodbye from slot 1.
Conditions:
-- Power-cycling a blade reproduces the issue most of the time.
-- Possibly specific to platform:
+ This issue has been seen on multiple hardware platforms, including B2100, B2150, B2250, and PB300.
+ Issue does not reproduce under the same conditions on a VIPRION 4800.
Impact:
Secondary slot on VIPRION hypervisor is in 'INOPERATIVE' state.
Workaround:
On the vCMP Host, copy the file /shared/db/cluster.conf from the primary to each secondary cluster member. For each secondary blade's slot, use a command similar to the following:
scp /shared/db/cluster.conf slot<slot number>:/shared/db/cluster.conf
Note: Implementing the workaround does not prevent the issue from recurring. An upgrade to an unaffected version is recommended.
705112-4 : DHCP server flows are not re-established after expiration
Component: Local Traffic Manager
Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.
Conditions:
- More than one DHCP server configured for a DHCP virtual.
- Server flows time out in 60 seconds.
Impact:
DHCP server traffic not load balanced.
Workaround:
None.
Fix:
New logic to re-establish server flows has been introduced to ensure that a relay agent has all DHCP servers connected.
704450-5 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
Component: Local Traffic Manager
Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').
Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.
Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.
Workaround:
Reduce the load on the system.
Fix:
'bigd' does not crash and runs with complete configuration when (re-)starting when BIG-IP runs under heavy configuration resulting in 'mcpd' delaying its configuration of 'bigd'.
704198-4 : Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance
Solution Article: K29403988
Component: Global Traffic Manager (DNS)
Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.
Conditions:
Modify the monitor for GTM objects using tmsh with replace-all-with.
Impact:
There is a leaked/extra monitor instance. Restarting the secondary slot results in a restart loop.
Workaround:
Impact of workaround: Might change the primary slot.
Restart services using the following command:
# bigstart restart
703835-5 : When using SCP into BIG-IP systems, you must specify the target filename
Solution Article: K82814400
703593-1 : TMSH tab completion for adding profiles to virtual servers is not working as expected
Component: Local Traffic Manager
Symptoms:
TMSH tab completion for adding profiles to virtual servers does not work. The list of profiles is not displayed when tab is pressed.
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm virtual asdf profiles add {
Configuration Items:
[enter profile name]
Conditions:
List of profiles is not displayed when trying to add profiles during creation of a virtual server.
Impact:
List of available profiles is not displayed.
Workaround:
None.
Fix:
TMSH tab completion for adding profiles to virtual servers now shows the list of profiles.
702472-7 : Appliance Mode Security Hardening
Solution Article: K87659521
702469-7 : Appliance mode hardening in scp
Solution Article: K73522927
699977-3 : CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX
Solution Article: K43570545
699515-2 : nsm cores during update of nexthop for ECMP recursive route
Component: TMOS
Symptoms:
The Network Services Module daemon (nsm) cores while processing updates for ECMP recursive route nexthop.
Conditions:
-- Dynamic routing enabled.
-- BGP peers provide ECMP routes with recursive nexthop.
Impact:
Failures passing traffic using the dynamic routes.
Workaround:
There is no workaround.
Fix:
nsm is able to process ECMP route updates without problem.
698376-5 : Non-admin users have limited bash commands and can only write to certain directories
Component: TMOS
Symptoms:
TMSH access to Linux utilities does not follow best security practices.
Conditions:
Users without Advanced Shell Access running Linux utilities from inside TMSH.
Impact:
TMSH does not follow best security practices
Workaround:
None.
Fix:
TMSH access to Linux utilities now follows best security practices.
Behavior Change:
Some tmsh util commands will be restricted to writing files to certain directories.
697590-2 : APM iRule ACCESS::session remove fails outside of Access events
Component: Access Policy Manager
Symptoms:
ACCESS::session remove fails
Conditions:
iRule calling ACCESS::session remove outside of Access events.
Impact:
APM iRule ACCESS::session remove fails to remove session
Workaround:
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.
696755-3 : HTTP/2 may truncate a response body when served from cache
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.
Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.
Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.
Workaround:
Adding the following iRule causes the body to be displayed:
when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}
Fix:
With this fix, HTTP/2 end users no longer experience incorrect page rendering due to this issue.
696735-2 : TCP ToS Passthrough mode does not work correctly
Component: Local Traffic Manager
Symptoms:
For a Standard virtual server with a TCP profile, when using ToS passthrough, the ToS value is not passed from the server to the client-side.
ip-tos-to-client pass-through
link-qos-to-client pass-through
Conditions:
- Standard virtual server.
- TCP profile configured with ToS passthrough.
Impact:
ToS is not passed to the client.
Workaround:
None.
Fix:
ToS is now passed correctly from the server to the client-side.
695985-4 : Access HUD filter has URL length limit (4096 bytes)
Component: Access Policy Manager
Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.
Conditions:
Any URL with a request consisting of more than 4096 bytes.
Impact:
The URL cannot be processed, and client gets a RST.
Workaround:
None.
Fix:
In this release, the URL length limit increased to 8192 bytes.
695878-2 : Signature enforcement issue on specific requests
Component: Application Security Manager
Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.
Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.
-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).
Impact:
Attack signatures are not enforced on the payload of this request at all.
Workaround:
Turn on the violation 'Request exceeds max buffer size' in blocking.
Fix:
The operation now looks into part of the payload for the attack signatures enforcement.
689361-4 : Configsync can change the status of a monitored pool member
Component: Local Traffic Manager
Symptoms:
It is possible for a configsync operation to incorrectly change a monitor's state. For example, it can change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device. Other state changes are possible.
Conditions:
Pool members are monitored and a configsync is initiated from a paired device.
Impact:
The configsync causes the monitor on the standby system to transition to an incorrect state, out of sync with the active system.
Workaround:
There is a workaround for the case described in 'Symptoms':
Configure the network so that a monitored node responds to ICMP requests from both paired devices, or from neither. Alternatively, initiate configuration changes only from the device to which the node does not respond to ICMP requests.
Fix:
A configsync no longer causes an unexpected monitor transition on the standby system.
687887-3 : Unexpected result from multiple changes to a monitor-related object in a single transaction
Component: Local Traffic Manager
Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.
Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).
Impact:
The monitor-related object may be unchanged; or monitoring may stop for that object.
Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').
Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).
687759-3 : bd crash
Component: Application Security Manager
Symptoms:
A bd crash.
Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).
Impact:
bd crashes; system fails over; traffic disturbance occurs.
Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache
681010-3 : 'Referer' is not masked when 'Query String' contains sensitive parameter
Solution Article: K33572148
Component: Application Security Manager
Symptoms:
While the sensitive parameter value in the 'Query String' is masked, the same parameter's value in the 'Referer' header is exposed.
Conditions:
-- Sensitive parameter is defined in: 'Security :: Application Security : Parameters : Sensitive Parameters'.
-- 'Query String' contains the defined sensitive parameter.
Impact:
"Referer" header contains unmasked value of the sensitive parameter.
Workaround:
Enable 'Mask Value in Logs' in: 'Security :: Application Security : Headers : HTTP Headers :: referer'.
Fix:
The 'Referer' header value is masked in case of sensitive parameter in 'Query String'.
673842-6 : VCMP does not follow best security practices
Solution Article: K01413496
668041-4 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★
Solution Article: K27535157
Component: TMOS
Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.
Conditions:
-- iRule contains commented line that ends with a backslash.
-- The config also contains a policy.
For example, an iRule similar to the first example, and a policy similar to the second:
ltm rule /Common/log_info {
    when HTTP_RESPONSE {
        #log local0. "Original Location header value: [HTTP::header value Location],\
        updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
    }
}
...
ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}
Impact:
Config load fails.
Workaround:
You can use any of the following workarounds:
-- Delete the line of code with the comment.
-- Put the entire comment on one line of code.
-- Divide lengthy comments into a series of smaller ones, so that each comment fits within one line of code.
-- Move the iRule so that it is sequentially before the LTM policy in the config file.
Fix:
Config load no longer fails when an iRule comment ends with backslash in a config where there is also a policy.
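A pre-upgrade check for the two conditions listed in this entry, written as an added example (not F5 code): it scans configuration text for commented iRule lines that end with a backslash and records whether an LTM policy is present. The stanza-header regular expression, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Heuristic (assumption): a top-level stanza starts at column 0 as
# "<module> <type> /<partition>/<name> {", e.g. "ltm rule /Common/log_info {".
STANZA_HEADER = re.compile(r"^([a-z][a-z0-9-]*(?: [a-z][a-z0-9-]*)+) (/\S+) \{\s*$")

# Constructed sample, modelled on the rule and policy shown in the entry.
SAMPLE_CONFIG = r'''ltm rule /Common/log_info {
when HTTP_RESPONSE {
#log local0. "Original Location header value: [HTTP::header value Location],\
updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}
ltm policy /Common/Test_Policy {
controls { forwarding }
requires { http tcp }
strategy /Common/first-match
}
ltm rule /Common/late_rule {
when HTTP_REQUEST {
    # one-line comment, not affected
    # note: this comment continues \
    onto a second line
    log local0. "host [HTTP::host]"
}
}
'''


class Finding(NamedTuple):
    rule: str           # full path of the iRule
    line_no: int        # 1-based line number in the config text
    text: str           # the offending comment line
    after_policy: bool  # rule sits after the first "ltm policy" stanza


def find_backslash_comments(config_text: str) -> Tuple[List[Finding], Optional[int]]:
    """Return (findings, line number of the first LTM policy or None)."""
    findings: List[Finding] = []
    current_rule = None
    first_policy_line = None
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        header = STANZA_HEADER.match(line)
        if header:
            kind, name = header.groups()
            current_rule = name if kind == "ltm rule" else None
            if kind == "ltm policy" and first_policy_line is None:
                first_policy_line = line_no
            continue
        if current_rule is None:
            continue
        # A comment line whose last character is a backslash (no trailing
        # whitespace) continues onto the next line.
        if line.lstrip().startswith("#") and line.endswith("\\"):
            findings.append(
                Finding(current_rule, line_no, line.strip(),
                        first_policy_line is not None)
            )
    return findings, first_policy_line


def config_is_exposed(config_text: str) -> bool:
    """True when both listed conditions hold: backslash comment and a policy."""
    findings, first_policy_line = find_backslash_comments(config_text)
    return bool(findings) and first_policy_line is not None


if __name__ == "__main__":
    found, policy_line = find_backslash_comments(SAMPLE_CONFIG)
    print("first ltm policy at line:", policy_line)
    for f in found:
        where = "after policy" if f.after_policy else "before policy"
        print(f"{f.rule} line {f.line_no} ({where}): {f.text}")
```

Each finding is a candidate for the first three workarounds; the `after_policy` flag shows which rules the fourth workaround (moving the iRule ahead of the LTM policy) would relocate.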
663819-1 : APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue)
Component: Access Policy Manager
Symptoms:
Microsoft recently released security bulletin MS17-010 (https://technet.microsoft.com/library/security/MS17-010). This bulletin announces a recommended software patch to fix multiple vulnerabilities in SMBv1. It suggests an alternate workaround to disable SMBv1. When this workaround is followed, NTLM Authentication does not work in the following APM configurations:
-- APM RDP Gateway and NTLM Auth.
-- APM Exchange (Outlook Anywhere/ActiveSync) and NTLM Auth.
-- SWG Explicit and NTLM Auth.
Conditions:
-- SMBv1 is disabled as described in the Microsoft workaround in MS17-010.
-- Together with one or more of the following APM/SWG configurations, which can be configured to use NTLM Authentication:
+ APM RDP Gateway and NTLM Auth.
+ APM Exchange (Outlook Anywhere/ActiveSync) and NTLM Auth.
+ SWG Explicit and NTLM Auth.
Impact:
Authentication for connecting clients fails.
Workaround:
Do one of the following:
-- Do not follow the Microsoft workaround to disable SMBv1; instead install the recommended security patch.
-- For Exchange: Reconfigure Exchange CAS pool to use Kerberos Constrained Delegation SSO rather than NTLM. This will ensure that NTLM Passthrough is not used.
-- For RDP Proxy: Instead of RDP Proxy, use the Native RDP resource mode in BIG-IP APM v13.0.0 and later.
-- For SWG Explicit: Reconfigure to use Kerberos Authentication.
Fix:
APM no longer uses SMBv1/v2 protocols. Beginning with BIG-IP software v15.0.0, NTLM passthrough authentication works using Netlogon protocol over TCP directly (MSRPC over TCP). Issues related to the SMB protocol no longer apply.
Note: The new functionality was ported to the v14.1.0.5 release as well.
653573-6 : ADMd not cleaning up child rsync processes
Component: Anomaly Detection Services
Symptoms:
ADMd daemon on the device is spinning up rsync processes and not cleaning them up properly, which can result in zombie processes.
Conditions:
The rsync process ends via exit (which might occur if there is an issue with the process).
Impact:
Although there is no technical impact, there are many zombie processes left behind.
Workaround:
Restart admd to remove all existing rsync zombies:
bigstart restart admd
Fix:
admd now handles the SIGCHLD signal from rsync, so the issue no longer occurs.
648621-6 : SCTP: Multihome connections may not expire
Component: TMOS
Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.
Conditions:
The multi-homing connections have been forcibly deleted using a tmsh command.
Impact:
The multi-homing connections won't be expired.
Workaround:
Don't manually delete the multi-homing connections.
648270-1 : mcpd can crash if viewing a fast-growing log file through the GUI
Component: TMOS
Symptoms:
If the GUI tries to display a log file that is actively growing by thousands of log entries per second, the GUI might hang, and mcpd could run out of memory and crash.
Conditions:
The GUI tries to display a log file that is actively growing by thousands of log entries per second.
Impact:
mcpd crashes, and it and tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Do not use the GUI to view a log file that is growing by thousands of log entries per second.
643935-4 : Rewriting may cause an infinite loop while processing some objects
Component: Access Policy Manager
Symptoms:
Browser might become unresponsive when the end user client attempts to access a page containing specific script constructions through Portal Access.
Conditions:
The client application code contains an object that includes a toString() method and property names similar to ones from the JavaScript builtin Location interface.
Impact:
Browser becomes unresponsive when accessing the page through Portal Access.
Workaround:
None.
Fix:
None.
641450-7 : A transaction that deletes and recreates a virtual may result in an invalid configuration
Solution Article: K30053855
Component: TMOS
Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.
Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.
Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>
Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).
Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.
Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
1. Delete virtual server.
2. Create virtual server (with an empty profile list).
3. Modify the virtual server's profile list.
639619-7 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems★
Component: TMOS
Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
The configuration then fails to load due to a secure attribute decryption failure.
Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)
Impact:
The configuration fails to load.
Workaround:
Perform the following procedure:
1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info
5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot
Fix:
The system now always reloads the .unitkey from storage when loading other keys, so the UCS loads as expected.
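A read-only pre-restore check for conditions 2 and 3 of this entry, as an added example (not F5 tooling): it compares a digest of the '.unitkey' inside a UCS archive with the one on disk, without printing key material. It assumes the UCS is an unencrypted gzip-compressed tar archive; the function names and sample bytes are constructed for illustration, and the check cannot tell whether the platform stores its unit key in an EEPROM.

```python
import hashlib
import hmac
import io
import tarfile
import tempfile
from pathlib import Path, PurePosixPath

# Path components of the unit key as named in the entry's conditions.
UNITKEY_PARTS = ("config", "bigip", "kstore", ".unitkey")


def ucs_unitkey_digest(ucs_path):
    """SHA-256 hex digest of the .unitkey stored in the archive, or None."""
    with tarfile.open(ucs_path, mode="r:*") as archive:
        for member in archive:
            parts = PurePosixPath(member.name).parts
            if member.isfile() and parts[-4:] == UNITKEY_PARTS:
                data = archive.extractfile(member).read()
                return hashlib.sha256(data).hexdigest()
    return None


def restore_precheck(ucs_path, local_unitkey_path):
    """Classify the archive against the on-disk unit key.

    Returns 'match', 'mismatch', 'no-unitkey-in-ucs' or 'no-local-unitkey'.
    Only digests are compared; the key bytes are never returned or logged.
    """
    archived = ucs_unitkey_digest(ucs_path)
    if archived is None:
        return "no-unitkey-in-ucs"
    local = Path(local_unitkey_path)
    if not local.is_file():
        return "no-local-unitkey"
    current = hashlib.sha256(local.read_bytes()).hexdigest()
    return "match" if hmac.compare_digest(archived, current) else "mismatch"


def build_sample_ucs(path, unitkey):
    """Write a constructed stand-in archive; unitkey=None omits the key file."""
    members = {"config/bigip.conf": b"# constructed sample\n"}
    if unitkey is not None:
        members["/".join(UNITKEY_PARTS)] = unitkey
    with tarfile.open(path, mode="w:gz") as archive:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))


def run_demo():
    """Run the check against constructed archives in a temporary directory."""
    with tempfile.TemporaryDirectory() as workdir:
        base = Path(workdir)
        local = base / ".unitkey"
        local.write_bytes(b"constructed-unit-key-A")
        build_sample_ucs(base / "same.ucs", b"constructed-unit-key-A")
        build_sample_ucs(base / "other.ucs", b"constructed-unit-key-B")
        build_sample_ucs(base / "bare.ucs", None)
        return {
            "same": restore_precheck(base / "same.ucs", local),
            "other": restore_precheck(base / "other.ucs", local),
            "bare": restore_precheck(base / "bare.ucs", local),
            "missing-local": restore_precheck(base / "same.ucs", base / "absent"),
        }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

A 'mismatch' result on a system without an EEPROM-backed unit key is the situation in which the workaround procedure above applies.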
636842-2 : A FastL4 virtual server may drop a FIN packet when mirroring is enabled
Solution Article: K51472519
Component: Local Traffic Manager
Symptoms:
A FastL4 virtual server may drop a FIN packet when mirroring is enabled.
Conditions:
- The virtual server uses the FastL4 profile.
- The virtual server performs mirroring.
- The tm.fastl4_ack_mirror db key is enabled (default).
- The client or the server sends a FIN packet, immediately followed by a RST packet.
Impact:
The BIG-IP system forwards the RST packet but not the FIN packet.
As the RST sent by one of the TCP endpoints would have its sequence number increased by 1 to account for the FIN packet, the other TCP endpoint may not accept the RST as the FIN packet was never seen.
This issue is exacerbated if the FIN packet also carries application data (for example, if it is actually a FIN,PSH,ACK packet). In this case, the other TCP endpoint never sees the application data contained within the packet, and the sequence number in the RST will be off by more than just 1.
Ultimately this can cause application failures and also the two connection flows to stall for some time.
Workaround:
To work around this issue, you can either:
1) Disable mirroring for the virtual server (but this comes with a loss of functionality, which may not be acceptable).
or
2) Disable the tm.fastl4_ack_mirror db key (but this would affect all FastL4 virtual servers performing mirroring on the box).
Fix:
A FastL4 virtual server no longer drops a FIN packet when mirroring is enabled.
636400-3 : CPB (BIG-IP->BIGIQ log node) Hardening
Solution Article: K26462555
621260-2 : mcpd core on iControl REST reference to non-existing pool
Component: TMOS
Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:
curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'
Conditions:
The monitor reference in the REST call consists of a single space character.
Impact:
MCPd restarts, causing many of the system daemons to restart as well.
Workaround:
Don't use spaces in the monitor reference name.
620301-1 : Policy import fails due to missing signature System in associated Signature Set
Component: Application Security Manager
Symptoms:
ASM policy import fails due to a missing System, used in an associated Signature Set.
Conditions:
ASM policy is imported using an export file from a device with a more recent ASM Signature Update.
Impact:
The ASM policy import fails.
Workaround:
Update the ASM Signature on the target device before importing the policy.
601189-4 : The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might send TCP packets out of order in Fastl4 in syncookie mode.
Conditions:
-- Fastl4 VS.
-- syncookie mode.
Impact:
TCP packets are sent out of order.
Workaround:
None.
Fix:
The BIG-IP system no longer sends TCP packets out of order in Fastl4 in syncookie mode.
599567-4 : APM assumes SNAT automap, does not use SNAT pool
Component: Local Traffic Manager
Symptoms:
When a virtual server configured to use a SNAT pool is also associated with APM (for example, when configured as a RDP gateway), the SNAT pool setting is not honored.
Also SNAT configuration of 'None' does not work. It always works as if it is configured with Automap.
Conditions:
-- SNAT pool configured.
-- APM configured (one example is deploying the Horizon View iApp for APM).
Impact:
The VLAN Self IP address is used instead of the SNAT pool addresses.
Workaround:
First, follow the configuration details in K03113285: Overview of BIG-IP APM layered virtual servers :: https://support.f5.com/csp/article/K03113285, to ensure everything is configured properly.
Then ensure that the appropriate SNAT pool is set on the new layered forwarding virtual server.
Note: This workaround does not work when using a pool of VMware vCenter Server (VCS) as configured by default with the iApp.
Fix:
The system now honors the virtual server SNAT configuration.
581921-5 : Required files under /etc/ssh are not moved during a UCS restore
Solution Article: K22327083
Component: TMOS
Symptoms:
The SSH files required for SSH sign on are not transferred when performing a UCS restore operation. Further, files are not transferred even during upgrade.
Conditions:
This can happen when performing a UCS restore operation, or when upgrading from one version to the next.
Impact:
This might impact SSH operations.
Workaround:
Add the /etc/ssh directory to the UCS backup configuration. All subsequent UCS backup and restore operations then include the /etc/ssh/ directory.
To complete this procedure, refer to K4422: Viewing and modifying the files that are configured for inclusion in a UCS archive :: https://support.f5.com/csp/article/K4422.
Fix:
The correct folder is now present when performing a UCS restore operation, so that all of the files required for the operation of SSH are transferred.
504522-4 : Trailing space present after 'tmsh ltm pool members monitor' attribute value
Component: Local Traffic Manager
Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.
Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.
Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).
Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.
Fix:
Values returned from the tmsh command 'ltm pool pool members monitor' no longer have a trailing space.
Known Issues in BIG-IP v14.1.x
TMOS Issues
ID Number | Severity | Solution Article(s) | Description |
885949 | 1-Blocking | | Untagged packet traffic does not work on vwire |
864513-3 | 1-Blocking | | ASM policies didn't load immediately after upgrade to v14.1.0.1★ |
860245-3 | 1-Blocking | | SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x |
858173-1 | 1-Blocking | | SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1 |
809553-4 | 1-Blocking | | ONAP Licensing - Cipher negotiation fails |
778317-1 | 1-Blocking | | IKEv2 HA after Standby restart has race condition with config startup |
896217-4 | 2-Critical | | BIG-IP GUI unresponsive |
894593 | 2-Critical | | High CPU usage caused by the restjavad daemon continually crashing and restarting |
891477 | 2-Critical | | No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server |
888341-5 | 2-Critical | | HA Group failover may fail to complete Active/Standby state transition |
886693-2 | 2-Critical | | System may become unresponsive after upgrading★ |
885961 | 2-Critical | | Tagged vlan will work only if it is configured in virtual wire. |
884921-1 | 2-Critical | | Tcpdump capture with very large packet (size close to 65535 bytes) can cause tmm to core |
882757-3 | 2-Critical | | sflow_agent crash SIGABRT in the cleanup flow |
871561-3 | 2-Critical | | Hotfix installation on vCMP guest fails with '(Software compatibility tests failed.)' |
865329-3 | 2-Critical | | WCCP crashes on "ServiceGroup size exceeded" exception |
860517-3 | 2-Critical | | MCPD may crash on startup with many thousands of monitors on a system with many CPUs. |
860349-1 | 2-Critical | | Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication |
858877-1 | 2-Critical | | SSL Orchestrator config sync issues between HA-pair devices |
856713-1 | 2-Critical | | IPsec crash during rekey |
854493-3 | 2-Critical | | Kernel page allocation failures messages in kern.log |
845629-1 | 2-Critical | | Hv_netvsc vmbus_17 timeout at boot causes reduced NIC performance |
842865-1 | 2-Critical | | Add support for Auto MAC configuration (ixlv) |
841953-5 | 2-Critical | | A tunnel can be expired when going offline, causing tmm crash |
841333-5 | 2-Critical | | TMM may crash when tunnel used after returning from offline |
837637-2 | 2-Critical | | Orphaned bigip_gtm.conf can cause config load failure after upgrading★ |
831821-3 | 2-Critical | | Corrupted DAG packets causes bcm56xxd core on VCMP host |
829677-1 | 2-Critical | | .tmp files in /var/config/rest/ may cause /var directory exhaustion |
829661-2 | 2-Critical | | TCP connection fails to establish when an SFC policy is enabled |
817709-2 | 2-Critical | | IPsec: TMM cored with SIGFPE in racoon2 |
817085-4 | 2-Critical | | Multicast Flood Can Cause the Host TMM to Restart |
811701-1 | 2-Critical | | AWS instance using xnet driver not receiving packets on an interface. |
811149-1 | 2-Critical | | Remote users are unable to authenticate via serial console. |
810593-2 | 2-Critical | K10963690 | Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★ |
807453-1 | 2-Critical | | IPsec works inefficiently with a second blade in one chassis |
805417-1 | 2-Critical | | Unable to enable LDAP system auth profile debug logging |
797221-1 | 2-Critical | | BCM daemon can be killed by watchdog timeout during blade-to-blade failover |
796601-4 | 2-Critical | | Invalid parameter in errdefsd while processing hostname db_variable |
787285 | 2-Critical | | Configuration fails to load after install of v14.1.0 on BIG-IP 800★ |
785017-1 | 2-Critical | | Secondary blades go offline after new primary is elected |
780437-2 | 2-Critical | | Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. |
777229-1 | 2-Critical | | IPsec improvements to internal pfkey messaging between TMMs on multi-blade |
776393-2 | 2-Critical | | Memory leak in restjavad causing restjavad to restart frequently with OOM |
774361-2 | 2-Critical | | IPsec High Availability sync during multiple failover via RFC6311 messages |
770989 | 2-Critical | | Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.★ |
769817-3 | 2-Critical | | BFD fails to propagate sessions state change during blade restart |
769581-1 | 2-Critical | | Timeout when sending many large requests iControl Rest requests |
769341-1 | 2-Critical | | HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs |
767013-3 | 2-Critical | | Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch |
758929-2 | 2-Critical | | Bcm56xxd MIIM bus access failure after TMM crash |
758604-2 | 2-Critical | | Deleting a port from a single-port trunk does not work. |
756830-1 | 2-Critical | | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' |
755716-1 | 2-Critical | | IPsec connection can fail if connflow expiration happens before IKE encryption |
751991-1 | 2-Critical | | BIOS update fails with "flashrom not safe for BIOS updates yet" log message |
751924-2 | 2-Critical | | TSO packet bit fails IPsec during ESP encryption |
750588-1 | 2-Critical | | While loading large configurations on BIG-IP systems, some daemons may core intermittently. |
749332 | 2-Critical | | Client-SSL Object's description can be updated using CLI but not REST |
749249-1 | 2-Critical | | IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP |
747203-2 | 2-Critical | | Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding |
746464-1 | 2-Critical | | MCPD sync errors and restart after multiple modifications to file object in chassis |
746122-1 | 2-Critical | | 'load sys config verify' resets the active master key to the on-disk master key value |
743946-2 | 2-Critical | | Tmsh loads schema versions 12.x and earlier which are no longer supported★ |
741676-2 | 2-Critical | | Intermittent crash switching between tunnel mode and interface mode |
737322-2 | 2-Critical | | tmm may crash at startup if the configuration load fails |
724556-3 | 2-Critical | | icrd_child spawns more than maximum allowed times (zombie processes) |
721591 | 2-Critical | | Java crashes with core during a basic TLS Signature test |
718573-1 | 2-Critical | | Internal SessionDB invalid state |
717785-2 | 2-Critical | | Interface-cos shows no egress stats for CoS configurations |
593536-7 | 2-Critical | K64445052 | Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations |
382363-5 | 2-Critical | K30588577 | min-up-members and using gateway-failsafe-device on the same pool. |
906505-4 | 3-Major | | Display of LCD System Menu cannot be configured via GUI on iSeries platforms |
905749-2 | 3-Major | | imish crash while checking for CLI help string in BGP mode |
904785 | 3-Major | | Remotely authenticated users may experience difficulty logging in over the serial console |
904041-4 | 3-Major | | Ephemeral pool members are missing from pool of Common partition when reloading configuration for current partition |
903265-1 | 3-Major | | Single user mode faced sudden reboot |
901989-4 | 3-Major | | Boot_marker writes to /var/log/btmp |
900933-2 | 3-Major | | IPsec interoperability problem with ECP PFS |
900485-4 | 3-Major | | Syslog-ng 'program' filter does not work |
899933-4 | 3-Major | | Listing property groups in TMSH without specifying properties lists the entire object |
898705-3 | 3-Major | | IPv6 static BFD configuration is truncated or missing |
898577-4 | 3-Major | | Executing a command in "mgmt tm" using iControl REST results in tmsh error |
898461-4 | 3-Major | | Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' |
898389-3 | 3-Major | | Traffic is not classified when adding port-list to virtual server from GUI |
896817-4 | 3-Major | | iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb |
895845-3 | 3-Major | | Implement automatic conflict resolution for gossip-conflicts in REST |
895837-1 | 3-Major | | Mcpd crash when a traffic-matching-criteria destination-port-list is modified |
894545-4 | 3-Major | | Creating a virtual server in the GUI with a destination address list and 'All Ports' can erroneously conflict with other virtual servers |
893885 | 3-Major | | The tpm-status command returns: 'System Integrity: Invalid' after HotFix installation |
893341-1 | 3-Major | | BIG-IP VE interface is down after upgrade from v13.x w/ workaround for ID774445 |
892445-4 | 3-Major | | BWC policy names are limited to 128 characters |
891721-1 | 3-Major | | Anti-Fraud Profile URLs with query strings do not load successfully |
891337-3 | 3-Major | | 'save_master_key(master): Not ready to save yet' errors in the logs |
891221-4 | 3-Major | | Router bgp neighbor password CLI help string is not helpful |
889029-4 | 3-Major | | Unable to login if LDAP user does not have search permissions |
888081-1 | 3-Major | | BIG-IP VE Migration feature fails for 1NIC |
887145 | 3-Major | | HSB receive failure in vCMP guest |
886689-4 | 3-Major | | Generic Message profile cannot be used in SCTP virtual |
886649-3 | 3-Major | | Connections stall when dynamic BWC policy is changed via GUI and TMSH |
886273 | 3-Major | | Unanticipated restart of TMM due to heartbeat failure |
884989-3 | 3-Major | | IKE_SA's Not mirrored of on Standby device if it reboots |
884729-4 | 3-Major | | The vCMP CPU usage stats are incorrect |
884521 | 3-Major | | OSPF External AS LSAs not adding into RIB |
883149-4 | 3-Major | | The fix for ID 439539 can cause mcpd to core. |
882609-3 | 3-Major | | ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back |
880625-2 | 3-Major | | Check-host-attr enabled in LDAP system-auth creates unusable config |
880473-3 | 3-Major | | Under certain conditions, the virtio driver may core during shutdown |
880165-1 | 3-Major | | Auto classification signature update fails |
880013-3 | 3-Major | | Config load fails after changing the BIG-IP Master key which has an encrypted key in it's configuration |
879969-3 | 3-Major | | FQDN node resolution fails if DNS response latency >5 seconds |
879001-3 | 3-Major | | LDAP data is not updated consistently which might affect authentication. |
878893-1 | 3-Major | | During system shutdown it is possible the for sflow_agent to core |
878277 | 3-Major | | Unexpected Error: Can't display all items, can't get object count from mcpd |
877145-2 | 3-Major | | Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException |
876937-1 | 3-Major | | DNS Cache not functioning |
876809-1 | 3-Major | | GUI cannot delete a cert with a name that starts with * and ends with .crt |
871705-4 | 3-Major | | Restarting bigstart shuts down the system |
871657-2 | 3-Major | | Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S |
871045-3 | 3-Major | | IP fragments are disaggregated to separate TMMs with hardware syncookies enabled |
867793-3 | 3-Major | | BIG-IP sending the wrong trap code for BGP peer state |
867253-1 | 3-Major | | Systemd not deleting user journals |
867181-3 | 3-Major | | ixlv: double tagging is not working |
867177-1 | 3-Major | | Outbound TFTP and Active FTP no longer work by default over the management port |
867013-1 | 3-Major | | Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout |
866073-1 | 3-Major | | Add option to exclude stats collection in qkview to avoid very large data files |
865241-3 | 3-Major | | Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" |
865177-2 | 3-Major | | Cert-LDAP returning only first entry in the sequence that matches san-other oid |
864321-1 | 3-Major | | Default Apache testing page is reachable at <mgmt-ip>/noindex |
862937-2 | 3-Major | | Running cpcfg after first boot can result in daemons stuck in restart loop★ |
862693-2 | 3-Major | | PAM_RHOST not set when authenticating BIG-IP using iControl REST |
862525-3 | 3-Major | | GUI Browser Cache Timeout option is not available via tmsh |
860317-1 | 3-Major | | JavaScript Obfuscator can hang indefinitely |
860181-3 | 3-Major | | After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error |
858769-4 | 3-Major | | Net-snmp library must be upgraded to 5.8 in order to support SHA-2 |
858197-1 | 3-Major | | Merged crash when memory exhausted |
856953-2 | 3-Major | | IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 |
853617-3 | 3-Major | | Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles |
853161-1 | 3-Major | | Restjavad has different behavior for error responses if the body is over 2k |
852565-3 | 3-Major | | On Device Management::Overview GUI page, device order changes |
851785-1 | 3-Major | | BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver |
851021-3 | 3-Major | | Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error |
850997-3 | 3-Major | 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page | |
850777-1 | 3-Major | BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config | |
850357-3 | 3-Major | LDAP - tmsh cannot add config to nslcd.conf | |
846141-3 | 3-Major | Unable to use Rest API to manage GTM pool members that have a pipe symbol '|' in the server name. | |
846137-3 | 3-Major | The icrd returns incorrect route names in some cases | |
844925-2 | 3-Major | Command 'tmsh save /sys config' fails to save the configuration and hangs | |
844085-3 | 3-Major | GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address | |
843661-3 | 3-Major | TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command | |
843597-3 | 3-Major | Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle | |
842669-1 | 3-Major | Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log | |
842189-2 | 3-Major | Tunnels removed when going offline are not restored when going back online | |
841721-3 | 3-Major | BWC::policy detach appears to run, but BWC control is still enabled | |
841649-2 | 3-Major | Hardware accelerated connection mismatch resulting in tmm core | |
841277-5 | 3-Major | C4800 LCD fails to load after annunciator hot-swap | |
839121-1 | 3-Major | A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★ | |
838901-2 | 3-Major | TMM receives invalid rx descriptor from HSB hardware | |
838337-3 | 3-Major | The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST. | |
838297-1 | 3-Major | Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication | |
837481-5 | 3-Major | SNMPv3 pass phrases should not be synced between high availability (HA) devices as they are based on each device's unique engineID | |
829821-3 | 3-Major | Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured | |
829317-3 | 3-Major | Memory leak observed when running ICRD child | |
829193-2 | 3-Major | REST system unavailable due to disk corruption | |
828873-2 | 3-Major | Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor | |
828789-3 | 3-Major | Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters | |
827209-2 | 3-Major | HSB transmit lockup on i4600 | |
827021-2 | 3-Major | MCP update message may be lost when primary blade changes in chassis | |
826437 | 3-Major | CSR subject fields with comma(,) are truncated during certificate renewal via the GUI. | |
826313-4 | 3-Major | Error: Media type is incompatible with other trunk members★ | |
826265-3 | 3-Major | The SNMPv3 engineBoots value restarts at 1 after an upgrade | |
824809-4 | 3-Major | bcm56xxd watchdog restart | |
821309-3 | 3-Major | After an initial boot, mcpd has a defunct child "systemctl" process | |
820845-2 | 3-Major | Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use. | |
820213-2 | 3-Major | 'Application Service List' empty after UCS restore | |
819457-3 | 3-Major | LTM high availability (HA) sync should not sync GTM zone configuration | |
819261-3 | 3-Major | Log HSB registers when parts of the device become unresponsive | |
818505-3 | 3-Major | Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | |
817089-1 | 3-Major | Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing | |
816229-1 | 3-Major | Kernel Log Messages Logged Twice | |
814585-3 | 3-Major | PPTP profile option not available when creating or modifying virtual servers in GUI | |
814353-3 | 3-Major | Pool member silently changed to user-disabled from monitor-disabled | |
814273-3 | 3-Major | Multicast route entries are not populating to tmm after failover | |
814053-2 | 3-Major | Under heavy load, bcm56xxd can be killed by the watchdog | |
812929-2 | 3-Major | mcpd may core when resetting a DSC connection | |
812493-2 | 3-Major | When engineID is reconfigured, snmp and alert daemons must be restarted★ | |
811053-2 | 3-Major | REBOOT REQUIRED prompt appears after failover and clsh reboot | |
811041-5 | 3-Major | Out of shmem, increment amount in /etc/ha_table/ha_table.conf | |
810613-2 | 3-Major | GUI Login History hides informative message about max number of lines exceeded | |
810381-4 | 3-Major | The SNMP max message size check is being incorrectly applied. | |
810373-1 | 3-Major | Errors running 'config' command | |
809657-2 | 3-Major | HA Group score not computed correctly for an unmonitored pool when mcpd starts | |
809509-1 | 3-Major | Resource Admin User unable to download UCS using Rest API. | |
808485-2 | 3-Major | Add 'virtual-server' argument to 'tmsh help sys connection' for version 14.x | |
808277-4 | 3-Major | Root's crontab file may become empty | |
807945-2 | 3-Major | Loading UCS file for the first time not updating MCP DB | |
807337-3 | 3-Major | Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. | |
807005-1 | 3-Major | Save-on-auto-sync is not working as expected with large configuration objects | |
806985 | 3-Major | Installation issues when adding new blade v12.1.3 to VPR cluster v14.1.0.1 EHF★ | |
806881-2 | 3-Major | Loading the configuration may not set the virtual server enabled status correctly | |
806073-3 | 3-Major | MySQL monitor fails to connect to MySQL Server v8.0 | |
804537-1 | 3-Major | Check SAs in context callbacks | |
804477-4 | 3-Major | Log HSB registers when parts of the device become unresponsive | |
803833-4 | 3-Major | On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host★ | |
803457-2 | 3-Major | SNMP custom stats cannot access iStats | |
803237-4 | 3-Major | PVA does not validate interface MTU when setting MSS | |
803157-1 | 3-Major | LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots | |
802889 | 3-Major | Problems establishing HA connections on DAGv2 chassis platforms | |
802685-3 | 3-Major | Unable to configure performance HTTP virtual server via GUI | |
799001-3 | 3-Major | Sflow agent does not handle disconnect from SNMPD manager correctly | |
798885-2 | 3-Major | SNMP response times may be long due to processing burden of requests | |
797953 | 3-Major | Workaround for SSLo deployment failure from BigIQ to BIG-IP | |
797829-5 | 3-Major | The BIG-IP system may fail to deploy new iApps or to reconfigure existing iApps. | |
797609-2 | 3-Major | Creating or modifying some virtual servers to use an address or port list may result in a warning message | |
796985-1 | 3-Major | Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'★ | |
795649-3 | 3-Major | Loading UCS from one iSeries model to another causes FPGA to fail to load | |
793121-3 | 3-Major | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication | |
791365-2 | 3-Major | Bad encryption password error on UCS save | |
791061-2 | 3-Major | Config load in /Common removes routing protocols from other partitions | |
789181-3 | 3-Major | Link Status traps are not issued on VE based BIG-IP systems | |
788949-3 | 3-Major | MySQL Password Initialization Loses Already Written Password | |
788645-4 | 3-Major | BGP does not function on static interfaces with vlan names longer than 16 characters. | |
786633-1 | 3-Major | Debug-level messages are being logged even when the system is not set up for debug logging | |
784733-3 | 3-Major | GUI LTM Stats page freezes for large number of pools | |
783293-1 | 3-Major | Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window | |
783113-4 | 3-Major | BGP sessions remain down upon new primary slot election | |
782613-5 | 3-Major | Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp | |
781733-2 | 3-Major | SNMPv3 user name configuration allows illegal names to be entered | |
780745-2 | 3-Major | TMSH allows creation of duplicate community strings for SNMP v1/v2 access | |
778041-1 | 3-Major | tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option) | |
777389-1 | 3-Major | In a corner case, for PostgreSQL monitor MCP process restarts | |
776489-2 | 3-Major | Remote authentication attempts to resolve only LDAP host against the first three name servers configured. | |
775797-2 | 3-Major | Previously deleted user account might get authenticated | |
775733-1 | 3-Major | /etc/qkview_obfuscate.conf not synced across blades | |
773577-2 | 3-Major | SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted | |
773333-2 | 3-Major | IPsec CLI help missing encryption algorithm descriptions | |
773173-1 | 3-Major | LTM Policy GUI is not working properly | |
772497-5 | 3-Major | When BIG-IP is configured to use a proxy server, updatecheck fails | |
771137 | 3-Major | vCMP host reports much larger 'Virtual-disk' usage than du reports on the guest | |
770657-2 | 3-Major | On hardware platforms with ePVA, some valid traffic is blocked when in L2 transparent mode and syn cookies are enabled | |
769029-1 | 3-Major | Non-admin users fail to create tmp dir under /var/system/tmp/tmsh | |
767737-2 | 3-Major | Timing issues during startup may make an HA peer stay in the inoperative state | |
767341-3 | 3-Major | If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. | |
767305-2 | 3-Major | If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried | |
765969-1 | 3-Major | Not able to get HSB register dump from hsb_snapshot on B4450 blade | |
764873-2 | 3-Major | An accelerated flow transmits packets to a dated, down pool member. | |
762097-1 | 3-Major | No swap memory available after upgrading to v14.1.0 and above★ | |
762073-2 | 3-Major | Continuous TMM restarts when HSB drops off the PCI bus | |
761753-2 | 3-Major | BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs | |
761321-2 | 3-Major | 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not | |
760950-4 | 3-Major | Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment | |
760468 | 3-Major | Route domains cause diskmonitor errors in logs | |
759737-2 | 3-Major | Control and Analysis Plane CPU usage statistics may be inaccurate | |
759564-4 | 3-Major | GUI not available after upgrade | |
759258-2 | 3-Major | Instances shows incorrect pools if the same members are used in other pools | |
758517-1 | 3-Major | Callback for Diffie Hellman crypto is missing defensive coding | |
758516-1 | 3-Major | IKEv2 auth encryption is missing defensive coding that checks object validity | |
757862-1 | 3-Major | IKEv2 debug logging an uninitialized variable leading to core | |
757787-2 | 3-Major | Unable to edit LTM Policies that belong to an Application Service (iApp) using the WebUI. | |
757572 | 3-Major | Virtual Edition doesn't support forging MAC addresses with Mellanox ConnectX-3 virtual functions | |
756820-2 | 3-Major | Non-UTF8 characters returned from /bin/createmanifest | |
756153-3 | 3-Major | Add diskmonitor support for MySQL /var/lib/mysql | |
756139-1 | 3-Major | Inconsistent logging of hostname files when hostname contains periods | |
756088-2 | 3-Major | The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address | |
755976-3 | 3-Major | ZebOS might miss kernel routes after mcpd daemon restart | |
755197-3 | 3-Major | UCS creation might fail during frequent config save transactions | |
754971-2 | 3-Major | OSPF inter-process redistribution might break OSPF route redistribution of various types. | |
754460-2 | 3-Major | No failover on HA Dual Chassis setup using HA score | |
754335-1 | 3-Major | Install ISO does not boot on BIG-IP VE★ | |
754132-2 | 3-Major | A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command | |
753860-3 | 3-Major | Virtual server config changes causing incorrect route injection. | |
753423-6 | 3-Major | Disabling and immediately re-enabling the slot results in interfaces from the slot being permanently removed from aggregation | |
753001-1 | 3-Major | mcpd can be killed if the configuration contains a very high number of nested references | |
752994-1 | 3-Major | Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod | |
752228-1 | 3-Major | GUI Network Map to account for objects in a Disabled By Parent state | |
751584-1 | 3-Major | Custom MIB actions can be blocked by SELINUX permissions | |
751581-3 | 3-Major | REST API Timeout while querying large number of persistence profiles | |
751448-1 | 3-Major | TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart | |
751409-1 | 3-Major | MCP Validation does not detect when virtual servers differ only by overlapping VLANs | |
751024-4 | 3-Major | i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd | |
751021-1 | 3-Major | One or more TMM instances may be left without dynamic routes. | |
748545-1 | 3-Major | Remove 'sys-unconfig' and 'rhel-configure' binaries and related systemd service | |
748443-1 | 3-Major | Higig MAC recovery mechanism may fail continuously during run time | |
748295-1 | 3-Major | TMM crashes on shutdown when using virtio NICs for dataplane | |
748044 | 3-Major | RAID status in tmsh is not updated when disk is removed or rebuild finishes | |
747676-3 | 3-Major | Remote logging needs 'localip' to set source IP properly | |
746758-3 | 3-Major | Qkview produces core file if interrupted while exiting | |
746704-2 | 3-Major | Syslog-ng Memory Leak | |
745261-2 | 3-Major | The TMM process may crash in some tunnel cases | |
744924-1 | 3-Major | Bladed unit goes offline after UCS install | |
744730-1 | 3-Major | After increasing the disk size on a VE or VCMP guest a manual reboot is required for the increase to go into effect. | |
744520-1 | 3-Major | virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface | |
744252-2 | 3-Major | BGP route map community value: either component cannot be set to 65535 | |
743234-4 | 3-Major | Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons | |
743132-6 | 3-Major | mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile | |
742753-4 | 3-Major | Accessing the BIG-IP system's WebUI via special proxy solutions may fail | |
742628-3 | 3-Major | K53843889 | Tmsh session initiation adds increased control plane pressure |
742170-2 | 3-Major | REST PUT command fails for data-group internal | |
740589-1 | 3-Major | Mcpd crash with core after 'tmsh edit /sys syslog-all-properties' | |
739820-1 | 3-Major | Validation does not reject IPv6 address for TACACS auth configuration | |
739118-1 | 3-Major | Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration | |
738881-3 | 3-Major | Qkview does not collect any data under certain conditions that cause a timeout | |
737739-1 | 3-Major | Bash shell still accessible for admin even if disabled | |
737346-1 | 3-Major | After entering username and before password, the logging on user's failure count is incremented. | |
737098-2 | 3-Major | ASM Sync does not work when the configsync IP address is an IPv6 address | |
730852-3 | 3-Major | The tmrouted repeatedly crashes and produces core when new peer device is added | |
727191-1 | 3-Major | Invalid arguments to run sys failover do not return an error | |
726416-3 | 3-Major | Physical disk HD1 not found for logical disk create | |
721020-1 | 3-Major | Changes to the master key are reverted after full sync | |
720610-2 | 3-Major | Updatecheck logs bogus 'Update Server unavailable' on every run | |
719555-5 | 3-Major | Interface listed as 'disable' after SFP insertion and enable | |
718230-1 | 3-Major | Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented | |
718108-3 | 3-Major | It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts | |
716140-2 | 3-Major | Information in snmpd.conf files may be overwritten causing SNMP v3 queries to receive 'Unsupported security level' errors | |
715379-3 | 3-Major | IKEv2 accepts asn1dn for peers-id only as file path of certificate file | |
708803-2 | 3-Major | Remote admin user with misconfigured partition fallback to "All" | |
705037-7 | 3-Major | K32332000 | System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart |
703090-5 | 3-Major | With many iApps configured, scriptd may fail to start | |
701529-2 | 3-Major | Configuration may not load or not accept vlan or tunnel names as "default" or "all" | |
701341-4 | 3-Major | K52941103 | If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts |
698933-6 | 3-Major | Setting metric-type via ospf redistribute command may not work correctly | |
692218-3 | 3-Major | Audit log messages sent from the primary blade to the secondaries should not be logged. | |
690928-1 | 3-Major | System posts error message: 01010054:3: tmrouted connection closed | |
688399-2 | 3-Major | HSB failure results in continuous TMM restarts | |
688231-4 | 3-Major | Unable to set VET, AZOT, and AZOST timezones | |
683135-1 | 3-Major | Hardware syncookies number for virtual server stats is unrealistically high | |
680917-5 | 3-Major | Invalid monitor rule instance identifier | |
679901-5 | 3-Major | The iControl REST timeout value is not configurable. | |
671372-5 | 3-Major | K01930721 | When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified. |
662301-4 | 3-Major | 'Unlicensed objects' error message appears despite there being no unlicensed config | |
661640-1 | 3-Major | Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair. | |
658850-2 | 3-Major | Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP | |
657834-5 | 3-Major | K45005512 | Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent |
652502-3 | 3-Major | snmpd returns 'No Such Object available' for ltm OIDs | |
615934-4 | 3-Major | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | |
606032-5 | 3-Major | Network Failover-based high availability (HA) in AWS may fail | |
605675-4 | 3-Major | Sync requests can be generated faster than they can be handled | |
601220-3 | 3-Major | Multi-blade trunks seem to leak packets ingressed via one blade to a different blade | |
591305-3 | 3-Major | Audit log messages with "user unknown" appear on install | |
587821-8 | 3-Major | vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor. | |
569859-5 | 3-Major | Password policy enforcement for root user when mcpd is not available | |
499348-9 | 3-Major | System statistics may fail to update, or report negative deltas due to delayed stats merging | |
486712-5 | 3-Major | GUI PVA connection maximum statistic is always zero | |
469724-2 | 3-Major | When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire | |
431503-3 | 3-Major | K14838 | TMSH crashes in rare initial tunnel configurations |
409062-1 | 3-Major | K20008325 | ArcSight HSL is not supported for most system daemons |
398683-3 | 3-Major | K12304 | Use of a # in a TACACS secret causes remote auth to fail |
385013-4 | 3-Major | Certain user roles do not trigger a sync for a 'modify auth password' command | |
291256-2 | 3-Major | Changing 'Minimum Length' and 'Required Characters' might result in an error | |
906449-4 | 4-Minor | Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load | |
902417-4 | 4-Minor | Configuration error caused by Drafts folder in a deleted custom partition★ | |
901669-2 | 4-Minor | Error status in "show cm failover-status" after MGMT-IP change | |
896693-2 | 4-Minor | Patch installation is failing for iControl REST endpoint. | |
896689-2 | 4-Minor | Asynchronous tasks can be managed via unintended endpoints | |
893813-1 | 4-Minor | Modifying pool enables address and port translation in TMUI | |
893093-4 | 4-Minor | An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing. | |
892677-4 | 4-Minor | Loading config file with imish adds the newline character | |
890277-2 | 4-Minor | Mcpd takes too long on full config sync to a device group when there are large amount of partitions. | |
889813-1 | 4-Minor | show net bwc policy prints bytes-per-second instead of bits-per-second | |
884953-2 | 4-Minor | IKEv1 IPsec daemon racoon goes into an endless restart loop | |
882713-1 | 4-Minor | BGP SNMP trap has the wrong sysUpTime value | |
882709 | 4-Minor | LTM v14.1.x to support tagged VLANs on Hyper-V (as was supported on v12.1.x) | |
879189-3 | 4-Minor | Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section | |
876249 | 4-Minor | Top command shows tmm 0.0% CPU usage under load | |
869237-3 | 4-Minor | Management interface might become unreachable when alternating between DHCP/static address assignment. | |
865313-2 | 4-Minor | Validation of monitor field fails in transaction | |
864757-2 | 4-Minor | Traps that were disabled are enabled after configuration save | |
860573-2 | 4-Minor | LTM iRule validation performance improvement by tracking procedure/event that have been validated | |
858549-4 | 4-Minor | GUI does not allow IPv4-Mapped IPv6 Address to be assigned to self IPs | |
857045-3 | 4-Minor | LDAP system authentication may stop working | |
851393-3 | 4-Minor | Tmipsecd leaves a zombie rm process running after starting up | |
848681-5 | 4-Minor | Disabling the LCD on a VIPRION causes blade status lights to turn amber | |
846521-5 | 4-Minor | Config script does not refresh management address entry properly when alternating between dynamic and static | |
838925-5 | 4-Minor | Rewrite URI translation profile can cause connection reset while processing malformed CSS content | |
832665-2 | 4-Minor | The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5 | |
832653 | 4-Minor | Azure scan table warnings can be ignored. | |
831293-3 | 4-Minor | SNMP address-related GET requests slow to respond. | |
828625-1 | 4-Minor | User shouldn't be able to configure two identical traffic selectors | |
826297-1 | 4-Minor | Address list as source/destination for virtual server cannot be changed from tmsh | |
826189-2 | 4-Minor | The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask. | |
824205-1 | 4-Minor | GUI displays error when a virtual server is modified if it is using an address-list | |
822253-3 | 4-Minor | After starting up, mcpd may have defunct child "run" and "xargs" processes | |
819429-3 | 4-Minor | Unable to scp to device after upgrade: path not allowed | |
819421-3 | 4-Minor | Unable to scp/sftp to device after upgrade★ | |
818737-1 | 4-Minor | Improve error message if user did not select an address-list or port list in the GUI | |
818417-2 | 4-Minor | Flowspecd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf. | |
818297 | 4-Minor | OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure | |
816353-1 | 4-Minor | Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1 | |
807309-2 | 4-Minor | Incorrect Active/Standby status in CLI Prompt after failover test | |
805325-2 | 4-Minor | tmsh help text contains a reference to bigpipe, which is no longer supported | |
804309-2 | 4-Minor | [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument | |
800189-1 | 4-Minor | Changing log level may not increase logging to the verbosity expected | |
795429-3 | 4-Minor | Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks. | |
793077 | 4-Minor | Failed SSH logins no longer log entries into the audit log file | |
779857-1 | 4-Minor | Misleading GUI error when installing a new version in another partition★ | |
774617-1 | 4-Minor | SNMP daemon reports integer truncation error for values greater than 32 bits | |
761084-3 | 4-Minor | Custom monitor fields appear editable for Auditor, Operator, or Guest | |
760570 | 4-Minor | The BIG-IP installer fails to automatically detect installation media.★ | |
759852-1 | 4-Minor | SNMP configuration for trap destinations can cause a warning in the log | |
759606-2 | 4-Minor | REST error message is logged every five minutes on vCMP Guest | |
758348-1 | 4-Minor | Cannot access GUI via hostname when it contains _ (underscore character) | |
758105-3 | 4-Minor | Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml | |
757167-1 | 4-Minor | TMM logs 'MSIX is not supported' error on vCMP guests | |
756401-2 | 4-Minor | IKEv2 debug logging often omits SPI values that would identify the SAs involved | |
755450-1 | 4-Minor | Memory leak when using lots of iApps | |
755018-2 | 4-Minor | Egress traffic processing may be stopped on one or more VE trunk interfaces | |
753536-2 | 4-Minor | REST no longer requires a token to login for TACACS use | |
751103-4 | 4-Minor | TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop | |
746152-1 | 4-Minor | Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column | |
745465-1 | 4-Minor | The tcpdump file does not provide the correct extension | |
743815-2 | 4-Minor | vCMP guest observes connflow reset when a CMP state change occurs. | |
742105-2 | 4-Minor | Displaying network map with virtual servers is slow | |
724994-4 | 4-Minor | API requests with 'expandSubcollections=true' are very slow | |
723833-2 | 4-Minor | IPsec related routing changes can misfire, like changing tunnel mode to interface mode | |
722647-4 | 4-Minor | The configuration of some of the Nokia alerts is incorrect | |
722230-3 | 4-Minor | Cannot delete FQDN template node if another FQDN node resolves to same IP address | |
713614-4 | 4-Minor | Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) | |
713183-3 | 4-Minor | Malformed JSON files may be present on vCMP host | |
712241-2 | 4-Minor | A vCMP guest may not provide guest health stats to the vCMP host | |
706685-3 | 4-Minor | Unable to log into BIG-IP GUI after partition is deleted | |
689147-2 | 4-Minor | Confusing log messages on certain user/role/partition misconfiguration when using remote role groups | |
675911-6 | 4-Minor | K13272442 | Different sections of the WebUI can report incorrect CPU utilization |
673573-3 | 4-Minor | tmsh logs boost assertion when running child process and reaches idle-timeout | |
671025-3 | 4-Minor | File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured | |
658943-2 | 4-Minor | Errors when platform-migrate loading UCS using trunks on vCMP guest | |
646768-2 | 4-Minor | K71255118 | VCMP Guest CM device name not set to hostname when deployed |
617636-2 | 4-Minor | K15009669 | LTM v11.6.x Errors in F5-BIGIP-LOCAL-MIB.txt prevent its compilation in NMS (Network Management System) |
591732-5 | 4-Minor | Local password policy not enforced when auth source is set to a remote type. | |
583084-8 | 4-Minor | K15101680 | iControl produces 404 error while creating records successfully |
484683-2 | 4-Minor | Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer. | |
849085-3 | 5-Cosmetic | Lines with only asterisks filling message and user.log file | |
769145-2 | 5-Cosmetic | Syncookie threshold warning is logged when the threshold is disabled | |
761621-2 | 5-Cosmetic | Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members" | |
714176-3 | 5-Cosmetic | UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed | |
679431-4 | 5-Cosmetic | In routing module the 'sh ipv6 interface <interface> brief' command may not show header |
Local Traffic Manager Issues
ID Number | Severity | Solution Article(s) | Description |
901033-1 | 2-Critical | TCP::respond causing memory exhaustion issue when send buffer overwhelmed available TCP window | |
879409-2 | 2-Critical | TMM core with mirroring traffic due to unexpected interface name length | |
876801-3 | 2-Critical | Tmm crash: invalid route type | |
864897-1 | 2-Critical | TMM may crash when using "SSL::extensions insert" | |
858429 | 2-Critical | BIG-IP system sending ICMP packets on both virtual wire interfaces | |
851857-3 | 2-Critical | HTTP 100 Continue handling does not work when it arrives in multiple packets | |
851581-1 | 2-Critical | Server-side detach may crash TMM | |
851385-4 | 2-Critical | Failover takes too long when traffic blade failure occurs | |
846217-1 | 2-Critical | Translucent vlan-groups set local bit in destination MAC address | |
842937-4 | 2-Critical | TMM crash due to failed assertion 'valid node' | |
841469-4 | 2-Critical | Application traffic may fail after an internal interface failure on a VIPRION system. | |
837617-3 | 2-Critical | Tmm may crash while processing a compression context | |
835505-2 | 2-Critical | Tmsh crash possibly related to NGFIPS SDK | |
824881-2 | 2-Critical | A rare TMM crash caused by the fix for ID 816625 | |
824437-2 | 2-Critical | Chaining a standard virtual server and an ipother virtual server together can crash TMM. | |
813561-3 | 2-Critical | MCPD crashes when assigning an iRule that uses a proc | |
811161-1 | 2-Critical | Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992 | |
788813-1 | 2-Critical | TMM crash when deleting virtual-wire config | |
766509-1 | 2-Critical | Strict internal checking might cause tmm crash | |
763145-1 | 2-Critical | TMM Crash when using certain HTTP iRules with HTTP Security Profile | |
758491-1 | 2-Critical | When using Thales NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), the BIG-IP will not be able to use the keys | |
751589-1 | 2-Critical | In BIG-IP VE, some IP rules may not be created during the first boot up. | |
750702-1 | 2-Critical | TMM crashes while making changes to virtual wire configuration | |
745589-6 | 2-Critical | In very rare situations, some filters may cause data-corruption. | |
726900-1 | 2-Critical | Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters | |
726518-3 | 2-Critical | Tmsh show command terminated with CTRL-C can cause TMM to crash. | |
712534 | 2-Critical | DNSSEC keys are not generated when configured to use an external FIPS device | |
705768-1 | 2-Critical | dynconfd may core and restart with multiple DNS name servers configured | |
663925-3 | 2-Critical | Virtual server state not updated with pool- or node-based connection limiting | |
632553-4 | 2-Critical | K14947100 | DHCP: OFFER packets from server are intermittently dropped |
625807-1 | 2-Critical | tmm cored in bigproto_cookie_buffer_to_server | |
474797-4 | 2-Critical | Nitrox crypto hardware may attempt soft reset while currently resetting | |
905477-4 | 3-Major | The sdmd daemon cores during config sync when multiple devices configured for iRules LX | |
904625-4 | 3-Major | Changes to SSL.CertRequest.* DB variables cause HA devices to go out of sync | |
903581-2 | 3-Major | The pkcs11d process cannot recover under certain error condition | |
901929-4 | 3-Major | GARPs not sent on virtual server creation | |
901589 | 3-Major | TMM crash occurred while generating cookie for TCP Fast Open | |
898733-1 | 3-Major | SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM | |
898685-2 | 3-Major | Order of ciphers changes after updating cipher group | |
897185-1 | 3-Major | Resolver cache not using random port distribution | |
896245-1 | 3-Major | Inconsistency is observed in ARP behavior across releases | |
895205-4 | 3-Major | A circular reference in rewrite profiles causes MCP to crash | |
895165-4 | 3-Major | Traffic-matching-criteria with "any" protocol overlaps with explicit protocols | |
893281-1 | 3-Major | Possible ssl stall on closed client handshake | |
892801-4 | 3-Major | When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent" | |
892485-1 | 3-Major | A wrong OCSP status cache may be looked up and re-used during SSL handshake. | |
892385-2 | 3-Major | HTTP does not process WebSocket payload when received with server HTTP response | |
892073-1 | 3-Major | TLS1.3 LTM policy rule based on SSL SNI is not triggered | |
891373-4 | 3-Major | BIG-IP does not shut a connection for a HEAD request | |
890229-3 | 3-Major | Source port preserve setting is not honoured | |
889245-1 | 3-Major | Ndal ixvf driver can lock up | |
889209-1 | 3-Major | Sflow receiver configuration may lead to egress traffic dropped after TMM starts. | |
889165-1 | 3-Major | "http_process_state_cx_wait" errors in log and connection reset | |
888113-1 | 3-Major | HUDEVT_CALLBACK is queued after HUDCTL_ABORT in HTTP-MR proxy | |
887181 | 3-Major | BIG-IP is trying to establish the server side connection without VLAN tag info | |
887045-4 | 3-Major | The session key does not get mirrored to standby. | |
885325-4 | 3-Major | Stats might be incorrect for iRules that get executed a large number of times | |
883049-4 | 3-Major | Statsd can deadlock with rrdshim if an rrd file is invalid | |
882725-3 | 3-Major | Mirroring not working properly when default route vlan names do not match. | |
881065-2 | 3-Major | Adding port-list to Virtual Server changes the route domain to 0 | |
881041-1 | 3-Major | BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server. | |
879413-3 | 3-Major | Statsd fails to start if one or more of its *.info files becomes corrupted | |
878925-3 | 3-Major | SSL connection mirroring failover at end of TLS handshake | |
878253-3 | 3-Major | LB::down no longer sends an immediate monitor probe | |
876145-2 | 3-Major | Nitrox5 failure on vCMP guest results in all crypto requests failing. | |
874877-3 | 3-Major | Bigd http monitor shows misleading 'down' reason when recv does not match | |
874317-3 | 3-Major | Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN | |
873677-5 | 3-Major | LTM policy matching does not work as expected | |
872981-3 | 3-Major | MCP crashes when deleting a virtual server and its traffic-matching-criteria in the same transaction | |
872721-1 | 3-Major | SSL connection mirroring intermittent failure with TLS1.3 | |
870309-1 | 3-Major | Ephemeral pool member not created when FQDN resolves to new IP address | |
868209-1 | 3-Major | Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection | |
868033-3 | 3-Major | SSL option "passive-close" option is unused and should be removed | |
864649-1 | 3-Major | The client-side connection of a dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table | |
863165-1 | 3-Major | Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members. | |
862597-5 | 3-Major | Improve MPTCP's SYN/ACK retransmission handling | |
862069-3 | 3-Major | Using non-standard HTTPS and SSH ports will fail under certain conditions | |
862001-3 | 3-Major | Improperly configured NTP server can result in an undisciplined clock stanza | |
860277-2 | 3-Major | Default value of TCP Profile Proxy Buffer High Low changed in 14.1 | |
860005-3 | 3-Major | Ephemeral nodes/pool members may be created for wrong FQDN name | |
858701-3 | 3-Major | Running config and saved config are having different route-advertisement values after upgrading from v12.1.x★ | |
857845-6 | 3-Major | ASSERTs in hudproxy_tcp_repick() converted into an OOPS | |
852873 | 3-Major | Proprietary Multicast PVST+ packets are forwarded instead of dropped | |
852325-3 | 3-Major | HTTP2 does not support Global SNAT | |
851477-3 | 3-Major | Memory allocation failures during proxy initialization are ignored leading to TMM cores | |
851101-2 | 3-Major | Unable to establish active FTP connection with custom FTP filter | |
851045-3 | 3-Major | LTM database monitor may hang when monitored DB server goes down | |
850873-1 | 3-Major | LTM global SNAT sets TTL to 255 on egress. | |
850349-3 | 3-Major | Incorrect MAC when virtual wire is configured with FastL4 | |
850145-3 | 3-Major | Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed | |
848777-1 | 3-Major | Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. | |
846977-3 | 3-Major | TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★ | |
846873-3 | 3-Major | Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure | |
846441-1 | 3-Major | Flow-control is reset to default for secondary blade's interface | |
845333-3 | 3-Major | An iRule with a proc referencing a datagroup cannot be assigned to Transport Config | |
844421 | 3-Major | Cipher ordering in cipher rules can be wrong | |
843317-1 | 3-Major | The iRules LX workspace imported with incorrect SELinux contexts | |
842425-3 | 3-Major | Mirrored connections on standby are never removed in certain configurations | |
842137-5 | 3-Major | Keys cannot be created on module protected partitions when strict FIPS mode is set | |
841369-1 | 3-Major | HTTP monitor GUI displays incorrect green status information | |
841341-4 | 3-Major | IP forwarding virtual server does not pick up any traffic if destination address is shared. | |
840785-3 | 3-Major | Update documented examples for REST::send to use valid REST endpoints | |
838353-3 | 3-Major | MQTT monitor is not working in route domain. | |
832133-3 | 3-Major | In-TMM monitors fail to match certain binary data in the response from the server. | |
828601-3 | 3-Major | IPv6 Management route is preferred over IPv6 tmm route | |
827441-1 | 3-Major | Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail | |
826349-2 | 3-Major | VXLAN tunnel might fail due to misbehaving NIC checksum offload | |
825245-2 | 3-Major | SSL::enable does not work for server side ssl | |
824433-1 | 3-Major | Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile | |
823921-2 | 3-Major | FTP profile causes memory leak | |
823825-5 | 3-Major | Renaming HA VLAN can disrupt state-mirror connection | |
820333-3 | 3-Major | LACP working member state may be inconsistent when blade is forced offline | |
819329-2 | 3-Major | Specific FIPS device errors will not trigger failover | |
818853-3 | 3-Major | Duplicate MAC entries in FDB | |
818833-3 | 3-Major | TCP re-transmission during SYN Cookie activation results in high latency | |
818789-5 | 3-Major | Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile | |
818097-4 | 3-Major | Plane CPU stats too high after primary blade failover in multi-blade chassis | |
816881-1 | 3-Major | Serverside connection may use wrong VLAN when virtual wire is configured | |
816205-3 | 3-Major | IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side | |
815405-4 | 3-Major | GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI) | |
815089-3 | 3-Major | On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations | |
814761-2 | 3-Major | PostgreSQL monitor fails on second ping with count != 1 | |
813701-3 | 3-Major | Proxy ARP failure | |
812497-1 | 3-Major | VE rate limit should not count packet that does not have a matched vlan or matched MAC address | |
810821-1 | 3-Major | Management interface flaps after rebooting the device | |
810533-4 | 3-Major | SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile | |
810445-2 | 3-Major | PEM: ftp-data not classified or reported | |
809597-3 | 3-Major | Memory leak observed when running ICRD child | |
808017-2 | 3-Major | When using a variable as the only parameter to the iRule persist command, the iRule validation fails | |
807821-4 | 3-Major | ICMP echo requests occasionally go unanswered | |
805017-2 | 3-Major | DB monitor marks pool member down if no send/recv strings are configured | |
803629-2 | 3-Major | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | |
803233-3 | 3-Major | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable | |
803109-2 | 3-Major | Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows | |
802245-1 | 3-Major | When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected. | |
801541-2 | 3-Major | tmm memory growth if high availability (HA) peer is unavailable | |
800101-1 | 3-Major | BIG-IP chassis system may send out duplicated UDP packets to the server side | |
796993-1 | 3-Major | Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs | |
795933-2 | 3-Major | A pool member's cur_sessions stat may incorrectly not decrease for certain configurations | |
795501-3 | 3-Major | Possible SSL crash during config sync | |
795285 | 3-Major | Key creation on non-existing NetHSM partition stays in create-fail loop for CloudHSM | |
794505-3 | 3-Major | OSPFv3 IPv4 address family route-map filtering does not work | |
794417-1 | 3-Major | Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not | |
794385-2 | 3-Major | BGP sessions may be reset after CMP state change | |
793929-1 | 3-Major | In-TMM monitor agent might crash during TMM shutdown | |
793669-1 | 3-Major | FQDN ephemeral pool members on high availability (HA) pair do not get properly synced with the new session value | |
790845-2 | 3-Major | An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default | |
790205-3 | 3-Major | Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core | |
788753-4 | 3-Major | GATEWAY_ICMP monitor marks node down with wrong error code | |
787973-3 | 3-Major | Potential memory leak when software crypto request is canceled. | |
787853-2 | 3-Major | BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps. | |
786517-3 | 3-Major | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address | |
785877-2 | 3-Major | VLAN groups do not bridge non-link-local multicast traffic. | |
785701-1 | 3-Major | Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile | |
785481-2 | 3-Major | A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached | |
785361-1 | 3-Major | In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped | |
784565-2 | 3-Major | VLAN groups are incompatible with fast-forwarded flows | |
783617-1 | 3-Major | Virtual Server resets connections when all pool members are marked disabled | |
783145-4 | 3-Major | Pool gets disabled when one of its pool members with monitor session is disabled | |
781753-3 | 3-Major | WebSocket traffic is transmitted with unknown opcodes | |
781041-1 | 3-Major | SIP monitor in non default route domain is not working. | |
779633-1 | 3-Major | BIG-IP system reuses serverside TIME_WAIT connections irrespective of TMMs used | |
779137-2 | 3-Major | Using a source address list for a virtual server does not preserve the destination address prefix | |
778517-1 | 3-Major | Large number of in-TMM monitors results in delayed processing | |
776229-2 | 3-Major | iRule 'pool' command no longer accepts pool members with ports that have a value of zero | |
773229-2 | 3-Major | Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances | |
767217-2 | 3-Major | Under certain conditions when deleting an iRule, an incorrect dependency error is seen | |
766601 | 3-Major | SSL statistics are updated even in forward proxy bypass | |
766593-1 | 3-Major | RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20 | |
766169-2 | 3-Major | Replacing all VLAN interfaces resets VLAN MTU to a default value | |
764969-3 | 3-Major | ILX no longer supports symlinks in workspaces as of v14.1.0 | |
763093-3 | 3-Major | LRO packets are not taken into account for ifc_stats (VLAN stats) | |
762137-2 | 3-Major | Ping6 with correctly populated NDP entry fails | |
761389-1 | 3-Major | Disabled Virtual Server Dropping the Virtual Wire traffic | |
760406-3 | 3-Major | HA connection might stall on Active device when the SSL session cache becomes out-of-sync | |
760050-2 | 3-Major | cwnd warning message in log | |
759056-2 | 3-Major | stpd memory leak on secondary blades in a multi-blade system | |
758599-1 | 3-Major | IPv6 Management route is preferred over IPv6 tmm route | |
758596-2 | 3-Major | Unable to associate cipher group with long name profile | |
758437-6 | 3-Major | SYN w/ data disrupts stat collection in Fast L4 | |
758436-4 | 3-Major | Optimistic ACKs degrade Fast L4 statistics | |
758041-3 | 3-Major | Pool Members may not be updated accurately when multiple identical DB monitors configured | |
757505-3 | 3-Major | peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket | |
757446-2 | 3-Major | Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses. | |
757431-1 | 3-Major | mcpd process killed after upgrade from 12.1.3★ | |
757029-2 | 3-Major | Ephemeral pool members may not be created after config load or reboot | |
756812-2 | 3-Major | Nitrox 3 instruction/request logger may fail due to SELinux permission error | |
756494-3 | 3-Major | For in-tmm monitoring: multiple instances of the same agent are running on the Standby device | |
756313-2 | 3-Major | SSL monitor continues to mark pool member down after restoring services | |
755791-2 | 3-Major | UDP monitor not behaving properly on different ICMP reject codes. | |
755631-1 | 3-Major | UDP / DNS monitor marking node down | |
754604-2 | 3-Major | iRule : [string first] returns incorrect results when string2 contains null | |
753805-3 | 3-Major | BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. | |
753594-2 | 3-Major | In-TMM monitors may have duplicate instances or stop monitoring | |
753526-1 | 3-Major | IP::addr iRule command does not allow single digit mask | |
753159-1 | 3-Major | Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections | |
752766-1 | 3-Major | The BIG-IP system might fail to read SFPs after a reboot | |
752530-1 | 3-Major | TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. | |
752334-1 | 3-Major | Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation | |
751036-1 | 3-Major | Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone | |
750705-2 | 3-Major | LTM logs are filled with error messages while creating/deleting virtual wire configuration | |
750473-4 | 3-Major | VA status changes while 'disabled' are not taken into account after being 'enabled' again | |
750204-3 | 3-Major | Add support for P-521 curve in the X.509 chain to SSL LTM | |
749519-1 | 3-Major | Error messages seen while running "run sys crypto nethsm-test" tool | |
748529-1 | 3-Major | BIG-IP Virtual Edition with cloudhsm integration needs to restart tmm after a fresh install | |
748052-1 | 3-Major | pkcs11 test utility is failing when running nethsm-test on BIG-IP systems configured for AWS CloudHSM | |
746922-6 | 3-Major | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. | |
745682-1 | 3-Major | Failed to parse X-Forwarded-For header in HTTP requests | |
745663-3 | 3-Major | During traffic forwarding, nexthop data may be missed at large packet split | |
745545-1 | 3-Major | CMP forwarded LRO host packets do not restore LRO flag | |
745291-2 | 3-Major | The BIG-IP HTTP2 filter makes inappropriate assumptions about requests and responses without content lengths | |
745285 | 3-Major | Virtual server configured with destination address list may not respond to ARP and ICMP echo | |
742838-1 | 3-Major | A draft policy of an existing published policy cannot be modified if it is in /Common and is used by a virtual server in a different partition | |
740977-1 | 3-Major | Tracert and traceroute from client does not display route path | |
738450-1 | 3-Major | Parsing pool members as variables with IP tuple syntax | |
726734-4 | 3-Major | DAGv2 port lookup stringent may fail | |
724824-3 | 3-Major | Ephemeral nodes on peer devices report as unknown and unchecked after full config sync | |
723306-1 | 3-Major | Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition | |
723112-5 | 3-Major | LTM policies do not work if a condition has more than 127 matches | |
722707-2 | 3-Major | mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall | |
720440-4 | 3-Major | Radius monitor marks pool members down after 6 seconds | |
719304-1 | 3-Major | Inconsistent node ICMP monitor operation for IPv6 nodes | |
718790-1 | 3-Major | Traffic does not forward to fallback host when all pool members are marked down | |
718288-2 | 3-Major | MCPD might crash on secondary blades when DNSSEC client-facing SOA zone serial not updated | |
714642-4 | 3-Major | Ephemeral pool-member state on the standby is down | |
714502-2 | 3-Major | bigd restarts after loading a UCS for the first time | |
714372-3 | 3-Major | Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari | |
710930-3 | 3-Major | Enabling BigDB key bigd.tmm may cause SSL monitors to fail | |
709952-2 | 3-Major | Disallow DHCP relay traffic to traverse between route domains | |
709381-2 | 3-Major | iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out. | |
700639-4 | 3-Major | The default value for the syncookie threshold is not set to the correct value | |
686059-4 | 3-Major | FDB entries for existing VLANs may be flushed when creating a new VLAN. | |
646440-1 | 3-Major | TMSH allows mirror for persistence even when no mirroring configuration exists | |
617929-2 | 3-Major | Support non-default route domains | |
608952-3 | 3-Major | MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 | |
512490-12 | 3-Major | Increased latency during connection setup when using FastL4 profile and connection mirroring. | |
505037-5 | 3-Major | K01993279 | Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop |
898753-3 | 4-Minor | Multicast control-plane traffic requires handling with AFM policies | |
895141 | 4-Minor | HTTP::has_responded returns incorrect values when using HTTP/2 | |
880697-3 | 4-Minor | URI::query command returning fragment part, instead of query part | |
858309-1 | 4-Minor | Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart | |
844337-2 | 4-Minor | Tcl error log improvement for node command | |
839245-1 | 4-Minor | IPother profile with SNAT sets egress TTL to 255 | |
838405-1 | 4-Minor | Listener traffic-group may not be updated properly when spanning is in use. | |
838305-4 | 4-Minor | BIG-IP may create multiple connections for packets that should belong to a single flow. | |
834217-5 | 4-Minor | Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window. | |
832233-3 | 4-Minor | The iRule regexp command issues an incorrect warning | |
822245-4 | 4-Minor | Large number of in-TMM monitors results in some monitors being marked down | |
822025-2 | 4-Minor | HTTP response not forwarded to client during an early response | |
818721-1 | 4-Minor | Virtual address can be deleted while it is in use by an address-list. | |
814037-4 | 4-Minor | No virtual server name in Hardware Syncookie activation logs. | |
808409-3 | 4-Minor | Unable to specify if giaddr will be modified in DHCP relay chain | |
804157-1 | 4-Minor | ICMP replies are forwarded with incorrect checksums causing them to be dropped | |
802721-2 | 4-Minor | Virtual Server iRule does not match an External Data Group key that's 128 characters long | |
801705-4 | 4-Minor | When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC | |
787905-4 | 4-Minor | Improve initializing TCP analytics for FastL4 | |
783969 | 4-Minor | An invalid SSL close_notify might be sent in some cases. | |
783073 | 4-Minor | Cookie Persistence profile is not showing up in the GUI | |
781113-1 | 4-Minor | Support to enable/disable reusing serverside TIME_WAIT connections | |
774261-1 | 4-Minor | PVA client-side current connections stat does not decrease properly | |
774173-2 | 4-Minor | WebUI - Cipher Group preview causes high availability (HA) sync state to become Changes Pending | |
773253-3 | 4-Minor | The BIG-IP may send VLAN failsafe probes from a disabled blade | |
772297-2 | 4-Minor | LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade | |
758704 | 4-Minor | Excessive 'GuestInfoAddNicEntry: NIC limit (16) reached' logging | |
742603-1 | 4-Minor | WebSocket Statistics are updated to differentiate between client and server sides | |
738045-5 | 4-Minor | HTTP filter complains about invalid action in the LTM log file. | |
738032-1 | 4-Minor | BIG-IP system reuses cached session-id after SSL properties of the monitor have been changed. | |
722534-1 | 4-Minor | load sys config merge not supported for iRulesLX | |
688397-1 | 4-Minor | Reset causes for HTTP/2 streams are not recorded | |
640374-1 | 4-Minor | DHCP statistics are incorrect | |
544958-1 | 4-Minor | Monitors packets are sent even when pool member is 'Forced Offline'. | |
898929-2 | 5-Cosmetic | Tmm might crash when ASM, AVR, and pool connection queuing are in use | |
873249-3 | 5-Cosmetic | Switching from fast_merge to slow_merge can result in incorrect tmm stats | |
666378-1 | 5-Cosmetic | A virtual server's connections per second (precision.last_value) is confusingly named. |
Performance Issues
ID Number | Severity | Solution Article(s) | Description |
850193-2 | 3-Major | Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues | |
746620-3 | 3-Major | "source-port preserve" does not work on BIG-IP Virtual Edition | |
747960-2 | 4-Minor | BIG-IP VE with 1nic does not handle fragmented traffic to webui or ssh properly |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Solution Article(s) | Description |
905557-6 | 2-Critical | Tmm could core with SIGSEGV while expiring an MDS connflow for a down pool member | |
788465-2 | 2-Critical | DNS cache idx synced across HA group could cause tmm crash | |
783125-2 | 2-Critical | iRule drop command on DNS traffic without Datagram-LB may cause TMM crash | |
744743-1 | 2-Critical | Rolling DNSSEC Keys may stop generating after BIG-IP restart | |
722741-1 | 2-Critical | Damaged tmm dns db file causes zxfrd/tmm core | |
717306-1 | 2-Critical | Added ability to use Vip-targeting-Vip with DNS Cache server-side connections | |
264701-3 | 2-Critical | K10066 | GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608) |
903521-4 | 3-Major | TMM fails to sign responses from BIND when BIND has "dnssec-enable no" | |
899253-4 | 3-Major | [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist | |
890285 | 3-Major | DNS resolver cannot forward DNS query to local IPv6 virtual server | |
880125-3 | 3-Major | WideIP (A) created together with aliases (CNAME) causes missing A records in ZoneRunner | |
879301-3 | 3-Major | When importing a BIND zone file, SRV/DNAME/NAPTR RRs do not have correct $ORIGIN appended | |
864797-1 | 3-Major | Cached results for a record are sent following region modification | |
862949-1 | 3-Major | Zonerunner GUI is unable to display CAA records | |
858973-3 | 3-Major | DNS request matches less specific WideIP when adding new wildcard wideips | |
852101-3 | 3-Major | Monitor fails. | |
851341-2 | 3-Major | DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs | |
844689-3 | 3-Major | Possible temporary CPU usage increase with unusually large named.conf file | |
835209-1 | 3-Major | External monitors mark objects down | |
821589-2 | 3-Major | DNSSEC does not insert NSEC3 records for NXDOMAIN responses | |
813221-1 | 3-Major | Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync | |
803645-3 | 3-Major | GTMD daemon crashes | |
800265-2 | 3-Major | Undefined subroutine in bigip_add_appliance_helper message | |
789421-2 | 3-Major | Resource-administrator cannot create GTM server object through GUI | |
781985-1 | 3-Major | DNSSEC zone SEPS records may be wiped out from running configuration | |
781829-1 | 3-Major | GTM TCP monitor does not check the RECV string if server response string not ending with \n | |
779793-2 | 3-Major | [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor | |
779769-2 | 3-Major | [LC] [GUI] destination cannot be modified for bigip-link monitors | |
778365-2 | 3-Major | dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service | |
777245-1 | 3-Major | DNSSEC client-facing SOA zone serial does not update when DNSSEC related RR changes | |
774481-2 | 3-Major | DNS Virtual Server creation problem with Dependency List | |
774225-3 | 3-Major | mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting | |
769385-1 | 3-Major | GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message | |
760835-1 | 3-Major | Static generation of rolling DNSSEC keys may be missing when the key generator is changed | |
760833-1 | 3-Major | BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner | |
760615-2 | 3-Major | Virtual Server discovery may not work after a GTM device is removed from the sync group | |
756177-2 | 3-Major | GTM marks pool members down across datacenters | |
751540-3 | 3-Major | GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server | |
746719-1 | 3-Major | SERVFAIL when attempting to view or edit NS resource records in zonerunner | |
746348-2 | 3-Major | On rare occasions, gtmd fails to process probe responses originating from the same system. | |
746137-1 | 3-Major | DNSSEC: Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds | |
745035-2 | 3-Major | gtmd crash | |
744787-4 | 3-Major | Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias | |
739553-1 | 3-Major | Setting large number for Wide IP Persistence TTL breaks Wide IP persistence | |
726164-1 | 3-Major | Rolling DNSSEC Keys can stop regenerating after a length of time on the standby system | |
679316-7 | 3-Major | iQuery connections reset during SSL renegotiation | |
665117-7 | 3-Major | K33318158 | DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping |
222220-4 | 3-Major | Distributed application statistics | |
889801-3 | 4-Minor | Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE. | |
886145-4 | 4-Minor | The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS WebUI. | |
885869-4 | 4-Minor | Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime | |
839361-4 | 4-Minor | iRule 'drop' command does not drop packets when used in DNS_RESPONSE | |
790113-2 | 4-Minor | Cannot remove all wide IPs from GTM distributed application via iControl REST | |
775801-2 | 4-Minor | [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener | |
760117-1 | 4-Minor | Duplicate error messages in log when updating a zone through ZoneRunner GUI | |
755282-1 | 4-Minor | [GTM] bigip_add password prompt for IPv4-mapped IPv6 address | |
752216-6 | 4-Minor | K33587043 | DNS queries without the RD bit set may generate responses with the RD bit set |
712335-3 | 4-Minor | GTMD may intermittently crash under unusual conditions. | |
774257-2 | 5-Cosmetic | tmsh show gtm pool and tmsh show gtm wideip print duplicate object types |
Application Security Manager Issues
ID Number | Severity | Solution Article(s) | Description |
904593-2 | 2-Critical | Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled | |
887621-1 | 2-Critical | ASM virtual server names configuration CRC collision is possible | |
868641-1 | 2-Critical | Possible TMM crash when disabling bot profile for the entire connection | |
865981-3 | 2-Critical | ASM GUI and REST become unresponsive upon license change | |
865461-3 | 2-Critical | BD crash on specific scenario | |
857677-1 | 2-Critical | Security policy changes are applied automatically after asm process restart | |
843801-1 | 2-Critical | Like-named previous Signature Update installations block Live Update usage after upgrade★ | |
825413-2 | 2-Critical | /var/lib/mysql disk is full | |
813409-1 | 2-Critical | BD crash under certain circumstances | |
803813-2 | 2-Critical | TMM may experience high latency when processing WebSocket traffic | |
905681 | 3-Major | Incorrect enforcement of policy parameters | |
903357-3 | 3-Major | Bot defense Profile list loads too slowly when there are 750 or more Virtual servers | |
901061-4 | 3-Major | Safari browser might be blocked when using Bot Defense profile and related domains. | |
900797-4 | 3-Major | Brute Force Protection (BFP) hash table entry cleanup | |
900789-4 | 3-Major | Alert before Brute Force Protection (BFP) hash are fully utilized | |
898825-4 | 3-Major | Attack signatures are enforced on excluded headers under some conditions | |
898741-4 | 3-Major | Missing critical files causes FIPS-140 system to halt upon boot | |
893061-1 | 3-Major | Out of memory for restjavad | |
892653-2 | 3-Major | Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI | |
891181-4 | 3-Major | Wrong date/time treatment in logs in Turkey/Istanbul timezone | |
890169-1 | 3-Major | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. | |
888289-3 | 3-Major | Add option to skip percent characters during normalization | |
887265-1 | 3-Major | BIG-IP may fail to come online after upgrade with ASM and VLAN-failsafe configuration★ | |
886865-2 | 3-Major | P3P header is added for all browsers, but required only for Internet Explorer | |
886533-1 | 3-Major | Icap server connection adjustments | |
884425-1 | 3-Major | Creation of new allowed HTTP URL is not possible | |
883853-1 | 3-Major | Bot Defense Profile with staged signatures prevents signature update★ | |
880789-1 | 3-Major | ASMConfig Handler undergoes frequent restarts | |
876965-1 | 3-Major | Incorrect reporting by /mgmt/tm/live-update/ | |
874753-1 | 3-Major | Filtering by Bot Categories on Bot Requests Log shows 0 events | |
871881-1 | 3-Major | Apply Policy action is not synchronized after making bulk signature changes | |
868721-3 | 3-Major | Transactions are held for a long time on specific server related conditions | |
868053-1 | 3-Major | Live Update service indicates update available when the latest update was already installed | |
867825-2 | 3-Major | Export/Import on a parent policy leaves children in an inconsistent state | |
867777-2 | 3-Major | Remote syslog server cannot parse violation detail buffers as UTF-8. | |
867373-2 | 3-Major | Methods Missing From ASM Policy | |
864677-3 | 3-Major | ASM causing high mcpd CPU usage | |
863609-2 | 3-Major | Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies | |
857633-2 | 3-Major | Attack Type (SSRF) appears incorrectly in REST result | |
853989-3 | 3-Major | DOSL7 Logs breaks CEF connector by populating strings into numeric fields | |
853565-1 | 3-Major | VCMP host primary blade reboot causes security policy loss in the VCMP guest primary blade | |
850677-2 | 3-Major | Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy | |
849349-3 | 3-Major | Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db | |
846181-1 | 3-Major | Request samples for some of the learning suggestions are not visible | |
846057-2 | 3-Major | UCS backup archive may include unnecessary files | |
833685-3 | 3-Major | Idle async handlers can remain loaded for a long time doing nothing | |
829029-3 | 3-Major | Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error | |
809125-2 | 3-Major | CSRF false positive | |
802873-1 | 3-Major | Manual changes to policy imported as XML may introduce corruption for Login Pages | |
799749-1 | 3-Major | Asm logrotate fails to rotate | |
793149-3 | 3-Major | Adding the Strict-transport-Policy header to internal responses | |
792341-2 | 3-Major | Google Analytics shows incorrect stats. | |
785529-1 | 3-Major | ASM unable to handle ICAP responses whose length is greater than 10K | |
783165-3 | 3-Major | Bot Defense whitelists do not apply for url "Any" after modifying the Bot Defense profile | |
772165-1 | 3-Major | Sync Failed due to Bot Defense profile not found | |
761565-1 | 3-Major | ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end | |
759840-1 | 3-Major | False positive 'Null in request' violation or bare byte subviolations | |
759449-1 | 3-Major | Unable to modify the application language with 'Copy ASM Policy' | |
753715-1 | 3-Major | False positive JSON max array length violation | |
751430-1 | 3-Major | Unnecessary reporting of errors with complex denial-of-service policies | |
748851-3 | 3-Major | Bot Detection injection includes tags which may cause faulty display of application | |
742549-2 | 3-Major | Cannot create non-ASCII entities in non-UTF ASM policy using REST | |
739618-2 | 3-Major | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy | |
726401-1 | 3-Major | ASM cannot complete initial startup with modified management interface on VE | |
640842-3 | 3-Major | ASM end user using mobile might be blocked when CSRF is enabled | |
580715-1 | 3-Major | ASM is not sending 64 KB remote logs over UDP | |
887625-1 | 4-Minor | Note should be bold black, not red | |
883673-1 | 4-Minor | BotDefense JavaScript browser verification can cause low score when using Google Lighthouse tool | |
882769-3 | 4-Minor | Request Log: wrong filter applied when searching by Response contains or Response does not contain | |
882729-1 | 4-Minor | Applied Blocking Masks discrepancy between local/remote event log | |
879777 | 4-Minor | Retrieve browser cookie from related domain instead of performing another Bot Defense browser verification challenge | |
875373-2 | 4-Minor | Unable to add domain with leading '.' through webUI, but works with tmsh. | |
841985-3 | 4-Minor | TSUI GUI stuck for the same session during long actions | |
824093-3 | 4-Minor | Parameters payload parser issue | |
807569-1 | 4-Minor | Requests fail to load when backend server overrides request cookies and Bot Defense is used | |
797821-1 | 4-Minor | Logging profiles on /Common cannot be configured with publishers on other folders | |
765365-1 | 4-Minor | ASM tries to send response cookies after response headers already forwarded - makes CSRF false positive | |
759671-1 | 4-Minor | Unescaped slash in RE2 in user-defined signature should not be allowed | |
758615-1 | 4-Minor | Reconstructed POST request is dropped after DID cookies are deleted | |
756998-1 | 4-Minor | DoSL7 Record Traffic feature is not recording traffic | |
754750-1 | 4-Minor | Policy validation error 'All blocking flags are unset' appears even when a violation is set to block | |
752797-1 | 4-Minor | BD is not correctly closing a shared memory segment |
Application Visibility and Reporting Issues
ID Number | Severity | Solution Article(s) | Description |
812993-1 | 1-Blocking | Monpd process consumes considerable amount of RAM on systems with many virtual servers | |
869049-2 | 3-Major | Charts discrepancy in AVR reports | |
838685-2 | 3-Major | DoS report exists in per-widget but not under individual virtual | |
808801-2 | 3-Major | AVRD crash when configured to send data externally | |
746837-2 | 3-Major | AVR JS injection can cause error on page if the JS was not injected | |
898373-1 | 4-Minor | Unclear message: TakesTooLong was 0.00 exceeded the lower threshold of 10000 |
Access Policy Manager Issues
ID Number | Severity | Solution Article(s) | Description |
891505-1 | 2-Critical | TMM might leak memory when OAuth agent is used in APM per-request policy subroutine. | |
867413-2 | 2-Critical | The allow-only-in-enterprise LAN feature on Mac OS not working after reboot | |
838861-2 | 2-Critical | TMM might crash once after upgrading SSL Orchestrator★ | |
789085-2 | 2-Critical | When executing the ACCESS::session iRule command under a serverside event, tmm may crash | |
783233-2 | 2-Critical | OAuth puts quotation marks around claim values that are not string type | |
766921-1 | 2-Critical | Localdbmgr process crashes and generates a core | |
760130-3 | 2-Critical | [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK | |
748572-2 | 2-Critical | Occasionally ramcache might crash when data is sent without the corresponding event. | |
725505-1 | 2-Critical | SNAT settings in network resource are not applied after FastL4 profile is updated | |
660913-3 | 2-Critical | For ActiveSync client type, browscap info provided is incorrect.★ | |
579219-3 | 2-Critical | Access keys missing from SessionDB after multi-blade reboot. | |
903501-1 | 3-Major | VPN Tunnel establishment fails with some IPv6 addresses | |
898381 | 3-Major | Changing the setting of apm-forwarding-fastl4 profile does not take effect | |
883577-2 | 3-Major | ACCESS::session iRule command does not work in HTTP_RESPONSE event | |
853325-3 | 3-Major | TMM Crash while parsing form parameters by SSO. | |
850277-3 | 3-Major | Memory leak when using OAuth | |
844781-1 | 3-Major | [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection | |
844573-3 | 3-Major | Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret. | |
844281-1 | 3-Major | [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. | |
831517-1 | 3-Major | TMM may crash when Network Access tunnel is used | |
828761 | 3-Major | APM OAuth - Auth Server attached iRule works inconsistently | |
815753-2 | 3-Major | TMM leaks memory when explicit SWG is configured with Kerberos authentication | |
803825-3 | 3-Major | WebSSO does not support large NTLM target info length | |
802381-2 | 3-Major | Localdb authentication fails | |
799149-2 | 3-Major | Authentication fails with empty password | |
794585-2 | 3-Major | User cannot log in after license reactivation on vCMP host | |
774301-4 | 3-Major | Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList | |
771961-1 | 3-Major | While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core | |
761303-2 | 3-Major | Upgrade of standby BIG-IP system results in empty Local Database | |
759392-2 | 3-Major | HTTP_REQUEST iRule event triggered for internal APM request | |
759356-2 | 3-Major | Access session data cache might leak if there are multiple TMMs | |
758542-3 | 3-Major | OAuth database instance appears empty after upgrade from v13.x★ | |
757848-1 | 3-Major | F5 Adaptive Authentication feature has been removed | |
757822-1 | 3-Major | Subroutine name should use partition name and policy name | |
757781-3 | 3-Major | Portal Access: cookie exchange may be broken sometimes | |
755507-4 | 3-Major | [App Tunnel] 'URI sanitization' error | |
750631-2 | 3-Major | There may be a latency between session termination and deletion of its associated IP address mapping | |
749477-1 | 3-Major | Provisioning URLDB and SWG simultaneously produces a confusing error message if neither module was originally provisioned | |
748451-3 | 3-Major | Manager users cannot perform changes in per-request policy properties | |
748070 | 3-Major | API Protection feature inadvertently allows editing of associated access policy | |
744407-3 | 3-Major | While the client has been closed, iRule function should not try to check on a closed session | |
744316-4 | 3-Major | Config sync of APM policy fails with Cannot update_indexes validation error. | |
738865-3 | 3-Major | MCPD might enter into loop during APM config validation | |
738547-3 | 3-Major | SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII | |
712857-3 | 3-Major | SWG-Explicit rejects large POST bodies during policy evaluation | |
711056-1 | 3-Major | License check VPE expression fails when access profile name contains dots | |
706782-3 | 3-Major | Inefficient APM processing in large configurations. | |
673357-1 | 3-Major | SWG puts flow in intercept mode when session is not found | |
653210-2 | 3-Major | Rare resets during the login process | |
600985-1 | 3-Major | Network access tunnel data stalls | |
578989-9 | 3-Major | Maximum request body size is limited to 25 MB | |
547692-5 | 3-Major | Firewall-blocked KPASSWD service does not cause domain join operation to fail | |
534187-5 | 3-Major | Passphrase protected signing keys are not supported by SAML IDP/SP | |
470346-2 | 3-Major | Some IPv6 client connections get RST when connecting to APM virtual | |
833049-2 | 4-Minor | Category lookup tool in GUI may not match actual traffic categorization | |
819233-5 | 4-Minor | Ldbutil utility ignores '--instance' option if '--list' option is specified | |
810825 | 4-Minor | Export, then import of pool outside of a default route domain may fail | |
778333-3 | 4-Minor | GUI/CLI max-in-progress discrepancy occurs after upgrade from v11.x to v13.x or later | |
755739-1 | 4-Minor | SAML metadata import (SP or IdP) fails if the metadata file has both SPSSODescriptor and IdPSSODescriptor | |
719589-2 | 4-Minor | GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic | |
602396-1 | 4-Minor | EPSEC Upload Package Button Is Greyed Out | |
826049-1 | 5-Cosmetic | French language spelling error in BIG-IP Edge Client message window | |
498926 | 5-Cosmetic | Client can fail to start a new session in multi-domain SSO. |
WebAccelerator Issues
ID Number | Severity | Solution Article(s) | Description |
900825-2 | 3-Major | WAM image optimization can leak entity reference when demoting to unoptimized image | |
890573-2 | 3-Major | BigDB variable wam.cache.smallobject.threshold may not pick up its value on restart | |
890401-2 | 3-Major | Restore correct handling of small object when conditions to change cache type are satisfied | |
792045-1 | 3-Major | Prevent WAM cache type change for small objects | |
761027 | 3-Major | Web Browser Hang on Reading Compressed Data from BIG-IP | |
751383-1 | 4-Minor | Invalidation trigger parameter values are limited to 256 bytes | |
748031-1 | 4-Minor | Invalidation trigger parameter containing reserved XML characters does not create invalidation rule | |
489960-4 | 4-Minor | Memory type stats is incorrect |
Enterprise Manager Issues
ID Number | Severity | Solution Article(s) | Description |
807913 | 4-Minor | The word 'ceritifcate' is misspelled in an error message |
Service Provider Issues
ID Number | Severity | Solution Article(s) | Description |
814097-2 | 2-Critical | Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. | |
898997-4 | 3-Major | GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes | |
895801-4 | 3-Major | Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted | |
891385-4 | 3-Major | Add support for URI protocol type "urn" in MRF SIP load balancing | |
842625-3 | 3-Major | SIP message routing remembers a 'no connection' failure state forever | |
825013-3 | 3-Major | GENERICMESSAGE::message's src and dst may get cleared in certain scenarios | |
815529-2 | 3-Major | MRF outbound messages are dropped in per-peer mode | |
803809-2 | 3-Major | SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. | |
790949-2 | 3-Major | MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior. | |
782353-6 | 3-Major | SIP MRF via header shows TCP Transport when TLS is enabled | |
767977 | 3-Major | Source port unexpectedly changes on message connections | |
759370-2 | 3-Major | FIX protocol messages parsed incorrectly when fragmented between the body and the trailer. | |
755311-1 | 3-Major | No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down | |
754658-2 | 3-Major | Improved matching of response messages uses end-to-end ID | |
754617-2 | 3-Major | iRule 'DIAMETER::avp read' command does not work with 'source' option | |
753501-1 | 3-Major | iRule commands (such as relate_server) do not work with MRP SIP | |
749528-1 | 3-Major | IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap | |
749041-2 | 3-Major | MRSIP log of subscriber deletion outputs '(null)' for subscriber URI | |
748355-2 | 3-Major | MRF SIP curr_pending_calls statistic can show negative values. | |
746731-1 | 3-Major | BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set | |
696348-3 | 3-Major | "GTP::ie insert" and "GTP::ie append" do not work without "-message" option | |
844169-2 | 4-Minor | TMSH context-sensitive help for diameter session profile is missing some descriptions | |
788513-2 | 4-Minor | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log | |
786981-3 | 4-Minor | Pending GTP iRule operation may be aborted when connection is expired | |
793005-3 | 5-Cosmetic | 'Current Sessions' statistic of MRF/Diameter pool may be incorrect |
Advanced Firewall Manager Issues
ID Number | Severity | Solution Article(s) | Description |
802421 | 2-Critical | The /var partition may become 100% full requiring manual intervention to clear space | |
763121-3 | 2-Critical | Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM. | |
747225-1 | 2-Critical | PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart | |
720045-3 | 2-Critical | IP fragmented UDP DNS request and response packets dropped as DNS Malformed | |
603124-2 | 2-Critical | [FW FQDN] Lower minimum allowed refresh interval (than current min of 10 mins) | |
876805-1 | 3-Major | Modifying address-list resets the route advertisement on virtual servers. | |
872645 | 3-Major | Protected Object Aggregate stats are causing elevated CPU usage | |
871457 | 3-Major | Cannot enable logging for management firewall with LTM only provisioned | |
870385-3 | 3-Major | TMM may restart under a large traffic load | |
867321-6 | 3-Major | Error: Invalid self IP, the IP address already exists. | |
851745-1 | 3-Major | High CPU consumption when enabling a large number of virtual servers | |
844597-2 | 3-Major | AVR analytics is reporting null domain name for a dns query | |
840809-1 | 3-Major | If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged | |
837233-1 | 3-Major | "Application Security Administrator" user role cannot manage Dos Profile GUI | |
813969-3 | 3-Major | Network DoS reporting events as 'not dropped' while in fact, events are dropped | |
813057-2 | 3-Major | False positive attack detection on DoS profile vectors for unbalanced traffic | |
812481-2 | 3-Major | HSL logging may work unreliably for Management-IP firewall rules | |
811157-2 | 3-Major | Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself | |
808893-2 | 3-Major | DNS DoS profile vectors do not function correctly★ | |
808889-2 | 3-Major | DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold | |
793217-2 | 3-Major | HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation | |
791361-1 | 3-Major | Configured management port rules can be lost after loading UCS file and rebooting | |
787969-1 | 3-Major | Validation error regarding disabling DoS Software Mode is unclear | |
783217-1 | 3-Major | Negative numbers of received packets in DoS-sampled log messages for bad actor and attacked destination attacks | |
781425 | 3-Major | Firewall rule list configuration causes config load failure | |
757555-2 | 3-Major | Network DoS Logging Profile does not work with other logging profiles together | |
757279-1 | 3-Major | LDAP authenticated Firewall Manager role cannot edit firewall policies | |
755721-1 | 3-Major | A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper | |
751116-1 | 3-Major | DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring | |
749761-3 | 3-Major | AFM Policy with Send to Virtual and TMM crash in a specific scenario | |
746483-2 | 3-Major | The autodosd process consumes a lot of memory and continuously restarts. | |
742120-1 | 3-Major | MCPd crash seen during load sys config | |
703165-4 | 3-Major | shared memory leakage | |
686043-1 | 3-Major | dos.maxicmpframesize and dos.maxicmp6framesize sys db variables do not work for fragmented ICMP packets | |
663946-6 | 3-Major | The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments | |
906889 | 4-Minor | Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. | |
885373 | 4-Minor | Another app is currently holding the xtables lock. Perhaps you want to use the -w option? | |
811045 | 4-Minor | Tmsh load sys config from-terminal merge: error for config embedded sub profile can have only a single object of any part enabled | |
803149-1 | 4-Minor | Flow Inspector cannot filter on IP address with non-default route_domain | |
756457-2 | 4-Minor | tmsh command 'show security' returning a parsing error | |
906885 | 5-Cosmetic | Spelling mistake on AFM GUI Flow Inspector screen |
Policy Enforcement Manager Issues
ID Number | Severity | Solution Article(s) | Description |
845313 | 2-Critical | Tmm crash under heavy load | |
760518-4 | 2-Critical | PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement | |
750491-4 | 2-Critical | PEM Once-Every content insertion action may insert more than once during an interval | |
886653-3 | 3-Major | Flow lookup on subsequent packets fail during CMP state change. | |
875401-3 | 3-Major | PEM subscriber lookup can fail for internet side new connections | |
842989-7 | 3-Major | PEM: tmm could core when running iRules on overloaded systems | |
814941-1 | 3-Major | PEM drops new subscriber creation if historical aggregate creation count reaches the max limit | |
802977-2 | 3-Major | PEM iRule crashes when attempting to set more than 10 policies for a subscriber | |
783289-1 | 3-Major | PEM actions not applied in VE bigTCP. | |
781485-4 | 3-Major | PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition | |
764901-2 | 3-Major | PEM policy filters rules memory gets leaked if policy is deleted before deleting the rules | |
753014-4 | 3-Major | PEM iRule action with RULE_INIT event fails to attach to PEM policy | |
752163-1 | 3-Major | PEM::session info cannot set subscriber type and ID | |
747065-2 | 3-Major | PEM iRule burst of session ADDs leads to missing sessions | |
741213-2 | 3-Major | Modifying disabled PEM policy causes coredump | |
726011-4 | 3-Major | PEM transaction-enabled policy action lookup optimization to be controlled by a sys db | |
670994-5 | 3-Major | There is no validation for IP address on the ip-address-list for static subscriber |
Carrier-Grade NAT Issues
ID Number | Severity | Solution Article(s) | Description |
837269 | 3-Major | Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic | |
812705-1 | 3-Major | 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic | |
806825 | 3-Major | Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool | |
761517-1 | 4-Minor | nat64 and ltm pool conflict |
Fraud Protection Services Issues
ID Number | Severity | Solution Article(s) | Description |
660759-1 | 3-Major | Cookie hash persistence sends alerts to application server. |
Traffic Classification Engine Issues
ID Number | Severity | Solution Article(s) | Description |
887609-3 | 2-Critical | TMM crash when updating urldb blacklist | |
874677 | 2-Critical | TC auto signature update failing from GUI on 14.1.2★ | |
787965-1 | 3-Major | URLCAT by URI does not work if it contains port number | |
761273-2 | 3-Major | wr_urldbd creates sparse log files by writing from the previous position after logrotate. | |
754257-2 | 3-Major | URL lookup queries not working |
Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
720434-3 | 2-Critical | Multi-blade Chassis iAppLX Package upgrade sync is incomplete across blades | |
718796-3 | 2-Critical | IControl REST token issue after upgrade★ | |
710809-4 | 2-Critical | Restjavad hangs and causes GUI page timeouts | |
880565-3 | 3-Major | Audit Log: "cmd_data=list cm device recursive" is being generated continuously | |
767613-2 | 3-Major | Restjavad can keep partially downloaded files open indefinitely | |
760752-2 | 3-Major | Internal sync-change conflict after update to local users table | |
749383-1 | 3-Major | Audit Log: 'cmd_data=list cm device recursive' is being generated continuously even though the command has not been executed | |
718033-4 | 3-Major | REST calls fail after installing BIG-IP software or changing admin passwords | |
717174-1 | 3-Major | WebUI shows error: Error getting auth token from login provider★ | |
560682-2 | 4-Minor | The REST Framework no longer works when downgrading from BIG-IP version 12.x or 13.x to 11.6.x or 11.5.x |
iApp Technology Issues
ID Number | Severity | Solution Article(s) | Description |
842193-3 | 3-Major | Scriptd coring while running f5.automated_backup script | |
818069-4 | 3-Major | GUI hangs when iApp produces error message | |
778817-2 | 3-Major | Invalid client request can cause un-captured exception on ASM container. | |
829861 | 4-Minor | iApp UI broken when referencing to iApp profile /Common/_sys_radius_proto_imsi | |
802189-2 | 4-Minor | iApps: Calling 'Package Require <PKG>' in a template with a manager role is not supported |
Protocol Inspection Issues
ID Number | Severity | Solution Article(s) | Description |
802449-1 | 2-Critical | Valid GTP-C traffic may cause buffer overflow | |
825501-1 | 3-Major | IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★ | |
795329-2 | 3-Major | IM installation fails if 'auto-add-new-inspections' enabled on profile★ | |
778225-3 | 3-Major | vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host | |
760740-1 | 4-Minor | Mysql error is displayed when saving UCS configuration on BIG-IP system with only LTM provisioned |
Known Issue details for BIG-IP v14.1.x
906889 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Component: Advanced Firewall Manager
Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:
Packets In 2 shows as 016 in the GUI
Packets Out 0 shows as 8 in the GUI
Workaround:
View statistics in tmsh.
906885 : Spelling mistake on AFM GUI Flow Inspector screen
Component: Advanced Firewall Manager
Symptoms:
On the AFM GUI Flow Inspector screen, there is a spelling mistake 'Additinal Info'. It should read 'Additional Info'.
Conditions:
You can locate the spelling error by following these steps:
1. Navigate to Security :: Debug :: Flow Inspector :: Get Flows (should be blank).
2. Select New Flows and then Get Flows.
3. Select the flow (i.e., click anywhere on the result except the hyperlink).
Impact:
There is a spelling mistake on the word 'Additional'. There is no functional impact to the system; this is a cosmetic issue only.
Workaround:
None.
906505-4 : Display of LCD System Menu cannot be configured via GUI on iSeries platforms
Component: TMOS
Symptoms:
In the BIG-IP Graphical User Interface (TMUI), display of the System Menu on the LCD front panel of most BIG-IP platforms can be enabled or disabled under System :: Configuration :: Device :: General.
However, on iSeries appliances, the 'Display LCD System Menu' option does not appear on this page.
Conditions:
This occurs on the following iSeries appliances:
-- i850
-- i2000-series (i2600/i2800)
-- i4000-series (i4600/i4800)
-- i5000-series (i5600/i5800/i5820-DF)
-- i7000-series (i7600/i7600-D/i7800/i7800-D/i7820-DF)
-- i10000-series (i10600/i10600-D/i10800/i10800-D)
-- i11000-series (i11600/i11800/i11400-DS/i11600-DS/i11800-DS)
-- i15000-series (i15600/i15800)
Impact:
The 'Display LCD System Menu' option cannot be configured via the GUI.
Workaround:
You can enable display of the LCD System Menu using the Command Line (CLI) by running the following commands, in sequence:
tmsh mod sys global-settings lcd-display [enabled|disabled]
tmsh mod sys db lcd.showmenu value [enabled|disabled]
906449-4 : Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load
Component: TMOS
Symptoms:
The text that describes the monitor state of an LTM node, pool member, or monitor instance also contains a timestamp that initially indicates when the monitor set the affected node or pool member to the indicated state. This timestamp can be affected by other actions, such as incremental or full config sync and config load.
The monitor-state description and timestamp can be viewed in the CLI (CLI/TMSH) and GUI (TMUI) as follows:
-- From the CLI/TMSH:
tmsh show ltm monitor <monitor_type> <monitor_name>
This command shows the state of ltm nodes or pool members currently monitored by the specified ltm health monitor, as in the following example:
-------------------------------------
LTM::Monitor /Common/mysql_test
-------------------------------------
Destination: 10.10.200.28:3296
State time: down for 1hr:58mins:42sec
| Last error: No successful responses received before deadline. @2020.03.25 14:10:24
-- From the GUI:
+ Navigate to Local Traffic :: Nodes : Node List :: <node_name>. The 'Availability' field shows text describing the node's monitored state with a timestamp.
+ Navigate to Local Traffic :: Pools : Pool List :: <pool_name>, under the Members tab, click the pool member name. The 'Availability' field shows text describing the pool member's monitored state with a timestamp.
Conditions:
This may occur under the following conditions:
-- If an incremental config sync occurs from one high availability (HA) member to another member or to the device group:
+ The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
+ If a Node or Pool Member has been marked DOWN by a monitor, its timestamp may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.
-- If a full/forced config sync occurs from one HA member to another member or to the device group:
+ The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
+ The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.
-- If a config load occurs:
+ The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on the HA member where the config load occurred.
+ The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on the HA member where the config load occurred.
Impact:
The timestamp indicated next to the monitored-state description for an LTM Node or Pool Member indicates when the Node or Pool Member was updated in ways other than by its configured monitor. Thus, this timestamp may not indicate the actual time of the monitor event suggested by the description text.
Workaround:
None.
905749-2 : imish crash while checking for CLI help string in BGP mode
Component: TMOS
Symptoms:
imish crashes while checking the help strings of '(no) neighbor x.x.x.x fall-over bfd ?' when Border Gateway Protocol (BGP) is configured.
Conditions:
-- Configure BGP.
-- Check for help strings in imish using the '?' (question mark) character.
Impact:
imish crash.
Although imish crashes, BGP functionality is not impacted.
Workaround:
Avoid using '?' while entering the commands.
905681 : Incorrect enforcement of policy parameters
Component: Application Security Manager
Symptoms:
A parameter is not enforced correctly (i.e., it shows as a false positive or a false negative).
Conditions:
-- The parameter is configured as a global wildcard parameter.
-- The parameter also appears as an explicit parameter on a different policy.
-- Other conditions related to the name of the parameter may apply (e.g., numerical suffix).
Impact:
Enforcement returns false-positive or false-negative results.
Workaround:
Change the parameters to either explicit parameters or URL-level parameters assigned to all the URLs.
905557-6 : Tmm could core with SIGSEGV while expiring an MDS connflow for a down pool member
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm core with SIGSEGV.
Conditions:
-- BIG-IP DNS configured and in service.
-- A pool member is marked down.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
905477-4 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX
Component: Local Traffic Manager
Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.
Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.
Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.
Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issue does not occur.
904785 : Remotely authenticated users may experience difficulty logging in over the serial console
Component: TMOS
Symptoms:
-- When a remotely authenticated user attempts login over the serial console, the username and password are accepted, but the session closes immediately thereafter.
-- Login over SSH is successful for the same user
Conditions:
-- Remote authentication (e.g., LDAP) and role mapping configured on the BIG-IP system.
-- Attempted login over the serial console for a remotely authenticated user who has been assigned a role.
Impact:
Remotely authenticated users cannot log in over the serial console.
Workaround:
Use either of the following workarounds:
-- Log in over SSH instead.
-- If acceptable (taking into account security considerations), enable terminal access for all remote users regardless of assigned role, using 'tmsh modify auth remote-user remote-console-access tmsh' or within the GUI.
904625-4 : Changes to SSL.CertRequest.* DB variables cause HA devices go out of sync
Component: Local Traffic Manager
Symptoms:
The GUI saves SSL certificate/CSR subject fields data into SSL.CertRequest.* DB variables to use them in pre-populating subject fields for subsequent modifications.
Conditions:
-- SSL certificate/CSR modification through GUI.
-- Changing the content of the SSL.CertRequest.* DB variables.
-- High availability (HA) configuration.
Impact:
HA devices go out of sync.
Workaround:
SSL.CertRequest.* DB variables are used only as GUI SSL certificate/CSR pre-populated suggestions.
You can still review and modify them before completing SSL certificate/CSR modification operation, so it is safe to sync them onto the HA peer.
904593-2 : Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled
Component: Application Security Manager
Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, the configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.
Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
Impact:
Configuration of all devices in the Auto Scale group is overwritten.
Workaround:
Disable ASM Live Update Automatic Download.
This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.
For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping
-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable
904041-4 : Ephemeral pool members are missing from pool of Common partition when reloading configuration for current partition
Component: TMOS
Symptoms:
-- A pool in a partition other than Common has issues when reloading the configuration of that partition when the ephemeral nodes are assigned to the Common partition instead of the partition that the ephemeral member belongs to.
-- Ephemeral pool members are missing from pool.
Conditions:
When reloading the configuration of a non-"Common" partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"
Impact:
Missing pool members.
Workaround:
Reload the entire configuration instead of just the single partition.
903581-2 : The pkcs11d process cannot recover under certain error condition
Component: Local Traffic Manager
Symptoms:
When the connection between the BIG-IP system and the HSM (SafeNet) is interrupted, pkcs11d is unable to recover in some cases.
Conditions:
Connection between the BIG-IP system and the HSM device is interrupted.
Impact:
SSL handshake failure.
Workaround:
Restart the pkcs11d process using the following command:
restart /sys service pkcs11d
903521-4 : TMM fails to sign responses from BIND when BIND has "dnssec-enable no"
Component: Global Traffic Manager (DNS)
Symptoms:
TMM fails to sign responses from BIND.
Conditions:
BIND has "dnssec-enable no" in named.conf.
Impact:
TMM fails to sign responses from BIND.
Workaround:
Remove "dnssec-enable no" from named.conf in options section.
903501-1 : VPN Tunnel establishment fails with some ipv6 address
Component: Access Policy Manager
Symptoms:
VPN tunnel establishment fails with some IPv6 addresses.
Conditions:
- APM is provisioned.
- Network Access with IPv6 virtual server is configured.
Impact:
VPN Tunnel cannot be established.
Workaround:
1. Disable the DB variable isession.ctrl.apm:
tmsh modify sys db isession.ctrl.apm value disable
2. Perform 'Apply Access Policy' for the access policy attached to the virtual server.
Important: The iSession control channel is needed if optimized apps are configured, so use this workaround only when 'No optimized apps are configured' is set (available in the GUI by navigating to Access :: Connectivity / VPN : Network Access (VPN) : Network Access Lists :: {NA resources} :: 'Optimization' tab).
903357-3 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers
Component: Application Security Manager
Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.
Conditions:
At least one Bot profile is attached to hundreds of virtual servers. With 750 or more virtual servers attached, the slow loading is significant.
Impact:
Bot Defense list page loading time can take more than 30 seconds.
Workaround:
None.
903265-1 : Single user mode faced sudden reboot
Component: TMOS
Symptoms:
Being logged into the system in single user mode (emergency shell) causes a sudden automatic reboot after some time (~5-to-10 minutes, or longer).
Conditions:
-- Using iSeries platforms.
-- When logged into the emergency shell by appending rd.break to kernel command line.
Impact:
The device reboots after some time. Because of the automatic reboot, you cannot reliably use the emergency shell.
Workaround:
None.
902417-4 : Configuration error caused by Drafts folder in a deleted custom partition★
Component: TMOS
Symptoms:
An error occurs during config load because the Drafts folder associated with a custom partition still exists after the partition is deleted:
01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.
Conditions:
Create a draft policy under a custom partition.
Impact:
Impacts the software upgrade.
Workaround:
Remove the Draft folder config from bigip_base.conf or, after removing the partition, use the command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config".
901989-4 : Boot_marker writes to /var/log/btmp
Component: TMOS
Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.
A message similar to:
Apr 21 09:19:52 bigip1 warning sshd[10901]: pam_lastlog(sshd:session): corruption detected in /var/log/btmp
... may be logged to /var/log/secure.
Conditions:
-- Rebooting a BIG-IP.
Impact:
Since this file is unknowingly corrupt at first boot, any potential investigation needing this data may be compromised.
Workaround:
After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp
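A check for the corruption described in 901989, as an added example and not F5 code: it walks a btmp image as fixed 384-byte records (the glibc x86_64 `struct utmp` layout is assumed) and reports the offsets where the file stops parsing. The sample records and the marker text are constructed; the real boot_marker format is not shown on this page.

```python
import struct

# Linux/glibc x86_64 struct utmp layout (384 bytes). "<" disables implicit
# padding, so the 2 alignment bytes after ut_type are written as "2x".
# Fields: ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6 (4 ints), 20 unused bytes.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
RECORD_SIZE = UTMP.size  # 384
VALID_TYPES = range(0, 10)  # EMPTY (0) through ACCOUNTING (9)


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one constructed utmp record for the sample data below."""
    return UTMP.pack(ut_type, pid, line, b"", user, host,
                     0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def printable_prefix(raw):
    """True if the C string stored in a fixed-width field is printable ASCII."""
    text = raw.split(b"\x00", 1)[0]
    return all(32 <= byte < 127 for byte in text)


def audit_btmp(data):
    """Return a list of (offset, reason) for every place the image fails to parse.

    Text written into the file shifts every later record off the 384-byte
    grid, so the first finding marks where the binary data stops being usable.
    """
    findings = []
    whole, trailing = divmod(len(data), RECORD_SIZE)
    for index in range(whole):
        offset = index * RECORD_SIZE
        fields = UTMP.unpack_from(data, offset)
        ut_type, ut_line, ut_user = fields[0], fields[2], fields[4]
        if ut_type not in VALID_TYPES:
            findings.append((offset, f"invalid ut_type {ut_type}"))
        elif not (printable_prefix(ut_line) and printable_prefix(ut_user)):
            findings.append((offset, "non-printable ut_line or ut_user"))
    if trailing:
        findings.append((whole * RECORD_SIZE,
                         f"{trailing} trailing bytes, not a whole number of records"))
    return findings


# Constructed sample data: three failed-login records (ut_type 6).
GOOD = [
    make_record(6, 4101, b"ssh:notty", b"admin", b"192.0.2.10", 1587460700),
    make_record(6, 4102, b"ssh:notty", b"root", b"192.0.2.11", 1587460750),
    make_record(6, 4103, b"ssh:notty", b"guest", b"192.0.2.12", 1587460800),
]
# Constructed stand-in for a text line written into the binary file.
MARKER = b"--- constructed text marker, not the real boot_marker format ---\n"
CLEAN = b"".join(GOOD)
CORRUPT = GOOD[0] + GOOD[1] + MARKER + GOOD[2]

if __name__ == "__main__":
    for name, image in (("clean", CLEAN), ("corrupt", CORRUPT)):
        print(name, audit_btmp(image) or "ok")
```

To audit a copy of a real file, pass its bytes to `audit_btmp()` before truncating it, so that the records written before the first finding can still be preserved.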
901929-4 : GARPs not sent on virtual server creation
Component: Local Traffic Manager
Symptoms:
When a virtual server is created, GARPs are not sent out.
Conditions:
-- Creating a new virtual server.
Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.
Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.
901669-2 : Error status in "show cm failover-status" after MGMT-IP change
Component: TMOS
Symptoms:
The "tmsh show cm failover-status" command shows failover connection status "Error" on one device, but manual failover is working properly.
Conditions:
-- Two or more devices configured with high availability (HA) and are in sync.
-- The management IP address is changed on one of the devices.
-- "show cm failover-status" is run on the peer. The command returns "Error" status.
Impact:
The tmsh show cm failover-status command indicates an error, even though the devices are in sync and failover communication is working.
Workaround:
tmsh restart sys service sod
901589 : TMM crash occurred while generating cookie for TCP Fast Open
Component: Local Traffic Manager
Symptoms:
TMM crash.
Conditions:
TMM core occurred while generating a cookie for TCP Fast Open.
Impact:
TMM coring causes a failover event. Traffic disrupted while tmm restarts.
Workaround:
None.
901061-4 : Safari browser might be blocked when using Bot Defense profile and related domains.
Component: Application Security Manager
Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.
Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.
Impact:
Some requests might be blocked.
Workaround:
None.
901033-1 : TCP::respond causing memory exhaustion issue when send buffer overwhelmed available TCP window
Component: Local Traffic Manager
Symptoms:
The test traffic is controlled and being increased with an iRule running TCP::respond. iRules operate fine until some threshold is reached, after which memory usage continually increases even though the traffic level remains stable. This memory growth increases until the reaper is activated and connections are removed.
Conditions:
A specific threshold of data is reached. The threshold varies, depending on the memory available on the BIG-IP system.
Impact:
Memory usage continually increases even though the traffic level remains stable. This memory growth increases until the reaper is activated and connections are removed. A tmm core is observed. Traffic disrupted while tmm restarts.
Workaround:
None.
900933-2 : IPsec interoperability problem with ECP PFS
Component: TMOS
Symptoms:
IPsec tunnels fail to remain established after initially working.
On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer.
This may also immediately present as a problem when trying to establish a second tunnel to the same peer.
Conditions:
- IPsec IKEv2 tunnel.
- A remote peer that is not another BIG-IP system.
- Elliptic curve groups (ECP) are used for Perfect Forward Secrecy (PFS).
Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.
Workaround:
Do not use ECP for PFS.
900825-2 : WAM image optimization can leak entity reference when demoting to unoptimized image
Component: WebAccelerator
Symptoms:
WAM image optimization can leak entity reference when demoting to unoptimized image.
WAM allows PNG files to be optimized to WEBP and JPG files to be optimized to JPEG XR formats, based on capabilities inferred from the client's User-Agent value. Once the optimized version is in the cache, internal check failures might cause the entity/document to be reverted to the unoptimized version. If this unoptimized version is already present in the cache, a reference to the corresponding entity is leaked, thus causing the entity to be held in memory along with attached resource/document objects and associated storage (UCI).
Conditions:
-- WAM-optimized PNG files (to WEBP) and JPG files (to JPEG XR) on the system.
-- A policy change occurs that causes an internal check to fail.
Note: This can also occur in some cases without actual changes to the policy if the optimization step is skipped by wamd.
Impact:
WAM image optimization might leak entity reference.
Workaround:
None.
900797-4 : Brute Force Protection (BFP) hash table entry cleanup
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the least recently used (LRU) entry is removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.
Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of all the hash tables together, which is then divided among the virtual servers that have traffic and BFP enabled.
In the latter case, with too many virtual servers, the hash table may reach its maximum capacity.
Impact:
Mitigated entries that keep getting removed from the hash table by new entries may result in attacks not getting mitigated.
Workaround:
N/A
900789-4 : Alert before Brute Force Protection (BFP) hash are fully utilized
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the least recently used (LRU) entry is removed.
However, before this scenario is reached, an alert should be sent to '/var/log/asm'. Currently, there is no tangible warning or alert that states the status of the hash table for the relevant virtual server.
Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of all the hash tables together, which is then divided among the virtual servers that have traffic and BFP enabled.
In the latter case, with too many virtual servers, the hash table may reach its maximum capacity.
Impact:
No alert is sent in case of reaching maximum capacity of the hash table.
Workaround:
N/A
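The sizing rule and eviction behaviour described in 900797 and 900789, as an added capacity-planning model and not F5's implementation: it splits a non-zero external_entity_hash_size across virtual servers, tracks entries in LRU order, records when a mitigated entry is evicted, and raises the kind of pre-capacity alert that 900789 says is missing. The class name, the 90% alert ratio, the three-failure mitigation threshold and the sample keys are assumptions.

```python
from collections import OrderedDict


def per_vs_capacity(external_entity_hash_size, active_virtual_servers):
    """Non-zero setting: the total is shared by the virtual servers that
    have traffic and BFP enabled."""
    if external_entity_hash_size == 0:
        raise ValueError("0 = sized automatically from system memory; not modelled")
    return external_entity_hash_size // max(1, active_virtual_servers)


class BfpTableModel:
    """Hypothetical model of one virtual server's failed-login table."""

    def __init__(self, capacity, alert_ratio=0.9, mitigate_after=3):
        self.capacity = capacity
        self.alert_ratio = alert_ratio        # assumed alert threshold
        self.mitigate_after = mitigate_after  # assumed failures before mitigation
        self.entries = OrderedDict()          # key -> [failed_count, mitigated]
        self.alerts = []                      # entry counts at which an alert fired
        self.evicted_mitigated = []           # mitigated keys lost to eviction

    def failed_login(self, key):
        """Count one failed login; return True if the key is now mitigated."""
        if key in self.entries:
            self.entries.move_to_end(key)     # most recently used
        else:
            if len(self.entries) >= self.capacity:
                old_key, (_, was_mitigated) = self.entries.popitem(last=False)
                if was_mitigated:
                    self.evicted_mitigated.append(old_key)
            self.entries[key] = [0, False]
        record = self.entries[key]
        record[0] += 1
        if record[0] >= self.mitigate_after:
            record[1] = True
        # Alert once, before the table is full, so operators can resize it.
        if not self.alerts and len(self.entries) >= self.alert_ratio * self.capacity:
            self.alerts.append(len(self.entries))
        return record[1]


def run_model(total_size=100, active_virtual_servers=10):
    """Constructed scenario: one mitigated source, then enough distinct
    new keys to fill the table."""
    table = BfpTableModel(per_vs_capacity(total_size, active_virtual_servers))
    source = "ip:198.51.100.7"                # constructed sample key
    for _ in range(table.mitigate_after):
        mitigated_before = table.failed_login(source)
    for n in range(table.capacity):
        table.failed_login(f"user:constructed-{n}")
    # The source's counter restarts from zero because its entry was evicted.
    mitigated_after = table.failed_login(source)
    return {
        "capacity": table.capacity,
        "alert_at": table.alerts,
        "mitigated_before": mitigated_before,
        "mitigated_after": mitigated_after,
        "evicted_mitigated": table.evicted_mitigated,
    }


if __name__ == "__main__":
    print(run_model())
```

Rerunning `run_model()` with a larger `active_virtual_servers` shows how quickly the per-table capacity shrinks for a fixed total.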
900485-4 : Syslog-ng 'program' filter does not work
Component: TMOS
Symptoms:
The 'program' filter type does not work with the BIG-IP system's version of syslog-ng.
Conditions:
-- Using the 'program' expression in a syslog-ng filter.
Impact:
Unable to filter messages as expected.
Workaround:
None.
899933-4 : Listing property groups in TMSH without specifying properties lists the entire object
Component: TMOS
Symptoms:
When listing a property group, if you do not specify any specific properties within that group, the entire object is listed.
Conditions:
-- Using TMSH to list a property group of an object.
-- Not specifying any properties within the property group.
Impact:
Unexpected output.
Workaround:
None.
899253-4 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
Component: Global Traffic Manager (DNS)
Symptoms:
Changes made to wide IP pools through GUI management do not take effect.
Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.
Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.
Workaround:
Use TMSH.
898997-4 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
Component: Service Provider
Symptoms:
GTP message parsing fails, and log messages similar to the following may be observed:
GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).
Conditions:
- A GTP profile is applied to the virtual server, or the GTP::parse command is used.
- The GTP message contains an IE (information element) that is larger than 2048 bytes.
Impact:
- Message parsing fails; traffic may be interrupted.
898929-2 : Tmm might crash when ASM, AVR, and pool connection queuing are in use
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates a core file.
Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.
Impact:
Tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Disable connection queuing on the pool.
898825-4 : Attack signatures are enforced on excluded headers under some conditions
Component: Application Security Manager
Symptoms:
Attack signatures are marked as detected when they should be marked as excluded (i.e., a false positive).
Conditions:
-- A 100-continue transaction occurs in HTTP.
-- The internal parameter answer_100_continue is set to a non-default value of 0.
Impact:
False positive enforcement for header signature.
Workaround:
Set the answer_100_continue to 1 (default) on versions later than 15.0.0.
898753-3 : Multicast control-plane traffic requires handling with AFM policies
Component: Local Traffic Manager
Symptoms:
AFM virtual-server specific rules are being matched against control-plane traffic.
Conditions:
-- Broadcast OSPF configured.
-- AFM provisioned.
-- OSPF neighbor configured.
Impact:
OSPF neighborship is not formed.
Workaround:
Add an AFM route-domain policy.
898741-4 : Missing critical files causes FIPS-140 system to halt upon boot
Component: Application Security Manager
Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.
Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing
Impact:
System halts during boot because of sys-eicheck.py failure.
Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.
If the missing files are due to missing signature update files:
- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.
898733-1 : SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM
Component: Local Traffic Manager
Symptoms:
SSL handshakes intermittently fail for virtual servers using HSM keys.
In /var/log/ltm you see errors:
err pkcs11d[6575]: 01680002:3: Key table lookup failed. error.
Conditions:
1. Keys were created on earlier versions of BIG-IP software with fipskey.nethsm wrapper, and the device was upgraded to 14.1.0 or later.
2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm wrapper.
3. The platform is a multi-bladed Viprion.
This can occur after applying the workaround for ID758491:
https://cdn.f5.com/product/bugtracker/ID758491.html
Impact:
SSL handshakes that arrive on the secondary blade(s) fail.
Handshakes arriving on the primary blade work fine.
Workaround:
Re-install the Thales client after the upgrade.
898705-3 : IPv6 static BFD configuration is truncated or missing
Component: TMOS
Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.
-- IPv6 static BFD configuration entries go missing during a daemon restart.
Conditions:
IPv6 static BFD configuration.
Impact:
The IPv6 static BFD configuration does not persist during reloads.
-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.
Workaround:
None.
898685-2 : Order of ciphers changes after updating cipher group
Component: Local Traffic Manager
Symptoms:
The order of cipher results may change with no modification in the cipher group.
Conditions:
Click 'Update' in a cipher group in the GUI without making any changes.
Impact:
The order of the ciphers changes. During a handshake, SSL/TLS may not be able to select ciphers in the preferred order.
Workaround:
Create a cipher rule with the preferred cipher order and include only a single rule in the cipher group allow list.
898577-4 : Executing a command in "mgmt tm" using iControl REST results in tmsh error
Component: TMOS
Symptoms:
When you try to update the frequency of live-update using iControl REST, it results in a java exception being returned instead of updating the value.
Conditions:
When a command for updating the frequency of live updates is executed using iControl REST in an ASM configured BIG-IP.
Impact:
You are unable to update the frequency of live-update via iControl REST.
898461-4 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
Component: TMOS
Symptoms:
The following SCTP iRule commands:
-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port
are unavailable in the following MRF iRule events:
-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS
Attempts to use these commands in these events result in errors similar to:
01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].
Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.
Impact:
Unable to use these iRule commands within these iRule events.
Workaround:
None.
898389-3 : Traffic is not classified when adding port-list to virtual server from GUI
Component: TMOS
Symptoms:
Traffic is not matching to the virtual server.
Conditions:
Using the GUI to configure traffic-matching-criteria by adding port-list to the virtual server.
Impact:
Traffic loss.
Workaround:
Create the traffic-matching-criteria from the command line:
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm traffic-matching-criteria tmc_name_here destination-address-inline <IP ADDR>%10 route-domain <Route domain name>
898381 : Changing the setting of apm-forwarding-fastl4 profile does not take effect
Component: Access Policy Manager
Symptoms:
Changing the setting of apm-forwarding-fastl4 profile does not take effect and is not getting applied to the last leg of client-initiated VPN traffic.
Conditions:
- APM is configured on BIG-IP
- Admin has configured a VPN tunnel.
- Admin is trying to change the TCP characteristic of last leg of VPN tunnel traffic by tuning the parameters of Fastl4 profile apm-forwarding-fastl4
Impact:
Admin cannot enforce the updated values of the apm-forwarding-fastl4 profile on the last leg of client-initiated VPN tunnel traffic.
898373-1 : Unclear message: TakesTooLong was 0.00 exceeded the lower threshold of 10000
Component: Application Visibility and Reporting
Symptoms:
The system presents an unclear error message: TakesTooLong was 0.00 exceeded the lower threshold of 10000.
Conditions:
This occurs when the AVR page load times drop below the lower acceptable threshold.
Impact:
The message is unclear, making resolution difficult. A more accurate message might be: The AVR page load took 0.00, which is lower than the threshold of 10000.
Workaround:
None.
897185-1 : Resolver cache not using random port distribution
Component: Local Traffic Manager
Symptoms:
Outgoing queries to the backend DNS server use incremented port numbers instead of being distributed across random ports.
Conditions:
-- Fix of ID726176 is applied (see https://cdn.f5.com/product/bugtracker/ID726176.html )
Impact:
The port numbers are incremented.
896817-4 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
Component: TMOS
Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:
01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.
Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.
Impact:
Unable to replace configuration using TMSH's 'replace' verb.
Workaround:
None.
896693-2 : Patch installation is failing for iControl REST endpoint.
Component: TMOS
Symptoms:
The iControl REST async endpoint /mgmt/tm/task/util/ihealth behaves inconsistently:
-- A call to VALIDATE the async task is rejected with the error message: 'Operation is not allowed on component /util/ihealth.'
-- The task can be started by calling a different endpoint (e.g., /mgmt/tm/task/cli/script). In this case, the task completes immediately, however, a qkview generating iHealth util is still running. At the end, the qkview is generated.
Conditions:
-- Use iControl REST to create an async task for creating qkview using 'ihealth' with -n option (just generate file, do not upload to iHealth).
-- Try starting the async task by changing the status to VALIDATING.
Impact:
Patch for iControl REST endpoint is not successful. Patch operation is accepted by /mgmt/tm/task/cli/script/ but rejected by /mgmt/tm/task/util/ihealth.
Workaround:
None.
896689-2 : Asynchronous tasks can be managed via unintended endpoints
Component: TMOS
Symptoms:
An asynchronous task created on one endpoint can be started using some other endpoint.
Conditions:
-- Create an asynchronous task (e.g., creating a qkview using ihealth) using the endpoint /mgmt/tm/task/util/ihealth.
-- Gather the task ID of the created asynchronous task and send it to a different endpoint, e.g., /mgmt/tm/task/cli/script.
Impact:
The asynchronous task can be started using this endpoint but this is not intended behavior.
896245-1 : Inconsistency is observed in ARP behavior across releases
Component: Local Traffic Manager
Symptoms:
Creating and deleting VLANs/self IPs might end up with a different number of GARP responses, depending on the BIG-IP software version.
You might notice the differences when comparing older and newer releases, for example, when comparing v14.1.0 and earlier with versions older than v14.1.0.
Conditions:
This might become evident when you upgrade from an older version.
Impact:
There is no functional impact as a result of this discrepancy.
Workaround:
None.
896217-4 : BIG-IP GUI unresponsive
Component: TMOS
Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.
Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.
Impact:
GUI becomes unresponsive.
Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat
895845-3 : Implement automatic conflict resolution for gossip-conflicts in REST
Component: TMOS
Symptoms:
The devices in a high availability (HA) environment are out of sync in strange ways; config sync status indicates 'In Sync', but iApps such as SSL Orchestrator are out of sync.
Conditions:
-- HA environment with two or more devices.
-- Gossip used for config sync. (Note: Gossip sync is used by BIG-IQ for BIG-IP config sync by iAppLX.)
-- A gossip conflict occurs for some reason.
You can detect gossip conflicts at the following iControl REST endpoint:
/mgmt/shared/gossip-conflicts
You can check gossip sync status at the following iControl REST endpoint:
/mgmt/shared/gossip
Impact:
If there are gossip conflicts, the devices require manual intervention to get back in sync.
Workaround:
When two devices are out of sync with different generation numbers due to gossip conflict, you can use the following guidance to resolve the conflict:
1. Update the devices' info to use the same generation number.
2. This info is found on the REST Storage worker. The Storage worker uses the selflink plus a generation number as the key to a given set of data.
3. Add the data from the unit with the highest generation number to the other unit.
4. Take care to also increase the generation number on the new data to match that of the highest generation.
Commands used:
1. Look for GENERATION_MISSING and gossip-conflict objects:
tmsh list mgmt shared gossip-conflicts
2. Get the 'selflink in remoteState' attribute. This self link is the same across all devices; check it in the browser against each device to discover the device that is on the highest generation number:
tmsh list mgmt shared gossip-conflicts <OBJECT_ID>
3. Now that you know which device contains the most recent version of your data, run this command to get the up-to-date data:
restcurl /shared/storage?key=<everything after 'https://localhost/mgmt/' on selflink>
4. Make a post to the out-of-date device that includes the info from the up-to-date device as the post body:
restcurl -X POST /shared/storage -d '{<data from above command>}'
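The comparison in steps 2 to 4 above can be planned offline once each unit's copy of the conflicting object has been saved as JSON. The following is an added example, not F5 code: the function names, the device names and the sample object are assumptions, and only the 'selfLink' and 'generation' fields and the two restcurl command forms come from this page.

```python
import json
import shlex

MGMT_PREFIX = "https://localhost/mgmt/"


def storage_key(self_link):
    """Return everything after 'https://localhost/mgmt/' in a selfLink."""
    if not self_link.startswith(MGMT_PREFIX):
        raise ValueError("unexpected selfLink prefix: %r" % (self_link,))
    key = self_link[len(MGMT_PREFIX):]
    if not key:
        raise ValueError("selfLink has no path after the prefix")
    return key


def _generation(doc):
    """Generation number of a copy, or -1 when it is missing or not an integer."""
    gen = doc.get("generation")
    if isinstance(gen, bool) or not isinstance(gen, int):
        return -1
    return gen


def plan_resync(copies):
    """Work out which device holds the newest copy of one conflicting object.

    copies maps a device name to the JSON document (a dict) that device
    returned for the object, or to None when the device has no copy.
    """
    present = {dev: doc for dev, doc in copies.items() if doc is not None}
    if not present:
        raise ValueError("no device returned a copy of the object")

    links = {doc.get("selfLink") for doc in present.values()}
    if len(links) != 1 or None in links:
        raise ValueError("copies do not share one selfLink")
    key = storage_key(next(iter(links)))

    highest = max(_generation(doc) for doc in present.values())
    if highest < 0:
        raise ValueError("no copy carries a usable generation number")
    leaders = sorted(d for d, doc in present.items() if _generation(doc) == highest)

    # Same generation but different content cannot be ordered by generation
    # alone; stop and leave that case to a human.
    bodies = {json.dumps(present[d], sort_keys=True) for d in leaders}
    if len(bodies) != 1:
        raise ValueError("devices %s share generation %d but differ" % (leaders, highest))

    body = bodies.pop()
    return {
        "key": key,
        "source": leaders[0],
        "generation": highest,
        "stale": sorted(d for d in copies if d not in leaders),
        "fetch_cmd": "restcurl " + shlex.quote("/shared/storage?key=" + key),
        "post_cmd": "restcurl -X POST /shared/storage -d " + shlex.quote(body),
    }


# Constructed sample: device names, the object path and its fields are made up.
SAMPLE_COPIES = {
    "bigip-a": {"selfLink": MGMT_PREFIX + "shared/example/items/1234",
                "generation": 5, "state": "BINDING"},
    "bigip-b": {"selfLink": MGMT_PREFIX + "shared/example/items/1234",
                "generation": 7, "state": "BOUND"},
    "bigip-c": None,  # this unit has no copy of the object
}

if __name__ == "__main__":
    plan = plan_resync(SAMPLE_COPIES)
    print("newest copy on %(source)s (generation %(generation)d)" % plan)
    print("run on %s: %s" % (plan["source"], plan["fetch_cmd"]))
    for device in plan["stale"]:
        print("run on %s: %s" % (device, plan["post_cmd"]))
```

The plan refuses to pick a source when two units report the same generation with different content, because the generation number alone cannot order them.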
895837-1 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified
Component: TMOS
Symptoms:
Virtual server configured with:
-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0
-- The configuration uses a destination port list.
Conditions:
Modify the virtual server's port-list to a different one.
Impact:
Mcpd generates a core, and causes services to restart and failover.
Workaround:
None.
895801-4 : Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted
Component: Service Provider
Symptoms:
After modifying an MRF transport-config to use a different TCP profile, TMM must be restarted for this change to take effect. tmm crash
Conditions:
-- Using MRF with a transport-config.
-- Modifying the transport-config so that it uses a different TCP profile.
Impact:
Expected changes do not take effect until TMM is restarted.
Workaround:
Restart TMM.
Note: Traffic is disrupted while tmm restarts.
895205-4 : A circular reference in rewrite profiles causes MCP to crash
Component: Local Traffic Manager
Symptoms:
MCPD crash when modifying rewrite profile.
Conditions:
-- More than one rewrite profile is configured.
-- At least two rewrite profiles are referencing each other circularly.
Impact:
MCPD crash. For a Device Service Cluster this results in a failover. For a standalone system, this results in an outage.
Workaround:
Do not create circular references with profiles.
895165-4 : Traffic-matching-criteria with "any" protocol overlaps with explicit protocols
Component: Local Traffic Manager
Symptoms:
An error like the example below occurs when defining "any" protocol after previously defining traffic-matching-criteria with explicit protocols.
01b90011:3: Virtual Server /Common/vs-tcp's Traffic Matching Criteria /Common/vs-tcp_IP_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs-any destination address, source address, service port.
Conditions:
-- Previously defining traffic-matching-criteria with explicit protocols
-- Afterwards defining virtual server with "any" protocol
Impact:
Cannot define a valid virtual server with "any" protocol
Workaround:
N/A
895141 : HTTP::has_responded returns incorrect values when using HTTP/2
Component: Local Traffic Manager
Symptoms:
HTTP::has_responded isn't detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded will always return the value false.
Conditions:
-- HTTP2 Profile.
-- iRule containing the command HTTP::has_responded
Impact:
Calls to HTTP::respond or HTTP::redirect will not be correctly identified by HTTP::has_responded when using HTTP/2.
Workaround:
None.
894593 : High CPU usage caused by the restjavad daemon continually crashing and restarting
Component: TMOS
Symptoms:
Restjavad may become unstable if the amount of memory required by the daemon exceeds the value allocated for its use.
Conditions:
The memory required by the restjavad daemon may grow significantly in system configurations with either a high volume of device statistics collection (AVR provisioning), or with a relatively large number of LTM objects managed by the REST framework (SSL Orchestrator provisioning).
Impact:
The overall system performance is degraded during the continuous restart of the restjavad daemon due to a relatively high CPU usage.
Workaround:
Increase the memory allocated for the restjavad daemon (e.g. 2 GB), by running the following commands in a BIG-IP terminal.
tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.extramb value 2048
bigstart restart restjavad
894545-4 : Creating a virtual server in the GUI with a destination address list and 'All Ports' can erroneously conflict with other virtual servers
Component: TMOS
Symptoms:
If you have an existing virtual server that uses an address list for its destination and 'All Ports' configured for its port, then if you attempt to create another virtual server with a different (non-overlapping) address list with 'All Ports' configured and a protocol that overlaps (i.e., is either the same, or one of the protocols is 'All Protocols'), then creation of the virtual server will fail with an error similar to:
01b90011:3: Virtual Server /Common/test's Traffic Matching Criteria /Common/test_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/test2 destination address, source address, service port.
Conditions:
-- Using the GUI.
-- An existing virtual server that uses an address list as its destination and has its Service Port set to 'All Ports'.
-- An attempt to create another virtual server with a (non-overlapping) destination address list and 'All Ports' that has an overlapping Protocol (i.e., is either the same, or one of the protocols is 'All Protocols').
Impact:
Unable to create a valid virtual server.
Workaround:
Use TMSH to create the second virtual server instead.
893885 : The tpm-status command returns: 'System Integrity: Invalid' after HotFix installation
Component: TMOS
Symptoms:
The tpm-status command incorrectly reports system integrity status as 'Invalid' even when system software is not modified.
Conditions:
-- BIG-IP software v14.1.0 or later version.
-- EHF installed on TPM-supported BIG-IP platform.
Impact:
Incorrect presentation of system software status.
Workaround:
None.
893813-1 : Modifying pool enables address and port translation in TMUI
Component: TMOS
Symptoms:
When modifying the pool for a virtual server, address translation and port translation checkboxes are enabled irrespective of their initial state.
Conditions:
-- Creating a virtual server using the GUI
-- Advanced Configuration is selected
-- Address Translation or Port Translation checkboxes are initially unchecked
-- You modify a pool from this screen
Impact:
Virtual server is created with address and port translation enabled.
Workaround:
You can disable it by again editing the virtual server.
893341-1 : BIG-IP VE interface is down after upgrade from v13.x w/ workaround for ID774445
Component: TMOS
Symptoms:
You have BIG-IP Virtual Edition (VE) v13.1.x affected by ID 774445, and its workaround is in place:
echo "device driver vendor_dev 15ad:07b0 unic" >> /config/tmm_init.tcl
After upgrading to a newer version, interfaces are down.
Conditions:
-- VE environment affected by the ID774445.
-- Apply the workaround described in K74921042: BIG-IP VE may fail to process traffic after upgrading the VMware ESXi 6.7 host to Update 2 (or later) :: https://support.f5.com/csp/article/K74921042.
Impact:
Interfaces are down because the driver in use is empty.
This occurs because the file tmm_init.tcl is copied as part of the upgrade process. But because v15.0.0 does not have the 'unic' driver, the system interprets the value as empty.
Workaround:
1. Edit the /config/tmm_init.tcl file to remove the following line:
device driver vendor_dev 15ad:07b0 unic
2. Reboot into the new software version.
3. Restart TMM:
tmsh restart sys service tmm
893281-1 : Possible ssl stall on closed client handshake
Component: Local Traffic Manager
Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.
Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.
Impact:
Some SSL client connections remain until idle timeout.
893093-4 : An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.
Component: TMOS
Symptoms:
The intended screen does not show when you navigate in the WebUI to either of the following locations:
-- System :: Certificate Management :: Device Certificate Management :: Device Trust Certificates
-- DNS :: GSLB :: Servers :: Trusted Server Certificates
The system returns the following error:
An error has occurred while trying to process your request.
Additionally, a Java stack trace is also logged to the /var/log/tomcat/catalina.out file.
Conditions:
An extraneous SSL CSR file is present in the /config/big3d or /config/gtm directory.
-- When the extraneous file is in the /config/big3d directory, the System :: Certificate Management :: Device Certificate Management :: Device Trust Certificates screen is affected.
-- When the extraneous file is in the /config/gtm directory, the DNS :: GSLB :: Servers :: Trusted Server Certificates screen is affected.
Impact:
The WebUI cannot be used to inspect those particular SSL certificate stores.
Workaround:
The /config/big3d and /config/gtm directories are meant to contain only one file each (client.crt and server.crt, respectively).
You can resolve this issue by inspecting those directories and removing any file that may have been accidentally copied to them.
For more information on those directories, refer to: K15664: Overview of BIG-IP device certificates (11.x - 15.x) :: https://support.f5.com/csp/article/K15664.
893061-1 : Out of memory for restjavad
Component: Application Security Manager
Symptoms:
REST framework not available due to Out of memory error
Conditions:
Long list of Live Update installations
Impact:
Live Update GUI is not responding.
Workaround:
1) Increase memory assigned to the Linux host: (value dependent on platform)
# tmsh modify sys db provision.extramb value 1000
2) Allow restjavad to access the extra memory:
# tmsh modify sys db restjavad.useextramb value true
3) Save the config:
# tmsh save sys config
4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.
5) Increase the restjavad maxMessageBodySize property:
# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
"maxMessageBodySize": 134217728,
"localhostRestnodedConnectionLimit": 8,
"defaultEventHandlerTimeoutInSeconds": 60,
"minEventHandlerTimeoutInSeconds": 15,
"maxEventHandlerTimeoutInSeconds": 60,
"maxActiveLoginTokensPerUser": 100,
"generation": 6,
"lastUpdateMicros": 1558012004824502,
"kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
"selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}
Ensure the command returns output showing the limit has been increased (as shown above).
6) Reboot the unit.
892801-4 : When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"
Component: Local Traffic Manager
Symptoms:
When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent".
Conditions:
-- An Internal Virtual Server is created without an existing 0.0.0.0 virtual address.
Impact:
The Internal Virtual Server will be considered unavailable and will not process traffic.
Workaround:
Create a 0.0.0.0 virtual address prior to creating the Internal Virtual Server.
892677-4 : Loading config file with imish adds the newline character
Component: TMOS
Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.
In particular, this affects the bigip_imish_config Ansible module.
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Regex expressions are not created properly.
Workaround:
You can use either of the following workarounds:
-- Delete and re-add the offending commands using the imish interactive shell.
-- Restart tmrouted:
bigstart restart tmrouted
892653-2 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
Component: Application Security Manager
Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.
Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI
Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.
Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html
892485-1 : A wrong OCSP status cache may be looked up and re-used during SSL handshake.
Component: Local Traffic Manager
Symptoms:
A wrong OCSP status entry in SessionDB is returned during a cache lookup due to using a wrong input parameter - certificate serial number. As a result, the wrong OCSP status is used in the SSL handshake.
Conditions:
An OCSP object is configured in a clientSSL or serverSSL profile.
Impact:
A wrong OCSP status may be reported in the SSL handshake.
892445-4 : BWC policy names are limited to 128 characters
Component: TMOS
Symptoms:
A 128-character limit for BWC policy object names is enforced and reports an error:
01070088:3: The requested object name <name> is invalid.
Conditions:
Attempting to create a BWC policy object with a name longer than 128 characters.
Impact:
Unable to create BWC policy objects with names that have more than 128 characters.
Workaround:
Use fewer than 128 characters when creating a BWC policy.
892385-2 : HTTP does not process WebSocket payload when received with server HTTP response
Component: Local Traffic Manager
Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.
Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.
Impact:
-- WebSocket connection hangs.
Workaround:
None.
892073-1 : TLS1.3 LTM policy rule based on SSL SNI is not triggered
Component: Local Traffic Manager
Symptoms:
A policy rule based on SSL SNI at SSL client hello is not triggered for a TLS1.3 connection.
Conditions:
-- LTM policy rule specifying SSL client hello SNI.
-- TLS1.3 connection.
Impact:
Policy rule not triggered for TLS1.3.
Workaround:
None.
891721-1 : Anti-Fraud Profile URLs with query strings do not load successfully
Component: TMOS
Symptoms:
When a URL containing a query string is added to an anti-fraud profile, the BIG-IP config load fails:
010719d8:3: Anti-Fraud URL '/url\?query=string' is invalid. Every protected URL should be a valid non-empty relative path specified in lower case in the case insensitive Anti-Fraud profile '/Common/antifraud'.
Unexpected Error: Loading configuration process failed.
Conditions:
Adding a query string to a URL for an anti-fraud profile.
Impact:
After a BIG-IP config save, loading of new bigip.conf fails.
Workaround:
Follow this procedure:
1. Remove the escaping characters \ (backslash) for ? (question mark) in the bigip.conf file.
2. Load the configuration.
891505-1 : TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.
Component: Access Policy Manager
Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.
Conditions:
OAuth agent is used in APM per-request policy subroutine and authentication fails.
Impact:
Over a period of time, TMM crashes, as it is unable to allocate any more memory. Traffic is disrupted while tmm restarts.
Workaround:
None.
891477 : No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server
Component: TMOS
Symptoms:
When a bandwidth control policy is applied on a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.
Both static bandwidth control policies and dynamic bandwidth control policies can cause the problem.
Conditions:
This issue occurs when both of the following conditions are met:
-- Virtual server configured with a bandwidth control policy.
-- Standard type of virtual server.
Impact:
The BIG-IP system does not retransmit unacknowledged data segments.
Workaround:
None.
891385-4 : Add support for URI protocol type "urn" in MRF SIP load balancing
Component: Service Provider
Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.
Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.
Impact:
SIP messages with urn URIs are rejected.
891373-4 : BIG-IP does not shut a connection for a HEAD request
Component: Local Traffic Manager
Symptoms:
When an HTTP request contains the 'Connection: close' header, the BIG-IP system shuts the TCP connection down. If a virtual server has a OneConnect profile configured, the BIG-IP system fails to close the connection for HEAD requests disregarding a client's demand.
Conditions:
-- A virtual server has HTTP and OneConnect profiles.
-- An HTTP request has the method HEAD and the header 'Connection: close'.
Impact:
Connection remains idle until it expires normally, consuming network resources.
Workaround:
None.
891337-3 : 'save_master_key(master): Not ready to save yet' errors in the logs
Component: TMOS
Symptoms:
During config sync, you see error messages in the logs:
save_master_key(master): Not ready to save yet.
Conditions:
UCS load or configuration synchronization that includes encrypted objects.
Impact:
Many errors seen in the logs.
Workaround:
None.
891221-4 : Router bgp neighbor password CLI help string is not helpful
Component: TMOS
Symptoms:
Unable to confirm the supported encryption types.
Enable or add the BGP routing protocol to a route domain:
imish >> enable >> conf t >> router bgp 20065004 >> neighbor 1.2.3.4 password ?
b7000.lab[0](config-router)#neighbor 1.1.1.1 password ?
WORD Encryption Type or the password
Conditions:
Configuring the bgp neighbor with encryption password.
Impact:
Unable to confirm the supported encryption types.
Workaround:
None.
891181-4 : Wrong date/time treatment in logs in Turkey/Istanbul timezone
Component: Application Security Manager
Symptoms:
There is a mismatch between server and GUI timezone treatment for the Turkey/Istanbul timezone.
Conditions:
User sets the Turkey/Istanbul timezone on BIG-IP.
Impact:
When filtering logs by time period, results differ from set period by an hour
Workaround:
Define time period one hour earlier for filtering ASM logs
890573-2 : BigDB variable wam.cache.smallobject.threshold may not pick up its value on restart
Component: WebAccelerator
Symptoms:
BIG-IP WAM/AAM provides a faster cache store called small object cache. To get into this cache, an object must have its size below a threshold defined in BigDB variable wam.cache.smallobject.threshold. BIG-IP does not always pick up this value after a restart of TMM.
Conditions:
- WAM/AAM is provisioned;
- A virtual server is configured with a webacceleration profile having a web application.
Impact:
When small object cache has a non-default value, it may incorrectly place an object into Small Object cache (faster cache store) or MetaStor (slower cache store), causing performance impact.
Workaround:
Reset wam.cache.smallobject.threshold value.
890401-2 : Restore correct handling of small object when conditions to change cache type is satisfied
Component: WebAccelerator
Symptoms:
BIG-IP system software allows you to cache HTTP responses with WAM/AAM web applications. There is a special storage location for small-size objects. If a caching object is about to exceed a threshold limit, the BIG-IP system might change its caching storage to MetaStor. A fix for ID 792045 introduced an issue for instances in which it does not, which resulted in not serving a cached object.
Conditions:
-- WAM/AAM is provisioned.
-- Virtual server has a webacceleration profile with a web application.
-- The BIG-IP software contains a fix for ID 792045.
Impact:
The BIG-IP system resets a connection with an error, a cached object is not served, and the rendering of a client's webpage is not correct.
Workaround:
None.
890285 : DNS resolver cannot forward DNS query to local IPv6 virtual server
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS resolver does not send backend DNS requests to local IPv6 virtual servers.
Conditions:
The DNS resolver refers to local IPv6 virtual servers.
Impact:
Unable to resolve DNS requests properly.
890277-2 : Mcpd takes too long on full config sync to a device group when there are large amount of partitions.
Component: TMOS
Symptoms:
When a full config sync is done to a device group with a large number of partitions:
a) Mcpd takes more time to complete the config sync.
b) CPU usage spikes on the device where the config push is done.
c) Mcpd is unresponsive to daemons like tmsh, GUI, etc., as it is busy pushing the config sync.
d) iQuery connections are killed due to high CPU utilization.
Conditions:
Full config sync on device with large partitions.
Impact:
Impedes management of device as well as kills iQuery connections to GTM
Workaround:
Enable Manual Incremental Sync
890229-3 : Source port preserve setting is not honoured
Component: Local Traffic Manager
Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.
Conditions:
This issue occurs when all of the following conditions are met:
-- You are running on a BIG-IP platform using RSS DAG hash, for instance, z100 and 2000- or 4000-series hardware platforms
-- The virtual server is configured with source-port preserve.
Impact:
Applications relying on a specific, fixed source port could break.
Workaround:
Set source-port to preserve-strict.
890169-1 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and the Bot Defense Profile decides to perform a simple redirect, the request results in a loading failure.
Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
889813-1 : show net bwc policy prints bytes-per-second instead of bits-per-second
Component: TMOS
Symptoms:
The tmsh show net bwc policy is printing out bits-per-second in the value field, but the name field says "bytesPerSec".
Conditions:
Running tmsh show net bwc policy
Impact:
The stats are in bits-per-second but the label says bytesPerSec.
889801-3 : Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE.
Component: Global Traffic Manager (DNS)
Symptoms:
Upon close inspection of the statistics of a particular DNS Cache, for example by running the command 'tmsh show ltm dns cache resolver <name>', you realize that the 'Total Responses' counter for the cache is not incrementing as much as it should be.
Specifically, by comparing the counter with packet captures or the stats of the DNS Profile, you realize the system is under-reporting 'Total Responses'.
Conditions:
The virtual server using the DNS Cache also uses an iRule which happens to include a suspending command (e.g., 'table') under the DNS_RESPONSE event.
Impact:
The incorrect DNS Cache statistics may confuse or mislead a BIG-IP Administrator.
No traffic impact exists as part of this issue. Responses are still being served from the cache even when the counter says they are not.
Workaround:
None.
889245-1 : Ndal ixvf driver can lock up
Component: Local Traffic Manager
Symptoms:
The TMM ixvf driver for the Virtual Function(VF) of an SRIOV x520 / 82599 card can under certain circumstances lockup the tx queue.
Conditions:
Unknown conditions
Impact:
No further transmit is possible.
Workaround:
None
889209-1 : Sflow receiver configuration may lead to egress traffic dropped after TMM starts.
Component: Local Traffic Manager
Symptoms:
Active Sflow receiver configuration may lead to all egress traffic getting dropped after TMM starts.
Conditions:
Enabled sflow receiver is configured.
Impact:
Egress traffic is dropped.
Workaround:
Disable Sflow receiver, save configuration, reboot.
889165-1 : "http_process_state_cx_wait" errors in log and connection reset
Component: Local Traffic Manager
Symptoms:
Large POST requests are getting occasionally reset and you see the following in /var/log/ltm:
err tmm[19279]: 011f0007:3: http_process_state_cx_wait - Invalid action:0x100011 clientside
Conditions:
-- An HTTP iRule is configured on a virtual server
-- A large POST request arrives on the virtual server
Impact:
Possible connection failure.
889029-4 : Unable to login if LDAP user does not have search permissions
Component: TMOS
Symptoms:
A user is unable to log in using remote LDAP.
Conditions:
-- BIG-IP configured to use LDAP authentication.
-- Remote user has no search permissions on directory
Impact:
Authentication does not work
Workaround:
Grant search permissions to the user in LDAP.
888341-5 : HA Group failover may fail to complete Active/Standby state transition
Component: TMOS
Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), high availability (HA) Group failover may not complete despite a high availability (HA) Group score change occurring. As a result, a BIG-IP unit with a lower high availability (HA) Group score may remain as the Active device.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.
For example:
-- For 1 floating traffic group, after 2485~ days.
-- For 2 floating traffic groups, after 1242~ days.
-- For 4 floating traffic groups, after 621~ days.
-- For 8 floating traffic groups, after 310~ days.
-- For 9 floating traffic groups, after 276~ days.
Note: You can confirm sod process uptime in tmsh:
# tmsh show /sys service sod
Conditions:
-- high availability (HA) Group failover mode configured.
Note: Only high availability (HA) Group failover is affected. The following failover configurations are not affected:
o VLAN failsafe failover.
o Gateway failsafe failover.
o Failover triggered by loss of network failover heartbeat packets.
o Failover caused by system failsafe (i.e., the TMM process was terminated on the Active unit).
Impact:
HA Group Active/Standby state transition may not complete despite high availability (HA) Group score change.
Workaround:
There is no workaround.
The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
888289-3 : Add option to skip percent characters during normalization
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.
Impact:
An attack goes undetected.
Workaround:
Turn on the bad unescape violation or the metacharacter violation.
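A simplified model of the condition in ID 888289, added here as an example (not F5 code and not how ASM is implemented): a percent sign that is not followed by two hex digits is reported as a bad unescape, and a signature is matched against the decoded text with and without skipping stray percent signs. The function names, the 'demo-keyword' signature and the sample values are constructed for illustration.

```python
import re

_HEX = set("0123456789abcdefABCDEF")


def decode(value, skip_stray_percent=False):
    """Percent-decode value once.

    Returns (decoded_text, offsets), where offsets lists every '%' that is
    not followed by two hex digits. Such a '%' is kept in the output unless
    skip_stray_percent is set, in which case it is dropped.
    """
    out = []
    bad = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        pair = value[i + 1:i + 3]
        if len(pair) == 2 and all(c in _HEX for c in pair):
            out.append(chr(int(pair, 16)))
            i += 3
        else:
            bad.append(i)
            if not skip_stray_percent:
                out.append("%")
            i += 1
    return "".join(out), bad


def inspect(value, signatures, bad_unescape_check=True, skip_stray_percent=False):
    """Return findings for one parameter value.

    signatures maps a signature name to a regular expression that is
    searched in the lower-cased, decoded value.
    """
    text, bad = decode(value, skip_stray_percent)
    findings = []
    if bad_unescape_check and bad:
        findings.append(("bad-unescape", len(bad)))
    lowered = text.lower()
    for name, pattern in sorted(signatures.items()):
        if re.search(pattern, lowered):
            findings.append(("signature", name))
    return findings


# Constructed samples: a harmless keyword stands in for an attack signature.
SIGNATURES = {"demo-keyword": r"blockme"}
PADDED = "b%l%o%c%k%m%e"   # a percent sign between every character
ENCODED = "%62lockme"      # valid encoding of the same keyword

if __name__ == "__main__":
    cases = [
        ("both checks off", dict(bad_unescape_check=False)),
        ("bad unescape on", dict()),
        ("skip stray percent", dict(bad_unescape_check=False,
                                    skip_stray_percent=True)),
    ]
    for label, options in cases:
        print("%-20s %r" % (label, inspect(PADDED, SIGNATURES, **options)))
    print("%-20s %r" % ("valid encoding", inspect(ENCODED, SIGNATURES)))
```

With the bad unescape check off and stray percent signs left in place, the padded value produces no finding, which is the missed detection this entry describes.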
888113-1 : HUDEVT_CALLBACK is queued after HUDCTL_ABORT in HTTP-MR proxy
Component: Local Traffic Manager
Symptoms:
TMM cores in HTTP-MR proxy.
Conditions:
-- HTTP and HTTP Router profiles are configured on the virtual server.
-- HUDEVT_CALLBACK is queued after HUDCTL_ABORT in HTTP-MR proxy.
Impact:
TMM stops processing traffic.
Workaround:
None.
888081-1 : BIG-IP VE Migration feature fails for 1NIC
Component: TMOS
Symptoms:
An attempt to restore a saved UCS on a new BIG-IP Virtual Edition (VE) in order to migrate the configuration fails:
load_config_files[28221]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 01071412:3: Cannot delete IP (x.x.x.x) because it is used by the system config-sync setting.
Conditions:
The UCS load step might fail if the DB variable Provision.1NicAutoconfig is set to disable.
Impact:
The UCS restore fails.
Workaround:
The DB variable can be set to enable before loading the UCS.
# tmsh modify sys db provision.1nicautoconfig value enable
887625-1 : Note should be bold black, not red
Component: Application Security Manager
Symptoms:
Under Session Hijacking :: Device Session Hijacking by Device ID Tracking, the note text below the 'enable' checkbox is shown in bold red color
Note : Device-ID mode must be configured in bot profile for this option to work.
Conditions:
This always occurs.
Impact:
The Note does not indicate a hazardous situation (as might be implied by the color), so the text should be black instead of red.
Workaround:
None.
887621-1 : ASM virtual server names configuration CRC collision is possible
Component: Application Security Manager
Symptoms:
A policy add/modify/delete fails with the following error:
Mar 3 03:45:24 bit21 crit g_server_rpc_handler_async.pl[19406]: 01310027:2: ASM subsystem error (asm_config_server.pl ,F5::ASMConfig::Handler::log_error_and_rollback): Failed on insert to DCC.VS_RAMCACHE (DBD::mysql::db do failed: Duplicate entry '375946375' for key 'PRIMARY')
Conditions:
This can occur when adding a policy. The chance of it occurring increases when there are many virtual servers.
Impact:
Every config update fails.
Workaround:
Figure out which virtual servers have the CRC collision (by looking into DCC.VS_RAMCACHE). Change the name of one of these virtual servers.
You can get the name of the affected virtual server by using the entry reported in the "Duplicate entry" log and running this command.
mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'SELECT * FROM DCC.VS_RAMCACHE WHERE vs_name_crc = 375946375'
887609-3 : TMM crash when updating urldb blacklist
Component: Traffic Classification Engine
Symptoms:
TMM crashes after updating the urldb blacklist.
Conditions:
-- The BIG-IP system is configured with URL blacklists.
-- Multiple database files are used.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
887265-1 : BIG-IP may fail to come online after upgrade with ASM and VLAN-failsafe configuration★
Component: Application Security Manager
Symptoms:
When booting to a boot location for the first time, the system does not come on-line.
Conditions:
-- There is a large ASM configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.
Impact:
BIG-IP processes continually restart (vlan failsafe-action failover-restart-tm) or the BIG-IP system continually reboots (vlan failsafe-action reboot)
Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.
887181 : BIG-IP is trying to establish the server side connection without VLAN tag info
Component: Local Traffic Manager
Symptoms:
While establishing a server connection (TCP), syns are flowing with vlan id 0.
Conditions:
Unknown
Impact:
Traffic flow will be impacted; some of the client connections will be dropped.
887145 : HSB receive failure in vCMP guest
Component: TMOS
Symptoms:
The HSB may experience a receive failure when running in a vCMP guest. This can be observed in the tmm logs:
tmm1[19405]: 01010025:2: Device error: hsb hsb interface 3 DMA lockup on receive failure
Conditions:
It is unknown under what conditions this occurs.
Impact:
The vCMP guest is unable to process any traffic.
Workaround:
There is no workaround for this issue. In order to recover from this issue, the hypervisor must be rebooted.
887045-4 : The session key does not get mirrored to standby.
Component: Local Traffic Manager
Symptoms:
When a session variable key length is 65 KB, session mirroring fails for that specific key.
Conditions:
-- APM high availability (HA) setup.
-- Access Policy is configured and synced across both devices.
-- A session variable key of ~65 KB arrives
Impact:
The session key does not get mirrored to standby.
Workaround:
None
886865-2 : P3P header is added for all browsers, but required only for Internet Explorer
Component: Application Security Manager
Symptoms:
The Bot Defense profile adds P3P headers to every response when a cookie is set, even if the client browser is something other than Microsoft Internet Explorer.
Conditions:
Bot Defense Profile is attached to a virtual server.
Impact:
Deprecated P3P header is inserted in all responses, even though it is only required for Internet Explorer.
Workaround:
The value of the P3P header is globally configurable in the DB variable dosl7.p3p_header.
It is also possible to set the value to '<null>' and thus prevent the P3P header from appearing, but this may cause legitimate Internet Explorer browsers to be blocked from accessing the web application.
886693-2 : System may become unresponsive after upgrading★
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory assigned to the 'host' category.
Conditions:
-- The configuration works in the previous release, but does not work properly in the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
Exact conditions that trigger this issue are unknown. In the environment in which it occurred, a datagroup had been deleted, but an iRule was still referencing it, see https://cdn.f5.com/product/bugtracker/ID688629.html
Impact:
-- System down, too busy to process traffic
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' on BIG-IP Virtual Edition (VE) or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a VE from an applicable management panel, then select an unaffected volume from the GRUB menu manually.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch. For more information, see K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296, K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658, and K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.
886689-4 : Generic Message profile cannot be used in SCTP virtual
Component: TMOS
Symptoms:
Creating a virtual server or transport config that contains both an SCTP profile and a Generic Message profile fails with an error:
01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)
Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.
Impact:
You are unable to combine the Generic Message profile with the SCTP profile.
886653-3 : Flow lookup on subsequent packets fail during CMP state change.
Component: Policy Enforcement Manager
Symptoms:
When there is a failover event, there is a chance that some sessions will not move over to new active blade.
Conditions:
-- High availability (HA) environment
-- A CMP state change occurs
Impact:
For certain IPs whose sessions failed to move to the new active blade, a new session create request does not create or replace the current session, because that session is in an inconsistent state.
886649-3 : Connections stall when dynamic BWC policy is changed via GUI and TMSH
Component: TMOS
Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.
Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.
Impact:
Connection does not transfer data.
Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.
886533-1 : Icap server connection adjustments
Component: Application Security Manager
Symptoms:
A request sent to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.
Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.
Impact:
Slow responses to specific requests.
Workaround:
None.
886273 : Unanticipated restart of TMM due to heartbeat failure
Component: TMOS
Symptoms:
A tmm thread might stall while yielding the CPU, and trigger a failsafe restart of the tmm process.
Conditions:
-- Appliance platforms (i.e., non-VIPRION platforms).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None known.
886145-4 : The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS WebUI.
Component: Global Traffic Manager (DNS)
Symptoms:
The 'Reconnect' and 'Reconnect All' buttons (introduced in BIG-IP version 14.1.0 to restart some or all iQuery connections) do not work when clicked.
The 'Reconnect' button does not become enabled when a server is selected from the list, and an error is logged in the browser console.
The 'Reconnect All' button is clickable but returns the error "No response action specified by the request" when clicked.
Conditions:
You have accessed the buttons via the following WebUI path:
DNS > GSLB > Data Centers > [dc name] > Servers
Impact:
The buttons do not work, making the corresponding feature unavailable from the WebUI.
Workaround:
Access the buttons via the following alternative WebUI path:
DNS > GSLB > Servers
885961 : Tagged vlan will work only if it is configured in virtual wire.
Component: TMOS
Symptoms:
Traffic drops are encountered if a vlan is not configured on a virtual wire.
Conditions:
Incoming traffic with a different vlan, that is not part of virtual wire configuration.
Impact:
Traffic drop can be observed.
Workaround:
Solution 1)
To allow the traffic on all the vlans of a virtual wire, enable 4kvlans.
tmsh modify sys db bcm56xxd.vwire.4kvlans value enable
bigstart restart bcm56xxd
Solution 2)
The corresponding tag must be configured on the virtual wire.
885949 : Untagged packet traffic does not work on vwire
Component: TMOS
Symptoms:
Untagged packets are going out as tagged from BIG-IP systems on platforms with specific BROADCOM chipsets.
Conditions:
Issue occurs only on platforms containing the Broadcom Trident II switch series with Maverick/Firebolt5 ASICS.
Impact:
Untagged traffic is not working as expected.
Workaround:
Solution:
Enable the bcm56xxd.hgvlan_check_disable sys db variable and restart the bcm56xxd daemon.
tmsh restart /sys service bcm56xxd
885869-4 : Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime
Component: Global Traffic Manager (DNS)
Symptoms:
iQuery incorrectly interprets iQuery SSL certificate times when they are using GenericTime instead of UTCTime.
Conditions:
An iQuery certificate using GenericTime instead of UTCTime.
Note that this would only occur with a date beyond the year 2049.
Impact:
Internal years are interpreted to be much later than they should be.
Workaround:
Use SSL certificates with UTCTime instead of GenericTime.
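The following is an added example, not F5 code, for checking which ASN.1 time type a certificate's validity fields use and decoding both forms per RFC 5280 section 4.1.2.5. The type this entry calls GenericTime is ASN.1 GeneralizedTime (tag 0x18); the sample certificate skeleton and all function names are constructed for this example.

```python
"""Added example: which ASN.1 time type does a certificate's validity use?"""
from datetime import datetime, timezone

UTC_TIME = 0x17          # ASN.1 UTCTime, YYMMDDHHMMSSZ
GENERALIZED_TIME = 0x18  # ASN.1 GeneralizedTime, YYYYMMDDHHMMSSZ
TYPE_NAMES = {UTC_TIME: "UTCTime", GENERALIZED_TIME: "GeneralizedTime"}


def der(tag, body=b""):
    """Encode one DER element (used here only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_time(tag, value):
    """Decode an X.509 Time value according to its own tag."""
    text = value.decode("ascii")
    if tag == UTC_TIME and len(text) == 13 and text.endswith("Z"):
        yy = int(text[:2])
        # RFC 5280: YY >= 50 means 19YY, YY < 50 means 20YY.
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = text[2:12]
    elif tag == GENERALIZED_TIME and len(text) == 15 and text.endswith("Z"):
        year = int(text[:4])
        rest = text[4:14]
    else:
        raise ValueError("not a DER X.509 Time: tag 0x%02x %r" % (tag, text))
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def validity_times(cert_der):
    """Map 'notBefore'/'notAfter' to (ASN.1 type name, decoded UTC datetime)."""
    _, certificate, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(certificate, 0)
    pos = 0
    tag, _, after = read_tlv(tbs, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = after
    for _skip in range(3):                  # serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    tag, validity, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    result, pos = {}, 0
    for field in ("notBefore", "notAfter"):
        tag, value, pos = read_tlv(validity, pos)
        when = decode_time(tag, value)
        result[field] = (TYPE_NAMES[tag], when)
    return result


def fields_using_generalized_time(cert_der):
    """Names of the validity fields that meet the condition in this entry."""
    return [name for name, (kind, _) in validity_times(cert_der).items()
            if kind == "GeneralizedTime"]


# Constructed sample: a certificate-shaped DER skeleton with placeholder
# algorithm and issuer fields. It is not a real or signed certificate.
SAMPLE_CERT = der(0x30, der(0x30,
    der(0xA0, der(0x02, b"\x02"))           # version v3
    + der(0x02, b"\x01")                    # serialNumber
    + der(0x30)                             # signature algorithm (placeholder)
    + der(0x30)                             # issuer (placeholder)
    + der(0x30, der(UTC_TIME, b"200101000000Z")
                + der(GENERALIZED_TIME, b"20500101000000Z"))))

if __name__ == "__main__":
    for field, (kind, when) in validity_times(SAMPLE_CERT).items():
        print(field, kind, when.isoformat())
```

To run it against a real certificate, pass the DER bytes of the certificate file to validity_times().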
885373 : Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Component: Advanced Firewall Manager
Symptoms:
When running iptables-restore, you get this error:
"Another app is currently holding the xtables lock. Perhaps you want to use the -w option?"
Conditions:
Firewall rules are created for the management interface, but they are not created in iptables and therefore are not enforced until after rebooting the box.
Impact:
Firewall Rules for Management Interface are not reliably created or enforced unless a reboot is done
Workaround:
Reboot after every management firewall rule that is created
885325-4 : Stats might be incorrect for iRules that get executed a large number of times
Component: Local Traffic Manager
Symptoms:
iRules that execute a lot can make stats counters large enough to overflow in a relatively short amount of time (e.g., a couple of months).
Conditions:
Execute an iRule a lot (e.g., make the total number of executions greater than 32 bits) and check its stats.
Impact:
After the total number exceeds 32 bits, the counter stats are no longer valid.
Workaround:
None.
884989-3 : IKE_SA's not mirrored on Standby device if it reboots
Component: TMOS
Symptoms:
After rebooting the standby BIG-IP device, IKE SA's are not mirrored.
Conditions:
-- IPSEC is configured in a high availability (HA) environment
-- Standby device is rebooted
Impact:
IKE_SA's will have to be renegotiated.
The performance impact is minimal.
884953-2 : IKEv1 IPsec daemon racoon goes into an endless restart loop
Component: TMOS
Symptoms:
The IKEv1 IPsec daemon racoon goes into an endless restart loop.
2020-01-02 08:36:36: ERROR: /etc/racoon/racoon.conf.BIG-IP:376: "}" duplicated sainfo: loc='ANONYMOUS', rmt='10.42.80.0/24', peer='ANY', id=0
2020-01-02 08:36:36: ERROR: fatal parse failure (1 errors)
2020-01-02 08:36:36: ERROR: failed to parse configuration file.
Conditions:
Duplicate wildcard traffic-selectors, one with ::/0 and one with 0.0.0.0/0, attached to different IPsec policies.
Impact:
IPsec IKEv1 tunnels cannot be established.
Workaround:
Configure duplicate traffic-selectors only when they are attached to interface mode IPsec policies.
884921-1 : Tcpdump capture with very large packet (size close to 65535 bytes) can cause tmm to core
Component: TMOS
Symptoms:
When tcpdump is running to capture packets flowing through tmm, and this traffic being captured involves a very large packet (size close to 65535 bytes), tmm cores.
Conditions:
-- A tcpdump capture is running.
-- The tcpdump trying to capture tmm packets (e.g., tcpdump -i 0.0).
-- The traffic involves a very large packet, close to 65525 bytes.
Impact:
Tmm cores and restarts. Traffic disrupted while tmm restarts.
Workaround:
Do not run tcpdump to capture tmm traffic if packets being captured are close to 65535 bytes in size.
884729-4 : The vCMP CPU usage stats are incorrect
Component: TMOS
Symptoms:
The vCMP CPU usage stats are incorrect when a process on a secondary blade has the same PID as that of the primary blade's qemu process.
Conditions:
A process on a secondary blade has the same PID as that of primary blade's qemu process.
Impact:
The vCMP CPU usage stats are intermittently incorrect.
Workaround:
None.
884521 : OSPF External AS LSAs not adding into RIB
Component: TMOS
Symptoms:
OSPF E2 Routes don't appear in "show op route ospf" although they are in OSPF database
Conditions:
Trigger is unknown
Impact:
Traffic destined to E2 routes can be routed.
884425-1 : Creation of new allowed HTTP URL is not possible
Component: Application Security Manager
Symptoms:
When pressing 'Create' button in
Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs page, the requested page is not loaded.
Conditions:
A policy with about 5000 or more parameters causes a long loading time, which results in loading failure.
Impact:
The requested page (New Allowed HTTP URL...) is not loaded.
Workaround:
Use fewer parameters (less than 5000) per policy.
883853-1 : Bot Defense Profile with staged signatures prevents signature update★
Component: Application Security Manager
Symptoms:
When trying to install a new bot defense signature, the installation fails with the following log message:
com.f5.liveupdate.update.dosbotsignatures.file.Update.applyChanges.pl|INFO|Feb 10 13:22:12.924|7347|F5::Dos::BotSignatures::load_from_xml,,Cannot send updated objects to mcp: 01070265:3: The Bot Defense Signature (/Common/Headless Chromium, Chrome) cannot be deleted because it is in use by a Bot Defense Profile Signature Staging.
Conditions:
-- A Bot Defense Profile has a staged signature.
-- The staged signature points to something that does not exist in the update file.
Impact:
The new file cannot be installed.
Workaround:
Enforce the staged signature.
883673-1 : BotDefense JavaScript browser verification can cause low score when using Google Lighthouse tool
Component: Application Security Manager
Symptoms:
Browser Verification JavaScript (type=11) can cause a low score on the Google Lighthouse tool in some cases.
Type=11 appears as the suggestion for 'Reduce JavaScript execution time'.
Conditions:
-- Bot Defense profile is attached to a virtual server, with 'Verify After Access' Browser Verification.
-- Using specific backend server.
-- Using Google Lighthouse tool for performance test.
Impact:
Low performance score on Google Lighthouse tool.
Workaround:
None.
883577-2 : ACCESS::session irule command does not work in HTTP_RESPONSE event
Component: Access Policy Manager
Symptoms:
When ACCESS::session irule is used in HTTP_RESPONSE event, the APM session creation fails with the following log in /var/log/ltm
No HTTP data available - command unsupported in event (line XX)session creation failed - Operation not supported (line XX)
Conditions:
Using ACCESS::session create command under HTTP_RESPONSE.
Impact:
Cannot create APM session using the ACCESS::session irule command.
Workaround:
The same irule ACCESS::session can be used under HTTP_REQUEST to create the APM session.
883149-4 : The fix for ID 439539 can cause mcpd to core.
Component: TMOS
Symptoms:
Mcpd cores during config sync.
Conditions:
This has only been observed once. The device was going from standby to active, and the connection between the BIG-IP peers stalled out.
Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.
Workaround:
NA
883049-4 : Statsd can deadlock with rrdshim if an rrd file is invalid
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs 'tmsh show sys memory'.
You may see errors:
-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.
Conditions:
Truncation of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.
Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd
882769-3 : Request Log: wrong filter applied when searching by Response contains or Response does not contain
Component: Application Security Manager
Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed
Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter
Impact:
You are unable to search by response in the GUI
Workaround:
There is no way to search in GUI, but you can search using REST API
882757-3 : sflow_agent crash SIGABRT in the cleanup flow
Component: TMOS
Symptoms:
Disabling DHCP on the management port causes sflow_agent to crash.
Conditions:
This does not always occur, but when it does occur, it crashes when disabling DHCP on the management port.
Impact:
sflow_agent crashes.
Workaround:
Do not disable DHCP on the management port
882729-1 : Applied Blocking Masks discrepancy between local/remote event log
Component: Application Security Manager
Symptoms:
There is a discrepancy in the Applied Blocking Masks between the local and remote event logs when ASM logs events both locally and remotely to BIG-IQ.
Conditions:
This occurs when "Applied Blocking Masks" logs are emitted on a device where local and remote event logging is configured.
Impact:
This is cosmetic but can lead to confusion.
882725-3 : Mirroring not working properly when default route vlan names do not match.
Component: Local Traffic Manager
Symptoms:
When using two BIG-IP systems to mirror traffic, mirroring functions correctly if the default gateway VLAN names match; however, if default gateway VLAN names don't match, then the BIG-IP system does not mirror client-side packets to the peer, which causes the standby BIG-IP system to reset all client-side flows on failover.
Conditions:
-- Two BIG-IP LTM BIG-IP Virtual Edition (VE) systems configured as a high availability (HA) pair.
-- Default gateway VLAN names don't match between them.
Impact:
BIG-IP system does not mirror client-side packets to the peer, which causes the next-active device to reset all client-side flows on failover.
Upon failover all flows are being RST just like a typical failover scenario without mirroring implemented.
Workaround:
Use same VLAN name on all external VLANs that might be used for mirroring.
882713-1 : BGP SNMP trap has the wrong sysUpTime value
Component: TMOS
Symptoms:
The timestamp value of sysUpTime in SNMP traps reported by BGP is incorrect.
Conditions:
BGP connection with a peer flaps, and sends traps for the following:
bgpSnmpNotifyEstablished
bgpSnmpNotifyBackwardTransition
Impact:
The sysUpTime in the trap generated by BGP is incorrect.
Workaround:
None.
882709 : LTM v14.1.x to support tagged VLANs on Hyper-V (as was supported on v12.1.x)
Component: TMOS
Symptoms:
Tagged VLANs are supported differently on Hyper-V on v14.x than they were with v12.x.
Conditions:
Hyper-V does not seem to correctly identify the built-in LIS installed as part of RHEL 7.3 or 7.5, while it works fine with older builds that use LIS 3.5, such as BIG-IP v12.1.2.
Impact:
Cannot upgrade to 14.x until tagging works as expected with Hyper-V on 14.x.
Workaround:
There is no known mitigation or workaround.
882609-3 : ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back
Component: TMOS
Symptoms:
After setting a device's ConfigSync IP to 'none' and then back to an actual IP address, the device remains in a disconnected state, and cannot establish ConfigSync connections to other BIG-IP systems in its trust domain.
MCPD periodically logs messages in /var/log/ltm:
err mcpd[27610]: 0107142f:3: Can't connect to CMI peer a.b.c.d, TMM outbound listener not yet created.
Conditions:
-- BIG-IP system is in a trust domain with other BIG-IP systems.
-- Local device's ConfigSync IP is set to 'none', and then back to an actual IP address.
Impact:
Devices unable to ConfigSync.
Workaround:
This workaround will disrupt traffic while TMM restarts:
1. Ensure the local ConfigSync IP is set to an IP address.
2. Restart TMM:
bigstart restart tmm
This workaround should not disrupt traffic:
Copy and paste the following command into the Advanced Shell (bash) on a BIG-IP system, and then run it. This sets the ConfigSync IP for all device objects to 'none', and then back to their correct values.
TMPFILE=$(mktemp -p /var/tmp/ ID882609.XXXXXXX); tmsh -q list cm device configsync-ip > "$TMPFILE"; sed 's/configsync-ip .*$/configsync-ip none/g' "$TMPFILE" > "$TMPFILE.none"; tmsh load sys config merge file "$TMPFILE.none"; echo "reverting back to current"; tmsh load sys config merge file "$TMPFILE"
881065-2 : Adding port-list to Virtual Server changes the route domain to 0
Component: Local Traffic Manager
Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.
Conditions:
Using port-list along with virtual server in non default route domain using the GUI.
Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.
Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.
881041-1 : BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.
Component: Local Traffic Manager
Symptoms:
Some received packets are retransmitted back on the incoming VLAN interface.
Conditions:
The symptom is found with the following conditions:
1. A forwarding virtual server is configured.
2. A packet is received whose destination MAC address is its unicast VLAN MAC address and the destination IP address is the broadcast address of that subnet.
Impact:
Broadcast packets forwarded back to the incoming VLAN interface might result in loops if there are multiple gateways on the network.
Workaround:
None.
880789-1 : ASMConfig Handler undergoes frequent restarts
Component: Application Security Manager
Symptoms:
Under some settings and load, the RPC handler for the botd process restarts frequently, causing unnecessary churn and message-cluttered logs.
Conditions:
-- Bot protection is enabled.
-- A high volume of bot attacks are handled.
Impact:
The RPC handler for the botd process restarts frequently, causing unnecessary churn and noisy logs
Workaround:
None.
880697-3 : URI::query command returning fragment part, instead of query part
Component: Local Traffic Manager
Symptoms:
The iRule URI commands are designed to parse a given URI string into its components, such as scheme (URI::protocol) or authority (URI::host). The URI::query command is designed to return the query part of a URI, but the returned string contains the fragment part. For example, for the URI "foo://example.com:8042/over/there?name=ferret#nose" (an example from Section 3, RFC 3986), URI::query returns "name=ferret#nose". The "#nose" part should not be present in the return value.
Conditions:
Create a test rule with URI having '#' like this.
when HTTP_REQUEST {
# from RFC 3986 Section 3
set url "foo://example.com:8042/over/there?name=ferret#nose"
log local0. "query: [URI::query $url]"
}
Impact:
URI operations that involve #fragments may fail.
Workaround:
NA
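The following is an added example, not F5 code and not a fix for the iRule command, that splits a URI with the regular expression from RFC 3986 Appendix B so a reported query value can be checked against the reference. Apart from the URI quoted in this entry, the sample values and function names are constructed for this example.

```python
"""Added example: RFC 3986 reference split, used to check a reported query value."""
import re

# Regular expression from RFC 3986, Appendix B.
URI_RE = re.compile(r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?")


def split_uri(uri):
    """Split a URI into its five RFC 3986 components (None when a part is absent)."""
    m = URI_RE.match(uri)   # every group is optional, so this always matches
    return {
        "scheme": m.group(2),
        "authority": m.group(4),
        "path": m.group(5),
        "query": m.group(7),
        "fragment": m.group(9),
    }


def strip_fragment(reported_query):
    """Cut a value at the first '#', which can never be part of a query."""
    return reported_query.split("#", 1)[0]


def mismatches(reported):
    """Return (uri, reported, expected) for each value that is not the RFC query."""
    out = []
    for uri, value in reported:
        expected = split_uri(uri)["query"] or ""
        if value != expected:
            out.append((uri, value, expected))
    return out


# (uri, value reported as its query). The first pair is the one given in this
# entry; the other three are constructed edge cases.
REPORTED = [
    ("foo://example.com:8042/over/there?name=ferret#nose", "name=ferret#nose"),
    ("http://example.com/a?x=1&y=2", "x=1&y=2"),          # no fragment at all
    ("http://example.com/a#frag?x=1", ""),                # '?' inside the fragment
    ("http://example.com/a?#top", "#top"),                # empty query, then fragment
]

if __name__ == "__main__":
    for uri, value, expected in mismatches(REPORTED):
        print("%s: reported %r, RFC 3986 query is %r" % (uri, value, expected))
```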
880625-2 : Check-host-attr enabled in LDAP system-auth creates unusable config
Component: TMOS
Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.
Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.
Impact:
LDAP-based auth does not function.
Workaround:
None.
880565-3 : Audit Log: "cmd_data=list cm device recursive" is being generated continuously
Component: Device Management
Symptoms:
The system generates and logs the following message continuously, at the rate of 3 times a minute, in /var/log/audit:
-- hostname.com notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=cd / ;
-- hostname.com notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm
Conditions:
This occurs during normal operation.
Impact:
Audit log file contains numerous 'cmd_data=list cm device recursive' messages.
Workaround:
Edit the 'include' section of syslog configuration to suppress audit logs of 'cmd_data=cd /' and 'cmd_data=list cm device recursive'.
# tmsh edit /sys syslog all-properties
Replace 'include none' with following syntax.
===
sys syslog {
- snip -
include "
filter f_audit {
facility(local0) and match(AUDIT) and not match(\"cmd_data=list cm device recursive|cmd_data=cd /\");
};"
- snip -
}
880473-3 : Under certain conditions, the virtio driver may core during shutdown
Component: TMOS
Symptoms:
If the virtio driver fails to initialize, it may core during shutdown.
Conditions:
-- Using the virtio VE driver.
-- The virtio driver fails initialization and shuts down instead.
Impact:
TMM cores during driver shutdown.
880165-1 : Auto classification signature update fails
Component: TMOS
Symptoms:
During classification update, you get an error:
"Error: Exception caught in script. Check logs (/var/log/hitless_upgrade.log) for details"
An additional diagnostic is that running the command "/usr/bin/crt_cache_path" reports "none".
Conditions:
This is encountered while updating the classification signatures or the protocol inspection updates.
It can occur when something goes wrong during license activation, but license activation ultimately succeeds.
Impact:
When this issue occurs, auto classification signature update will fail.
Workaround:
You may be able to recover by re-activating the BIG-IP license.
880125-3 : WideIP (A) created together with aliases (CNAME) causes missing A records in ZoneRunner
Component: Global Traffic Manager (DNS)
Symptoms:
Creating WideIP with aliases at the same time causes ZoneRunner to create CNAME RRset without matching A RRset on the peer.
Conditions:
Creating WideIP with aliases at the same time (using GUI or tmsh) causes ZoneRunner to create CNAME RRset without matching A RRset on the peer.
Impact:
GTM peer will not respond with correct answer for DNS request.
Workaround:
Create wideip with two steps.
880013-3 : Config load fails after changing the BIG-IP Master key which has an encrypted key in its configuration
Component: TMOS
Symptoms:
Config load fails with an error:
01071769:3: Decryption of the field (privatekey) for object (12004) failed.
Unexpected Error: Loading configuration process failed.
Conditions:
-- BIG-IP configuration has a secured attribute, for example an encrypted dynad key
-- The master key password is changed
-- The configuration is loaded before saving the changes
Impact:
"tmsh load sys config" fails.
Workaround:
After modifying the master key password, save the configuration and then perform the tmsh load sys configuration.
879969-3 : FQDN node resolution fails if DNS response latency >5 seconds
Component: TMOS
Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.
Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses
Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.
Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.
879777 : Retrieve browser cookie from related domain instead of performing another Bot Defense browser verification challenge
Component: Application Security Manager
Symptoms:
After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.
Conditions:
-- Bot Defense profile is enabled
-- "Cross Domain Request":"validate upon request" option is enabled
-- A browser navigates to a qualified (HTML) page from a related domain.
Impact:
Browser receives another JS challenge, instead of retrieving the cookie from the related domain. This causes extra latency for the client.
Workaround:
Use "validate in a bulk" option.
879413-3 : Statsd fails to start if one or more of its *.info files becomes corrupted
Component: Local Traffic Manager
Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd will fail to load it and end up restarting continuously. You see the following messages in /var/log/ltm:
err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'
err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.
Conditions:
-- Corrupted *.info file in /var/rrd.
Impact:
Stats will no longer be accurate.
Workaround:
It might take multiple attempts to retain the *.info file:
f=throughput.info; found=0; while [ "$found" != 1 ]; do filetype=$(file "$f" | cut -d " " -f2); if [[ "$filetype" != "ASCII" ]]; then rm -f "$f"; else grep CRC "$f"; found=1; fi; done
... where f is set to the actual name of the file (e.g. "throughput.info").
879409-2 : TMM core with mirroring traffic due to unexpected interface name length
Component: Local Traffic Manager
Symptoms:
TMM cores.
Conditions:
-- Platform: B4400 Blade (BIG-IP VPR-B4450N).
-- High availability (HA) mirroring is set up.
-- Provisioned modules: LTM, AFM.
-- HA mirroring messages are received with unexpected interface name length.
Impact:
Processing of invalid length can cause memory corruption. The tmm process generates a core. Traffic disrupted while tmm restarts.
Workaround:
None.
879301-3 : When importing a BIND zone file, SRV/DNAME/NAPTR RRs do not have correct $ORIGIN appended
Component: Global Traffic Manager (DNS)
Symptoms:
When importing a BIND zone file, $ORIGIN is appended for rdata from SRV and NAPTR RRs, also not appended for DNAME's owner label.
Conditions:
$ORIGIN is used in the original zone files, and ZoneRunner is used to import them.
Impact:
Zone files are not generated correctly.
Workaround:
Do not use $ORIGIN.
879189-3 : Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section
Component: TMOS
Symptoms:
Network map shows error message: One or more profiles are inactive due to unprovisioned modules.
Conditions:
-- ASM provisioned.
-- A profile is attached to a virtual but the module supporting the profile is not provisioned
Impact:
The Network Map shows an error message.
Workaround:
Provision the module that supports the profile.
879001-3 : LDAP data is not updated consistently which might affect authentication.
Component: TMOS
Symptoms:
Change not updated in LDAP when the system auth source ('systemauth.source' DB key/'Auth Source Type') is set to Active Directory.
This change is not applied when the setting is modified (e.g., from local or LDAP to Active Directory, or from Active Directory to LDAP). Instead, the change is applied only when MCPD is rewriting the file for other reasons.
Conditions:
Changing the 'systemauth.source' DB key/'Auth Source Type':
-- From local to Active Directory.
-- From LDAP to Active Directory.
-- From Active Directory to LDAP.
Impact:
LDAP data is not updated consistently, and authentication might fail.
Workaround:
None.
878925-3 : SSL connection mirroring failover at end of TLS handshake
Component: Local Traffic Manager
Symptoms:
In some cases, HTTP requests may fail if system failover occurs immediately after the TLS handshake finishes.
Conditions:
-- System failover to standby device with SSL connection mirroring.
-- Failover occurs immediately after the TLS handshake completes but before the HTTP request.
Impact:
Connection might fail the HTTP request; in some cases, the server may reset HTTP 1.0 requests.
Workaround:
None.
878893-1 : During system shutdown it is possible for the sflow_agent to core
Component: TMOS
Symptoms:
The shutdown sequence of the sflow_agent can include a timeout waiting for a response that results in an assert and core file.
Conditions:
BIG-IP reboot can cause the sflow_agent to core.
Impact:
There is a core file in the /var/core directory after a system reboot.
878277 : Unexpected Error: Can't display all items, can't get object count from mcpd
Component: TMOS
Symptoms:
While running tmsh show running-config on the standby device, you get an mcp error:
Unexpected Error: Can't display all items, can't get object count from mcpd
Conditions:
-- High availability (HA) environment
-- A configuration sync is in progress
Impact:
The standby device will briefly display "Sync Failure" and will eventually return to "In Sync". During this time, you may get an mcp error while trying to display the running config.
878253-3 : LB::down no longer sends an immediate monitor probe
Component: Local Traffic Manager
Symptoms:
The iRule command LB::down is supposed to send an immediate monitor probe, but it does not.
Conditions:
-- Executing LB::down in an iRule.
Impact:
A monitor probe is not immediately sent, which may cause a pool member to be marked down longer than it should be.
877145-2 : Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException
Component: TMOS
Symptoms:
You are unable to log in to iControl REST via /mgmt/toc/.
Also a NullPointerException is logged to /var/log/restjavad log.
Conditions:
This can be encountered intermittently while using iControl REST.
Impact:
Login failure.
Workaround:
None.
876965-1 : Incorrect reporting by /mgmt/tm/live-update/
Component: Application Security Manager
Symptoms:
The iControl REST endpoint /mgmt/tm/live-update/ reports 'true' for isUpdateAvailable when it should report 'false'.
Conditions:
Checking for live update availability using the iControl REST endpoint /mgmt/tm/live-update/.
Impact:
Erroneous reporting of live update availability: reports 'true'; should report 'false'. For example, the message might report that three modules have updates when only one module does.
Workaround:
None.
876937-1 : DNS Cache not functioning
Component: TMOS
Symptoms:
DNS queries are not being cached on the BIG-IP device.
Conditions:
-- DNS cache is enabled (System :: Configuration : Device : DNS Cache)
-- Device receives DNS queries
Impact:
DNS queries are forwarded, but BIG-IP does not cache them.
876809-1 : GUI cannot delete a cert with a name that starts with * and ends with .crt
Component: TMOS
Symptoms:
If a cert is created with a name that begins with * (asterisk) and ending with .crt, you cannot delete it using the GUI.
Conditions:
-- Certificate with a name similar to *example.crt.
-- Select the checkbox in the GUI and click Delete.
Impact:
GUI displays the message: No records to display. The '*example' certificate is still present.
Workaround:
You can use TMSH to delete it without issue.
876805-1 : Modifying address-list resets the route advertisement on virtual servers.
Component: Advanced Firewall Manager
Symptoms:
If you modify an address list associated with a virtual server, any modifications done to virtual addresses are lost when the list itself is modified.
Conditions:
This occurs in the following scenario:
-- Create an address list.
-- Assign it to a Virtual Server.
-- Modify some or all of the virtual addresses.
-- Modify the address list.
Impact:
Modifications done to virtual addresses are lost.
Workaround:
None.
876801-3 : Tmm crash: invalid route type
Component: Local Traffic Manager
Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:
tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **
Conditions:
The issue is intermittent.
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround for this problem, but there is a safe way to add and delete routes without putting a BIG-IP into a state where it could encounter this issue.
Safe way to add/delete a route.
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.
876249 : Top command shows tmm 0.0% CPU usage under load
Component: TMOS
Symptoms:
On BIG-IP Virtual Edition (VE) running in KVM, the 'top' command shows tmm as having 0.0% CPU usage.
This is a Red Hat known issue and has been fixed under the RHEL7.5 kernel.
Conditions:
-- BIG-IP KVM VE with NIC provisioned from OVS-DPDK bridge (Physical Intel 82599 10G NIC).
-- Looking at tmm CPU usage via the top command.
Impact:
Top command shows inaccurate CPU usage
Workaround:
None.
876145-2 : Nitrox5 failure on vCMP guest results in all crypto requests failing.
Component: Local Traffic Manager
Symptoms:
Nitrox5 SSL card failure on a vCMP guest deployed on i11000 platform might cause all SSL transactions to fail.
Conditions:
- i11000 platform.
- vCMP guest.
- Nitrox5 card experiences a failure.
Impact:
- SSL transactions do not complete the handshake.
- Following logs can be seen in /var/log/ltm :
01260013:4 SSL Handshake failed for TCP 10.1.1.5:55368 -> 10.1.1.55:443
01260009:4: 10.2.36.5:55384 -> 10.1.1.1:443: Connection error: ssl_hs_vfy_vfydata_cont:14608: alert(47) verify failed
875401-3 : PEM subscriber lookup can fail for internet side new connections
Component: Policy Enforcement Manager
Symptoms:
PEM subscriber lookup can fail for internet side new connections, as PEM might use the remote address to look up the session, which is not the subscriber.
Conditions:
-- PEM enabled and configured
-- Subscriber session has multiple IP's
-- Each IP lands on a different tmm
Impact:
PEM subscriber lookup can fail on the internet side
Workaround:
No workaround.
875373-2 : Unable to add domain with leading '.' through webUI, but works with tmsh.
Component: Application Security Manager
Symptoms:
It is possible to create certain domain matches with leading dot '.' in tmsh, but not in the GUI.
Conditions:
Advanced WAF bot signature configuration with domain with a leading . character.
Impact:
You are unable to use the GUI to create custom bot-defense signatures.
Workaround:
Use tmsh to add custom bot-defense signatures as follows:
tmsh create security bot-defense signature ockerdocker category Crawler domains add {.ockerdocker} rule "headercontent:\"Google_Analytics_Snippet_Validator\"; useragentonly; nocase;"
874877-3 : Bigd http monitor shows misleading 'down' reason when recv does not match
Component: Local Traffic Manager
Symptoms:
When a recv string is used with an http monitor, the http status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.
Conditions:
Configure a BIG-IP to monitor an HTTP server.
Impact:
Misleading log messages, difficulty in identifying the real cause of the monitor failure.
874753-1 : Filtering by Bot Categories on Bot Requests Log shows 0 events
Component: Application Security Manager
Symptoms:
A log that has 'Browser Automation' as the 'Bot Category' exists.
When filtering for only Bot Category: Browser Automation, nothing shows up.
Conditions:
-- ASM provisioned.
-- Filtering by Bot Categories on Bot Requests Log
Impact:
Legitimate requests are being blocked, but you cannot filter on the category to narrow down the focus.
Workaround:
None.
874677 : TC auto signature update failing from GUI on 14.1.2★
Component: Traffic Classification Engine
Symptoms:
From v14.1.0 onwards, Traffic Classification auto signature update fails from GUI.
Conditions:
-- Traffic Classification auto signature update fails from the GUI only.
-- Updating through the CLI, or manually through the GUI, works.
Impact:
The classification signature fails to update automatically from the GUI.
Workaround:
Update the Traffic Classification signatures from the CLI, or manually from the GUI.
874317-3 : Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN
Component: Local Traffic Manager
Symptoms:
When BIG-IP is configured with at least two VLANs/interfaces, and a virtual server with auto-lasthop disabled, then when that virtual server receives a SYN from a client and sends the SYN/ACK back to the client on a different VLAN/interface, it currently expects the ACK to be received on the outgoing interface.
Conditions:
BIG-IP is configured with (at least) two VLANs/interfaces, and with a virtual server with auto-lasthop disabled.
Impact:
The mismatch could lead to connections failing to establish.
Workaround:
Use the same VLAN on the client side.
873677-5 : LTM policy matching does not work as expected
Component: Local Traffic Manager
Symptoms:
Policy matching may fail to work as expected
Conditions:
Having many conditions with the same operand may trigger an issue where the wrong transition is taken.
This may also be triggered by very complex policies with large numbers of rules.
Impact:
LTM policy matching does not work as expected.
Workaround:
None.
873249-3 : Switching from fast_merge to slow_merge can result in incorrect tmm stats
Component: Local Traffic Manager
Symptoms:
TMM stats are reported incorrectly. For example, the system may report double the number of running TMMs or an incorrect amount of available memory.
Conditions:
Changing the DB key merged.method from fast_merge to slow_merge.
Impact:
Incorrect reporting for TMM stats.
Workaround:
Remove the file /var/tmstat/cluster/blade0-performance.
These files are roll-ups and will be re-created as necessary.
872981-3 : MCP crashes when deleting a virtual server and its traffic-matching-criteria in the same transaction
Component: Local Traffic Manager
Symptoms:
MCPD crashes when deleting a virtual server and traffic-matching-criteria in the same transaction. This can happen when explicitly using a transaction, or when using a feature that uses transactions, such as when deleting an iApp instance that created these objects.
Conditions:
-- Using a virtual server that has traffic-matching-criteria (e.g., port lists or address lists) attached.
-- Deleting the virtual server and its traffic-matching-criteria in the same transaction.
Impact:
MCP cores, which causes a failover (in a high availability (HA) system) or temporary outage.
Workaround:
Delete the traffic-matching-criteria object separately from the virtual server.
872721-1 : SSL connection mirroring intermittent failure with TLS1.3
Component: Local Traffic Manager
Symptoms:
Intermittent failure of standby connection mirroring TLS1.3 handshake.
Conditions:
TLS1.3 and connection mirroring. More easily reproduces with ecdsa signature.
Impact:
The standby device fails the TLS handshake. The active device succeeds, so the connection succeeds but is not mirrored.
872645 : Protected Object Aggregate stats are causing elevated CPU usage
Component: Advanced Firewall Manager
Symptoms:
Due to a large number of tables containing 'Protected Object Aggregate stats', the merged daemon might cause elevated CPU usage on odd-numbered CPU cores.
Conditions:
AFM, ASM, or DoS features are provisioned.
Impact:
Elevated CPU usage on odd-numbered cores caused by merged daemon.
Workaround:
None.
871881-1 : Apply Policy action is not synchronized after making bulk signature changes
Component: Application Security Manager
Symptoms:
After an action that affects thousands of objects a subsequent Apply Policy may be missed by a peer.
Conditions:
1) Devices are in an autosync device group with ASM sync enabled
2) A bulk action that affects thousands of objects is performed (like enforcing or disabling all signatures)
3) The Apply Policy action is taken immediately afterwards
Impact:
Peer devices that are still busy processing the large request miss the Apply Policy action, and it is never resent.
Workaround:
Make a spurious change and reapply the policy.
871705-4 : Restarting bigstart shuts down the system
Component: TMOS
Symptoms:
The 'bigstart restart bigstart' command shuts down the system without displaying or informing the BIG-IP system user that this command can interrupt service. The system goes directly to the inoperative state as soon as the command is run.
Conditions:
-- Running the command bigstart restart bigstart.
-- Running 'systemctl restart systemd-bigstart' twice.
Impact:
Different versions appear to have different behavior:
-- v12.1.5: shell hangs on bigstart command, but the BIG-IP system stays Active.
-- v13.1.0.7: The BIG-IP system goes inoperative upon 'bigstart restart bigstart'.
-- v14.1.2.3: The 'bigstart restart bigstart' command cannot find the 'bigstart' service, but 'systemctl restart systemd-bigstart' shows this behavior.
Workaround:
None.
871657-2 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
Component: TMOS
Symptoms:
Mcpd restarts and produces a core file.
Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.
Impact:
Mcpd crash and restart results in high availability (HA) failover.
Workaround:
Use a lowercase 'a' or 's' as the flag value.
871561-3 : Hotfix installation on vCMP guest fails with '(Software compatibility tests failed.)'
Component: TMOS
Symptoms:
Due to a known issue, software upgrade to an engineering hotfix might fail with a log message in /var/log/ltm similar to:
info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)
Conditions:
Performing a software upgrade to a hotfix release on a vCMP guest.
Impact:
Unable to perform an upgrade.
Workaround:
Option 1:
Make sure that .iso files for both base image and hotfix reside only on a vCMP guest before starting the installation.
Option 2:
Even if the hotfix installation has failed, the base image should still have been installed properly, so you can restart the vCMP guest and perform a hotfix installation on top of already installed base image.
871457 : Cannot enable logging for management firewall with LTM only provisioned
Component: Advanced Firewall Manager
Symptoms:
You cannot enable firewall logging via tmsh or the GUI when only LTM is provisioned. AFM must be licensed and provisioned in order to configure firewall logging with tmsh or the GUI.
Conditions:
-- No AFM Provisioned
-- v14.1.0 or newer.
-- Using firewall rules to protect the management interface.
Impact:
You cannot enable firewall logging to help with tracking or to aid in troubleshooting.
Workaround:
You can run the following command to view the counters from the F5 rules (output is very verbose):
# /sbin/iptables -vL f5acl
If you want to enable logging (output is very verbose), you can run the following command:
/sbin/iptables -I f5acl -j LOG --log-prefix "IPTables-Dropped: "
This will then log to /var/log/kern.log.
To remove this change:
/sbin/iptables -D f5acl -j LOG --log-prefix "IPTables-Dropped: "
871045-3 : IP fragments are disaggregated to separate TMMs with hardware syncookies enabled
Component: TMOS
Symptoms:
With hardware syncookies enabled, HTTP POST requests that are fragmented into separate segments are processed by different TMMs.
Connection is subsequently reset with a TCP RST cause reported as: No flow found for ACK.
Conditions:
-- Hardware syncookies triggered.
-- IP fragmented HTTP POST request.
Impact:
Connection is subsequently reset with TCP RST cause 'No flow found for ACK'.
Workaround:
None.
870385-3 : TMM may restart under large amount traffic load
Component: Advanced Firewall Manager
Symptoms:
TMM occasionally restarts when running heavy workload. The crash is a timing based issue between different tmm threads, and thus happens only occasionally.
Conditions:
-- AFM is provisioned with dos functionality
-- When BIG-IP is under heavy workload
Impact:
Traffic disrupted while tmm restarts.
870309-1 : Ephemeral pool member not created when FQDN resolves to new IP address
Component: Local Traffic Manager
Symptoms:
On rare occasions, when using FQDN nodes/pool members and the FQDN name resolves to a different IP address, the ephemeral pool member for the old IP address may be removed, but a new ephemeral pool member for the new IP address may not be created.
Under normal operation, the following sequence of messages is logged in /var/log/dynconfd.log when dynconfd logging is set to 'debug' level:
[D]: setFQDNPoolMembersModified: pool /Common/my_fqdn_pool node /Common/my_fqdn_node fqdn my.fqdn.com
[D]: PoolMember::scan: pool /Common/my_fqdn_pool member /Common/my_fqdn_node fqdn my.fqdn.com
But when this problem occurs, the 'setFQDNPoolMembersModified' log message is not followed by a 'PoolMember::scan' log message:
[D]: setFQDNPoolMembersModified: pool /Common/my_fqdn_pool node /Common/my_fqdn_node fqdn my.fqdn.com
Conditions:
This may occur under rare timing conditions while using FQDN nodes/pool members, when the DNS server resolves the FQDN name to a different IP address.
Impact:
Pools configured with FQDN-based pool members may become empty, in which case no traffic will be processed by that pool.
Workaround:
To recover from this condition once it occurs, perform either of the following actions:
-- Restart the dynconfd daemon:
bigstart restart dynconfd
This temporarily interrupts queries for FQDN name resolution and updates (deletion/creation) of ephemeral nodes/pool members in response to FQDN resolution changes.
This action is not otherwise expected to affect traffic currently flowing to pools.
-- Remove the FQDN pool member, then re-add the FQDN pool member back to the pool:
tmsh modify ltm pool my_fqdn_pool { members delete { my_fqdn_node:port } }
tmsh modify ltm pool my_fqdn_pool { members add { my_fqdn_node:port <other parameters> } }
If the pool already has no ephemeral pool members, this has no effect on traffic (which is already not flowing to this pool).
If the pool has some ephemeral pool members but not the complete list of expected ephemeral members, this will interrupt traffic flowing to this pool while there are no pool members present.
In that case, temporarily adding at least one pool member with a statically-configured IP address before removing the FQDN pool member, then removing the same temporary pool members after replacing the FQDN pool member, allows traffic to continue flowing to the pool while this action is performed.
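The log signature described in 870309-1 can be checked mechanically. The following is an added example, not F5 code: it scans dynconfd debug lines and reports every 'setFQDNPoolMembersModified' entry that has no 'PoolMember::scan' entry for the same pool and node before the next modification of that pair or the end of the log. The sample lines are constructed, and the function name and the "before the next modification" rule are assumptions of this example.

```python
import re

# Patterns taken from the two debug messages quoted in the issue text.
# search() is used so that any timestamp or host prefix on real lines is tolerated.
MODIFIED = re.compile(
    r"setFQDNPoolMembersModified: pool (?P<pool>\S+) node (?P<node>\S+) fqdn (?P<fqdn>\S+)")
SCAN = re.compile(
    r"PoolMember::scan: pool (?P<pool>\S+) member (?P<node>\S+) fqdn (?P<fqdn>\S+)")


def find_unscanned(lines):
    """Return (line_number, pool, node, fqdn) for each modification event
    that was never followed by a scan of the same pool/node pair."""
    pending = {}   # (pool, node) -> event still waiting for its scan
    missed = []
    for lineno, line in enumerate(lines, start=1):
        m = MODIFIED.search(line)
        if m:
            key = (m["pool"], m["node"])
            if key in pending:
                # A second modification arrived before any scan: the earlier
                # event was never acted on (assumption of this example).
                missed.append(pending[key])
            pending[key] = (lineno, m["pool"], m["node"], m["fqdn"])
            continue
        s = SCAN.search(line)
        if s:
            pending.pop((s["pool"], s["node"]), None)
    # Anything still pending at end of log was not followed by a scan.
    missed.extend(pending.values())
    return sorted(missed)


# Constructed sample input in the format shown in the issue text.
SAMPLE_LOG = """\
[D]: setFQDNPoolMembersModified: pool /Common/web_pool node /Common/web_node fqdn web.example.com
[D]: PoolMember::scan: pool /Common/web_pool member /Common/web_node fqdn web.example.com
[D]: setFQDNPoolMembersModified: pool /Common/api_pool node /Common/api_node fqdn api.example.com
[D]: setFQDNPoolMembersModified: pool /Common/web_pool node /Common/web_node fqdn web.example.com
[D]: PoolMember::scan: pool /Common/web_pool member /Common/web_node fqdn web.example.com
""".splitlines()


if __name__ == "__main__":
    for lineno, pool, node, fqdn in find_unscanned(SAMPLE_LOG):
        print(f"line {lineno}: {pool} / {node} ({fqdn}) modified but never scanned")
```

An event near the end of a live log may simply not have been scanned yet, so re-check flagged pools against their current member list before applying the workaround.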
869237-3 : Management interface might become unreachable when alternating between DHCP/static address assignment.
Component: TMOS
Symptoms:
When the Management IP address assignment is changed and the IP address obtained from DHCP lease is used for static interface configuration, the management port might become unreachable after the DHCP lease expiration time, even though interface has a static IP configured.
Conditions:
-- Management IP assignment is changed from dynamic (DHCP) to static.
-- The static IP address that is configured is identical to the DHCP address that was assigned.
Impact:
Remote management access is lost after the DHCP lease expires.
Workaround:
When changing the management interface configuration from DHCP to static, first delete the old configuration, then create new configuration. This can be done with TMSH:
(tmos)# modify sys global-settings mgmt-dhcp disabled
(tmos)# del sys management-ip 10.14.30.111/24
(tmos)# create sys management-ip 10.14.30.111/24 { description configured-statically }
869049-2 : Charts discrepancy in AVR reports
Component: Application Visibility and Reporting
Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.
Conditions:
-- Number of records in database exceeds the maximum amount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).
Impact:
Stats on DB get corrupted and incorrect.
Workaround:
None.
868721-3 : Transactions are held for a long time on specific server related conditions
Component: Application Security Manager
Symptoms:
Long request buffers are kept around for a long time in bd.
Conditions:
-- The answer_100_continue internal parameter is turned off (non default) or the version is pre 15.1
-- The server closes the connection while request packets are accumulated.
Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.
Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.
868641-1 : Possible TMM crash when disabling bot profile for the entire connection
Component: Application Security Manager
Symptoms:
When using an iRule to disable bot profile, and causing it to be disabled (for the entire connection) during a CAPTCHA challenge -- TMM will crash.
Conditions:
-- Bot Defense profile is attached to the Virtual Server, with a CAPTCHA mitigation.
-- An iRule is attached to the virtual server, which disables bot profile.
-- Sending a request that is responded to with a CAPTCHA, then sending (in the same connection) a request that disables the bot profile, and then answering the CAPTCHA.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
When using an iRule to disable bot defense profile on certain conditions, add an "else" clause for re-enabling the profile, taking note that all ::disable iRule commands are effective for the entire connection, and not just the transaction.
868209-1 : Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection
Component: Local Traffic Manager
Symptoms:
When BIG-IP is configured with transparent vlan-group and traffic is matching a standard or fastl4 virtual-server and traffic hitting BIG-IP does not have a destination MAC address that belongs to BIG-IP - traffic will be L2 forwarded and pool member selection will not happen.
This defect will also cause active FTP data connections over vlan-group to fail.
Conditions:
All conditions must be met:
- Traffic over transparent vlan-group.
- Standard or fastl4 virtual-server.
- Traffic has a destination MAC address that does not belong to BIG-IP.
OR
- Standard virtual server with FTP profile is configured.
- Active FTP session is in use.
- Traffic flows over vlan-group.
Impact:
Server-side connections will fail.
Workaround:
Use opaque vlan-group instead.
OR
disable db variable connection.vgl2transparent (15.0+)
868053-1 : Live Update service indicates update available when the latest update was already installed
Component: Application Security Manager
Symptoms:
When downloading and installing the latest ASU file manually the Live Update indicator located at the top left of the screen still indicates that there is a new update available.
Conditions:
-- The Live Update scheduler is not in auto mode (System :: Software Management :: Live Update :: Installation of Automatically Downloaded Updates = Disabled).
-- Upload and update the latest ASU file manually.
Impact:
The Live Update indicator continues to indicate that a new update is available even though the latest file was installed.
Workaround:
None.
868033-3 : SSL option "passive-close" option is unused and should be removed
Component: Local Traffic Manager
Symptoms:
The SSL profile "passive-close" option is available in TMSH (but not the GUI), but is not actually used.
A side-effect of this issue is: when the "passive-close" option is configured in TMSH, if the profile is later modified in the GUI, the "passive-close" option will be removed from the profile.
Conditions:
-- Modifying a client or server SSL profile in TMSH.
Impact:
The "passive-close" option is not actually used.
Workaround:
Do not use the "passive-close" option.
867825-2 : Export/Import on a parent policy leaves children in an inconsistent state
Component: Application Security Manager
Symptoms:
When overwriting a parent policy with import/replace, elements from the parent policy that were deleted remain in the child policies.
Conditions:
-- A parent policy exists with a child policy that inherits a section in which new configuration elements can be created in the parent policy (like ip address exceptions).
-- An element is deleted from the parent policy, and then the parent policy is exported.
-- The parent policy is then imported to replace a parent policy on a different device to perform the same changes on its children.
Impact:
The children on the different devices are left unexpectedly in different states.
867793-3 : BIG-IP sending the wrong trap code for BGP peer state
Component: TMOS
Symptoms:
When BGP peer is going down, the BIG-IP system sends the wrong 'bgpPeerState: 6(established)' with its SNMP trap.
Conditions:
-- BIG-IP system is connected with a Cisco router to verify the traps.
-- BGP peer between the BIG-IP system and the Cisco router is going down.
-- Both devices release an SNMP trap.
Impact:
The BIG-IP system sends the wrong code with its SNMP trap. It should be 'bgpPeerState: idle(1)' when the peer is not connected.
Workaround:
None.
867777-2 : Remote syslog server cannot parse violation detail buffers as UTF-8.
Component: Application Security Manager
Symptoms:
Remote syslog server is unable to properly parse the violation detail buffers as UTF-8.
Conditions:
This occurs when the violation detail buffers contain double-byte/non-UTF characters, due to requests that contain non-ASCII UTF-8 characters.
Impact:
The syslog server cannot parse violation detail buffers as UTF-8.
Workaround:
None.
867413-2 : The allow-only-in-enterprise LAN feature on Mac OS not working after reboot
Component: Access Policy Manager
Symptoms:
Firewall feature on Mac devices does not work after reboot, if the device connects to a hotspot network immediately after reboot
Conditions:
-- End user client is using a Mac device.
-- Edge Client is in 'Always Connected' mode.
-- allow-only-in-enterprise LAN is enabled.
-- The Mac device is rebooted.
Impact:
The device is able to connect to the Internet after reboot, but not to the internal network.
Workaround:
None.
867373-2 : Methods Missing From ASM Policy
Component: Application Security Manager
Symptoms:
If the ASM http-methods are missing from the MCP configuration, importing an XML ASM policy creates a policy that has no allowed methods and will block all traffic.
Conditions:
-- BIG-IP system configuration is loaded without the required asm_base.conf.
-- An XML ASM policy is loaded.
Impact:
All traffic is blocked for the policy.
Workaround:
Recreate the required methods (GET, POST, etc.) in the policy.
867321-6 : Error: Invalid self IP, the IP address already exists.
Component: Advanced Firewall Manager
Symptoms:
When loading a configuration, the config load fails with an error:
Invalid self IP, the IP address <ip_addr> already exists.
Conditions:
-- Config contains an IPv4 SelfIP
-- Config contains an IPv4-mapped IPv6 address that is assigned to the same vlan
BIG-IP does not prevent you from creating this condition and will allow you to save it.
Impact:
The configuration load fails with:
0107176c:3: Invalid self IP, the IP address <ip_addr> already exists.
Unexpected Error: Loading configuration process failed.
Workaround:
Delete one of the SelfIP addresses and load the configuration.
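Because the system accepts and saves the condition in 867321-6, it is worth checking a saved configuration before the next load. The following is an added example, not F5 code: it reads 'net self' stanzas and reports VLANs that carry both an IPv4 self IP and the IPv4-mapped IPv6 form of the same address. The stanza layout in the constructed sample is assumed to follow 'tmsh list net self' output, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# One "net self <name> { ... }" stanza; the closing brace is at column 0.
STANZA = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)


def parse_self_ips(config_text):
    """Return (name, address, vlan) for each net self stanza found."""
    entries = []
    for name, body in STANZA.findall(config_text):
        addr = re.search(r"^\s*address (\S+)", body, re.M)
        vlan = re.search(r"^\s*vlan (\S+)", body, re.M)
        if addr and vlan:
            entries.append((name, addr.group(1), vlan.group(1)))
    return entries


def find_collisions(entries):
    """Return (vlan, ipv4, [self IP names]) where an IPv4 self IP and an
    IPv4-mapped IPv6 self IP resolve to the same address on one VLAN."""
    groups = defaultdict(lambda: {"v4": [], "mapped": []})
    for name, address, vlan in entries:
        host = address.partition("/")[0]              # drop the prefix length
        host, _, route_domain = host.partition("%")   # drop a %<route-domain> suffix
        ip = ipaddress.ip_address(host)
        if ip.version == 4:
            groups[(vlan, route_domain, ip)]["v4"].append(name)
        elif ip.ipv4_mapped is not None:              # ::ffff:a.b.c.d
            groups[(vlan, route_domain, ip.ipv4_mapped)]["mapped"].append(name)
        # Native IPv6 self IPs cannot collide with IPv4 and are ignored.
    collisions = []
    for (vlan, _rd, ip), names in sorted(groups.items(), key=lambda kv: kv[0]):
        if names["v4"] and names["mapped"]:
            collisions.append((vlan, str(ip), sorted(names["v4"] + names["mapped"])))
    return collisions


# Constructed sample configuration (addresses and names are illustrative).
SAMPLE_CONFIG = """\
net self /Common/self_v4 {
    address 10.1.1.5/24
    traffic-group /Common/traffic-group-local-only
    vlan /Common/internal
}
net self /Common/self_mapped {
    address ::ffff:10.1.1.5/120
    traffic-group /Common/traffic-group-local-only
    vlan /Common/internal
}
net self /Common/self_other_vlan {
    address ::ffff:10.1.1.5/120
    vlan /Common/external
}
net self /Common/self_v6 {
    address 2001:db8::5/64
    vlan /Common/internal
}
"""

if __name__ == "__main__":
    for vlan, ip, names in find_collisions(parse_self_ips(SAMPLE_CONFIG)):
        print(f"{vlan}: {ip} is configured by {', '.join(names)}")
```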
867253-1 : Systemd not deleting user journals
Component: TMOS
Symptoms:
When "SystemMaxUse" is set to any value, systemd does not honor it, and the specified size is exceeded.
Conditions:
-- Using a Non-TMOS user account with external authentication permission.
-- Systemd-journald is configured to create a user journal for every user that logs into the BIG-IP system.
Impact:
Journald fills up the file system. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.
Workaround:
Remove journal logs manually.
867181-3 : ixlv: double tagging is not working
Component: TMOS
Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).
Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.
Impact:
The BIG-IP's VLAN tag is lost.
867177-1 : Outbound TFTP and Active FTP no longer work by default over the management port
Component: TMOS
Symptoms:
When attempting to use TFTP or Active FTP at the BIG-IP management port to transfer files to a remote system, the connection eventually times out and the file is not transferred.
This is expected behavior resulting from the enhancement made in BIG-IP v14.1.0:
"Support for network firewall rules on the management port" :: https://techdocs.f5.com/kb/en-us/products/BIG-IP_ltm/releasenotes/product/relnote-bigip-14-1-0.html#rn_ltm-tmos_1410_new.
Using TFTP and Active FTP via tmm interfaces works, as tmm has the necessary Algorithm capabilities to set up return listeners.
Conditions:
- BIG-IP v14.1.0 or greater.
- Attempt to initiate TFTP or Active FTP from the BIG-IP management port through command line.
Impact:
Unable to use TFTP or Active FTP to transfer files to/from the BIG-IP system over management port
Workaround:
Consider using encrypted transport (sftp, scp, etc.) in order to avoid the exposure of sensitive data, including passwords.
Manually load connection tracking for the necessary protocol(s) from the command line with:
modprobe nf_conntrack_ftp
modprobe nf_conntrack_tftp
867013-1 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
Component: TMOS
Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.
Conditions:
This can be encountered when there are a large number of policies configured in ASM.
Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.
Workaround:
None.
866073-1 : Add option to exclude stats collection in qkview to avoid very large data files
Component: TMOS
Symptoms:
Statistics collection may cause qkview files to be too large for the iHealth service to parse, or may cause memory allocation errors:
qkview: tmstat_map_file: mmap: Cannot allocate memory
qkview: tmstat_subscribe: /var/tmstat/blade/tmm5: Cannot allocate memory at 0xa08a938
Conditions:
Qkview is executed on an appliance or chassis that has a very large configuration.
Impact:
Qkview files may not be able to be parsed by the iHealth service.
Also, memory allocation error messages may be displayed when generating qkview.
Workaround:
None.
865981-3 : ASM GUI and REST become unresponsive upon license change
Component: Application Security Manager
Symptoms:
When there is a license change at the same time as a security update (ex. Threat Campaigns or Attack Signatures), the system can reach a deadlock which blocks some operations, eventually leading to all the REST threads becoming blocked and unresponsive.
Conditions:
A license change occurs at the same time as a security update (ex. Threat Campaigns or Attack Signatures).
Impact:
ASM user interfaces are unresponsive.
Workaround:
Kill asm_config_server.pl or restart ASM
865461-3 : BD crash on specific scenario
Component: Application Security Manager
Symptoms:
BD crash on specific scenario
Conditions:
A brute force attack mitigation using captcha or client side challenge.
Impact:
BD crash, failover.
Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.
865329-3 : WCCP crashes on "ServiceGroup size exceeded" exception
Component: TMOS
Symptoms:
Under general usage, WCCP crashes with a "ServiceGroup size exceeded" exception.
Conditions:
Have WCCP service groups configured.
Impact:
WCCP throws an exception and crashes.
Workaround:
None.
865313-2 : Validation of monitor field fails in transaction
Component: TMOS
Symptoms:
Validation of monitor destination/address fails if used with transactions. The transaction consists of two operations: a delete and a create (with a new destination).
This passes validation on the BIG-IP system where the change was made. However when the change is synced to the peer, it fails validation on the peer.
Conditions:
1. Create monitor destination/address in transaction.
-- Delete monitor.
-- Create monitor with destination as *:80 and *:*.
2. Sync to peer.
Impact:
It passes validation on BIG-IP but fails on config sync to the peer.
Workaround:
In order to get the devices back in sync, run config sync with force-full-load-push.
865241-3 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
Component: TMOS
Symptoms:
When BGP tries to print the address of the default route's peer and there is no matching IPv4 or IPv6 address, the system returns NULL, and attempting to print it results in a crash.
Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.
The conditions that cause this to occur are unknown.
Impact:
Bgpd crashes. Routing may be affected while bgpd restarts.
Workaround:
None.
865177-2 : Cert-LDAP returning only first entry in the sequence that matches san-other oid
Component: TMOS
Symptoms:
Certificate-ldap only returns the first matching OID from the certificate file, even though multiple matching san-other entries exist.
Conditions:
The Certificate-ldap attribute ssl-cname-field is set to san-other, and the certificate has multiple san-other OIDs.
Impact:
Only the first matching oid is returned.
864897-1 : TMM may crash when using "SSL::extensions insert"
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
iRule with "SSL::extensions insert"
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
864797-1 : Cached results for a record are sent following region modification
Component: Global Traffic Manager (DNS)
Symptoms:
Changing the contents of a topology region record may result in DNS queries temporarily being directed as if the change had not happened for queries from the IP address of the last client to use topology load balancing.
Conditions:
This issue may be observed when a client at a single IP address is making multiple queries that are load balanced using topology both before and after a change to a topology region record where the change in question also changes the result that this single client would receive.
If a query from a different client IP address is received and load balanced using topology, then the issue will be corrected until the next change to a topology region record.
Impact:
After changing the contents of a topology region record, the last client to send a query before the change may receive the wrong load balancing decision if the change affected that decision. Any queries from other clients should be load balanced correctly and will cause the issue to go away until the next topology region record change.
Workaround:
This issue can be temporarily corrected by sending a DNS query that is load balanced using topology after making changes to region records.
864757-2 : Traps that were disabled are enabled after configuration save
Component: TMOS
Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.
Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.
Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.
Workaround:
None.
864677-3 : ASM causing high mcpd CPU usage
Component: Application Security Manager
Symptoms:
CPU utilization is high on the odd-numbered cores.
Conditions:
-- One or more virtual servers have FTP/SMTP/WEBSEC profiles attached.
-- ASM configured.
Impact:
Elevated CPU usage.
Workaround:
-- On the BIG-IP system, edit the file /etc/ts/tools/nwd.cfg to change the value EnforcerCpuReportTimeInterval from 60 to a higher value, e.g., 3600 for once an hour, or even larger.
-- Restart ASM:
bigstart restart asm
864649-1 : The client-side connection of a dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table
Component: Local Traffic Manager
Symptoms:
The client-side connection of the dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table.
Conditions:
Configure dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server.
Impact:
Even after correcting the listener to use dhcpv4 (relay) instead of dhcpv4_fwd (forwarding) profile, the client-side connection from the dhcpv4_fwd profile remains.
Workaround:
Delete the long-standing connection from the connection table.
864513-3 : ASM policies didn't load immediately after upgrade to v14.1.0.1★
Component: TMOS
Symptoms:
ASM policies didn't load immediately after upgrade to v14.1.0.1 or a later version because the SELinux policy was incorrect for some files after the upgrade. This is an SELinux issue.
Conditions:
1) Install and configure ASM including a number of active policies on virtual servers on version 13.1
2) Upgrade to version 14.1 or 15.x
Impact:
Traffic will start failing due to ASM policies not loading after upgrade.
Workaround:
Save the UCS from pre-upgrade and load it on a fresh install of 15.0.1
OR
Remove policy from the ASM profiles from the virtual servers and do the upgrade.
Apply policy after upgrade.
864321-1 : Default Apache testing page is reachable at <mgmt-ip>/noindex
Component: TMOS
Symptoms:
For BIG-IP v14.1.x and later, the default testing page of the Apache web-server is accessible at <mgmt-ip>/noindex.
Conditions:
This is encountered when navigating to the /noindex page from the web browser.
Impact:
Limited information about the Apache web server and its operating system is available to users with access to the mgmt port interface.
Workaround:
None.
863609-2 : Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies
Component: Application Security Manager
Symptoms:
After changing a parent policy's learning mode or other learning attributes in policy-builder settings, deploying the policy will result in differences in the child policies.
Conditions:
On BIG-IP and BIG-IQ:
1. Parent policy has a policy-building section that is inherited.
2. Child policy has wildcard default (*) elements such as urls.
On BIG-IQ:
3. Change parent learning mode from manual to disabled or vice versa
4. Deploy changes
Impact:
There are differences after deploy.
Workaround:
Discover and deploy again from BIG-IQ
863165-1 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
Component: Local Traffic Manager
Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.
Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.
Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.
Workaround:
Ensure the number of trunk interfaces is a power of 2: 2, 4, or 8.
862949-1 : Zonerunner GUI is unable to display CAA records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS :: Zones :: ZoneRunner :: Resource Record List :: Search All Records :: click on record of type CAA
The page shows an error:
Resolver returned no such record.
Conditions:
Attempting to manage a CAA record via the GUI
Impact:
Unable to update CAA records via the GUI.
Workaround:
You can use either of the following workarounds:
-- Manually edit the BIND configuration.
-- Delete the record and create a new one with the desired changes.
862937-2 : Running cpcfg after first boot can result in daemons stuck in restart loop★
Component: TMOS
Symptoms:
After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files.
Conditions:
Running cpcfg on a volume that has already been booted into.
Impact:
Services do not come up.
Workaround:
In the bash shell, force SELinux to relabel at boot time. Then reboot:
# touch /.autorelabel
# reboot
862693-2 : PAM_RHOST not set when authenticating BIG-IP using iControl REST
Component: TMOS
Symptoms:
The missing PAM_RHOST setting causes the radius packet to go out without the calling-station-id avp
Conditions:
1. Configure radius server and add it to BIG-IP
tmsh create auth radius system-auth servers add { myrad }
2. modify auth source type to radius
tmsh modify auth source { type radius }
3. try to authenticate to BIG-IP using iControl REST
Impact:
Remote authentication using iControl REST is not allowed based on calling-station-id
862597-5 : Improve MPTCP's SYN/ACK retransmission handling
Component: Local Traffic Manager
Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.
Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP option in the TCP profile.
862525-3 : GUI Browser Cache Timeout option is not available via tmsh
Component: TMOS
Symptoms:
In BIG-IP v10.x it was possible to change the browser cache timeout from bigpipe using the command:
bigpipe httpd browsercachetimeout
In 14.1.2.1 and newer, it is still possible to change the value in the GUI using "System :: Preferences :: Time To Cache Static Files".
However there is no tmsh equivalent in any version.
Conditions:
This is encountered when you try to configure the GUI browser cache timeout setting using tmsh.
Impact:
Unable to modify browser cache timeout except from GUI
Workaround:
Use the GUI to configure this field: System :: Preferences :: Time To Cache Static Files.
862069-3 : Using non-standard HTTPS and SSH ports will fail under certain conditions
Component: Local Traffic Manager
Symptoms:
On all versions 12.1.0 or above, if you try to change the HTTPS port (e.g. to 8443) and then expose the management UI via a self IP in a non-zero route domain, it won't work.
In versions 14.1.0 and above on VEs, attempting to manage a BIG-IP over a self IP can fail if all these conditions are met:
- Non-standard HTTPS port used.
- No TMM default route configured.
- No route to the client IP configured.
Conditions:
-- Modify the default HTTPS and/or default SSH ports.
And either:
On 12.1.0 and above:
-- Expose the management UI and/or CLI via a self IP in a non-zero route domain.
... or:
On 14.1.0 and above:
-- No TMM default route configured.
-- No route to the client IP configured.
Impact:
Unable to access the BIG-IP GUI on a non-standard HTTPS port, and/or unable to access the BIG-IP CLI on a non-standard SSH port.
862001-3 : Improperly configured NTP server can result in an undisciplined clock stanza
Component: Local Traffic Manager
Symptoms:
There can be an undisciplined clock stanza in /etc/ntp.conf, resulting in an undisciplined clock.
NTP documentation:
http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
Conditions:
This might occur in at least the following ways:
-- No server is specified in 'sys ntp servers {}'.
-- A server does exist, but an improper method was used to configure the NTP server.
Impact:
When the LOCAL undisciplined clock is left as a valid time-source, it delays the system synchronizing time to a real NTP server. It can also result in time being adjusted incorrectly if the remote time-source becomes unreachable.
Workaround:
Configure a dummy server via 'ntp servers {}' that does not respond.
While this removes the undisciplined local clock, it does result in ntpd having an unreachable time source, and could be flagged in diagnostics, misdirect other troubleshooting, generate unnecessary traffic, etc.
However, if the 'dummy' source starts responding, it could become a rogue time source.
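A check for the condition described in this entry, as an added example (not F5 code): it scans ntp.conf text for the LOCAL reference clock, which ntpd addresses as 127.127.1.u, and reports whether it is the only time source or a fallback beside real servers. The function name audit_ntp_conf and the sample configurations are constructed for illustration.

```python
import re

# ntpd reference clocks use pseudo-addresses 127.127.t.u; driver type 1 is
# the undisciplined LOCAL clock.
LOCAL_CLOCK = re.compile(r"^127\.127\.1\.\d+$")

# Constructed samples, not captured from a BIG-IP system.
SAMPLE_LOCAL_ONLY = (
    "# constructed sample: no real server configured\n"
    "server 127.127.1.0\n"
    "fudge 127.127.1.0 stratum 10\n"
)
SAMPLE_FALLBACK = (
    "server 192.0.2.123 iburst\n"
    "server 127.127.1.0  # LOCAL clock left in place\n"
    "fudge 127.127.1.0 stratum 10\n"
)
SAMPLE_CLEAN = "server 192.0.2.123 iburst\nrestrict default kod nomodify\n"


def audit_ntp_conf(text):
    """Classify an ntp.conf by its use of the undisciplined LOCAL clock."""
    local_lines, sources, fudge_stratum = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        keyword = fields[0].lower()
        if keyword in ("server", "peer", "pool") and len(fields) > 1:
            if LOCAL_CLOCK.match(fields[1]):
                local_lines.append(lineno)
            else:
                sources.append(fields[1])
        elif keyword == "fudge" and len(fields) > 1 and LOCAL_CLOCK.match(fields[1]):
            opts = fields[2:]
            if "stratum" in opts[:-1]:
                value = opts[opts.index("stratum") + 1]
                if value.isdigit():
                    fudge_stratum = int(value)

    if local_lines and not sources:
        finding = "local-only"      # nothing but the undisciplined clock
    elif local_lines:
        finding = "local-fallback"  # LOCAL can take over if servers go away
    else:
        finding = "ok"
    return {
        "finding": finding,
        "local_clock_lines": local_lines,
        "sources": sources,
        "fudge_stratum": fudge_stratum,
    }


if __name__ == "__main__":
    for name, conf in (("local-only", SAMPLE_LOCAL_ONLY),
                       ("fallback", SAMPLE_FALLBACK),
                       ("clean", SAMPLE_CLEAN)):
        print(name, audit_ntp_conf(conf))
```

To audit a live system, pass the contents of /etc/ntp.conf to audit_ntp_conf(); both "local-only" and "local-fallback" correspond to the impact described above.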
860573-2 : LTM iRule validation performance improvement by tracking procedure/event that have been validated
Component: TMOS
Symptoms:
Loading (with merge) a configuration file that references some iRules results in validating every iRule and ends up validating the same procedures multiple times for every virtual server a single iRule is associated with.
Conditions:
Configuration which has 100's of virtual servers, some iRules that are assigned to all virtual servers and a few library iRules.
Impact:
Task fails (via REST) or ends up taking a really long time when run manually.
Workaround:
None.
860517-3 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
Component: TMOS
Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.
As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms).
Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.
Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.
Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.
860349-1 : Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication
Component: TMOS
Symptoms:
After upgrading BIG-IP to 14.1, LDAP/AD remote authentication fails.
/var/log/secure shows:
/secure:
Dec 6 15:27:44 hostname err httpd[9402]: pam_ldap(httpd:auth): error opening connection to nslcd: No such file or directory
Dec 6 15:27:44 hostname notice httpd[9402]: pam_ldap(httpd:auth): auth server unavailable, trying fallback
Dec 6 15:27:44 hostname warning httpd[9402]: pam_unix(httpd:auth): check pass; user unknown
Dec 6 15:27:44 hostname notice httpd[9402]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.227.145
/var/log/daemon.log shows:
/daemon:
Dec 6 15:29:40 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:29:40 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:29:40 hostname warning systemd[1]: nslcd.service failed.
Dec 6 15:35:47 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:35:47 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:35:47 hostname warning systemd[1]: nslcd.service failed.
> Dec 06 15:35:47 hostname systemd[1]: Started Naming services LDAP client daemon..
> Dec 06 15:35:47 hostname systemd[1]: Starting Naming services LDAP client daemon....
> Dec 06 15:35:47 hostname nslcd[8050]: nslcd: /etc/nslcd.conf:15: usertemplate: too may arguments
> ===================== > This is the hint that user-template is at fault
Conditions:
LDAP/nslcd config, remote authentication, user-template used.
The values within user-template include white spaces:
example: uid=%s,CN=my home,OU=Generic Users,OU=good Users,OU=users,DC=users,DC=org
Impact:
LDAP/nslcd process failed with "error opening connection to nslcd" when user-template includes white spaces.
Workaround:
Replace the white-space character with an underscore "_" in the user-template if possible, or remove the user-template and restart the nslcd daemon.
860317-1 : JavaScript Obfuscator can hang indefinitely
Component: TMOS
Symptoms:
High CPU usage by obfuscator for an extended period of time.
Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.
Impact:
High CPU Usage.
Workaround:
Kill the obfuscator process
860277-2 : Default value of TCP Profile Proxy Buffer High Low changed in 14.1
Component: Local Traffic Manager
Symptoms:
Version: 13.1.3.1
# tmsh list ltm profile tcp tcp proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
proxy-buffer-high 49152
proxy-buffer-low 32768
}
proxy-buffer-high
Specifies the highest level at which the receive window is closed.
The default value is 49152.
proxy-buffer-low
Specifies the lowest level at which the receive window is closed.
The default value is 32768.
Version: 14.1.2.2
# list ltm profile tcp TCP proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
proxy-buffer-high 65535
proxy-buffer-low 32768
}
proxy-buffer-high
Specifies the highest level at which the receive window is closed.
The default value is 131072.
proxy-buffer-low
Specifies the lowest level at which the receive window is closed.
The default value is 98304.
Conditions:
Looking at the help for proxy-buffer-high and proxy-buffer-low in tmsh
Impact:
The default value for proxy-buffer-high is 65535 and the default value for proxy-buffer-low is 32768, but the help text indicates that the defaults are 131072 and 98304 respectively.
860245-3 : SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x
Component: TMOS
Symptoms:
The SSL Orchestrator configuration is not synced properly across the high availability (HA) configuration.
The REST framework versions are different on the devices.
Conditions:
-- BIG-IP devices configured for HA.
-- SSL Orchestrator configured.
-- Upgrading from v14.1.2 to v15.1.x or newer.
Impact:
SSL Orchestrator configuration does not sync across BIG-IP HA peers.
Workaround:
The following steps are required on all HA peers, first on the active and then on the standby BIG-IP devices.
1. Open a BIG-IP terminal session with admin/root level access.
2. Run the following commands, in the order specified:
bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded
860181-3 : After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error
Component: TMOS
Symptoms:
If you have BIG-IPs in a Device Service Cluster, and you attempt to sync a new floating self-IP over to a standby on a VLAN that the standby does not currently have a non-floating self-IP on, you will get an error and the sync will fail. This is the correct behavior. The issue, though, is that if you subsequently create a non-floating self-IP on the standby in order to rectify this issue, the sync will still fail.
Conditions:
-- BIG-IPs configured in a Device Service Cluster.
-- Device group is configured to use Automatic Sync or Manual with Incremental sync.
-- Attempting to sync a floating self-IP to a system that does not have a non-floating self-IP on the same VLAN.
Impact:
You are unable to sync BIG-IPs. Both devices will be out of sync and you will see an error displayed:
01070355:3: Self IP <address> is declared as a floating address but there is no non-floating address defined for this network
Even after you add a non-floating self-IP on the affected device, a subsequent config sync does not fix the error.
Workaround:
If you make any other configuration change that generates a config sync, this will correct itself after the other device has added a non-floating Self-IP.
Otherwise, this can be corrected by doing a full config sync, and can be done via the GUI or via tmsh.
In the GUI, change the Sync Type for the device group to Manual with Full Sync, and then do a config sync.
In tmsh, the command is:
run cm config-sync force-full-load-push to-group <affected_device_group>
860005-3 : Ephemeral nodes/pool members may be created for wrong FQDN name
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.
Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.
The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.
Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.
Workaround:
It may be possible to mitigate this issue by one or more of the following actions:
-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.
-- Reducing the number of FQDN template nodes (FQDN names to be resolved).
-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.
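The failure mode described in this entry, shown in general form as an added example (not F5 code, and not a description of the BIG-IP resolver's internals): a tracker that matches responses on TXID alone hands the first response to the wrong pending FQDN, while one that also compares the question name echoed in the response does not. All class and function names, and the example.test names and addresses, are constructed for illustration.

```python
import struct


def encode_name(name):
    """Encode a host name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(txid, name, addrs):
    """Build a minimal A-record response (constructed sample data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C: compression pointer back to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 30, 4) + rdata
    return header + question + answers


def read_name(msg, offset):
    """Return (lowercased name, offset after the name), following pointers."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if resume is None:
                resume = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


def parse_response(msg):
    """Return (txid, question name, list of A-record addresses)."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, qname, addrs


class TxidOnlyTracker:
    """Models the failure: the oldest pending request with that TXID wins."""
    def __init__(self):
        self.pending = {}  # txid -> FQDNs in send order

    def sent(self, txid, fqdn):
        self.pending.setdefault(txid, []).append(fqdn)

    def received(self, msg):
        txid, _qname, addrs = parse_response(msg)
        queue = self.pending.get(txid)
        return (queue.pop(0), addrs) if queue else None


class StrictTracker:
    """Accepts a response only if TXID and question name both match."""
    def __init__(self):
        self.pending = set()

    def sent(self, txid, fqdn):
        self.pending.add((txid, fqdn.lower().rstrip(".")))

    def received(self, msg):
        txid, qname, addrs = parse_response(msg)
        if (txid, qname) not in self.pending:
            return None  # unsolicited or mismatched: drop
        self.pending.discard((txid, qname))
        return qname, addrs


def demo():
    """Two pending queries share TXID 0x1A2B; the 'db' answer arrives first."""
    resp_db = build_response(0x1A2B, "db.example.test", ["192.0.2.20"])
    resp_app = build_response(0x1A2B, "app.example.test", ["192.0.2.10"])
    results = {}
    for label, tracker in (("txid_only", TxidOnlyTracker()),
                           ("strict", StrictTracker())):
        tracker.sent(0x1A2B, "app.example.test")
        tracker.sent(0x1A2B, "db.example.test")
        results[label] = [tracker.received(resp_db), tracker.received(resp_app)]
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```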
858973-3 : DNS request matches less specific WideIP when adding new wildcard wideips
Component: Global Traffic Manager (DNS)
Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.
Conditions:
New less specific Wildcard WideIPs are created.
Impact:
DNS request matches less specific WideIP.
Workaround:
# tmsh load sys config gtm-only
or
restart tmm
858877-1 : SSL Orchestrator config sync issues between HA-pair devices
Component: TMOS
Symptoms:
SSL Orchestrator configuration deployment across BIG-IP devices in a high-availability (HA) group may result in inconsistent state, if during deployment the connectivity between the HA peers is lost.
Conditions:
Deploying SSL Orchestrator configuration across BIG-IP devices in an HA group.
Impact:
Inconsistent SSL Orchestrator configuration on BIG-IP devices in an HA group.
Workaround:
Run the /usr/bin/ha-sync script. See ha-sync -h for help.
858769-4 : Net-snmp library must be upgraded to 5.8 in order to support SHA-2
Component: TMOS
Symptoms:
The net-snmp 5.7.2 library does not support extended key lengths for SHA and AES protocols used for SNMPv3 authentication and privacy protocols.
Conditions:
When the BIG-IP net-snmp libraries are version 5.7.2 or earlier, then only SHA and AES are available for configuring trap sessions and users in SNMPv3.
Impact:
The longer key lengths for SNMPv3 cannot be used.
858701-3 : Running config and saved config are having different route-advertisement values after upgrading from v12.1.x★
Component: Local Traffic Manager
Symptoms:
If you upgrade a 12.1.x device with route advertisement enabled, there will be a difference between the running configuration and the saved configuration post upgrade.
-- In the running configuration, the word 'enabled' changes to 'selective'.
-- In bigip.conf, the setting is still set to 'enabled'.
Conditions:
-- Upgrading a v12.1.x device with route advertisement enabled.
-- After saving the config, both the running config and bigip.conf have the same value, i.e., 'selective'.
-- Load the configuration (tmsh load sys config).
Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:
If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.
Workaround:
After the running config is set to the 'disabled' value, reload the configuration again using the following command to set the running config and saved config to 'selective':
tmsh load sys config
858549-4 : GUI does not allow IPv4-Mapped IPv6 Address to be assigned to self IPs
Component: TMOS
Symptoms:
When you try to use an IPv4-mapped IPv6 address as the self IP via the GUI, you get an error:
Some fields below contain errors. Correct them before continuing.
Invalid IP or Hostname
Conditions:
Assign IPv4-mapped IPv6 address to self IPs via GUI.
Impact:
Cannot add the self IP to the BIG-IP system.
Workaround:
None.
858429 : BIG-IP system sending ICMP packets on both virtual wire interface
Component: Local Traffic Manager
Symptoms:
ICMP packets are forwarded to both virtual wire interfaces, which causes MAC-Flip on the connected switches.
Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.
Impact:
Traffic is disrupted in the network.
Workaround:
None.
858309-1 : Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart
Component: Local Traffic Manager
Symptoms:
TMM keeps restarting after setting a self IP to an IPv6 address with an embedded IPv4 address in TMSH.
Conditions:
Set self IP to an IPv6 address with an embedded IPv4 address using tmsh.
Impact:
Tmm restarts repeatedly. Traffic disrupted while tmm restarts.
Workaround:
Set self IP to IPv4 address.
858197-1 : Merged crash when memory exhausted
Component: TMOS
Symptoms:
Merged crashes when system memory is exhausted
Conditions:
System memory is at 0% available.
Impact:
Merged crashes, stopping stats updates
Workaround:
Reduce the configuration on the system
858173-1 : SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1
Component: TMOS
Symptoms:
With BIG-IP devices configured in high availability (HA) mode, with SSL Orchestrator configured, when upgrading from v14.1.2 to v15.1.x or newer, the SSL Orchestrator configuration is not synced properly across the HA configuration.
This problem is caused by a REST framework sync issue between the devices in the high availability (HA) pair.
Conditions:
-- BIG-IP devices configured in HA mode.
-- SSL Orchestrator configured.
-- Upgrading from v14.1.2 to v15.1.x or newer.
Impact:
SSLO configuration not syncing across the BIG-IP HA pair.
Workaround:
The following steps are required on both HA peers, first on the active and then on the standby BIG-IP device.
1. Open a terminal session with admin/root level access.
2. Run the following commands, in the order specified:
bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded
857845-6 : ASSERTs in hudproxy_tcp_repick() converted into an OOPS
Component: Local Traffic Manager
Symptoms:
Hudproxy_tcp_repick() asserts that no data is present.
Example of assertion in /var/log/tmm:
notice panic: ../modules/hudproxy/tcp/tcp_proxy.c:1610: Assertion "server drained" failed.
Conditions:
If data is present, then assertion fails.
Example of how to recreate ("server drained" failed):
-The virtual server uses an iRule containing both the TCP::collect and LB::detach statements.
-The LB::detach statement is not applied in a USER_REQUEST or USER_RESPONSE event.
-The server-side connection is detached before the TCP::collect has been drained.
Impact:
BIG-IP fails to process traffic when asserts fail.
Workaround:
There is no workaround.
To avoid ("server drained" failed):
-Use TCP::notify to generate a USER_REQUEST or USER_RESPONSE event, and detach the server connection within the event.
For more information, refer to DevCentral iRules on TCP::notify.
857677-1 : Security policy changes are applied automatically after asm process restart
Component: Application Security Manager
Symptoms:
Changes in security policy are applied after ASM restart. This may activate unintended enforcement.
Conditions:
Restart ASM.
Impact:
Potentially unintended activation of new security entities.
Workaround:
None.
857633-2 : Attack Type (SSRF) appears incorrectly in REST result
Component: Application Security Manager
Symptoms:
After ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, a mistaken value for Attack Type (SSRF) appears incorrectly in REST query results.
Conditions:
ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, even if another ASM Signature update is installed subsequently.
Impact:
A mistaken value for Attack Type (SSRF) appears incorrectly in REST query results. This impacts BIG-IQ usage and other REST clients.
Workaround:
1) Install a newer ASU to reassociate the affected signatures with the correct attack type
2) Run the following SQL on the affected BIG-IP devices:
DELETE FROM PLC.NEGSIG_ATTACK_TYPES WHERE attack_type_name = "Server-Side Request Forgery (SSRF)";
857045-3 : LDAP system authentication may stop working
Component: TMOS
Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.
In /var/log/daemon.log, you may see the following:
warning systemd[1]: nslcd.service failed
Conditions:
Nslcd daemon crashed, and it fails to restart.
Impact:
System authentication stops working until nslcd is restarted.
Workaround:
Manually restart nslcd daemon:
tmsh start sys service nslcd
856953-2 : IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1
Component: TMOS
Symptoms:
In rare circumstances, TMM may core when changing the ike-peer configuration from IKEv2 to IKEv1.
Conditions:
- The BIG-IP system is attempting to establish an IKEv2 tunnel.
- The related ike-peer config is changed from IKEv2 to IKEv1.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not reconfigure the ike-peer configuration while the related IPsec tunnel is attempting to establish.
856713-1 : IPsec crash during rekey
Component: TMOS
Symptoms:
IPsec-related tmm crash and generated core file during rekey.
Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.
Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.
Workaround:
None.
854493-3 : Kernel page allocation failures messages in kern.log
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)
Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase this as follows:
-- 64 MB (65536 KB) for 2250 blades
-- 48 MB (49152 KB) for B4300 blades
-- 128 MB (131072 KB) for 4450 blades
You must do this on each blade installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
853989-3 : DOSL7 Logs breaks CEF connector by populating strings into numeric fields
Component: Application Security Manager
Symptoms:
Dosl7 remote logger messages break the ArcSight CEF connector when using the ArcSight destination format. CEF logs are dropped.
Conditions:
- ASM provisioned
- Dos profile attached to a virtual server
- Dos application protection enabled
- Logging profile configured with ArcSight format attached to a virtual
Impact:
ArcSight server might be broken after getting dosl7 attack detection messages from the BIG-IP.
Workaround:
A BIG-IP iRule or another proxy can be used to intercept ArcSight messages and strip the string portion from ArcSight numeric type fields.
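One way a log proxy could apply the cleanup described in this workaround, as an added example (not F5 code): it parses the CEF extension, keeps the leading number in numeric-typed fields, and reports what it changed. The sample event is constructed, the key lists are a subset of the ArcSight CEF extension dictionary, and dropping a field that has no leading digits is an assumption.

```python
import re

# Subset of ArcSight CEF extension keys whose dictionary type is numeric.
INT_KEYS = {"cn1", "cn2", "cn3", "cnt", "spt", "dpt", "in", "out"}
FLOAT_KEYS = {"cfp1", "cfp2", "cfp3", "cfp4"}

# A key starts the extension or follows whitespace and ends at an unescaped '='.
_KEY = re.compile(r"(?<!\S)([A-Za-z0-9_.\[\]-]+)=")
_INT = re.compile(r"[+-]?\d+")
_FLOAT = re.compile(r"[+-]?\d+(?:\.\d+)?")

# Constructed sample: a syslog-framed CEF event with text in two numeric fields.
SAMPLE = (
    "<134>Nov 12 10:40:57 bigip1 CEF:0|F5|ASM|14.1.2|DoS attack|"
    "TPS-based attack started|8|src=192.0.2.10 spt=443 cn1=120 tps "
    "cn1Label=detection rate cnt=n/a msg=rate above threshold"
)


def split_cef(line):
    """Return (prefix, header_fields, extension), or None if not a CEF event."""
    start = line.find("CEF:")
    if start < 0:
        return None
    prefix, body = line[:start], line[start:]
    # Seven unescaped pipes delimit the header; the remainder is the extension.
    # (An escaped backslash directly before a pipe is not handled here.)
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) < 8:
        return None
    return prefix, parts[:7], parts[7]


def parse_extension(ext):
    """Split 'k=v k=v' into ordered (key, value) pairs; values may hold spaces."""
    marks = list(_KEY.finditer(ext))
    pairs = []
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(ext)
        pairs.append((mark.group(1), ext[mark.end():end].strip()))
    return pairs


def sanitize(line):
    """Return (clean_line, changes); each change is (key, old, new_or_None)."""
    parsed = split_cef(line)
    if parsed is None:
        return line, []
    prefix, header, ext = parsed
    kept, changes = [], []
    for key, value in parse_extension(ext):
        if key in INT_KEYS:
            pattern = _INT
        elif key in FLOAT_KEYS:
            pattern = _FLOAT
        else:
            pattern = None
        if pattern is None or pattern.fullmatch(value):
            kept.append((key, value))
            continue
        lead = pattern.match(value)
        new = lead.group(0) if lead else None
        changes.append((key, value, new))
        if new is not None:
            kept.append((key, new))  # string portion stripped
        # Assumption: a numeric field with no leading digits is dropped.
    if not changes:
        return line, []  # forward well-formed events byte-for-byte
    extension = " ".join(f"{k}={v}" for k, v in kept)
    return prefix + "|".join(header) + "|" + extension, changes


if __name__ == "__main__":
    clean, changes = sanitize(SAMPLE)
    print(clean)
    for key, old, new in changes:
        print(f"fixed {key}: {old!r} -> {new!r}")
```

Logging the `changes` list alongside the forwarded event keeps a record of which fields were rewritten before they reached the connector.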
853617-3 : Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles
Component: TMOS
Symptoms:
Validation does not prevent specific configuration, but reports errors. In newer versions:
-- err tmm1[7019]: 01010008:3: Proxy initialization failed for /Common/vs_test. Defaulting to DENY.
-- err tmm1[7019]: 01010008:3: Listener config update failed for /Common/vs_test: ERR:ERR_ARG
In older versions:
-- err tmm[23118]: 01010007:3: Config error: virtual_server_profile no suitable hudchain
-- err tmm[23118]: 01010007:3: Config error: add virtual server profile error
Conditions:
Creating a virtual server with UDP, HTTP, SSL, (and OneConnect) profiles.
Impact:
Virtual server is defined and in configuration, but does not pass traffic.
On v12.1.x and v13.0.0, attempts to recover from this configuration can leave TMM in a bad state, which can then result in a TMM crash.
Workaround:
None.
853565-1 : VCMP host primary blade reboot causes security policy loss in the VCMP guest primary blade
Component: Application Security Manager
Symptoms:
After rebooting a vCMP guest with ASM provisioned and configured, there are no asm policies. The following command returns no results:
tmsh list asm policy all-properties
Conditions:
-- vCMP host with 2+ slots
-- vCMP guest with 2+ slots
-- LTM+ASM provisioned
-- ASM security policy + virtual server configured
-- reboot primary slot of VCMP host
Impact:
There are no ASM policies on the vCMP guest.
853325-3 : TMM Crash while parsing form parameters by SSO.
Component: Access Policy Manager
Symptoms:
When a form is received in the response, TMM crashes when SSO identifies the form parameter, and logs the Form parameter value and type in SSOv2 form-based passthrough log.
Conditions:
-- When any of the form parameters that SSO receives in the response does not have a value.
-- Passthrough mode is enabled in SSO.
Impact:
TMM crash when Passthrough mode is enabled in SSO. Traffic disrupted while tmm restarts.
Workaround:
Do not use Passthrough mode with SSO.
853161-1 : Restjavad has different behavior for error responses if the body is over 2k
Component: TMOS
Symptoms:
The error response body from iControl REST is truncated at 2048 characters. If an iControl REST response sends an error that is longer than 2048 characters, the truncated response will not contain valid JSON.
Conditions:
This occurs when iControl REST error messages are longer than 2048 characters.
Impact:
The error response body is malformed when the length of the error body is more than 2k characters.
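A client-side guard for the truncation described in ID 853161, as an added example (not F5 code): it detects an error body cut at the 2048-character limit and salvages the status code and message instead of failing on invalid JSON. The `code` and `message` field names and the sample body are assumptions constructed for illustration.

```python
import json
import re

TRUNCATE_AT = 2048  # length at which the error body is cut, per the symptom

# Assumed field names; the message pattern also matches an unterminated string.
_CODE = re.compile(r'"code"\s*:\s*(\d+)')
_MESSAGE = re.compile(r'"message"\s*:\s*"((?:[^"\\]|\\.)*)')


def parse_error_body(body):
    """Return {'code', 'message', 'truncated'} for an error response body."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        return {"code": doc.get("code"), "message": doc.get("message"),
                "truncated": False}

    # Not valid JSON: flag truncation if the body sits exactly on the limit,
    # counted either in characters or in UTF-8 bytes.
    truncated = TRUNCATE_AT in (len(body), len(body.encode("utf-8")))
    code = _CODE.search(body)
    found = _MESSAGE.search(body)
    message = None
    if found:
        # Drop a partial \uXXXX escape left dangling by the cut.
        raw = re.sub(r"\\(?:u[0-9a-fA-F]{0,3})?$", "", found.group(1))
        try:
            message = json.loads('"' + raw + '"')
        except ValueError:
            message = raw  # keep the undecoded text rather than lose it
    return {"code": int(code.group(1)) if code else None,
            "message": message, "truncated": truncated}


def constructed_truncated_body():
    """Build a constructed error body longer than the limit, then cut it."""
    full = json.dumps({
        "code": 400,
        "message": "transaction failed: "
                   + "config item /Common/vs_test invalid; " * 80,
        "errorStack": [],
    })
    return full[:TRUNCATE_AT]


if __name__ == "__main__":
    result = parse_error_body(constructed_truncated_body())
    print(result["truncated"], result["code"], len(result["message"]))
```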
852873 : Proprietary Multicast PVST+ packets are forwarded instead of dropped
Component: Local Traffic Manager
Symptoms:
Because the BIG-IP system does not recognize proprietary multicast MAC addresses such as PVST+ (01:00:0c:cc:cc:cd) and STP (01:80:c2:00:00:00), when STP is disabled the system does not drop those frames. Instead the system treats those as L2 multicast frames and forwards between 2 interfaces.
Conditions:
-- STP disabled
-- All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850.
Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC, is forwarded instead of discarded, even when STP is disabled.
Workaround:
None.
852565-3 : On Device Management::Overview GUI page, device order changes
Component: TMOS
Symptoms:
When manual device group sync is enabled, the device with the most recent change will be displayed at the top of the Device Management::Overview GUI page.
Conditions:
-- Multiple devices in a device group
-- Device group has manual config sync enabled
-- A change is made on a device
Impact:
When the list loads, the device with the most recent changes is displayed at the top. This can make the device order appear to be inconsistent, and can create confusion when doing manual config sync if you are expecting the order to be always consistent.
852325-3 : HTTP2 does not support Global SNAT
Component: Local Traffic Manager
Symptoms:
The Global SNAT feature does not work with HTTP2.
Conditions:
-- Global SNAT is used
-- HTTP2 is used.
Impact:
Traffic uses the incorrect IP addresses when sourced from the BIG-IP system.
Workaround:
Use an explicit SNAT setting: SNAT Auto-Map or a SNAT pool.
852101-3 : Monitor fails.
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.
Conditions:
TLS SIP monitor on pool member requiring client auth.
Impact:
Big3d fails external monitor SIP_monitor.
Workaround:
The only workaround is to allow world reading of key files in the filestore; however, this is not ideal because it exposes potentially sensitive data.
851857-3 : HTTP 100 Continue handling does not work when it arrives in multiple packets
Component: Local Traffic Manager
Symptoms:
If a 100 Continue response from a server arrives in multiple packets, HTTP parsing may not work as expected. The later server response payload may not be sent to the client.
Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.
Impact:
The response is not delivered to the client. Browsers may retry the request.
Workaround:
None.
851785-1 : BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/13: page allocation failure: order:2, mode:0x204020
After that, a stack trace follows. Note that the process name in the line ('swapper/13', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the appliance 10350V-F D112.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase this to 128 MB (131072 KB).
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID851785' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on the BIG-IP appliance and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the BIG-IP appliance and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
851745-1 : High cpu consumption due when enabling large number of virtual servers
Component: Advanced Firewall Manager
Symptoms:
Observed autodosd CPU burst
Conditions:
Enable autodosd and a large number of virtual servers
Impact:
High cpu utilization in autodosd
Workaround:
Disable autodosd
851581-1 : Server-side detach may crash TMM
Component: Local Traffic Manager
Symptoms:
TMM crash with 'server drained' panic string.
Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.
Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.
Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.
-- In cases in which the detach is triggered by LB::Detach, make sure the command is not executed when a request may still be in progress by using it in response events, for example HTTP_RESPONSE, USER_RESPONSE, etc.
851477-3 : Memory allocation failures during proxy initialization are ignored leading to TMM cores
Component: Local Traffic Manager
Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.
Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.
Impact:
TMM cores when accessing uninitialized memory.
Workaround:
No workaround.
851393-3 : Tmipsecd leaves a zombie rm process running after starting up
Component: TMOS
Symptoms:
After booting the system, you notice zombie 'rm' processes:
$ top -b | awk '$8=="Z"'
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
Restarting tmipsecd will kill the zombied process but will start a new one.
Conditions:
-- IPsec is enabled.
-- Booting up the system.
Impact:
A zombie 'rm' process exists. There should be no other impact.
Workaround:
None.
851385-4 : Failover takes too long when traffic blade failure occurs
Component: Local Traffic Manager
Symptoms:
When blades 1 and 4 are disabled on the active chassis, the failover period is between 3.4 and 4.7 seconds before the next-active device starts processing messages.
If the blades are physically pulled from the chassis, the failure occurs within 1 second.
Conditions:
-- Multi-blade VIPRION system
-- Blades 1 and 4 are connected to the network via trunks, blades 2 and 3 are CPU-only blades
-- Blades 1 and 4 are disabled via the GUI
Impact:
Significant delay before BIG-IP delivers a web page during between-cluster failover
851341-2 : DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache responds with records exceeding cache-maximum-ttl.
Conditions:
1. Multiple TMMs compared with single TMM.
2. Reassembled DNS response from previous cached records.
Impact:
DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs, but not with single TMMs. Inconsistent behavior might lead to confusion.
Workaround:
None.
851101-2 : Unable to establish active FTP connection with custom FTP filter
Component: Local Traffic Manager
Symptoms:
Unable to establish active FTP connection with custom FTP filter.
Conditions:
All of the following conditions are true:
-- Virtual server using custom FTP filter.
-- FTP filter has port (port used for data channel) set to 0 (zero).
-- Virtual server has source-port set to preserve-strict.
-- Using active FTP through the virtual server.
Impact:
-- The active FTP data channel is reset.
-- Commands that require data channel in active mode fail.
Workaround:
-- Change source-port to change or preserve.
-- Set port on FTP filter to be used for data channel.
-- Use passive FTP.
851045-3 : LTM database monitor may hang when monitored DB server goes down
Component: Local Traffic Manager
Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such as by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.
Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).
Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads is processed to completion, and normal DB monitoring resumes.
Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.
851021-3 : Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error
Component: TMOS
Symptoms:
TMSH error example:
Configuration error: Can't associate ASM device sync (/Common/testsync/staging.example.com) folder does not exist
Conditions:
The conditions under which this occurs are unknown.
Impact:
Load of config file fails with an error that the folder does not exist.
Workaround:
Use 'tmsh load sys config verify', without specifying a specific file.
850997-3 : 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page
Component: TMOS
Symptoms:
The SNMPD daemon no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page.
Conditions:
Viewing the page at:
System :: High Availability : Fail-safe : System
Impact:
Unable to configure the high availability (HA) settings for the snmpd high availability (HA) daemon through the GUI.
Workaround:
Use TMSH to modify the snmpd high availability (HA) settings.
850873-1 : LTM global SNAT sets TTL to 255 on egress.
Component: Local Traffic Manager
Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.
Conditions:
Traffic is handled by global SNAT.
Impact:
TTL on egress is set to 255; Hop-Limit on egress is set to 64.
Workaround:
None.
850777-1 : BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config
Component: TMOS
Symptoms:
After rebooting BIG-IP Virtual Edition (VE) deployed on a cloud provider, the instance enters LICENSE INOPERATIVE state.
Errors similar to one below are seen in an LTM log:
err chmand[4770]: Curl request to metadata service failed with error(7): 'Couldn't connect to server'.
Conditions:
- Static management IP address configuration.
- Instance is restarted.
Impact:
Instance is not operational after restart.
Workaround:
After instance is fully booted, reload the license with 'reloadlic'.
850677-2 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
Component: Application Security Manager
Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.
Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.
Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.
Workaround:
Use UTF-8.
850357-3 : LDAP - tmsh cannot add config to nslcd.conf
Component: TMOS
Symptoms:
nslcd comes as a dependency package for nss-pam-ldapd, and the nslcd.conf file contains the configuration information for running nslcd.
tmsh does not support modification of nslcd.conf to include some options.
Conditions:
This is encountered only if you want to modify the nslcd configuration.
Impact:
You are unable to modify nslcd configuration for some options.
This prevents the ability to use certain ldap-based remote authentication techniques.
Workaround:
Manually modify the nslcd.conf file to include the configuration changes, and then restart the nslcd daemon with 'systemctl restart nslcd'.
850349-3 : Incorrect MAC when virtual wire is configured with FastL4
Component: Local Traffic Manager
Symptoms:
Incorrect MAC is seen in the network when virtual wire is configured with a FastL4 profile.
Conditions:
Virtual wire is configured with a FastL4 profile.
Impact:
Incorrect MAC on the packets.
Workaround:
None.
850277-3 : Memory leak when using OAuth
Component: Access Policy Manager
Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.
Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.
Impact:
Memory leak occurs in which tmm memory usage increases.
Workaround:
None.
850193-2 : Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues
Component: Performance
Symptoms:
-- Uneven unic channel distribution and transmit errors (tx_errcnt) seen in /proc/unic.
-- Packet loss and increased retransmissions under load.
Conditions:
BIG-IP Virtual Edition (VE) in Hyper-V or Azure Cloud.
Impact:
-- Reduced throughput.
-- Packet loss and increased retransmissions under load.
Workaround:
None.
850145-3 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
Component: Local Traffic Manager
Symptoms:
The first HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed and use the established connection to the server. However, the requests were queued in the proxy and not processed, resulting in a connection hang.
Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.
Impact:
Connection hangs and is eventually reset.
Workaround:
No workaround.
849349-3 : Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db
Component: Application Security Manager
Symptoms:
Web app flow might fail resulting in JavaScript errors related to CSP policy
Conditions:
-- ASM provisioned.
-- Bot-Defense or DoS Application profile assigned to a virtual server.
-- The backend server sends CSP headers.
Impact:
Web application flow might fail.
Workaround:
Attach an iRule:
when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}
849085-3 : Lines with only asterisks filling message and user.log file
Component: TMOS
Symptoms:
/var/log/message and /var/log/user.log files have lines that only contain asterisks.
For example:
Nov 12 10:40:57 bigip1 **********************************************
Conditions:
An SNMP query is made for an OID handled by sflow, for example:
snmpwalk -v2c -c public localhost SNMPv2-SMI::enterprises.14706.1.1.1
Impact:
The impact is cosmetic only; however, it could make reading the logs more difficult if the sflow snmp tables are constantly being queried.
Workaround:
You have two options:
-- Filter out all sflow_agent log messages
-- Filter out all messages that contain a newline '\n' or carriage return character '\r'.
Both workarounds are done by editing the syslog template. This means that if you upgrade, you must edit the template again to reinstate the workaround.
=============================================
Solution #1 - Filter out all sflow_agent logs:
1) remount /usr as read+write:
mount -o rw,remount /usr
2) Make a backup copy of the template:
cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig
3) Add write permissions to the template:
chmod +w /usr/share/defaults/config/templates/syslog.tmpl
4) Add the filter to syslog.tmpl
4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl
4b) Add the new filter after the filter f_messages:
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};
For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};
4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_not_sflow);
destination(d_syslog_pipe);
}
5) Save the changes and quit vi.
6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice
7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.
8) remount /usr as read-only
mount -o ro,remount /usr
=============================================
Solution #2 - Filter out all messages with \n or \r:
1) remount /usr as r+w:
mount -o rw,remount /usr
2) Make a backup copy of the template:
cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig
3) Add write permissions to the template:
chmod +w /usr/share/defaults/config/templates/syslog.tmpl
4) Add the filter to syslog.tmpl:
4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl
4b) Add the new filter after the filter f_messages:
filter f_no_multi_line {
not (message('\n') or message('\r'));
};
For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};
filter f_no_multi_line {
not (message('\n') or message('\r'));
};
4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_no_multi_line);
destination(d_syslog_pipe);
}
5) Save the changes and quit vi.
6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice
7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.
8) remount /usr as read-only:
mount -o ro,remount /usr
848777-1 : Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.
Component: Local Traffic Manager
Symptoms:
Shared object address-list in non-default partition in non-default route-domain does not sync to peer node. The system reports the following exceptions when such an issue occurs:
-- err mcpd[4941]: 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).
-- err mcpd[4941]: 01071488:3: Remote transaction for device group /Common/DG1 to commit id 500 6754270728594498269 /Common/bigiptest1 0 failed with error 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).
Conditions:
-- Create Custom partition.
-- Create Custom Route-domain.
-- Change custom partition.
-- Create address list in non-default route domain.
-- Create virtual server with previously created address list and any TCP port.
-- Now, try to Sync to high availability (HA) peer.
Impact:
Sync fails with error. Configuration will not sync to peer node.
Workaround:
None.
848681-5 : Disabling the LCD on a VIPRION causes blade status lights to turn amber
Component: TMOS
Symptoms:
When the LCD is disabled or turned off on a VIPRION system, the blade status lights turn amber.
Conditions:
You can cause this to occur by running the command:
tmsh modify sys db platform.chassis.lcd value disable
Impact:
Blade status lights change to amber, even if nothing is wrong with the system.
Workaround:
None.
846977-3 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★
Component: Local Traffic Manager
Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes') must be a non-negative integer.
Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:
/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].
Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.
Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.
Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.
846873-3 : Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure
Component: Local Traffic Manager
Symptoms:
Traffic fails to pass through a virtual server.
Conditions:
-- Virtual server is removed and a new one is added in a single transaction.
-- Virtual server references a plugin profile.
For example, create a CLI transaction:
- delete ltm virtual vs_http
- create ltm virtual vs_https destination 1.1.1.1:443 vlans-enabled profiles replace-all-with { http ntlm oneconnect }
- submit cli transaction
Impact:
Traffic failure on the new virtual server.
Workaround:
Create a virtual server that does not accept any traffic, but keeps the NTLM MPI plugin channel alive:
tmsh create ltm virtual workaround destination 1.1.1.1:1 profiles replace-all-with { http oneconnect ntlm } vlans-enabled vlans none && tmsh save sys config
846521-5 : Config script does not refresh management address entry properly when alternating between dynamic and static
Component: TMOS
Symptoms:
Config script does not refresh management address entry properly when alternating between dynamic (DHCP) and static configuration.
Conditions:
- Management IP assignment is changed from dynamic (DHCP) to static.
- Same IP address is configured, as previously received from DHCP server.
Impact:
Remote management access is lost after DHCP lease expires.
Workaround:
Restart BIG-IP after changing the management IP address.
846441-1 : Flow-control is reset to default for secondary blade's interface
Component: Local Traffic Manager
Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface are reset to default.
Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.
Impact:
The flow-control setting is reset to default (tx-rx).
Workaround:
Reload the configuration on the primary blade.
846217-1 : Translucent vlan-groups set local bit in destination MAC address
Component: Local Traffic Manager
Symptoms:
Translucent vlan-groups may set the locally-unique bit in a destination MAC address when sending traffic to a pool member/client.
Conditions:
On versions earlier than 15.0.0:
- Translucent vlan-group is in use.
On v15.0.0 and later:
-- Translucent vlan-group is in use.
-- The connection.vgl2transparent db variable is enabled.
Impact:
Traffic handled by translucent vlan-groups may not work properly.
Workaround:
On versions earlier than 15.0.0, there is no workaround.
-- On version 15.0.0 and later, you can disable the connection.vgl2transparent db variable to mitigate the problem:
tmsh modify sys db connection.vgl2transparent value disable
Note: connection.vgl2transparent is disabled by default.
846181-1 : Request samples for some of the learning suggestions are not visible
Component: Application Security Manager
Symptoms:
Learning suggestions created from a single request do not show the source 'request log' in the 'Suggestion' GUI section.
Conditions:
'Learning Suggestion' created from only one 'Request Log' record.
Impact:
Learning suggestions created from a single request do not show the source 'request log' in the 'Suggestion' GUI section.
Workaround:
None.
846141-3 : Unable to use Rest API to manage GTM pool members that have a pipe symbol '|' in the server name.
Component: TMOS
Symptoms:
Rest API returns a 404 'Object not found' error when attempting direct access to a pool member that has a pipe symbol '|' in the server or virtual server name.
Conditions:
An iControl/REST call is made to a pool member whose server or virtual server name contains a | character.
Impact:
The iControl/REST call cannot manage a pool member associated with a virtual server or server whose name contains a | character.
Workaround:
Rename the server or virtual server to a name that does not contain the | character.
846137-3 : The icrd returns incorrect route names in some cases
Component: TMOS
Symptoms:
The icrd returns incorrect route names when a '.' (dot, or period) is present in the subPath, because it treats the subPath as an IP address and the leaf name as a subnet, and considers the name as a whole. Also, the subPath field is missing from the response route object. This happens only in the case of a curl request.
Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.
Impact:
Result information is not compatible with actual result.
Workaround:
None.
846057-2 : UCS backup archive may include unnecessary files
Component: Application Security Manager
Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.
Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.
Impact:
Those files are included in the UCS archive, which results in an unusually large UCS backup file.
Workaround:
Before running the UCS backup process, remove directories:
/var/tmp/ts_db.save_dir_*.cstmp/
845629-1 : Hv_netvsc vmbus_17 timeout at boot causes reduced NIC performance
Component: TMOS
Symptoms:
-- Uneven unic channel distribution and transmit errors seen in /proc/unic.
-- Packet loss and increased retransmissions under load.
-- Errors reported in dmesg:
hv_netvsc vmbus_17 (unregistered net_device): timeout before we got a set response....
Conditions:
BIG-IP Virtual Edition (VE) in Azure boots while the hypervisor is under high load.
Impact:
-- Reduced throughput.
-- Packet loss and increased retransmissions under load.
Workaround:
This condition results from a timeout during boot that leaves the NIC driver without the information it needs from the hypervisor.
Rebooting the BIG-IP VE may clear the condition if the hypervisor load has reduced.
845333-3 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
Component: Local Traffic Manager
Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]
Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.
Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.
Workaround:
Make the datagroup a Tcl variable to bypass validation.
845313 : Tmm crash under heavy load
Component: Policy Enforcement Manager
Symptoms:
Tmm crashes.
Conditions:
-- BIG-IP PEM is licensed and configured.
-- Heavy traffic is received by PEM virtual server.
-- The traffic pattern goes through subscriber add/delete frequently.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
844925-2 : Command 'tmsh save /sys config' fails to save the configuration and hangs
Component: TMOS
Symptoms:
The 'tmsh save /sys config' command hangs and fails to save the configuration if there is a memory allocation failure when creating the reply.
Conditions:
-- A large number of iApps: in the thousands.
-- Each iApp has tens of variables.
Impact:
Because tmsh cannot save the configuration, if the BIG-IP system reboots, any changes made since the last successful save are lost.
Workaround:
Run the command:
tmsh save /sys config binary
This does not save the configuration to files in /config, but it does at least allow you to save the binary configuration.
That way, you can reboot the BIG-IP system and not lose the configuration.
Note: It is possible that a reboot will provide sufficient memory to save to configuration files. It depends on the configuration of virtual memory at the time of the save, which is impossible to predict. It is possible that every time you want to save the config, you must use the binary option.
844781-1 : [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection
Component: Access Policy Manager
Symptoms:
SELinux policy does not allow the rewrite plugin to create a directory and write troubleshooting data into /var/tmp/WebAppTrace.
Conditions:
Collecting Portal Access web applications traces per K13384: Performing a web applications trace (11.x - 14.x) :: https://support.f5.com/csp/article/K13384
Impact:
Cannot collect Portal Access web applications troubleshooting data as described in that AskF5 article.
Workaround:
Connect via SSH using the root account and run this command:
restorecon -Rv /var/tmp/WebAppTrace/
844689-3 : Possible temporary CPU usage increase with unusually large named.conf file
Component: Global Traffic Manager (DNS)
Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.
Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).
Impact:
When a zone file is updated, a downstream effect is that the ZoneRunner process parses the named.conf file again. The parsing of an unusually large file may cause a temporary increase in CPU usage.
Workaround:
None.
844597-2 : AVR analytics is reporting null domain name for a dns query
Component: Advanced Firewall Manager
Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.
Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.
Impact:
DNS domain name is reported as NULL
Workaround:
Enable the matching type vector on the DNS DoS profile.
844573-3 : Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.
Component: Access Policy Manager
Symptoms:
The log message when OAuth client or resource server fails to generate the secret is assigned an incorrect log level, and is incorrectly logged at the emergency level.
Conditions:
This is encountered when this message is logged by mcpd.
Impact:
Log message cannot be grouped with messages at the correct log level.
Workaround:
None.
844421 : Cipher ordering in cipher rules can be wrong
Component: Local Traffic Manager
Symptoms:
When a cipher string such as ECDHE:ECDH_RSA:NATIVE is used, the expansion is done in the wrong order.
Conditions:
Cipher rules are used, and some are expanded.
Impact:
Cipher ordering can change, so unexpected cipher suites are used.
Workaround:
None.
844337-2 : Tcl error log improvement for node command
Component: Local Traffic Manager
Symptoms:
Because of the Tcl error, connection gets reset and reports an error:
err tmm[18774]: 01220001:3: TCL error: /Common/test2- bad port in node <addr> <port> cmdTCL error (line 43) (line 43) invoked from within "node 172.x.x.x IP [LB::server port]"
Conditions:
Using node command under pre-load-balancing iRule events.
Impact:
Unclear port values in Tcl error message.
Workaround:
None.
844281-1 : [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.
Component: Access Policy Manager
Symptoms:
Java applets are not patched when accessed through APM Portal Access.
/var/log/rewrite contains error messages similar to following:
-- notice rewrite - fm_patchers/java_patcher_engine/CryptoToolsManager.cpp:568 (0x1919ab0): CryptoToolsManager :: _ReadCA() - cannot open CA file.
/var/log/auditd/audit.log contains AVC denials for rewrite on attempt to read file under /config/filestore/.
Conditions:
Java patching is enabled via rewrite profile and Portal Access resource.
Impact:
Java applets cannot be patched by APM Portal Access rewriter.
Workaround:
None.
844169-2 : TMSH context-sensitive help for diameter session profile is missing some descriptions
Component: Service Provider
Symptoms:
The tmsh context-sensitive help content for the following diameter session attributes is missing:
-- respond-unroutable
-- retransmission-action
-- retransmission-queue-limit-high
-- retransmission-queue-limit-low
-- retransmission-queue-max-bytes
-- retransmission-queue-max-messages
Conditions:
Attempting in tmsh to list a diameter session profile followed by a question mark for context-sensitive help, for example:
list ltm message-routing diameter profile session <sess-name> ?
Impact:
The specified attributes are not described.
Workaround:
These are the missing descriptions:
-- respond-unroutable: When selected (enabled), messages that do not match any known route will be transformed into an error answer message and sent to the originator of the request. When disabled, unroutable request messages are routed back to the connection where they came from. The default value is disabled.
-- retransmission-action: Specifies the action performed when retransmission has been triggered for a request message. The options are:
1) Disabled: Retransmission is disabled. This is the default action.
2) Busy: An answer message is generated with a TOO_BUSY result code and returned to the originator of the request.
3) Unable: An answer message is generated with an UNABLE_TO_DELIVER result code and returned to the originator of the request.
4) Retransmit: The request message will be retransmitted.
-- retransmission-queue-limit-high: Specifies the high watermark for the retransmission queue (in percentage). If the retransmission queue exceeds this limit, the transport window will begin closing. A value of 0 will disable closing the transport window. Valid range from 0 to 100. The default value is 90.
-- retransmission-queue-limit-low: Specifies the low watermark for the retransmission queue (in percentage). If the retransmission queue drops below this limit, the transport window will reopen. Valid range from 0 to 100. The default value is 60.
-- retransmission-queue-max-bytes: Specifies the maximum number of bytes that can be stored in a connection's retransmission queue. A value of 0 will disable this limit. The default value is 131072 bytes.
-- retransmission-queue-max-messages: Specifies the maximum number of messages that can be stored in a connection's retransmission queue. A value of 0 will disable this limit. The default value is 1024 messages.
844085-3 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
Component: TMOS
Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:
01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.
Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.
Impact:
Unable to change the source address of a virtual server to an address list.
Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:
tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any
843801-1 : Like-named previous Signature Update installations block Live Update usage after upgrade★
Component: Application Security Manager
Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.
Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.
Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.
Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat
This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.
843661-3 : TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command
Component: TMOS
Symptoms:
TMSH currently allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command, but the option is not honored and the entire license is revoked.
Conditions:
-- BIG-IP license and add-on license are installed.
-- Attempt to revoke the system license with 'add-on-keys' as an option.
Impact:
Add-on-keys option is ignored, and the entire license is revoked instead.
Workaround:
None.
843597-3 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
Component: TMOS
Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes.
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- Passing packets larger than 9000 bytes.
Impact:
Either packets are dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.
Workaround:
Modify the tmm_init.tcl file, adding the following line:
ndal mtu 9000 15ad:07b0
843317-1 : The iRules LX workspace imported with incorrect SELinux contexts
Component: Local Traffic Manager
Symptoms:
Files imported from iRules LX workspace may have incorrect SELinux contexts such as abrt_var_cache_t.
This can cause reloading the workspace to fail with errors:
01070079: failed to create workspace archive ... Return code {2}
Conditions:
Importing the iRules LX workspace.
Impact:
Workspace cannot be imported
Workaround:
As a workaround you can run the following command on the folders to restore the context:
restorecon -R -v
842989-7 : PEM: tmm could core when running iRules on overloaded systems
Component: Policy Enforcement Manager
Symptoms:
When session usage iRules are called on an already overloaded system, tmm might crash.
Conditions:
Session iRule calls on heavily overloaded BIG-IP systems.
Impact:
Tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Reduce the load on tmm or optimize the iRule.
842937-4 : TMM crash due to failed assertion 'valid node'
Component: Local Traffic Manager
Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.
Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Refraining from using ramcache may mitigate the problem.
842865-1 : Add support for Auto MAC configuration (ixlv)
Component: TMOS
Symptoms:
MAC addresses are forced to be the same for ixlv trunks.
Conditions:
This happens when ixlv trunks are used.
Impact:
MAC addresses may not be as depicted on the device.
Workaround:
None.
842669-1 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
Component: TMOS
Symptoms:
Systemd-journald cannot handle logs with embedded newlines and writes the trailing content to /var/log/user.log. A bare ')' is logged to /var/log/user.log, for example:
cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )
Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as when:
-- The cron process tries and fails to send an email because of output about a cron script.
-- The syslog include configuration is modified.
-- An ASM policy configuration change is applied.
Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes the first part to the appropriate file and the other lines to /var/log/user.log.
Workaround:
No known workaround.
842625-3 : SIP message routing remembers a 'no connection' failure state forever
Component: Service Provider
Symptoms:
When SIP message routing fails to route to a pool member (triggering MR_FAILED with an MR::message status of 'no connection'), the BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.
Conditions:
When the BIG-IP system fails to route messages to the peer (server) due to unavailability of a route or any other issues.
Impact:
The BIG-IP system is never able to establish a connection to the peer.
Workaround:
None.
842425-3 : Mirrored connections on standby are never removed in certain configurations
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
842193-3 : Scriptd coring while running f5.automated_backup script
Component: iApp Technology
Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:
-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING
-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.
-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY
(/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED
Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.
Impact:
Scriptd core.
Workaround:
None.
842189-2 : Tunnels removed when going offline are not restored when going back online
Component: TMOS
Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.
Conditions:
Configuration including tunnels.
Impact:
Failure of tunnel packet traffic.
Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.
842137-5 : Keys cannot be created on module protected partitions when strict FIPS mode is set
Component: Local Traffic Manager
Symptoms:
When FIPS mode is set to use FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition
Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition
-- You attempt to create a FIPS key using that partition
Impact:
New Keys cannot be created
Workaround:
Here are all the steps to generate a new netHSM key called "workaround" and install it into the BIG-IP config:
1.
[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...
Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>
str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
operation Operation to perform generate
application Application pkcs11
protect Protected by module
verify Verify security of key yes
type Key type RSA
size Key size 2048
pubexp Public exponent for RSA key (hex)
embedsavefile Filename to write key to workaround
plainname Key name workaround
x509country Country code
x509province State or province
x509locality City or locality
x509org Organisation
x509orgunit Organisation unit
x509dnscommon Domain name
x509email Email address
nvram Blob in NVRAM (needs ACS) no
digest Digest to sign cert req with sha256
Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory
2. (this is to confirm the key is present with the label "workaround")
[root@bigip1::Active:Standalone] config # nfkminfo -l
Keys with module protection:
key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'
Keys protected by cardsets:
...
3.
[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm
4. (install public certificate)
[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround
841985-3 : TSUI GUI stuck for the same session during long actions
Component: Application Security Manager
Symptoms:
The GUI becomes unresponsive when you perform an operation that takes a long time (e.g., Attack Signatures update).
Conditions:
Long-running task is performed, such as export/import/update signatures.
Impact:
GUI is unresponsive for that session.
Workaround:
If you need to continue working while a long task is being performed, you can log in via another browser.
841953-5 : A tunnel can be expired when going offline, causing tmm crash
Component: TMOS
Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.
If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.
Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.
Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
841721-3 : BWC::policy detach appears to run, but BWC control is still enabled
Component: TMOS
Symptoms:
The dynamic BWC policy can be attached from iRules but not detached. No error occurs when BWC::policy detach is run, but the detached policy continues to work.
Conditions:
-- Dynamic BWC policy for a HTTP request URI during session.
-- Running BWC::policy detach.
Impact:
The detached policy continues to work.
841649-2 : Hardware accelerated connection mismatch resulting in tmm core
Component: TMOS
Symptoms:
Tmm receives an update from the ePVA for a hardware accelerated connection that is matched to the wrong connection. This can result in a tmm core, which is reported as a segmentation fault in the tmm log files.
Conditions:
A FastL4 virtual server that has hardware acceleration enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable hardware acceleration.
841469-4 : Application traffic may fail after an internal interface failure on a VIPRION system.
Component: Local Traffic Manager
Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.
For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.
Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.
For example, if on a 4-slot chassis, blades 2 and 3 become disconnected from one another, the following is TMM's computation of which slots are on-line:
slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.
You can run the following command to inspect the CMP state of each slot:
clsh 'tmctl -d blade -s cmp_state tmm/cmp'
All slots should report the same state, for instance:
# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
15
=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
15
=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
15
=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
15
When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:
-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
And a CMP transition will be visible in the /var/log/tmm file similar to the following example:
-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb
For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.
Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.
Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.
Workaround:
F5 recommends the following to minimize the impact of this potential issue:
1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).
The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.
To ensure this functionality will trigger, the following configuration requirements must be met:
a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).
Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.
2) For 'regular' standalone units.
If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.
3) For a standalone chassis which belongs to a pool on an upstream load-balancer.
If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.
An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.
The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.
Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.
When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:
-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.
-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.
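The two log messages above lend themselves to simple monitoring. The following is an added example, not F5 code: it pairs the 01010366 and 01010367 messages per host and reports how long each forced-maintenance period lasted, or that one is still open. The syslog prefix (timestamp, hostname `viprion1`), the year argument and the sample lines are assumptions constructed for the demonstration; only the message IDs and message text come from this page.

```python
import re
from datetime import datetime

# Message IDs quoted in the release note above.
ENTER_ID = "01010366"  # discrepancy detected, maintenance mode forced
CLEAR_ID = "01010367"  # discrepancy cleared or feature disabled

# Assumed /var/log/ltm layout:
#   "Mon DD HH:MM:SS host severity tmm[pid]: msgid:level: text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"\w+ tmm\d*\[\d+\]: (?P<msgid>[0-9A-Fa-f]{8}):\d+: "
)

# Constructed sample lines; timestamps and hostname are invented.
SAMPLE_LOG = """\
Mar  3 10:15:02 viprion1 crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.
Mar  3 10:16:30 viprion1 info constructed[100]: unrelated line that must be ignored
Mar  3 10:22:17 viprion1 crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.
Mar  4 02:01:09 viprion1 crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.
"""


def maintenance_windows(lines, year):
    """Return [(host, start, end_or_None)] for each forced-maintenance period.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    open_since = {}  # host -> start time of the window that is still open
    windows = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host, msgid = m["host"], m["msgid"]
        if msgid == ENTER_ID:
            # A repeated "detected" message extends the window already open.
            open_since.setdefault(host, when)
        elif msgid == CLEAR_ID and host in open_since:
            windows.append((host, open_since.pop(host), when))
    # A window with no end means new connections are still being reset.
    windows.extend((host, start, None) for host, start in open_since.items())
    return windows


def report(windows):
    """Render one human-readable line per window."""
    out = []
    for host, start, end in windows:
        if end is None:
            out.append(f"{host}: in maintenance mode since {start} (NOT CLEARED)")
        else:
            secs = int((end - start).total_seconds())
            out.append(f"{host}: {start} -> {end} ({secs}s)")
    return out


if __name__ == "__main__":
    for row in report(maintenance_windows(SAMPLE_LOG.splitlines(), 2020)):
        print(row)
```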
841369-1 : HTTP monitor GUI displays incorrect green status information
Component: Local Traffic Manager
Symptoms:
The LTM HTTP monitor GUI displays an incorrect green status when the related pool is down.
TMSH shows the correct information.
Conditions:
LTM HTTP monitor destination port does not match with pool member port.
Impact:
LTM HTTP marks the node down, but the Instances tab of the monitor in the GUI reports the status as green.
Workaround:
You can use either of the following workarounds:
-- Use TMSH to get correct info.
-- Ensure that the LTM HTTP monitor destination port matches the pool member port.
841341-4 : IP forwarding virtual server does not pick up any traffic if destination address is shared.
Component: Local Traffic Manager
Symptoms:
Virtual servers do not forward any traffic but the SNAT does.
Conditions:
-- Multiple wildcard IP forwarding virtual servers with the same destination address.
-- SNAT is configured.
Impact:
IP forwarding virtual server does not pick up any traffic.
Workaround:
Delete and then re-create virtual servers.
841333-5 : TMM may crash when tunnel used after returning from offline
Component: TMOS
Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.
Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
841277-5 : C4800 LCD fails to load after annunciator hot-swap
Component: TMOS
Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.
Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.
Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.
Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable
2. Wait 10 seconds.
3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable
This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.
840809-1 : If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged
Component: Advanced Firewall Manager
Symptoms:
When subscriber info changes, the log events for LSN_PB_UPDATE are not logged.
Conditions:
Subscriber info changes. For example, a client sends a RADIUS message with IMSI A, and LSN_PB_UPDATE logs are observed. Later, when the IMSI is changed to B and the client sends another RADIUS message, LSN_PB_UPDATE log events are not observed.
Impact:
LSN_PB_UPDATE are not logged.
840785-3 : Update documented examples for REST::send to use valid REST endpoints
Component: Local Traffic Manager
Symptoms:
The documented examples for REST::send refer to REST endpoints that are not valid.
Conditions:
Viewing the documentation at https://clouddocs.f5.com/api/irules/REST__send.html.
Impact:
Invalid examples lead to potential confusion.
Workaround:
Use valid REST endpoints, documented at https://clouddocs.f5.com/api/icontrol-rest/APIRef.html.
839361-4 : iRule 'drop' command does not drop packets when used in DNS_RESPONSE
Component: Global Traffic Manager (DNS)
Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event.
Conditions:
iRule drop is used under DNS_RESPONSE event.
Impact:
DNS response may be improperly forwarded to the client.
Workaround:
Use DNS::drop instead.
839245-1 : IPother profile with SNAT sets egress TTL to 255
Component: Local Traffic Manager
Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.
Conditions:
Virtual-server with ipother profile and SNAT configured.
Impact:
Traffic leaves with egress TTL set to 255.
Workaround:
None.
839121-1 : A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★
Component: TMOS
Symptoms:
After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.
Conditions:
The upgrade failure is seen when all the following conditions are met:
-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
(1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers.
(3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.
Impact:
Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.
Workaround:
There are two possible workarounds:
-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.
-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:
1. cp /config/bigip.conf /config/backup_bigip.conf
2. Run: sed -i "s/\!SSLv2://g" /config/bigip.conf
3. tmsh load /sys config
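A pre-upgrade check for the conditions above can be run against a copy of bigip.conf. The following is an added example, not F5 code: it walks the client-ssl and server-ssl stanzas, flags any ciphers token naming 'SSLv2', 'COMPAT' or 'RC2' (including negated forms such as !SSLv2, which the sed workaround removes), and marks whether the profile is one of the root profiles. The stanza layout and the sample configuration are assumptions constructed for the demonstration.

```python
import re

# Keywords the release note lists as invalid in a ciphers string.
BANNED = {"SSLV2", "COMPAT", "RC2"}
# Root profiles named in the release note.
ROOT_PROFILES = {"/Common/clientssl", "/Common/serverssl"}
# Assumed stanza header: "ltm profile client-ssl /Common/clientssl {"
HEADER_RE = re.compile(r"^ltm profile (client-ssl|server-ssl) (\S+) \{\s*$")

# Constructed bigip.conf fragment for the demonstration.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/clientssl {
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    ciphers DEFAULT:!SSLv2
}
ltm profile client-ssl /Common/app1_clientssl {
    ciphers ECDHE+AES-GCM:!COMPAT
    defaults-from /Common/clientssl
}
ltm profile server-ssl /Common/serverssl {
    ciphers DEFAULT
}
ltm virtual /Common/vs1 {
    destination /Common/192.0.2.10:443
}
"""


def ssl_profiles(conf_text):
    """Yield (name, body_lines) for every client-ssl/server-ssl stanza."""
    lines = conf_text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        i += 1
        if not m:
            continue
        depth, body = 1, []
        # Track brace depth so nested blocks do not end the stanza early.
        while i < len(lines) and depth > 0:
            depth += lines[i].count("{") - lines[i].count("}")
            if depth > 0:
                body.append(lines[i].strip())
            i += 1
        yield m.group(2), body


def banned_tokens(cipher_string):
    """Return the cipher-string tokens that name a banned keyword."""
    hits = []
    for token in cipher_string.strip('"').split(":"):
        # Strip a leading '!', '+' or '-' and split '+'-joined parts so the
        # keyword itself is what gets compared.
        parts = token.lstrip("!+-").upper().split("+")
        if any(p in BANNED for p in parts):
            hits.append(token)
    return hits


def audit(conf_text):
    """Return [(profile, is_root_profile, token)] for every banned token."""
    findings = []
    for name, body in ssl_profiles(conf_text):
        for line in body:
            if line.startswith("ciphers "):
                for token in banned_tokens(line.split(None, 1)[1]):
                    findings.append((name, name in ROOT_PROFILES, token))
    return findings


if __name__ == "__main__":
    for profile, is_root, token in audit(SAMPLE_CONF):
        kind = "ROOT profile" if is_root else "custom profile"
        print(f"{profile} ({kind}): remove '{token}' before upgrading")
```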
838925-5 : Rewrite URI translation profile can cause connection reset while processing malformed CSS content
Component: TMOS
Symptoms:
Malformed CSS where one of the style rules is missing a closing brace could cause LTM Rewrite profile to stop processing file or reset connection.
Conditions:
-- LTM Rewrite (URI translation) profile is attached to virtual server.
-- Content rewriting is enabled in Rewrite profile settings.
-- CSS file contains style rule with missing closing brace.
Impact:
URLs are not modified within affected files, starting from the missing closing brace. Intermittent connection resets occur.
Workaround:
Before rewriting, insert the missing symbol into CSS content either directly on the backend server or with an iRule.
838901-2 : TMM receives invalid rx descriptor from HSB hardware
Component: TMOS
Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.
Conditions:
The exact conditions under which this occurs are unknown.
Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.
Workaround:
None.
838861-2 : TMM might crash once after upgrading SSL Orchestrator★
Component: Access Policy Manager
Symptoms:
TMM might crash due to SIGABRT.
Conditions:
-- Session check agent is present in APM per-request policy.
-- APM Access Profile scope changes during SSL Orchestrator upgrade.
-- This issue can occur for SSL Orchestrator upgrades from 14.x to 15.x and above.
Impact:
TMM might crash once. Traffic disrupted while tmm restarts.
Workaround:
None.
838685-2 : DoS report exist in per-widget but not under individual virtual
Component: Application Visibility and Reporting
Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.
Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.
Impact:
GUI widgets report errors and cannot show stats.
Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:
1. Back up the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
$ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/
2. Change permissions to allow modifying it:
$ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
3. Change the file to include the fix:
$ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
$ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
4. Verify that the fix is as expected:
$ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php
(** You should see two lines modified:
1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip')
5. Revert permissions of the file:
$ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
6. Log out and log back into the GUI, so that the new version of the file loads.
838405-1 : Listener traffic-group may not be updated properly when spanning is in use.
Component: Local Traffic Manager
Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.
Conditions:
Spanning is disabled or enabled on a virtual address.
Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.
Depending on the configuration, virtual server may or may not forward the traffic when expected.
Workaround:
Enable/Disable spanning together with changing a traffic-group:
> modify ltm virtual-address 0.0.0.0 traffic-group none spanning enabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled
838353-3 : MQTT monitor is not working in route domain.
Component: Local Traffic Manager
Symptoms:
MQTT monitor fails when non-default route domains are used.
Conditions:
-- A non-default route domain is configured for a pool member.
-- MQTT monitor is in use.
Impact:
MQTT monitor does not work in route domain.
838337-3 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
Component: TMOS
Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.
Conditions:
None.
Impact:
BIG-IP systems configured to use "America/Sao_Paulo" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on previously designated dates.
This will have no impact on application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.
Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):
zdump -v <timezone>
For example:
zdump -v America/Sao_Paulo
Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset and already not observing DST.
For example, instead of using "America/Sao_Paulo", you could use "America/Buenos_Aires" to obtain the same result.
838305-4 : BIG-IP may create multiple connections for packets that should belong to a single flow.
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.
Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.
Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.
838297-1 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
Component: TMOS
Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.
Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.
Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).
Impact:
Remote AD BIG-IP users are unable to log in to the BIG-IP system using remote LDAP authentication.
Workaround:
Clear the value of shadowLastChange within AD.
837637-2 : Orphaned bigip_gtm.conf can cause config load failure after upgrading★
Component: TMOS
Symptoms:
Configuration fails to load after upgrade with a message like:
01420006:3: Can't find specified cli schema data for 13.1.1.4
Conditions:
-- Orphaned bigip_gtm.conf from an older version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.
-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.
Impact:
Configuration fails to load after upgrade.
Workaround:
After deprovisioning DNS, and before upgrading, run:
rm -f /config/bigip_gtm.conf
tmsh load sys config gtm-only
837617-3 : Tmm may crash while processing a compression context
Component: Local Traffic Manager
Symptoms:
Tmm crashes on segfault.
Conditions:
Conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
837481-5 : SNMPv3 pass phrases should not be synced between high availability (HA) devices as they are based on each device's unique engineID
Component: TMOS
Symptoms:
SNMPv3 fails to read authenticated or encrypted messages for all but one of the members of a Config Sync group.
Conditions:
Using SNMPv3 to read or receive Traps from high availability (HA) pairs.
Impact:
SNMPv3 can only work for one member of a configsync group.
Configuring passwords on one device makes that device work, but other members of the config sync group will now fail.
Workaround:
-- Check that "Authoritative (security) engineID for SNMPv3" is not synced (mostly code released since 2019). The engineID needs to be unique per device.
-- Modify /defaults/config_base.conf to set sync to "no" and check that these do not sync. These parameters must NOT be synced, as they need to match the individual device engineID:
display-name "Authoritative (security) engineID for SNMPv3"
display-name "Authentication pass phrase for SNMPv3 messages"
display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
display-name "User's passphrase"
display-name "Privacy passphrase"
# Mount /usr as rw (see K11302)
mount -o remount,rw /usr
pico /defaults/config_base.conf
# use Control-w to search for the display names above
# change "configsyncd yes" to "configsyncd no" if necessary in each location
# use Control-x y to exit with saving
# Restore /usr as ro
mount -o remount,ro /usr
tmsh load sys config
Then, once they are not syncing over, you can create the v3 user on each device using the same pass phrase as your SNMPv3 manager is using:
tmsh modify sys snmp users add { v3snmp { auth-protocol sha privacy-protocol aes username mikev3 auth-password password3 privacy-password password3} }
tmsh modify sys snmp users modify { v3snmp { security-level auth-privacy access rw } }
Each device should then respond OK to a query for that same pass phrase:
snmpwalk -v 3 localhost -a sha -x aes -A password3 -X password3 -u mikev3 -l authpriv
For more information about SNMP, see the following articles.
K15681: Customizing the SNMP v3 engineID
K6821: SNMP v3 fails if the SNMP engine ID is not unique
K3727: Configuring custom SNMP traps
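Why the same pass phrase cannot simply be copied between devices follows from the SNMPv3 User-based Security Model (RFC 3414), which localizes every key to the authoritative engineID. The following is an added example, not F5 code: it implements the RFC 3414 password-to-key and key-localization steps for SHA, and models a sync that copies key material localized on one device to a peer with a different engineID. It assumes the synced value is key material localized to the originating device, which this page implies but does not spell out; the engineIDs and message bytes are constructed, and "maplesyrup" is the RFC's own test pass phrase.

```python
import hashlib
import hmac


def password_to_key(passphrase: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2 password-to-key: digest of 1,048,576 octets of the
    pass phrase repeated end to end. This key (Ku) is identical on every
    device that uses the same pass phrase."""
    if not passphrase:
        raise ValueError("passphrase must not be empty")
    reps, rem = divmod(1048576, len(passphrase))
    return hashlib.new(algo, passphrase * reps + passphrase[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 key localization: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_param(kul: bytes, whole_msg: bytes) -> bytes:
    """HMAC-SHA-96 authentication parameter: first 12 octets of HMAC-SHA1."""
    return hmac.new(kul, whole_msg, hashlib.sha1).digest()[:12]


def synced_key_authenticates(passphrase, origin_engine_id, local_engine_id, msg):
    """Model a config sync that copies key material localized on the origin
    device to a peer, then check whether a manager's message to that peer
    still authenticates."""
    ku = password_to_key(passphrase)
    key_on_peer = localize_key(ku, origin_engine_id)       # arrived via sync
    key_manager_uses = localize_key(ku, local_engine_id)   # localized to the peer
    return hmac.compare_digest(auth_param(key_on_peer, msg),
                               auth_param(key_manager_uses, msg))


# Constructed values for the demonstration (not real device engineIDs).
ENGINE_A = bytes.fromhex("0000000000000000000000a1")
ENGINE_B = bytes.fromhex("0000000000000000000000b2")
MSG = b"constructed SNMPv3 message with zeroed authParameters"

if __name__ == "__main__":
    ku = password_to_key(b"maplesyrup")
    print("Ku (same everywhere):", ku.hex())
    print("Kul on device A     :", localize_key(ku, ENGINE_A).hex())
    print("Kul on device B     :", localize_key(ku, ENGINE_B).hex())
    print("A's key works on B  :",
          synced_key_authenticates(b"maplesyrup", ENGINE_A, ENGINE_B, MSG))
```

Configuring the pass phrase separately on each device, as the workaround describes, lets each device localize the key to its own engineID.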
837269 : Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic
Component: Carrier-Grade NAT
Symptoms:
When hosts send ICMP unreachable error messages and these are processed by the BIG-IP system, subsequent good UDP packets do not get the persistence LSN translation address.
Conditions:
-- Virtual server with FW NAT or CGNAT configuration to accept UDP traffic.
-- Client and/or server randomly sends ICMP unreachable messages.
Impact:
LSN persistence issues. UDP packets from the same client IP address may not get the same translation address every time, even though a persistence entry exists in the table.
Workaround:
None.
837233-1 : "Application Security Administrator" user role cannot manage Dos Profile GUI
Component: Advanced Firewall Manager
Symptoms:
BIG-IP GUI users in the "Application Security Administrator" role are not allowed to manage the DoS profile page and settings.
Conditions:
This affects users logged in with the "Application Security Administrator" role.
Impact:
DoS profiles cannot be edited from the GUI.
Workaround:
Either change the user role to allow managing DoS profiles, or edit profiles from tmsh.
835505-2 : Tmsh crash possibly related to NGFIPS SDK
Component: Local Traffic Manager
Symptoms:
tmsh crashes
Conditions:
The conditions that trigger this are unknown, and it occurs rarely. The NGFIPS SDK may core dump as well.
Impact:
Tmsh may crash.
835209-1 : External monitors mark objects down
Component: Global Traffic Manager (DNS)
Symptoms:
Object to which the external monitor is attached is marked down.
Conditions:
Executing external monitors trying to access something without appropriate permissions.
Impact:
Object to which the external monitor is attached is marked down.
Workaround:
None.
834217-5 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may advertise a sub-optimal window size.
Conditions:
Result of (init-rwnd * client-mss) is greater than maximum window size (65,535).
Impact:
Degraded TCP performance.
Workaround:
Do not use init-rwnd values that might result in values higher than maximum window size (65,535).
Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.
833685-3 : Idle async handlers can remain loaded for a long time doing nothing
Component: Application Security Manager
Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a big XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.
Impact:
Idle async handlers remain for a long time.
Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart it periodically via cron, as idle handlers are soon created again.
833049-2 : Category lookup tool in GUI may not match actual traffic categorization
Component: Access Policy Manager
Symptoms:
Category Lookup agent has changed to include the IP in the categorization query. The BIG-IP TMUI does not do the same (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup).
Conditions:
-- SWG or URLDB provisioned.
-- Run traffic with category lookup in the PRP and note the category produced.
-- Run the same URL through the GUI lookup tool or the command line tool.
Impact:
Some websites may be categorized differently depending on if the IP address is passed in or not.
Workaround:
None.
832665-2 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5
Component: TMOS
Symptoms:
Features supported in newer versions of open-vm-tools will not be available.
Conditions:
This issue may be seen when running in VMware environments.
Impact:
Features that require a later version of open-vm-tools will not be available.
Workaround:
None.
832653 : Azure scan table warnings can be ignored.
Component: TMOS
Symptoms:
When running BIG-IP Virtual Edition (VE) in the Azure cloud environment, you may see warnings in daemon and user log files:
-- warning: tm_install::DosPtable::scan_table -- identification of /dev/sdb1 failed; ID is 7.
-- warning: tm_install::DosPtable::scan_table -- identification of /dev/sdb1 failed; ID is 7.
This warning is due to installer code that expects to be running on official F5 hardware. This warning can be ignored.
Conditions:
This warning may be seen when running BIG-IP VE in the Azure cloud environment.
Impact:
These are benign warning messages that can be safely ignored.
Workaround:
None.
832233-3 : The iRule regexp command issues an incorrect warning
Component: Local Traffic Manager
Symptoms:
At validation time, mcpd issues a warning similar to the following:
warning mcpd[7175]: 01071859:4: Warning generated : /Common/test1:2: warning: ["\1" has no meaning. Did you mean "\\1" or "1"?][{(test) (\1)}]
Conditions:
Use arguments such as "\1", "\2", "\3" etc., in command regexp.
Impact:
A warning is generated, "\1" has no meaning, even though it is valid.
Workaround:
Ignore the warning.
832133-3 : In-TMM monitors fail to match certain binary data in the response from the server.
Component: Local Traffic Manager
Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system still marks them DOWN.
Conditions:
This issue occurs when all of the following conditions are met:
-- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).
-- One (or more) of your TCP or HTTP monitors specifies a receive string using HEX encoding, in order to match binary data in the server's response.
-- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.
Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.
Workaround:
You can use either of the following workarounds:
-- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.
-- Do not monitor the application through a binary response (if the application allows it).
831821-3 : Corrupted DAG packets causes bcm56xxd core on VCMP host
Component: TMOS
Symptoms:
On a VCMP host, bcm56xxd crashes when it receives corrupted DAG packets.
Conditions:
Unknown.
Impact:
Device goes offline, traffic disruption.
831517-1 : TMM may crash when Network Access tunnel is used
Component: Access Policy Manager
Symptoms:
TMM may crash.
Conditions:
-- APM session is established.
-- Network Access tunnel is established and used.
Impact:
APM end users experience Network Access tunnel disconnected. Traffic disrupted while tmm restarts.
Workaround:
None.
831293-3 : SNMP address-related GET requests slow to respond.
Component: TMOS
Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.
Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.
Impact:
Slow performance.
Workaround:
None.
829861 : iApp UI broken when referencing to iApp profile /Common/_sys_radius_proto_imsi
Component: iApp Technology
Symptoms:
When deploying a custom iApp template, the GUI says "An error has occurred while trying to process your request"
Conditions:
A custom iApp template is deployed that is derived from _sys_radius_proto_imsi
Impact:
UI display is impacted for the affected iApp.
829821-3 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
Component: TMOS
Symptoms:
If a very large number of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.
Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).
Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).
Workaround:
None.
829677-1 : .tmp files in /var/config/rest/ may cause /var directory exhaustion
Component: TMOS
Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open.
This issue occurs because a VIPRION process is unavailable due to a REST timeout.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Manually run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
829661-2 : TCP connection fails to establish when an SFC policy is enabled
Component: TMOS
Symptoms:
TCP Connections fail to establish. Data transfer does not happen.
Conditions:
-- SFC chain is configured on the system.
-- The configured SFC chain contains legacy servers (non-SFC) as part of the chain.
-- A source port changes from one hop of the SFC chain to next hop.
Impact:
TCP Connections fail to establish. Data transfer does not happen.
Workaround:
None.
829317-3 : Memory leak observed when running ICRD child
Component: TMOS
Symptoms:
When ICRD child process is running and users are switching rapidly, memory may leak slowly in tmsh and APM.
Conditions:
[1] ICRD child process is running
[2] There are multiple users on the device
[3] The multiple users are fetching a web-page using curl, repeatedly and concurrently
Impact:
Memory slowly leaks in tmsh and APM.
829193-2 : REST system unavailable due to disk corruption
Component: TMOS
Symptoms:
-- The iControl REST commands respond with the following:
[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'
-- The GUI indicates that iAppLX sub-system is unresponsive.
-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.
Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.
Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.
Impact:
The iControl REST system is unavailable.
Workaround:
Run the following commands at the BIG-IP command prompt:
bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat
Then, reinstall any iAppLX packages that were installed.
829029-3 : Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error
Component: Application Security Manager
Symptoms:
Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error.
Conditions:
At least two REST calls adding Attack Signatures and/or Attack Signature Sets which are sent in quick succession to the BIG-IP system.
Impact:
REST calls after the first may not be successful, resulting in failure to modify configuration as desired.
Workaround:
Retry the subsequent REST calls.
828873-2 : Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor
Component: TMOS
Symptoms:
In the deployment of BIG-IP 15.0.0 on Nutanix AHV Hypervisor, f5-label service is failing with inappropriate input device error.
Conditions:
Deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor.
Impact:
Deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor is not stable enough to log into the GUI or terminal.
Workaround:
Steps:
1. Mount the drive:
mount -o rw,remount /usr
2. Add a comment below the line in the '/usr/lib/systemd/system/f5-label.service' service file:
#StandardInput=tty
3. Reload the daemon:
systemctl daemon-reload
4. Restart the service:
systemctl restart f5-label
828789-3 : Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters
Component: TMOS
Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.
Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.
Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP configuration.
This does not impact the BIG-IP system's ability to select the proper Client SSL profile on a virtual server that uses SNI matching to provide distinct certificates.
Workaround:
Specify fewer than 1023 characters for the Certificate Subject Alternative Names.
828761 : APM OAuth - Auth Server attached iRule works inconsistently
Component: Access Policy Manager
Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server.
Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server.
Impact:
OAuth scope check agent fails with 'HTTP error 503', as the iRule attached to the RS virtual server is not triggered.
Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example, adding a log. This makes the iRule trigger when it is initially attached or loaded.
828625-1 : User shouldn't be able to configure two identical traffic selectors
Component: TMOS
Symptoms:
Config load fails when issuing "tmsh load sys config verify", with the following error:
01070734:3: Configuration error: Duplicate traffic selector is not allowed
Unexpected Error: Validating configuration process failed.
Conditions:
Duplicate IP addresses on multiple traffic-selectors attached to different ipsec-policies.
Impact:
Config load will fail after a reboot.
Workaround:
Delete duplicate traffic-selectors.
828601-3 : IPv6 Management route is preferred over IPv6 tmm route
Component: Local Traffic Manager
Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.
Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.
-- Receive another default gateway from a configured peer using any of dynamic routing protocols (BGP, OSPF, etc.)
Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.
Workaround:
None.
827441-1 : Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends a TCP SYN to the back-end server, but ignores the server's SYN-ACK response.
Conditions:
A virtual server that contains a UDP profile with idle-timeout immediate is modified to replace the UDP profiles with TCP profiles.
Impact:
Connections from the BIG-IP system to backend servers fail.
Workaround:
Delete and recreate the virtual server.
827209-2 : HSB transmit lockup on i4600
Component: TMOS
Symptoms:
TMM shows an HSB transmit lockup message and cores.
Conditions:
-- Using an i4600 platform.
-- Other conditions under which this occurs are unknown.
Impact:
Disruption to processing traffic on the BIG-IP system.
Workaround:
None.
827021-2 : MCP update message may be lost when primary blade changes in chassis
Component: TMOS
Symptoms:
In a VIPRION chassis, when the Primary blade is disabled (intentionally or due to an unexpected loss of functionality) and a new Primary blade is selected, there is a brief window of time during which status messages forwarded from MCPD on a Secondary blade to MCPD on the Primary blade might be dropped, possibly resulting in an incorrect view of the state of configured objects.
Conditions:
This problem may occur under the following conditions:
-- The state of a blade-local object/resource (such as a network interface or trunk) changes.
-- There is a high load on MCPD (for example, due to configuration reload on the new Primary blade) which delays processing of some MCPD actions.
Impact:
This problem may result in the state of blade-local objects (such as interfaces or trunks) being seen and reported incorrectly across the blades in the chassis, or on one or more specific blades (Primary, Secondary) in the chassis.
For example, if loss of the Primary blade results in one or more interfaces in a trunk being marked down by LACPD on a specific blade, resulting changes in trunk/member status may not be propagated correctly to the Primary blade, and from there to other Secondary blades.
Workaround:
None.
826437 : CSR subject fields with comma(,) are truncated during certificate renewal via the GUI.
Component: TMOS
Symptoms:
CSR subject fields are truncated during certificate renewal via the GUI.
Conditions:
-- Certificate subject field contains a comma (,).
-- Renewing the certificate via the GUI.
Impact:
Invalid certificate signing requests are created. This may not be apparent until certificate validation occurs, or when the certificate authority denies the certificate signing request.
Workaround:
Use the TMSH command line interface to create the CSR when commas are present in the subject field.
826349-2 : VXLAN tunnel might fail due to misbehaving NIC checksum offload
Component: Local Traffic Manager
Symptoms:
Some NICs, e.g., on BIG-IP 2000/4000 platforms, perform checksum offloading for UDP, and erroneously mark a 0 (zero) checksum as a checksum failure, even though the UDP header includes an optional, 16-bit one's complement checksum that provides an integrity check.
If the computed checksum is 0, it is transmitted as all ones. In this case the NIC should accept the checksum, but it does not.
Conditions:
NIC offload checksum of 0.
Impact:
VXLAN tunnel fails.
Workaround:
None.
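The zero-checksum rule in the symptoms above comes from RFC 768. The following added example (not F5 code) is a reference UDP checksum builder and verifier that handles both edge cases: a checksum field of 0, and a computed checksum of 0 that is sent as 0xFFFF. The addresses, ports, payload and function names are constructed for illustration.

```python
import socket
import struct

UDP_PROTO = 17
VXLAN_PORT = 4789  # IANA-assigned VXLAN port, used here only as sample data


def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, dst, udp_len):
    """IPv4 pseudo-header that RFC 768 includes in the checksum."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def build_udp(src, dst, sport, dport, payload):
    """Return a UDP segment with the checksum field a sender must transmit."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    covered = pseudo_header(src, dst, length) + header + payload
    computed = ~ones_complement_sum(covered) & 0xFFFF
    field = computed or 0xFFFF  # a computed 0 is transmitted as all ones
    return struct.pack("!HHHH", sport, dport, length, field) + payload


def checksum_field(segment):
    """Checksum field as it appears on the wire."""
    return struct.unpack("!H", segment[6:8])[0]


def verify_udp(src, dst, segment):
    """Receiver-side verdict: 'no-checksum', 'valid' or 'invalid'."""
    length = struct.unpack("!H", segment[4:6])[0]
    if checksum_field(segment) == 0:
        return "no-checksum"  # IPv4 sender did not compute one; accept
    total = ones_complement_sum(pseudo_header(src, dst, length) + segment[:length])
    return "valid" if total == 0xFFFF else "invalid"


def payload_with_zero_checksum(src, dst, sport, dport, body):
    """Append a 2-byte filler so the computed checksum comes out as 0."""
    if len(body) % 2:
        body += b"\x00"
    length = 8 + len(body) + 2
    header = struct.pack("!HHHH", sport, dport, length, 0)
    partial = ones_complement_sum(pseudo_header(src, dst, length) + header + body)
    return body + struct.pack("!H", 0xFFFF - partial)


if __name__ == "__main__":
    # Constructed sample flow between two documentation addresses.
    src, dst = "192.0.2.10", "192.0.2.20"
    payload = payload_with_zero_checksum(src, dst, 49152, VXLAN_PORT, b"constructed sample")
    segment = build_udp(src, dst, 49152, VXLAN_PORT, payload)
    print(hex(checksum_field(segment)), verify_udp(src, dst, segment))
```

A packet capture taken on the tunnel endpoint can be checked against the same logic to separate genuinely corrupted datagrams from ones the offload engine misreports.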
826313-4 : Error: Media type is incompatible with other trunk members★
Component: TMOS
Symptoms:
Loading the system configuration fails after upgrade with an error message:
01070619:3: Interface 5.0 media type is incompatible with other trunk members
Conditions:
-- Trunk interface created in BIG-IP version 12.3.4.
-- Trunk interfaces have different speeds (e.g. 100Mb interfaces and 1Gb interfaces)
-- Load the configuration after upgrading from v12.1.3.4 to v12.1.3.5.
Impact:
The system configuration fails to load.
Workaround:
If you encounter this error, manually fix all trunks to only use interfaces of the same speed, and then load the configuration.
826297-1 : Address list as source/destination for virtual server cannot be changed from tmsh
Component: TMOS
Symptoms:
Address list as source/destination for virtual server cannot be changed from tmsh, although it can be changed from the GUI.
Conditions:
For an address list created in tmsh:
# list security shared-objects address-list
security shared-objects address-list testAddressList {
    addresses {
        1.1.1.1/32 { }
        2.2.2.2/32 { }
    }
}
There is no Address list option shown in virtual server config:
# modify ltm virtual test source
Configuration Items:
[enter address or address/prefixlen] <==!!
Impact:
Address list as source/destination for virtual server cannot be changed from tmsh.
Workaround:
Use the GUI to make changes to the Address list as source/destination for virtual server.
826265-3 : The SNMPv3 engineBoots value restarts at 1 after an upgrade
Component: TMOS
Symptoms:
Many SNMPv3 clients pay attention to the engineBoots value as part of server authentication. When the BIG-IP system is upgraded, the engineBoots value is not retained, so it restarts at 1.
Conditions:
Upgrading a BIG-IP system whose engineBoots value is greater than 1.
Impact:
The engineBoots value is reset to 1. This may look like an error condition for the SNMPv3 client.
Workaround:
1. Run the following command (where n = the value at which you want to start the engineBoots):
tmsh modify sys snmp include 'engineBoots n'
2. Restart SNMPD.
826189-2 : The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.
Component: TMOS
Symptoms:
The input validation performed by the BIG-IP system WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.
The WebUI should allow users to specify only a prefix (for example, 2001:db8:0:0:0:0:0:0 or 2001:db8::); however, it incorrectly allows users to specify a subnet mask too (for example, 2001:db8:0:0:0:0:0:0/96 or 2001:db8::/96).
In contrast, the TMSH utility correctly enforces values for this option.
Conditions:
The BIG-IP Administrator creates or modifies a DNS profile using the WebUI, and specifies an IP/SM value for the dns64-prefix option.
Impact:
Upon performing DNS64, TMM returns incorrect DNS answers that do not use the specified prefix. For example, if the Administrator specifies 2001:db8:0:0:0:0:0:0/96 as the prefix, and if the IPv4 address of the requested resource is 198.51.100.1, DNS64 returns ::198.51.100.1 instead of 2001:db8::c633:6401. This prevents end-user clients from reaching the intended resource.
The impact described in this section only applies to BIG-IP versions 14.1.0 and later. Previous BIG-IP versions also had this WebUI validation issue, but despite this TMM still returned the correct DNS answer.
Workaround:
When configuring this option using the WebUI, do not specify a subnet mask.
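The prefix handling described in this entry, as an added example (not F5 code): a validator that refuses the address/mask form the WebUI accepts, RFC 6052 address synthesis for the prefix, and a check that a returned AAAA answer actually carries the configured prefix. Function names are illustrative; the addresses come from the entry above and from the RFC 6052 examples.

```python
import ipaddress

# RFC 6052 section 2.2 permits only these prefix lengths.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def parse_dns64_prefix(value):
    """Return the prefix as an IPv6Address; refuse 'address/mask' input."""
    if "/" in value:
        raise ValueError("dns64-prefix must be a bare prefix, got %r" % value)
    return ipaddress.IPv6Address(value)


def synthesize_aaaa(prefix, ipv4, prefix_len=96):
    """Embed an IPv4 address in a DNS64 prefix (RFC 6052 section 2.2)."""
    if prefix_len not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("unsupported prefix length /%d" % prefix_len)
    if int(prefix) & ((1 << (128 - prefix_len)) - 1):
        raise ValueError("prefix has bits set beyond /%d" % prefix_len)
    out = bytearray(prefix.packed)
    pos = prefix_len // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:  # octet 8 (bits 64-71) is reserved and stays zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def answer_uses_prefix(answer, prefix, prefix_len=96):
    """True if a synthesized AAAA answer falls inside the configured prefix."""
    network = ipaddress.IPv6Network((prefix, prefix_len))
    return ipaddress.IPv6Address(answer) in network


if __name__ == "__main__":
    prefix = parse_dns64_prefix("2001:db8::")
    print(synthesize_aaaa(prefix, "198.51.100.1"))        # expected answer
    print(answer_uses_prefix("::198.51.100.1", prefix))   # answer seen with the bug
    try:
        parse_dns64_prefix("2001:db8::/96")
    except ValueError as err:
        print("rejected:", err)
```

Running `answer_uses_prefix` against AAAA answers from a DNS64 listener is a quick way to detect a profile that was saved with a mask through the WebUI.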
826049-1 : French language spelling error in BIG-IP Edge Client message window
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client message window contains a spelling error when displayed in French:
En cour de Réinstallation du
Conditions:
Using the BIG-IP Edge Client in a French environment.
Impact:
The message should be: En cours de Réinstallation du
Workaround:
None.
825501-1 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★
Component: Protocol Inspection
Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.
It also shows different versions of the Active IM package on different slots.
Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.
Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.
As a result, traffic processed by different blades uses different IPS libraries, which might cause inconsistent functionality.
Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.
825413-2 : /var/lib/mysql disk is full
Component: Application Security Manager
Symptoms:
PRX.BRUTE_FORCE_* db tables do not have a row_limit, so they can grow to consume all available disk space in /var/lib/mysql.
Conditions:
ASM provisioned
Impact:
/var/lib/mysql can run out of disk space
Workaround:
1. Truncate the two large tables. This clears all the rows in those tables and should free disk space.
Note that existing brute force username and IPs reporting data will be lost.
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_USERNAMES"
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_IPS"
2. Add row_limit for the two tables to avoid the same issue in the future.
Add the following lines at the bottom of the file /etc/ts/tools/clean_db.yaml:
PRX.BRUTE_FORCE_MITIGATED_USERNAMES:
  row_limit: 100000
  order_by: brute_force_mitigated_username_id
PRX.BRUTE_FORCE_MITIGATED_IPS:
  row_limit: 100000
  order_by: brute_force_mitigated_ip_id
Restart the clean_db process (restarting this process has no impact):
# pkill -f clean_db
Wait 30 sec, and make sure the process came back:
# ps aux | grep clean_db
825245-2 : SSL::enable does not work for server side ssl
Component: Local Traffic Manager
Symptoms:
When SSL::enable is issued in an iRule, for example in the HTTP Request event, it will not enable the server side profile if the server side profile is disabled.
Conditions:
An HTTP profile is configured on a virtual, and the server-ssl profile on the same virtual is disabled.
Impact:
The connection will close instead of completing.
Workaround:
Do not use a disabled server-ssl profile in this situation.
825013-3 : GENERICMESSAGE::message's src and dst may get cleared in certain scenarios
Component: Service Provider
Symptoms:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands may not work properly if iRule processing changes to a different TMM. These commands may return an empty string rather than correct data.
Conditions:
-- Using "GENERICMESSAGE::message src" and/or "GENERICMESSAGE::message dst" iRule commands.
-- iRule processing moves from one TMM to another TMM.
Impact:
Incorrect data returned from "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands.
824881-2 : A rare TMM crash caused by the fix for ID 816625
Component: Local Traffic Manager
Symptoms:
In rare scenarios involving HTTP unchunking and plugins, the TMM may crash.
Conditions:
Software that contains the fix for ID 816625, which involves HTTP unchunking and some plugins, dynamically removing the unchunking logic when required.
Impact:
In addition, other plugin behavior may abort the unchunking logic in an unexpected way. This causes a double-abort, and triggers a TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
824809-4 : bcm56xxd watchdog restart
Component: TMOS
Symptoms:
During initialization of very large configurations it is possible that the watchdog timer will fire and reset the bcm56xxd driver.
Conditions:
System configuration with very large number of objects being loaded.
Impact:
The driver restarts.
824437-2 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:
Assertion "xbuf_delete_until successful" failed.
Conditions:
This issue occurs when the following conditions are met:
-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.
-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.
824433-1 : Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile
Component: Local Traffic Manager
Symptoms:
The HTTP/1.1 request/response statistic fields in the HTTP profile are incremented incorrectly when HTTP2 traffic is encountered.
There is not currently a way to view the HTTP2 and HTTP3 request/response stats on the HTTP profile.
Conditions:
-- Client or server sends HTTP2 request/response.
-- Using GUI, TMSH, iControl (SOAP), or SNMP.
Impact:
Incorrect HTTP/1.1 request/response statistic values are present in the HTTP profile when HTTP2 traffic is encountered.
Workaround:
None.
824205-1 : GUI displays error when a virtual server is modified if it is using an address-list
Component: TMOS
Symptoms:
When you modify a virtual server, the GUI returns an error similar to the following:
01b90011:3: Virtual Server /Common/vs2_udp's Traffic Matching Criteria /Common/vs2_udp_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1_tcp destination address, source address, service port.
Conditions:
This occurs when either of the following occur:
-- When renaming the virtual server.
-- When changing the address-list attribute.
Impact:
Cannot update virtual configuration with new value.
Workaround:
None.
824093-3 : Parameters payload parser issue
Component: Application Security Manager
Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.
Conditions:
-- ASM in use.
-- Request contains multipart headers.
Impact:
Incorrect policy enforcement.
Workaround:
None.
823921-2 : FTP profile causes memory leak
Component: Local Traffic Manager
Symptoms:
When an FTP profile is added to a virtual server, TMM leaks memory and eventually the system has to terminate connections.
Conditions:
An FTP profile is installed on a virtual server, and the inherit-parent-profile parameter is enabled or isession is also included on the FTP virtual.
Impact:
TMM leaks memory and eventually the system has to terminate connections.
Workaround:
Disable the inherit-parent-profile option if fastL4 data-channel is adequate.
823825-5 : Renaming HA VLAN can disrupt state-mirror connection
Component: Local Traffic Manager
Symptoms:
If the VLAN that services the state mirror connection between BIG-IP systems is renamed, it can cause a disruption of the state mirror connection. It can also lead to an eventual crash.
Conditions:
Renaming the VLAN that services the state mirror connection between BIG-IP systems in a high availability (HA) configuration.
Impact:
System might crash eventually.
Workaround:
Do not rename the VLAN that services the state mirror connection between BIG-IP systems in an HA configuration.
822253-3 : After starting up, mcpd may have defunct child "run" and "xargs" processes
Component: TMOS
Symptoms:
After starting up, mcpd may have defunct child "run" and "xargs" processes
Conditions:
Slow disk storage or large configuration files.
Impact:
Minimal; some zombie processes are created.
822245-4 : Large number of in-TMM monitors results in some monitors being marked down
Component: Local Traffic Manager
Symptoms:
Pool members are marked down from the in-TMM monitor.
Conditions:
Device has a large number of in-TMM monitors.
Impact:
Monitor target may appear down when it is actually up.
Workaround:
Disable in-tmm monitors:
tmsh modify sys db bigd.tmm value disable
822025-2 : HTTP response not forwarded to client during an early response
Component: Local Traffic Manager
Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.
Conditions:
-- A slow client.
-- Early server response with the HTTP::respond iRule.
Impact:
A client does not receive the redirect from the HTTP::respond iRule.
Workaround:
None.
821589-2 : DNSSEC does not insert NSEC3 records for NXDOMAIN responses
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC does not insert NSEC3 records for NXDOMAIN responses.
Conditions:
-- "process-xfr yes" is set for the dns profile associated with the listener;
And
-- There is no "Zone Transfer Clients" nameserver configured for that zone.
And
-- There is no wideip configured.
Impact:
DNSSEC does not respond with NSEC3 for a non-existent domain.
Workaround:
1. Change this setting for dns profile from "process-xfr yes" to "process-xfr no";
Or
2. Add a nameserver for "Zone Transfer Clients" of that zone.
Or
3. Add a wideip.
821309-3 : After an initial boot, mcpd has a defunct child "systemctl" process
Component: TMOS
Symptoms:
Zombie "systemctl" process, as a child of mcpd.
Conditions:
Reboot of the BIG-IP.
Impact:
Minimal; a single zombie process is created.
Workaround:
To get rid of the process, you can restart mcpd.
820845-2 : Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
Component: TMOS
Symptoms:
BIG-IP systems might not respond to ARP / Neighbour Discovery requests received via EtherIP tunnels on a multi-blade system.
Conditions:
Decapsulated ARP / Neighbour Discovery requests for an address owned by the BIG-IP system are processed by a secondary blade.
Impact:
Some endpoints may not be able to resolve (ARP / Neighbour protocol) via EtherIP tunnel.
Workaround:
Create static ARP entries on affected endpoints.
820333-3 : LACP working member state may be inconsistent when blade is forced offline
Component: Local Traffic Manager
Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.
Conditions:
LACP updates while blade is going offline.
Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.
820213-2 : 'Application Service List' empty after UCS restore
Component: TMOS
Symptoms:
The iApps :: Applications LX list does not display anything after restoring a UCS that was taken from a different device.
Conditions:
-- Restoring a UCS from a different device.
-- UCS includes the iAppLX package.
Impact:
Cannot see anything on 'Application Service List', and you are unable to configure the application.
Workaround:
Run the following command before restoring the UCS file:
clear-rest-storage
819457-3 : LTM high availability (HA) sync should not sync GTM zone configuration
Component: TMOS
Symptoms:
LTM high availability (HA) sync groups are syncing GTM zone configuration changes.
Conditions:
1. The BIG-IP systems have both LTM and GTM provisioned.
2. The two BIG-IPs are inside one LTM sync group.
Impact:
GTM zone files are accidentally modified.
819429-3 : Unable to scp to device after upgrade: path not allowed
Component: TMOS
Symptoms:
SCP of file to the BIG-IP system results in error:
path not allowed
Conditions:
Issue occurs when both conditions are present:
-- The BIG-IP user has shell tmsh or shell none access.
-- The scp operation is performed on a non-symlink location present under scp whitelist (/config/ssh/scp.whitelist).
For example:
scp to /var/tmp succeeds
scp to /shared/tmp fails with 'path not allowed'.
Impact:
Cannot copy files to symlinks present under whitelist.
Workaround:
None.
819421-3 : Unable to scp/sftp to device after upgrade★
Component: TMOS
Symptoms:
Users with numeric usernames are unable to log in via scp.
Conditions:
-- Logging in via scp/sftp.
-- User account with a numeric username.
Impact:
Unable to log in via scp.
Workaround:
Include alpha characters in username.
819329-2 : Specific FIPS device errors will not trigger failover
Component: Local Traffic Manager
Symptoms:
When the FIPS device experiences a hardware failure during idle-time, the device may not fail over.
Conditions:
-- FIPS hardware failure occurs, but the device is idle
Impact:
The device may not fail over on FIPS hardware failure.
819261-3 : Log HSB registers when parts of the device become unresponsive
Component: TMOS
Symptoms:
Part of the HSB becomes unresponsive, and there is no logging of additional registers to assist in diagnosing the failure.
Conditions:
It is unknown under what conditions the HSB becomes unresponsive.
Impact:
Limited visibility into the HSB state when it becomes unresponsive.
Workaround:
None.
819233-5 : Ldbutil utility ignores '--instance' option if '--list' option is specified
Component: Access Policy Manager
Symptoms:
When running ldbutil utility, if the '--list' option is specified, then the '--instance' option has no effect. All the local users will be listed.
Conditions:
When both '--list' and '--instance' options are specified.
Impact:
The output lists all the local users and is not limited to the '--instance' option given.
Workaround:
None.
818853-3 : Duplicate MAC entries in FDB
Component: Local Traffic Manager
Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.
Conditions:
-- Having multiple paths to a MAC in a given configuration.
Impact:
There are duplicate MAC address entries which come from multiple interfaces.
Workaround:
None.
818833-3 : TCP re-transmission during SYN Cookie activation results in high latency
Component: Local Traffic Manager
Symptoms:
The issue is reported with the following system setup:
client <-> BIG-IP <-> concentrator <-> proxy <-> BIG-IP nat gateway <-> Internet
-- SYN Cookie was activated on the F5 nat gateway.
-- Latency from 'Internet' (public host) is observed at the 'Proxy' device sitting before the F5 nat gw.
-- During the latency issue, SYN Cookie was active and evicting connections.
-- When SYN Cookie is enabled, it switches to L7 delayed binding as expected, but it does not send an ACK for the HTTP request, so the client sends it again and again.
Conditions:
Hardware SYN Cookie is enabled on FastL4 profile
Impact:
High latency is observed.
Workaround:
Disable the SYN Cookie on the FastL4 profile
818789-5 : Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile
Component: Local Traffic Manager
Symptoms:
With in-tmm monitoring enabled (or sys db bigd tmm set to enable) and with https monitor's ssl-profile set to none, the expected behavior is to send ciphers in ClientHello based on default serverssl profile as mentioned in GUI help for https monitor.
Conditions:
Configure HTTPS Monitor with ssl-profile "None".
Impact:
Ciphers are not exchanged as expected in the ClientHello Packets
Workaround:
Configure the HTTPS Monitor without the ssl-profile option; the default serverssl profile will be used.
818737-1 : Improve error message if user did not select an address-list or port list in the GUI
Component: TMOS
Symptoms:
In the GUI, the Virtual Server screen displays the available address-lists or port lists for source address, but there is no clarity on whether the options are selected or available.
Conditions:
-- Virtual server's source address section.
Impact:
If you do not make a selection and try to create the Virtual Server, an error occurs: An error has occurred while trying to process your request.
Workaround:
Click to select the address-list or port-list displayed as source address for Virtual Server.
818721-1 : Virtual address can be deleted while it is in use by an address-list.
Component: Local Traffic Manager
Symptoms:
-- The virtual-address (and virtual server) will no longer work.
-- The BIG-IP won't answer ARP requests for it.
-- Loading the config again or performing similar operations will not re-create the virtual-address.
Conditions:
-- A virtual address is deleted while it is in use by an address list and virtual server.
-- MCPD is restarted (or the unit rebooted, etc.).
Impact:
Traffic processing is disrupted
818505-3 : Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Component: TMOS
Symptoms:
Using an iControl PUT command to modify a virtual address will change that address's netmask to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
Conditions:
Modifying a virtual address using an iControl PUT command.
Impact:
An unintentional change to the virtual address's netmask.
Workaround:
Two options:
-- Use a PATCH command instead of a PUT command.
-- Always specify the netmask explicitly when making changes.
818417-2 : Flowspecd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf.
Component: TMOS
Symptoms:
During system boot, the flowspecd daemon emits a message 'Shm segment not found in /etc/ha_table/ha_table.conf', and heartbeat monitoring is disabled for flowspecd.
Conditions:
Flowspecd daemon is running.
Impact:
No heartbeat monitoring for flowspecd daemon.
Workaround:
Manually edit the file /etc/ha_table/ha_table.conf and insert a line at the end:
ha segment path: /flowspecd
818297 : OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure
Component: TMOS
Symptoms:
OVSDB-server fails to make SSL connections when SELinux is enforced.
In /var/log/openvswitch/ovsdb-server.log:
...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).
Conditions:
-- Navigate to System :: Configuration : OVSDB.
-- Add cert and keys.
Impact:
Permission denied, SSL connection failure.
Workaround:
Step 1: Check openvswitch SELinux denial:
# audit2allow -w -a
Example output:
type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Step 2: Find openvswitch components that need Linux policy additions:
# audit2allow -a
Example output:
#============= openvswitch_t ==============
allow openvswitch_t f5config_t:dir search;
allow openvswitch_t f5filestore_t:dir search;
allow openvswitch_t f5filestore_t:file { getattr open read };
Step 3: Modify the policy to allow access to the component openvswitch_t:
# audit2allow -a -M openvswitch_t
Step 4: Apply the policy:
# semodule -i openvswitch_t.pp
818097-4 : Plane CPU stats too high after primary blade failover in multi-blade chassis
Component: Local Traffic Manager
Symptoms:
The data, control, and analysis plane stats are too high as reported by tmsh show sys performance system detail.
Conditions:
The primary blade in a multi-blade chassis fails over to another blade.
Impact:
The plane CPU stats are too high.
Workaround:
Remove the /var/tmstat/blade/statsd file on the previous primary blade and restart merged on that blade.
818069-4 : GUI hangs when iApp produces error message
Component: iApp Technology
Symptoms:
If lengthy Tcl errors are displayed in the GUI while creating an iApp, the GUI can hang.
Conditions:
-- Creating an iApp that contains a syntax error.
-- A large error message is emitted.
Impact:
GUI hangs.
Workaround:
Restart the tomcat process:
tmsh restart sys service tomcat
817709-2 : IPsec: TMM cored with SIGFPE in racoon2
Component: TMOS
Symptoms:
TMM asserted and cored in racoon2 with this panic message:
panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.
Conditions:
When IKEv2 Phase 2 SA has no peer proposal associated with it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
817089-1 : Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing
Component: TMOS
Symptoms:
Connections that are hardware accelerated and that use asymmetric routing may use the wrong MAC address for return traffic. This can be observed by looking at a packet capture.
Conditions:
Hardware acceleration is enabled (ePVA/fastL4) with asymmetric routing.
Impact:
The return traffic has the wrong source MAC address. This may affect packet forwarding depending on the configuration.
Workaround:
Disable HW acceleration.
817085-4 : Multicast Flood Can Cause the Host TMM to Restart
Component: TMOS
Symptoms:
A vCMP host tmm is restarted.
Conditions:
The vCMP host is processing heavy multicast traffic.
Impact:
The host TMM restarts and traffic stops for the guests.
Workaround:
The scheduling can be adjusted with this setting in the vCMP Host configuration:
# echo "realtime yield 90" > /config/tmm_init.tcl
# bigstart restart tmm
The bigstart restart tmm must be performed individually on all blades on the vCMP host. These changes also must be done on all vCMP hosts with guests in a high availability (HA) setup.
816881-1 : Serverside connection may use wrong VLAN when virtual wire is configured
Component: Local Traffic Manager
Symptoms:
The server SYN flows on the wrong VLAN when tmm tries to establish a server connection. The BIG-IP system sends RST packets of unmatched VLAN/MAC combination.
Conditions:
-- Virtual wire is configured.
-- Clientside data and handshake come in on different VLANs.
Impact:
Some client connections fail to establish
Workaround:
None.
816353-1 : Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1
Component: TMOS
Symptoms:
During re-licensing or license reload, an unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1 may be sent.
Conditions:
Occurs during license reload or reactivation.
Impact:
After a license reload, the unknown trap can be seen like the following:
run "tcpdump -ni mgmt port 162 -vvvv &":
12:01:59.883331 IP (tos 0x0, ttl 64, id 47411, offset 0, flags [DF], proto UDP (17), length 101)
10.248.136.179.55540 > 172.28.8.68.snmptrap: [bad udp cksum 0x486e -> 0xd7b8!] { SNMPv2c { V2Trap(58) R=1205683810 .1.3.6.1.2.1.1.3.0=1775555 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.2.1.47.2.0.1.0.1 } }
816229-1 : Kernel Log Messages Logged Twice
Component: TMOS
Symptoms:
You see duplicate log messages in /var/log/kern.log
Conditions:
This can be encountered when viewing /var/log/kern.log right after startup in BIG-IP versions dating back to 14.1.0
Impact:
Viewing ('cat'ing) kern.log results in duplicated log messages in the buffer.
816205-3 : IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side
Component: Local Traffic Manager
Symptoms:
ICMP protocol 50 unreachable messages are not forwarded from the server-side to the client-side when a SNAT Virtual Server handles ESP flows that are not encapsulated in UDP port 4500 (RFC 3948). Other ICMP messages related to the server-side ESP flow may be similarly affected.
Conditions:
-- BIG-IP system is forwarding ESP (protocol 50) packets.
-- Virtual Server is configured with a SNAT pool or automap.
-- The server-side IPsec peer sends ICMP protocol errors in response to the ESP packets.
Impact:
ICMP packets arriving on the server-side are not forwarded to the client-side.
Workaround:
Option 1:
-- Enable NAT Detection (RFC 3947) on the IPsec peers.
NOTE: NAT Detection (RFC 3947) is the correct way to implement IPsec peers when network address translation occurs between the two IPsec peers.
Option 2:
-- Remove NAT from the Virtual Server.
-- Set the following sys db values:
# tmsh modify sys db ipsec.lookupip value "enable"
# tmsh modify sys db ipsec.lookupspi value "disable"
NOTE: The sys db settings in option 2 do not resolve the ICMP issue if NAT is configured on the Virtual Server.
815753-2 : TMM leaks memory when explicit SWG is configured with Kerberos authentication
Component: Access Policy Manager
Symptoms:
Memory usage of filter keeps increasing over time and becomes one of the major consumers of the TMM memory.
Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.
Impact:
TMM sweeper enters aggressive mode and reaps connections.
Workaround:
None.
815529-2 : MRF outbound messages are dropped in per-peer mode
Component: Service Provider
Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.
Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.
Impact:
Outbound traffic with the same destination address may be dropped at random.
Workaround:
Change the peer connection mode to 'Per TMM'.
815405-4 : GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI)
Component: Local Traffic Manager
Symptoms:
Child FastL4 profile is being reset after clicking Update from GUI.
Conditions:
-- Create a child SSL FastL4 profile inheriting settings from a parent FastL4 profile.
-- From the command line, change any of the CLI-only visible settings in the child FastL4 profile (e.g., pva-acceleration, explicit-flow-migration, etc.), and save the changes.
-- In the GUI, click the Update button in the child FastL4 profile without making any change.
Impact:
The operation overwrites the CLI changes made in the child profile, and inherits those values from the parent settings instead.
Workaround:
None.
815089-3 : On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations
Component: Local Traffic Manager
Symptoms:
If you have a system with no VLANs configured, and you attempt to create virtual servers or SNATs that have the same address/port combinations, you will be able to do so without validation errors.
Conditions:
-- A BIG-IP system with no VLANs configured.
-- Creating virtual servers or SNATs that have identical address/port combinations.
Impact:
An invalid configuration is allowed.
Workaround:
None.
814941-1 : PEM drops new subscriber creation if historical aggregate creation count reaches the max limit
Component: Policy Enforcement Manager
Symptoms:
PEM subscriber creation fails. This is usually seen across multiple high availability (HA) failover events.
Conditions:
The aggregate subscriber creation count reaches the maximum subscriber limit per tmm, which is configured using the sys db variable statemirror.mirrorsessions.
Impact:
Unable to bring up any more subscribers.
Workaround:
Restart tmm when the limits are reached.
814761-2 : PostgreSQL monitor fails on second ping with count != 1
Component: Local Traffic Manager
Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.
When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:
Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
at java.lang.Thread.run(Thread.java:748)
Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 775901.
Impact:
Unable to monitor the health of postgresql server pool members accurately.
Workaround:
To work around this issue, configure a 'count' value of '1' in the postgresql monitor configuration.
814585-3 : PPTP profile option not available when creating or modifying virtual servers in GUI
Component: TMOS
Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.
Conditions:
Creating or modifying a virtual server in the GUI.
Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.
Workaround:
Use TMSH to add a PPTP profile to the virtual server.
814353-3 : Pool member silently changed to user-disabled from monitor-disabled
Component: TMOS
Symptoms:
When a node (Disabled by Monitor) is updated via the member screen (no change to configuration required), the status changes from:
'Available (Disabled) pool members is available, monitor disabled'.
To:
'Available (Disabled), pool member is available, user disabled'.
Conditions:
-- A node disabled by Monitor.
-- Go to GUI LTM pool member and navigate into the monitor disabled member, then update without any configuration change.
Impact:
Pool member goes to 'user-disabled'.
Workaround:
To recover, re-enable the pool member.
814273-3 : Multicast route entries are not populating to tmm after failover
Component: TMOS
Symptoms:
Multicast route entries are not populating in tmm after failover. ZebOS has the multicast entries, but tmm does not.
Conditions:
-- High Availability (HA) configured, with multicast traffic.
-- A failover occurs.
Impact:
Multicast traffic does not pass through properly.
Workaround:
Clear the multicast entries in ZebOS manually:
> clear ip mroute *
> clear ip igmp group
814097-2 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
Component: Service Provider
Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.
Conditions:
Converting the transport of SIP messages with the Generic Message router.
Impact:
Any code that waits for the SERVER_CONNECTED event will not run.
814053-2 : Under heavy load, bcm56xxd can be killed by the watchdog
Component: TMOS
Symptoms:
bcm56xxd crashes, and the device fails over on heartbeat error:
warning sod[7244]: 01140029:4: HA daemon_heartbeat bcm56xxd fails action is restart.
notice sod[7244]: 010c006c:5: proc stat: [0] pid:12482 comm:(bcm56xxd) state:S utime:16612520 stime:879057 cutime:11 cstime:21 starttime:1601425044 vsize:2189299712 rss:527927 wchan:18446744073709551615 blkio_ticks:0 [-1] pid:12482 comm:(bcm56xxd) state:S
Conditions:
-- HA configured.
-- Programming the DAG while it is under heavy load (i.e., a large number of objects that have to be programmed into the switches).
Impact:
The bcm56xxd daemon may restart and produce a core file. It then continues trying to program the DAG.
This causes a system to go offline and stop processing traffic.
Workaround:
None.
814037-4 : No virtual server name in Hardware Syncookie activation logs.
Component: Local Traffic Manager
Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:
notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.
Conditions:
-- More than one virtual server with the same destination IP, e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.
Impact:
Difficult to determine which virtual server actually got the Syncookie activated.
Workaround:
None.
813969-3 : Network DoS reporting events as 'not dropped' while in fact, events are dropped
Component: Advanced Firewall Manager
Symptoms:
Logs and tmctl show packets as dropped, whereas AVR shows the Action as 'Allowed' and not 'Dropped'.
Conditions:
-- AFM configured.
-- AFM passes the message to AVR for reporting.
Impact:
The operation does not update the drop flag. AVR Reporting makes it appear that packets are allowed, but they are actually dropped.
Workaround:
There is no workaround at this time.
813701-3 : Proxy ARP failure
Component: Local Traffic Manager
Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.
Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.
Impact:
ARP replies are dropped, leading to connection failures.
Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.
813561-3 : MCPD crashes when assigning an iRule that uses a proc
Component: Local Traffic Manager
Symptoms:
MCPD crashes when assigning an iRule to a Virtual Server or loading a config with an iRule assigned.
Conditions:
The iRule must use a proc that contains three statements associated with different feature flags.
Impact:
MCPD crashes, and you are unable to use the desired iRule.
Workaround:
None.
813409-1 : BD crash under certain circumstances
Component: Application Security Manager
Symptoms:
BD crashes with an error message:
01230140:3: RST sent from 10.0.1.101:83 to 10.0.1.1:464, [0x2911514:1148] Internal error (ASM requested abort (open error)).
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disruption / failover.
Workaround:
None.
813221-1 : Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync
Component: Global Traffic Manager (DNS)
Symptoms:
The virtual server for an LTM redundant peer is continually updated with its IP/Port changing back and forth between two values, leading to perpetual GTM configuration syncs.
Conditions:
The destination IP:port of the virtual server on the LTM is not in sync between the LTM devices in the device-group.
Impact:
The virtual server status flaps between 'blue' and 'green', and its destination IP:port changes between a correct value and an incorrect one. Traffic will be impacted.
Workaround:
Perform a configsync on the LTM device-group that owns the virtual server.
813057-2 : False positive attack detection on DoS profile vectors for unbalanced traffic
Component: Advanced Firewall Manager
Symptoms:
DoS attack is detected on a profile vector when attack Packets Per Second (PPS) is lower than the threshold.
Conditions:
Unbalanced traffic between tmms for DoS profile vector.
Impact:
False positive attack detection.
Workaround:
None.
812993-1 : Monpd process consumes considerable amount of RAM on systems with many virtual servers
Component: Application Visibility and Reporting
Symptoms:
Monpd process consumes a considerable amount of RAM (several gigabytes). The RAM usage grows constantly within the first 24 hours. This occurs because of the collection of ADM (BADOS) real-time statistics in monpd memory for last 24 hours per virtual server.
Conditions:
Many virtual servers are defined in the system. The memory consumption depends on the number of virtual servers.
Impact:
Excessive memory consumption reduces available RAM for other system daemons.
Workaround:
None.
812929-2 : mcpd may core when resetting a DSC connection
Component: TMOS
Symptoms:
In rare circumstances mcpd may core when resetting its DSC connection.
Conditions:
The exact conditions are not known for this to occur. The BIG-IP system must be in a Device Service Cluster, and must have configuration sync enabled. It might be related to when an Administrative BIG-IP user makes manual changes to the device trust group that would cause the trust to be broken (and optionally, re-established).
Impact:
mcpd cores and restarts. This results in a failover to the next active peer.
Workaround:
None.
812705-1 : 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic
Component: Carrier-Grade NAT
Symptoms:
IPv4 Packets are forwarded to server-side with destination address changed to LTM pool member address even when 'translate-address disabled' is configured on a NAT64 virtual server.
Conditions:
-- Create iRules for LTM pool selection.
-- Configure the NAT64 virtual server with 'translate-address disabled'.
-- Send IPv6 client request accessing the NAT64 virtual server.
Impact:
Server-side IPv4 packets are forwarded with destination address modified. The server-side packets do not reach the intended destination, resulting in connection failures.
Workaround:
Use normal LTM pool selection instead of iRules-based, LTM pool selection.
812497-1 : VE rate limit should not count packet that does not have a matched vlan or matched MAC address
Component: Local Traffic Manager
Symptoms:
Virtual Edition (VE) Rate limit counts packets that are not intended for BIG-IP.
Conditions:
-- Rate-limited license in BIG-IP Virtual Edition (VE).
-- Promiscuous mode is enabled.
Impact:
If you do not have an unlimited license for a Virtual Edition device, you cannot use VLAN tags or MAC Masquerading without a greatly increased risk of running out of licensed bandwidth. Even if you are not using any service, BIG-IP counts all traffic seen on the interface against the license. Due to VMWare's switch design you have to expose the device to all of the traffic to use those two features.
812493-2 : When engineID is reconfigured, snmp and alert daemons must be restarted★
Component: TMOS
Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.
Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.
Impact:
This may confuse the SNMP client receiving the trap.
Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time, and the first time after a software upgrade:
tmsh restart sys service snmpd alertd
812481-2 : HSL logging may work unreliably for Management-IP firewall rules
Component: Advanced Firewall Manager
Symptoms:
HSL logging related to Management-IP firewall rules can periodically freeze and corresponding log messages can be lost.
Conditions:
No special conditions. This can happen intermittently on any setup.
Impact:
HSL log messages related to Management-IP firewall rules are missed.
Workaround:
None.
811701-1 : AWS instance using xnet driver not receiving packets on an interface.
Component: TMOS
Symptoms:
Packets are being sent to the AWS instance but no packets are seen on interface.
Conditions:
-- AWS instance using xnet driver.
-- Occurs when the instances are idle and then suddenly pass traffic again.
-- Other, more specific conditions are unknown at this time.
Impact:
Loss of packets on the interface, in turn causing data loss.
Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this would be the 'sock' driver.
Use the following command sequence from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)
# echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl
[check that the file's contents are correct]
# cat /config/tmm_init.tcl
[restart the BIG-IP's TMM processes]
# bigstart restart tmm
[make certain that the 'driver_in_use' is 'sock']
# tmctl -dblade -i tmm/device_probed
811161-1 : Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992
Component: Local Traffic Manager
Symptoms:
TMM cores when creating a virtual server.
Conditions:
ISO build that includes the fix for ID 718790 or ID 783617.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
811157-2 : Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself
Component: Advanced Firewall Manager
Symptoms:
"Global Staged Default Action" message is logged into the firewall log for ICMP traffic targeted to Self-IP or Virtual Server destination address, even though this traffic can never be affected by Global Default Actions.
The "Global Staged Default Action" counter is also incremented.
Conditions:
Logging is enabled for Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "enabled" (this sys db has value "disabled" by default).
There are no special conditions for the "Global Staged Default Action" counter increment.
Impact:
Misleading messages are logged into the firewall log.
The "Global Staged Default Action" counter is incorrectly incremented.
The traffic itself is not affected and there are no other negative effects except the incorrect log message and counter update.
Workaround:
There is no workaround regarding the "Global Staged Default Action" counter increment.
To prevent the misleading log message, disable logging of Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "disabled".
811149-1 : Remote users are unable to authenticate via serial console.
Component: TMOS
Symptoms:
Attempts to log in to the serial console with remote user credentials (e.g., RADIUS, LDAP, TACACS remote auth) fail with one of the following error messages:
-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)
Conditions:
Configure system for remote authentication and attempt authentication via serial console.
Impact:
Remote authentication users are unable to log in via serial console.
Workaround:
There are two workarounds:
-- Remote authentication users can log in using an SSH connection to the BIG-IP system's management IP address.
-- Use the credentials of a local user account to log in to the serial console.
811053-2 : REBOOT REQUIRED prompt appears after failover and clsh reboot
Component: TMOS
Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.
Conditions:
This issue can be created by doing the following:
-- Using a VIPRION system with at least 2 blades running.
-- AAM is not provisioned.
-- Reset the primary blade.
-- Immediately following the blade reset, run 'clsh reboot' on a secondary blade.
Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #
Any blade with this prompt must be rebooted again.
Workaround:
None currently known.
811045 : Tmsh load sys config from-terminal merge: error for config embedded sub profile can have only a single object of any part enabled
Component: Advanced Firewall Manager
Symptoms:
When merging a network sub profile using 'tmsh load sys config from-terminal merge', tmsh reports a config error:
010715e4:3: Security log profile '/Common/logpartition01' can have only a single object of any part enabled.
Unexpected Error: Loading configuration process failed.
Conditions:
-- AFM is provisioned.
-- Using TMSH terminal merge.
-- Specifying an existing network log profile name that does not match the name in the configuration.
Following is a detailed example:
-- TMSH terminal merge works when you provide an existing name under network log profile. For example, if a BIG-IP has the following config in bigip.conf:
"security log profile pf-log-01 {
    network {
        /Common/logpartition01 { <--- name contains /Common/
            filter {
                log-acl-match-accept enabled
            }
            format {
                type user-defined
                user-defined "${date_time},${bigip_hostname},${management_ip_address},${src_ip},${src_port},${dest_ip},${dest_port},${translated_src_ip},${translated_dest_ip},${translated_src_port},${translated_dest_port},${date_time},,${protocol},${action}"
            }
            publisher lp-hsl-01
        }
    }
}"
-- Terminal merge does not work if you specify a name under network that differs from the name in the config. In this case, the name of the log profile under network stored for logpartition01 is '/Common/logpartition01'. When merging a config under network, the following config reports an error:
"security log profile pf-log-01 {
    network {
        logpartition01 { <--- name is logpartition01, but not '/Common/logpartition01'
            filter {
                log-acl-match-accept enabled
            }
            format {
                type user-defined
                user-defined "${date_time},${bigip_hostname},${management_ip_address},${src_ip},${src_port},${dest_ip},${dest_port},${translated_src_ip},${translated_dest_ip},${translated_src_port},${translated_dest_port},${date_time},,${protocol},${action}"
            }
            publisher lp-hsl-01
        }
    }
}"
Impact:
New config is not applied. Error is posted.
Workaround:
While merging the config, specify the exact name of the profile that is already present in the config files.
Note: The name of the sub-profile can be found in /config/bigip.conf file on the BIG-IP system.
811041-5 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf
Component: TMOS
Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.
Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.
Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.
Workaround:
None.
810825 : Export, then import of pool outside of a default route domain may fail
Component: Access Policy Manager
Symptoms:
While importing a policy, you get an error:
Syntax Error:(/shared/tmp/apmom/import/abc.conf at line ###) invalid IP address: "1.1.1.1%0%1"
Conditions:
-- Importing a previously exported policy.
-- The policy was from a partition with a non-zero route domain.
Impact:
Importing the policy fails with a syntax error.
Workaround:
You can manually edit the file and then attempt the import again. For example, if a pool member was supposed to exist in route domain 1 with port 1812, the erroneous policy might look like this:
ltm pool /@partition/@name-safenet-radius-pool {
    members {
        prod/1.1.1.1%1:radius {
            address 1.1.1.1%0%1 <=====
            priority-group 1
            state up
        }
    }
    min-active-members 1
}
It can be manually fixed by removing the erroneous %0 in the string:
ltm pool /@partition/@name-safenet-radius-pool {
    members {
        prod/1.1.1.1%1:radius {
            address 1.1.1.1%1
            priority-group 1
            state up
        }
    }
    min-active-members 1
}
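The manual edit for ID 810825 can be scripted when an exported policy contains many pool members. The following is an added example, not F5 tooling and not part of the original release notes; the function name fix_route_domains and the embedded sample (constructed from the erroneous policy shown above) are assumptions.

```python
import ipaddress
import re

# Matches an 'address' line whose value carries a spurious "%0" in front of
# the real route domain, e.g. "address 1.1.1.1%0%1". A legitimate
# route-domain-0 address such as "10.0.0.1%0" does not match.
BAD_ADDRESS = re.compile(
    r"^(?P<indent>\s*)address\s+(?P<ip>[0-9A-Fa-f:.]+)%0%(?P<rd>\d+)\s*$"
)

# Constructed sample, modelled on the erroneous export shown above.
SAMPLE_EXPORT = """\
ltm pool /@partition/@name-safenet-radius-pool {
    members {
        prod/1.1.1.1%1:radius {
            address 1.1.1.1%0%1
            priority-group 1
            state up
        }
    }
    min-active-members 1
}
"""


def fix_route_domains(text):
    """Remove the erroneous %0 from pool-member address lines.

    Returns (fixed_text, changes), where changes is a list of
    (line_number, old_line, new_line) tuples for review before import.
    """
    out, changes = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = BAD_ADDRESS.match(line)
        if m:
            try:
                # Only rewrite values that are real IPv4/IPv6 addresses.
                ipaddress.ip_address(m.group("ip"))
            except ValueError:
                m = None
        if m:
            new = f"{m.group('indent')}address {m.group('ip')}%{m.group('rd')}"
            changes.append((line_no, line.strip(), new.strip()))
            line = new
        out.append(line)
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailing, changes


if __name__ == "__main__":
    fixed, changes = fix_route_domains(SAMPLE_EXPORT)
    for line_no, old, new in changes:
        print(f"line {line_no}: {old} -> {new}")
```

Review the reported changes before attempting the import again; every other line of the export is passed through unchanged.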
810821-1 : Management interface flaps after rebooting the device
Component: Local Traffic Manager
Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.
Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.
This problem has been observed only on hardware platforms.
Impact:
Devices go active-active for a few seconds and then resume normal operation.
Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.
For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.
810613-2 : GUI Login History hides informative message about max number of lines exceeded
Component: TMOS
Symptoms:
When there are more than 10000 lines in /var/log/secure* files, visiting System :: Logins :: [History|Summary] in the GUI shows 'No Entries' instead of the actual error message about the large number of lines.
Conditions:
If there are more than 10000 lines in /var/log/secure* files.
Impact:
GUI displays 'No Entries' instead of the actual error message.
Workaround:
-- View the log via the CLI by specifying the number of lines:
tmsh show sys log security lines 15000 | less
-- Delete the large number of secure files from /var/log/.
810593-2 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★
Solution Article: K10963690
Component: TMOS
Symptoms:
The vCMP guests go to 'INOPERATIVE' after upgrade.
Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5.
Impact:
The vCMP guests go to the 'INOPERATIVE' state and do not pass traffic.
Workaround:
There is no workaround. You must upgrade to a fixed version, for example, 15.1.0.
810533-4 : SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
Component: Local Traffic Manager
Symptoms:
When the client attempts to connect, even when sending the proper SNI extension, the BIG-IP system resets the connection after the client hello.
Conditions:
-- SNI Required set to true.
-- No Server Name configured in the client SSL profile.
Impact:
SSL connections with valid SNI are closed, and the client cannot connect. With generic alerts enabled, you will see 'SSL alert number 40'. This is because the system does not read the server names from the SAN extension within the certificate.
Workaround:
Specify a valid server name in the server name field of the client SSL profile.
810445-2 : PEM: ftp-data not classified or reported
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured with an FTP profile, and also a PEM or classification profile, the traffic associated with the FTP data stream is not correctly classified or reported.
Conditions:
-- Virtual server is configured with an FTP profile.
-- There is also PEM or classification profile.
Impact:
Traffic associated with ftp-data (i.e., file transfers using FTP) may not be classified or reported.
Workaround:
None.
810381-4 : The SNMP max message size check is being incorrectly applied.
Component: TMOS
Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size, it then applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests to time out if they are too long or if their responses are too long, for example, large get bulk requests.
Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.
Impact:
Responses time out.
Workaround:
Do not send SNMPv3 requests to the BIG-IP system.
810373-1 : Errors running 'config' command
Component: TMOS
Symptoms:
Running the 'config' command reports errors:
coapi_query failed at /usr/local/lib/perl5/F5/COAPI.pm line 215, <FH> line 3.
Conditions:
This might occur under either of the following conditions:
-- The BIG-IP Virtual Edition (VE) instance has low memory.
-- Running the command occurs before mcpd is in a running state.
Impact:
Failure to configure the management IP address.
Workaround:
Wait for the VE instance to start up and fully stabilize and have mcpd in the running state before running the config command.
809657-2 : HA Group score not computed correctly for an unmonitored pool when mcpd starts
Component: TMOS
Symptoms:
When mcpd starts up, unmonitored pools in a high availability (HA) group do not contribute to the HA group's score.
Conditions:
-- HA group configured with at least one pool.
-- At least one of the pools assigned to the HA group is not using monitoring.
-- mcpd is starting up (due to bigstart restart, or a reboot, etc.).
Impact:
Incorrect HA Group score.
Workaround:
Remove the unmonitored pools from the HA group and re-add them.
809597-3 : Memory leak observed when running ICRD child
Component: Local Traffic Manager
Symptoms:
When ICRD child process is running and users are switching rapidly, memory may leak.
Conditions:
[1] ICRD child process is running
[2] There are multiple users on the device
[3] The multiple users are fetching a web-page using curl, repeatedly and concurrently
Impact:
The memory leak is very progressive. Eventually ICRD's child process will run out of memory.
809553-4 : ONAP Licensing - Cipher negotiation fails
Component: TMOS
Symptoms:
Cipher negotiation fails between the BIG-IP and a third-party license server.
Conditions:
This occurs when BIG-IP is deployed in a custom ONAP environment that uses a third-party license server.
Impact:
TLS negotiation fails.
Workaround:
Change the order of ciphers.
Enable only ECDHE ciphers.
809509-1 : Resource Admin User unable to download UCS using Rest API.
Component: TMOS
Symptoms:
A Resource Admin user cannot download a UCS file using the REST API. The system returns a message:
Authorization failed
Conditions:
-- BIG-IP user with Resource Administrator role.
-- Attempting to download a UCS file using the REST API.
Impact:
Resource Administrator user cannot download UCS file using REST API.
Workaround:
The Resource Administrator user can use the GUI to download the file.
809125-2 : CSRF false positive
Component: Application Security Manager
Symptoms:
A CSRF false-positive violation.
Conditions:
CSRF enforcing security policy.
This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.
Impact:
False-positive blocking / violation.
Workaround:
If this happens, change the CSRF parameter and restart the asm daemon:
1. Change the CSRF parameter name using the internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>
2. Restart the asm daemon:
restart asm
808893-2 : DNS DoS profile vectors do not function correctly★
Component: Advanced Firewall Manager
Symptoms:
Clients report that DNS TXT queries are not working. In /var/log/ltm, you see the following error:
DOS attack start was detected for vector TXT query DOS.
Conditions:
This can occur when DNS profile DoS vectors are enabled. It can be encountered after upgrading.
Impact:
DNS DoS detection and mitigation is not functioning correctly.
Workaround:
None.
808889-2 : DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold
Component: Advanced Firewall Manager
Symptoms:
Incorrect hw_offload status for DoS vector or signature in tmctl dos_stat after the attack has stopped.
Conditions:
BIG-IP system with DoS-accelerated vectors support (SPVA support).
Impact:
DoS vector/signature stays hardware-accelerated.
Workaround:
After the attack, change the state of the DoS vector/signature to detect-only. Then return the vector state to mitigate.
808801-2 : AVRD crash when configured to send data externally
Component: Application Visibility and Reporting
Symptoms:
AVRD can crash repeatedly when configured to send telemetry data externally.
Conditions:
-- AVR is configured to send telemetry data to an external source (like connection with BIG-IQ).
-- Large number of config objects in the system, such as virtual servers and pool members.
Impact:
AVRD process crashes, and telemetry data is not collected.
Workaround:
Split the configuration updates into smaller batches.
808485-2 : Add 'virtual-server' argument to 'tmsh help sys connection' for version 14.x
Component: TMOS
Symptoms:
Virtual-server argument is not available in tmsh in versions prior to 14.x.
Conditions:
Running the command 'tmsh show sys connection'.
Impact:
Inability to filter for virtual server.
Workaround:
None.
808409-3 : Unable to specify if giaddr will be modified in DHCP relay chain
Component: Local Traffic Manager
Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.
However, because the change also encompasses the DHCP-to-DHCP relay scope, the behavior cannot be configured with a db key.
Conditions:
DHCP Relay deployments where the giaddr needs to be changed.
Impact:
You are unable to specify whether giaddr will be changed.
Workaround:
None.
808277-4 : Root's crontab file may become empty
Component: TMOS
Symptoms:
Under low-disk conditions for the /var/ filesystem, BIG-IP system processes may incorrectly update root's crontab file (/var/spool/cron/root). This results in the file contents being removed; i.e., the file is empty.
Conditions:
Low disk space on the /var filesystem.
Impact:
System and user entries in root's crontab file stop executing.
Workaround:
None.
808017-2 : When using a variable as the only parameter to the iRule persist command, the iRule validation fails
Component: Local Traffic Manager
Symptoms:
When using a variable as the only parameter to the iRule persist command, for example:
when HTTP_REQUEST {
set persistence none
persist $persistence
}
The iRule validation fails with the message:
Persistence mode (Cookie) called out in rule <rule name> requires a corresponding persistence profile for virtual server
Conditions:
Using a variable as the only parameter to the iRule persist command.
Impact:
Validation fails and hence the system config cannot be loaded.
Workaround:
The first parameter is one of the predefined action keywords, so specify it as plain text instead of a variable.
807945-2 : Loading UCS file for the first time not updating MCP DB
Component: TMOS
Symptoms:
MCP DB is not updated after loading a UCS file.
Conditions:
1. Save UCS with 'flow-control' default value 'tx-rx'.
2. Modify the value from 'rx-tx' to 'none'.
3. Save another UCS with modified value.
4. Load the UCS with default value, everything works fine here.
5. Load the UCS with the modified value.
Impact:
The 'flow-control' setting gets changed. The functionality does not work after the first UCS load as MCP DB is not getting updated.
Workaround:
Load the same UCS again.
The MCP DB gets updated properly.
807913 : The word 'ceritifcate' is misspelled in an error message
Component: Enterprise Manager
Symptoms:
The word 'ceritifcate' should be spelled 'certificate' in the error message:
err big3d[5725]: 12b10000:3: Could not list the ceritifcate directory '/shared/em/ssl.crt' in function EmCertsModified: Permission denied.
Conditions:
This message is produced by big3d when attempting to re-read the certificate file after it realises the timestamp of the file has changed.
Impact:
There is no functional impact to the system. This is an error message that needs updating. In addition, the inclusion of the term 'EM' is erroneous, and you can ignore it.
Workaround:
None.
807821-4 : ICMP echo requests occasionally go unanswered
Component: Local Traffic Manager
Symptoms:
An ARP entry gets stuck in state NEXTHOP_INCOMPLETE for several seconds.
Conditions:
-- There is no ARP entry for the return-route router.
-- The 'remote' BIG-IP system receives ICMP echo request.
Impact:
Possible traffic failures.
Workaround:
None.
807569-1 : Requests fail to load when backend server overrides request cookies and Bot Defense is used
Component: Application Security Manager
Symptoms:
When Bot Defense is used with a backend server that overrides request cookies, requests to non-HTML resources may fail, or may receive the whitepage JavaScript challenge. An example is when a back-end server responds with a Set-Cookie header containing empty values for each request cookie it does not recognize.
Conditions:
-- Bot Defense is enabled.
-- Backend server is overriding the Bot Defense cookies with the TS prefix.
Impact:
Some URLs fail to load following the JavaScript challenge.
Workaround:
Use an iRule to strip the TSPD_101 cookie from the request before forwarding it to the backend:
when HTTP_REQUEST_RELEASE {
HTTP::cookie remove "TSPD_101"
}
807453-1 : IPsec works inefficiently with a second blade in one chassis
Component: TMOS
Symptoms:
Under high availability (HA) configurations, a secondary blade does not receive mirrored updates for security associations (SAs).
When a new ike-peer is created, if that peer's IP address is handled by a secondary blade, all IKE negotiation packets are dropped after forwarding between primary and secondary blades.
But an ike-peer that is present from the start is mistakenly assigned to a primary blade, and thus works correctly.
Conditions:
-- More than one blade: a secondary blade in addition to a primary blade.
-- Remote ike-peer IP addresses that happen to hash to a secondary blade by the BIG-IP system disaggregation (DAG) mechanism.
-- Configuration for Active-Standby, which works on Active but fails to mirror SAs to Standby, when the IP address would be handled by a secondary blade.
Impact:
After failover from Active to Standby, missing SAs that could not be mirrored are renegotiated, causing tunnel outage until new negotiation concludes.
After adding a new ike-peer that should negotiate on a secondary blade, all IKE packets vanish, so no tunnel is ever created for such an ike-peer.
In high availability (HA) configurations, tunnels re-establish after renegotiation, for tunnels that would be assigned to a secondary blade. This works, but undercuts the benefit of high availability (HA) for tunnels other than those on a primary blade.
Workaround:
For a new ike-peer assigned to a secondary blade, restart tmm or the blade, and when the system comes back up, this peer is handled on the primary blade.
Note: Although this peer can then create a tunnel, any secondary blade is unused by IPsec.
807337-3 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
Component: TMOS
Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.
Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).
Impact:
The web UI shows misleading information about the pool monitor. The monitor-related object may be unchanged, or monitoring may stop for that object.
Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').
807309-2 : Incorrect Active/Standby status in CLI Prompt after failover test
Component: TMOS
Symptoms:
After running 'promptstatusd -y' to check current failover status, it displays an incorrect Active/Standby status in the CLI prompt.
Conditions:
This occurs under the following conditions:
1. Modify the db variable: bigdb failover.state.
2. Check that /var/prompt/ps1 and CLI prompt reflect the setting.
3. Reboot the BIG-IP system.
Impact:
Status shown in the prompt does not change.
Workaround:
Do not run 'promptstatusd -y' command manually.
The db variable 'failover.state' is a status-reporting variable. The system does not report status manually set to something other than the actual status.
Note: 'promptstatusd' is not a BIG-IP user command, it is a daemon. It is highly unlikely that manually running this command will produce information that is useful or relevant to the status being sought.
807005-1 : Save-on-auto-sync is not working as expected with large configuration objects
Component: TMOS
Symptoms:
A device group has 'save sys config' enabled for all auto-sync operations, using the following command:
modify cm device-group name save-on-auto-sync true
Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.
Conditions:
-- The save-on-auto-sync option is enabled.
-- The device has a large configuration, such as 2,100 virtual servers and ~1100 partitions.
Impact:
The configuration is not saved, which leads to an out-of-sync condition.
Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.
806985 : Installation issues when adding new blade v12.1.3 to VPR cluster v14.1.0.1 EHF★
Component: TMOS
Symptoms:
A newly inserted blade fails to upgrade on a Viprion system.
Conditions:
The issue is seen only on VIPRION chassis when the primary blade is running engineering hotfix (EHF) v14.1.0.1 EHF 0.17.7 and newly inserted blade is configured with v12.1.3.
Impact:
Unable to upgrade the new blade in VIPRION chassis.
Workaround:
Ensure the active volume on the primary blade contains a version other than an EHF, and the other volume is installed with the EHF, then insert the new blade in the chassis.
806881-2 : Loading the configuration may not set the virtual server enabled status correctly
Component: TMOS
Symptoms:
When loading the configuration, if the virtual address is disabled but the virtual server is enabled, the virtual server may still pass traffic.
Conditions:
-- Loading the configuration.
-- A virtual server's virtual address is disabled.
Impact:
Virtual servers unexpectedly process traffic.
Workaround:
Manually re-enable and disable the virtual address.
806825 : Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool
Component: Carrier-Grade NAT
Symptoms:
Configure translate-address disabled under Virtual with LTM pool configured.
In the NAT44 case, LTM pool is used as next-hop and packets are L2 forwarded to LTM pool members without destination address translated.
In NAT64 case, packets are dropped if there is no route available to reach the IPv4 destinations (derived from original IPv6 destination). Packets are not L2 forwarded to LTM pool members.
Conditions:
-- Virtual server with LTM pool configured.
-- CGNAT LSN pool configured.
-- Translate-address disabled.
Impact:
If there is no route available to reach the destination, NAT64 packets are dropped.
Workaround:
Configure default gateways/routes to reach the IPv4 destination in NAT64 case.
806073-3 : MySQL monitor fails to connect to MySQL Server v8.0
Component: TMOS
Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.
Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.
Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.
805417-1 : Unable to enable LDAP system auth profile debug logging
Component: TMOS
Symptoms:
Beginning in version 14.1.0, LDAP debugging must be performed on nslcd logs and not pam_ldap logs; however, it is not possible to enable debug logging on nslcd via the configuration file.
Conditions:
This would be encountered only if you (or F5 Support) wanted to do troubleshooting of LDAP connections by enabling debug logging.
Impact:
LDAP system authentication 'debug' parameter does not provide sufficient levels of debug logs, but there is no functional impact to normal system operation.
Workaround:
To enable debug logging and have the system post log messages to the SSH/console window, start the nslcd process with -d option, which causes nslcd to run in the foreground until you press control-c to stop it:
systemctl stop nslcd
nslcd -d
Note: The -d setting does not persist, so each time you want to log debug output, you must complete this procedure.
You can increase the amount of debug output by specifying additional -d options (up to 3), e.g., '-ddd' or '-d -d -d'.
When done, stop nslcd with control-c, and then restart it with the default options via the normal systemctl daemon:
systemctl start nslcd
805325-2 : tmsh help text contains a reference to bigpipe, which is no longer supported
Component: TMOS
Symptoms:
The 'sys httpd ssl-certkeyfile' tmsh help text contains a reference to bigpipe, which is no longer supported.
Conditions:
Viewing tmsh help for 'sys httpd ssl-certkeyfile'.
Impact:
Incorrect reference to bigpipe.
Workaround:
You can use the following command sequence to change the key:
modify httpd { ssl-certfile [string] ssl-certkeyfile [string] }
805017-2 : DB monitor marks pool member down if no send/recv strings are configured
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members are configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.
Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
804537-1 : Check SAs in context callbacks
Component: TMOS
Symptoms:
Crypto operations can crash.
Conditions:
Any crypto operation involving an ike-sa or a child-sa.
Impact:
Tunnel outage due to core, lasting until restart and renegotiation.
Workaround:
None.
804477-4 : Log HSB registers when parts of the device becomes unresponsive
Component: TMOS
Symptoms:
Part of the HSB becomes unresponsive and there is no logging of additional registers to assist in diagnosing the failure.
Conditions:
It is unknown under what conditions the HSB becomes unresponsive.
Impact:
Limited visibility into the HSB state when it becomes unresponsive.
Workaround:
None.
804309-2 : [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument
Component: TMOS
Symptoms:
Running the command 'tmsh list' on a pool or virtual server with the 'all-properties' argument generates a warning:
[api-status-warning] ltm/virtual, properties : deprecated : urldb-feed-policy
Conditions:
Including the 'all-properties' argument with the 'tmsh list' command.
Impact:
There is no impact to the system. The excessive [api-status-warning] at stderr and /var/log/ltm for tmsh list commands are spurious, benign, and can be ignored.
Workaround:
tmsh modify /mgmt shared settings api-status log resource-property deprecatedApiAllowed false
tmsh modify /mgmt shared settings api-status log resource deprecatedApiAllowed false
804157-1 : ICMP replies are forwarded with incorrect checksums causing them to be dropped
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server receives an ICMP response without first receiving an ICMP request, the checksum on the ICMP response that is egressed by tmm will not be calculated correctly.
Conditions:
An ICMP response without a corresponding ICMP request, such as in non-symmetric routing scenarios.
Impact:
ICMP replies are forwarded with the incorrect checksum and likely will be dropped by the recipient or other devices on the network.
Workaround:
Ensure symmetric routing. Configure L7 virtual servers for use with ipother profiles.
803833-4 : On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host★
Component: TMOS
Symptoms:
An upgrade or UCS restore fails on the host with an error message:
err mcpd[1001]: 01071769:3: Decryption of the field (sym_unit_key) for object (<guest name>) failed.
Conditions:
-- An upgrade or UCS restore of the vCMP host.
-- Having a vCMP guest's sym-unit-key field populated.
-- Having changed the host's master key.
Impact:
The upgrade or UCS restore fails with an MCPD error.
Workaround:
Comment out the sym-unit-key field and load the configuration.
803825-3 : WebSSO does not support large NTLM target info length
Component: Access Policy Manager
Symptoms:
WebSSO crashes.
Conditions:
When the optional field of the target info is about 1000 bytes or larger.
Impact:
WebSSO crashes and loss of service.
Workaround:
Configure NTLM so that it does not have large target info; the recommended size is < 800.
803813-2 : TMM may experience high latency when processing WebSocket traffic
Component: Application Security Manager
Symptoms:
Under certain conditions, TMM may experience higher than usual latency when processing WebSocket traffic.
Conditions:
-- WebSocket traffic.
-- Very long connections or large amounts of traffic.
-- Platforms with many CPUs.
Impact:
Increased latency in WebSocket traffic.
Workaround:
None.
803809-2 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
Component: Service Provider
Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.
Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.
Impact:
Calls from one or more clients are unable to be completed.
Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.
803645-3 : GTMD daemon crashes
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process crashes in response to a call triggered by its own timer event.
Conditions:
The conditions that cause this intermittent issue are difficult to reproduce, but it might occur when the system is under heavy load and gtmd is starved of CPU cycles.
Impact:
The gtmd process restarts and produces a core file.
Workaround:
None.
803629-2 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
Component: Local Traffic Manager
Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.
Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure
The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.
Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.
The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.
Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.
Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.
803457-2 : SNMP custom stats cannot access iStats
Component: TMOS
Symptoms:
While doing an snmpwalk, you encounter the following error:
-- tcl callback Default return string: istats: tmstat_open_read: open: /var/tmstat/istats: Permission denied.
-- istats: tmstat_read: open: /var/tmstat/istats: Permission denied.
-- ERROR opening iStats read segment '/var/tmstat/istats': Permission denied.
Conditions:
This occurs when using SNMP to access iStats.
Impact:
iStats cannot be accessed through SNMP and generates an error.
Workaround:
None.
803237-4 : PVA does not validate interface MTU when setting MSS
Component: TMOS
Symptoms:
An incorrect MSS value might be used when hardware (HW) syncookies are used, and the MTU is smaller than the MSS.
Conditions:
-- The BIG-IP system sends TCP segments, fragmented across multiple IP packets, that exceed the size of the local interface MTU.
-- This occurs when HW Syncookies are enabled.
Impact:
TCP segments larger than the local interface MTU are sent towards the client. These TCP segments are transmitted as IP fragments.
Workaround:
Increase MTU size.
803233-3 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
Component: Local Traffic Manager
Symptoms:
Intermittently (depending on the timing of operations that keep MCP busy):
1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:
-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.
2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:
-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.
Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.
Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.
Workaround:
None.
803157-1 : LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots
Component: TMOS
Symptoms:
In the reboot case, the BIG-IP system buffers the shutdown sequence log messages and writes them to disk once the syslog service starts during the boot process. The boot_marker message is written before shutdown messages sync to disk. This leads to out-of-sequence log messages, making it difficult to determine when the service stop occurred.
Conditions:
Reboot the BIG-IP system.
Impact:
Log messages appear out of order. It is difficult to tell whether a service stop happened as part of the reboot or because of an error during the subsequent boot process.
Workaround:
None.
803149-1 : Flow Inspector cannot filter on IP address with non-default route_domain
Component: Advanced Firewall Manager
Symptoms:
Flow Inspector cannot filter on IP address with non-default route_domain.
Conditions:
-- In Flow Inspector.
-- Attempting to filter results.
-- Some results use IP addresses with non-default route domains.
Impact:
Filter does not return results as expected.
Workaround:
None.
803109-2 : Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows
Component: Local Traffic Manager
Symptoms:
Source-port preserve-strict and OneConnect may result in zombie forwarding flows.
Conditions:
-- Source-port is set to preserve-strict.
-- OneConnect configured.
Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops.
Workaround:
None.
802977-2 : PEM iRule crashes when more than 10 policies are tried to be set for a subscriber
Component: Policy Enforcement Manager
Symptoms:
Tmm crashes.
Conditions:
Using an iRule to apply more than 10 referential policies for a subscriber.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
802889 : Problems establishing HA connections on DAGv2 chassis platforms
Component: TMOS
Symptoms:
High availability (HA) mirroring does not work correctly on VIPRION B4400 blades.
Conditions:
- VIPRION B4400 chassis platform with multiple blades.
- HA mirroring is enabled.
Impact:
HA mirroring does not work.
Workaround:
None.
802873-1 : Manual changes to policy imported as XML may introduce corruption for Login Pages
Component: Application Security Manager
Symptoms:
Manual changes to a policy imported as XML may introduce corruption for Response Pages. The following log appears:
ASM subsystem error (asm_config_server.pl ,F5::PrepareConf::Policy::prepare_alternate_response_file_tbl): failed to parse response headers - please check response page.
Conditions:
-- XML policy file is missing a response header.
-- Import the policy.
Impact:
The affected response page is not returned for traffic as expected, and an error is reported instead.
Workaround:
Mitigation:
Ensure that response_header exists in XML policy file before import.
Workaround:
Go to the affected policy's Response Pages: Login Page, click Save and then click Apply Policy.
802721-2 : Virtual Server iRule does not match an External Data Group key that's 128 characters long
Component: Local Traffic Manager
Symptoms:
Virtual server iRule does not match an External Data Group key that is 128 characters long.
Conditions:
-- A string type External Data Group with a key/value pair whose key is 128 characters long.
-- An iRule using [class match] to get the value from the Data Group.
Impact:
The call to [class match] returns an empty string ("").
Workaround:
None.
802685-3 : Unable to configure performance HTTP virtual server via GUI
Component: TMOS
Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.
Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).
Impact:
Failed to create a 'performance HTTP' virtual server.
Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }
802449-1 : Valid GTP-C traffic may cause buffer overflow
Component: Protocol Inspection
Symptoms:
Valid GTP-C traffic may cause buffer overflow with incrementing sequence numbers.
Conditions:
Valid GTP traffic with incrementing sequence number will cause memory corruption/core when processed through IPS library.
Impact:
TMM Crash/core. Traffic disrupted while tmm restarts.
Workaround:
The only workaround is to disable protocol inspection or remove GTP service from all protocol-inspection profiles.
802421 : The /var partition may become 100% full requiring manual intervention to clear space
Component: Advanced Firewall Manager
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.
Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
802381-2 : Localdb authentication fails
Component: Access Policy Manager
Symptoms:
In Active / Standby setup, user authentication fails after failover occurs.
Conditions:
-- APM configured in Active / Standby setup.
-- Per-session policy configured with Localdb Auth.
-- Failover occurs.
Impact:
APM end users are unable to authenticate.
Workaround:
Restart localdbmgr on the new active device, using the following command:
# bigstart restart localdbmgr
802245-1 : When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected.
Component: Local Traffic Manager
Symptoms:
The last provided cipher suite in the list is chosen if HTTP/2 is negotiated and not matched.
Conditions:
-- HTTP/2 negotiation is enabled.
-- The provided cipher suites are not matched.
Impact:
The least-secure cipher suite would be selected.
Workaround:
Put the most secure cipher suite at the end of the list.
802189-2 : iApps: Calling 'Package Require <PKG>' in a template with a manager role is not supported
Component: iApp Technology
Symptoms:
With the Manager role, when calling 'package require <PKG>' in an iApp template, the following exception occurs:
Error parsing template:can't eval proc: "script::run" invalid command name "file" while executing "file join $dir $f".
Conditions:
Users cannot use the Manager role when importing iApps that contain a 'package require' call.
Impact:
Cannot use Manager Role when importing iApps that contain a 'package require' call.
Workaround:
Use the Admin role to import new templates.
801705-4 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
Component: Local Traffic Manager
Symptoms:
The 'HTTP::cookie attribute' iRule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with the iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.
Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.
Impact:
There is no space preceding the attribute. RFC is violated.
Workaround:
When inserting a cookie attribute with an iRule command, add a leading space to the name of the attribute to be inserted.
801541-2 : tmm memory growth if high availability (HA) peer is unavailable
Component: Local Traffic Manager
Symptoms:
tmm memory utilization growth.
Conditions:
The next-active device in the high availability (HA) configuration is down, and either of the following:
-- Persistence mirroring is configured.
-- Connection mirroring of a virtual server with a persistence profile is configured.
Impact:
Connection limits due to tmm memory pressure or possible tmm out-of-memory failure.
Workaround:
Disable persistence and/or connection mirroring if the standby device will be down for an extended period of time.
800265-2 : Undefined subroutine in bigip_add_appliance_helper message
Component: Global Traffic Manager (DNS)
Symptoms:
When using the -a switch with bigip_add (which instructs bigip_add to use bigip_add_appliance_helper), the script terminates with an error:
Undefined subroutine &gtm_env::get_unique_certs called at /usr/local/bin/bigip_add_appliance_helper line 113.
Conditions:
Use the bigip_add script with the -a switch in appliance mode.
Impact:
bigip_add fails in appliance mode, reporting an error message.
Workaround:
None.
800189-1 : Changing log level may not increase logging to the verbosity expected
Component: TMOS
Symptoms:
If you change only the log level in ipsec ike-daemon ikedaemon, for example to debug2, this may not increase the actual logging verbosity.
Conditions:
Changing log-level to control the amount of debug logging.
Impact:
Cannot see as much verbose debug logging as expected.
Workaround:
In addition to log level, you must also specify a publisher. This is as-designed operation for logging, for example:
tmsh create sys log-config publisher my_publisher { destinations add { local-syslog }}
tmsh modify net ipsec ike-daemon ikedaemon log-publisher my_publisher
tmsh modify net ipsec ike-daemon ikedaemon log-level debug2
800101-1 : BIG-IP chassis system may send out duplicated UDP packets to the server side
Component: Local Traffic Manager
Symptoms:
On a BIG-IP chassis based system, a single UDP packet on the client side flow may be duplicated and sent out to the server side.
Conditions:
When the UDP flow has been idle for more than 10 minutes and L2 entries for the flow in the Broadcom switch have aged out.
Impact:
Duplicated server side egress packets may cause server side processing errors.
799749-1 : Asm logrotate fails to rotate
Component: Application Security Manager
Symptoms:
ASM logrotate reports errors in /var/log/asm:
error: error creating output file /ts/log//bd.log.1: File exists
Conditions:
Files ending with .1 exist in the log directories.
Impact:
Logrotate does not work. May fill disk with logs over time.
Workaround:
Remove or rename all of the .1 logs.
799149-2 : Authentication fails with empty password
Component: Access Policy Manager
Symptoms:
Per-req policy authentication fails when an empty password is detected. The following errors are seen in the APM logs:
-- err apmd[13930]: 01490301:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Empty session variable value received from tmm.
-- err apmd[13930]: 01490302:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Failed to decrypt session variable 'subsession.logon.last.password' from tmm with error code: 3.
Conditions:
-- APM is licensed and provisioned.
-- Per-req policy is created with at least one Auth agent.
Impact:
APM end users cannot change a password/token or access backend resources.
Workaround:
None.
799001-3 : Sflow agent does not handle disconnect from SNMPD manager correctly
Component: TMOS
Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.
Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.
Impact:
The snmpd service restarts repeatedly.
Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent which results in successful re-connection with snmpd.
798885-2 : SNMP response times may be long due to processing burden of requests
Component: TMOS
Symptoms:
It is possible with large configurations to make SNMP requests that require a lot of processing to gather the statistics needed to respond to the request.
Conditions:
With large configurations, it is possible to overburden MCPD and SNMPD such that client queries time out.
Impact:
SNMP clients might think the BIG-IP system has become unresponsive.
Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.
797953 : Workaround for SSLo deployment failure from BigIQ to BIG-IP
Component: TMOS
Symptoms:
After you discover and import multiple SSLo BIG-IPs into BigIQ, configure the SSLo topology on BigIQ, and deploy, some of the BIG-IPs deploy successfully while others might fail deployment with an invalid configuration error. This is a post-deployment error in which the update of /shared/iapp/interception-rules fails.
/shared/iapp/interception-rules is removed starting from RPM 7.0
Conditions:
BIG-IP with SSLo RPM lower than 7.0.0
Impact:
Some of the BIG-IPs might fail deployment with an Invalid Configuration error, which results from the error updating /shared/iapp/interception-rules.
Workaround:
1. Discover and import the BIG-IP with SSLo to BigIQ (general setting deployment will be done as part of the import process)
2. On each BIG-IP, ssh to it and restart restjavad and restnoded and wait for the processes to be restarted.
3. Configure the SSLo configuration on BigIQ and deploy to BIG-IPs.
If the BIG-IP already has SSLo configuration prior to import into BigIQ and you encounter this issue, its SSLo configuration needs to be cleared first. Navigate to /Main/SSL Orchestrator/Configuration, click on the Delete Configuration button, confirm the deletion and then do the above 3 steps.
797829-5 : The BIG-IP system may fail to deploy new iApps or to reconfigure existing iApps.
Component: TMOS
Symptoms:
The BIG-IP system may fail to deploy new iApps or to reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:
script did not successfully complete: ('source-addr' unexpected argument while executing
The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.
The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.
Conditions:
This issue occurs when:
-- The BIG-IP system is configured with multiple users of varying roles.
-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.
-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.
Note: You can inspect the number of child processes already created by scriptd by running the following command:
pstree -a -p -l | grep scriptd | grep -v grep
However, it is not possible to determine their current 'security context'.
Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.
Workaround:
Restart scriptd. To restart scriptd, run:
bigstart restart scriptd
Running this command has no negative impact on the system.
The workaround is not permanent; the issue may occasionally recur depending on your system usage.
797821-1 : Logging profiles on /Common cannot be configured with publishers on other folders
Component: Application Security Manager
Symptoms:
Security logging profiles created on the /Common folder cannot be configured with publishers which exist on other folders, when creating or editing them from the GUI.
Conditions:
Attempting to create security logging profiles on a folder different from the folder of the publisher, and the logging profile is on /Common.
Note: In general, this setup is not advisable. Folders under /Common could be synced using a different device group than /Common, with fewer devices. This might cause sync failures when receiving objects in /Common that point to objects in different folders. It is better to create the publishers on /Common, and have the security logging profiles in other folders.
Impact:
Unable to create security logging profiles with sub folder configuration from the GUI.
Workaround:
It is possible to create this configuration from TMSH or REST API to work around the problem.
797609-2 : Creating or modifying some virtual servers to use an address or port list may result in a warning message
Component: TMOS
Symptoms:
Creating or modifying a virtual server with TCP or UDP profiles to use an address or port list may result in an error similar to:
01070096:3: Virtual server /Common/vs lists profiles incompatible with its protocol.
Conditions:
-- Configure virtual server using a TCP or UDP profile.
-- Attempt to attach an address or port list to the virtual server.
Impact:
Unable to configure a virtual server to use an address or port list.
Workaround:
Create a traffic-matching-criteria object manually, and associate it with the virtual server.
Note: The protocol of the traffic-matching-criteria object must match that of the virtual server.
797221-1 : BCM daemon can be killed by watchdog timeout during blade-to-blade failover
Component: TMOS
Symptoms:
The BCM daemon deletes entries from tables during blade to blade failover. If tables are very large, the entry-by-entry deletion may take too long, such that the daemon is restarted by the watchdog timeout.
Conditions:
Very large L2 tables during blade-to-blade failover.
Impact:
There is a BCM core file on the primary blade after the failover.
Workaround:
None.
796993-1 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
Component: Local Traffic Manager
Symptoms:
When a pool contains FQDN nodes as pool members, pool member state changes messages are not logged in /var/log/ltm.
Conditions:
-- Create a pool with FQDN nodes as its pool members
-- Apply monitor to it
-- Monitor marks the pool member up/down based on reachability
Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.
796985-1 : Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'★
Component: TMOS
Symptoms:
vCMP host or guest is upgraded, and the vCMP guest is 'Inoperative', with messages similar to the following in /var/log/ltm:
-- warning clusterd[1546]: 013a0005:4: Clusterd using /VERSION for SW specification.
-- info clusterd[1546]: 013a0023:6: Blade 1: No info received from slot: Starting up
-- err clusterd[1546]: 013a0004:3: result {
-- err clusterd[1546]: 013a0004:3: result.code 17237812
-- err clusterd[1546]: 013a0004:3: result.attribute float_mgmt2_ip
-- err clusterd[1546]: 013a0004:3: result.message 01070734:3: Configuration error: Cluster alt-address: 192.168.1.246 cannot be the same address family as cluster address: 192.168.1.246
-- err clusterd[1546]: 013a0004:3: }
-- err clusterd[1546]: 013a0004:3: Per-invocation log rate exceeded; throttling.
-- notice clusterd[1546]: 013a0006:5: Disconnecting from mcpd.
-- info clusterd[1546]: 013a0007:6: clusterd stopping...
Conditions:
-- Isolated vCMP guest.
-- Both 'Address' and 'Alt-Address' are assigned the same IPv4 address.
-- Upgrade occurs.
Impact:
Upon host/guest upgrade, vCMP guest is 'Inoperative'.
Workaround:
There are 3 workarounds:
-- Assign IPv4 management-ip for the guest PRIOR to upgrade:
tmsh modify vcmp <guest_name> management-ip <ip>/<mask>
-- Prior to upgrade, assign IPv6 'Alt-Address' within the guest:
tmsh modify sys cluster default alt-address <IP>/<mask>
-- When already upgraded and seeing the issue on a guest, execute:
> /shared/db/cluster.conf
The config loads, and /shared/db/cluster.conf is recreated:
cat /shared/db/cluster.conf
cluster default {
alt_addr="192.168.1.246/24" ====>
min_up_members="1"
min_up_members_enable="disable"
min_up_members_action="failover"
addr 192.168.1.246/24 ====>
members {
1
2
3
4
}
software HD1.1 "BIG-IP 14.1.0.3 0.0.6 0.0.6" true
software HD1.2 " " false
software HD1.3 " " false
}
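A pre-upgrade check for the condition above, as an added example that is not F5 code: it parses the 'addr' and 'alt_addr' entries of /shared/db/cluster.conf and reports whether both belong to the same address family. The file layout is assumed from the dump shown above, and the IPv6 value in the second sample is constructed.

```python
"""Pre-upgrade check: do the cluster address and alt-address share a family?

Added illustration; the file layout is assumed from the dump in the issue text.
"""
import ipaddress
import re

# Matches both forms seen in the dump: alt_addr="a.b.c.d/m" and addr a.b.c.d/m
_ADDR_LINE = re.compile(r'^\s*(alt_addr|addr)[\s=]+"?([^"\s]+)"?')


def parse_cluster_addresses(text):
    """Return {'addr': ip_interface, 'alt_addr': ip_interface} for entries found."""
    found = {}
    for line in text.splitlines():
        match = _ADDR_LINE.match(line)
        if not match:
            continue
        try:
            found[match.group(1)] = ipaddress.ip_interface(match.group(2))
        except ValueError:
            continue  # not an address; leave the key unset
    return found


def check_cluster_conf(text):
    """Summarise whether addr and alt_addr collide in family or value."""
    found = parse_cluster_addresses(text)
    addr, alt = found.get("addr"), found.get("alt_addr")
    both = addr is not None and alt is not None
    return {
        "addr": str(addr) if addr else None,
        "alt_addr": str(alt) if alt else None,
        "same_family": both and addr.version == alt.version,
        "identical": both and addr == alt,
    }


# Trimmed from the dump in the issue text (annotation arrows kept on purpose).
AFFECTED_CONF = '''cluster default {
alt_addr="192.168.1.246/24" ====>
min_up_members="1"
addr 192.168.1.246/24 ====>
members {
1
2
}
}'''

# Constructed: the same file after an IPv6 alt-address has been assigned.
CORRECTED_CONF = AFFECTED_CONF.replace(
    'alt_addr="192.168.1.246/24"', 'alt_addr="2001:db8::246/64"'
)

if __name__ == "__main__":
    for label, conf in (("affected", AFFECTED_CONF), ("corrected", CORRECTED_CONF)):
        result = check_cluster_conf(conf)
        verdict = "WILL FAIL validation" if result["same_family"] else "ok"
        print(f"{label}: addr={result['addr']} alt_addr={result['alt_addr']} -> {verdict}")
```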
796601-4 : Invalid parameter in errdefsd while processing hostname db_variable
Component: TMOS
Symptoms:
Errdefsd crashes, creates a core file, and restarts.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Possible loss of some logged messages.
Workaround:
None.
795933-2 : A pool member's cur_sessions stat may incorrectly not decrease for certain configurations
Component: Local Traffic Manager
Symptoms:
Under certain conditions, a pool member's cur_sessions stat may increase, but not decrease when it should.
Conditions:
- The virtual server using the pool has an iRule attached that references global variables.
- The virtual server using the pool has an ASM security policy attached to it.
- Traffic flows to the pool member.
Impact:
Incorrect stats.
795649-3 : Loading UCS from one iSeries model to another causes FPGA to fail to load
Component: TMOS
Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.
The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:
-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.
Impact:
FPGA fails to load; the BIG-IP system becomes unusable.
Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:
-- For the i2800:
# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i7800:
# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i11400-ds:
# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
2. Reboot the system
795501-3 : Possible SSL crash during config sync
Component: Local Traffic Manager
Symptoms:
During config sync, it's possible that cipher group processing will crash.
Conditions:
-- SSL is configured.
-- Config sync is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
795429-3 : Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks.
Component: TMOS
Symptoms:
An unrelated iControl REST transaction error message is returned when committing an iControl REST transaction that does not contain any tasks:
Error: Missing transaction ID for this call.
Conditions:
-- Committing an iControl REST transaction.
-- The transaction does not contain any tasks within 120 seconds of creating the transaction.
Impact:
Unrelated error message can be confusing and increase troubleshooting time.
Workaround:
None.
795329-2 : IM installation fails if 'auto-add-new-inspections' enabled on profile★
Component: Protocol Inspection
Symptoms:
IPS IM package installation fails. The IPS log /var/log/pi_hitless_upgrade shows the following message:
Error during switching: unsupported type for timedelta seconds component: tuple.
Conditions:
-- IM package should contain compliance check related to a specific service (e.g., HTTP).
-- At the time of IM package installation, there is an IPS profile with following parameters:
+ The 'auto-add-new-inspections' property set to 'on'.
+ Contains a service related to compliance checks, for example:
* Presence on the following services causes an issue with the BIG-IP v14.1.0 IM:
HTTP, SIP, IMAP
* Presence on the following services causes an issue with the BIG-IP v15.0.0 IM:
HTTP, SIP, IMAP, GTP, Diameter
Impact:
IPS IM package is not installed.
Workaround:
1. Before IM package installation, set the profile property 'auto-add-new-inspections' to 'off' (disable).
2. Install IM package.
3. Manually add compliance checks from the IM package to the profile. Compliance check names appear similar to the following:
-- pi_updates_14.0.0-20190607.2216.im
795285 : Key creation on non-existing NetHSM partition stays in create-fail loop for CloudHSM
Component: Local Traffic Manager
Symptoms:
Using CloudHSM in AWS (BIG-IP Virtual Edition (VE)), the ltm log contains the following messages (where 'testpartition' is the name of your partition):
-- err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label 'testpartition' on the netHSM.
-- err pkcs11d[9859]: 01680048:3: C_CloseSession: pkcs11_rv=0x000000b3, CKR_SESSION_HANDLE_INVALID .
-- err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label 'testpartition' on the netHSM.
-- err pkcs11d[9859]: 01680048:3: C_CloseSession: pkcs11_rv=0x000000b3, CKR_SESSION_HANDLE_INVALID .
-- err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label 'testpartition' on the netHSM.
-- err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label 'testpartition' on the netHSM.
Conditions:
-- Use CloudHSM in AWS.
-- Create a key on a nonexistent NetHSM partition.
Impact:
pkcs11d tries to create the key and fails nonstop.
Workaround:
To recover, you must reboot VE.
Note: Restarting pkcs11d or the cloudhsm.client service does not resolve the issue.
794585-2 : User cannot log in after license reactivation on vCMP host
Component: Access Policy Manager
Symptoms:
Client connections to an APM virtual server are reset after the license is reactivated on the vCMP host. The following error logs appear in the vCMP guest's /var/log/apm:
Jerr tmm2[2666]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_get_license, Line: 9627
err tmm2[2666]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 3679
Conditions:
-- APM configured
-- License is reactivated on vCMP host.
Impact:
APM clients will not be able to log in.
Workaround:
Disassociate and then re-associate the APM profile with the virtual server.
794505-3 : OSPFv3 IPv4 address family route-map filtering does not work
Component: Local Traffic Manager
Symptoms:
Filtering IPv4 routes using route-map does not work. All the IPv4 redistributed routes fail to redistribute if the route-map is attached to the OSPFv3 IPv4 address-family.
Conditions:
1. Configure two OSPF sessions, one for the IPv4 address-family and the other for the IPv6 address family.
2. Redistribute kernel routes.
3. Check routes are propagated.
4. Add a route map to allow any IPv4 kernel route matching IP address.
Impact:
All routes fail to propagate, and the IPv6 OSPF database external output is empty. All IPv4 routes are blocked from redistribution, instead of the routes mentioned in the route-map/prefix-list.
Workaround:
None.
794417-1 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not
Component: Local Traffic Manager
Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.
Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:
1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
Impact:
The configuration will not load if saved.
Workaround:
Do not simultaneously disable 'Enforce TLS Requirements' in the HTTP/2 profile, and enable 'TLS Renegotiation' in the Client SSL profile on a single virtual server.
794385-2 : BGP sessions may be reset after CMP state change
Component: Local Traffic Manager
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, there is a small chance that an ingress ACK packet of a previously established BGP connection is disaggregated to the new processing group (TMMs), and the selected TMM is ready to process traffic but not yet ready to process traffic for an existing connection. In this case, the connection is not processed and is reset instead.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- A CMP state change occurs on one of the blades.
-- A BGP ingress ACK packet is disaggregated to a TMM that is either the wrong TMM or not ready to process packets of an already established connection.
Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
There is no workaround, but the issue was never seen with a configuration where the CMP hash of the affected VLAN is changed back to the Default value.
793929-1 : In-TMM monitor agent might crash during TMM shutdown
Component: Local Traffic Manager
Symptoms:
A crash due to assertion in the in-TMM monitor agent occurs while TMM is shutting down.
Conditions:
In-TMM monitors are active and TMM shuts down, e.g., for BIG-IP reboot.
Impact:
There is no functional impact because TMM was shutting down anyway.
Workaround:
Turn off all in-TMM monitors before rebooting the BIG-IP system.
793669-1 : FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value
Component: Local Traffic Manager
Symptoms:
On a high availability (HA) paired device group configuration where a pool contains FQDN nodes as pool members, when a pool member is enabled or disabled on one device and a config-sync is performed, the peer device is not fully updated. The template node gets updated with the new value, but the ephemeral pool member retains the old value.
Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (e.g., Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Log in to tmsh on any of the systems.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover
Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.
Workaround:
None.
793217-2 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation
Component: Advanced Firewall Manager
Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.
Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.
Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.
Workaround:
Configure the rate-limit to be 10% more than what is desired.
793149-3 : Adding the Strict-transport-Policy header to internal responses
Component: Application Security Manager
Symptoms:
Some applications require the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.
Conditions:
- ASM is provisioned with CAPTCHA/CSI challenge enabled
or
- DoS is provisioned with CAPTCHA/CSI enabled
or
- Bot Defense is provisioned with CAPTCHA mitigation/Browser JS verification/Device ID collection is enabled.
Impact:
Responses arrive at the browser without the Strict-transport-Policy header.
Workaround:
Create an iRule to add the header to the response.
793121-3 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
Component: TMOS
Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.
Conditions:
The TMUI redirect-http-to-https is enabled.
Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.
Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.
793077 : Failed SSH logins no longer log entries into the audit log file
Component: TMOS
Symptoms:
When using SSH to log into the BIG-IP system, failed login attempts are no longer logged in the /var/log/audit log file. Instead, failed logins continue to be logged in the /var/log/secure log file.
Conditions:
-- Using SSH to log into a BIG-IP system.
-- The login attempt fails (e.g., due to invalid credentials).
Impact:
Log file /var/log/audit no longer shows failed SSH login attempts.
Failed logins via GUI continue to be logged in /var/log/audit file.
Workaround:
View /var/log/secure log file for failed SSH login attempts.
793005-3 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.
Conditions:
A Diameter answer does not match a pending request. The answer message is dropped, but the BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it can underflow.
Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.
Workaround:
None.
792341-2 : Google Analytics shows incorrect stats.
Component: Application Security Manager
Symptoms:
ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.
Conditions:
Scenario 1:
-- ASM provisioned.
-- ASM policy attached to a virtual server with challenge mitigation enabled (as part of brute force protection, for example).
Scenario 2:
-- Bot defense profile attached to a virtual server with challenge mitigation enabled.
Scenario 3:
-- DoS Application profile attached to a virtual server with challenge mitigation enabled.
Impact:
Incorrect data is displayed in the Google Analytics dashboard.
Workaround:
Have an iRule that injects google-analytics.js into the challenge white page at the HTTP_RESPONSE_SENT time event.
792045-1 : Prevent WAM cache type change for small objects
Component: WebAccelerator
Symptoms:
Transfer stalls.
Conditions:
- AAM is provisioned.
- Small object cache is configured.
- Response is a few bytes less than the small object threshold.
Impact:
Transfer stalls.
Workaround:
None.
791365-2 : Bad encryption password error on UCS save
Component: TMOS
Symptoms:
When a user with the admin role attempts to save a UCS with a passphrase, the following error is encountered:
[resource-admin@inetgtm1dev:Active:Standalone] ucs # tmsh save sys ucs /var/local/ucs/test-ucs passphrase password
Saving active configuration...
Error: Bad encryption password. <=========
Operation aborted.
/var/tmp/configsync.spec: Error creating package
WARNING:There are error(s) during saving.
Not everything was saved.
Be very careful when using this saved file!
Error creating package
Error during config save.
Unexpected Error: UCS saving process failed.
Conditions:
1) Log into the BIG-IP system as a user with admin role that has Advanced Shell access.
2) Attempt to create a UCS with a passphrase.
Impact:
Unable to save UCS with a passphrase.
Workaround:
This affects users logged in with the Admin role; you will be able to create a UCS with a passphrase while logged in as either the root user or as a user with the resource-admin role.
791361-1 : Configured management port rules can be lost after loading UCS file and rebooting
Component: Advanced Firewall Manager
Symptoms:
Configured management port rules are missing after loading a UCS file that adds the management-ip to the failover network, and subsequently rebooting.
Conditions:
-- Load a UCS file that adds the management-ip to the failover network.
-- Reboot.
Impact:
Management port rules can be lost. This can prevent normal operation of high availability (HA) configurations.
Workaround:
There is no workaround at this time.
791061-2 : Config load in /Common removes routing protocols from other partitions
Component: TMOS
Symptoms:
When only the /Common partition configuration is loaded, routing protocols configured on route-domains in other partitions are removed.
Conditions:
-- Configure route-domains on other partitions with routing-protocols.
-- Load the /Common partition config alone.
Impact:
Routing protocol configuration from other partitions is removed.
Workaround:
Reload the config with the command:
load sys config partitions all
790949-2 : MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.
Component: Service Provider
Symptoms:
Default values differ between tmsh and GUI documentation, and actual behavior. The special value 0 is documented to either disable the respective limit or apply a default value. Actual behavior for 0 is to silently apply internal default values of 32768 bytes and 256 messages, regardless of the protocol. These defaults might not match the profile default values for a given MRF protocol such as Diameter, SIP, or MQTT.
For some protocols such as Diameter, there is no validation of whether the maximum pending messages value falls within the acceptable range of 1-65535. Values outside that range are silently truncated to 16 bits, and a resulting 0 is then treated according to the actual behavior described above.
Some documented and actual default values have changed across releases.
Conditions:
An MRF router profile is configured with the 'Maximum Pending Bytes' or 'Maximum Pending Messages' parameter set to a non-default value or 0.
Affected MRF router profiles are: 'diameter', 'sip', 'mqtt' and 'generic'.
Impact:
Depending on the protocol, the limits might not take effect as configured.
Incorrect documentation and/or lack of validation could lead to configuring an invalid value.
Workaround:
None.
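A model of the behavior described for this issue, as an added example that is not F5 code: it computes the limit that takes effect for a configured value and lists profiles whose effective limits differ from what was entered. The truncation to the low 16 bits follows the text above for Diameter; the profile names and values are constructed.

```python
"""Model of the effective MRF pending limits described in issue 790949.

Added illustration; the rules come from the issue text, the data is constructed.
"""

INTERNAL_DEFAULT_MESSAGES = 256     # applied when the value is (or becomes) 0
INTERNAL_DEFAULT_BYTES = 32768      # applied when the value is 0
VALID_MESSAGES = range(1, 65536)    # documented acceptable range 1-65535


def effective_messages(configured, truncates_to_16_bits=True):
    """Limit that takes effect for 'Maximum Pending Messages'.

    truncates_to_16_bits models protocols without range validation
    (the issue text names Diameter).
    """
    value = configured & 0xFFFF if truncates_to_16_bits else configured
    return INTERNAL_DEFAULT_MESSAGES if value == 0 else value


def effective_bytes(configured):
    """Limit that takes effect for 'Maximum Pending Bytes'."""
    return INTERNAL_DEFAULT_BYTES if configured == 0 else configured


def audit_profiles(profiles):
    """profiles: list of dicts with name, max_pending_messages, max_pending_bytes.

    Return (name, parameter, configured, effective) for every mismatch.
    """
    findings = []
    for profile in profiles:
        configured = profile["max_pending_messages"]
        actual = effective_messages(configured)
        if actual != configured:
            findings.append((profile["name"], "max_pending_messages", configured, actual))
        configured = profile["max_pending_bytes"]
        actual = effective_bytes(configured)
        if actual != configured:
            findings.append((profile["name"], "max_pending_bytes", configured, actual))
    return findings


# Constructed profiles covering the edge cases in the issue text.
SAMPLE_PROFILES = [
    {"name": "diameter_zero", "max_pending_messages": 0, "max_pending_bytes": 0},
    {"name": "diameter_64k", "max_pending_messages": 65536, "max_pending_bytes": 1000000},
    {"name": "diameter_70k", "max_pending_messages": 70000, "max_pending_bytes": 1000000},
    {"name": "diameter_ok", "max_pending_messages": 500, "max_pending_bytes": 65536},
]

if __name__ == "__main__":
    for name, parameter, configured, actual in audit_profiles(SAMPLE_PROFILES):
        in_range = configured in VALID_MESSAGES if parameter.endswith("messages") else True
        note = "" if in_range else " (outside 1-65535)"
        print(f"{name}: {parameter} configured={configured} effective={actual}{note}")
```

A value of 65536 is the case to watch: it truncates to 0 and therefore takes effect as 256 messages.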
790845-2 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
Component: Local Traffic Manager
Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.
Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.
Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.
Impact:
An In-TMM monitor is falsely marked as down.
Workaround:
Use default settings for a CMP-hash.
790205-3 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
Component: Local Traffic Manager
Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.
Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.
Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
790113-2 : Cannot remove all wide IPs from GTM distributed application via iControl REST
Component: Global Traffic Manager (DNS)
Symptoms:
The following tmsh command allows you to delete all wide IPs using an 'all' specifier:
modify gtm distributed-app da1 wideips delete { all }
There is no equivalent iControl REST operation to do this.
Conditions:
This can be encountered while trying to delete all wide IPs from a distributed application via iControl REST.
Impact:
iControl REST calls that should allow you to remove all wide IPs from a GTM distributed application return an error, leaving you unable to complete the task via iControl REST.
Workaround:
You can use one of the following workarounds:
-- Use the WebUI.
-- Use the tmsh utility, for example:
tmsh modify gtm distributed-app da1 wideips delete { all }
-- Invoke tmsh from within the bash iControl REST endpoint, for example:
curl -u username:password -s -H 'Content-Type: application/json' -X POST -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh modify gtm distributed-app da1 wideips delete { all }'\"}" https://<IP>/mgmt/tm/util/bash
789421-2 : Resource-administrator cannot create GTM server object through GUI
Component: Global Traffic Manager (DNS)
Symptoms:
Users logged in with a role of resource-administrator are unable to create a GTM server object via GUI. The warning banner reports 'No Access'.
Conditions:
A user with a role of resource-administrator attempts to create a GTM server object.
Impact:
Unable to create GTM server object via the GUI.
Workaround:
Use tmsh or iControl/REST.
789181-3 : Link Status traps are not issued on VE based BIG-IP systems
Component: TMOS
Symptoms:
The Link Status traps, both F5 proprietary and standard LinkUp/LinkDown, are issued on BIG-IP hardware but not on BIG-IP Virtual Edition (VE) configurations.
Conditions:
This occurs when interfaces on hardware-based BIG-IP systems or VE-based BIG-IP configurations experience link status events (links go up or down, or are administratively enabled or disabled).
Impact:
Log messages are issued and SNMP traps are issued if an SNMP trap destination is configured.
On a VE-based BIG-IP system, these logs and traps do not occur.
An SNMP client waiting for a Link Status trap on an administrative enable or disable therefore does not receive the trap.
Workaround:
None.
789085-2 : When executing the ACCESS::session iRule command under a serverside event, tmm may crash
Component: Access Policy Manager
Symptoms:
Executing the ACCESS::session iRule command inside a serverside event, e.g., SERVER_CONNECTED, may cause tmm to crash.
Conditions:
ACCESS::session iRule command invoked under a serverside event, for example:
when SERVER_CONNECTED {
    log local0. "[ACCESS::session data get session.user.sessionid]"
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
788949-3 : MySQL Password Initialization Loses Already Written Password
Component: TMOS
Symptoms:
In some cases, the MySQL root password initialization is not complete. A re-attempt to restart MySQL fails.
Conditions:
-- MySQL startup script is interrupted.
-- Setting the root password fails.
Impact:
Processes may fail to connect to MySQL server.
Workaround:
None.
788813-1 : TMM crash when deleting virtual-wire config
Component: Local Traffic Manager
Symptoms:
Tmm crashes.
Conditions:
This can occur when deleting a virtual-wire config.
Impact:
Traffic disrupted while tmm restarts.
788753-4 : GATEWAY_ICMP monitor marks node down with wrong error code
Component: Local Traffic Manager
Symptoms:
Pool state shows down when there is no route configured to node.
Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.
Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.
Workaround:
None.
788645-4 : BGP does not function on static interfaces with vlan names longer than 16 characters.
Component: TMOS
Symptoms:
If a VLAN, VLAN group, or tunnel has a name with more than 15 characters, BGP does not function properly on that interface.
Conditions:
-- BGP Dynamic routing in use.
-- Interface name greater than 15 characters.
Impact:
BGP Dynamic Routing is not working.
Workaround:
1. Rename the interface using 15 or fewer characters.
2. Remove Static Binding and Bind to all interfaces.
788513-2 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
Component: Service Provider
Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:
warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]
This appears to be benign, as the configuration loads successfully, and the script works as expected.
Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name
Instead of:
RADIUS::avp replace USER-NAME "static value"
Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.
Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.
788465-2 : DNS cache idx synced across HA group could cause tmm crash
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache idx conflicts and tmm crash.
Conditions:
-- High availability (HA) configuration.
-- DNS cache is configured and synced to the peer twice.
-- A second DNS cache is configured on the peer.
Impact:
The idx conflicts will be observed. If the second DNS cache is of another type and is added to a virtual server, accessing that virtual server might cause a tmm core. Traffic disrupted while tmm restarts.
Workaround:
On the BIG-IP system that has the DNS cache idx conflicts, restart tmm:
# bigstart restart tmm
787973-3 : Potential memory leak when software crypto request is canceled.
Component: Local Traffic Manager
Symptoms:
Memory may occasionally leak when a software crypto request is cancelled before it has completed.
Conditions:
There are a number of reasons why a software crypto request may be canceled.
Impact:
Memory may leak.
Workaround:
No workaround.
787969-1 : Validation error regarding disabling DoS Software Mode is unclear
Component: Advanced Firewall Manager
Symptoms:
You encounter an error message: This platform does not support DoS hardware capability, which is needed to disable this sys db variable.
Conditions:
-- This can be encountered during system start, or when loading a UCS file.
-- The error is logged if the DB variable Dos.ForceSWDos is set to false on a platform that does not support hardware DoS capability.
Impact:
The error is logged, but it does not make clear that the db variable Dos.ForceSWDos is set to false on a device that does not have hardware DoS capability.
Workaround:
None.
787965-1 : URLCAT by URI does not work if it contains port number
Component: Traffic Classification Engine
Symptoms:
If the absolute URI contains a port number, URLCAT returns the result: Uncategorized.
Conditions:
Create new connection using CONNECT <absolute_uri> method.
Impact:
AFM rules configured with use of categorization do not work as intended.
Workaround:
Add URI with port number to custom Feed List.
787905-4 : Improve initializing TCP analytics for FastL4
Component: Local Traffic Manager
Symptoms:
TCP analytics for FastL4 might stay uninitialized under specific circumstances.
Conditions:
System clock advances while initializing TCP analytics for FastL4.
Impact:
TCP analytics for FastL4 might stay uninitialized for a while and miss some analytics data.
Workaround:
N/A
787853-2 : BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.
The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.
Conditions:
1. Create two virtual servers with multiple nodes. Set ICMP echo as all or selective/all.
2. Ping from client to virtual address.
3. Bring down nodes.
4. Ping fails from client to virtual address, as expected.
5. Bring up nodes and make sure all virtual servers are online.
6. Start ping from client to virtual address.
Impact:
The BIG-IP system might respond incorrectly to ICMP echo requests sent to a virtual-address.
-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP system may not respond correctly after a virtual-address availability change.
-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.
The BIG-IP system might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.
Workaround:
Update virtual address ICMP setting to any or selective/any.
787285 : Configuration fails to load after install of v14.1.0 on BIG-IP 800★
Component: TMOS
Symptoms:
When performing an installation of 14.1.0 on the BIG-IP 800 platform, the configuration fails to load after booting and reports an error:
01070920:3: Application error for confpp: iptables-restore v1.4.21: Couldn't load target `ha_multicast':No such file or directory
Conditions:
-- Install or upgrade to 14.1.0.
-- BIG-IP 800 platform.
Impact:
Unable to load configuration.
Workaround:
None.
786981-3 : Pending GTP iRule operation maybe aborted when connection is expired
Component: Service Provider
Symptoms:
When there is a suspended iRule operation (such as the table or after command) in a GTP iRule event, the operation may be intermittently aborted when the connection expires.
Conditions:
This occurs when a connection times out while there is still a pending iRule operation. For example, in one use case, there is a table command in GTP_SIGNALLING_INGRESS event, and the immediate idle timeout is configured in the UDP profile.
Impact:
GTP iRule may not be completely executed.
Workaround:
For the specific use case when immediate idle timeout is used, change idle timeout to some positive value. Then use the iRule to expire the connection after the GTP iRule event is done, for example, by setting 'IP::idle_timeout 0' in SERVER_CONNECTED event.
786633-1 : Debug-level messages are being logged even when the system is not set up for debug logging
Component: TMOS
Symptoms:
With certain modules provisioned, the following debug apmd log events are reported to the logging server:
-- slot1/systemname debug apmd[14204]: GSSAPI client step 2.
-- err apmd[14204]: 01490107:3: ...: Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) (-2)
Conditions:
-- APM, APML, ASM, AVR, iRulesLX, LTM provisioned.
-- Configured to use Generic Security Service Application Program Interface (GSSAPI, also GSS-API).
Impact:
Debug-level messages are logged even when the BIG-IP system is not configured to use debug logging:
debug apmd[14204]: GSSAPI client step 2.
Workaround:
None.
786517-3 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
Component: Local Traffic Manager
Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.
- Running the command 'tmsh load /sys config' reports an error:
01070038:3: Monitor /Common/a-tcp address type requires a port.
Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.
Impact:
Monitors are sent to an incorrect IP address.
tmsh load /sys config will fail to load the configuration.
Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.
-- Fix the monitor definition using tmsh.
785877-2 : VLAN groups do not bridge non-link-local multicast traffic.
Component: Local Traffic Manager
Symptoms:
VLAN groups do not bridge non-link-local multicast traffic.
Conditions:
-- VLAN groups configured.
-- Using non-link-local multicast traffic.
Impact:
Non-link-local multicast traffic does not get forwarded.
Workaround:
None.
785701-1 : Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile
Component: Local Traffic Manager
Symptoms:
Changing parameters in a Web Acceleration profile does not change the behavior of virtual servers already using the profile.
Conditions:
This issue is encountered after changing the settings of a Web Acceleration profile already in use by one or more virtual servers.
Impact:
The changes are saved correctly and are visible in the Web UI and tmsh; however, virtual servers already using the profile are not affected by the changes. This may result in some confusion and in the BIG-IP Administrator being unable to apply their desired changes.
Workaround:
After modifying the profile, remove the profile from all virtual servers and then re-add it.
785529-1 : ASM unable to handle ICAP responses which length is greater then 10K
Component: Application Security Manager
Symptoms:
ASM drops ICAP and HTTP connections when a multipart request arrives at the ASM enforcer and is then forwarded to the ICAP server for virus inspection, and the ICAP server replies with a large (greater than 10 KB) response.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Antivirus service IP and port defined in the BIG-IP GUI under Options :: Integrated Services.
-- Antivirus protection enabled in the ASM policy.
Impact:
ASM drops ICAP and HTTP connections.
Workaround:
Configure the ICAP server to send back responses smaller than 10 KB.
785481-2 : A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
Component: Local Traffic Manager
Symptoms:
Setting the DB variable tm.rejectunmatched to 'false' causes the BIG-IP system to not send RSTs when there is a match but the connection is rejected due to connection limits.
Conditions:
- tm.rejectunmatched is set to 'false'.
- A packet is matching a BIG-IP object.
- The packet is to be rejected because of connection limits.
Impact:
Reset packets are not sent back to clients when they should be.
Workaround:
None.
785361-1 : In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped
Component: Local Traffic Manager
Symptoms:
If the BIG-IP system is configured in L2Wire mode, packets from srcIP 0.0.0.0 are dropped.
Conditions:
L2Wire mode.
Impact:
All srcIP 0.0.0.0 packets are dropped silently.
Workaround:
Configure the virtual server to be in L2-forward mode.
785017-1 : Secondary blades go offline after new primary is elected
Component: TMOS
Symptoms:
Secondary active blades go offline.
Conditions:
-- Cluster with three or more active blades.
-- Primary blade is rebooted.
For example, on a 4-bladed system, after slot 1 (primary blade) was rebooted and slot 2 (secondary blade) takes over as primary, slots 3 and 4 both go offline due to high availability (HA) table, with the logs showing reason as 'waiting for configuration load'.
Impact:
Cluster reduced to a single blade, which may impact performance.
Workaround:
None.
784733-3 : GUI LTM Stats page freezes for large number of pools
Component: TMOS
Symptoms:
When a configuration has approximately 5400 pools and 40,000 pool members, the GUI page may freeze indefinitely when you navigate to it to look at stats for all pools or for one pool.
Conditions:
Configurations with large number of pools and pool members, e.g., 5400 pools and/or 40,000 pool members.
Impact:
Cannot view pool or pool member stats in GUI.
Workaround:
Use iControl REST or TMSH to retrieve stats for such a large number of pools or pool members.
784565-2 : VLAN groups are incompatible with fast-forwarded flows
Component: Local Traffic Manager
Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.
Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.
Impact:
Some connections may fail.
Workaround:
None.
783969 : An invalid SSL close_notify might be sent in some cases.
Component: Local Traffic Manager
Symptoms:
If a clienthello is not fully received and parsed, any alert sent might be invalid (show an invalid version number).
Conditions:
-- A virtual server has a client-ssl profile.
-- The 'unclean-shutdown' option is disabled.
-- The virtual server receives an incomplete clienthello before shutting down.
Impact:
There is no functional impact, although alerts sent might show an invalid version number.
Workaround:
Enable unclean-shutdown (which is enabled by default).
783617-1 : Virtual Server resets connections when all pool members are marked disabled
Component: Local Traffic Manager
Symptoms:
The BIG-IP system immediately responds with a RST against a SYN when all pool members are marked disabled by a monitor.
Conditions:
All the pool members are marked disabled by a monitor or administratively.
Impact:
Cannot use iRules to respond with an HTTP 503 error to incoming traffic.
Workaround:
None.
783293-1 : Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window
Component: TMOS
Symptoms:
If you try to enter any of these three characters: < > & (less than, greater than, ampersand) into the GUI Preference page or the TMSH sys global-settings configuration, they are displayed as escape characters in the GUI window, respectively as: &lt; &gt; &amp;.
Conditions:
Entering one of these three characters into GUI banner text settings: < > &.
Impact:
At the GUI Logon page, the page displays the following characters: &lt; &gt; &amp; instead of the specified characters: < > &.
Workaround:
None.
783289-1 : PEM actions not applied in VE bigTCP.
Component: Policy Enforcement Manager
Symptoms:
If PEM virtual server is configured using bigTCP, the return traffic from the server may not return to the same TMM. PEM policies do not get applied.
Conditions:
-- BIG-IP Virtual Edition.
-- bigTCP is configured (FastL4 with PEM/GPA hudfilters).
-- Virtual server uses Source-NAT.
Impact:
PEM policies do not get applied.
Workaround:
To work around this, do the following:
-- Configure bigTCP virtual server not to use source-NAT.
-- Configure destination-IP for hashing in server-vlan (the external VLAN that has the virtual server).
783233-2 : OAuth puts quotation marks around claim values that are not string type
Component: Access Policy Manager
Symptoms:
When you define a claim to use with OAuth, and the claim-type setting is set to something other than String, the claim value is treated as a string anyway and encapsulated in quotation marks.
Conditions:
-- OAuth is configured.
-- The OAuth claim value being used is not of type string (i.e., array, boolean, or number).
Impact:
The claim value is encapsulated in quotation marks and processed as a string.
Workaround:
None.
783217-1 : Negative numbers of received packets in DoS-sampled log messages for bad actor and attacked destination attacks
Component: Advanced Firewall Manager
Symptoms:
There are negative values for the number of received packets in DoS-sampled log messages for bad actor and attacked destination attacks.
Conditions:
Running the reset-stats command.
Impact:
Incorrect log messages.
Workaround:
Restart tmm. Traffic disrupted while tmm restarts.
Do not run reset-stats command.
783165-3 : Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile
Component: Application Security Manager
Symptoms:
After you create a whitelist in the Bot Defense profile with URL "Any" and then modify the Bot Defense log profile, the whitelist no longer applies.
Conditions:
-- Bot Defense profile is attached to the Virtual Server
-- Adding a whitelist to the Bot Defense profile with url "Any"
-- Modifying the Bot Defense profile afterwards.
Impact:
Whitelist does not apply - users from the defined IP/GEO location might be blocked.
Workaround:
Delete and add the whitelist after modifying the profile.
783145-4 : Pool gets disabled when one of its pool member with monitor session is disabled
Component: Local Traffic Manager
Symptoms:
When a pool has at least two pool members and one of its pool members that is associated with a monitor is disabled, the entire pool is marked disabled-by-parent.
Conditions:
-- Monitor assigned to a single pool member.
-- That member is manually disabled.
Impact:
The pool status for the entire pool is marked disabled-by-parent.
Workaround:
None.
783125-2 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.
Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that require coordinating data with another TMM on the system, such as the 'table' command.
Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.
Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.
Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.
See the respective reference pages for DNS::drop and UDP::drop for the Valid Events in which each iRule command is available:
https://clouddocs.f5.com/api/irules/DNS__drop.html
https://clouddocs.f5.com/api/irules/UDP__drop.html
783113-4 : BGP sessions remain down upon new primary slot election
Component: TMOS
Symptoms:
BGP flapping after new primary slot election.
Conditions:
-- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)
-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.
-- The BFD session creation should happen in approximately 30 seconds after the reset/reboot.
Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.
Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
bigstart restart tmrouted
783073 : Cookie Persistence profile is not showing up in the GUI
Component: Local Traffic Manager
Symptoms:
Cookie Persistence profile is not showing up in the GUI; also missing from the GUI is persistence type cookie.
Conditions:
Attempting to view the Cookie Persistence profile.
Impact:
User cannot configure persistence profile at GUI.
Workaround:
Use TMSH to configure the profile.
782613-5 : Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp
Component: TMOS
Symptoms:
If a security firewall policy is part of an iApp inside a folder created by that iApp, then when the iApp is deleted, any config sync peer will not delete the policy when it deletes the rest of the iApp.
Conditions:
-- iApp with folder and security firewall policy is deleted.
-- High availability (HA) config sync configuration.
Impact:
The security policy is gone on the system where the iApp was initially deleted, but the peer still has that object, and it can't be deleted because it's part of an iApp.
Workaround:
None.
782353-6 : SIP MRF via header shows TCP Transport when TLS is enabled
Component: Service Provider
Symptoms:
When an SSL Client Profile (TLS) is enabled on a SIP Message-Routing Virtual Server, the via header shows an incorrect transport protocol when SIP messages are sent out the client side of MRF. For example, the via header contains 'SIP/2.0/TCP' or 'SIP/2.0/UDP', when it should read 'SIP/2.0/TLS'.
Conditions:
Sending SIP messages from the client side of the SIP MRF when an SSL client profile is enabled on the SIP Message-Routing virtual server.
Impact:
The via header is not correct and violates the SIP RFC.
Workaround:
Create an iRule that replaces the incorrect via header with a correct one, for example:
when SIP_REQUEST_SEND {
    if { [clientside] } {
        SIP::header replace Via [string map [list "SIP/2.0/TCP " "SIP/2.0/TLS " "SIP/2.0/UDP " "SIP/2.0/TLS "] [SIP::header Via 0]] 0
    }
}
781985-1 : DNSSEC zone SEPS records may be wiped out from running configuration
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain circumstances, DNSSEC zone SEPS records may be wiped out from running configuration.
Conditions:
This occurs only with GTM configurations loaded by the command: tmsh load sys config gtm-only.
Impact:
SEPS records may be lost after a configuration reload.
Workaround:
None.
781829-1 : GTM TCP monitor does not check the RECV string if server response string not ending with \n
Component: Global Traffic Manager (DNS)
Symptoms:
GTM TCP monitor marks resource down.
Conditions:
The TCP server response string does not end with '\n'.
Impact:
Available resources are marked down.
Workaround:
If the TCP server is sending a text response, reconfigure the server to make sure it terminates the output with '\n'.
If the TCP server cannot be changed (for example, if it produces binary output), it may be possible to create an external gtm monitor instead.
781753-3 : WebSocket traffic is transmitted with unknown opcodes
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not preserve WebSocket frames. Frame headers and payload may be reordered such that a header for a second frame may be sent out in the middle of a first frame's payload. Frame boundaries get skewed and payload gets interpreted as headers.
Conditions:
A request logging profile is configured on a WebSocket virtual server.
Impact:
WebSocket frames are not preserved such that traffic appears to be garbage.
-- If request logging is enabled, client frames may not be preserved.
-- If response logging is enabled, server frames may not be preserved.
Workaround:
Remove the request logging profile.
781733-2 : SNMPv3 user name configuration allows illegal names to be entered
Component: TMOS
Symptoms:
The validation of SNMPv3 user names is not strict, and allows users of both the GUI and TMSH to enter badly formed user names. When the SNMP daemon reads these user names from the snmpd.conf file, validation rejects the names.
Conditions:
Poorly formed SNMPv3 user names can be entered into configuration, for example, names with embedded spaces.
Impact:
The user names are not accepted by the SNMP daemon when it reads the configuration from the snmpd.conf file.
Workaround:
Use alphanumeric characters for SNMPv3 user names, and do not include embedded spaces in the names.
781485-4 : PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition
Component: Policy Enforcement Manager
Symptoms:
PEM spm_local_cache could get leaked on the STANDBY chassis.
Conditions:
-- If the high availability (HA) cluster switches to ACTIVE-ACTIVE mode during its lifetime.
-- PEM running in a Traffic-group configuration.
Impact:
Memory on the STANDBY chassis is leaked.
Workaround:
None.
781425 : Firewall rule list configuration causes config load failure
Component: Advanced Firewall Manager
Symptoms:
'tmsh load sys config' has a syntax error.
The syntax error is reported on 'security firewall rule-list rule' configuration.
Conditions:
This occurs only if any of the rule-list rule ip-protocol contains one of the following protocols:
-- BBN-RCC-MON
-- NVP-II
-- DCN-MEAS
-- OSPFIGP
-- CRUDP
Impact:
The system fails to load the configuration.
Workaround:
Manually edit the configuration file: /config/bigip_base.conf
1. Replace the ip-protocol name from rule-list configuration:
-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.
2. Save the file.
3. Issue the command:
tmsh load sys config
The configuration now loads without syntax errors.
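The manual edit in step 1 can be scripted. The following is an added example, not F5 code: it rewrites only lines whose first token is ip-protocol, using the five name changes listed above, and keeps a backup copy of the file. The function names and the embedded rule-list are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the five ip-protocol renames from the workaround.
# Only lines of the form "ip-protocol <NAME>" are rewritten, so an object
# whose own name contains one of these strings is left untouched.

PROTO_MAP='BBN-RCC-MON=bbn-rcc NVP-II=nvp DCN-MEAS=dcn OSPFIGP=ospf CRUDP=crudp'

# awk prologue shared by both functions: builds map[old] = new.
AWK_MAP='BEGIN { n = split(pairs, p, " ");
                 for (i = 1; i <= n; i++) { split(p[i], kv, "="); map[kv[1]] = kv[2] } }'

# Count ip-protocol lines that still use one of the names that fail to load.
count_unloadable_protocols() {
    awk -v pairs="$PROTO_MAP" "$AWK_MAP"'
        $1 == "ip-protocol" && ($2 in map) { c++ }
        END { print c + 0 }'
}

# Filter: configuration text on stdin, corrected text on stdout.
fix_ip_protocol_names() {
    awk -v pairs="$PROTO_MAP" "$AWK_MAP"'
        $1 == "ip-protocol" && ($2 in map) { sub($2, map[$2]) }
        { print }'
}

# Rewrite a file in place, keeping <file>.bak; ownership and mode are preserved
# because the original file is overwritten rather than replaced.
fix_config_file() {
    fcf_conf=$1
    cp -p "$fcf_conf" "$fcf_conf.bak" || return 1
    fcf_tmp=$(mktemp "${fcf_conf}.XXXXXX") || return 1
    if fix_ip_protocol_names < "$fcf_conf" > "$fcf_tmp"; then
        cat "$fcf_tmp" > "$fcf_conf"
        fcf_rc=$?
    else
        fcf_rc=1
    fi
    rm -f "$fcf_tmp"
    return "$fcf_rc"
}

# Constructed sample (not taken from a real system).
SAMPLE_CONF=$(cat <<'EOF'
security firewall rule-list /Common/rl_constructed {
    rules {
        NVP-II_allow {
            action accept
            ip-protocol NVP-II
        }
        ospf_allow {
            action accept
            ip-protocol OSPFIGP
        }
        web_allow {
            action accept
            ip-protocol tcp
        }
        crudp_drop {
            action drop
            ip-protocol CRUDP
        }
    }
}
EOF
)

# Demo on the constructed sample; on a BIG-IP system the target would be
# /config/bigip_base.conf, followed by steps 2 and 3 above.
printf '%s\n' "$SAMPLE_CONF" | fix_ip_protocol_names
```

Running count_unloadable_protocols against the file before and after the rewrite confirms that no affected ip-protocol values remain before the configuration is reloaded.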
781113-1 : Support to enable/disable reusing serverside TIME_WAIT connections
Component: Local Traffic Manager
Symptoms:
Currently, the serverside connections in TIME_WAIT state are reused for new serverside connections (by default) before TIME_WAIT expires. A mechanism is required to disable reusing the TIME_WAIT connections if needed.
Conditions:
A new serverside connection request is made that matches an existing TIME_WAIT connection and connection is reused.
Impact:
BIG-IP system behavior on reusing TIME_WAIT connections is configurable based on the tmm.reuse.ss.timewaitconns sys db.
tmm.reuse.ss.timewaitconns: enabled (the default)
-- A new serverside connection request comes for a TIME_WAIT serverside connection.
-- Connection is reused.
tmm.reuse.ss.timewaitconns: disabled
-- A new serverside connection request comes for a TIME_WAIT serverside connection.
-- "Port in use" error is returned.
Workaround:
There is no workaround at this time.
781041-1 : SIP monitor in non default route domain is not working.
Component: Local Traffic Manager
Symptoms:
SIP pool members in non-default route domain are being marked as unavailable even though they are available.
Conditions:
SIP pool members in non default route domain.
Impact:
SIP service unavailable.
780745-2 : TMSH allows creation of duplicate community strings for SNMP v1/v2 access
Component: TMOS
Symptoms:
TMSH allows you to create multiple access records with the same IP protocol, same Source IP network, and same community string.
Conditions:
Duplicate access records are created in TMSH.
Impact:
Unintended permissions can be provided when an undesired access record with the correct community string is matched to a request instead of the desired access record.
Workaround:
Use the Configuration Utility to manage SNMP v1/2c access records. The GUI properly flags the error with the message:
The specified SNMP community already exists in the database.
If you use tmsh, ensure that community strings remain unique within each Source IP Network for each IP protocol.
780437-2 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
Component: TMOS
Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.
As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.
The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.
Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.
Symptoms for this issue include:
-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.
-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.
-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):
qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img
qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img
-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one or more vCMP guests:
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]
Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.
-- Large configuration with many guests.
-- The VIPRION chassis is rebooted.
-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
Impact:
-- Loss of entire configuration on previously working vCMP guests.
-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.
-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.
Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.
If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.
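The symptoms listed for issue 780437 above can be checked from collected command output. The following is an added example, not F5 code: its function names are hypothetical, and its sample input is constructed from the lsof and /var/log/ltm lines shown on this page plus an assumed mount listing with placeholder device names.

```shell
#!/bin/sh
# Added example: triage helpers for the vCMP virtual-disk symptoms of issue 780437.
# Function names are hypothetical; all sample input below is constructed.

# Constructed mount listing in which /shared/vmdisks is missing (placeholder devices).
SAMPLE_MOUNT='/dev/EXAMPLE-root on / type ext3 (rw)
/dev/EXAMPLE-shared on /shared type ext3 (rw)'

# Constructed lsof lines, copied from the two example lines on this page.
SAMPLE_LSOF='qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img
qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img'

# Constructed /var/log/ltm excerpt, copied from the example entries on this page.
SAMPLE_LOG='info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)'

# Succeed only if /shared/vmdisks is a mount point in the `mount` output on stdin.
vmdisks_mounted() {
    grep -q ' on /shared/vmdisks type '
}

# Print "<device> <image>" for each qemu-kvm handle on a /shared/vmdisks image.
# Input: lsof lines on stdin (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME).
vdisk_devices() {
    awk '$1 == "qemu-kvm" && $5 == "REG" && $9 ~ /^\/shared\/vmdisks\// { print $6, $9 }' | sort -u
}

# Count the distinct device numbers backing the virtual disks.
# More than one means some images live on a different filesystem than the others.
vdisk_device_count() {
    vdisk_devices | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Print "<guest> <path>" for each "Creating VDisk" event (message ID 01510006).
recreated_vdisks() {
    sed -n 's/.*vcmpd\[[^]]*]: 01510006:[0-9]: Guest (\([^)]*\)): Creating VDisk (\([^)]*\)).*/\1 \2/p'
}

# Run all three checks and report each finding; the last line is "findings=<n>".
# Args: $1 = mount output, $2 = lsof output from all blades, $3 = ltm log excerpt.
triage_vdisks() {
    findings=0
    if ! printf '%s\n' "$1" | vmdisks_mounted; then
        echo "FINDING: /shared/vmdisks is not mounted"
        findings=$((findings + 1))
    fi
    n=$(printf '%s\n' "$2" | vdisk_device_count)
    if [ "$n" -gt 1 ]; then
        echo "FINDING: virtual disks span $n device numbers:"
        printf '%s\n' "$2" | vdisk_devices | sed 's/^/  /'
        findings=$((findings + 1))
    fi
    recreated=$(printf '%s\n' "$3" | recreated_vdisks)
    if [ -n "$recreated" ]; then
        echo "FINDING: virtual disks were created again:"
        printf '%s\n' "$recreated" | sed 's/^/  /'
        findings=$((findings + 1))
    fi
    echo "findings=$findings"
}

triage_vdisks "$SAMPLE_MOUNT" "$SAMPLE_LSOF" "$SAMPLE_LOG"
```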
779857-1 : Misleading GUI error when installing a new version in another partition★
Component: TMOS
Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:
'Install Status':Failed Troubleshooting
Conditions:
Install a new version in another partition.
Impact:
The GUI error is misleading. It shows the install status as 'Failed Troubleshooting' even though the installation is proceeding normally; the error does not indicate a problem with the installation.
Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.
779793-2 : [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor
Component: Global Traffic Manager (DNS)
Symptoms:
Using BIG-IP Link Controller (LC), every 10 seconds, the system logs messages similar to the following example:
-- err mcpd[5570]: 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec.
-- err mcpd[5570]: 01071488:3: Remote transaction for device group /Common/gtm to commit id 1 6681134264373087063 /Common/ELC002.kbn.mlit.go.jp 0 failed with error 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec..
Conditions:
-- A bigip_link monitor with destination * written in bigip_gtm.conf.
-- That monitor is associated with a link.
-- The following command is run on one of the sync group peers:
tmsh load /sys config gtm-only
Impact:
LC system failing to load configuration.
Workaround:
Run this command on the LC system that is logging the error message:
tmsh load /sys config gtm-only
779769-2 : [LC] [GUI] destination cannot be modified for bigip-link monitors
Component: Global Traffic Manager (DNS)
Symptoms:
The 'destination' for BIG-IP Link Controller (LC) bigip_link monitor cannot be modified through GUI.
Conditions:
Using the LC bigip_link monitor in the GUI.
Impact:
Cannot change 'destination' for LC bigip_link monitor through GUI.
Workaround:
Use tmsh.
779633-1 : BIG-IP system reuses serverside TIME_WAIT connections irrespective of TMMs used
Component: Local Traffic Manager
Symptoms:
When reusing a serverside TIME_WAIT connection, the BIG-IP system:
-- Establishes the new connection if clientside/serverside connections are on the same TMM.
-- Sends a RST 'Unable to obtain local port' if clientside/serverside connections are on different TMMs.
Conditions:
This happens in two scenarios:
Scenario 1:
-- A new serverside connection is requested that matches an existing TIME_WAIT connection (e.g., by using source-port preserve-strict in the virtual server)
-- Clientside/serverside connections are on the same TMM.
Scenario 2:
-- Clientside/serverside connections are on different TMMs.
Impact:
BIG-IP system behavior is inconsistent. In one case, BIG-IP establishes the connection. In the other case, BIG-IP resets the connection.
Workaround:
None.
779137-2 : Using a source address list for a virtual server does not preserve the destination address prefix
Component: Local Traffic Manager
Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.
Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).
Impact:
Traffic does not flow to the virtual server as expected.
Workaround:
None.
778817-2 : Invalid client request can cause un-captured exception on ASM container.
Component: iApp Technology
Symptoms:
Posting invalid message body content can cause restnoded to restart.
Conditions:
Post request with invalid data.
Impact:
ASM service disruption and loss of the state on in-process service requests.
Workaround:
NA
778517-1 : Large number of in-TMM monitors results in delayed processing
Component: Local Traffic Manager
Symptoms:
A monitor may continue to probe for a while after it has been removed from pool / member / node. Duplicate monitor instances may get created after associating a monitor to a server.
Conditions:
Device has a large number of in-TMM monitors.
Impact:
-- Monitor target may appear down when responding correctly.
-- Monitor may continue to run after removed from pool / member / node.
-- Increased monitoring load on server.
Workaround:
Disable in-tmm monitors:
tmsh modify sys db bigd.tmm value disable
778365-2 : dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
Component: Global Traffic Manager (DNS)
Symptoms:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS. If there is a DNS service running on the LDNS, RTT metrics should be collected successfully as expected. However, if there is no DNS service on the LDNS, no RTT metrics should be collected. The BIG-IP system still populates the RTT values, giving users a "false positive" result.
Conditions:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS and there is no DNS service running on the LDNS.
Impact:
RTT metrics are collected even though no response from the DNS service is present, giving users the wrong impression that there is one.
778333-3 : GUI/CLI max-in-progress discrepancy occurs after upgrade from v11.x to v13.x or later
Component: Access Policy Manager
Symptoms:
If there is an access profile that was created using BIG-IP v11.x or earlier, with a default value of max-in-progress(0), when the configuration is upgraded to v13.x or later, the GUI shows max-in-progress as 128, but at the CLI and in the database, the actual value is 0.
Conditions:
In versions earlier than v13.x, the field 'Max In Progress Sessions Per Client IP' was set to 0 by default; from v13.x, the value is 128.
Impact:
There is a max-in-progress discrepancy between the GUI and the CLI.
Workaround:
During upgrade validation, manually add 'Max In Progress Sessions Per Client IP' to user_spec if it was set to the default value.
The upgrade then treats the field as a customized value, so the discrepancy disappears.
778317-1 : IKEv2 HA after Standby restart has race condition with config startup
Component: TMOS
Symptoms:
A restarted standby system can end up with missing SAs, if the high availability (HA) process that mirrors the SAs from persistent storage runs before the configuration of IPsec has completed.
Conditions:
The loss of mirrored SAs requires this sequence of events:
-- A system becomes standby after failover; then is restarted.
-- During restart, HA manages to run before IPsec configuration.
-- SAs unsupported by current config are lost despite mirroring.
-- After another failover, the newly active system is missing SAs.
Impact:
A tunnel outage can occur (until SAs are renegotiated) after failover, if the newly active system lost some mirrored SAs when it was restarted while still acting as the standby system.
The impact cannot be observed until standby becomes active, when the missing SAs require a new key negotiation.
Workaround:
None.
778225-3 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
Component: Protocol Inspection
Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guests don't install the f5_api_com key and certificates.
Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).
Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.
Workaround:
Install the hitless upgrade IM package manually.
778041-1 : tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)
Component: TMOS
Symptoms:
When tcpdump is invoked with the epva option on a non-epva platform (BIG-IP Virtual Edition, for example), it fails with an unclear message:
errbuf:DPT Provider fatal error. Provider:ePVA Provider. No valid arguments.
Conditions:
-- Using a non-epva platform such as VE.
-- Calling the epva option:
+ Directly:
tcpdump -i 0.0 --f5 epva
+ Indirectly using 'all' (which includes epva):
tcpdump -i 0.0 --f5 all
Impact:
The unclear message gives no indication of what the issue is, or how to get tcpdump to run with the 'all' option on non-epva platforms.
Workaround:
Do not use the explicit epva option on non-epva platforms (it does not work anyway, as there is no epva debug information on those platforms).
Instead of 'all', explicitly specify other, non-epva providers on such platforms, for example, specifying 'noise' and 'ssl' providers:
tcpdump -i 0.0 --f5 n,ssl
777389-1 : In a corner case, for PostgreSQL monitor MCP process restarts
Component: TMOS
Symptoms:
MCP expects a monitoring response from the SQL server and starts polling for data continuously, resulting in an infinite loop.
Conditions:
In one of the corner cases of SQL monitoring, MCP expects to read monitoring data from the PostgreSQL server, but there is no data available to read.
Impact:
MCPD goes into an infinite loop and skips the heartbeat report, resulting in its restart. While MCPD is restarting, the system is offline and does not process traffic. After restart, system operation returns to normal.
Workaround:
None.
777245-1 : DNSSEC client-facing SOA zone serial does not update when DNSSEC related RR changes
Component: Global Traffic Manager (DNS)
Symptoms:
In certain cases, a DNSSEC client-facing SOA zone serial does not always update when DNSSEC-related resource records change.
Conditions:
A DNSSEC-related resource record changes.
Impact:
A DNSSEC client-facing SOA zone serial may not always update.
Workaround:
None.
777229-1 : IPsec improvements to internal pfkey messaging between TMMs on multi-blade
Component: TMOS
Symptoms:
There is no known performance degradation. This work eliminates unnecessary duplication of internal messages.
Conditions:
- IPsec tunnel configured.
- Multi-blade system.
Impact:
Extra logging in the TMM log due to duplicated internal messaging.
Workaround:
For vCMP systems, provision the Guest on one blade only. There is no workaround for bare-metal systems.
776489-2 : Remote authentication attempts to resolve only LDAP host against the first three name servers configured.
Component: TMOS
Symptoms:
'Login failed' is displayed on the BIG-IP system's login screen.
Conditions:
-- Remote authentication is enabled.
-- There are more than three name servers configured.
Impact:
Admins may not be able to log into the BIG-IP GUI with their admin user account if the first 3 configured DNS name servers are not reachable.
Workaround:
None.
776393-2 : Memory leak in restjavad causing restjavad to restart frequently with OOM
Component: TMOS
Symptoms:
Restjavad restarts frequently (approximately every 5 minutes) due to OutOfMemory:Java heap space when it has no extra memory.
Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.
Impact:
REST API intermittently unavailable.
Workaround:
Give restjavad extra memory. This is a two-step process.
1. Update memory allocated to the control plane using TMUI. System :: Resource Provisioning. The line for Management has a drop-down box for Small, Medium, or Large. The resulting sizes for restjavad are 192, 352, and 592, respectively. Set this to Large.
2. Run the following two commands, in sequence:
tmsh modify sys db restjavad.useextramb value true
bigstart restart restjavad
776229-2 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero
Component: Local Traffic Manager
Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:
err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"
Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.
Impact:
The iRule rejects traffic when the pool member's port number is 0.
Workaround:
Configure any iRule using the 'pool' command to go to a pool member using a non-0 port in the CLIENT_ACCEPTED event.
775801-2 : [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener
Component: Global Traffic Manager (DNS)
Symptoms:
'Route Advertisement' is not enabled even if you check the checkbox.
Conditions:
Creating GTM listener using the GUI.
Impact:
'Route Advertisement' is not enabled.
Workaround:
After the listener is created, modify the listener in the GUI and check the checkbox for 'Route Advertisement', and save.
775797-2 : Previously deleted user account might get authenticated
Component: TMOS
Symptoms:
A user account which may have originally been manually configured as a local user (auth user) but may have since been removed, might still get authenticated and be able to modify the BIG-IP configuration.
Conditions:
-- User account configured as local user.
-- The user account is deleted later.
(Note: The exact steps to produce this issue are not yet known).
Impact:
A deleted user that no longer exists in the local user list, and that is also not explicitly authorized by remote role groups, can get authenticated. The deleted user is also able to modify the BIG-IP configuration via iControl.
Workaround:
None.
775733-1 : /etc/qkview_obfuscate.conf not synced across blades
Component: TMOS
Symptoms:
By default, sensitive data, such as SSL keys, are excluded from QKView files. However, in some cases you may want to include sensitive information in the QKView file, so it must be obfuscated for security purposes. (Note: For information on how to configure this feature, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.)
In high availability (HA) configurations, the /etc/qkview_obfuscate.conf file is not copied to secondary blades on chassis platforms during sync operations.
Conditions:
-- Run qkview.
-- Upload qkview file to iHealth.
Impact:
Potentially sensitive information could be uploaded to iHealth or F5 Support. This occurs because, when there is an obfuscate.conf on the active, qkview automatically gathers the same information on the blades but does not obfuscate that sensitive data.
Workaround:
Manually copy /etc/qkview_obfuscate.conf to all blades.
Note: Do not upload sensitive data to iHealth or F5 Support. If you are obfuscating data, make sure to complete this step for every blade.
774617-1 : SNMP daemon reports integer truncation error for values greater than 32 bits
Component: TMOS
Symptoms:
Some values sent to SNMP can grow too large over time, causing an integer truncation error.
Conditions:
Values greater than 32 bits sent to SNMP.
Impact:
SNMP values are truncated. An error message is logged in /var/log/daemon.log:
err snmpd[20680]: truncating integer value > 32 bits
Workaround:
No current workaround.
774481-2 : DNS Virtual Server creation problem with Dependency List
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use the GUI to create virtual servers with dependent virtual server.
Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.
Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.
Workaround:
You can use either of the following workarounds:
-- Use tmsh;
-- Create the virtual server through GUI without dependent virtual server first and then edit the virtual server to add dependency.
774361-2 : IPsec High Availability sync during multiple failover via RFC6311 messages
Component: TMOS
Symptoms:
After multiple failover events, BIG-IP can fail to coordinate with a remote peer via RFC6311 protocol messages, whose content can present the wrong message IDs, which are also marshalled in host byte order instead of network byte order.
Conditions:
When active and standby systems failover multiple times, and a newly active system must sync IDs with the newly standby system before exchanging messages with a remote peer to synchronize expected ID sequences.
Impact:
IPsec tunnels experience a temporary outage until new security associations are negotiated.
Workaround:
No workaround is known at this time.
774301-4 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
Component: Access Policy Manager
Symptoms:
When a BIG-IP system configured as SAML IdP or SAML SP processes SAML Requests/Responses, the verification of the digital signature fails in certain cases:
err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response
Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.
-- SAML sends the "ArtifactResponse" message with both "ArtifactResponse" and "Assertion" signed.
-- This is also applicable to any SAML requests/responses that are signed:
a) SAML Authentication Request
b) SAML Assertion
c) SAML Artifact Response
d) SAML SLO Request/Response
Impact:
Output does not match the 'Canonicalized element without Signature' calculated by APM. BIG-IP SAML IdP or SAML SP fails to process SAML Requests/Responses, resulting in errors. Cannot deploy APM as SAML SP with Assertion Artifact binding.
Workaround:
None.
774261-1 : PVA client-side current connections stat does not decrease properly
Component: Local Traffic Manager
Symptoms:
When FTP is used with bigproto, the PVA client-side current connections stat does not decrease after connections are closed.
Conditions:
-- Use an FTP virtual server.
-- End user clients connect to the virtual server.
Impact:
An incorrect stat for client-side current connections will be reported for 'tmsh show sys pva-traffic global' and 'tmctl pva_stat'.
Example:
config # tmsh show sys pva-traffic global
-------------------------------------------------
Sys::PVA
-------------------------------------------------
PVA Traffic ClientSide ServerSide
Bits In 23.6K 219.7K
Bits Out 219.7K 23.6K
Packets In 40 335
Packets Out 335 40
Current Connections 295 0 <-----
Maximum Connections 296 8
Total Connections 335 40
Miscellaneous
Cur PVA Assist Conns 0
Tot PVA Assist Conns 335
HW Syncookies Generated 0
HW Syncookies Detected 0
config # tmsh show sys conn all-properties
Really display 1000 connections? (y/n) y
Sys::Connections
Total records returned: 0 <--------- No connections; this is the correct state.
Workaround:
This issue does not occur when 'inherit parent profile' is enabled on the FTP profile used by the virtual server.
774257-2 : tmsh show gtm pool and tmsh show gtm wideip print duplicate object types
Component: Global Traffic Manager (DNS)
Symptoms:
Tmsh show gtm pool and show gtm wideip commands with field-fmt will display the object type twice in the output. For example:
tmsh> show gtm pool a field-fmt
gtm pool pool emptypool:A
tmsh> show gtm wideip a field-fmt
gtm wideip wideip testwip.f5.com:A
Conditions:
This occurs when running the following tmsh commands:
tmsh show gtm pool <poolname> field-fmt
tmsh show gtm wideip <wideipname> field-fmt
Impact:
The output type is printed twice.
Workaround:
None.
774225-3 : mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting
Component: Global Traffic Manager (DNS)
Symptoms:
mcpd is in a restart loop after creating an internal DNSSEC FIPS key on a secondary GTM while rebooting the primary DNSSEC key generator GTM (gtm.peerinfolocalid==0).
Conditions:
New DNSSEC internal FIPS key is created and assigned to DNSSEC zone when BIG-IP system with gtm.peerinfolocalid==0 is down.
Impact:
mcpd is in a restart loop.
Workaround:
For maintenance window operations, set DNSSEC peer leader to the unit that will remain UP while rebooting the primary key generator in sync group (gtm.peerinfolocalid==0).
# tmsh modify gtm global-settings general peer-leader <gtm-server-name>
After the reboot is complete, all devices are back up, and everything looks good in the configs, clear the peer-leader setting:
# tmsh modify gtm global-settings general peer-leader none
If there are two GTM units: GTM1 (having gtm.peerinfolocalid == 0), GTM2, and you are going to reboot GTM1, then before rebooting, run the following command to configure the DNSSEC peer-leader setting:
# tmsh modify gtm global-settings general peer-leader GTM2
After reboot, clear the peer-leader setting:
# tmsh modify gtm global-settings general peer-leader none
774173-2 : WebUI - Cipher Group preview causes high availability (HA) sync state to become Changes Pending
Component: Local Traffic Manager
Symptoms:
In the GUI, editing a cipher group without submitting causes the high availability (HA) configuration sync state to become 'Changes Pending'.
Conditions:
Edit cipher group in GUI without submitting.
Impact:
HA sync state becomes 'Changes Pending' even though you have not submitted the changes.
Workaround:
Edit and preview cipher group using tmsh:
tmsh modify ltm cipher group
tmsh show ltm cipher group
773577-2 : SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
Component: TMOS
Symptoms:
On an SNMPv3 configuration, when a security-name and a username are the same but have different passwords, traps are not properly crafted.
Conditions:
security-name is the same as an SNMPv3 username.
Impact:
SNMP traps cannot be decoded.
Workaround:
Delete or rename user.
773333-2 : IPsec CLI help missing encryption algorithm descriptions
Component: TMOS
Symptoms:
The IPsec CLI help does not list the encryption algorithms.
Conditions:
LTM licensed on the BIG-IP.
Impact:
Unable to view the help.
Workaround:
None. The actual command line help should be:
(/Common)(tmos)# create net ipsec ike-peer test version add { v2 } phase1-encrypt-algorithm ?
Specifies the encryption algorithm used for the isakmp phase 1 negotiation. This directive must be defined. Possible value is one of following:
3des, aes128, aes192, aes256, blowfish, camellia, cast128, des
Note: The values blowfish, cast128, and camellia are v1 only.
773253-3 : The BIG-IP may send VLAN failsafe probes from a disabled blade
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core
Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- The VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.
Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.
Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.
Impact of workaround: Traffic disrupted while tmm restarts.
773229-2 : Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances
Component: Local Traffic Manager
Symptoms:
If a virtual server starts with a FastL4 profile with an idle_timeout of zero, and this profile is then replaced with one that has a non-zero idle_timeout, it can cause traffic to fail with a 'No flow found for ACK' error in the RST packet (if DB variable tm.rstcause.pkt is enabled) or logged (if DB variable tm.rstcause.log is enabled).
Conditions:
-- There is a virtual server configured with a FastL4 profile with an idle-timeout setting of zero ('immediate').
-- The FastL4 profile is replaced with one that has a non-zero idle-timeout setting.
Impact:
Traffic no longer passes through the virtual server properly.
Workaround:
To avoid this issue, if you need to change the FastL4 profile in this manner, delete and recreate the entire virtual server rather than replace the profile.
Impact of workaround: This results in a traffic disruption for that virtual server.
If the issue has already occurred, the only way to recover is to restart TMM.
Impact of workaround: This also results in a traffic disruption, this time a general one.
773173-1 : LTM Policy GUI is not working properly
Component: TMOS
Symptoms:
The GUI is not displaying LTM policies created with a rule in which log criteria is 'action when the traffic is matched'.
Also, some of the Actions disappear while adding multiple actions in a rule.
Using tmsh shows the policies created in the GUI.
Conditions:
From the GUI, create LTM policies with a rule in which log criteria is 'action when the traffic is matched'.
Impact:
GUI is not displaying LTM policies created with log as action in rule.
Workaround:
Use tmsh.
772497-5 : When BIG-IP is configured to use a proxy server, updatecheck fails
Component: TMOS
Symptoms:
Executing Update Check fails when run on a BIG-IP system that is behind a proxy server.
Conditions:
-- A proxy server is configured on the BIG-IP system using proxy.host db variable (and associated port, protocol, etc.).
-- You run Update Check.
Impact:
The Update Check fails to connect because the script resolves the IP address prior to sending the request to the proxy server.
Workaround:
You can use either of the following workarounds:
I
=======
Modify the /usr/bin/updatecheck script to not resolve the service ip for callhome.f5.com. To do so, remove the script text 'PeerAddr => $service_ip,' from lines 336,337:
1. Locate the following section in the script:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
SSL_hostname => $service_name,
2. Update the script to remove the content 'PeerAddr => $service_ip,', so that it looks like the following example:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( SSL_hostname => $service_name,
II
=======
As an alternative, use a sed command, as follows:
1. Remount /usr as rw.
2. Run the following command:
# sed -e 's/PeerAddr => \$service_ip,//' -i /usr/bin/updatecheck
772297-2 : LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
Component: Local Traffic Manager
Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface are reset to default.
Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.
Impact:
LLDP-related options under 'tmsh net interface' for that secondary blade are reset to default.
Workaround:
Run 'tmsh load sys config' on the primary blade, and the LLDP-settings will reapply to the interfaces.
772165-1 : Sync Failed due to Bot Defense profile not found
Component: Application Security Manager
Symptoms:
A sync failure might happen in a sync-failover device group after manually editing the /config/bigip.conf file and removing the Bot Defense profiles, and then performing a config sync.
The system reports a sync error message similar to this:
FODG (Sync Failed): A validation error occurred while syncing to a remote device.
- Sync error on device-b: Load failed from /Common/device-a 01020036:3: The requested profile (/Common/bot-defense-device-id-generate-before-access) was not found.
- Recommended action: Review the error message and determine corrective action on the device.
Conditions:
Manually editing the /config/bigip.conf file and removing the Bot Defense profile, then loading the config, and performing a config sync.
Impact:
Sync failure.
Workaround:
Reload the config from the receiving device, and then perform a force sync in the opposite direction, overriding the previous changes. This should bring the system back to in sync.
771961-1 : While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core
Component: Access Policy Manager
Symptoms:
If the SSL Orchestrator configuration is deleted while the device is active and passing traffic, tmm can core.
Conditions:
SSL Orchestrator device is active and passing traffic while being deleted.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
771137 : vCMP host reports much larger 'Virtual-disk' usage than du reports on the guest
Component: TMOS
Symptoms:
Host and guest 'used disk space' data is inconsistent.
Conditions:
-- Copy a file in the guest and check the 'Disk Use (bytes)' field using 'tmsh show vcmp virtual-disk' in the host and the du utility in the guest.
-- Delete the file and check the size again.
Impact:
vCMP host reports much larger 'Virtual-disk' usage than du reports on the guest.
Workaround:
None.
770989 : Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.★
Component: TMOS
Symptoms:
F5optics installation can fail with RPM database corruption on B4450 blades and iSeries platforms when installing 14.1.x.
Conditions:
-- Using B4450 blades or iSeries platforms.
-- Clean install (i.e., a completely new installation) of 14.1.0 from either an external drive or PXE without taking over license:
image2disk --format=volumes --nosaveconfig --nosavelicense BIGIP-14.1.0-0.0.116.iso
Impact:
-- After 14.1.0 boots up, when you check /shared/lib/rpm RPM database (by running the command: /opt/bin/rpm --dbpath /shared/lib/rpm -qa), you see errors if the RPM database has already been corrupted.
+ rpmdb: /shared/lib/rpm/Name: unexpected file type or format.
+ error: cannot open Name index using db3 - Invalid argument (22).
-- No default f5optics package is reported when running the command: tmsh show net f5optics. No f5optics packages are present in the /shared/f5optics/images/ directory (even the /shared/f5optics/images/ directory is not created).
Due to corruption of '/shared/lib/rpm' RPM database, additional component 'f5optics' installation can fail with RPM error. Other components such as geoip or epsec might also be affected due to corrupted '/shared/lib/rpm' RPM database.
Other symptoms may be that the Link Controller linkcost library (Non-US patch) may be unable to install, showing the error message:
DB_VERSION_MISMATCH: Database environment version mismatch.
Workaround:
Remove the RPM database and manually install the f5_optics RPM package.
Steps
=====
1. Remove corrupted RPM database:
# rm -rf /shared/lib/rpm/
2. Initialize rpm database and update:
# /opt/bin/rpm --root /shared --dbpath /lib/rpm --initdb
# /opt/bin/rpm --dbpath /shared/lib/rpm -qa
3. For iSeries platform:
# /usr/bin/f5optics_install
For VIPRION platform:
# tmsh install net f5optics slot all
770657-2 : On hardware platforms with ePVA, some valid traffic is blocked when in L2 transparent mode and syn cookies are enabled
Component: TMOS
Symptoms:
Valid traffic gets blocked under L2 transparent mode if syn cookie protection is enabled.
Conditions:
-- In L2 transparent mode.
-- Syn cookie protection is enabled.
-- ePVA offloading is enabled.
-- BIG-IP platform contains the embedded Packet Velocity Acceleration (ePVA) chip.
-- Attack traffic in progress.
Impact:
Some valid traffic gets blocked.
Workaround:
None.
769817-3 : BFD fails to propagate sessions state change during blade restart
Component: TMOS
Symptoms:
BFD fails to propagate sessions state change during blade restart.
Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.
Impact:
The BFD session remains in the BFD sessions table until the BGP session is timed out by the hold timer (90 seconds, by default). Dynamic routes that are learned via the affected BGP session remain in the routing table until the hold time is reached.
Workaround:
Change the BGP hold time to a reasonably lower value.
769581-1 : Timeout when sending many large iControl REST requests
Component: TMOS
Symptoms:
After sending hundreds of REST requests, REST requests eventually begin to time out. This is the case for applications such as AS3, with requests with 700 services.
Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the BIG-IP system.
2. Deploy config with AS3:
curl -X POST \
https://<$IP_address>/mgmt/shared/appsvcs/declare \
-H 'Content-Type: application/json' \
-d //This should be the data from an AS3 body
3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
https://<$IP_address>/mgmt/shared/appsvcs/task \
-H 'Content-Type: application/json'
4. Delete configuration:
curl -X DELETE \
https://<$IP_address>/mgmt/shared/appsvcs/declare
It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:
-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'
Impact:
Saving new configuration data does not work. Any new transaction tasks fail.
Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.
769385-1 : GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message
Component: Global Traffic Manager (DNS)
Symptoms:
GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message:
err mcpd[7649]: error: crypto codec New token is smaller with added values.
Conditions:
Two or more GTM devices with internal FIPS modules are configured with DNSSEC keys with 'use-fips internal' set, and GTM config sync between the devices is configured and enabled.
Impact:
DNSSEC keys are not imported into the FIPS cards of devices that receive the key via a synchronization from another device.
Workaround:
None.
769341-1 : HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs
Component: TMOS
Symptoms:
High availability (HA) failover from active to next-active device should delete existing IKEv1 SAs because the IKEv1 racoon daemon terminates on standby. But it should not also delete the IKEv2 SAs at the same time, and it does.
Conditions:
This occurs during failover.
Impact:
This deletes the IKEv2 SAs mirrored for HA. In the event of rapid failover and failback, this issue might result in missing SAs on the active device.
Workaround:
None.
769145-2 : Syncookie threshold warning is logged when the threshold is disabled
Component: TMOS
Symptoms:
Setting connection.syncookies.threshold to zero disables the threshold, but the system still reports log messages similar to:
warning tmm3[18189]: 01010055:4: Syncookie embryonic connection counter 38 exceeded sys threshold 0
Conditions:
Setting connection.syncookies.threshold to zero.
Impact:
Warnings that do not provide valid information. If the threshold value is a non-zero value, it does indicate an issue. However, this message is benign when the end of the message reads 'exceeded sys threshold 0'.
Workaround:
None.
769029-1 : Non-admin users fail to create tmp dir under /var/system/tmp/tmsh
Component: TMOS
Symptoms:
The cron.daily/tmpwatch script deletes the /var/system/tmp/tmsh directory. After some time, the tmsh directory is created again as part of another cron job.
During the interval, if a non-admin user accesses tmsh, tmsh creates the /tmp/tmsh directory with that user's permissions, which creates issues for subsequent non-admin user logons.
Conditions:
Try to access the tmsh from non-admin users when /var/system/tmp/tmsh is deleted.
Impact:
The first non-admin user can access tmsh. Other, subsequent non-admin users receive the following error:
01420006:3: Can't create temp directory, /var/system/tmp/tmsh/SKrmSB, errno 13] Permission denied.
After some time this /var/system/tmp/tmsh permission is updated automatically.
Workaround:
So that the script does not remove tmsh directory, but deletes 1-day old tmp files under /var/system/tmp/tmsh, update the last line of /etc/cron.daily/tmpwatch as follows:
tmpwatch --nodirs 1d /var/system/tmp
767977 : Source port unexpectedly changes on message connections
Component: Service Provider
Symptoms:
When a connection closes, the connection will close before sending any remaining pending messages.
Conditions:
This occurs when a message-based connection closes while the connection still has pending messages. The connection closes (TCP FIN) while messages are waiting to be sent.
Impact:
The unsent messages are dropped.
Workaround:
.
767737-2 : Timing issues during startup may make an HA peer stay in the inoperative state
Component: TMOS
Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.
Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.
Impact:
An HA peer does not become ACTIVE when it should.
Workaround:
None.
767613-2 : Restjavad can keep partially downloaded files open indefinitely
Component: Device Management
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client does not complete the download. Since these files remain opened, the total number of available file handles for the process decreases and the disk space for the files cannot be recovered. Symptoms may include errors like 'Too many open files', low disk space even after deleting the associated files, and items listed with '(deleted)' in lsof output.
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Various errors ('Too many open files.'), low disk space, items listed with '(deleted)' when listed using lsof.
Workaround:
To free the file handles, restart restjavad:
tmsh restart sys service restjavad
Files that were deleted now have their space reclaimed.
767341-3 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
Component: TMOS
Symptoms:
Repeated TMM service crashes with SIGBUS, with a memory copy operation at the top of the stack trace.
Conditions:
TMM loads a filestore file and the size of this file is smaller than the size reported by mcp, or this ifile store is not present at all.
This condition is possible due to
- filesystem errors/corruption or
- BIG-IP user intervention.
Filesystem error might be due to power loss, full disk or other reasons.
Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.
Workaround:
Manual copy of the "good" ifile store and forceload on the previously bad unit. Usually trivial, but error prone.
Another workaround is a clean install, if possible/acceptable.
767305-2 : If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
Component: TMOS
Symptoms:
Upon querying a sysTmmStat* SNMP OID (for example, sysTmmStatTmUsageRatio5s), you find your SNMP client returns an error message similar to the following example:
No Such Instance currently exists at this OID
The very next time you query that same SNMP OID (or any other sysTmmStat* SNMP OID), you find they all work as expected and return the correct result.
Conditions:
This issue occurs after restarting only the mcpd daemon, i.e., running bigstart restart mcpd.
Impact:
All sysTmmStat* SNMP OIDs do not work until one of them is queried at least once, and the query is allowed to fail. After that, all sysTmmStat* SNMP OIDs work as expected.
Workaround:
Restart all services together, i.e., running the command: bigstart restart.
Should the mcpd daemon happen to be restarted on its own, you can simply ignore the error message and allow your SNMP polling station to fail a single polling cycle.
If you want to ensure that this issue does not occur, for example, so that your SNMP polling station does not generate unnecessary alarms, do not restart the mcpd daemon on its own, but rather restart all services together by running the following command:
bigstart restart
767217-2 : Under certain conditions when deleting an iRule, an incorrect dependency error is seen
Component: Local Traffic Manager
Symptoms:
If an iRule is being referenced by another iRule, and the reference is then removed, attempts to delete the formerly referenced iRule will result in an error similar to the following:
01070265:3: The rule (/Common/irule1) cannot be deleted because it is in use by a rule (/Common/irule2).
Conditions:
-- An iRule referencing another iRule.
-- The referencing iRule is in use.
Impact:
Unable to delete the iRule.
Workaround:
Save and re-load the configuration.
767013-3 : Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
Component: TMOS
Symptoms:
In a rare scenario, the HSB sends a large number of continuous pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.
Conditions:
This happens when there is heavy traffic load on VIPRION B2150 and B2250 blades. The root cause is still under investigation. It happens extremely rarely.
Impact:
Reboot the BIG-IP system.
Workaround:
None.
766921-1 : Localdbmgr process crashes and generates a core
Component: Access Policy Manager
Symptoms:
Rarely, the localdbmgr process crashes when starting up.
Also the ldbutil utility can crash when launched.
Conditions:
-- APM is configured on the BIG-IP device.
Impact:
Ldbutil operation fails.
Workaround:
None.
766601 : SSL statistics are updated even in forward proxy bypass
Component: Local Traffic Manager
Symptoms:
The SSL statistics are updated even in the event of forward proxy bypass.
Conditions:
SSL and forward proxy bypass are configured on a virtual server.
Impact:
This is a display only issue; there is no functional or performance impact.
Workaround:
None.
766593-1 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
Component: Local Traffic Manager
Symptoms:
RESOLV::lookup returns an empty string.
Conditions:
The input bytes array has a length of exactly 4, 16, or 20.
For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]
Impact:
RESOLV::lookup returns an empty string.
Workaround:
Use lindex 0 to get the first element of the array.
For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]
766509-1 : Strict internal checking might cause tmm crash
Component: Local Traffic Manager
Symptoms:
Overly strict internal validation can cause TMM to raise an OOPS when it does not need to.
Conditions:
Device instability.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Set 'tmm.oops' to a value other than 'panic':
tmsh modify sys db tmm.oops value silent
tmsh modify sys db tmm.oops value log
766169-2 : Replacing all VLAN interfaces resets VLAN MTU to a default value
Component: Local Traffic Manager
Symptoms:
When the last physical interface is removed from a VLAN, the VLAN's MTU is reset to the default value of 1500. However, when replacing all interfaces belonging to a VLAN with new ones (e.g., with the command 'tmsh modify net vlan [name] interfaces replace-all-with {...}'), even though it does not look like removing all interfaces, the operation is actually performed by removing all interfaces and then immediately adding the new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for the newly added interfaces. Because this is done automatically inside TMM, it is not reflected in the configuration. TMSH and the Configuration Utility continue to report the original value.
Conditions:
The issue is visible only when removing or replacing all interfaces in a VLAN that has an MTU value different from the default 1500. Added interfaces must also have MTU values larger than 1500.
Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.
Workaround:
There are two workarounds:
-- Reset desired MTU value after each operation of replacing all interfaces in a VLAN.
-- Avoid replace-all-with operation by adding new interfaces before removing unneeded ones.
765969-1 : Not able to get HSB register dump from hsb_snapshot on B4450 blade
Component: TMOS
Symptoms:
Running hsb_snapshot tool fails on B4450 blades with the following message:
Too many rows in tmm/hsb_internal_pde_info table
Conditions:
When vCMP is provisioned on VIPRION B4450 blades.
Impact:
HSB register dump is not available in hsb_snapshot or Qkview for diagnostic purposes.
Workaround:
None.
765365-1 : ASM tries to send response cookies after response headers already forwarded - makes CSRF false positive
Component: Application Security Manager
Symptoms:
ASM blocks a legal request and fires CSRF false positive violations when csrf JavaScript code is injected into a page without an html tag.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF protection configured.
-- HTML pages learning features enabled (BruteForce/WebScraping).
-- CSRF JavaScript code is injected into a page without an html tag.
Impact:
HTTP requests are blocked sometimes when they should not be.
Workaround:
To work around this issue, configure the ASM internal parameter and then restart ASM, as follows:
/usr/share/ts/bin/add_del_internal add cs_resp_ingress_count 1
bigstart restart asm
764969-3 : ILX no longer supports symlinks in workspaces as of v14.1.0
Component: Local Traffic Manager
Symptoms:
The GUI and TMSH report an error message if a symlink is present, and the workspace does not run. The error appears similar to the following:
General database error retrieving information.
General error: 01070711:3: boost::filesystem::status: Permission denied: "/var/ilx/workspaces/Common/test_links1/tmp_file" in statement [SELECT COUNT(*) FROM dev_workspace WHERE name LIKE '%'].
Conditions:
-- An ILX workspace is in the configuration.
-- The workspace contains a symlink.
-- Install the relevant rpm package with --no-bin-links (e.g., npm install <package-name> --no-bin-links).
Impact:
The ILX module is not accessible via the GUI, and the workspace with the symlink cannot be run.
Workaround:
1. Remove the symlink.
2. Copy the file into the workspace.
764901-2 : PEM policy filters rules memory gets leaked if policy is deleted before deleting the rules
Component: Policy Enforcement Manager
Symptoms:
There is a memory leak associated with deleting policies before rules.
Conditions:
If a policy is deleted before its rules are deleted.
Impact:
Memory leak.
Workaround:
Delete all rules in a policy prior to a policy delete operation.
764873-2 : An accelerated flow transmits packets to a dated, down pool member.
Component: TMOS
Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.
Conditions:
A flow changes the pool member it goes to while the flow is accelerated.
Impact:
The traffic continues to target the dated pool member that is not available.
Workaround:
Disable HW acceleration.
Or, on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flows so that they are handled correctly by software:
tmsh modify sys conn flow-accel-type software-only
763145-1 : TMM Crash when using certain HTTP iRules with HTTP Security Profile
Component: Local Traffic Manager
Symptoms:
TMM could crash with core when HTTP Security Profile (Protocol Security, PSM) is on the Virtual Server, and using an iRule with either the HTTP::redirect or HTTP::respond commands, together with HTTP::disable on the same event. This is normally an incorrectly written iRule, but TMM crashes in this case.
Conditions:
-- HTTP Security Profile is used.
-- iRules contain HTTP::disable command and either HTTP::redirect or HTTP::respond on the same event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Edit the iRules to prevent calling HTTP::disable together with HTTP::respond or HTTP::redirect.
763121-3 : Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
Component: Advanced Firewall Manager
Symptoms:
TMM crashes and produces a core file. The crash is a SIGFPE accompanied by the following panic string:
Assertion "packet must already have an ethernet header" failed.
Conditions:
This issue occurs when all of the following conditions are met:
- The system is provisioned for AFM.
- A TCP Half Open attack to the system is underway.
- A BIG-IP Administrator attempts to use the AFM Packet Tester tool, and simulates sending a TCP segment with the SYN flag set.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the AFM Packet Tester tool while a TCP Half Open attack is underway.
763093-3 : LRO packets are not taken into account for ifc_stats (VLAN stats)
Component: Local Traffic Manager
Symptoms:
The ifc_stats do not correctly reflect the number of incoming octets/packets. There is a discrepancy between octets/packets in/out in the ifc_stats table, which tracks per-VLAN stats.
Conditions:
LRO is enabled and used for incoming packets.
Impact:
ifc_stats are incorrect for incoming octets and packets.
Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
After modifying that variable, you must restart tmm for it to take effect (traffic disrupted while tmm restarts):
bigstart restart tmm
762137-2 : Ping6 with correctly populated NDP entry fails
Component: Local Traffic Manager
Symptoms:
TMM NDP entries show correct info with neighbor discovery protocol (NDP) resolved, but ping6 fails.
Conditions:
This occurs only on a cluster setup. Other conditions that cause the issue are unknown.
Impact:
Ping6 fails for that address.
Workaround:
None.
762097-1 : No swap memory available after upgrading to v14.1.0 and above★
Component: TMOS
Symptoms:
After an upgrade to v14.1.0 or higher, swap memory may not be mounted. TMM or other host processes may restart due to lack of memory.
Conditions:
-- System is upgraded to v14.1.0 or above.
-- System has RAID storage.
Impact:
May lead to a low-memory or out-of-memory condition. The Linux oom killer may terminate processes, possibly affecting service.
Typically, management activities may be impacted, e.g., a sluggish GUI (config utility) or sluggish tmsh sessions.
Workaround:
Mount the swap volume with correct ID representing the swap device.
Perform the following steps on the system after booting into the affected software version:
1. Get the correct ID (RAID device number (/dev/md<number>)):
blkid | grep swap
Note: If there is no RAID device number, perform the procedure detailed in the following section.
2. Check the device or UUID representing swap in /etc/fstab.
3. If swap is not represented with the correct ID, modify the /etc/fstab swap entry to point to the correct device.
4. Enable the swap:
swapon -a
5. Check swap volume size:
swapon -s
If the blkid command shows there is no UUID associated with the swap RAID device, use the following procedure:
1. Generate a random UUID:
uuidgen
2. Make sure swap is turned off:
swapoff -a
3. Recreate the swap partition with UUID generated in step 1:
mkswap -U <uuid_from_step_1> <raid_device_from_step_1>
4. Run blkid again to make sure that you now have a UUID associated with the raid device:
blkid | grep swap
5. Edit fstab and find the line:
<old_value> swap swap defaults 0 0
6. Replace the old value, whether it was an incorrect UUID or a device name, with the UUID generated in step 1. For example:
UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0
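The comparison in steps 1 through 3 of the first procedure can be scripted as a read-only check. The following is an added example, not F5 code: the function name swap_fstab_status is hypothetical, the sample blkid and fstab text is constructed, and it assumes blkid prints lines of the form '<device>: UUID="..." TYPE="swap"'.

```shell
#!/bin/sh
# Added example (not part of the release notes): compare the swap device
# reported by blkid with the swap entry in fstab, without changing anything.
#
# Usage: swap_fstab_status "<blkid output>" "<fstab contents>"
# Prints one of:
#   ok                                  fstab already names the swap UUID or device
#   mismatch <fstab value> UUID=<uuid>  fstab points somewhere else (step 3 applies)
#   missing-entry UUID=<uuid>           fstab has no swap line at all
#   no-uuid <device>                    swap device has no UUID (second procedure applies)
#   no-swap-device                      blkid reports no swap signature
swap_fstab_status() {
    sfs_blkid=$1
    sfs_fstab=$2

    # Step 1: first blkid line that carries a swap signature.
    sfs_line=$(printf '%s\n' "$sfs_blkid" | awk '/TYPE="swap"/ { print; exit }')
    sfs_device=${sfs_line%%:*}
    # UUID must be preceded by whitespace so that PARTUUID= is not matched.
    sfs_uuid=$(printf '%s\n' "$sfs_line" |
        sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p')

    # Step 2: first non-comment fstab line whose filesystem type is swap.
    sfs_spec=$(printf '%s\n' "$sfs_fstab" |
        awk '$1 !~ /^#/ && $3 == "swap" { print $1; exit }')

    if [ -z "$sfs_line" ]; then
        echo "no-swap-device"
    elif [ -z "$sfs_uuid" ]; then
        echo "no-uuid $sfs_device"
    elif [ -z "$sfs_spec" ]; then
        echo "missing-entry UUID=$sfs_uuid"
    elif [ "$sfs_spec" = "UUID=$sfs_uuid" ] || [ "$sfs_spec" = "$sfs_device" ]; then
        echo "ok"
    else
        # Step 3: the fstab value is stale; report what it should become.
        echo "mismatch $sfs_spec UUID=$sfs_uuid"
    fi
}

# Constructed sample: after the upgrade the RAID swap device is /dev/md12,
# but fstab still references /dev/md5.
SAMPLE_BLKID='/dev/md3: UUID="aaaaaaaa-0000-0000-0000-000000000001" TYPE="ext3"
/dev/md12: UUID="11111111-2222-3333-4444-555555555555" TYPE="swap"'
SAMPLE_FSTAB='# constructed fstab
/dev/md3 / ext3 defaults 1 1
/dev/md5 swap swap defaults 0 0'

swap_fstab_status "$SAMPLE_BLKID" "$SAMPLE_FSTAB"

# On a live system (read-only):
#   swap_fstab_status "$(blkid)" "$(cat /etc/fstab)"
```

A result of "ok" with no active swap in 'swapon -s' means only step 4 (swapon -a) remains.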
762073-2 : Continuous TMM restarts when HSB drops off the PCI bus
Component: TMOS
Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.
Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.
Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.
Workaround:
Manually reboot the BIG-IP system.
761753-2 : BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs
Component: TMOS
Symptoms:
When UDP checksum is 0 (zero), a BIG-IP device with an x520 NIC causes the packets to be marked as 'checksum failed'.
Conditions:
-- Using BIG-IP Virtual Edition (VE).
-- VE is using x520 VF.
Impact:
UDP Packets with 0 checksum are dropped.
Workaround:
None.
761621-2 : Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"
Component: TMOS
Symptoms:
When Ephemeral FQDN pool members exist in a non-Common partition, they are shown to be in the /Common partition on the Local Traffic : Pools : Members page. In the statistics view of the same object, they are shown appropriately with their non-Common partition.
Conditions:
-- Ephemeral FQDN pool members exist in a non-Common partition.
-- View the FQDN pool members on Local Traffic : Pools : Members page.
Impact:
No impact to configuration, however, the display is confusing and shows contradictory partition information.
Workaround:
None.
761565-1 : ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end
Component: Application Security Manager
Symptoms:
ASM BD crashes when the configured custom CAPTCHA page size is 45K.
Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- CAPTCHA page size is bigger than 45 KB.
- CAPTCHA protection is enabled via brute force or ASM::captcha iRule.
Impact:
An ASM BD crash occurs when a request is protected by CAPTCHA mitigation. If configured for high availability (HA), failover occurs.
Workaround:
Define CAPTCHA page sizes smaller than 45 KB.
761517-1 : nat64 and ltm pool conflict
Component: Carrier-Grade NAT
Symptoms:
When a pool is assigned to a virtual server with nat64, the destination address is changed to that of the pool, regardless of whether address translation is enabled.
Conditions:
Virtual server with nat64 and a pool configured.
Impact:
nat64 does not happen, even if the translate-address option is set to disable.
Workaround:
None.
761389-1 : Disabled Virtual Server Dropping the Virtual Wire traffic
Component: Local Traffic Manager
Symptoms:
When a virtual server is disabled, it drops the traffic on the virtual wire.
Conditions:
Virtual wire is configured and corresponding virtual server is disabled.
Impact:
Virtual wire traffic which is matching the disabled virtual wire is dropped.
761321-2 : 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not
Component: TMOS
Symptoms:
'Connection Rate Limit' setting is hidden when it is appropriate to do so. However, the 'Connection Rate Limit Mode' setting is still visible, even when 'Connection Rate Limit' is hidden.
Conditions:
1. Create a Virtual Server with type Standard.
2. Click Configuration 'Advanced'.
3. Enter values for 'Connection Rate Limit' and 'Connection Rate Limit Mode'.
4. Save the configuration.
5. Change the virtual server type to Forwarding (Layer 2).
Impact:
'Connection Rate Limit' is hidden -- which it should be, but 'Connection Rate Limit Mode' is not -- which it should be as well. Although 'Connection Rate Limit Mode' is available, the system ignores any setting specified.
Workaround:
Do not configure 'Connection Rate Limit Mode', as it has no effect.
761303-2 : Upgrade of standby BIG-IP system results in empty Local Database
Component: Access Policy Manager
Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.
Conditions:
This happens on standby device in a high availability (HA) setup.
Impact:
All previously existing local users disappear from the standby device. If a failover happens, none of the local users are able to log in.
Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, do the following:
1. Reboot.
2. Switch to a new installation volume.
3. Force stop the localdbmgr process:
bigstart stop localdbmgr
4. Wait at least 15 minutes.
5. Restart the localdbmgr:
bigstart restart localdbmgr
761273-2 : wr_urldbd creates sparse log files by writing from the previous position after logrotate.
Component: Traffic Classification Engine
Symptoms:
After log rotation, the wr_urldbd daemon continues to write at the pre-rotate offset into the file, so the next message is written at offset N, making the file sparse, with all characters prior to that position being read as nulls.
Conditions:
System rotates log files.
Impact:
Some automated systems might not be able to read log file.
Workaround:
None.
761084-3 : Custom monitor fields appear editable for Auditor, Operator, or Guest
Component: TMOS
Symptoms:
Mozilla Firefox browser shows custom monitor fields editable for Auditor, Operator, or Guest role users.
Conditions:
You can experience this issue by following these steps:
1. Create custom monitor (e.g., http, mysql, tcp).
2. Use the Firefox browser to log on to the BIG-IP system Configuration utility with a user role that is Auditor, Operator, or Guest.
3. Access the custom monitor. Note that Send String, Receive String, and Receive Disable String are all grayed out.
4. Click the browser Back button.
5. Click the browser Forward button.
Impact:
Send String, Receive String, and Receive Disable String are now editable fields. Although the Auditor, Operator, or Guest user can edit the fields, the Update button is still grayed out, so any entry is not saved.
Workaround:
None.
761027 : Web Browser Hang on Reading Compressed Data from BIG-IP
Component: WebAccelerator
Symptoms:
Reading an object from the BIG-IP system.
Conditions:
The virtual server has both a web acceleration profile with an active application and the HTTP compression filter on it.
When reading a compressible object from the web acceleration small object cache, the HTTP compression filter may compress the data, but not rewrite the Content-Length header.
Impact:
The client will wait for the BIG-IP to deliver the amount of data specified by the Content-Length header, but since the object was compressed, there isn't that much data to deliver.
Workaround:
You can use either of the following workarounds:
-- Remove the HTTP compression filter from the virtual server.
-- Mark objects smaller than 4,000 bytes as no-store.
760950-4 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
Component: TMOS
Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.
Note: A previous bug had this same symptom, but was due to a different root cause.
Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.
Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.
Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.
760835-1 : Static generation of rolling DNSSEC keys may be missing when the key generator is changed
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system may lose DNSSEC keys if the key generator is changed from rolling keys to static keys.
Conditions:
DNSSEC key generation is changed from rolling to static.
Impact:
DNSSEC keys may be lost.
Workaround:
None.
760833-1 : BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner.
Conditions:
Generating a DNSSEC key.
Note: This is an intermittent issue.
Impact:
DNSSEC keys may not be synced.
Workaround:
None.
760752-2 : Internal sync-change conflict after update to local users table
Component: Device Management
Symptoms:
-- The 'top' command shows Java and mcpd becoming CPU intensive.
-- /var/log/audit shows many 'modify { user_role_partition { user_role_partition_user ...'
-- /var/log/restjavad-audit.0.log shows many REST API calls to 'http://localhost:8100/mgmt/shared/gossip' from the peer.
Conditions:
-- Create a new admin user with bash access on a device.
Impact:
High CPU usage (Java and mcpd) on control and analysis plane.
Workaround:
To work around this issue, follow these steps:
1. Sync from the device where the user was created.
2. Run the following command on all devices:
tmsh restart sys service restjavad
Although Java and mcpd will still show high CPU usage even after restart, waiting a few minutes enables the processes to return to normal.
760740-1 : Mysql error is displayed when saving UCS configuration on BIG-IP system with only LTM provisioned
Component: Protocol Inspection
Symptoms:
When saving the configuration to a UCS file, the process tries to save the IPS learning information stored in the MySql database. Because BIG-IP systems with only LTM provisioning (i.e., without AFM licensed) do not have the MySql server running, saving the configuration to a UCS file succeeds, but the system reports a spurious message during the operation:
Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock.
Conditions:
-- Saving the configuration to a UCS file.
-- BIG-IP system is provisioned with LTM only.
Impact:
The error message is cosmetic and has no impact on the UCS save process.
Workaround:
None.
760615-2 : Virtual Server discovery may not work after a GTM device is removed from the sync group
Component: Global Traffic Manager (DNS)
Symptoms:
LTM configuration does not auto-discover GTM-configured virtual servers.
Conditions:
-- GTM is deprovisioned on one or more GTM sync group members, or the sync group is reconfigured on one or more members.
-- Those devices remain present in the GTM configuration as 'gtm server' objects.
-- iQuery is connected to those members.
Impact:
Virtual servers are not discovered or added automatically.
Workaround:
You can use either of the following workarounds:
-- Manually add the desired GTM server virtual servers.
-- Delete the 'gtm server' objects that represent the devices that are no longer part of the GTM sync group. These can then be recreated if the devices are operating as LTM-configured devices.
760570 : The BIG-IP installer fails to automatically detect installation media.★
Component: TMOS
Symptoms:
The image2disk command does not automatically detect the repository. As a result, installation with the image2disk command may not work. Here is an example of the affected image2disk command syntax:
switch_root:/# image2disk --format=volumes --nosaveconfig --nosavelicense
Conditions:
-- 14.1.0 clean install using DVD-ROM or USB thumb drive.
-- Using a command that does not specify a repository.
Impact:
Installer cannot start unless you explicitly specify the repository.
Workaround:
You can use either of the following workarounds:
-- Manually specify the repository when running the image2disk command. For example, the following commands successfully start installation with DVD-ROM (/cdserver) or USB thumb drive (/mnt/thumb/<ISO>):
switch_root:/# image2disk --format=volumes --nosaveconfig --nosavelicense /cdserver
switch_root:/# image2disk --format=volumes --nosaveconfig --nosavelicense /mnt/thumb/<ISO>
-- At the command line, type 'start', and the interactive software installation starts.
760518-4 : PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement
Component: Policy Enforcement Manager
Symptoms:
Some PEM action enforcement does not work with flow filter with PEM attribute set.
Conditions:
Flow filter has the Differentiated Services Code Point (DSCP) attribute set
Impact:
Some PEM actions such as http-redirect do not perform as expected.
Workaround:
Set the DSCP to the default value
760468 : Route domains cause diskmonitor errors in logs
Component: TMOS
Symptoms:
Configuring a non-default route-domain results in frequent diskmonitor error in the LTM log file:
warning diskmonitor[14972]: 011d0002:4: Skipping net:[4026532306]. Stat returned message: /usr/bin/stat: cannot read file system information for net:[4026532306]: No such file or directory.
Conditions:
-- BIG-IP system running v14.1.x.
-- Non-default route-domain configured.
Impact:
There is no functional impact. The message logged does not indicate functional issues. However, the message might be logged frequently, which can cause unwarranted concern.
Workaround:
This issue can be worked around with two methods.
The first is by creating a syslog-ng filter.
1. Log in to the TMOS shell (tmsh) by typing the following command:
-----
tmsh
-----
2. To edit syslog, type the following command:
-----
edit /sys syslog
-----
3. When syslog configuration opens in the vi text editor, copy and paste the entire entries below:
============ CUT BELOW ==============
modify syslog {
include "
# Workaround for ID760468 to remove diskmonitor messages
filter f_no_audit {
not message(\"AUDIT|diskmonitor.*Skipping net:\");
};"
}
============ CUT ABOVE ==============
4. Exit the text editor by typing the following key sequence:
-----
:wq!
-----
5a. At the following prompt, type y to save the changes to the file:
Save changes? (y/n/e)
The tmsh utility prompt returns.
5b. If the syslog filter contains syntax errors, the tmsh utility returns the following prompt:
There were errors. Continue editing (y) or discard changes (n) (y/n)
Correct the errors until there are no more errors flagged.
6. Save the configuration by typing the following command:
-----
save /sys config
-----
The second is by modifying the diskmonitor script as follows.
Note: This change does not replicate between blades, does not ConfigSync, is not preserved as part of a UCS archive, and is not preserved across software installs on a system.
1. Mount /usr as rw (read-write).
2. Open /usr/bin/diskmonitor in an editor, locate the line that references '/shared/em', and add this immediately above it:
|| substr($mountline[1], 0, 4) eq 'net:'
3. Mount /usr as ro (read-only).
Here is a one-line command string you can use:
mount /usr -o remount,rw && if [ ! -f /usr/bin/diskmonitor.id760468 ]; then /bin/cp /usr/bin/diskmonitor{,.id760468}; fi && sed -ie "/^.*shared\/em.*\$/i\ || substr(\$mountline[1], 0, 4) eq 'net:'" /usr/bin/diskmonitor && (perl -c /usr/bin/diskmonitor || echo "WARNING: DISKMONITOR SCRIPT IS NO LONGER VALID PERL") && mount /usr -o remount,ro
760406-3 : HA connection might stall on Active device when the SSL session cache becomes out-of-sync
Component: Local Traffic Manager
Symptoms:
You see 'SSL handshake timeout' error messages in LTM log, and high availability (HA) system performance becomes degraded.
Conditions:
This might occur in either of the following scenarios:
Scenario 1
-- Manual sync operations are performed while traffic is being passed.
-- SSL Connection mirroring is enabled.
Scenario 2
-- Saving configuration on an HA Standby node while traffic is being passed.
-- SSL Connection mirroring is enabled.
Impact:
-- In Scenario 1, the sync operation causes the session cache to be out-of-sync between active and standby nodes.
-- In Scenario 2, the save operation clears the session cache on the standby node. As a result, the session cache might be out-of-sync between active and standby nodes.
In either Scenario:
-- SSL Connection mirroring fails and posts the timeout message.
-- The HA system performance becomes degraded due to SSL connection timeout.
Workaround:
-- Disable SSL session caching by setting 'Cache Size' in the client SSL profile option to 0.
-- Set device management sync type to Automatic with incremental sync.
760130-3 : [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
Component: Access Policy Manager
Symptoms:
-- Increased overall TMM memory usage, which eventually forces TMM to start closing connections to reduce memory usage.
-- connflow memory usage keeps increasing. Memory usage can be observed with this command:
# tmctl -f /var/tmstat/blade/tmm0 memory_usage_stat -w200
Conditions:
1. Using PingAccess.
2. Errors are being logged in /var/log/paa.
Impact:
-- Memory leak.
-- Eventually TMM starts closing connections randomly.
Workaround:
None.
760117-1 : Duplicate error messages in log when updating a zone through ZoneRunner GUI
Component: Global Traffic Manager (DNS)
Symptoms:
Duplicate error messages in log when updating a zone through ZoneRunner GUI.
Conditions:
This occurs upon every update to a zone in the GUI.
Impact:
The BIG-IP system logs the multiple occurrences of the following error in the /var/log/daemon.log file:
err named[17053]: 18-Feb-2019 15:22:51.011 general: error: zone siterequest.com/IN/external: zone serial (2019021807) unchanged. zone may fail to transfer to slaves.
Workaround:
None.
760050-2 : cwnd warning message in log
Component: Local Traffic Manager
Symptoms:
The following benign message appears in the log: cwnd too low.
Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.
Impact:
None. TCP resets the congestion window to 1 MSS.
Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.
759852-1 : SNMP configuration for trap destinations can cause a warning in the log
Component: TMOS
Symptoms:
The snmpd configuration parameters can cause net-snmp to issue a warning about deprecated syntax.
Conditions:
The use of a sys snmp command similar to the following to modify the snmpd.conf file:
sys snmp v2-traps { TRAP1 { host 1.2.3.4 community somestring } }
Impact:
net-snmp issues a warning that the syntax has been deprecated and reports a warning message in the log.
Workaround:
None.
759840-1 : False positive 'Null in request' violation or bare byte subviolations
Component: Application Security Manager
Symptoms:
'Null in request' violation or bare byte subviolations detected when there is no null in request.
Conditions:
Brute force attack mitigated by captcha or challenge.
Impact:
Traffic blocking or false positive alarm
Workaround:
None.
759737-2 : Control and Analysis Plane CPU usage statistics may be inaccurate
Component: TMOS
Symptoms:
CPU usage statistics reported for Control and Analysis planes are not always allocated appropriately between the two planes.
Conditions:
Non-Data plane processes consuming CPU cycles generate usage statistics that are then classified as Control or Analysis plane CPU usage.
Impact:
CPU usage statistics for Control and Analysis planes may not provide actionable data due to their inaccuracy.
Workaround:
None.
759671-1 : Unescaped slash in RE2 in user-defined signature should not be allowed
Component: Application Security Manager
Symptoms:
An unescaped slash in RE2 keyword in a user-defined signature caused a REST PATCH to the signature to have no effect.
Conditions:
A user-defined signature has an unescaped slash in RE2 keyword.
Impact:
REST PATCH to update the user-defined signature has no effect.
Workaround:
The slash in the signature keyword must be escaped by backslash.
759606-2 : REST error message is logged every five minutes on vCMP Guest
Component: TMOS
Symptoms:
Guestagentd periodically logs the following REST error message for each secondary slot in /var/log/ltm:
Rest request failed{"code":502."message":"This is a non-primary slot on the Viprion. Please access this device through the cluster address.","restOperationId":6410038,"kind":":resterrorresponse"}
Conditions:
Upgrade a vCMP guest from pre-13.1.x to a 13.1.x or later version.
Impact:
There is stale stat information for vCMP guests running on secondary slots.
Workaround:
Create a Log Filter with no publisher on the vCMP guest to discard the specific error message:
sys log-config filter Filter_RestError {
level info
message-id 01810007
source guestagentd
}
759564-4 : GUI not available after upgrade
Component: TMOS
Symptoms:
After installing over the top of a previous version, the Management GUI is inaccessible while SSH access works. You may see one or more of the following conditions:
-- Shell prompt may show logger[1234]: Re-starting named
-- bigstart restart httpd fails
-- bigstart start httpd fails
Conditions:
Installation over a previously used Boot Volume
Impact:
Corrupt install
Workaround:
Boot back to previous boot volume and then delete the boot volume containing the failed install.
759449-1 : Unable to modify the application language with 'Copy ASM Policy'
Component: Application Security Manager
Symptoms:
When using the 'Copy policy' feature, if you select another application language, the system copies the actual policy without taking into account the modification made in the GUI, and the language remains UTF-8 if it originally was UTF-8.
Conditions:
1. Go to Security :: Application Security : Security Policies : Policies List.
2. Select an ASM Policy.
3. Click 'Copy policy'.
4. Modify application language to anything else.
5. Click Save.
Impact:
Newly copied policy carries the application language setting that was active before the change, so the copy does not use the newly selected language.
Workaround:
None.
759392-2 : HTTP_REQUEST iRule event triggered for internal APM request
Component: Access Policy Manager
Symptoms:
Requests for the internal APM renderer for logo customization trigger the HTTP_REQUEST iRule event.
Conditions:
Customized logo in Access Profile
Impact:
HTTP_REQUEST event will be raised for requests for the customized logo in the Access Profile.
Workaround:
If a certain action must not be taken for the customized logo, check inside the HTTP_REQUEST event that the URL does not equal the URL for the logo (it should start with '/public/images/customization/' and contain the image name).
759370-2 : FIX protocol messages parsed incorrectly when fragmented between the body and the trailer.
Component: Service Provider
Symptoms:
FIX message has successfully parsed header part (iRule event FIX_HEADER triggered), but is eventually discarded as incomplete (no iRule event FIX_MESSAGE).
Conditions:
FIX message fragmented between body part and the trailer (tag 10).
Impact:
FIX protocol messages are not forwarded.
Workaround:
Ensure that the FIX protocol packet size does not exceed the MTU value.
759356-2 : Access session data cache might leak if there are multiple TMMs
Component: Access Policy Manager
Symptoms:
Due to asynchronicity in the TMM subsystem, it is possible that the session data cache might be created after the session is terminated. As a result, that session data cache never gets released.
Conditions:
-- Transparent SWG.
-- The BIG-IP system has more than one TMM.
Impact:
TMM memory might be exhausted eventually.
Workaround:
None.
759258-2 : Instances shows incorrect pools if the same members are used in other pools
Component: TMOS
Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.
Conditions:
Steps to Reproduce:
1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.
Impact:
The test pool is displayed, as well as any other pools that use the same member or members (but with other monitors assigned).
Workaround:
None.
759056-2 : stpd memory leak on secondary blades in a multi-blade system
Component: Local Traffic Manager
Symptoms:
On secondary blades in a multi-blade system, stpd shows continued increased memory usage.
Conditions:
A non passthru STP mode (STP, RSTP or MSTP) is enabled on the system.
Impact:
System performance is degraded due to needless memory usage by stpd.
Workaround:
None.
758929-2 : Bcm56xxd MIIM bus access failure after TMM crash
Component: TMOS
Symptoms:
Bcm56xxd daemon running on certain BIG-IP devices might experience MIIM bus access failure after a tmm crash. The system posts a message similar to the following in the ltm log:
info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)
Conditions:
-- Heavily stressed system
-- Using one of the following platforms:
+ VIPRION B2250 Blade (A112)
+ VIPRION B2150 Blade (A113)
+ VIPRION B4300 Blade (A108)
+ BIG-IP 5250v
+ BIG-IP i5820
+ BIG-IP i7800
Impact:
The affected BIG-IP system fails to pass traffic. If configured for high availability (HA), failover occurs.
Workaround:
Reboot the affected BIG-IP platform / VIPRION blade.
758704 : Excessive 'GuestInfoAddNicEntry: NIC limit (16) reached' logging
Component: Local Traffic Manager
Symptoms:
BIG-IP logs 'GuestInfoAddNicEntry: NIC limit (16) reached' messages every 30 seconds.
Conditions:
Configuring more than 16 VLANs on VMware where the VLAN limit is 16.
Impact:
BIG-IP logs 'GuestInfoAddNicEntry: NIC limit (16) reached' every 30 seconds, and it logs one entry for every limit above the maximum (for example, if you configure 20 VLANs, the message will be logged 4 times).
758615-1 : Reconstructed POST request is dropped after DID cookies are deleted
Component: Application Security Manager
Symptoms:
POST Request is dropped during DID challenge.
Conditions:
POST request is issued a DID challenge.
Impact:
Request is dropped.
Workaround:
None.
758604-2 : Deleting a port from a single-port trunk does not work.
Component: TMOS
Symptoms:
Deleting a port from a single-port trunk does not work.
Conditions:
1. Disable all ports for a trunk, for example by disabling them on a directly connected switch. The last port is not deleted correctly.
2. Re-enable some other ports. The trunk now also uses the disabled port.
Impact:
No user connectivity depending on which port is used.
Workaround:
None.
758599-1 : IPv6 Management route is preferred over IPv6 tmm route
Component: Local Traffic Manager
Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.
Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.
Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.
Workaround:
None.
758596-2 : Unable to associate cipher group with long name profile
Component: Local Traffic Manager
Symptoms:
TMM reports the following error when cipher group is associated with client SSL or server SSL profiles:
cipher group: invalid profile name
Conditions:
Client SSL or server SSL has a name longer than 31 characters.
Impact:
Unable to configure cipher groups with certain profiles.
Workaround:
Shorten the profile name to be fewer than 31 characters.
758542-3 : OAuth database instance appears empty after upgrade from v13.x★
Component: Access Policy Manager
Symptoms:
The database from a prior configuration does not seem to have any tokens. The tokens are being stored in a new database with a different name.
Conditions:
-- Upgrade from v13.x.
-- The name of one OAuth database instance is duplicated entirely in another instance name (for example, 'oauthdb' and 'oauthdbprod').
Impact:
Old database seems to have lost tokens. In the case of these two database instances:
oauthdb
oauthdbprod
Because the name 'oauthdb' is also present in the name 'oauthdbprod', the system creates a new database instance of 'oauthdb' at upgrade, so oauthdb will have an empty database.
Workaround:
Before upgrading, do the following:
1) Copy database oauth to another database with a completely different name.
2) Copy tokens in new database to the old, empty database.
758517-1 : Callback for Diffie Hellman crypto is missing defensive coding
Component: TMOS
Symptoms:
Destruction of objects during Diffie Hellman crypto callback does not first check for object validity.
Conditions:
Async callback for Diffie Hellman crypto call when objects no longer look valid.
Impact:
IPsec tunnels down during tmm core in rare cases.
Workaround:
No workaround is known at this time.
758516-1 : IKEv2 auth encryption is missing defensive coding that checks object validity
Component: TMOS
Symptoms:
Auth signature crypto callback does not check objects for validity before encryption.
Conditions:
Encryption during auth signature callback processing for IKE_AUTH.
Impact:
IPsec tunnels go down when tmm cores in rare situations.
Workaround:
No workaround is known at this time.
758491-1 : When using Thales NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), the BIG-IP will not be able to use the keys
Component: Local Traffic Manager
Symptoms:
The LTM log shows SSL handshake failures with lines similar to the following (this example is for Diffie-Hellman Key Exchange):
warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:57106 -> 192.0.2.200:5607
warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.
After enabling pkcs11d debug, the pkcs11d.debug log will show:
2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===
Conditions:
Fipskey.nethsm wrapper was used to create keys in any of the following scenarios:
1. Keys were created on earlier versions of BIG-IP software, and the device was upgraded to 14.1.0 or later.
2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm
Impact:
SSL handshake failures
Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.
IMPORTANT: This workaround is suitable for deployments that are new and not in production.
-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm
Where key_label is the rightmost string in the output of the Thales command: nfkminfo -l.
758437-6 : SYN w/ data disrupts stat collection in Fast L4
Component: Local Traffic Manager
Symptoms:
Fast L4 analytics reports very large integers for goodput.
Conditions:
BIG-IP receives SYNs with attached data.
Impact:
Goodput data is unreliable.
Workaround:
None.
758436-4 : Optimistic ACKs degrade Fast L4 statistics
Component: Local Traffic Manager
Symptoms:
Fast L4 Analytics reports very large integers for goodput.
Conditions:
Endpoints send ACKs for data that has not been sent.
Impact:
Goodput statistics are not usable in certain data sets.
Workaround:
None.
758348-1 : Cannot access GUI via hostname when it contains _ (underscore character)
Component: TMOS
Symptoms:
BIG-IP allows configuring a hostname with an embedded '_' (underscore). However, the BIG-IP GUI is not accessible when the hostname includes '_', and requests result in a 400 Bad Request.
Conditions:
BIG-IP hostname includes '_'
Impact:
BIG-IP GUI cannot be accessed.
Workaround:
No workaround is known if having '_' in the hostname is a requirement.
758105-3 : Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml
Component: TMOS
Symptoms:
The following messages are logged to /var/log/messages:
-- notice syslog-ng[15662]: Configuration reload request received, reloading configuration;
-- warning pendsect[31898]: skipping drive -- Model: WDC WD1005FBYZ-01YCBB2
-- warning pendsect[31898]: No known drives detected for pending sector check. Exiting
Conditions:
Using hardware containing drive model WDC WD1005FBYZ-01YCBB2.
Impact:
The system logs the messages because the drive model is not listed in /etc/pendsect/drives.xml.
Workaround:
Manually edit /etc/pendsect/drives.xml as follows:
1. Give write permissions to modify file:
chmod u+w /etc/pendsect/drives.xml
2. Open the file and add the following at the end of the file, before default:
<snip>
<WD1005FBYZ>
<offset firmware="RR07">0</offset>
<offset firmware="default">0</offset>
<family> "wd_Gold"</family>
<wd_name>"Gold"</wd_name>
</WD1005FBYZ>
<DEFAULT>
<firmware version="default">
<offset>0</offset>
</firmware>
<name> "UNKNOWN"</name>
<family> "UNKNOWN"</family>
<wd_name>"UNKNOWN"</wd_name>
</DEFAULT>
</model>
</drives>
3. Save and close the file.
4. Remove write permissions so that no one accidentally modifies this file:
chmod u-w /etc/pendsect/drives.xml
5. Run the following command and check /var/log/messages to verify no errors are seen:
/etc/cron.daily/pendsect
758041-3 : Pool Members may not be updated accurately when multiple identical DB monitors configured
Component: Local Traffic Manager
Symptoms:
When two or more DB monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical "send" and "recv" strings are configured and applied to different pools (with at least one pool member in each), the monitor status of some pool members may not be updated accurately.
Other parameters of the affected monitors that differ (such as "recv row" or "recv column" indicating where the specified "recv" string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while pool members using another affected monitor may be marked DOWN.
As a result of this issue, pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected pool members being intermittently marked with an incorrect state.
After the next monitor ping interval, affected pool members may be marked with the correct state.
Conditions:
This may occur when multiple DB monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members.
For example:
ltm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
recv none
send "select version();"
...
}
Impact:
Monitored pool members using a DB monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.
Workaround:
To avoid this issue, configure each DB monitor with some unique value within the 'send' and 'recv' parameters.
For example:
ltm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
recv 5.7
send "select version();"
...
}
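To find monitors that meet the Conditions above before they cause flapping, the configuration can be scanned for DB monitors that share the same 'send' and 'recv' values. The following is an added example, not F5 code: the function names and the sample configuration are constructed, and it assumes monitor stanzas in the tmsh text form shown above, with one attribute per line and omitted attributes treated as 'none'.

```python
import re
import shlex
from collections import defaultdict

DB_TYPES = {"mssql", "mysql", "postgresql", "oracle"}
HEADER = re.compile(r"^ltm monitor (\S+) (\S+) \{$")


def parse_db_monitors(config_text):
    """Return {monitor name: {attribute: value}} for DB monitor stanzas only."""
    monitors = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = None
            if header.group(1) in DB_TYPES:
                # "_type" is a bookkeeping key added by this example.
                current = monitors.setdefault(header.group(2),
                                              {"_type": header.group(1)})
            continue
        if line == "}":
            current = None
            continue
        if current is None or not line:
            continue
        try:
            parts = shlex.split(line)   # strips the quotes around send strings
        except ValueError:
            continue                    # unbalanced quote: not a simple attribute
        if len(parts) >= 2:
            current[parts[0]] = " ".join(parts[1:])
    return monitors


def find_colliding_monitors(config_text):
    """List groups of DB monitors whose send and recv values are identical."""
    monitors = parse_db_monitors(config_text)
    groups = defaultdict(list)
    for name, attrs in monitors.items():
        key = (attrs.get("send", "none"), attrs.get("recv", "none"))
        groups[key].append(name)
    findings = []
    for (send, recv), names in sorted(groups.items()):
        if len(names) < 2:
            continue
        # Attributes that differ inside the group are where a wrong status
        # would show up (for example recv-row or recv-column).
        keys = set().union(*(monitors[n] for n in names)) - {"send", "recv"}
        differs = sorted(k for k in keys
                         if len({monitors[n].get(k) for n in names}) > 1)
        findings.append({"send": send, "recv": recv,
                         "monitors": sorted(names), "differs_in": differs})
    return findings


# Constructed sample configuration.
SAMPLE_CONFIG = """\
ltm monitor http http_check {
    recv none
    send "GET / HTTP/1.0"
}
ltm monitor mysql mysql_monitor1 {
    recv none
    recv-column 1
    recv-row 1
    send "select version();"
}
ltm monitor mysql mysql_monitor2 {
    recv none
    recv-column 2
    send "select version();"
}
ltm monitor postgresql pg_monitor {
    recv 12
    send "select version();"
}
"""

# The same configuration after applying the workaround to mysql_monitor2.
WORKAROUND_CONFIG = SAMPLE_CONFIG.replace(
    "mysql_monitor2 {\n    recv none", "mysql_monitor2 {\n    recv 5.7")

if __name__ == "__main__":
    for finding in find_colliding_monitors(SAMPLE_CONFIG):
        print(finding)
    print("after workaround:", find_colliding_monitors(WORKAROUND_CONFIG))
```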
757862-1 : IKEv2 debug logging an uninitialized variable leading to core
Component: TMOS
Symptoms:
Logging an internal error might result in core.
Conditions:
When ike_sa variable is uninitialized.
Impact:
Loss of tunnels due to core.
Workaround:
None.
757848-1 : F5 Adaptive Authentication feature has been removed
Component: Access Policy Manager
Symptoms:
F5 Adaptive Authentication feature has been removed from the product beginning with the v15.0.0 release. This version removed:
-- Adaptive auth configuration from admin UI (Authentication : F5 Adaptive Authentication (MFA)).
-- Corresponding online help.
-- Adaptive Auth agents from the list of agents in VPE (F5 MFA Device Registration, F5 MFA User Verification under Authentication tab).
-- The reports from admin UI Access :: Overview :: F5 Adaptive Auth (MFA).
Conditions:
Attempting to use the F5 Adaptive Authentication feature from BIG-IP Admin UI.
Impact:
No F5 Adaptive Authentication-related features exist in this release.
Workaround:
None.
757822-1 : Subroutine name should use partition name and policy name
Component: Access Policy Manager
Symptoms:
When you create an API per-request policy using the same name as a policy from another partition, BIG-IP generates an error similar to the following:
java.net.ProtocolException: status:400, body:{"code":400,"message":"transaction failed:01070734:3: Configuration error: DB validation exception, unique constraint violation on table (subroutine_properties) object ID (/TST/svc1-my_auth svc1-my_prp). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:subroutine_properties status:13)","errorStack":[],"apiError":2}.
Conditions:
-- Configure an API protection per-request policy in one partition with the same name as a policy in another partition.
-- Attempt to import or export the policy.
Impact:
Import / export functionality fails.
Workaround:
Ensure that names for API protection per-request policies are unique.
757787-2 : Unable to edit LTM Policies that belong to an Application Service (iApp) using the WebUI.
Component: TMOS
Symptoms:
When creating a new rule or modifying an existing rule in a LTM Policy using the WebUI, the operation fails and an error similar to the following example is returned:
Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().
Conditions:
-- The LTM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.
Impact:
Unable to make changes to existing LTM Policies.
Workaround:
Use the tmsh utility to make the necessary modifications to the LTM Policy. For example, the following command modifies an existing rule:
tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }
757781-3 : Portal Access: cookie exchange may be broken sometimes
Component: Access Policy Manager
Symptoms:
Portal Access uses special HTTP request with URL '/private/fm/volatile.html' to exchange cookie data between client and BIG-IP. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.
Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.
Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.
Workaround:
None.
757572 : Virtual Edition doesn't support forging MAC addresses with Mellanox ConnectX-3 virtual functions
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not support forging MAC addresses when using virtual functions from Mellanox ConnectX-3 adapters. Without this, features like MAC Masquerading and VLAN groups do not function.
Conditions:
-- VE with a Mellanox ConnectX-3 virtual function.
-- Configuration requiring the use of non-default MAC addresses.
Impact:
Attempts to use these features with these NICs will not succeed, and traffic that relies on this configuration will not function.
Workaround:
None.
757555-2 : Network DoS Logging Profile does not work with other logging profiles together
Component: Advanced Firewall Manager
Symptoms:
When the network DoS logging profile is configured with other logging profiles, such as AFM ACL logging profile, on the same virtual server, DoS logging does not occur.
Conditions:
Configure DoS logging profile on a virtual server with other logging profiles, such as AFM ACL logging profile.
Impact:
When DoS attack happens, no DoS attack is being logged.
Workaround:
Configure one general log profile for all DoS and AFM logging.
757505-3 : peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket
Component: Local Traffic Manager
Symptoms:
When a session is restored using a session-ticket, the peer-cert-mode setting is not acknowledged.
Conditions:
-- Session tickets are enabled.
-- The peer-cert-mode in the client SSL profile is set to 'always'.
-- A session is restored using a ticket.
Impact:
The SSL client is validated only once, instead of each time.
Workaround:
Disable session ticket.
757446-2 : Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system stalls a connection instead of sending the intended HTTP response, or sends a malformed response.
Conditions:
This issue occurs when all of the following conditions are met:
-- The virtual server uses the http2 profile.
-- The virtual server uses an iRule that invokes the HTTP::respond command under the HTTP_REQUEST or HTTP_RESPONSE event.
Impact:
Clients do not get the expected responses, leading to application failures.
Workaround:
None.
757431-1 : mcpd process killed after upgrade from 12.1.3★
Component: Local Traffic Manager
Symptoms:
The BIG-IP appliance fails to become available after upgrade, and the mcpd process keeps restarting.
Conditions:
A BIG-IP system is upgraded from 12.1.3 to 14.1.0, with a very large configuration. For example, this was encountered with more than 8,000 virtual servers and more than 600 monitor instances.
Impact:
The BIG-IP system fails to become operational.
Workaround:
If you are encountering this, you can disable the mcpd heartbeat with the following command to complete the upgrade:
tmsh modify sys daemon-ha mcpd heartbeat disable
Once the upgrade is complete, enable the heartbeat:
tmsh modify sys daemon-ha mcpd heartbeat enable
757279-1 : LDAP authenticated Firewall Manager role cannot edit firewall policies
Component: Advanced Firewall Manager
Symptoms:
The system posts the following message when a user with the LDAP authenticated Firewall Manager role creates or modifies a firewall policy with rules, or upgrades an existing firewall policy:
User does not have modify access to object (fw_uuid_config).
Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.
Impact:
Firewall modification operations fail with access to object (fw_uuid_config) error.
Workaround:
None.
757167-1 : TMM logs 'MSIX is not supported' error on vCMP guests
Component: TMOS
Symptoms:
On vCMP guests, 'MSIX is not supported' messages appear in /var/log/tmm.
Conditions:
This occurs only on vCMP guests.
Impact:
MSIX is not supported on vCMP guests, but system operation and traffic passing are not impacted otherwise.
Workaround:
None.
757029-2 : Ephemeral pool members may not be created after config load or reboot
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.
As a result, some pools may not have any active pool members, and do not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configured FQDN name.
756998-1 : DoSL7 Record Traffic feature is not recording traffic
Component: Application Security Manager
Symptoms:
Enabling 'Record Traffic During Attacks' in the DoS Application Profile does not record traffic during attacks: TCP Dump files are not being created in the /shared/dosl7/tcpdumps/ directory as expected.
Conditions:
-- Enabling 'Record Traffic During Attacks' in the DoS Application Profile.
-- DoSL7 Attacks are detected.
Impact:
Attack traffic is not being recorded as expected.
Workaround:
None.
756830-1 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
Component: TMOS
Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.
Conditions:
Connections match a virtual server that has following settings:
- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.
In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.
Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.
Workaround:
You can try either of the following:
-- Do not use the Source Port setting of 'Preserve Strict'.
-- Disable connection mirroring on the virtual server.
756820-2 : Non-UTF8 characters returned from /bin/createmanifest
Component: TMOS
Symptoms:
/bin/createmanifest reads values from mcpd that are obtained from firmware. These values might contain non-UTF8 characters. This program is called in qkview, whose output is then uploaded to iHealth. If any non-UTF8 character is present, the output is omitted (because XML cannot handle non-UTF8 characters).
Conditions:
Data stored in mcpd obtained from firmware contain non-UTF8 characters.
Impact:
The upload to iHealth will not contain any of the manifest data set obtained via createmanifest.
Workaround:
The values can be obtained from the qkview by reading the qkview_run.data, but the convenience of reading these in iHealth is not possible.
756812-2 : Nitrox 3 instruction/request logger may fail due to SELinux permission error
Component: Local Traffic Manager
Symptoms:
When the tmm Nitrox 3 queue stuck problem is encountered, the Nitrox 3 code tries to log the instruction/request, but it may fail due to SELinux permissions error.
The system posts messages in /var/log/ltm similar to the following:
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 00:09.7, discarded 54).
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Failed to open instruction log file '/shared/nitroxdiag/instrlog/tmm01_00:09.7_inst.log' err=2.
Conditions:
-- tmm Nitrox 3 queue stuck problem is encountered.
-- The Nitrox 3 code tries to log the instruction/request.
Impact:
Error messages occur, and the tmm Nitrox 3 code cannot log the instruction/request.
Workaround:
None.
756494-3 : For in-tmm monitoring: multiple instances of the same agent are running on the Standby device
Component: Local Traffic Manager
Symptoms:
The standby device is sending monitor requests at a more frequent interval than what is configured.
Conditions:
-- In-tmm monitoring configured.
-- High availability (HA) configured.
There is no explicit way to reproduce this and it does not occur every time.
Impact:
Multiple instances of in-tmm monitoring may be created and the BIG-IP device may be sending monitoring traffic more frequently than what is configured.
Workaround:
Reboot the BIG-IP system.
756457-2 : tmsh command 'show security' returning a parsing error
Component: Advanced Firewall Manager
Symptoms:
Running the tmsh command 'tmsh -m show security' returns a parsing error similar to the following:
Unexpected Error: Chunked data did not start with start_message.
Conditions:
-- AFM is provisioned.
-- Running the command: 'tmsh -m show security'.
Impact:
-- The 'show security' commands return a parsing error.
-- Some show commands might not work.
Workaround:
None.
756401-2 : IKEv2 debug logging often omits SPI values that would identify the SAs involved
Component: TMOS
Symptoms:
Debug logging for IPsec often has no clear identification of which SA was involved during some logged events.
Conditions:
When you examine logs in either /var/log/tmm or /var/log/ipsec.log to debug IPsec activity.
Impact:
You might have trouble analyzing what happened from logs when the SA involved in an event is not identified.
Workaround:
None.
756313-2 : SSL monitor continues to mark pool member down after restoring services
Component: Local Traffic Manager
Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.
Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.
Impact:
Services are not automatically restored by the health monitor.
Workaround:
To restore the state of the member, remove it, and add it back to the pool.
756177-2 : GTM marks pool members down across datacenters
Component: Global Traffic Manager (DNS)
Symptoms:
GTM pool members are marked down even though the monitored resource is available.
GTM debug logs indicate that each GTM is relying on the other GTM to conduct probing:
debug gtmd[13166]: 011ae039:7: Check probing of IP:Port in DC /Common/dc1.
debug gtmd[13166]: 011ae03a:7: Will not probe in DC /Common/dc1 because will be done by other GTM (/Common/gtm2).
---
debug gtmd[7991]: 011ae039:7: Check probing of IP:Port in DC /Common/dc2.
debug gtmd[7991]: 011ae03a:7: Will not probe in DC /Common/dc2 because will be done by other GTM (/Common/gtm1).
Conditions:
-- GTM configured in different data centers.
-- GTM pool configured with a single monitor, and the monitor uses an alias address that can be pinged from both data centers.
-- GTM pool members configured from different data centers.
Impact:
Pool members are marked down.
Workaround:
Instead of a single monitor, use a monitor created specifically for each data center.
756153-3 : Add diskmonitor support for MySQL /var/lib/mysql
Component: TMOS
Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.
Conditions:
The disk partition /var/lib/mysql is filled to 100%.
Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.
Workaround:
None.
756139-1 : Inconsistent logging of hostname files when hostname contains periods
Component: TMOS
Symptoms:
Some log files do not write the full hostname when it contains periods (for example, an FQDN). The /var/log/user.log and /var/log/messages files log just the hostname portion:
-- user.log:Aug 5 17:05:01 bigip1 ).
-- messages:Aug 5 16:57:32 bigip1 notice syslog-ng[2502]: Configuration reload request received, reloading configuration.
Whereas other log files write the full name:
-- daemon.log:Aug 5 16:58:34 bigip1.example.com info systemd[1]: Reloaded System Logger Daemon.
-- maillog:Aug 5 16:55:01 bigip1.example.com err sSMTP[12924]: Unable to connect to "localhost" port 25.
-- secure:Aug 5 17:02:54 bigip1.example.com info sshd(pam_audit)[2147]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.14.13.20 attempts=1 start="Mon Aug 5 17:02:30 2019" end="Mon Aug 5 17:02:54 2019".
-- ltm:Aug 5 17:02:42 bigip1.example.com warning tmsh[2200]: 01420013:4: Per-invocation log rate exceeded; throttling.
Conditions:
BIG-IP hostname contains periods or an FQDN:
[root@bigip1:Active:Standalone] log # tmsh list sys global-settings hostname
sys global-settings {
hostname bigip1.example.com
}
Impact:
Hostname is logged inconsistently. Some logs write the full hostname (FQDN), while other log files write only the hostname portion. This can make searching on hostname more complicated.
Workaround:
None.
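The following added example (not F5 code) shows one way to search and normalize logs despite the inconsistency described in 756139: it matches a line when the host field is either the FQDN or its short form. The function names are hypothetical, and the sample lines are adapted from the ones quoted in this entry, with the file-name prefixes removed.

```python
import re

# Constructed sample: log lines quoted in this entry, as they would appear
# inside the log files (file-name prefixes removed).
SAMPLE_LINES = [
    "Aug 5 16:57:32 bigip1 notice syslog-ng[2502]: Configuration reload request received, reloading configuration.",
    "Aug 5 16:58:34 bigip1.example.com info systemd[1]: Reloaded System Logger Daemon.",
    'Aug 5 16:55:01 bigip1.example.com err sSMTP[12924]: Unable to connect to "localhost" port 25.',
    "Aug 5 17:02:42 bigip1.example.com warning tmsh[2200]: 01420013:4: Per-invocation log rate exceeded; throttling.",
    # Constructed line from a different device, to show it is not matched.
    "Aug 5 17:03:10 bigip2.example.com info systemd[1]: Reloaded System Logger Daemon.",
]

# Layout assumed from the samples: "Mon D HH:MM:SS host rest-of-message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$"
)


def host_variants(fqdn):
    """Return the two spellings a device may log: the FQDN and its short name."""
    fqdn = fqdn.rstrip(".").lower()
    return {fqdn, fqdn.split(".", 1)[0]}


def lines_for_host(lines, fqdn):
    """Return (logged_host, message) for every line written by the device.

    Assumption: short names are unique among the log sources being searched;
    otherwise 'bigip1' from another domain would also match.
    """
    wanted = host_variants(fqdn)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("host").lower() in wanted:
            hits.append((m.group("host"), m.group("msg")))
    return hits


def normalize(line, fqdn):
    """Rewrite the host field to the FQDN so later searches need one spelling."""
    m = LINE_RE.match(line)
    if not m or m.group("host").lower() not in host_variants(fqdn):
        return line  # not this device, or not a syslog-style line
    return "{} {} {}".format(m.group("ts"), fqdn, m.group("msg"))


if __name__ == "__main__":
    for host, msg in lines_for_host(SAMPLE_LINES, "bigip1.example.com"):
        print(host, "|", msg)
```

Normalizing at ingestion time keeps hostname-based searches and correlation rules from silently missing the lines that carry only the short name.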
756088-2 : The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
Component: TMOS
Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.
The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.
Conditions:
-- There are multiple virtual servers associated with a virtual address.
-- The virtual-address icmp-echo is set to 'all' or 'any'.
-- The virtual-address route-advertisement is set to 'all' or 'any'.
Impact:
The BIG-IP might respond incorrectly to ICMP echo requests sent to a virtual-address.
-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP may not respond correctly after a virtual-address availability change.
-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.
The BIG-IP might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.
Workaround:
None.
755976-3 : ZebOS might miss kernel routes after mcpd daemon restart
Component: TMOS
Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some kernel routes (virtual addresses).
One of the most common scenarios is a device reboot.
Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.
Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.
Workaround:
There are several workarounds; here are two:
-- Restart the tmrouted daemon:
bigstart restart tmrouted
-- Recreate the affected virtual address.
755791-2 : UDP monitor not behaving properly on different ICMP reject codes.
Component: Local Traffic Manager
Symptoms:
Unexpected or improper pool/node member status.
Conditions:
The BIG-IP system receives the ICMP rejection code as icmp-net/host-unreachable.
Impact:
The monitor might consider a server available when some type of ICMP rejection has been received that is not port unreachable.
Workaround:
You can use either of the following workarounds:
-- Use UDP monitors configured with a receive string.
-- Do not use UDP monitors.
755739-1 : SAML metadata import (SP or IdP) fails if the metadata file has both SPSSODescriptor and IdPSSODescriptor
Component: Access Policy Manager
Symptoms:
If the SAML SP or IDP metadata has both SPSSODescriptor and IdPSSODescriptor tags, the import fails with errors like this:
The metadata file '/var/tmp/1547120861955.upload' being used to create SAML IdP connector 'Kismet' is an SP metadata file.
Conditions:
-- SP or IDP metadata file has both SPSSODescriptor and IdPSSODescriptor tags and
-- Attempt to import them to create SP or IdP connector objects.
Impact:
Metadata import is not successful.
Workaround:
Use the following workarounds, as appropriate:
-- When importing SP metadata, remove all IDPSSODescriptor tags from the metadata file.
-- When importing IDP metadata, remove all SPSSODescriptor tags from the metadata file.
755721-1 : A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper
Component: Advanced Firewall Manager
Symptoms:
A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper. In the worst case, this incorrect signature match might drop the packet.
Conditions:
AFM is enabled and it receives multiple (back-to-back-to-back) UDP DNS packets, which (due to ingress shaper) might cause queueing for some of the packets in the same data path thread.
Impact:
In this case, when the queued packet is later picked up for further processing, it may incorrectly match a BDoS signature (that would not have otherwise matched if this packet was not queued). A UDP DNS packet may match an incorrect signature and thus might be incorrectly dropped by the BIG-IP system.
Workaround:
None.
755716-1 : IPsec connection can fail if connflow expiration happens before IKE encryption
Component: TMOS
Symptoms:
IKEv2 negotiation fails, and tmm log shows the following error:
notice [INTERNAL_ERR]: ikev2....: Invalid BIG-IP flow context
Conditions:
Unusual timing that results in connflow expiration immediately preceding Diffie Hellman generation.
Impact:
IKE Negotiation fails, so an SA cannot be established.
Workaround:
None.
755631-1 : UDP / DNS monitor marking node down
Component: Local Traffic Manager
Symptoms:
The UDP / DNS monitor marks nodes down.
Conditions:
-- UDP or DNS monitor configured.
-- Interval is multiple of timeout.
-- The response is delayed by over one interval.
Impact:
Pool member is marked down.
Workaround:
Increase the interval to be greater than the response time of the server.
755507-4 : [App Tunnel] 'URI sanitization' error
Component: Access Policy Manager
Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)
Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).
Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.
Workaround:
None.
755450-1 : Memory leak when using lots of iApps
Component: TMOS
Symptoms:
Scriptd leaves open files behind because it does not properly close sockets before exiting. This eventually results in 'too many open files' errors, which can overload the system.
Conditions:
Run a large number of iApps on a system for a long period of time. You can determine if you are affected by this by using the following command:
lsof | grep scriptd |grep socket |wc -l
After it has run for a while you will notice that this number is slowly growing as scriptd processes exit without closing their sockets appropriately.
Impact:
Constantly increasing use of system resources.
Workaround:
None.
755311-1 : No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down
Component: Service Provider
Symptoms:
When TMM is shutting down with active DIAMETER connections, it does not send out any Disconnect-Peer-Request messages to its DIAMETER pool members.
Conditions:
- DIAMETER in use.
- Active connections from the BIG-IP system to its DIAMETER pool members.
- TMM is shutting down.
Impact:
The remote server is not notified of the change in DIAMETER peer status.
Workaround:
None.
755282-1 : [GTM] bigip_add password prompt for IPv4-mapped IPv6 address
Component: Global Traffic Manager (DNS)
Symptoms:
After running the bigip_add script without specifying a server address, the host address posted in the ssh password prompt is an IPv4-mapped IPv6 address for IPv4 servers.
For example:
Enter root password for 0000:0000:0000:0000:0000:FFFF:0A3C:010A
Conditions:
Run bigip_add without a server address, when the host address is an IPv4-mapped IPv6 address.
Impact:
There is no way to tell what the actual server name is without converting the IPv4-mapped IPv6 addresses back to an IPv4 to find which password to enter, for example: 0A3C:010A to 10.60.1.10
Workaround:
To work around this, edit the bigip_add script.
IMPORTANT: Make sure to back up the bigip_add script before making modifications.
1. Make /usr folder writable
# mount -o rw,remount /usr
2. Backup bigip_add:
# cp /usr/local/bin/bigip_add /shared/tmp/bigip_add.backup
3. Edit bigip_add by adding different 'print' output for IPv4 servers.
Replace this:
< print "Enter $ruser password for $ip if prompted\n";
With something similar to this:
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }
NOTE: Do not modify the actual value for $ip.
Below is an example diff:
# diff /shared/tmp/bigip_add.backup /usr/local/bin/bigip_add
18a19
>
43a45,51
> sub ipv6_to_ipv4
> {
> my $in_addr = $_[0];
> my @ipv6 = split /:/, $in_addr;
>
> my $ipv6_part1 = hex ($ipv6[6]);
> my $ipv6_part2 = hex($ipv6[7]);
44a53,60
> my $ipv4_1=scalar($ipv6_part1>>8);
> my $ipv4_2=scalar($ipv6_part1&0xff);
> my $ipv4_3=scalar($ipv6_part2>>8);
> my $ipv4_4=scalar($ipv6_part2&0xff);
>
> my $ipv4 = "${ipv4_1}.${ipv4_2}.${ipv4_3}.${ipv4_4}";
> return $ipv4;
> }
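Review bot: ipv6_to_ipv4 reads $ipv6[6] and $ipv6[7] straight after the split on ':' without checking that the split produced eight groups, so a compressed form of the same address (for example one written with '::') would leave those elements undefined and return a wrong dotted quad. The caller's pattern only admits the fully expanded form, but a guard at the top of the sub, such as returning $in_addr unchanged unless @ipv6 == 8, would keep the helper safe if it is called from anywhere else.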
75d90
<
152c167,173
< print "Enter $ruser password for $ip if prompted\n";
---
>
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }
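Review bot: the pattern /0000:0000:0000:0000:0000:FFFF:/ in the new if condition is unanchored and case-sensitive, so an address printed with a lowercase 'ffff' group falls through to the else branch and the prompt still shows the raw IPv6 form. Anchoring the pattern with ^ and adding the /i modifier would cover both spellings and avoid matching the sequence in the middle of some other string.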
179d199
<
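For the manual conversion mentioned under Impact in 755282 (0A3C:010A to 10.60.1.10), the following added example (not part of bigip_add and not F5 code) decodes IPv4-mapped IPv6 addresses off-box with Python's standard ipaddress module. It goes beyond the workaround by also accepting compressed and lowercase forms; the function names are hypothetical.

```python
import ipaddress


def mapped_to_ipv4(token):
    """Return the dotted-quad string for an IPv4-mapped IPv6 address.

    Returns None when the token is not an IPv6 address at all, or is an
    IPv6 address outside ::ffff:0:0/96 (a genuine IPv6 server address).
    """
    try:
        addr = ipaddress.IPv6Address(token)
    except ValueError:
        return None
    mapped = addr.ipv4_mapped  # None unless the address is in ::ffff:0:0/96
    return str(mapped) if mapped is not None else None


def readable_prompt(text):
    """Replace every IPv4-mapped IPv6 address in a line of text with its
    IPv4 form, leaving all other words (including real IPv6) untouched."""
    words = []
    for word in text.split(" "):
        core = word.rstrip(".,;")          # tolerate trailing punctuation
        tail = word[len(core):]
        ipv4 = mapped_to_ipv4(core)
        words.append(ipv4 + tail if ipv4 is not None else word)
    return " ".join(words)


if __name__ == "__main__":
    # Prompt text as shown in this entry.
    print(readable_prompt(
        "Enter root password for 0000:0000:0000:0000:0000:FFFF:0A3C:010A"
    ))
```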
755197-3 : UCS creation might fail during frequent config save transactions
Component: TMOS
Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.
Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tries to create a UCS that contains that to-be-deleted file.
Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.
Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.
This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.
Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.
755018-2 : Egress traffic processing may be stopped on one or more VE trunk interfaces
Component: TMOS
Symptoms:
Trunk interface members might be missing from tmm on BIG-IP Virtual Edition (VE).
Conditions:
-- Using trunks on VE.
-- May happen after a TMM restart, or after interface link states change.
Impact:
No egress traffic processing on one or more interfaces of a VE trunk.
Workaround:
Remove the interfaces from the trunk and re-add them:
# tmsh modify net trunk <trunk name> interfaces none
# tmsh modify net trunk <trunk name> interfaces add { <interface1> <interface2> }
754971-2 : OSPF inter-process redistribution might break OSPF route redistribution of various types.
Component: TMOS
Symptoms:
Enabling inter-process OSPF route redistribution might cause overall problems with OSPF route redistribution.
Conditions:
OSPF is configured with inter-process OSPF route redistribution, for example:
router ospf
network 0.0.0.0/0 area 0
redistribute kernel
redistribute ospf 1234 <--- !
Impact:
Routes might not be redistributed and will not be present in the OSPF database. This affects all redistribution types (kernel, static, etc.).
Workaround:
Do not use inter-process OSPF route redistribution.
754750-1 : Policy validation error 'All blocking flags are unset' appears even when a violation is set to block
Component: Application Security Manager
Symptoms:
The following policy validation error appears after a policy is applied if no signature sets are set to block (even when a violation is set to block):
"All blocking flags are unset while policy is in blocking enforcement mode."
Conditions:
-- A policy is applied.
-- No signature sets are set to block.
Impact:
A policy validation error occurs: 'All blocking flags are unset while policy is in blocking enforcement mode.' This is a cosmetic error and does not indicate an issue with the system.
Workaround:
None.
754658-2 : Improved matching of response messages uses end-to-end ID
Component: Service Provider
Symptoms:
Some responses incorrectly match requests when their hop-by-hop IDs match. This causes the response to be dropped.
Conditions:
Matching hop-by-hop ID.
Impact:
Responses rarely match the wrong request, but when they do, they will be dropped.
Workaround:
None.
754617-2 : iRule 'DIAMETER::avp read' command does not work with 'source' option
Component: Service Provider
Symptoms:
Configuring a 'source' option with the iRule 'DIAMETER::avp read' command does not work.
The operation posts a TCL error in /var/log/ltm logs:
err tmm3[11998]: 01220001:3: TCL error: /Common/part1 <MR_INGRESS> - Illegal value (line 1) error Illegal value invoked from within "DIAMETER::avp read 444 source [DIAMETER::avp data get 443 grouped]".
Conditions:
Using the 'DIAMETER::avp read' iRule command with a 'source' option.
Impact:
'DIAMETER::avp read' does not work with the 'source' option.
Workaround:
Use 'DIAMETER::avp get data' with the 'source' option, and re-create the header part when needed.
754604-2 : iRule : [string first] returns incorrect results when string2 contains null
Component: Local Traffic Manager
Symptoms:
In an iRule, a command such as 'string first $string1 $string2' returns incorrect results when $string2 contains a null byte and $string1 is not found within $string2. When the same search is performed in tclsh, the expected -1 (not found) result is returned.
Conditions:
-- 'string first $string1 $string2' iRule.
-- string2 in an iRule contains a null byte.
Impact:
Operation does not return the expected -1 (not found) result, but instead returns an unexpected, random result.
Workaround:
None.
754460-2 : No failover on HA Dual Chassis setup using HA score
Component: TMOS
Symptoms:
On a high availability (HA) setup of two chassis, an HA failover does not occur, despite the HA score on Standby being greater than on Active.
Conditions:
-- Multiple blades disabled.
-- Both active and standby chassis have same HA score.
-- Enabling blades on standby chassis.
Impact:
Although enabling blades on the standby chassis causes a higher HA score on the standby (which should cause a failover to occur), HA state remains the same on both chassis. HA failover is not occurring using HA score calculation.
Workaround:
None.
754335-1 : Install ISO does not boot on BIG-IP VE★
Component: TMOS
Symptoms:
The install ISO does not boot on BIG-IP Virtual Edition (VE).
Conditions:
Attempting to boot a BIG-IP VE from a virtual DVD-ROM drive loaded with an affected ISO file.
Impact:
The system does not fully boot and hangs, preventing you from performing an installation or using the live environment for other recovery purposes.
Workaround:
To work around this issue, boot the BIG-IP VE from an ISO file earlier than 14.1.0. If necessary, install that version, and then upgrade to 14.1.0 using the live installer.
754257-2 : URL lookup queries not working
Component: Traffic Classification Engine
Symptoms:
Occasionally, there is no response to a url-categorization query.
Conditions:
This might occur under the following conditions:
-- When there are duplicate requests using tmsh.
-- When the connection is partially closed by the server.
Impact:
URL does not get classified. Cannot take any actions against those URLs.
Workaround:
None.
754132-2 : A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command
Component: TMOS
Symptoms:
A default route is not propagated in Network Layer Reachability Information (NLRI) by a routing framework on a command: 'clear ip bgp <neighbor router-id> soft out'.
-- Enter the imi (Integrated Management Interface) shell.
[root@hostname:Active:Standalone] config # imish
hostname[0]>
-- Issue a command inside imish. 10.0.0.4 is the neighbor BGP router-id.
hostname[0]>clear ip bgp 10.0.0.4 soft out
Conditions:
-- There is a BIG-IP system with the following routing configuration:
imish output:
hostname[0]#sh run
!
no service password-encryption
!
interface lo
!
... <skip other default information, like interfaces.>
!
router bgp 1
bgp router-id 10.17.0.3
bgp graceful-restart restart-time 120
neighbor 10.17.0.4 remote-as 1
!
-- There is a default route, which is advertised by this BGP configuration. Here is one way to check it:
hostname[0]:sh ip ospf database
... <skip less important info>
AS External Link States
Link ID ADV Router Age Seq# CkSum Route Tag
0.0.0.0 10.17.0.3 273 0x80000002 0x5c4e E2 0.0.0.0/0 0
The 'clear ip bgp 10.17.0.4 soft out' command is issued, and there is no NLRI with a default route generated. You can confirm that by running tcpdump and reading what is in the generated Link-state advertisement (LSA) messages, or by watching OSPF debug logs.
Note: The source from which you gather the default route and advertise it to the neighbors does not matter. It might be the usual BGP route learned from another router, a locally created route, or it might be configured by 'neighbor <neighbor router-id> default-originate'.
Impact:
A default-route is not propagated in NLRI by 'soft out' request, even with default-originate configured.
Workaround:
There is no specific workaround for 'clear ip bgp <neighbor router-id> soft out' command, but if you want to make routing protocol propagate a NLRI with a default route, you can do either of the following:
-- Remove the default route from advertised routes. This workaround is configuration-specific, so there are no common steps.
+ If you have default-originate configured for your neighbor, then delete that part of the configuration and re-add it.
+ If you create a default route as a static route, recreate it.
+ And so on.
The idea is to remove a root of default route generation and then add it back.
-- Run a 'soft in' command from your neighbor. If the neighbor to which you want to propagate a NLRI is a BIG-IP device, or is capable of running this type of command, you can issue an imish command on the neighbor:
# neighbor-hostname[0]: clear ip bgp <neighbor router-id> soft in
Note: This time, the 'soft in' command requests the NLRIs.
753860-3 : Virtual server config changes causing incorrect route injection.
Component: TMOS
Symptoms:
Updating the virtual server to use a different virtual address (VADDR) does not work as expected. The system should remove the old VADDR route and inject the new route for the new virtual address. Instead, it injects incorrect routes into the routing protocols.
Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.
Impact:
Incorrect routes are injected into routing protocols.
Workaround:
None.
753805-3 : BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
Component: Local Traffic Manager
Symptoms:
After failover, it takes longer than expected for the virtual server to become available.
Conditions:
-- There is a configuration difference in the pool members before and after the configuration synchronization.
-- Probe status is also different.
Impact:
Virtual server takes longer than expected to become available.
Workaround:
Run full sync (force-full-load-push) from the active BIG-IP system to solve this issue.
753715-1 : False positive JSON max array length violation
Component: Application Security Manager
Symptoms:
False-positive JSON max array length violation is reported.
Conditions:
-- JSON profile is used.
-- The violation is reported for a non-array value under certain conditions.
Impact:
The system reports a false-positive violation.
Workaround:
None.
753594-2 : In-TMM monitors may have duplicate instances or stop monitoring
Component: Local Traffic Manager
Symptoms:
Most monitored resources (such as pools) report messages similar to the following:
Availability : unknown
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet.
A fraction of the monitored resources report the correct status based on the state of the resource.
Enabling bigdlog may show messages containing 'tmm_mid=x:0' (where x can be a value such as 0, 1, or 2). In the following example, it is tmm_mid=1:0:
[0][11288] 2019-03-08 10:03:04.608: ID 10859 :(_do_ping): post ping, status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=1:0 addr=::ffff:1.2.37.44:443 mon=/Common/https fd=-1 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1552068189.684126][2019-03-08 10:03:09] last_ping=[1552068184.684909][2019-03-08 10:03:04] deadline=[1552067610.048558][2019-03-08 09:53:30] on_service_list=True snd_cnt=119 rcv_cnt=0 ]
The following error might appear in /var/log/ltm:
-- failed to handle TMA_MSG_DELETE message: MID 0, error TMA_ERR_INVALID_MID(Monitor ID is invalid or unused)
Conditions:
-- Configure In-TMM monitoring with a sufficiently large number of monitored objects.
-- Modify monitors while pool members are in an offline state or perform rapid modification of In-TMM monitors.
Impact:
Some monitors may be executed multiple times per configured interval on a resource, and some monitors may not be executed at all against resources.
Workaround:
Switch to traditional bigd monitoring instead of In-TMM:
tmsh modify sys db bigd.tmm value disable
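The two indicators in this entry (bigd debug lines carrying 'tmm_mid=x:0' and the TMA_ERR_INVALID_MID error in /var/log/ltm) can be counted per monitored address with a short script. This is an added example, not F5 code; reading the second number of tmm_mid as the monitor ID, the syslog prefix on the ltm line, and every sample line other than the one quoted above are assumptions or constructed.

```python
import re
from collections import Counter

# key=value tokens; a value is either a run of [..] groups (the timestamp
# pairs such as next_ping=[epoch][date time]) or a single bare word.
FIELD_RE = re.compile(r'([^\s=\[\]]+)=((?:\[[^\]]*\])+|\S+)')
INVALID_MID = "TMA_ERR_INVALID_MID"


def parse_bigd_line(line):
    """Return the key=value fields of one bigd debug line, or None if it is not one."""
    if "status=" not in line or "tmm_mid=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def split_tmm_mid(value):
    """Split a tmm_mid value such as '1:0' into two integers; None if malformed.

    Assumption: the first number is the TMM instance, the second the monitor ID.
    """
    left, sep, right = value.partition(":")
    if not sep or not left.isdigit() or not right.isdigit():
        return None
    return int(left), int(right)


def scan(lines):
    """Count In-TMM monitor instances reporting monitor ID 0, keyed by
    (addr, monitor, tmm), and count TMA_ERR_INVALID_MID errors."""
    suspect = Counter()
    parsed = invalid_mid_errors = 0
    for line in lines:
        if INVALID_MID in line:
            invalid_mid_errors += 1
            continue
        fields = parse_bigd_line(line)
        if fields is None:
            continue
        ids = split_tmm_mid(fields.get("tmm_mid", ""))
        if ids is None:
            continue
        parsed += 1
        tmm, mid = ids
        if fields.get("tmm?") == "true" and mid == 0:
            suspect[(fields.get("addr"), fields.get("mon"), tmm)] += 1
    return {"parsed": parsed, "suspect": suspect,
            "invalid_mid_errors": invalid_mid_errors}


# The bigd debug line quoted in the entry above.
PAGE_LINE = (
    "[0][11288] 2019-03-08 10:03:04.608: ID 10859 :(_do_ping): post ping, "
    "status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=1:0 "
    "addr=::ffff:1.2.37.44:443 mon=/Common/https fd=-1 pend=0 #conn=0 "
    "up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 "
    "next_ping=[1552068189.684126][2019-03-08 10:03:09] "
    "last_ping=[1552068184.684909][2019-03-08 10:03:04] "
    "deadline=[1552067610.048558][2019-03-08 09:53:30] "
    "on_service_list=True snd_cnt=119 rcv_cnt=0 ]"
)

# Constructed sample input (everything except PAGE_LINE is made up).
SAMPLE = [
    PAGE_LINE,
    PAGE_LINE.replace("10:03:04.608", "10:03:09.611"),  # same monitor, next interval
    "[0][11288] 2019-03-08 10:03:05.102: ID 10860 :(_do_ping): post ping, "
    "status=UP [ tmm?=true td=true tr=false tmm_mid=0:7 "
    "addr=::ffff:192.0.2.10:80 mon=/Common/http snd_cnt=119 rcv_cnt=119 ]",
    "[0][11288] 2019-03-08 10:03:05.377: ID 10861 :(_do_ping): post ping, "
    "status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=2:0 "
    "addr=::ffff:192.0.2.11:443 mon=/Common/https snd_cnt=40 rcv_cnt=0 ]",
    "Mar  8 10:03:06 bigip1 err bigd[11288]: failed to handle TMA_MSG_DELETE "
    "message: MID 0, error TMA_ERR_INVALID_MID(Monitor ID is invalid or unused)",
    "Mar  8 10:03:07 bigip1 notice unrelated constructed line",
]

if __name__ == "__main__":
    report = scan(SAMPLE)
    print("bigd lines parsed:", report["parsed"])
    print("TMA_ERR_INVALID_MID errors:", report["invalid_mid_errors"])
    for (addr, mon, tmm), count in sorted(report["suspect"].items()):
        print(f"monitor ID 0 on tmm {tmm}: {addr} {mon} seen {count}x")
```

A non-empty suspect list together with TMA_ERR_INVALID_MID errors matches the symptoms above, meaning the reported availability of those pool members cannot be trusted until monitoring is corrected.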
753536-2 : REST no longer requires a token to login for TACACS use
Component: TMOS
Symptoms:
Configurations that previously used TACACS for authentication in order to make REST requests are no longer required to use a token for remote authentication. You can simply use username and password.
Conditions:
Use of remote authentication using TACACS.
Impact:
If you have scripts that automatically request tokens, you no longer need them.
Workaround:
None.
753526-1 : IP::addr iRule command does not allow single digit mask
Component: Local Traffic Manager
Symptoms:
When a plain literal IP address and mask are used in the IP::addr command, the validation fails if the mask is a single digit.
Conditions:
The address mask is single digit.
Impact:
Validation fails.
Workaround:
Assign address/mask to a variable and use the variable in the command.
753501-1 : iRule commands (such as relate_server) do not work with MRP SIP
Component: Service Provider
Symptoms:
Some iRule commands (such as relate_server) fail when used in conjunction with Message Routing Protocol (MRP) SIP configurations using message routing transport.
Conditions:
-- MRP SIP configuration uses transport-config.
-- iRule command 'relate_server' is configured on the corresponding virtual server.
Impact:
iRule commands such as relate_server cannot be used with MRF SIP.
Workaround:
None.
753423-6 : Disabling and immediately re-enabling the slot results in interfaces from the slot being permanently removed from aggregation
Component: TMOS
Symptoms:
Working-mbr-count does not show the correct number of interfaces.
Conditions:
The slot is disabled and re-enabled immediately.
Impact:
Interfaces may be removed from an aggregation permanently.
Workaround:
Disable and re-enable the slot with a time gap of one second.
753159-1 : Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections
Component: Local Traffic Manager
Symptoms:
Mirrored serverside FastL4 connections do not inherit the IP ToS/QoS values from the selected pool or values set via iRule IP::tos/LINK::qos commands.
Conditions:
-- FastL4 virtual server with mirroring.
-- Pool with non-zero IP ToS/QoS values.
or
-- iRule with IP::tos/LINK::qos serverside commands
Impact:
IP ToS/QoS values are not set on mirrored connection after failover.
Workaround:
Configure the desired IP ToS/QoS values in the FastL4 profile.
753014-4 : PEM iRule action with RULE_INIT event fails to attach to PEM policy
Component: Policy Enforcement Manager
Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.
Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.
Impact:
PEM fails to update the new iRule action.
Workaround:
Force mcpd to reload the BIG-IP configuration.
To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
753001-1 : mcpd can be killed if the configuration contains a very high number of nested references
Component: TMOS
Symptoms:
mcpd can be killed by sod if the configuration contains a very high number of nested references. This results in a core file due to a SIGABRT signal.
Conditions:
A very high number of nested configuration references (such as SSL certificate file objects).
Impact:
Failover or outage (if not HA). The system sends no traffic or status while mcpd restarts.
Workaround:
None.
752994-1 : Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod
Component: TMOS
Symptoms:
With a large number of client SSL profiles, combined with shallow nesting of these profiles, all referring to a single SSL certificate file object, mcpd can take a lot of time to process an update to that certificate. It is possible this amount of time will be longer than sod's threshold, and cause it to kill mcpd.
Conditions:
- A large number (hundreds or thousands) of client SSL profiles that have a shallow nesting structure and all point back to a single SSL certificate file object.
- Happens when the SSL certificate is updated.
Impact:
sod kills mcpd, which causes a failover (when high availability (HA) is configured) or an outage (when there is no high availability (HA) configured).
Workaround:
None.
752797-1 : BD is not correctly closing a shared memory segment
Component: Application Security Manager
Symptoms:
The number of shared memory segments is increasing.
Conditions:
There are many ASM restarts.
Impact:
Memory increases on the system.
Workaround:
None.
752766-1 : The BIG-IP system might fail to read SFPs after a reboot
Component: Local Traffic Manager
Symptoms:
SFP interfaces are reported as missing:
# tmsh show net interface 2.0
--------------------------------------------------------
Net::Interface
Name Status Bits Bits Pkts Pkts Drops Errs Media
In Out In Out
--------------------------------------------------------
2.0 miss 0 0 0 0 0 0 none
sys ha-status will report tmm ready-for-world as failed:
# tmsh show sys ha-status
-------------------------------------------------------------------------
Sys::HA Status
Feature Key Action Fail
-------------------------------------------------------------------------
ready-for-world tmm none yes
ready-for-world tmm1 none yes
ready-for-world tmm2 none yes
ready-for-world tmm3 none yes
ready-for-world tmm4 none yes
ready-for-world tmm5 none yes
Conditions:
This has been seen on the i15800 and i11000 series BIG-IP platforms immediately after the system boots.
Impact:
The BIG-IP system does not become ready after a reboot.
Workaround:
If the system is in this state, restart tmm:
# tmsh restart sys service tmm
752530-1 : TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
Component: Local Traffic Manager
Symptoms:
Fast L4 TCP Analytics reports incorrect goodput when server sequence number and the TMM generated sequence number are different.
Conditions:
This occurs when either of the following conditions is met:
-- tcp-generate-isn is set in the Fast L4 profile.
-- SYN cookie is active.
Impact:
The GUI page Statistics :: Analytics :: TCP :: Goodput displays incorrect goodput values.
Workaround:
None.
752334-1 : Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
Component: Local Traffic Manager
Symptoms:
When Fast L4 receives out-of-order TCP packets, TCP analytics may compute a wrong goodput value.
Conditions:
Fast L4 receives out-of-order packets.
Impact:
Fast L4 reports an incorrect goodput value for the connection.
Workaround:
None.
752228-1 : GUI Network Map to account for objects in a Disabled By Parent state
Component: TMOS
Symptoms:
When an object has a Disabled By Parent state, it is counted in the Unknown status instead of evaluating its actual Availability status.
Conditions:
Viewing objects with Disabled By Parent state in Network Map.
Impact:
The status shown in the map and summary view does not reflect the correct status.
Workaround:
Use the object list views to filter by status to see the correct status.
752216-6 : DNS queries without the RD bit set may generate responses with the RD bit set
Solution Article: K33587043
Component: Global Traffic Manager (DNS)
Symptoms:
If the BIG-IP system is configured to use forward zones, responses to DNS queries may include the RD bit, even if RD bit is not set on the query.
Conditions:
-- Forward zone is configured.
-- Processing a query without the RD bit.
Impact:
Some responses to DNS queries may include the RD bit, even though the RD bit is not set on the query. This is cosmetic, but some DNS tools may report this as an RFC violation.
Workaround:
None.
752163-1 : PEM::session info cannot set subscriber type and ID
Component: Policy Enforcement Manager
Symptoms:
Cannot set the subscriber type and ID with iRule PEM::session info <subs-id | subs-type | subscriber-type | subscriber-id > <value>.
Conditions:
Trying to set the subscriber type and ID attributes using the following iRule commands returns an error:
PEM::session info <ip> subscriber-id <value>
PEM::session info <ip> subscriber-type <value>
PEM::session info <ip> subs-id <value>
PEM::session info <ip> subs-type <value>
Impact:
Cannot set subscriber type and ID using the PEM::session info iRule command.
Workaround:
Set the subscriber type and ID together using the following iRule command:
PEM::session info <ip addr> subscriber <subscriber-id> <subscriber-type>
751991-1 : BIOS update fails with "flashrom not safe for BIOS updates yet" log message
Component: TMOS
Symptoms:
Upon installing a version of BIG-IP that contains an updated version of the system BIOS onto an F5 hardware platform, the BIOS update may fail.
Messages similar to the following may be seen at the console:
Updating BIOS to /usr/firmware/<filename>.bin
Using layout file /usr/firmware/<filename>.layout to update bios region
Updating BIOS... DO NOT POWER DOWN
Updating BIOS... DO NOT POWER DOWN (elapsed seconds:1)
...
Updating BIOS... DO NOT POWER DOWN (elapsed seconds:##)
BIOS update failed. Check /var/log/ltm for errors
Broadcast message from systemd-journald@localhost (<date & time string>):
chmand[####]: 012a0000:0: BIOS update failed. Check /var/log/ltm for errors
A message similar to the following will be seen in the /var/log/ltm file:
info chmand[####]: 012a0006:6: /bin/bios_update: flashrom not safe for BIOS updates yet.
Conditions:
This may occur on F5 hardware platforms running affected versions of BIG-IP based on RHEL 7.x, when booting into an affected version that includes a newer BIOS image than the system is currently using.
The "tmsh show sys hardware" command can be used to see the currently-used BIOS version.
The /var/log/ltm file contains messages from chmand when BIOS (and other firmware) updates are attempted, which display the version found currently installed and the newer version for which the update was attempted.
Impact:
Affected F5 hardware platforms may continue to run a non-current version of system BIOS, which may compromise system stability and/or performance.
Workaround:
It is possible to work around this issue by installing a later, non-affected version of BIG-IP into a different volume, booting into that version to perform firmware updates, then booting back into the affected BIG-IP version.
751924-2 : TSO packet bit fails IPsec during ESP encryption
Component: TMOS
Symptoms:
An internal error occurs when a packet with the TCP segmentation offload (TSO) bit set unexpectedly reaches the crypto code for ESP in IPsec.
Conditions:
Traffic passing through ESP encapsulation for an IPsec tunnel when the TSO bit (for TcpSegmentationOffload) is set on the packet involved.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
751589-1 : In BIG-IP VE, some IP rules may not be created during the first boot up.
Component: Local Traffic Manager
Symptoms:
The BIG-IP Virtual Edition (VE) system might not be able to install some IP rules in the host during the first boot up. As a result, some types of traffic (e.g., ssh) destined for the BIG-IP system via the data path (not via the management interface) might not be able to respond back to a sender. This issue exists only during the first boot into a new BIG-IP partition after installation.
Conditions:
This issue exists if the following conditions are met:
-- The BIG-IP system is VE.
-- Before installing a new BIG-IP image, the sys db variables 'liveinstall.saveconfig' and 'liveinstall.moveconfig' are both set to 'disable'. By default, both variables are set to 'enable'.
-- First boot into a new BIG-IP partition after installation.
Impact:
Some types of traffic (e.g., ssh) destined for the BIG-IP system via the data path (not via the management interface) might not be able to respond back to a sender.
Workaround:
You can use either of the following workarounds:
-- Restart mcpd using the following command:
bigstart restart mcpd
-- After the first boot into a new BIG-IP partition, you can simply reboot the BIG-IP system again, and then the necessary IP rules are created correctly.
751584-1 : Custom MIB actions can be blocked by SELINUX permissions
Component: TMOS
Symptoms:
When creating custom MIBs you can execute commands, but you may run into SELINUX permissions issues that prevent the tmctl command from executing.
Conditions:
Executing tmctl calls inside custom MIB procedures.
Impact:
Statistics are not collected for the MIB objects.
Workaround:
None.
751581-3 : REST API Timeout while querying large number of persistence profiles
Component: TMOS
Symptoms:
When you have a large number of collections in BIG-IP, the REST API appears to time out without any response from BIG-IP.
Conditions:
When BIG-IP has a large number of persistence profiles.
Impact:
The REST API times out when it queries the BIG-IP system for persistence profiles. No response is sent for the given REST API request.
Workaround:
When you have a large number of collections, use the paging mechanism.
Refer to https://devcentral.f5.com/d/icontrol-rest-user-guide-version-131-246:
"iControl® REST supports pagination options for large collections."
751540-3 : GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
Component: Global Traffic Manager (DNS)
Symptoms:
GTM changes in some devices are not synced to other GTM-configured devices in the same syncgroup.
Conditions:
-- There are multiple self IP addresses configured on one VLAN.
-- Some, but not all, self IP addresses are configured for GTM server.
Impact:
GTM Sync group not syncing properly.
Workaround:
Configure all self IP addresses in the syncgroup for GTM server.
751448-1 : TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart
Component: TMOS
Symptoms:
There are three major routing participants on a BIG-IP system: TMM, ZebOS, and Linux routing tables. Each of them replicates routes to the others. The 'bigstart restart tmm' command restarts tmm, and a part of the restart process is to mark VLAN interfaces DOWN and later UP. Another part of the same process is to restart the ZebOS daemons.
There is a race condition between these two events, so the following might happen:
1) tmm marks interface named vlan1 as DOWN, and a bit later marks as UP, but not UP and RUNNING.
2) The ZebOS daemons are restarted and ready to update interface status. They request a current status and mark interface UP, not UP and RUNNING.
3) tmm is fully restarted and marks vlan1 UP and RUNNING.
4) The ZebOS daemons reject dynamic routes because interface vlan1 is UP, but not RUNNING.
Conditions:
- BIG-IP Virtual Edition (VE).
- Dynamic routing is configured and there is a device with some dynamic routes.
- You run the 'bigstart restart tmm' command.
Impact:
Traffic that relies on dynamic routes is interrupted. Because this is a race condition, it depends on configuration and timing.
Workaround:
Restart tmrouted daemon using the following command:
bigstart restart tmrouted
751430-1 : Unnecessary reporting of errors with complex denial-of-service policies
Component: Application Security Manager
Symptoms:
In the tmm log files, messages are reported:
016e0002:3: Execution of action 'l7dos enable from-profile=/dos-xyzzy' failed, error ERR_NOT_SUPPORTED
Conditions:
-- ASM provisioned.
-- At least one virtual server configured with a complex L7DoS policy.
Impact:
The BIG-IP system continually logs erroneous error messages to /var/log/ltm.
Workaround:
Attach another 'bot' profile to the virtual server associated with the error.
751409-1 : MCP Validation does not detect when virtual servers differ only by overlapping VLANs
Component: TMOS
Symptoms:
It is possible to configure two virtual servers with the same address, port, and route domain, and have them overlap only in VLANs. MCP does not detect the overlap.
Errors like this may be seen in the ltm log:
err tmm1[29243]: 01010009:3: Failed to bind to address
Conditions:
Two (or more) virtual servers have the same address, port, and route domain, and overlap only in VLANs.
Impact:
Traffic does not get routed properly.
Workaround:
There is no workaround other than ensuring that virtual servers that have the same address, port, and route domain have no overlap of VLANs.
751383-1 : Invalidation trigger parameter values are limited to 256 bytes
Component: WebAccelerator
Symptoms:
Invalidation trigger parameter values are limited to an internal representation of 256 bytes. The values are escaped for regex matching, so the effective value size from the user perspective can be somewhat smaller than 256 bytes. Oversize values result in invalidation of all content on the target policy node.
Conditions:
-- AAM policy with invalidation trigger.
-- Invalidation trigger request with parameter value larger than 256 bytes.
Impact:
All content on target policy node is invalidated rather than the specific content targeted.
Workaround:
None.
751116-1 : DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring
Component: Advanced Firewall Manager
Symptoms:
The DoS visibility screens (Monitoring :: Security :: Reporting :: DoS) may display DNS and Network protocol DoS attacks with the incorrect mitigation details.
Conditions:
An attacked object assigned to a DoS profile with either DNS or Network security protocols that are configured to have detect-only or learn-only states for DoS attacks.
Impact:
Network or DNS DoS attacks, detected by a DoS profile with detect-only or learn-only protection, display mitigation as Blocking instead of the configured Transparent protection. This does not affect the reported traffic data found in the DoS visibility dimensions and charts.
Workaround:
None.
751103-4 : TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop
Component: TMOS
Symptoms:
Issuing the command 'tmsh save sys config' results in a question when display threshold is set and when management routes are configured. There is no prompt when no management routes are configured. This question is posted only when management-routes are configured, and does not appear when other provisioning commands are issued and the config is saved.
Conditions:
1. Set the cli preference display-threshold to a smaller value than the default.
2. Create management routes.
3. Issue the following command:
tmsh save sys config
Impact:
When there are more items configured than the threshold, the system presents a question:
Display all <number> items? (y/n)
Scripts are stopped until the prompt is answered.
Workaround:
To prevent the question from popping up, set display threshold to 0 (zero).
In the case of this script, you can also delete the management route definitions to prevent the question from being asked.
751036-1 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
Component: Local Traffic Manager
Symptoms:
Virtual server status becomes unavailable when the connections are over the rate limit, and stays unavailable when the number of connections falls below the limit.
Conditions:
-- The connections are over the rate limit, making the virtual server status unavailable.
-- The number of connections falls below the limit.
Impact:
Virtual server status reports unavailable, even though it should report available.
This causes DNS to continue to mark the virtual server as unavailable.
Workaround:
This problem does not impact virtual server processing traffic. It simply reports the wrong status.
751024-4 : i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
Component: TMOS
Symptoms:
Messages similar to the following appear in /var/log/ltm:
info bcm56xxd: 012c0012:6: I2C muxes are not cleared. Problem with mux 224:
Conditions:
-- i5000/i7000/i10000 platforms.
-- May be caused by a defective optic, rebooting/upgrading BIG-IP, removing and reinserting optics.
Impact:
Changes in optic state may be ignored while I2C bus is unavailable.
Workaround:
For each SFP, perform the following procedure:
1. Unplug the optic.
2. Wait 10 seconds.
3. Plug the optic back in.
Note: This message might be caused by a defective optic. If error messages stop when one optic is removed, and error messages resume when the optic is inserted, replace that optic.
751021-1 : One or more TMM instances may be left without dynamic routes.
Component: TMOS
Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.
However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.
An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.
Conditions:
This issue is known to occur when all of the following conditions are met:
- The system is a multi-blade VIPRION or vCMP cluster.
- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.
Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.
Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:
# clsh "bigstart restart tmrouted"
However, there is no strict guarantee this will resolve the issue, given the nature of the issue.
Alternatively, you could temporarily replace the dynamic routes with static routes.
750705-2 : LTM logs are filled with error messages while creating/deleting virtual wire configuration
Component: Local Traffic Manager
Symptoms:
LTM logs are filled with error messages when creating/deleting virtual wire config.
Conditions:
Virtual wire is created and then deleted.
Impact:
Error messages are getting logged to ltm.
750702-1 : TMM crashes while making changes to virtual wire configuration
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
This can occur when deleting a virtual-wire configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
750631-2 : There may be a latency between session termination and deletion of its associated IP address mapping
Component: Access Policy Manager
Symptoms:
In SWG, if a new request from a client executes the iRule command "ACCESS::session exists" when the session has expired previously, the command returns false. However, if the command "ACCESS::session create" is executed following the exists command, the session ID of the previous session may be returned.
Conditions:
In SWG, if a new request from a client IP comes into the system right after its previous session has expired.
Impact:
The Access filter will determine that the session ID is stale and, therefore, will redirect the client to /my.policy.
750588-1 : While loading large configurations on BIG-IP systems, some daemons may core intermittently.
Component: TMOS
Symptoms:
When manually copying a large config file and running 'tmsh load sys config' on specific hardware BIG-IP platforms, multiple cores may be observed from different daemons.
Conditions:
This has been observed on i4800 platforms when the 'management' provisioning (corresponding to the provision.extramb DB key) is set to 500 MB or less.
Impact:
The mcp daemon may core and all daemons on the BIG-IP system may be restarted.
Workaround:
Set db key 'provision.extramb' to 1024 or greater.
750491-4 : PEM Once-Every content insertion action may insert more than once during an interval
Component: Policy Enforcement Manager
Symptoms:
Successful PEM content insertion accounting is lost during re-evaluation, resulting in more insertions per insertion interval.
Conditions:
During re-evaluation to update the existing flow.
Impact:
More insert content actions than expected occur when the Once-Every method of the insert content action is used.
Workaround:
None.
750473-4 : VA status changes while 'disabled' are not taken into account after being 'enabled' again
Component: Local Traffic Manager
Symptoms:
The virtual-address network is not advertised with route-advertisement enabled.
Conditions:
1. Using a virtual-address with route advertisement enabled.
2. Disable virtual-address while state is down.
3. Enable virtual-address after state comes up.
Impact:
No route-advertisement of the virtual-address.
Workaround:
Toggle the route-advertisement for virtual-address.
750204-3 : Add support for P-521 curve in the X.509 chain to SSL LTM
Component: Local Traffic Manager
Symptoms:
SSL is unable to verify certificate signed with EC P-521 key.
Conditions:
N/A
Impact:
Client/server authentication (X.509 signature verification) fails when using a certificate signed with an EC P-521 key.
Workaround:
The client/server has to use a certificate signed with a supported EC curve (P-256/P-384).
749761-3 : AFM Policy with Send to Virtual and TMM crash in a specific scenario
Component: Advanced Firewall Manager
Symptoms:
TMM restarts in a specific scenario when AFM Policy is configured in multiple contexts (Global, Route Domain, Virtual Server), with Log Translations enabled, and the Send-To-VS feature configured in at least one of the rules in the Security Policy.
Conditions:
-- When using Firewall ACL Policy in more than one context, i.e., more than one of the following contexts has an ACL Security Policy applied:
+ Global Context
+ Route Domain
+ Virtual Server Context
-- Send To Virtual Server is configured on any Rule on the Security policy.
-- Traffic matching a Rule (with logging enabled) in more than one context.
-- AFM Security Logging Profile has log Translation Field Enabled.
Impact:
TMM restart causes service disruption. Traffic disrupted while tmm restarts.
Workaround:
Disable Logging of Translation Fields in Security Logging Profile.
749528-1 : IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
Component: Service Provider
Symptoms:
Under certain conditions the wrong self-IP can be selected as a source address for connections from an Internal Virtual Server to remote servers.
Conditions:
- Using an Internal Virtual Server (IVS).
- The VLAN being used to connect from the IVS to the server does not have a floating self-IP configured.
- At least one other VLAN has a floating self-IP configured.
- The primary virtual server that connects to the IVS is using SNAT automap.
Impact:
IVS traffic might not be routed properly.
Workaround:
- Configure a floating self-IP on the IVS server side VLAN.
or
- Use a SNAT pool instead of automap.
749519-1 : Error messages seen while running "run sys crypto nethsm-test" tool
Component: Local Traffic Manager
Symptoms:
Error messages similar to the following are seen while running the nethsm-test tool with the command "run sys crypto nethsm-test":
Invalid req_id 1073741841 actual 1073741842 in Message Header: Ignoring the Message
Conditions:
-- Install and configure AWS cloudHSM as the BIG-IP netHSM.
-- Run the command "tmsh run sys crypto nethsm-test".
Impact:
Error messages seen while running "tmsh run sys crypto nethsm-test" with AWS cloudHSM.
Workaround:
You may use aws cloudhsm client 1.0.18 or 1.1.0 to work around this issue.
749477-1 : Provisioning URLDB and SWG simultaneously produces a confusing error message if neither module was originally provisioned
Component: Access Policy Manager
Symptoms:
If you have URLDB or SWG provisioned and try to provision the other, you will get an error message:
The requested provision module (%s) is not compatible with already provisioned module (%s).
This same error message is displayed if neither module was provisioned to start with, and can be confusing.
Conditions:
Attempt to provision SWG and URLDB without either module being originally provisioned
Impact:
You can safely ignore the benign error message.
Workaround:
None.
749383-1 : Audit Log: 'cmd_data=list cm device recursive' messages are generated continuously even though the command has not been executed
Component: Device Management
Symptoms:
The system generates and logs the following message continuously, at the rate of 3 times a minute:
user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm device recursive:.
Conditions:
This occurs in normal operation.
Impact:
All tmsh commands are logged, including commands executed by an internal cron job. As a result, 'cmd_data=list cm device recursive' messages are logged in /var/log/audit even though the command has not been executed by a user. This is designed behavior.
Workaround:
None.
749332 : Client-SSL Object's description can be updated using CLI but not REST
Component: TMOS
Symptoms:
REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error:
SSL forward proxy RSA CA key is missing.
Conditions:
Issue is seen only with REST, and when proxy-ca-cert and proxy-ca-key are not configured.
Impact:
REST cannot be used to update/modify the description.
Workaround:
You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured.
749249-1 : IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP
Component: TMOS
Symptoms:
IPsec tunnels fail to establish and CPUs go to 100%.
Conditions:
- IPsec tunnels configured.
- System has multiple blades.
Impact:
The CPU exhaustion may cause system instability.
The tmm logs may contain large numbers of messages similar to the following:
-- notice SA is not in LARVAL state when receives PFKEY UPDATE: src=50.1.1.53 dst=40.1.1.50 spi=0xc9cd688 proto=0x32 dir=0x1:IN reqid=0.0:0:0x10c81 state=1
Workaround:
For vCMP systems, provision the Guest on one blade only. There is no workaround for bare-metal systems.
749041-2 : MRSIP log of subscriber deletion outputs '(null)' for subscriber URI
Component: Service Provider
Symptoms:
New logging was added for SIP subscriber registration and deletion. The deletion log MRSIPERR_SUBSCRIBER_DELETION_LOG() fails to show the subscriber URI, and instead, /var/log/ltm shows messages similar to the following:
MR_SIP: Subscriber registration deleted (xxx.xxx.xxx.xxx:5060 -> yyy.yyy.yyy.yyy:5060) subscriber URI: (null)
Conditions:
-- A SIP subscriber registration is deleted.
-- The log level DB variable log.mrsip.level is 'notice' or above.
Impact:
Prevents correlation of the deletion with the corresponding registration of the subscriber URI.
Workaround:
None.
748851-3 : Bot Detection injection includes tags which may cause faulty display of application
Component: Application Security Manager
Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.
Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.
Impact:
Some web applications may be displayed incorrectly.
Workaround:
None
748572-2 : Occasionally ramcache might crash when data is sent without the corresponding event.
Component: Access Policy Manager
Symptoms:
Ramcache filter causes crash when sending data without HUDCTL_RESPONSE while in CACHE_COLLECT event.
Conditions:
When the access_policy_trace db variable is enabled, failure in insertion of policy path cookie in the header while sending a redirect to the client might cause the ramcache filter to SIGSEGV.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off the access_policy_trace db variable.
748545-1 : Remove 'sys-unconfig' and 'rhel-configure' binaries and related systemd service
Component: TMOS
Symptoms:
The RHEL-related binaries 'sys-unconfig' and 'rhel-configure' are shipped with BIG-IP when they are not relevant.
Conditions:
Running a BIG-IP v14.1.x release
Impact:
Binaries with RHEL branding that are not used in BIG-IP are installed on the system and generate superfluous files.
Workaround:
N/A
748529-1 : BIG-IP Virtual Edition with cloudhsm integration needs to restart tmm after a fresh install
Component: Local Traffic Manager
Symptoms:
Right after a fresh BIG-IP install to a BIG-IP VE with cloudhsm integration, a nethsm key/cert enabled SSL client profile cannot be applied to a virtual server. A warning will be generated:
warning tmm1[19027]: 01260009:4: Connection error: hud_ssl_handler:1149: invalid profile (40)
Conditions:
Apply an SSL client profile with cloudHSM key/cert at AWS cloud.
Impact:
Virtual server enabled with cloudHSM key/cert can't be configured.
Workaround:
Run "bigstart restart tmm" after the fresh install.
748451-3 : Manager users cannot perform changes in per-request policy properties
Component: Access Policy Manager
Symptoms:
Users with Admin role can edit and administer per-request policy properties. Users with Manager role, which can manage most APM objects, cannot manage this specific one.
Conditions:
A user with the Manager role tries to modify or change per-request policy properties.
Impact:
Cannot manage per-request policy properties if user role is Manager.
Workaround:
There is no workaround other than having an Admin user manage these objects.
748443-1 : Higig MAC recovery mechanism may fail continuously during run time
Component: TMOS
Symptoms:
At runtime, the Higig MAC recovery mechanism might be triggered due to FCS errors. Normally, the recovery mechanism will recover from the issue. However, if it does not recover, the mechanism will continue to run over and over again.
Conditions:
May be related to the traffic pattern the blade is processing.
Impact:
The blade stays in the Inoperative state and is not able to pass traffic.
Workaround:
Manually reboot the blade.
748355-2 : MRF SIP curr_pending_calls statistic can show negative values.
Component: Service Provider
Symptoms:
Certain irregular SIP message patterns may produce an erroneous curr_pending_calls value that can drop below zero and underflow.
Conditions:
Uncommon message flows like re-transmitted INVITE or OK responses can trigger the issue, which may be brought about at times by lost packets when using UDP.
Impact:
SIP curr_pending_calls may show incorrect values.
748295-1 : TMM crashes on shutdown when using virtio NICs for dataplane
Component: TMOS
Symptoms:
TMM crash on stop or restart.
Conditions:
1. Put the virtio NIC in a bad state while TMM is running (for example, detach the NIC from the host).
2. Run the following command: bigstart stop tmm
Impact:
TMM crash generates a core file. However, there is no impact on traffic as the device is already in a bad state before the crash.
Workaround:
None.
748070 : API Protection feature inadvertently allows editing of associated access policy
Component: Access Policy Manager
Symptoms:
This release contains a feature called API Protection. API Protection access policies are hidden from the user interface in most areas except the log settings area.
Conditions:
Modifying API Protection access policy from Access :: Overview :: Event Logs :: Settings.
Impact:
If the API protection policy / profile is modified outside of API Protection GUI, the 'Apply Access Policy' may become activated with no way to deactivate it.
Workaround:
Navigate to the API Protection area and modify any part of the API Protection profile. This causes it to re-deploy, at which time the system clears the 'Apply Access Policy' prompt.
748052-1 : pkcs11 test utility is failing when running nethsm-test on BIG-IP systems configured for AWS CloudHSM
Component: Local Traffic Manager
Symptoms:
When using the nethsm-test tool to validate netHSM installation and configuration on the BIG-IP system, running the command 'tmsh run sys crypto nethsm-test' fails.
Conditions:
-- AWS CloudHSM installed and configured as BIG-IP netHSM.
-- Running nethsm-test.
Impact:
Failure to run command: tmsh run sys crypto nethsm-test. pkcs11 test utility fails.
Workaround:
None.
748044 : RAID status in tmsh is not updated when disk is removed or rebuild finishes
Component: TMOS
Symptoms:
'tmsh show sys raid' shows stale information
When the RAID status changes because a disk fails, is pulled without being removed from the RAID, or when RAID rebuild completes, the new status is not updated to be visible in tmsh.
Log messages, SNMP traps and alerts associated with the change in RAID status do not appear.
Conditions:
-- Platforms that support RAID running 14.0.0 or later.
-- Running the command: tmsh show sys raid.
Impact:
'tmsh show sys raid' output might show disk as ok when it has actually failed, or may show the disk as rebuilding when it is actually ok.
Workaround:
From a bash shell run the command 'array' to see the correct state of the RAID.
If a disk has failed or been removed, the following tmsh command removes the disk from the RAID:
tmsh mod sys raid array <arrayName> remove <DiskName>
748031-1 : Invalidation trigger parameter containing reserved XML characters does not create invalidation rule
Component: WebAccelerator
Symptoms:
If a parameter value for an invalidation trigger contains reserved XML characters, compilation of the resulting invalidation rule fails due to the reserved characters not being escaped.
Conditions:
- AAM policy with invalidation trigger defined
- trigger request with parameter value(s) containing reserved XML characters
Impact:
The invalidation rule requested by the trigger request is not created. Content is not invalidated as expected.
Workaround:
No workaround exists.
747960-2 : BIG-IP VE with 1nic does not handle fragmented traffic to webui or ssh properly
Component: Performance
Symptoms:
Attempts to send fragmented packets destined for SSH or the webui of BIG-IP VE running with 1 NIC will fail. This is a rare situation generally, but one noted area where we have seen it is when BIG-IQ attempts to discover the BIG-IP.
Conditions:
BIG-IP VE configured with 1 network interface. Send IP fragmented traffic to either SSH or the web interface (TCP/8443 for 1nic).
Impact:
The IP fragments will not be properly reassembled and the connection will ultimately fail. This is only an issue for IP fragmented traffic sent with 1nic destined for SSH or the webui.
Workaround:
Prevent IP fragmentation, or configure multiple network interfaces.
747676-3 : Remote logging needs 'localip' to set source IP properly
Component: TMOS
Symptoms:
The source IP of log entries sometimes uses the self IP.
Conditions:
This happens when configuring the management IP and route is slower than syslog-ng startup.
This issue also occurs in HA scenarios.
Impact:
Remote log entry has wrong source IP address.
Workaround:
Use the localip keyword to force a specific IP address:
udp("1.1.1.9" port (514) localip("100.100.100.101"));
In an HA configuration, also use the persist-name keyword, or syslog-ng may fail to start:
# setting for device A
udp("1.1.1.9" port (514) localip("100.100.100.101") persist-name(devA));
# setting for device B
udp("1.1.1.9" port (514) localip("100.100.100.102") persist-name(devB));
747225-1 : PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart
Component: Advanced Firewall Manager
Symptoms:
When there are scheduled firewall rules and per-policy compilation optimization is enabled, PCCD may enter a crash loop after a new build is installed. In very rare cases this can happen after a regular BIG-IP restart. Per-policy compilation optimization is enabled by default: the sys db variable pccd.perpolicycompilation is true.
Conditions:
-- AFM is licensed and provisioned.
-- There are scheduled firewall rules.
-- Per-policy compilation optimization enabled (sys db variable pccd.perpolicycompilation is true)
-- The BIG-IP system is upgraded or restarted
Impact:
After this failure, a rare problem is that PCCD crashes continuously. The new firewall configuration is not applied to data traffic; the pre-upgrade firewall configuration is still applied to data traffic.
Workaround:
Set sys db variable pccd.perpolicycompilation to false.
747203-2 : Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
Component: TMOS
Symptoms:
-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.
Conditions:
-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers results in distributing legs of processing one flow across several tmm instances.
Impact:
NATT/ESP tunnel flows can end with a RST reset.
Workaround:
None.
747065-2 : PEM iRule burst of session ADDs leads to missing sessions
Component: Policy Enforcement Manager
Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.
Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.
Impact:
Policies available in the missing session cannot be accessed.
Workaround:
Add a delay of at least a few milliseconds between adding multiple sessions with the same subscriber-id and IP address.
746922-6 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
Component: Local Traffic Manager
Symptoms:
When a routing entity belonging to the child route domain searches for an egress point for a traffic flow, it searches for a routing entry in the child domain first. If nothing is found, it searches the parent route domain and returns the best routing entry found.
If the best routing entry from the parent route domain is selected, it is held by the routing entity and used to forward the traffic flow. Later, a new route entry may be added to the child route domain's routing table, and this entry might be better than the previously selected one. But the previously selected entry is not invalidated, so the routing entity holding it keeps forwarding traffic to a less-preferable egress point.
Example:
RD0 (parent) -> RD1 (child)
Routing table: the default gateway for RD0 is 0.0.0.0/0%0.
Pool member is 1.1.1.1/32%1.
The pool member searches for the best egress point, finds nothing in the routing table for route domain 1, and then finds a routing entry from the parent route domain: 0.0.0.0/0%0.
Later, a new gateway for RD1 is added: 0.0.0.0/0%1. It is preferable for the 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, which in this case is 0.0.0.0/0%1.
Conditions:
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. New routing entry for child route domain is added.
Impact:
If a newly added route is preferable to an existing one in a different route domain, the new, preferable route is not used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.
Workaround:
Use either of these workarounds after a new route is added in the child domain.
-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.
-- Recreate a routing object.
- If a pool member is affected, recreate the pool member.
- If a SNAT pool list is affected, recreate it.
- And so on.
746837-2 : AVR JS injection can cause error on page if the JS was not injected
Component: Application Visibility and Reporting
Symptoms:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR 'promises' to the client a JS injection in the response by adding the expected length of the JS to the Content-length header.
If later, it is identified that the response contains no HTML tag, AVR does not inject the JS; instead it wraps the response with spaces.
This can lead to errors in cases where the change in response size is not supported.
Conditions:
AVR is configured to collect 'Page Load Time' and the response from the web server has these conditions:
-- The response is uncompressed.
-- The Content-Type header is text/html.
-- The response is not chunked (Content-Length header exists).
-- The payload does not include the HTML head tag.
Impact:
White space at the end of the page can cause it to be invalid for some applications.
Workaround:
To avoid trying to inject to pages where the JS does not fit, use iRules to control which pages should get the JS injection.
For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.
746758-3 : Qkview produces core file if interrupted while exiting
Component: TMOS
Symptoms:
If, during qkview operation's exit stage, it is interrupted (with Ctrl-C for example), it produces a core file.
Conditions:
-- Qkview is exiting.
-- The qkview operation receives an interrupt.
Impact:
A core file is produced.
Workaround:
When closing qkview, or if it is closing, do not interrupt it; wait for it to exit.
746731-1 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}
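To confirm on a captured Capabilities Exchange Request whether the Firmware-Revision AVP (code 267) carries the Mandatory bit, and what zeroing its flags changes on the wire, the following added example (not F5 code) parses the standard DIAMETER header and AVP layout. The sample message, host name and helper names are constructed for illustration.

```python
import struct

FLAG_V = 0x80  # Vendor-Specific bit: a 4-byte Vendor-ID follows the AVP header
FLAG_M = 0x40  # Mandatory bit
CER_COMMAND = 257
ORIGIN_HOST = 264
FIRMWARE_REVISION = 267


def build_avp(code, flags, data):
    """Encode one AVP without Vendor-ID: code(4) flags(1) length(3) data, padded to 4 bytes."""
    length = 8 + len(data)            # AVP length covers header and data, not padding
    padding = (-length) % 4
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + b"\x00" * padding


def build_message(command, avps):
    """Encode a DIAMETER request: 20-byte header followed by the AVPs."""
    body = b"".join(avps)
    total = 20 + len(body)
    header = (b"\x01" + total.to_bytes(3, "big")       # version 1, message length
              + b"\x80" + command.to_bytes(3, "big")   # R (request) flag, command code
              + struct.pack("!III", 0, 1, 1))          # application id, hop-by-hop, end-to-end
    return header + body


def command_code(message):
    return int.from_bytes(message[5:8], "big")


def iter_avps(message):
    """Yield (offset, code, flags, data) for every AVP, validating lengths as it goes."""
    if len(message) < 20 or message[0] != 1:
        raise ValueError("not a DIAMETER version 1 message")
    total = int.from_bytes(message[1:4], "big")
    if total != len(message):
        raise ValueError("message length field does not match buffer size")
    offset = 20
    while offset < total:
        if offset + 8 > total:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", message, offset)
        length = int.from_bytes(message[offset + 5:offset + 8], "big")
        header_len = 12 if flags & FLAG_V else 8
        if length < header_len or offset + length > total:
            raise ValueError("bad AVP length")
        yield offset, code, flags, message[offset + header_len:offset + length]
        offset += length + (-length) % 4   # skip padding to the next 4-byte boundary


def mandatory_avps(message, code):
    """Return offsets of AVPs with the given code that have the Mandatory bit set."""
    return [off for off, c, flags, _ in iter_avps(message) if c == code and flags & FLAG_M]


def clear_flags(message, code):
    """Return a copy with the flags of matching AVPs cleared.

    The V bit is kept so a Vendor-ID field, if present, still parses; for
    AVP 267, which has no Vendor-ID, the result is 0, the value the iRule sets.
    """
    out = bytearray(message)
    for off, c, flags, _ in iter_avps(message):
        if c == code:
            out[off + 4] = flags & FLAG_V
    return bytes(out)


# Constructed sample: a minimal CER with Firmware-Revision sent with the M bit set.
SAMPLE_CER = build_message(CER_COMMAND, [
    build_avp(ORIGIN_HOST, FLAG_M, b"bigip.example.test"),
    build_avp(FIRMWARE_REVISION, FLAG_M, struct.pack("!I", 14)),
])

if __name__ == "__main__":
    print("command:", command_code(SAMPLE_CER))
    print("267 with M bit at offsets:", mandatory_avps(SAMPLE_CER, FIRMWARE_REVISION))
    fixed = clear_flags(SAMPLE_CER, FIRMWARE_REVISION)
    print("after clearing:", mandatory_avps(fixed, FIRMWARE_REVISION))
```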
746719-1 : SERVFAIL when attempting to view or edit NS resource records in zonerunner
Component: Global Traffic Manager (DNS)
Symptoms:
While attempting to use ZoneRunner to edit NS resource records, getting error:
01150b21:3: RCODE returned from query: 'SERVFAIL'.
Conditions:
- An NS resource record is selected using the zonerunner GUI
- The NS record points to a zone that bind is not authoritative for.
- Recursion is enabled on the zone in question
- The bind process is not able to reach the nameserver referenced in the NS record.
Impact:
Administrator is unable to use ZoneRunner to edit NS records.
Workaround:
Set recursion to no for the appropriate zone, perform the change, set recursion back to yes.
Note: This will impact any clients expecting recursion for the duration of the change.
746704-2 : Syslog-ng Memory Leak
Component: TMOS
Symptoms:
After a long uptime (almost a year) syslog-ng had consumed 1.1G of virtual memory on BIG-IP.
Conditions:
Memory leak when syslog-ng handles continuous SIGHUP signals.
Impact:
Minimal. This is a leak of virtual memory. If syslog-ng does not read or write to this memory, it will not consume physical memory.
Workaround:
Run this command once a month:
service syslog-ng restart
746620-3 : "source-port preserve" does not work on BIG-IP Virtual Edition
Component: Performance
Symptoms:
BIG-IP Virtual Edition uses RSS hashing for selecting TMMs which has the side effect of causing "source-port preserve" to reuse ports aggressively. This can ultimately lead to connection failures.
Conditions:
BIG-IP Virtual Edition with "source-port preserve" configured on a fastl4 virtual server, where VE configures RSS hash. VE configures RSS hash if both of the following conditions are met:
1. VE supports RSS hash on the NIC. Currently, RSS is supported on ixlv and vmxnet3 NICs.
2. The number of TMMs <= maximum number of queues supported by the NIC. For ixlv this is 4 and for vmxnet3 this is 8.
Impact:
Connections may fail due to reusing ports too quickly.
Workaround:
On the Virtual Server, set source-port to "change".
746483-2 : The autodosd process consumes a lot of memory and continuously restarts.
Component: Advanced Firewall Manager
Symptoms:
The autodosd process consumes a lot of memory and continuously restarts.
(The autodosd process is a control plane process which supports the BIG-IP AFM DoS Auto Threshold feature.)
Conditions:
Many virtual servers (e.g., 1,020) with dos-profiles attached, even if no DoS vector is enabled.
Impact:
The BIG-IP system continuously restarts.
Workaround:
Set sys db dos.auto.threshold.learnalways to false.
This sys db variable controls whether the BIG-IP system should also learn/store traffic history and calculate the auto-thresholds when it is in manual-threshold mode. The default is on (always learn).
746464-1 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
746348-2 : On rare occasions, gtmd fails to process probe responses originating from the same system.
Component: Global Traffic Manager (DNS)
Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.
Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.
Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.
Workaround:
Restart gtmd on the affected BIG-IP system.
746152-1 : Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column
Component: TMOS
Symptoms:
The DMA drop packet and bytes registers (rqm_dma_drp_pkts and rqm_dma_drp_bytes in the tmm/hsbe2_internal_pde_ring table) can have huge numbers, which appear to be close to multiples of 4G (2^32). The count reported in the register from hsb_snapshot shows a very small number:
From tmm/hsbe2_internal_pde_ring:
name             active  bus  rqm_dma_drp_pkts  rqm_dma_drp_bytes
---------------- ------  ---  ----------------  -----------------
lbb0_pde1_ring2  1       2    17179869185       4398046511186
lbb0_pde1_ring3  1       2    8589934597        2199023256108
lbb0_pde2_ring0  1       2    0                 0
lbb0_pde2_ring1  1       2    0                 0
lbb0_pde2_ring2  1       2    8589934592        2199023255552
lbb0_pde2_ring3  1       2    0                 0
lbb0_pde3_ring0  1       2    0                 0
lbb0_pde3_ring1  1       2    0                 0
lbb0_pde3_ring2  1       2    8589934592        2199023255552
lbb0_pde3_ring3  1       2    0                 0
lbb0_pde4_ring0  1       2    0                 0
lbb0_pde4_ring1  1       2    0                 0
lbb0_pde4_ring2  1       2    8589934592        2199023255552
lbb0_pde4_ring3  1       2    0                 0
lbb1_pde1_ring1  1       3    0                 0
lbb1_pde1_ring2  1       3    4294967298        1099511627952
From hsb_snapshot for pde1's ring 0 to ring 3:
50430: 00000000 rqm_dma_drp_pkt_cnt_4
50530: 00000000 rqm_dma_drp_pkt_cnt_5
50630: 00000001 rqm_dma_drp_pkt_cnt_6
50730: 00000005 rqm_dma_drp_pkt_cnt_7
Conditions:
The register reads sometimes return a 0 value.
Impact:
The DMA drop stats are not accurate
Workaround:
Restarting tmm can reset the stats, but it will disrupt traffic.
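The sample values above can be checked mechanically. The following added example (not F5 code) parses rows in the tmm/hsbe2_internal_pde_ring layout and splits each counter into its multiple of a power of two and the low-order remainder, which for pde1 ring2 and ring3 equals the hsb_snapshot values (1 and 5). The 40-bit width used for the bytes column and the `accumulate` model of how a spurious zero read could inflate a running total are assumptions inferred from the sample data, not behavior described on this page.

```python
# Rows copied from the tmm/hsbe2_internal_pde_ring table on this page:
# name, active, bus, rqm_dma_drp_pkts, rqm_dma_drp_bytes
SAMPLE_TABLE = """\
name active bus rqm_dma_drp_pkts rqm_dma_drp_bytes
lbb0_pde1_ring2 1 2 17179869185 4398046511186
lbb0_pde1_ring3 1 2 8589934597 2199023256108
lbb0_pde2_ring0 1 2 0 0
lbb0_pde2_ring2 1 2 8589934592 2199023255552
lbb1_pde1_ring2 1 3 4294967298 1099511627952
"""

PKT_BITS = 32   # the page reports packet counts near multiples of 2^32
BYTE_BITS = 40  # assumption inferred from the sample values, not stated on the page


def split_counter(value, bits):
    """Split a reported counter into (multiples of 2**bits, low-order remainder)."""
    return divmod(value, 1 << bits)


def analyse(table_text):
    """Parse table rows and return one dict per ring with both counters decomposed."""
    results = []
    for line in table_text.splitlines():
        fields = line.split()
        # Skip headers, separators and anything that is not a 5-column data row.
        if len(fields) != 5 or not all(f.isdigit() for f in fields[1:]):
            continue
        name, pkts, byts = fields[0], int(fields[3]), int(fields[4])
        pkt_excess, pkt_low = split_counter(pkts, PKT_BITS)
        byte_excess, byte_low = split_counter(byts, BYTE_BITS)
        results.append({
            "name": name,
            "pkt_excess": pkt_excess, "pkt_low": pkt_low,
            "byte_excess": byte_excess, "byte_low": byte_low,
            # Any non-zero excess marks a total inflated beyond the register width.
            "suspect": pkt_excess > 0 or byte_excess > 0,
        })
    return results


def accumulate(reads, bits):
    """Hypothetical wrap-aware accumulator (not BIG-IP code): sums the deltas
    between successive register reads and treats any decrease as a wrap."""
    total, prev = 0, 0
    for value in reads:
        total += (value - prev) % (1 << bits)
        prev = value
    return total


if __name__ == "__main__":
    for row in analyse(SAMPLE_TABLE):
        print(row)
    # The register really holds 5, but two of the reads spuriously return 0.
    print(accumulate([5, 0, 5, 0, 5], PKT_BITS))
```

With these widths, every affected ring shows the same excess count in both columns (4, 2, 2 and 1 in the sample rows), which is what a shared cause such as a spurious zero read would produce.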
746137-1 : DNSSEC: Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds
Component: Global Traffic Manager (DNS)
Symptoms:
Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds even though the configuration appears to be the same on each GTM in the sync group. This lasts until another change is committed to the database (for example, creating a new unrelated object such as a gtm wideip).
Conditions:
The user creates a new DNSSEC Zone.
Impact:
gtmd may attempt to sync every 10 seconds until another configuration change is made.
Workaround:
If the user makes another unrelated configuration change, like creating a gtm datacenter or wideip, the attempt to sync every 10 seconds will stop.
746122-1 : 'load sys config verify' resets the active master key to the on-disk master key value
Component: TMOS
Symptoms:
Master key is reset to an older value which may differ from the 'active' value.
Conditions:
Configuration is validated via 'tmsh load sys config verify'.
Impact:
Configuration elements may be encrypted with a different key leading to a corrupt configuration state. If the configuration is saved, future loads will fail.
Workaround:
None.
745682-1 : Failed to parse X-Forwarded-For header in HTTP requests
Component: Local Traffic Manager
Symptoms:
Failed to parse X-Forwarded-For header. This results in failure when extracting proper values in DOSL7.
Conditions:
-- 'Accept XFF' is enabled in HTTP profile. HTTP profile is added to the virtual server.
-- Bot Defense profile is added to the virtual server.
-- HTTP request contains 'X-Forwarded-For' header.
Impact:
DOSL7 does not receive the proper values for X-Forwarded-For.
Workaround:
None.
745663-3 : During traffic forwarding, nexthop data may be missed at large packet split
Component: Local Traffic Manager
Symptoms:
When splitting large packets, nexthop data is used for the first small packet, but missed in subsequent packets.
Conditions:
Forward of host LRO packet (e.g., FTP data-channel).
Impact:
Heavy packet loss, re-transmissions, and delays.
Workaround:
None.
745589-6 : In very rare situations, some filters may cause data-corruption.
Component: Local Traffic Manager
Symptoms:
In very rare situations, an internal data-moving function may cause corruption.
Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.
Conditions:
The affected filters are used, and some very rare situation occurs.
Impact:
This may cause silent data corruption, or a TMM crash.
Workaround:
There is no workaround at this time.
745545-1 : CMP forwarded LRO host packets do not restore LRO flag
Component: Local Traffic Manager
Symptoms:
When packets are being CMP forwarded for the host (e.g., related connection), the LRO flag is not being restored. As a result, these packets do not go through TSO which results in PMTU response and the connection hangs.
Conditions:
This issue is particular to CMP forwarded host connections which are going over the TMM interface due to explicit LRO and large MTU.
Impact:
The connection hangs.
Workaround:
There is no workaround.
745465-1 : The tcpdump file does not provide the correct extension
Component: TMOS
Symptoms:
The output file from tcpdump generation is named support.tcpdump even though it is a compressed file.
Conditions:
Whenever tcpdump is generated and downloaded.
Impact:
You must rename the file with the correct file extension and then decompress it to access the .dmp files.
Workaround:
Rename the downloaded file from support.tcpdump to <filename>.tar.gz and decompress it.
745291-2 : The BIG-IP HTTP2 filter makes inappropriate assumptions about requests and responses without content lengths
Component: Local Traffic Manager
Symptoms:
HTTP2 differs from HTTP1 in that it is possible to have a request or response without a Content-Length header, and have the connection remain open afterwards. The HTTP2 framing allows the end of such a request or response to be detected.
This difference can cause the HTTP framework within the BIG-IP system to become confused in certain HTTP2 scenarios. This can lead to inappropriate traffic handling of HTTP2 requests and responses.
Conditions:
-- An HTTP2 request or response is seen without a Content-Length header.
-- The HTTP2 request is either sent in multiple frames, or in a single frame followed by one or more Data frames.
-- That request or response would require a Content-Length (or Transfer-Encoding: Chunked) in HTTP 1.x.
Impact:
-- HTTP2 traffic handling can fail if no Content-Length header exists, and one is expected in HTTP 1.x.
-- The Data Frames are not sent to the HTTP1 server side.
-- In certain scenarios, the HTTP1 side sends the pool member response back to the pool member. That results in an RST of the backend-side connection, with the following message in /var/log/ltm:
[F5RST(peer): HTTP2 internal error (bad state transition in egress_complete)]
Workaround:
None.
745285 : Virtual server configured with destination address list may not respond to ARP and ICMP echo
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured with a destination address list, some of the address ranges within the list may be configured as a subnet virtual address. Subnet virtual addresses do not respond to ARP and ICMP echo. This is in line with the traditional subnet listeners.
Conditions:
A virtual server is configured with destination address list, that contains address ranges.
Impact:
Addresses may behave differently in a destination address list depending on whether the address is configured as a host or as part of a range.
Workaround:
If the addresses of a destination address list are desired to behave as hosts, then do not add address ranges to the list, but add them as a list of individual addresses.
745261-2 : The TMM process may crash in some tunnel cases
Component: TMOS
Symptoms:
When Direct Server Return (DSR) or asymmetric routing with a tunnel is deployed, the TMM process may crash.
Conditions:
There are two scenarios that may lead to this issue:
Scenario 1: DSR
- DSR is deployed.
Scenario 2: Asymmetric routing
- The sys db variable connection.vlankeyed is set to 'disable'.
- A VLAN and a tunnel are used to handle asymmetric routing.
Impact:
The TMM process crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
745035-2 : gtmd crash
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd crashes
Conditions:
This rarely occurs when an iQuery connection is abnormally terminated.
Impact:
Under rare circumstances, gtmd may crash and restart.
Workaround:
None
744924-1 : Bladed unit goes offline after UCS install
Component: TMOS
Symptoms:
Unit goes offline after UCS install. Secondary blades go offline. This lasts about a minute, and then the system goes back online.
Conditions:
After UCS install.
Impact:
-- Limited high availability (HA) capabilities (failover, sync, mirroring, etc.).
-- Cluster reduced to a single blade immediately after UCS install, which might impact performance.
Workaround:
None.
744787-4 : Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
Component: Global Traffic Manager (DNS)
Symptoms:
WideIP alias will be replaced.
Conditions:
There is an existing alias for a WideIP and adding the same alias for another WideIP.
Impact:
The previous WideIP will be replaced.
Workaround:
Avoid adding an existing WideIP alias to another WideIP.
744743-1 : Rolling DNSSEC Keys may stop generating after BIG-IP restart
Component: Global Traffic Manager (DNS)
Symptoms:
Rolling DNSSEC Keys may stop generating when a BIG-IP system restarts.
Conditions:
BIG-IP system gets restarted by calling 'bigstart restart' command.
Impact:
Rolling DNSSEC keys can stop generating.
Workaround:
None.
744730-1 : After increasing the disk size on a VE or VCMP guest a manual reboot is required for the increase to go into effect.
Component: TMOS
Symptoms:
When the disk on a BIG-IP Virtual Edition (VE) or VCMP guest is increased, the larger disk is allocated, but the VE or VCMP guest is not able to use the extra space initially.
A manual reboot allows the system to use the extra space.
The desired behavior is for BIG-IP to reboot by itself.
Conditions:
This occurs when you launch BIG-IP Virtual Edition or VCMP guest with a larger system disk than was provisioned initially.
Impact:
BIG-IP cannot use the extra space.
Workaround:
Manually reboot the affected system.
744520-1 : virtual server with PEM profile drops traffic received from Vxlan-GRE tunnel interface
Component: TMOS
Symptoms:
Virtual server with PEM profile drops traffic received from Vxlan-GRE tunnel interface.
Conditions:
Virtual server with PEM profile and Vxlan-GRE tunnel interface.
Impact:
Traffic drop.
Workaround:
There is no workaround.
744407-3 : While the client has been closed, iRule function should not try to check on a closed session
Component: Access Policy Manager
Symptoms:
tmm cores. System posts a message:
access::session exists is used during CLIENT_CLOSED iRule event.
Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'ACCESS::session exists' command is used inside the iRule event CLIENT_CLOSED.
Impact:
tmm may core. Traffic disrupted while tmm restarts.
Workaround:
Do not use the iRule command 'ACCESS::session exists' inside CLIENT_CLOSED.
744316-4 : Config sync of APM policy fails with Cannot update_indexes validation error.
Component: Access Policy Manager
Symptoms:
Config sync operation fails for an APM policy when a policy item of the same name points to a different agent on the source and target.
The system posts errors similar to the following:
Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)"
Conditions:
This occurs in the following scenario:
1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
+ Launch VPE for the policy.
+ Add a macro.
+ In macro add an agent, e.g., Message box.
+ Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.
Impact:
Unable to sync configuration in a failover device group.
Workaround:
You can work around this using the following procedure:
1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.
744252-2 : BGP route map community value: either component cannot be set to 65535
Component: TMOS
Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.
Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.
Impact:
Unable to use the full range of BGP route map community values.
Workaround:
There is no workaround at this time.
743946-2 : Tmsh loads schema versions 12.x and earlier which are no longer supported★
Component: TMOS
Symptoms:
BIG-IP systems support directly upgrading to a new version from the previous two major BIG-IP versions.
Thus, upgrading to BIG-IP version 15.x from BIG-IP version 13.x, 14.x or 15.x is supported.
Similarly, tmsh and iControl REST interfaces allow a previous version to be specified, to interpret commands and format responses according to the specified schema versions.
Thus, schema versions 13.x, 14.x and 15.x are supported by tmsh and iControlREST.
However:
Affected versions of BIG-IP version 15.x still load unsupported 12.x and 11.x tmsh schema versions.
Affected versions of BIG-IP version 14.x still load unsupported 11.x tmsh schema versions.
Conditions:
This occurs on affected versions of BIG-IP.
Impact:
Instances of tmsh consume more memory (averaging approximately 16MB per instance on BIG-IP version 15.1.0) due to loading unsupported 12.x and 11.x schemas.
If a large number of tmsh instances are loaded (due to a large number of users logged in, and particularly a large number of remotely-authenticated users), tmsh memory consumption can contribute to out-of-memory conditions.
Workaround:
None.
743815-2 : vCMP guest observes connflow reset when a CMP state change occurs.
Component: TMOS
Symptoms:
There is a connflow reset when a CMP state change occurs on a vCMP guest. The system posts log messages similar to the following: CMP Forwarder expiration.
Conditions:
-- vCMP configured.
-- Associated virtual server has a FastL4 profile with loose init and loose close enabled.
Impact:
This might interrupt a long-lived flow and eventually cause an outage.
Workaround:
None.
743234-4 : Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons
Component: TMOS
Symptoms:
Configuring EngineID for SNMPv3 does not take effect until the SNMP and Alert daemons are restarted.
Conditions:
Configure the EngineID for SNMPv3 using the tmsh command:
modify sys snmp include 'EngineType n'
Impact:
The SNMPv3 value does not take effect.
Workaround:
Restart the daemons after changing the EngineID:
restart /sys service snmpd
restart /sys service alertd
Note: The SNMP daemon should be restarted before the Alert daemon.
743132-6 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
Component: TMOS
Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.
Conditions:
Chassis platform with multiple blades.
Setting the httpd ssl-certificate to a new file.
Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.
Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.
742838-1 : A draft policy of an existing published policy cannot be modified if it is in /Common and is used by a virtual server in a different partition
Component: Local Traffic Manager
Symptoms:
If you have a published policy in /Common that is in use by a virtual server in a different partition, if you try to create and modify a draft of the existing policy, you will get an error like this:
"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"
This happens in both the GUI and TMSH.
Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.
Impact:
Inability to edit the published policy.
Workaround:
None.
742753-4 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail
Component: TMOS
Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.
Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:
- Remove the Referer header.
- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.
Impact:
Users cannot log on to the BIG-IP system's WebUI.
Workaround:
As a workaround, you can do any of the following things:
- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).
- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).
- Modify the proxy solution so that it inserts compatible Referer and Host headers.
742628-3 : Tmsh session initiation adds increased control plane pressure
Solution Article: K53843889
Component: TMOS
Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.
Conditions:
Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.
Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.
Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:
tmsh modify /auth user ADMINUSERNAME shell bash
742603-1 : WebSocket Statistics are updated to differentiate between client and server sides
Component: Local Traffic Manager
Symptoms:
The WebSocket feature has statistics that record the number of each type of frame seen. These statistics do not differentiate between client and server sides.
Conditions:
The WebSocket profile is used to add WebSocket protocol parsing.
Impact:
WebSocket Traffic Statistics may be misleading.
Workaround:
None.
742549-2 : Cannot create non-ASCII entities in non-UTF ASM policy using REST
Component: Application Security Manager
Symptoms:
You cannot create non-ASCII entities (such as URLs and parameters) in a non-UTF-8 policy using REST.
Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII entries using REST.
Impact:
You cannot create an entity (such as a URL or parameter) which contains non-ASCII characters using REST.
Workaround:
Use UTF-8.
742170-2 : REST PUT command fails for data-group internal
Component: TMOS
Symptoms:
Cannot change content of existing data-group internal using REST PUT command.
Conditions:
-- Using REST API.
-- Creating and updating data-group in a single transaction.
Impact:
Cannot modify data-group internal via the REST API.
Workaround:
Add 'type' in the content.
Note: This change in behavior occurred as the result of a different change in the software. Previously, you could not create and update data-group in a single transaction. Now you can, but you must also specify 'type'.
742120-1 : MCPd crash seen during load sys config
Component: Advanced Firewall Manager
Symptoms:
If the system is gathering IP intelligence category stats (e.g., by issuing the following command: show security ip-intelligence global-policy ip-intelligence-categories) and simultaneously you issue the command 'load sys config', MCPd might crash while fetching the stats.
Conditions:
-- IP intelligence category stats are being fetched.
-- The command 'load sys config' is executed.
Impact:
MCPd restarts. Traffic disrupted while the daemon restarts.
Workaround:
There is no workaround other than not gathering IP intelligence category stats while the load sys config operation is being performed.
742105-2 : Displaying network map with virtual servers is slow
Component: TMOS
Symptoms:
The network map loads slowly when it contains lots of objects.
Conditions:
Load the network map in a configuration that contains 1000 or more objects.
Impact:
The network map loads very slowly.
Workaround:
None.
741676-2 : Intermittent crash switching between tunnel mode and interface mode
Component: TMOS
Symptoms:
Changing the policy mode for an IPsec tunnel can crash when switching back and forth between tunnel mode and interface mode.
Conditions:
Changing mode in ipsec-policy from tunnel to interface, or vice versa.
Impact:
A tmm restart, after a core, interrupts all IPsec tunnel service until new SAs are negotiated to replace the old ones.
Workaround:
Start with desired mode, tunnel or interface, and avoid changing the value from one to the other.
741213-2 : Modifying disabled PEM policy causes coredump
Component: Policy Enforcement Manager
Symptoms:
TMM undergoes core dump after a disabled policy has a new rule added.
Conditions:
-- Add a rule to disabled PEM policy.
-- Enable the PEM policy, and this policy is applied by PCRF.
-- Traffic is generated for this subscriber.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
Modify a PEM policy only when the policy is enabled.
740977-1 : Tracert and traceroute from client does not display route path
Component: Local Traffic Manager
Symptoms:
When performing a traceroute or tracert from the client side, the route path that is taken is not displayed.
Conditions:
-- On any Microsoft Windows or Linux client that is connected to a BIG-IP system running software v14.1.x.
-- Clients connecting through APM Network Access are also impacted.
Impact:
The traceroute path is not shown.
Workaround:
None.
740589-1 : Mcpd crash with core after 'tmsh edit /sys syslog-all-properties'
Component: TMOS
Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.
Conditions:
Configuring nonexistent local IP addresses and remote log server.
Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.
Workaround:
To mitigate the issue, you can use either of the following:
-- Follow these two steps:
1. Remove the remote log server from the configuration.
2. Replace the nonexistent local IP addresses with self IP addresses.
-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(190.45.32.51 port(514) localip(190.46.2.221) persist-name(r1));
udp(190.45.32.51 port(514) localip(190.46.2.222) persist-name(r2));
udp(190.200.60.1 port(514) localip(190.46.2.221) persist-name(r3));
udp(190.200.60.1 port(514) localip(190.46.2.222) persist-name(r4));
739820-1 : Validation does not reject IPv6 address for TACACS auth configuration
Component: TMOS
Symptoms:
TACACS authentication does not support IPv6 address for the authentication server, but both GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like
Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)
Conditions:
Use the GUI or TMSH to create or modify a TACACS server.
Impact:
Remote authentication will fail unless a second server is configured with an IPv4 address.
Workaround:
Do not configure an IPv6 address for the TACACS server.
739618-2 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
Component: Application Security Manager
Symptoms:
When using AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set rule to control ASM in an LTM policy.
Conditions:
- AWAF or MSP license
Impact:
Admin cannot use the BIG-IP Configuration Utility to create an LTM policy that controls ASM, and must use TMSH.
Workaround:
Use TMSH to create the rule instead of GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}
739553-1 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
Component: Global Traffic Manager (DNS)
Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.
Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.
Impact:
Wide IP persistence does not work.
Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.
739118-1 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
Component: TMOS
Symptoms:
After existing self IP addresses are changed directly in the bigip_base.conf file and the changed configuration file is uploaded, the BIG-IP routing service provides out-of-date self IP route information to dependent services.
Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.
Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - has the old and new routes.
-- Kernel table - has the new route.
Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in the bigip_base.conf file. This is not a recommended way to add or change BIG-IP configuration. Use the GUI or tmsh instead.
Corrective:
If the changed configuration has already been uploaded, use the GUI or tmsh to delete the changed self IP address, then create a self IP address with the old IP address and delete it as well. All affected routes are then removed.
738881-3 : Qkview does not collect any data under certain conditions that cause a timeout
Component: TMOS
Symptoms:
Qkview enforces a timeout mechanism in various locations for its submodules. In certain conditions, when a timeout occurs, Qkview should still be able to collect what data it can before doing this check.
Conditions:
A particular timeout is encountered during a Qkview operation.
Impact:
Data that might have been collected is not, which might result in missing helpful diagnostic information.
Workaround:
Work around the issue by increasing the qkview timeout, for example:
qkview -t 720
738865-3 : MCPD might enter into loop during APM config validation
Component: Access Policy Manager
Symptoms:
Mcpd crashes after a config sync.
Conditions:
This can occur during configuration validation when APM is configured.
Impact:
Mcpd may take too long to validate the APM configuration and is killed by the watchdog, causing a core.
Workaround:
Use the Visual Policy Editor to configure access policy instead of tmsh commands.
The Visual Policy Editor does not allow policies to be created if they contain loops.
738547-3 : SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
Component: Access Policy Manager
Symptoms:
When a SAML metadata file that contains certain UTF-8 characters other than ASCII is imported, the SAML SAX Parser returns an error.
Conditions:
The SAML metadata file contains certain UTF-8 characters other than the ASCII set.
Impact:
SAML metadata file is not imported, and the system reports an error. SAML configuration on BIG-IP systems is impacted.
Workaround:
Remove the non-ASCII UTF-8 characters, and try the import operation again.
738450-1 : Parsing pool members as variables with IP tuple syntax
Component: Local Traffic Manager
Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.
Conditions:
Tcl variable is used for the IP tuple instead of a plain value.
Impact:
iRule LB::reselect command may not recognize an IP tuple when it is a variable. tmsh warning shows.
Note: There is no warning in the GUI.
Workaround:
Use plain value instead of variable.
738045-5 : HTTP filter complains about invalid action in the LTM log file.
Component: Local Traffic Manager
Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)
Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.
Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):
when HTTP_REQUEST {
    HTTP::collect
    NAME::lookup @10.0.66.222 'f5.com'
}
when NAME_RESOLVED {
    HTTP::release
}
when HTTP_REQUEST_SEND {
    log local0. "Entering HTTP_REQUEST_SEND"
}
-- Client sends two HTTP Post requests.
-- After the first request, the second connection is kept alive (for example, by using HTTP header Connection) so that the second request can reuse the same connection.
Impact:
The second request gets reset, and the system logs errors in the LTM log file.
Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.
738032-1 : BIG-IP system reuses cached session-id after SSL properties of the monitor have been changed.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system maintains an SSL session cache for SSL (https) monitors. After changing the properties of an SSL monitor that might affect the operation of SSL, the BIG-IP continues to reuse an existing SSL session ID.
Conditions:
-- The BIG-IP system has cached session ID from previous SSL session.
-- SSL properties of monitor that might affect the operation of SSL are changed.
-- Monitor is using bigd.
Impact:
Sessions still use cached session ID. If session continues to succeed, session uses cached session ID till expiry.
Workaround:
-- Restart bigd.
-- Remove the monitor from the object and re-apply.
-- Use in-tmm monitors.
737739-1 : Bash shell still accessible for admin even if disabled
Component: TMOS
Symptoms:
With the administrator role, you have an option in TMUI to disable or restrict terminal access. If you disable or restrict access, the corresponding REST endpoint is neither disabled nor restricted.
Conditions:
Use TMUI as the admin, or as a user with the administrator role, and either of the following:
-- Disable terminal access.
-- Restrict access to TMSH.
Impact:
Users with the Administrator role can obtain shell access via REST.
With terminal access disabled:
-- If you attempt to log in using SSH, you will not be able to do so.
-- If you make a POST request to the /mgmt/tm/util/bash endpoint with a body that includes a command to run, that command will be run.
With access to TMSH restricted:
-- A POST request to the /mgmt/tm/util/bash endpoint that includes a body with a command to run will be run.
Workaround:
None.
737346-1 : After entering username and before password, the logging on user's failure count is incremented.
Component: TMOS
Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.
Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.
Note: This does not apply to GUI or iControl REST logins.
Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.
Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.
737322-2 : tmm may crash at startup if the configuration load fails
Component: TMOS
Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.
Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
737098-2 : ASM Sync does not work when the configsync IP address is an IPv6 address
Component: TMOS
Symptoms:
If the configsync IP address of the device is configured to be an IPv6 address, changes in ASM configuration do not synchronize across the cluster.
Conditions:
Devices in a Device Group have an IPv6 address set as their configsync IP address.
Impact:
ASM configuration does not synchronize across the Device Group.
Workaround:
Set the configsync IP address to be an IPv4 address and restart the asm_config_server process. To restart the asm_config_server process, run the following command:
pkill -f asm_config_server
730852-3 : The tmrouted repeatedly crashes and produces core when new peer device is added
Component: TMOS
Symptoms:
There is a tmrouted crash when new peer device is added.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Core produced. Tmrouted crashes repeatedly. Dynamic routing for all route domains is temporarily disrupted.
Workaround:
Have MCP force load as described in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
727191-1 : Invalid arguments to run sys failover do not return an error
Component: TMOS
Symptoms:
If an invalid device name is used in the sys failover command, the device name rejection is logged in /var/log/ltm and failover does not occur. No error or failure message is displayed on the command line.
Note: In prior versions, the system incorrectly performed a force-to-standby operation (no 'device' specified), rather than a directed failover operation (failover to specified 'device'). Although this resulted in the active device becoming standby, it did not cause the system to choose the (nonexistent) device specified.
Conditions:
Run a tmsh command similar to the following:
sys failover standby traffic-group traffic-group-1 device invalid_name
Impact:
Since no failover occurs and no error/warning is returned, this may result in some confusion.
Workaround:
There is no workaround.
726900-1 : Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters
Component: Local Traffic Manager
Symptoms:
Virtual server may attempt to use syncookies on first SYN packet rather than allowing the connection to pass through to the real server.
Conditions:
Modifying a virtual server (CLI/iControl/GUI) to switch from FastL4 or TCP profiles to an 'ip-other' profile.
Impact:
The configured 'ip-other' virtual server will fail to accept all traffic. For example, a TCP or a UDP flow which should have been accepted and processed by the 'ip-other' virtual server will be dropped incorrectly, trying to enforce 'Syn Cookie' validation.
Workaround:
When switching a virtual server profile from FastL4/TCP to the 'ip-other' profile, delete the virtual server and then re-add it with the 'ip-other' profile.
726734-4 : DAGv2 port lookup stringent may fail
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.
Conditions:
Active FTP with mirroring enabled.
Impact:
Connection cannot get established.
Workaround:
There is no workaround other than to disable mirroring.
726518-3 : Tmsh show command terminated with CTRL-C can cause TMM to crash.
Component: Local Traffic Manager
Symptoms:
TMM crashes when running show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
-- The command is terminated by the client connection, aborting with CTRL-C.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not terminate tmsh show commands with CTRL-C.
726416-3 : Physical disk HD1 not found for logical disk create
Component: TMOS
Symptoms:
The blade error 'Physical disk HD1 not found for logical disk create' is observed when bigstart restart happens on primary blade of chassis-based systems using solid state drives (SSD).
/var/log/ltm shows messages similar to the following:
-- localhost.localdomain debug chmand[25459]: 012a0007:7: mcp_logical_disk mcp_create received
-- localhost.localdomain debug chmand[25459]: 012a0007:7: logical_disk create received: name[HD1] media[general_use_ssd]
-- localhost.localdomain err chmand[25459]: 012a0003:3: Physical disk HD1 not found for logical disk create
-- localhost.localdomain debug chmand[25459]: 012a0007:7: mcp_physical_disk mcp_create received
-- localhost.localdomain debug chmand[25459]: 012a0007:7: physical_disk create received: serial number[S3F3NX0K810723] name[HD1]
and/or
err chmand[4712]: 012a0003:3: Physical disk HD1 not found for logical disk create
The ltm log implies that the logical disk create is requested before the physical disk creation.
Conditions:
This occurs on chassis-based systems (more than one blade) using SSD, when bigstart restart happens on primary blade.
Impact:
The system posts the following error under ltm log:
err chmand[3370]: 012a0003:3: Physical disk HD1 not found for logical disk create.
When the system posts the error, it skips executing two API calls.
These API calls are related to updating DiskInfo and disk wearout information.
This message is benign and can be safely ignored.
Workaround:
There is no workaround.
726401-1 : ASM cannot complete initial startup with modified management interface on VE
Component: Application Security Manager
Symptoms:
The management interface is needed during initial ASM config and startup. This value is hardcoded in an ASM config file as the default 'eth0' instead of being discovered dynamically based on the device configuration. So if the management interface is configured to be on a different interface than eth0 and this config file is not changed to reflect that, ASM fails to start.
Conditions:
-- Running BIG-IP Virtual Edition (VE).
-- The management interface is configured to be on a different interface than eth0.
-- The config file (/etc/ts/common/image.cfg) does not reflect that change.
Impact:
ASM fails to start.
Workaround:
Modify the config file (/etc/ts/common/image.cfg) to match the non-default interface (e.g., eth1 instead of eth0).
726164-1 : Rolling DNSSEC Keys can stop regenerating after a length of time on the standby system
Component: Global Traffic Manager (DNS)
Symptoms:
Rolling DNSSEC Keys may stop generating when a BIG-IP system is on standby for a length of time.
Conditions:
BIG-IP system is on standby for a length of time, in general, longer than twelve hours.
Impact:
Rolling DNSSEC keys can stop regenerating.
Workaround:
None.
726011-4 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
Component: Policy Enforcement Manager
Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.
Conditions:
If the PEM classification tokens do not change.
Impact:
Time-based actions such as insert content may not get applied to such flows.
Workaround:
None.
725505-1 : SNAT settings in network resource are not applied after FastL4 profile is updated
Component: Access Policy Manager
Symptoms:
When the admin updates a FastL4 profile, the iRule associated with the internal virtual server (the APM forward virtual server) is removed.
This iRule sets up the SNAT setting. Because the iRule is removed, the SNAT setting is not applied to new network access connections.
Conditions:
-- Using network access.
-- FastL4 profile is updated.
Impact:
When accessing the backend resource, the BIG-IP system uses the self IP address as the source IP address instead of the IP address configured under the network access resource. Traffic disrupted while tmm restarts.
Workaround:
Restart tmm.
Restarting tmm re-creates the forward virtual servers and attaches the relevant iRule.
724994-4 : API requests with 'expandSubcollections=true' are very slow
Component: TMOS
Symptoms:
Submitting an iControl REST query using the option 'expandSubcollections=true' takes significantly longer to return than one without that option. For example, the query 'https://localhost/mgmt/tm/ltm/virtual?expandSubcollections=true' takes significantly longer than the query 'https://localhost/mgmt/tm/ltm/virtual'.
Conditions:
Submitting a query using expandSubcollections=true.
Impact:
The response takes significantly longer to return.
Workaround:
The additional processing time occurs because the 'expandSubcollections' parameter fetches all the related associated elements. You can use the following alternative to retrieve the virtual configuration:
1. Run the following query:
GET mgmt/tm/ltm/virtual
2. Obtain the list of virtual servers by:
2a. parsing either the selfLink or the fullPath properties in the response items array, where the response is from step 1.
2b. writing an iControlLX worker that does this.
Note: Writing a worker abstracts the parsing logic into a user-defined endpoint. It provides API access to the data.
3. Iterate over the virtual servers querying each with the option 'expandSubcollections=true'.
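The workaround steps above, sketched as an added example (not F5 code). It builds the per-virtual-server URL from either the selfLink or the fullPath property and appends 'expandSubcollections=true'. The sample response is constructed, and `fetch` is a hypothetical caller-supplied function that performs the authenticated GET.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote

BASE = "https://localhost/mgmt/tm/ltm/virtual"

# Constructed sample of a step 1 response (GET mgmt/tm/ltm/virtual).
SAMPLE_COLLECTION = json.loads("""
{
  "kind": "tm:ltm:virtual:virtualcollectionstate",
  "items": [
    {"name": "vs_web", "fullPath": "/Common/vs_web",
     "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~vs_web?ver=14.1.2.5"},
    {"name": "vs_api", "fullPath": "/Common/vs_api"}
  ]
}
""")


def item_url(item, base=BASE):
    """Step 2a: build the URL for one virtual server from selfLink or fullPath."""
    link = item.get("selfLink")
    if link:
        parts = urlsplit(link)
        # Keep existing query parameters, but never duplicate ours.
        query = [(k, v) for k, v in parse_qsl(parts.query)
                 if k != "expandSubcollections"]
    else:
        # iControl REST addresses /Partition/name as ~Partition~name.
        name = item["fullPath"].replace("/", "~")
        parts = urlsplit(base + "/" + quote(name, safe="~"))
        query = []
    query.append(("expandSubcollections", "true"))
    return urlunsplit(parts._replace(query=urlencode(query)))


def expand_each(collection, fetch):
    """Step 3: query each virtual server on its own with expansion enabled.

    `fetch` (hypothetical) takes a URL and returns the decoded JSON body.
    Returns a dict keyed by fullPath.
    """
    expanded = {}
    for item in collection.get("items", []):
        expanded[item["fullPath"]] = fetch(item_url(item))
    return expanded


if __name__ == "__main__":
    # Offline demonstration: print the URLs instead of sending requests.
    for entry in SAMPLE_COLLECTION["items"]:
        print(item_url(entry))
```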
724824-3 : Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
Component: Local Traffic Manager
Symptoms:
After a Full Configuration Sync is performed in a device cluster, Ephemeral (FQDN) nodes on peers to the device initiating the Configuration Sync will report their status as Unknown with monitor status of Unchecked.
Note: The nodes are still monitored properly by the peer devices even though they are not reported as such.
Conditions:
-- Full configuration sync performed in a device cluster.
-- Ephemeral (FQDN) nodes configured.
Impact:
Monitor status on the peer devices is reported incorrectly.
Workaround:
Any of the following three options will correct reporting status on the peer devices:
-- Restart bigd
-- Cause monitoring to the FQDN nodes to fail for at least one probing interval, and then restore monitoring accessibility.
-- Disable and then re-enable the FQDN node
Each of these workarounds results in the reported status of the FQDN node on the peer reporting correctly again. The workarounds do not prevent a subsequent configuration sync from placing the FQDN nodes back into Unknown status on peers, however.
724556-3 : icrd_child spawns more than maximum allowed times (zombie processes)
Component: TMOS
Symptoms:
icrd_child is issued a SIGTERM. The SIGTERM might not succeed in destroying the process, especially if the system is under a lot of load. This leads to zombie processes.
Conditions:
-- The icrd_child process is issued a SIGTERM that does not successfully destroy the icrd_child process.
-- System under heavy load.
Impact:
There are zombie icrd_child processes consuming memory.
Workaround:
Restart the system.
723833-2 : IPsec related routing changes can misfire, like changing tunnel mode to interface mode
Component: TMOS
Symptoms:
IPsec config changes that rely upon interface mode tunnels, which are driven by routes with associated tunnel VLANs, can sometimes fail to pass traffic after a config change altering routes, or altering the number of tunnels involved.
Conditions:
- Changing tunnel mode to interface mode.
- Adding or removing routes for interface mode IPsec tunnels.
- Deleting an IPsec tunnel object.
Impact:
An IPsec tunnel outage may occur before a system restart, which looks like absence of proper routing config, but which is due to inconsistent update when changes affect routing used by IPsec tunnels in interface mode. In some cases, a tmm core can occur which interrupts service briefly until restarted.
Workaround:
Typically saving before bigstart restart gets routing config related to IPsec back into working order.
723306-1 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
Component: Local Traffic Manager
Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:
01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.
Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.
Impact:
Inability to load config, with created internal virtual server.
Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on a different partition.
723112-5 : LTM policies do not work if a condition has more than 127 matches
Component: Local Traffic Manager
Symptoms:
LTM policies do not work if number of matches for a particular condition exceeds 127.
Conditions:
LTM policy that has a condition with more than 127 matches.
Impact:
LTM policy does not match the expected condition.
Workaround:
There is no workaround at this time.
722741-1 : Damaged tmm dns db file causes zxfrd/tmm core
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd/tmm cores on startup.
Conditions:
Damaged tmm dns db file.
Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.
Workaround:
Delete the damaged db files.
722707-2 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
Component: Local Traffic Manager
Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be stimulated by configuring the firewall to enable traffic to/from the 'mysql' database, and then (after the 'mysql' monitor successfully connecting with the database) changing firewall rules to drop packets returned *from* the database.
Conditions:
-- A 'mysql' monitor successfully connects to the 'MySQL' database.
-- Once connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.
Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).
Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).
722647-4 : The configuration of some of the Nokia alerts is incorrect
Component: TMOS
Symptoms:
The categories for perceived severity in the alert_nokia.conf file are 0-4, 10-11, but there is an entry in the file with a value of 6.
Conditions:
-- Traps are enabled to support SNMP alerts in the Nokia NetAct format, e.g., using the following command:
tmsh modify sys db alertd.nokia.alarm value enable
-- The values in the alert_nokia.conf file are applied.
Impact:
Some of the values are incorrect. Handling of the trap/clear for the mislabeled trap is incorrect.
Workaround:
Edit the alert_nokia.conf file and restart the alert daemon.
722534-1 : load sys config merge not supported for iRulesLX
Component: Local Traffic Manager
Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:
# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"
Conditions:
The configuration being merged contains iRulesLX.
Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.
Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.
722230-3 : Cannot delete FQDN template node if another FQDN node resolves to same IP address
Component: TMOS
Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.
Conditions:
This occurs under the following conditions:
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.
Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.
Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.
721591 : Java crashes with core during a basic TLS Signature test
Component: TMOS
Symptoms:
Java crashes with core.
Conditions:
This is a random crash and there are no known conditions for reproducing it.
Impact:
This crash occurs randomly during normal operation and has the following impact:
-- Stats are not available.
-- Server health does not improve with mitigation.
-- Valid traffic never reaches the backend.
Workaround:
-- Restart the Java service.
-- Restart the BIG-IP system.
721020-1 : Changes to the master key are reverted after full sync
Component: TMOS
Symptoms:
Changes to the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.
Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.
Impact:
Subsequent configuration loads fail on the device.
Workaround:
There is no workaround.
720610-2 : Updatecheck logs bogus 'Update Server unavailable' on every run
Component: TMOS
Symptoms:
The updatecheck operation erroneously logs that the Update Server is unavailable on every run, successful or not.
Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.
Impact:
Misleading messages in the log file, implying that the update server is not available.
Workaround:
None.
720440-4 : Radius monitor marks pool members down after 6 seconds
Component: Local Traffic Manager
Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.
Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.
Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.
Workaround:
There is no workaround at this time.
720434-3 : Multi-blade Chassis iAppLX Package upgrade sync is incomplete across blades
Component: Device Management
Symptoms:
Some iAppLX package files on primary blade do not exist on secondary blades.
Conditions:
After installing an iAppLX package on a multi-blade chassis the package files are synced to other blades. This process is not instantaneous and may take several minutes.
During this time if the same iAppLX package is upgraded, not all of the files will be synced across blades, and an incomplete iAppLX package will exist on secondary blades.
Impact:
When a failover occurs to a blade with an incomplete iAppLX package, parts of the iAppLX GUI may not work.
Workaround:
To trigger a resync of files from primary to secondary blades run the following command:
bigstart restart csyncd
720045-3 : IP fragmented UDP DNS request and response packets dropped as DNS Malformed
Component: Advanced Firewall Manager
Symptoms:
AFM/DHD treats the IP fragmented UDP DNS packet (request or response) as DNS Malformed packet and drops these packets.
Conditions:
-- AFM/DHD is enabled (provisioned and licensed).
-- DNS Malformed vector is enabled at Device context (by default, it's always enabled).
-- AFM/DHD receives fragmented IP packet for UDP DNS request or response.
Impact:
AFM/DHD incorrectly treats such packets as DNS malformed and drops them.
If AFM/DHD receives any DNS request/response UDP packet that is fragmented at the IP layer, the system drops the packet, interrupting DNS service between client/servers through BIG-IP systems.
Workaround:
None.
719589-2 : GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic
Component: Access Policy Manager
Symptoms:
GUI and CLI category lookup test tool (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup) can return different categories compared to the actual data-plane traffic.
Conditions:
Access Policy, Secure Web Gateway : Database Settings : URL Category Lookup or command line lookup using 'urldb -c' construction.
Impact:
Some websites may be categorized differently depending on whether or not the IP is passed in. Correct category may not be returned.
Workaround:
None.
719555-5 : Interface listed as 'disable' after SFP insertion and enable
Component: TMOS
Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as 'disabled' in 'tmsh show net interface output' commands.
Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface output.
Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.
Workaround:
This issue is cosmetic; the interface is functional so it may be used.
To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface
719304-1 : Inconsistent node ICMP monitor operation for IPv6 nodes
Component: Local Traffic Manager
Symptoms:
While running ping from different blades in a multi-blade environment, pings fail from blades that do not have the tmm that is responsible for pinging the node.
Conditions:
The blade that does not contain the owning tmm is responsible for the node monitors.
Impact:
The node will be incorrectly marked as being unavailable/down.
Workaround:
You can use the following workarounds:
-- Statically assign the NDP entries.
-- Set the route to a gateway that has a non-zero host portion in the address.
718796-3 : IControl REST token issue after upgrade★
Component: Device Management
Symptoms:
When upgrading to version 13.1.0.x, sometimes a user who previously had permissions to make calls to iControl REST loses the ability to make those calls.
Conditions:
-- Upgrading to version 13.1.0.x.
-- iControl REST.
Impact:
A previously privileged user can no longer query iControl REST. Also, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.
Workaround:
You can repair the current users' permissions with the following process:
1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
# restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
# bigstart restart restjavad
2) Update shared/authz/roles/iControl_REST_API_User userReferences list to add all affected users' accounts using PUT:
# restcurl shared/authz/roles/iControl_REST_API_User > role.json
# vim role.json and add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
# curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User
Now, when you create a new user, the permissions should start in a healthy state.
718790-1 : Traffic does not forward to fallback host when all pool members are marked down
Component: Local Traffic Manager
Symptoms:
Traffic does not get forwarded to fallback hosts.
Conditions:
-- HTTP Profile configured with Fallback Host.
-- All the pool members are marked administrative down.
Impact:
Traffic does not get forwarded.
Workaround:
Pick a monitor working properly for the pool.
718573-1 : Internal SessionDB invalid state
Component: TMOS
Symptoms:
TMM crashes.
Conditions:
SessionDB is accessed in a specific way that results in an invalid state.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
718288-2 : MCPD might crash on secondary blades when DNSSEC client-facing SOA zone serial not updated
Component: Local Traffic Manager
Symptoms:
In certain cases, a DNSSEC client-facing SOA zone serial does not always update when DNSSEC-related resource records change. That might cause MCPD to crash on secondary blade.
Conditions:
A DNSSEC-related resource record changes.
Impact:
A DNSSEC client-facing SOA zone serial may not always update. That might cause MCPD crash on secondary blade. Traffic disrupted while MCPD restarts.
Workaround:
None.
718230-1 : Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented
Component: TMOS
Symptoms:
In certain circumstances, attaching a BIG-IP monitor type to a non-BIG-IP server with already defined virtual servers is allowed by the system when it should not be allowed.
Conditions:
Attempting to attach a BIG-IP monitor type to a non-BIG-IP server.
Impact:
The BIG-IP monitor can be added to a non-BIG-IP server without error. This causes a configuration load error, such as after a reboot, tmm restart, or tmsh load sys config, and results in an error message such as:
-- localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all gtm-only" - failed. -- Loading schema version: 12.1.3 Loading schema version: 12.1.5.1 01071033:3: Server (/Common/generic_server_object) contains monitor (/Common/bigiptest) which is an invalid type. Unexpected Error: Loading configuration process failed.
Workaround:
None.
718108-3 : It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts
Component: TMOS
Symptoms:
When trying to create a diagnostic core file of the icrd_child process (for example, using the command: kill -6 <PID>), the process restarts but does not create a core file.
Conditions:
iControl REST requests are sent to the BIG-IP system using non-administrative (or resource admin) user accounts.
Impact:
This issue may hinder F5 Support efforts to diagnose memory leaks or other issues affecting the icrd_child process.
Workaround:
There are two workarounds for this issue.
Workaround #1:
The problem can be avoided by making calls to iControl REST using only User IDs that have the 'Admin' or 'Resource Admin' roles.
Note: If iControl REST calls have already been made with User IDs that have a role other than 'Admin' or 'Resource Admin', the 'restjavad' process must be restarted before core files can be created for icrd_child processes.
Workaround #2:
If iControl REST calls have already been made with User IDs that have a role other than 'Admin' or 'Resource Admin', and a core file is needed for a currently running icrd_child process, running the following two commands in the Advanced Shell (aka bash) creates the core file.
1: "echo 2 > /proc/sys/fs/suid_dumpable"
2: "pkill -6 icrd_child"
Note: The commands are shown inside quotation marks but do not include the quotation marks.
718033-4 : REST calls fail after installing BIG-IP software or changing admin passwords
Component: Device Management
Symptoms:
After installing the latest BIG-IP software, or changing the BIG-IP admin passwords once or twice, REST calls might fail with the following error: 400 - Bad Request.
Conditions:
The conditions under which this occurs are not well understood. The issue occurs randomly, and is likely the result of a timing issue.
Impact:
REST calls or GUI operations fail to work. Errors appear on screen.
Workaround:
Run the following command on the BIG-IP system:
$ bigstart restart restjavad
717785-2 : Interface-cos shows no egress stats for CoS configurations
Component: TMOS
Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.
Conditions:
-- Valid 8 HW CoS feature configuration has been enabled and passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.
Impact:
Egress packet statistics reported per CoS queue shows no counts.
Workaround:
None.
717306-1 : Added ability to use Vip-targeting-Vip with DNS Cache server-side connections
Component: Global Traffic Manager (DNS)
Symptoms:
A Vip-targeting-Vip setup for DNS Cache is not possible, as unbound connections do not match existing VIPs.
Conditions:
Virtual Server with same IP address as outbound DNS Cache server-side connections.
Impact:
Unable to perform Vip-targeting-Vip configurations with DNS Cache connections.
Workaround:
None.
717174-1 : WebUI shows error: Error getting auth token from login provider★
Component: Device Management
Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.
This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.
Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.
Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.
Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:
bigstart restart restjavad
bigstart restart restnoded
716140-2 : Information in snmpd.conf files may be overwritten causing SNMP v3 queries to receive 'Unsupported security level' errors
Component: TMOS
Symptoms:
During daemon startup, the snmpd daemon zeroes out sensitive data in the snmpd.conf files. This is done so that passwords are not available to be read on disk. This can cause problems when other daemons using the net-snmp shared libraries access snmpd.conf files for data that they need during startup.
If you have 'zeroed out' data under /config/net-snmp/snmpd.conf, the system reports 'Unsupported security level' errors in response to SNMP v3 query, for example:
snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "testuser" -l authPriv localhost sysSystemUptime.0
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime)
Conditions:
Custom SNMP v3 users have been created and exist in /config/net-snmp/snmpd.conf with 'zeroed out' data.
Example from /config/net-snmp/snmpd.conf where user 'testuser' has some data that is 'zeroed out' (0x 0x):
usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x
Impact:
Daemons usually start in an orderly fashion and usually do not conflict with each other. However, it is possible that they might fail to load correctly due to the zeroing out of data.
For example this can cause SNMP v3 access errors for users with 'zeroed out' data under /config/net-snmp/snmpd.conf:
snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "f5testuser" -l authPriv localhost sysSystemUptime.0
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime)
Workaround:
Use tmsh to configure SNMP users.
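A check for the 'zeroed out' condition described above, as an added example (not F5 or net-snmp code). It parses usmUser lines and reports users whose stored protocols and keys can no longer satisfy the security level you expect. In the line quoted on this page the protocol OIDs are usmNoAuthProtocol and usmNoPrivProtocol with empty keys, so that user can only meet noAuthNoPriv. The field order is an assumption about the net-snmp persistent format, and the 'monitor' line is constructed.

```python
import shlex

# USM "no protocol" OIDs from SNMP-USER-BASED-SM-MIB (RFC 3414).
NO_AUTH = "1.3.6.1.6.3.10.1.1.1"
NO_PRIV = "1.3.6.1.6.3.10.1.2.1"
LEVELS = ["noAuthNoPriv", "authNoPriv", "authPriv"]

# First usmUser line is the one quoted on this page; the second is a
# constructed healthy entry (SHA auth, AES privacy, made-up key bytes).
SAMPLE_CONF = '''
# constructed sample of /config/net-snmp/snmpd.conf
usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x
usmUser 1 3 0x80001f88808047605278d46d5b "monitor" "monitor" NULL .1.3.6.1.6.3.10.1.1.3 0x00112233445566778899aabbccddeeff00112233 .1.3.6.1.6.3.10.1.2.4 0x00112233445566778899aabbccddeeff 0x
'''


def key_is_empty(value):
    """True for a zeroed-out key such as '0x' or an empty string."""
    v = value.lower()
    return (v[2:] if v.startswith("0x") else v) == ""


def parse_usm_user(line):
    """Parse one usmUser line; return None for anything else.

    Assumed field order: usmUser status storage engineID name secName
    cloneFrom authProtocol authKey privProtocol privKey [publicString]
    """
    try:
        tok = shlex.split(line, comments=True)
    except ValueError:
        return None  # unbalanced quotes: not a line we can judge
    if len(tok) < 11 or tok[0] != "usmUser":
        return None
    return {
        "name": tok[4],
        "auth_proto": tok[7].lstrip("."),
        "auth_key": tok[8],
        "priv_proto": tok[9].lstrip("."),
        "priv_key": tok[10],
    }


def max_level(user):
    """Highest security level the stored entry can satisfy."""
    auth_ok = user["auth_proto"] != NO_AUTH and not key_is_empty(user["auth_key"])
    priv_ok = (auth_ok and user["priv_proto"] != NO_PRIV
               and not key_is_empty(user["priv_key"]))
    if priv_ok:
        return "authPriv"
    return "authNoPriv" if auth_ok else "noAuthNoPriv"


def audit(conf_text, expected):
    """Return (user, expected_level, actual_level) for each degraded user.

    `expected` maps user name to the level it was configured for.
    Users absent from `expected` are not reported.
    """
    findings = []
    for line in conf_text.splitlines():
        user = parse_usm_user(line)
        if user is None or user["name"] not in expected:
            continue
        actual = max_level(user)
        want = expected[user["name"]]
        if LEVELS.index(actual) < LEVELS.index(want):
            findings.append((user["name"], want, actual))
    return findings


if __name__ == "__main__":
    wanted = {"testuser": "authPriv", "monitor": "authPriv"}
    for name, want, actual in audit(SAMPLE_CONF, wanted):
        print(f"{name}: expected {want}, stored entry only supports {actual}")
```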
715379-3 : IKEv2 accepts asn1dn for peers-id only as file path of certificate file
Component: TMOS
Symptoms:
IKEv2 only has a very inconvenient way to specify ID for an ike-peer when using peers-id-type asn1dn. The string value of peers-id-value was understood only as a file path, and not as a representation of the asn1dn value itself. The file had to be a certificate, whose subject happened to be the ID of the remote peer as a distinguished name (DN), so this could be extracted as binary DER for asn1dn. This was both awkward and error prone, requiring what amounts to a copy of a peer's certificate before it is sent during negotiation.
Conditions:
-- Using certificate based authentication in IPsec IKEv2.
-- Configuring an ike-peer with peers-id-type as asn1dn.
Impact:
Very difficult to use asn1dn as the ID of a peer, impeding inter-operation with other vendors.
Workaround:
If you can install a local copy of the peer's certificate, with an asn1dn value inside matching what that peer will actually send in an IKE_AUTH exchange, IKEv2 can extract the asn1dn provided the value of peers-id-value is an absolute file system path to this local certificate copy.
714642-4 : Ephemeral pool-member state on the standby is down
Component: Local Traffic Manager
Symptoms:
On a standby BIG-IP system, an ephemeral pool member's state remains user-down after re-enabling an FQDN node on the primary system.
Conditions:
Re-enabling a forced-down FQDN node on the primary system.
Impact:
On the standby system, the ephemeral pool-members are in state: user-down, (forced-down in GUI).
Workaround:
None.
714502-2 : bigd restarts after loading a UCS for the first time
Component: Local Traffic Manager
Symptoms:
bigd restarts when loading a UCS for the first time, where the load succeeds; and no related messages are reported in /var/log/ltm; and no bigd core file is produced.
Conditions:
bigd loads a UCS file for the first time, such as after the command:
tmsh load sys ucs no-license keep-current-management-ip no-platform-check
Impact:
The UCS file is correctly reloaded, and bigd restarts with the loaded configuration. No bigd core is produced, and no related messages are found in /var/log/ltm. After restart, bigd performs all system functions as expected.
Workaround:
System runs as expected after the bigd restart, and the user need not take any action.
714372-3 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
Component: Local Traffic Manager
Symptoms:
The BIG-IP system has a web-acceleration profile, which provides a number of caching and optimization options suitable for HTTP/1.1. It uses the 'Connection: Keep-Alive' header on the server side, which results in a 'Keep-Alive' header appearing in the response. This HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with such a header and reject them with a RST_STREAM message.
Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.
Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.
Workaround:
Use an iRule to remove the Keep-Alive header:
when HTTP_RESPONSE_RELEASE {
HTTP::header remove keep-alive
}
Alternatively use an LTM Policy where this header is removed from a server's response.
714176-3 : UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed
Component: TMOS
Symptoms:
-- UCS archive restore fails
-- The Traffic Management Shell (TMSH) and/or /var/log/ltm file show the following error message:
01071769:3: Decryption of the field (privatekey) for object (9717) failed. Unexpected Error: Loading configuration process failed.
Conditions:
- Restoring configuration from UCS.
- The UCS is being restored on a different BIG-IP system with a different master key.
Impact:
-- The UCS configuration is not applied.
-- The BIG-IP is not in a fully operational state.
Workaround:
If you encounter this error and dynad is not in use (dynamic debug) you can manually edit bigip_base.conf.
1. Locate the dynad config in /config/bigip_base.conf file:
For example, the dynad config will look like:
sys dynad key {
key $M$jV$VX7HMp5q346nsTYDYFPnYdJLrBPyQSCrDTJYAz4je7KXJAC38fxtDJL35KtF66bq
}
2. Modify the dynad configuration lines to:
sys dynad key {
key "test"
}
3. Save the updated bigip_base.conf file.
4. Load the configuration with command: tmsh load sys config
713614-4 : Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)
Component: TMOS
Symptoms:
Warning similar to below, referencing a non-floating self IP:
Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)
Conditions:
Virtual Server is defined using the same IP address as a non-floating self IP.
Impact:
Virtual Server does not fail over with floating traffic group as expected.
713183-3 : Malformed JSON files may be present on vCMP host
Component: TMOS
Symptoms:
Malformed JSON files may be present on vCMP host.
Conditions:
All needed conditions are not yet defined.
- vCMP is provisioned.
- Guests are deployed.
- Software versions later than 11.6.0 for both guest/host may be affected.
Impact:
Some vCMP guests may not show up in the output of the command:
tmsh show vcmp health
In addition, there might be files present named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.
There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.
Workaround:
None.
712857-3 : SWG-Explicit rejects large POST bodies during policy evaluation
Component: Access Policy Manager
Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 128 KB limit on POST bodies while the policy is being evaluated.
The system posts an error message similar to the following in /var/log/apm:
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048
Conditions:
This applies only during policy evaluation. After the policy has been set to 'Allow', there is no limit to the POST body.
Impact:
Unable to start an SWG-Explicit policy with a large POST body.
Workaround:
None.
712534 : DNSSEC keys are not generated when configured to use an external FIPS device
Component: Local Traffic Manager
Symptoms:
DNSSEC keys that use an external FIPS device are not generated, and an SELinux denial is reported in /var/log/auditd/audit.log. The logged permission denial should indicate that a process running under the 'mcpd_t' SELinux context was denied the 'execmem' permission.
Conditions:
-- A device is configured with one or more DNSSEC keys that are configured to be generated by an external FIPS device (indicated by the 'use-fips' option being set to 'external').
-- An unpatched version of the Thales client software is in use on the device.
Impact:
DNSSEC keys will not be generated when configured to use the external FIPS device.
Workaround:
Update the version of the Thales client software that is in use on the device.
712335-3 : GTMD may intermittently crash under unusual conditions.
Component: Global Traffic Manager (DNS)
Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.
Conditions:
-- A pool member is added to the system.
-- There is an unexpected failure to create the associated statistics row.
Impact:
GTMD restarts. Global traffic functionality is not available while GTMD is restarting.
Workaround:
There is no workaround at this time.
712241-2 : A vCMP guest may not provide guest health stats to the vCMP host
Component: TMOS
Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision
These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.
These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted from the output of the following command: $ tmsh show vcmp guest
Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.
Impact:
There is no functional impact to the guests or to the host, other than these lost tables.
-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI, such as grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.
Workaround:
There is no workaround at this time.
711056-1 : License check VPE expression fails when access profile name contains dots
Component: Access Policy Manager
Symptoms:
The License Check agent always flows down the fallback branch. Logs show the following pattern:
-- err apmd[13738]: 01490190:3: /Common/my.profile.name:Common:2a392ccd: Key 'tmm.profilelicense./Common/my.profile.name#' was not found in MEMCACHED.
-- err apmd[13738]: 01490086:3: /Common/my.profile.name:Common:2a392ccd: Rule evaluation failed with error: can't use empty string as operand of "-"
Conditions:
-- Access profile contains '.' (dot) characters in its name.
-- License Check agent is used in the VPE to check against profile license.
Impact:
License check always fails, resulting in denied logon.
Workaround:
Use a different policy name without '.' characters.
710930-3 : Enabling BigDB key bigd.tmm may cause SSL monitors to fail
Component: Local Traffic Manager
Symptoms:
When bigd.tmm is enabled, SSL monitors may begin to fail.
Conditions:
-- The in-tmm monitoring feature is enabled via the bigd.tmm db variable (it is disabled by default)
-- The cipher string of the attached SSL profile uses keywords that are invalid with TMM.
Impact:
The cipher string will no longer be valid when bigd.tmm is enabled and the keywords will need to be modified or removed. SSL monitors begin to fail after modifying bigd.tmm.
Workaround:
Modify or remove incompatible keywords from the ciphers string; the in-tmm monitoring feature only allows ciphers that are allowed by SSL profiles.
710809-4 : Restjavad hangs and causes GUI page timeouts
Component: Device Management
Symptoms:
Restjavad stops responding, causing GUI page timeouts.
Conditions:
The conditions behind this issue are not known.
Impact:
restjavad is active, but all endpoints are nonresponsive.
Workaround:
Restart restjavad.
709952-2 : Disallow DHCP relay traffic to traverse between route domains
Component: Local Traffic Manager
Symptoms:
DHCP traffic can traverse between route domains, e.g., when working with a route domain with a parent. Under certain circumstances, this is not desired.
Conditions:
DHCP relay in use on a route domain with a parent relationship or strict isolation disabled.
Impact:
The DHCP server side flow might get established to the parent route domain, and will persist even after the route in its own route domain becomes available again.
Workaround:
There is no workaround at this time.
709381-2 : iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.
Component: Local Traffic Manager
Symptoms:
An iRules LX plugin does not properly run and messages similar to the following example are logged to the /var/log/ltm file:
err tmm[17616]: 01220001:3: TCL error: /Common/my-plugin/my-rule <HTTP_REQUEST> - ILX timeout. invoked from within "ILX::call $ilx_handle -timeout 3000 my-function"
Conditions:
An iRules LX workspace archive is imported to BIG-IP version 13.1.0 or later from a previous software version.
It should be noted this is what happens during a regular software upgrade. Therefore, you might encounter this issue when upgrading a system to BIG-IP version 13.1.0 or later.
Impact:
The affected iRules LX are not functional under the new software version, and the virtual servers utilizing them will experience various failures.
Workaround:
Change the node version from 0.12.15 to 6.9.1 and back.
708803-2 : Remote admin user with misconfigured partition fallback to "All"
Component: TMOS
Symptoms:
When remote role groups are used to set user role and partition from the remote authentication server, and the server is configured to set a user to Administrator role with access to a particular partition, the user instead receives Administrator role on all partitions. Users with Administrator role on the BIG-IP are required to have all partition access.
Conditions:
Remote authentication with remote role groups. Remote authentication server configured to set a user to Administrator role with access to a particular partition.
Impact:
Administrator users have access to all partitions.
Workaround:
Change configuration on remote authentication server. Users with Administrator role need all partition access. Users who must be restricted to a particular partition should be given a more restrictive role.
706782-3 : Inefficient APM processing in large configurations.
Component: Access Policy Manager
Symptoms:
In configurations with large numbers of virtual servers or other entities, the apmd, oauth, and localdbmgr processes may consume large amounts of system resources.
Conditions:
-- Large configuration.
-- APM provisioned.
-- Multiple traffic groups exacerbate the effect.
Impact:
Heavy use of odd-numbered CPU cores may slow all control-plane operations, including user-interface response.
Workaround:
None known.
706685-3 : Unable to log into BIG-IP GUI after partition is deleted
Component: TMOS
Symptoms:
The BIG-IP GUI no longer presents a login dialog if a GUI's session becomes invalidated while it is viewing a partition that has subsequently been deleted.
Conditions:
-- A GUI session is logged in and a non-/Common partition is selected.
-- The GUI session expires or is invalidated (producing the message 'Your login credentials are no longer valid').
-- While in that state, the selected partition is deleted via an SSH session.
-- A subsequent attempt is made to log into the GUI (in any browser).
Impact:
Unable to log into the BIG-IP GUI. The UI consists of a grey backdrop colour with a partially drawn login field. There is no way to enter text into the field, so there is no way to log in. You must use SSH to log into the device and restart the tomcat process.
In the browser's JavaScript console, the following message may be seen:
Uncaught TypeError: Cannot read property 'style' of null at window.onload (login.jsp:35).
Workaround:
Use SSH to log into the device, and restart the tomcat process:
tmsh restart sys service tomcat
705768-1 : dynconfd may core and restart with multiple DNS name servers configured
Component: Local Traffic Manager
Symptoms:
The dynconfd daemon may crash with a core and restart when processing a DNS query while multiple DNS name servers are configured or the list of DNS name servers is changed.
Conditions:
This may occur rarely when FQDN nodes are configured and multiple DNS name servers are configured, including when a name server is added to or removed from the system DNS configuration while a DNS query is active.
Impact:
Resolution of FQDN names for FQDN nodes and pool members may be briefly interrupted while the dynconfd daemon restarts. This may cause a delay in propagation of DNS zone changes to the BIG-IP configuration.
Workaround:
This issue occurs rarely. There is currently no known workaround.
705037-7 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
Solution Article: K32332000
Component: TMOS
Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.
Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.
Impact:
-- Unreliable or confusing statistics via SNMP polling.
-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.
Workaround:
None.
703165-4 : shared memory leakage
Component: Advanced Firewall Manager
Symptoms:
Processes that require shared memory to operate are failing (e.g. pabnagd).
Conditions:
Many shmem segments allocated and used by tmm.
Impact:
Potential failures in any process that requires shared memory segments, causing lack of services such as learning (bd+pabnagd), request logging (pabnagd+asm-config), etc.
Workaround:
There is no workaround at this time.
703090-5 : With many iApps configured, scriptd may fail to start
Component: TMOS
Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:
"script has exceeded its time to live, terminating the script"
Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.
Impact:
The error message will show up, and some instances of the script will not run.
Workaround:
Restarting scriptd will resolve the issue.
701529-2 : Configuration may not load or not accept vlan or tunnel names as "default" or "all"
Component: TMOS
Symptoms:
As a result of a known issue, configurations containing vlan or tunnels named "default" or "all" are no longer accepted.
Conditions:
Attempting to configure this will result in a log message similar to the following:
root@(f5-ve)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net tunnels tunnel default profile ppp
01070712:3: Cannot create tunnel 'default' in rd1 - ioctl failed: Invalid argument
Impact:
A configuration that contained this in earlier versions and upgraded to the affected version will fail to load.
Workaround:
Change or rename all instances of vlans and/or tunnels named "default" or "all".
701341-4 : If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts
Solution Article: K52941103
Component: TMOS
Symptoms:
If an issue causes /config/BigDB.dat to be empty or its contents become corrupted, mcpd fails to start up.
System commands report errors about being unable to read DB keys. 'bigstart' outputs errors:
--dbval: Unable to find variable: [security.commoncriteria]
Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.
Impact:
The system fails to start up, and mcpd continually restarts. The BIG-IP system fails to process traffic while the mcpd process is restarting.
Workaround:
To work around this issue, you can remove the empty or corrupted BigDB.dat file. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to bash.
2. To remove the zero-byte or corrupted BigDB.dat file, type the following command:
rm /config/BigDB.dat
700639-4 : The default value for the syncookie threshold is not set to the correct value
Component: Local Traffic Manager
Symptoms:
The default value for connection.syncookies.threshold should be set to 64000. Instead, this value defaults to 16384.
Conditions:
This issue may be encountered when a virtual server uses syncookies.
Impact:
The connection.syncookies.threshold value will be lower than intended, possibly resulting in lower performance.
Workaround:
Use tmsh to manually set the threshold value:
# tmsh modify sys db connection.syncookies.threshold value 64000
698933-6 : Setting metric-type via ospf redistribute command may not work correctly
Component: TMOS
Symptoms:
In a dynamic routing configuration where an OSPF process redistributes routes from another OSPF process and sets a metric-type, the metric type is not changed.
Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>" command.
Impact:
Metric type is not changed.
Workaround:
Change metric-type using a route-map applied to the redistribute command.
696348-3 : "GTP::ie insert" and "GTP::ie append" do not work without "-message" option
Component: Service Provider
Symptoms:
When adding "GTP::ie insert" and "GTP::ie append" without the "-message" option to an iRule, there is a warning message:
[The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:VALUE"1290 38]
Conditions:
Using the "GTP::ie insert" or "GTP::ie append" command without the "-message" option.
Impact:
The commands are still executed at runtime, but the warning message may confuse users.
692218-3 : Audit log messages sent from the primary blade to the secondaries should not be logged.
Component: TMOS
Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.
Conditions:
Multi-blade platform.
Impact:
Unnecessary messages in the log file.
Workaround:
None.
690928-1 : System posts error message: 01010054:3: tmrouted connection closed
Component: TMOS
Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.
System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed
Conditions:
This message occurs when all of the following conditions are met:
-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.
Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.
Workaround:
None.
689147-2 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
Component: TMOS
Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.
Errors similar to the following appear in /var/log/ltm:
-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition
Errors similar to the following appear in /var/log/secure:
tac_authen_pap_read: invalid reply content, incorrect key?
Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.
Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.
Workaround:
Check /var/log/ltm for more specific error messages.
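The triage this entry recommends (trust /var/log/ltm over /var/log/secure) can be scripted as a small log classifier. This is an added example, not F5 code: it matches only the message texts quoted in this entry, and the syslog prefixes, host name and process names in the sample lines are constructed.

```python
import re
from collections import Counter

# Message texts exactly as quoted in the ID 689147 entry for /var/log/ltm.
ROLE_RESTRICTION = (
    "User restriction error: The administrator, resource administrator, "
    "auditor and web application security administrator roles may not be "
    "restricted to a single partition."
)
MISSING_PARTITION = re.compile(
    r"Input error: invalid remote user credentials, "
    r"partition does not exist, (?P<partition>\S+)"
)
# Message text quoted in the entry for /var/log/secure.
SECURE_NOISE = "tac_authen_pap_read: invalid reply content, incorrect key?"


def classify_ltm_line(line):
    """Map one /var/log/ltm line to (cause, partition), or None if unrelated."""
    if ROLE_RESTRICTION in line:
        return ("role-needs-all-partitions", None)
    match = MISSING_PARTITION.search(line)
    if match:
        return ("partition-does-not-exist", match.group("partition"))
    return None


def triage(ltm_lines, secure_lines):
    """Summarise why remote-role-group logins failed, using ltm as the source of truth."""
    causes = Counter()
    partitions = set()
    for line in ltm_lines:
        hit = classify_ltm_line(line)
        if hit is None:
            continue
        cause, partition = hit
        causes[cause] += 1
        if partition:
            partitions.add(partition)

    # Count the /var/log/secure lines that point at a TACACS+ key problem
    # even though the cause is recorded in /var/log/ltm.
    noise = sum(1 for line in secure_lines if SECURE_NOISE in line)

    findings = []
    if causes["role-needs-all-partitions"]:
        findings.append(
            "A remote user has a role that requires all-partition access "
            "but is restricted to a single partition."
        )
    if partitions:
        findings.append(
            "Remote users map to partitions that do not exist on this system: "
            + ", ".join(sorted(partitions))
        )
    return {
        "causes": dict(causes),
        "missing_partitions": sorted(partitions),
        "misleading_secure_lines": noise,
        "findings": findings,
    }


# Constructed sample input: prefixes are illustrative, message texts are from the entry.
PREFIX = "Jan 10 09:15:02 bigip1 err proc[1000]: "
SAMPLE_LTM = [
    PREFIX + ROLE_RESTRICTION,
    PREFIX + "Input error: invalid remote user credentials, "
             "partition does not exist, broken-partition",
    "Jan 10 09:15:03 bigip1 notice proc[1000]: constructed unrelated message",
    PREFIX + "Input error: invalid remote user credentials, "
             "partition does not exist, broken-partition",
]
SAMPLE_SECURE = [
    "Jan 10 09:15:02 bigip1 err proc[1001]: " + SECURE_NOISE,
    "Jan 10 09:15:02 bigip1 info proc[1001]: constructed line reporting success",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LTM, SAMPLE_SECURE)
    for finding in report["findings"]:
        print(finding)
    print("misleading /var/log/secure lines:", report["misleading_secure_lines"])
```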
688399-2 : HSB failure results in continuous TMM restarts
Component: TMOS
Symptoms:
TMM is continually restarted due to the lack of an HSB PDE device. When this issue occurs, HSB errors may be present in the TMM log files prior to a TMM core (SIGSEGV).
Conditions:
It's unknown how this issue occurs.
Impact:
TMM continually restarts until the unit is rebooted. Traffic disrupted while tmm restarts. The reboot appears to clear the condition.
Workaround:
Manually reboot the unit.
688397-1 : Reset causes for HTTP/2 streams are not recorded
Component: Local Traffic Manager
Symptoms:
The reset causes for HTTP2 streams are not recorded in statistics.
Conditions:
An HTTP/2 stream is reset for some reason.
Impact:
It may be difficult to debug HTTP/2 issues.
Workaround:
None.
688231-4 : Unable to set VET, AZOT, and AZOST timezones
Component: TMOS
Symptoms:
Unable to set VET, AZOT, and AZOST timezones
Conditions:
This occurs under normal operation.
Impact:
Cannot set these timezones.
Workaround:
Use the following zones with the same offset:
-- The AZOT timezone is the same offset as: N – November Time Zone.
-- The AZOST timezone is the same offset as: Z – Zulu Time Zone, GMT – Greenwich Mean Time, WET – Western European Time.
-- The VET timezone is the same offset as: AST – Atlantic Standard Time, CDT – Cuba Daylight Time, CLT – Chile Standard Time, EDT – Eastern Daylight Time, FKT – Falkland Island Time, Q – Quebec Time Zone.
686059-4 : FDB entries for existing VLANs may be flushed when creating a new VLAN.
Component: Local Traffic Manager
Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.
Conditions:
- Creating a new VLAN with existing VLANs using trunk members.
- STP is enabled on its trunk member.
Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.
Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.
686043-1 : dos.maxicmpframesize and dos.maxicmp6framesize sys db variables does not work for fragmented ICMP packets
Component: Advanced Firewall Manager
Symptoms:
ICMP/ICMPv6 fragmented packet with size larger than dos.maxicmpframesize is not counted in stats for 'ICMP frame too large' DoS vector.
Conditions:
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is received.
-- ICMPv6 fragmented packet with size larger than dos.maxicmpframesize is received.
Impact:
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is not dropped.
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is not counted in stats for 'ICMP frame too large' DoS vector.
-- ICMPv6 fragmented packet with size larger than dos.maxicmp6framesize is not dropped.
-- ICMPv6 fragmented packet with size larger than dos.maxicmp6framesize is not counted in stats for 'ICMP frame too large' DoS vector.
Workaround:
None.
683135-1 : Hardware syncookies number for virtual server stats is unrealistically high
Component: TMOS
Symptoms:
In some situations 'tmsh show ltm virtual' shows unrealistically high hardware (HW) syncookie numbers.
These unrealistically high HW syncookie stats cause AFM DoS TCP synflood vector to have high numbers, and that can cause TCP synflood vector to drop packets in HW based on the configured rate-limit for that vector.
Conditions:
Virtual server with hardware syncookie protection enabled.
Impact:
This is a statistics issue. It can affect traffic if the AFM TCP Synflood vector is enabled in mitigation mode.
Workaround:
Disable the TCP Synflood vector in mitigate mode.
Since Syncookie is already providing protection, the TCP Synflood option should be enabled only in detect-only mode, if at all.
680917-5 : Invalid monitor rule instance identifier
Component: TMOS
Symptoms:
The iApp triggers an error while attempting to change server properties for pool members. The error reads "Invalid monitor rule instance identifier".
Conditions:
Changing the server properties associated with the pool members through the iApp.
Impact:
You cannot change the server properties using the iApp.
679901-5 : The iControl REST timeout value is not configurable.
Component: TMOS
Symptoms:
Updating a large (75 KB or more records) data-group results in errors. This occurs because the communication between icrd_child and restjavad times out, and consequently the system raises errors.
The default timeout is set to 60 seconds.
Conditions:
Using iControl REST to update a data-group that contains a large number of records, e.g., 75,000 or more.
Impact:
The operation times out and there is no way to configure the iControl REST timeout value.
Workaround:
None.
679431-4 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header
Component: TMOS
Symptoms:
In the BIG-IP Advanced Routing module, the 'sh ipv6 interface <interface> brief' command does not show the header.
Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.
Impact:
The header is not shown.
Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief
679316-7 : iQuery connections reset during SSL renegotiation
Component: Global Traffic Manager (DNS)
Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.
Note: iQuery connections automatically perform SSL renegotiation every 24 hours.
Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.
Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs. 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).
This issue occurs even in versions where ID 477240 is fixed. There is no fix for this specific trigger of the same message.
Note: The iQuery communication issue is fixed through Bug ID 760471: GTM iQuery connections may be reset during SSL key renegotiation :: https://cdn.f5.com/product/bugtracker/ID760471.html.
Workaround:
There is no workaround at this time.
675911-6 : Different sections of the WebUI can report incorrect CPU utilization
Solution Article: K13272442
Component: TMOS
Symptoms:
The following sections of the WebUI can report incorrect (i.e. higher than expected) CPU utilization:
- The "download history" option found in the Flash dashboard
- Statistics › Performance › Traffic Report (section introduced in version 12.1.0)
Values such as 33%, 66% and 99% may appear in these sections despite the system being potentially completely idle.
Conditions:
HT-Split is enabled (this is the default for platforms that support it).
Impact:
Incorrect CPU utilization is reported by multiple sections of the WebUI, which can confuse BIG-IP Administrators and cause unnecessary alarm.
Workaround:
You can obtain CPU history through various other means. One way is to use the sar utility.
In 12.x and 13.x:
sar -f /var/log/sa6/sa
or for older data
sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.
In 11.x:
sar -f /var/log/sa/sa
or for older data
sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.
Live CPU utilization can also be obtained through various other means, including the Performance Graphs, SNMP polling, iControl polling, and command-line utilities such as top.
673573-3 : tmsh logs boost assertion when running child process and reaches idle-timeout
Component: TMOS
Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.
The errors in /var/log/ltm begin with the following text:
'boost assertion failed'
Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.
Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.
Workaround:
None.
673357-1 : SWG puts flow in intercept mode when session is not found
Component: Access Policy Manager
Symptoms:
In SWG, flows that should be getting bypassed are placed in intercept mode.
Conditions:
This occurs when the per-request policy receives an https request and a session is not established.
Impact:
In some cases, the client sees a certificate warning.
Workaround:
If the access policy is "start->allow", the following iRule can be used as a workaround:
when CLIENT_ACCEPTED {
    if { [ACCESS::session exists] } {
        # A session already exists for this connection.
        log local0. "Found Access Session"
        log local0. [ACCESS::session exists]
    } else {
        # No session found: create one and set its policy result to allow.
        set sid [ACCESS::session create -lifetime 300 -timeout 300 -flow]
        log local0. "No Access Session found, creating $sid"
        ACCESS::session data set session.ui.mode "0"
        ACCESS::session data set session.policy.result "allow"
    }
}
671372-5 : When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
Solution Article: K01930721
Component: TMOS
Symptoms:
When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
Conditions:
-- Creating a pool.
-- Modifying all of its members in a single tmsh transaction.
Impact:
The pool will be created but the members will not be modified.
Workaround:
Create the pool in one transaction, then modify its members in another transaction.
671025-3 : File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured
Component: TMOS
Symptoms:
devmgmtd exhausts file descriptors when state-mirroring peer-address is misconfigured:
err devmgmtd[8301]: 015a0000:3: [evConnMgr.tcc:29 evIncomingConn] Incoming connection failed: Too many open files
Conditions:
State-mirroring peer-address is misconfigured or configured to a self-ip with port lockdown misconfigured.
Impact:
devmgmtd has too many open files, causing iControl issues because iControl is unable to communicate with devmgmtd.
Workaround:
None.
670994-5 : There is no validation for IP address on the ip-address-list for static subscriber
Component: Policy Enforcement Manager
Symptoms:
You can add an IP address with a subnet mask for a static subscriber, and the system creates the subscriber by discarding the subnet mask without any error message.
Conditions:
This occurs when you add an IP address with a subnet mask to the IP address list for a static subscriber.
Impact:
An invalid IP address is added without warning or error.
666378-1 : A virtual server's connections per second (precision.last_value) is confusingly named.
Component: Local Traffic Manager
Symptoms:
A virtual server's current connections-per-second statistic has a confusing name. The statistic is maintained when rate limiting is configured for a virtual server. The statistic is updated when the virtual hits a rate-limiting condition, and it stays at the last value it held when the limit was hit.
Conditions:
If the rate limit is never configured then the value is 0. If the rate limit is configured and is hit, then the value is the active count when the limit was hit. The value stays at that count until the limit is hit again.
Impact:
There is no functional impact, but the statistic's meaning is confusing.
Workaround:
The MIB description should clarify the meaning of this statistic.
665117-7 : DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
Solution Article: K33318158
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Server status flapping from red-green-red.
Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.
Impact:
Server status flaps from red to green and back.
Workaround:
Check Transparent for these monitors.
663946-6 : The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
Component: Advanced Firewall Manager
Symptoms:
On a vCMP platform with host and guest using different BIG-IP versions, when DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.
Conditions:
-- vCMP platform with host and guest using different BIG-IP versions.
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).
Impact:
May result in lower than expected DNS load test results.
Workaround:
You can use any of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.
-- Disable hardware offload with sys db Dos.VcmpHWdos.
Note: For AFM HW DoS protection, the host and vCMP guest must be the same version; disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.
663925-3 : Virtual server state not updated with pool- or node-based connection limiting
Component: Local Traffic Manager
Symptoms:
Rate- or connection-limited pool members and nodes do not immediately affect virtual server status.
Conditions:
The connection count reaches the configured connection limit.
Impact:
Virtual server is automatically disabled when connection limit is reached and returns from the unavailable state after connections decrease.
The actual connection-limiting functionality occurs at the tmm level (you can see connection rejections in the logs after the max limit is reached). The system is just not logging the status in mcp, because update_status is not being called automatically.
Workaround:
None.
662301-4 : 'Unlicensed objects' error message appears despite there being no unlicensed config
Component: TMOS
Symptoms:
An error message appears in the GUI reading 'This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.' Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.
Conditions:
The BIG-IP system is licensed and the configuration loaded.
Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.
Workaround:
Restart mcpd by running the following command:
bigstart restart mcpd
661640-1 : Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair.
Component: TMOS
Symptoms:
Although the effect differs for different topologies, in general, the multicast traffic is interrupted for 5-to-180 seconds after failover.
Conditions:
Fast failover of PIM-based multicast traffic when the BIG-IP system is deployed as an Active/Standby high availability (HA) configuration.
Impact:
The multicast traffic is interrupted for 5-to-180 seconds after a failover event.
Workaround:
None. This is an improvement request.
660913-3 : For ActiveSync client type, browscap info provided is incorrect.★
Component: Access Policy Manager
Symptoms:
Clients using Microsoft ActiveSync are failing access policy evaluation.
Conditions:
-- This occurs with clients using Microsoft ActiveSync.
-- It can be encountered on upgrade if you are upgrading to version 12.1.2 - 14.1.0 from an earlier version.
Impact:
The ActiveSync "Client UI" expression fails and the wrong branch is selected. As a result, clients using ActiveSync may not be authenticated.
Workaround:
In the VPE change the ActiveSync "Client UI" expression to:
expr { [mcget {session.server.landinguri}] starts_with "/Microsoft-Server-ActiveSync" || [mcget {session.ui.mode}] == 8 }
660759-1 : Cookie hash persistence sends alerts to application server.
Component: Fraud Protection Services
Symptoms:
When Persistence cookie insert is enabled with a non-default cookie name, the cookie might be overwritten after an alert is handled.
Conditions:
-- A persistence profile is assigned to the virtual server.
-- Profile relies on cookie hash persistence.
-- Non-default Cookie name used for cookie persistence.
(Default cookie naming strategy appends Pool Name, which results in two cookies set with different names and different values, leaving the application pool persistence cookie unmodified.)
Impact:
Sends alerts to application server. Traffic might be sent to wrong pool member.
Workaround:
Use an iRule similar to the following to remove persistence cookie in case of alerts:
ltm rule /Common/cookie_persist_exclude_alerts {
    when HTTP_REQUEST {
        # Enable the usual persistence cookie profile.
        if { [HTTP::path] eq "/<alert-path>/" } {
            persist none
        }
    }
}
658943-2 : Errors when platform-migrate loading UCS using trunks on vCMP guest
Component: TMOS
Symptoms:
During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.
01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.
Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest.
Impact:
The platform migration fails and the configuration does not load.
Workaround:
You can use either of the following workarounds:
-- Remove all trunks from the source configuration prior to generation of the UCS.
-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.
658850-2 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
Component: TMOS
Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.
If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.
Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate
Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.
Workaround:
If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>
657834-5 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
Solution Article: K45005512
Component: TMOS
Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.
Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.
Note: The greater the number of routes flapping, the more likely to see the condition.
Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.
However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.
Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.
653210-2 : Rare resets during the login process
Component: Access Policy Manager
Symptoms:
On rare occasions, the login process resets and a NULL sresult message will be logged in /var/log/apm:
-- notice tmm[18397]: 01490505:5: /Common/ltm-apm_main_irules:Common:448568c9: Get license - Unexpected NULL session reply. Resetting connection.
Conditions:
A race condition allows license information to be processed out of order.
Impact:
The system resets the client connection attempt. The APM end user client must retry the login process.
Workaround:
Have the APM end user client retry the login operation.
652502-3 : snmpd returns 'No Such Object available' for ltm OIDs
Component: TMOS
Symptoms:
When the BIG-IP system starts with an expired license, SNMP queries for ltm-related OIDs return 'No Such Object available on this agent at this OID'.
Even if you re-activate the license or install a new one, snmpd is not notified of the change in license and still returns 'No Such Object available on this agent at this OID' until the snmpd process is restarted.
Conditions:
The BIG-IP system starts with an expired license, which is reactivated later.
Impact:
snmp queries to the ltm OIDs like ltmRst and ltmVirtual will not return any data.
Workaround:
A restart of snmpd (bigstart restart) after the license is re-activated or a new one is installed will resolve the issue.
646768-2 : VCMP Guest CM device name not set to hostname when deployed
Solution Article: K71255118
Component: TMOS
Symptoms:
When you access the vCMP guest instance after you deploy the system, the instance uses the hostname bigip1.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is running v11.6.0 or earlier.
-- You configure a vCMP guest instance that is running BIG-IP v11.6.0 or later.
-- You have configured the vCMP guest instance with a hostname other than bigip1.
-- You deploy the vCMP guest instance.
Impact:
The vCMP guest does not use the configured hostname.
Workaround:
-- In tmsh, run the following commands, in sequence:
mv cm device bigip1 HOSTNAME
save sys config
-- Rename the device name in the GUI.
646440-1 : TMSH allows mirror for persistence even when no mirroring configuration exists
Component: Local Traffic Manager
Symptoms:
When Mirroring is not configured in a high-availability (HA) configuration, the Configuration Utility (GUI) correctly hides the 'mirror' option for Persistence profile. However, Persistence Mirroring can still be enabled via TMSH.
Conditions:
-- Mirroring is configured in an HA configuration.
-- Persistence profile.
-- Using TMSH.
Impact:
A memory leak and degraded performance can occur when:
-- The Mirroring option of a Persistence profile is enabled.
-- Mirroring in the HA environment is not configured.
Workaround:
Always use the Configuration Utility (GUI) to configure Persistence profiles.
If you encounter this issue, complete the following procedure to locate Persistence profiles with Mirroring enabled, and then disable Mirroring for those profiles:
1. Access the BIG-IP Bash prompt.
2. List the Persistence profiles with the following command:
tmsh list ltm persistence
3. Examine the Persistence profiles to identify the ones with 'mirror enabled'.
4. Disable Mirroring for each Persistence profile, using a command similar to the following:
tmsh modify ltm persistence <persistence_type> <profile_name> mirror disabled
5. Save the changes to the Persistence profiles:
tmsh save sys config
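The procedure above as a dry-run script, added here as an example (not F5 code): it parses 'tmsh list ltm persistence' output, finds stanzas that contain 'mirror enabled', and prints the matching disable commands for review. The sample stanzas and profile names are constructed, and the stanza layout is assumed to follow the usual tmsh form 'ltm persistence <type> <name> { ... }'.

```shell
#!/bin/sh
# Added example: locate Persistence profiles with 'mirror enabled' and print
# the commands that would disable Mirroring. Nothing is modified (dry run).

# Constructed sample of `tmsh list ltm persistence` output (assumed layout,
# hypothetical profile names; not taken from a real system).
sample_persistence_config() {
cat <<'EOF'
ltm persistence dest-addr dst_sticky {
    defaults-from dest_addr
    mirror disabled
    timeout 180
}
ltm persistence source-addr src_sticky {
    defaults-from source_addr
    mirror enabled
    timeout 180
}
ltm persistence ssl ssl_sticky {
    defaults-from ssl
}
ltm persistence universal uie_sticky {
    defaults-from universal
    mirror enabled
    rule uie_rule
}
EOF
}

# Read tmsh stanzas on stdin; print "<persistence_type> <profile_name>" for
# every profile whose stanza contains 'mirror enabled'.
find_mirrored_profiles() {
    awk '
        # Stanza header: ltm persistence <type> <name> {
        $1 == "ltm" && $2 == "persistence" && $NF == "{" {
            type = $3; name = $4; next
        }
        # Inside a stanza: report the profile when Mirroring is on.
        type != "" && $1 == "mirror" && $2 == "enabled" { print type, name }
        # A closing brace in column 0 ends the stanza (nested blocks are indented).
        /^}/ { type = ""; name = "" }
    '
}

# Read tmsh stanzas on stdin; print one disable command per affected profile.
emit_disable_commands() {
    find_mirrored_profiles | while read -r type name; do
        printf 'tmsh modify ltm persistence %s %s mirror disabled\n' "$type" "$name"
    done
}

# On a BIG-IP system use the live configuration; elsewhere use the sample.
if command -v tmsh >/dev/null 2>&1; then
    tmsh list ltm persistence | emit_disable_commands
else
    sample_persistence_config | emit_disable_commands
fi
```

After reviewing and running the printed commands, save the changes with 'tmsh save sys config' as in step 5.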
640842-3 : ASM end user using mobile might be blocked when CSRF is enabled
Component: Application Security Manager
Symptoms:
Users report their access is blocked; when you look at the error log, you see CSRF errors.
Conditions:
-- CSRF enabled on ASM.
-- ASM client is using a mobile device.
Impact:
Client is blocked.
Workaround:
None.
640374-1 : DHCP statistics are incorrect
Component: Local Traffic Manager
Symptoms:
DHCP statistics are incorrect if DHCP server is down while a new virtual server is created. And when the DHCP server comes back up, the current pending transactions are incorrect.
Conditions:
-- DHCP relay configured.
-- DHCP server is down while the virtual server is created.
Impact:
The 'current pending transactions' for the DHCP server is incorrect if the DHCP server is down while a new virtual server is created.
Workaround:
None.
632553-4 : DHCP: OFFER packets from server are intermittently dropped
Solution Article: K14947100
Component: Local Traffic Manager
Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP.
Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.
Impact:
Client machines joining the network do not receive DHCP OFFER messages.
Workaround:
Force deletion of the server-side flow. For example, if DHCP server 10.0.66.222 is broken, run the following tmsh command:
tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67
625807-1 : tmm cored in bigproto_cookie_buffer_to_server
Component: Local Traffic Manager
Symptoms:
TMM cores on SIGSEGV during normal operation.
Conditions:
It is not known exactly what triggers this, but it may be triggered when a connection is aborted in a client-side iRule. This log signature may indicate that this is being triggered:
tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>
Impact:
Traffic disrupted while tmm restarts.
617929-2 : Support non-default route domains
Component: Local Traffic Manager
Symptoms:
Some connections are reset.
Conditions:
This occurs when the device is configured with non-default route domains when connecting to other tmms over the backplane.
Impact:
Traffic processing failure.
Workaround:
None.
617636-2 : LTM v11.6.x Errors in F5-BIGIP-LOCAL-MIB.txt prevent its compilation in NMS (Network Management System)
Solution Article: K15009669
Component: TMOS
Symptoms:
Error during compilation of MIB file F5-BIGIP-LOCAL-MIB.txt in NMS:
Unexpected token: in /.../mibs/F5-BIGIP-LOCAL-MIB.mib line no: 27738.
The above compilation error is caused by missing commas in F5-BIGIP-LOCAL-MIB.txt:
ltmFwRuleStatRuleStatType OBJECT-TYPE
SYNTAX INTEGER {
enforced(1)staged(2), <===== comma missing here
active(3),
overlapper(4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
""
::= { ltmFwRuleStatEntry 6 }
ltmFwPolicyRuleStatRuleStatType OBJECT-TYPE
SYNTAX INTEGER {
enforced(1)staged(2), <===== comma missing here
active(3),
overlapper(4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
""
::= { ltmFwPolicyRuleStatEntry 6 }
Conditions:
Compile F5-BIGIP-LOCAL-MIB.txt from 11.6.x versions in NMS.
Impact:
F5-BIGIP-LOCAL-MIB.txt fails to compile in NMS.
Workaround:
Correct syntax in the F5-BIGIP-LOCAL-MIB.txt file, as follows:
ltmFwRuleStatRuleStatType OBJECT-TYPE
SYNTAX INTEGER {
enforced(1),
staged(2),
active(3),
overlapper(4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
""
::= { ltmFwRuleStatEntry 6 }
ltmFwPolicyRuleStatRuleStatType OBJECT-TYPE
SYNTAX INTEGER {
enforced(1),
staged(2),
active(3),
overlapper(4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
""
::= { ltmFwPolicyRuleStatEntry 6 }
615934-4 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.
Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.
Impact:
Key/certificate overwrite using iControl operations might fail.
608952-3 : MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
Component: Local Traffic Manager
Symptoms:
MSSQL health monitor always shows down.
Conditions:
The Microsoft SQL server that is being monitored has disabled support for legacy security protocols, and supports only versions TLSv1.1 and TLSv1.2.
Impact:
MSSQL monitor is unable to perform health checking when SQL Server is configured to require TLSv1.1 or TLSv1.2.
Workaround:
None.
606032-5 : Network Failover-based high availability (HA) in AWS may fail
Component: TMOS
Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.
Conditions:
Attempting to setup high availability (HA) in Amazon Web Services (AWS) with only 1 network interface.
Impact:
Configuration of high availability (HA) in AWS cannot be completed.
Workaround:
The current workaround is to configure high availability (HA) in AWS with at least 2 network interfaces.
605675-4 : Sync requests can be generated faster than they can be handled
Component: TMOS
Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.
Conditions:
Configuration changes in quick succession that might generate sync-change messages.
Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.
Workaround:
None.
603124-2 : [FW FQDN] Lower minimum allowed refresh interval (than current min of 10 mins)
Component: Advanced Firewall Manager
Symptoms:
Firewall FQDN feature allowed the periodic refresh interval to be no less than 10 minutes. However, FQDN-to-IP mappings may change more frequently than every 10 minutes.
This causes mismatch between the actual FQDN-to-IP mappings and the mappings AFM/Firewall has learnt.
Conditions:
-- Firewall rules have been configured with FQDNs as one of the match dimensions (source or destination, or both).
-- AFM DNS resolver refresh interval set to smallest possible allowed value of 10 minutes.
-- FQDN-to-IP mappings change more frequently than 10 minutes.
Impact:
Mismatch between the actual FQDN-to-IP mappings and the mappings AFM/Firewall has learnt/cached.
Workaround:
None.
602396-1 : EPSEC Upload Package Button Is Greyed Out
Component: Access Policy Manager
Symptoms:
The EPSEC upload package button is greyed out when there are multiple traffic groups.
Conditions:
-- Multiple traffic groups are configured.
-- Viewing the 'Upload Package' button on the System :: Software Management : Antivirus Check Updates : Package Status.
Impact:
'Upload Package' button is greyed out. Cannot upload packages for Antivirus Check Update.
Workaround:
Delete one of the traffic groups until the button is available.
601220-3 : Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
Component: TMOS
Symptoms:
When a multi-blade VIPRION deployment first starts up or recovers from a chassis-wide force-offline/release-offline event, multi-blade trunks seem to leak packets that ingressed on one blade, out the same trunk's member interfaces on other blades.
Conditions:
-- Multi-blade VIPRION deployment.
-- Chassis-wide reboot or force-offline/release-offline event occurs.
Impact:
This is a very intermittent issue that is not reproducible and happens for only a few milliseconds. This may temporarily impact the upstream switch L2 FDB and cause slight traffic redirection as the upstream switch will learn the source MAC of the gratuitous ARPing host from the same trunk the traffic was broadcast to.
Note: This is not an F5-specific problem. It occurs on every stack switch hardware under these conditions.
Workaround:
There is no workaround.
600985-1 : Network access tunnel data stalls
Component: Access Policy Manager
Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.
Conditions:
The cause of this issue is not yet known.
Impact:
Data stalls on the tunnel, so the user cannot access any applications. However, Edge Client shows the VPN tunnel as 'Connected'.
Workaround:
Manually re-establish the tunnel.
593536-7 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
Solution Article: K64445052
Component: TMOS
Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.
Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.
Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.
Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.
Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.
591732-5 : Local password policy not enforced when auth source is set to a remote type.
Component: TMOS
Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.
Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.
2) The auth source is set to a remote source, such as LDAP, AD, TACACS.
Impact:
The system does not enforce any of the non-default local password policy options.
For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.
Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).
Workaround:
None.
591305-3 : Audit log messages with "user unknown" appear on install
Component: TMOS
Symptoms:
Multiple log entries in /var/log/audit similar to
May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]
Conditions:
This happens on initial install. It is not yet known what triggers it.
Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.
587821-8 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
Component: TMOS
Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.
In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.
Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.
Impact:
The vCMP guests that have been running since before the MCPD daemon restarted may be unable to communicate with VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.
Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.
Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.
583084-8 : iControl produces 404 error while creating records successfully
Solution Article: K15101680
Component: TMOS
Symptoms:
iControl produces an HTTP 404 - Not Found error message while creating the BIG-IP DNS topology record successfully.
Conditions:
Creating GTM topology record without using full path via iControl.
Impact:
Resulting code/information is not compatible with actual result.
For a post request, the create command and the list command are formed and executed, and the name in the curl request and the name in the list response are compared to verify whether or not it is the actual object. When a create command is executed with properties that are not fullPath (e.g., in iControl), it still creates the object with fullPath. So list returns the name with fullPath and compares it with the name that does not contain the fullPath, and the comparison fails because the names do not match.
Workaround:
Use the full path when creating BIG-IP DNS topology records using iControl.
580715-1 : ASM is not sending 64 KB remote logs over UDP
Component: Application Security Manager
Symptoms:
Remote logs are missing. The following log message appears in bd.log and asm.log:
ASM configuration error: event code L3350 Failed to write to remote logger vs_name_crc 1119927693 LoggingAccount.cpp:3348`remote log write FAILED res = -3 <Failed to send remote message (remote server not responding)> errno <Message too long>.
Conditions:
-- A remote logger configured for UDP.
-- Max message length of 64 KB.
Impact:
Missing logs in the remote logger.
Workaround:
You can use either of the following workarounds:
-- Change the remote logger to TCP.
-- Reduce the message length to 1 KB.
579219-3 : Access keys missing from SessionDB after multi-blade reboot.
Component: Access Policy Manager
Symptoms:
After rebooting a 4-blade vCMP guest, only the master key for the catalog remains. All subkeys are missing.
Conditions:
This can occur intermittently during a reboot in a multi-blade vCMP guest configured with APM.
Impact:
Some Access subkeys may be missing after the reboot.
Workaround:
Reboot the primary blade.
578989-9 : Maximum request body size is limited to 25 MB
Component: Access Policy Manager
Symptoms:
When a POST request with a body size exceeding 25 MB is sent to an APM virtual server, the request fails.
Conditions:
POST request body size exceeded 25 MB.
Impact:
The POST request fails. The maximum request body size is limited to 25 MB.
Workaround:
There is no workaround at this time.
569859-5 : Password policy enforcement for root user when mcpd is not available
Component: TMOS
Symptoms:
When the mcpd configuration database is not available, password policy is not enforced when changing the password for the user 'root' using the command-line utility 'passwd'.
Conditions:
-- Advanced shell access
-- mcpd is not available.
-- Change root password with the 'passwd' utility.
Impact:
Root password may be set to a string that does not comply with the current password policy.
Workaround:
None.
560682-2 : The REST Framework no longer works when downgrading from BIG-IP version 12.x or 13.x to 11.6.x or 11.5.x
Component: Device Management
Symptoms:
After activating an earlier software version (by downgrading from a later version, or any other means) from BIG-IP version 12.x or 13.x to 11.6.x or 11.5.x, the REST Framework no longer works.
At this time, iControl REST requests issued against the BIG-IP system return a 404 HTTP status code.
Additionally, the BIG-IP system logs messages similar to the following example to the /var/log/httpd/httpd_errors file:
Dec 3 15:57:51 localhost err httpd[14486]: [error] [client 192.168.94.48] File does not exist: /usr/local/www/mgmt
Conditions:
-- Upgrading the BIG-IP system to version 12.x or 13.x and then activating a previous boot location containing 11.5.x or 11.6.x.
-- Utilizing iControl REST.
Impact:
iControl REST does not work on the older software version.
Note: If you boot back into the version 12.x or 13.x slot, iControl REST functionality returns.
Workaround:
To recover from this issue and restore iControl REST functionality on the older software version, run the following command:
rm -fv /shared/lib/rpm/* && reboot
Note: On a VIPRION or vCMP system with multiple blades, you should run "clsh 'rm -fv /shared/lib/rpm/* && reboot'" instead, so that all blades are fixed and the system will work regardless of which blade becomes primary after the reboot.
547692-5 : Firewall-blocked KPASSWD service does not cause domain join operation to fail
Component: Access Policy Manager
Symptoms:
The KPASSWD service runs on tcp/464 and udp/464. If both of these ports are blocked, the BIG-IP system cannot properly set the machine account password for the created machine account. In addition, a bug on the BIG-IP system prevents this failure from being reported back to the administrator.
Because the machine account itself is successfully created on the Active Directory side without the correct password, and the BIG-IP system does not report the KPASSWD failure, the domain join operation appears to have worked perfectly.
However, because the password is never set on the Active Directory side, the machine account is effectively unusable: the BIG-IP system can never establish a working SCHANNEL with the Active Directory server because of this password mismatch.
creation is LDAP (+ Kerberos GSS-API with SASL binding), the machine account itself is generated. Furthermore, because an administrator is not allowed to set the password for a machine account, this situation obscures the fact that KPASSWD was failing: the AD server never receives the request and so never logs a failure, while the BIG-IP system fails to detect the KPASSWD failure. From the administrator's point of view, the domain join appears to have worked perfectly.
Conditions:
Out of DNS, LDAP, KERBEROS, KPASSWD services which are required for domain join operation, only KPASSWD is blocked.
Impact:
The created machine account is effectively unusable due to the password mismatch, and the BIG-IP system can never establish a working SCHANNEL. As a result, the NTLM authentication feature does not work.
Workaround:
Allow KPASSWD traffic to reach the Active Directory server.
544958-1 : Monitor packets are sent even when pool member is 'Forced Offline'.
Component: Local Traffic Manager
Symptoms:
If you have a pool member associated with more than one virtual server and the pool member is marked Forced-Offline, the pool monitor will continue to function if the monitor is assigned to both pools.
Conditions:
-- Pools containing identical members.
-- Pool monitoring configured.
-- Pool members are Forced Offline.
Impact:
Monitor packets are sent even when pool member is 'Forced Offline'.
Workaround:
None.
534187-5 : Passphrase protected signing keys are not supported by SAML IDP/SP
Component: Access Policy Manager
Symptoms:
Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys.
Conditions:
Private key used to perform digital signing operations is passphrase protected.
Impact:
SAML protocol will not function properly due to inability to sign messages.
Workaround:
To work around the problem, remove the passphrase from the signing key.
512490-12 : Increased latency during connection setup when using FastL4 profile and connection mirroring.
Component: Local Traffic Manager
Symptoms:
Connection setup when using FastL4 profile and connection mirroring takes longer than previous versions.
Conditions:
FastL4 profile with connection mirroring.
Impact:
Slight delay during connection setup.
Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal to noise ratio improvements. This helps resolve connection setup latency.
505037-5 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
Solution Article: K01993279
Component: Local Traffic Manager
Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.
Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.
Impact:
Secondary in a restart loop.
Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.
499348-9 : System statistics may fail to update, or report negative deltas due to delayed stats merging
Component: TMOS
Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.
The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.
Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:
-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).
-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).
Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.
Workaround:
This issue has two workarounds:
1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:
-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.
2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
tmsh modify sys db merged.method value slow_merge
498926 : Client can fail to start a new session in multi-domain SSO.
Component: Access Policy Manager
Symptoms:
A client cannot start a new session from the session expired page if the session expires on the primary auth domain before the policy completes.
Conditions:
-- Configure multi-domain SSO.
-- Client attempts to access an application (www.site.com) and is then redirected to the auth domain (www.primaryauth.com).
-- The auth policy is allowed to expire without completing.
Impact:
The 'start a new session' prompt cannot send the client back to the application to restart the policy, since that information was lost when the session expired. The client must use the back button to return to the application to start a new session.
Workaround:
As a workaround, in Customization, modify the HREF for the Session Expired Message so that it redirects to www.site.com.
In the customization text for the Session Expired Message, replace [SESSION_RESTART_URL] with the session variable %{session.server.network.name}.
489960-4 : Memory type stats is incorrect
Component: WebAccelerator
Symptoms:
When tmm allocates memory, it adds up stats per memory type allocated. AAM is not properly marking the memory type for string objects, which affects other types of memory stats depending on configuration and release.
Conditions:
AAM is provisioned and there are virtuals in BIG-IP configuration which have web acceleration profiles associated with one or more AAM policies.
Impact:
Stats for some types of memory can be skewed, which complicates troubleshooting.
Workaround:
None.
486712-5 : GUI PVA connection maximum statistic is always zero
Component: TMOS
Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.
Conditions:
This occurs when fastL4 connections are used.
Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.
484683-2 : Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer.
Component: TMOS
Symptoms:
-- After a configuration synchronization (ConfigSync) operation, the peer of a high-availability (HA) pair cannot show the summary of cert-chain using the command:
tmsh run sys crypto check-cert verbose enabled
-- After a ConfigSync operation, Certificate Subjects may be missing or empty when viewed in the Configuration Utility/GUI under System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: <certificate>.
Conditions:
Conditions leading to this issue include:
1. On the command line or in the GUI, set up a high availability (HA) configuration.
2. Import Certificate chain to one BIG-IP system.
3. Perform a ConfigSync operation to sync the certificate chain to the high availability (HA) peer.
Impact:
After a ConfigSync operation, the certificate chain summary is not created on other high availability (HA) peers.
Workaround:
1. Copy the cert-chain file to a location on the system (e.g., /shared/tmp/).
2. Update the cert-chain using a command similar to the following:
modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_5361_1
Note: The step above causes the units to be out of sync, so an additional config-sync operation is required to bring the units 'In Sync' again.
474797-4 : Nitrox crypto hardware may attempt soft reset while currently resetting
Component: Local Traffic Manager
Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.
Conditions:
Soft reset is needed to clear a stuck condition occurring in the timeframe during which another soft reset is occurring.
Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.
Workaround:
Correct the condition resulting in the need for the soft reset to clear the stuck condition, or disable hardware-based crypto acceleration by setting db variable 'tmm.ssl.cn.shunt' to disable.
To disable hardware-based crypto acceleration, issue the following command:
tmsh modify sys db tmm.ssl.cn.shunt value disable
Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.
470346-2 : Some IPv6 client connections get RST when connecting to APM virtual
Component: Access Policy Manager
Symptoms:
IPv6 clients connecting to APM virtual server that renders some page, e.g., logon page, webtop, or message box, might get connection resets.
Conditions:
IPv6 client has the last 4 bytes of the IP address set to some special-purpose address, e.g., multicast address.
Impact:
Client connection is reset.
Workaround:
Change the last 4 bytes of the client IPv6 address to avoid the IPv4 special-address range.
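Added example (not part of the F5 release notes): a triage helper that reads the last 4 bytes of each client IPv6 address as an IPv4 address and flags those that fall in a special-purpose class, so affected clients can be picked out of a list. The release note names only multicast; the other classes checked here, the function names, and the sample addresses are assumptions for illustration.

```python
import ipaddress

# Constructed sample client list (documentation prefix 2001:db8::/32).
SAMPLE_CLIENTS = [
    "2001:db8::e000:1",            # low 32 bits = 224.0.0.1
    "2001:db8::5db8:d822",         # low 32 bits = 93.184.216.34
    "2001:db8::7f00:1",            # low 32 bits = 127.0.0.1
    "2001:db8:1:2:3:4:ffff:ffff",  # low 32 bits = 255.255.255.255
    "192.0.2.10",                  # IPv4 client, not relevant to this issue
]


def low32_as_ipv4(addr):
    """Return the last 4 bytes of an IPv6 address as an IPv4Address."""
    v6 = ipaddress.IPv6Address(addr)
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def special_class(addr):
    """Name the special-purpose IPv4 class of the low 32 bits, or None.

    Only 'multicast' is stated in the release note; the remaining
    classes are assumed candidates for triage.
    """
    v4 = low32_as_ipv4(addr)
    if v4.is_multicast:                      # 224.0.0.0/4
        return "multicast"
    if v4 == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast"
    if v4.is_unspecified:                    # 0.0.0.0
        return "unspecified"
    if v4.is_loopback:                       # 127.0.0.0/8
        return "loopback"
    if v4.is_link_local:                     # 169.254.0.0/16
        return "link-local"
    if v4.is_reserved:                       # 240.0.0.0/4
        return "reserved"
    return None


def triage(addresses):
    """Map each flagged IPv6 client address to its special-purpose class."""
    flagged = {}
    for addr in addresses:
        try:
            cls = special_class(addr)
        except ipaddress.AddressValueError:
            continue                         # not an IPv6 address; skip
        if cls is not None:
            flagged[addr] = cls
    return flagged


if __name__ == "__main__":
    for client, cls in triage(SAMPLE_CLIENTS).items():
        print(f"{client}: last 4 bytes look like IPv4 {cls}")
```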
469724-2 : When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire
Component: TMOS
Symptoms:
Evaluation features cause perpetual features to expire when the evaluation license expires.
Conditions:
-- Perpetual license with an evaluation/demonstration add-on feature.
-- The add-on license expires or is expired.
Impact:
When an evaluation/demonstration add-on license expires, features included in both the evaluation add-on as well as the regular, perpetual license stop working.
This behavior is covered in F5 article K4679: BIG-IP evaluation and demonstration licenses do expire :: https://support.f5.com/csp/article/K4679.
Workaround:
To work around this issue, activate the license from the command line:
When reactivating an existing license, and deactivating an expired evaluation license key, specify the base registration key and add-on (if any), and use the -i option for the expired evaluation license key in the get_dossier command.
For example, if the expired evaluation license key is ABCDEFG-ZZZZZZZ, use the following command:
get_dossier -b ABCDE-ABCDE-ABCDE-ABCDE-ABCDEFG -a ABCDEFG-ABCDEFG -i ABCDEFG-ZZZZZZZ
You can find these steps detailed in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595. This part in particular is required to work around this issue.
431503-3 : TMSH crashes in rare initial tunnel configurations
Solution Article: K14838
Component: TMOS
Symptoms:
In rare BIG-IP configuration scenarios, TMM may crash during its startup process when the tunnel configurations are loaded.
Conditions:
During TMM startup, a tunnel is created, then immediately removed during the configuration load period, when TMM neighbor messages may be in flight via the tunnel. When the race condition fits, the neighbor message may land on an invalid tunnel.
Impact:
TMM crash in rare race conditions.
Workaround:
None.
409062-1 : ArcSight HSL is not supported for most system daemons
Solution Article: K20008325
Component: TMOS
Symptoms:
If an HSL configuration is defined that tries to publish logs from core system daemons (chmand, TMM, fpdd, merged, etc.) to an ArcSight destination, it does not work properly. Instead, all log messages at debug level and higher (from that daemon) are captured in the local system log files.
For instance, configuring a wide-open filter that captures all traffic, such as the following, will result in many core daemons logging debug logs to /var/log/ltm on the BIG-IP system:
sys log-config filter remote-log-filter {
    publisher publisher
}
sys log-config publisher publisher {
    destinations {
        arcsight { }
    }
}
sys log-config destination remote-high-speed-log hsl {
    pool-name pool_arcsight
}
sys log-config destination arcsight arcsight {
    forward-to hsl
}
Conditions:
This occurs when a high-speed logger is configured with the ArcSight remote log servers as the destination.
Impact:
As a result of this, the system will log excessively to the local log files.
Workaround:
Only configure log filters that publish logs to ArcSight for supported (AFM, ASM, and SWG) components.
398683-3 : Use of a # in a TACACS secret causes remote auth to fail
Solution Article: K12304
Component: TMOS
Symptoms:
TACACS remote auth fails when the TACACS secret contains the '#' character.
Conditions:
TACACS secret contains the '#' character.
Impact:
TACACS remote auth fails.
Workaround:
Do not use the '#' character in the TACACS secret.
385013-4 : Certain user roles do not trigger a sync for a 'modify auth password' command
Component: TMOS
Symptoms:
If users with certain roles change their password, the BIG-IP system does not detect that it is out-of-sync with its peer and does not trigger an automatic sync.
Conditions:
-- Multiple BIG-IP devices in a Device Service Cluster that sync configurations with each other.
-- A user with one of the following roles logs in and changes their password:
+ guest
+ operator
+ application-editor
+ manager
+ certificate-manager
+ irule-manager
+ resource-admin
+ auditor
Impact:
The system does not detect that it is out of sync with its peer, and does not report this condition. If automatic sync is enabled, a sync does not automatically occur.
Workaround:
Force a full sync to the peer systems.
382363-5 : min-up-members and using gateway-failsafe-device on the same pool.
Solution Article: K30588577
Component: TMOS
Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.
Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.
Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.
Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.
291256-2 : Changing 'Minimum Length' and 'Required Characters' might result in an error
Component: TMOS
Symptoms:
When setting a value for the password policy attribute 'Minimum Length', and setting 'Required Characters' 'Numeric', 'Uppercase', 'Lowercase', and 'Other' to values whose sum is greater than 'Minimum Length' the system does not save changes, and instead reports an error:
err mcpd[1647]: 01070903:3: Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'
Conditions:
-- Change the value of 'Minimum Length'.
-- Change the values in 'Required Characters' ('Numeric', 'Uppercase', 'Lowercase', and 'Other').
-- The sum of the values from 'Required Characters' is greater than the 'Minimum Length' value before you changed it.
Here is an example:
1. From the default of '6', change 'Minimum Length' to 10.
2. At the same time, change each of the 'Required Characters' options ('Numeric', 'Uppercase', 'Lowercase', and 'Other') to '2', for a total of 8.
3. Click Update.
(These values should work because the value in 'Minimum Length' (10) is greater than the sum of the values in 'Required Characters' (8).)
Impact:
The changes are not saved, and an error is posted:
Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'.
Workaround:
You can use either of the following workarounds:
-- To work around this using the GUI, set 'Minimum Length' and 'Required Characters' separately (i.e., specify 'Minimum Length' and click Update, and then specify 'Required Characters' and click Update).
-- Use tmsh instead of the GUI.
264701-3 : GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)
Solution Article: K10066
Component: Global Traffic Manager (DNS)
Symptoms:
The zrd process exits and cannot be restarted.
Conditions:
This occurs when the journal is out-of-sync with the zone.
Impact:
The zrd process cannot be restarted.
Workaround:
Before beginning, ensure that no one else is making config changes (i.e., consider making changes during a maintenance window).
I) On a working system, perform the following:
1. # rndc freeze $z
(Do this for all nonworking zones. Do not perform the thaw until you finish copying all needed files to the nonworking system.)
2. # tar zcvf /tmp/named.zone.files namedb/db.[nonworking zones]
3. # rndc thaw $z
II) On each nonworking system, perform the following:
1. # bigstart stop zrd; bigstart stop named
2. Copy the nonworking /tmp/named.zone.files from a working GTM system.
3. # bigstart start named; bigstart start zrd
(Before continuing, review /var/log/daemon.log for named errors, and review /var/log/gtm for zrd errors.)
Repeat part II until all previously nonworking systems are working.
III) On a working GTM system, run the following command:
# touch /var/named/config/named.conf
222220-4 : Distributed application statistics
Component: Global Traffic Manager (DNS)
Symptoms:
Distributed application statistics shows only requests passed to its first wide IP.
Conditions:
Using Distributed application statistics and multiple wide-IP-members.
Impact:
The system does not include statistics for requests passed to other wide-IP-members of the distributed application.
Workaround:
None.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/