BIG-IP 14.1.3.1 Fixes and Known Issues

Supplemental Document : BIG-IP 14.1.3.1 Fixes and Known Issues

Applies To:

Show Versions

BIG-IP AAM

14.1.3

BIG-IP APM

14.1.3

BIG-IP Analytics

14.1.3

BIG-IP Link Controller

14.1.3

BIG-IP LTM

14.1.3

BIG-IP PEM

14.1.3

BIG-IP AFM

14.1.3

BIG-IP DNS

14.1.3

BIG-IP FPS

14.1.3

BIG-IP ASM

14.1.3

Updated Date: 05/28/2022

ID Number	CVE	Solution Article(s)	Description
881317-4	CVE-2020-5896	K15478554	BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
832757-5	CVE-2017-18551	K48073202	Linux kernel vulnerability CVE-2017-18551
778049-4	CVE-2018-13405	K00854051	Linux Kernel Vulnerability: CVE-2018-13405
852929-7	CVE-2020-5920	K25160703	AFM WebUI Hardening
818213-2	CVE-2019-10639	K32804955	CVE-2019-10639: KASLR bypass using connectionless protocols
773693-5	CVE-2020-5892	K15838353	CVE-2020-5892: APM Client Vulnerability
834533-2	CVE-2019-15916	K57418558	Linux kernel vulnerability CVE-2019-15916

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
920961-3	3-Major		Devices incorrectly report 'In Sync' after an incremental sync
756139-1	3-Major		Inconsistent logging of hostname files when hostname contains periods
921421-1	4-Minor		iRule support to get/set UDP's Maximum Buffer Packets

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
809553	1-Blocking		ONAP Licensing - Cipher negotiation fails
957337-4	2-Critical		Mgmt in tmsh broken
954025	2-Critical		"switchboot -b HD1.1" fails to reboot chassis
933409-4	2-Critical		Tomcat upgrade via Engineering Hotfix causes live-update files removal★
927033-1	2-Critical		Installer fails to calculate disk size of destination volume★
910201-1	2-Critical		OSPF - SPF/IA calculation scheduling might get stuck infinitely
896217-4	2-Critical		BIG-IP GUI unresponsive
860517-3	2-Critical		MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
796601-4	2-Critical		Invalid parameter in errdefsd while processing hostname db_variable
787285	2-Critical		Configuration fails to load after install of v14.1.0 on BIG-IP 800★
770989	2-Critical		Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.★
769817-3	2-Critical		BFD fails to propagate sessions state change during blade restart
706521-4	2-Critical		The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
934941-3	3-Major		Platform FIPS power-up self test failures not logged to console
930741-1	3-Major		Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
928321-3	3-Major		Hardening of HSM UI
920301-2	3-Major		Unnecessarily high number of JavaScript Obfuscator instances when device is busy
916821-4	3-Major		An authenticated user on iControlREST may gain elevated privilege level
915825-4	3-Major		Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
915497-3	3-Major		New Traffic Class Page shows multiple question marks.
911809-1	3-Major		TMM might crash when sending out oversize packets.
908021-2	3-Major		Management and VLAN MAC addresses are identical
904845-3	3-Major		VMware guest OS customization works only partially in a dual stack environment.
902401-3	3-Major		OSPFd SIGSEGV core when 'ospf clear' is done on remote device
898705-3	3-Major		IPv6 static BFD configuration is truncated or missing
898461-4	3-Major		Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
889041-1	3-Major		Failover scripts fail to access resolv.conf due to permission issues
886689-4	3-Major		Generic Message profile cannot be used in SCTP virtual
867181-3	3-Major		ixlv: double tagging is not working
865241-3	3-Major		Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
860317-1	3-Major		JavaScript Obfuscator can hang indefinitely
851733-1	3-Major		Tcpdump messages (warning, error) are sent to stdout instead of stderr
850777-1	3-Major		BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config
846441-1	3-Major		Flow-control is reset to default for secondary blade's interface
846137-3	3-Major		The icrd returns incorrect route names in some cases
843597-3	3-Major		Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
829193-2	3-Major		REST system unavailable due to disk corruption
826905-1	3-Major		Host traffic via IPv6 route pool uses incorrect source address
806073-3	3-Major		MySQL monitor fails to connect to MySQL Server v8.0
795649-3	3-Major		Loading UCS from one iSeries model to another causes FPGA to fail to load
788577-4	3-Major		BFD sessions may be reset after CMP state change
783113-4	3-Major		BGP sessions remain down upon new primary slot election
767737-2	3-Major		Timing issues during startup may make an HA peer stay in the inoperative state
755197-3	3-Major		UCS creation might fail during frequent config save transactions
754971-2	3-Major		OSPF inter-process redistribution might break OSPF route redistribution of various types.
751584-1	3-Major		Custom MIB actions can be blocked by SELINUX permissions
740589-1	3-Major		Mcpd crash with core after 'tmsh edit /sys syslog all-properties'
737098-2	3-Major		ASM Sync does not work when the configsync IP address is an IPv6 address
652502-3	3-Major		snmpd returns 'No Such Object available' for ltm OIDs
933461-3	4-Minor		BGP multi-path candidate selection does not work properly in all cases.
924429-3	4-Minor		Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values
892677-4	4-Minor		Loading config file with imish adds the newline character
882713-1	4-Minor		BGP SNMP trap has the wrong sysUpTime value
864757-2	4-Minor		Traps that were disabled are enabled after configuration save
722230-3	4-Minor		Cannot delete FQDN template node if another FQDN node resolves to same IP address
591732-5	4-Minor		Local password policy not enforced when auth source is set to a remote type.
583084-8	4-Minor	K15101680	iControl produces 404 error while creating records successfully
849085-3	5-Cosmetic		Lines with only asterisks filling message and user.log file

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
941089	2-Critical		TMM core when using Multipath TCP
911041-2	2-Critical		Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash
898949-3	2-Critical		APM may consume excessive resources while processing VPN traffic
891849-2	2-Critical		Running iRule commands while suspending iRule commands that are running can lead to a crash
879409-2	2-Critical		TMM core with mirroring traffic due to unexpected interface name length
851857-3	2-Critical		HTTP 100 Continue handling does not work when it arrives in multiple packets
851345-2	2-Critical		The TMM may crash in certain rare scenarios involving HTTP/2
850873-1	2-Critical		LTM global SNAT sets TTL to 255 on egress.
824881-2	2-Critical		A rare TMM crash cause by the fix for ID 816625
811161-1	2-Critical		Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992
766509-1	2-Critical		Strict internal checking might cause tmm crash
705768-1	2-Critical		The dynconfd process may core and restart with multiple DNS name servers configured
949145-4	3-Major		Improve TCP's response to partial ACKs during loss recovery
948757-3	3-Major		A snat-translation address responds to ARP requests but not to ICMP ECHO requests.
931513-2	3-Major		Some sequence of HTTP packets may cause TMM to crash
915689-4	3-Major		HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
915605-1	3-Major		Image install fails if iRulesLX is provisioned and /usr mounted read-write★
913249-4	3-Major		Restore missing UDP statistics
901929-4	3-Major		GARPs not sent on virtual server creation
892385-2	3-Major		HTTP does not process WebSocket payload when received with server HTTP response
880361-3	3-Major		TMM may crash while processing iRules LX commands
879413-3	3-Major		Statsd fails to start if one or more of its *.info files becomes corrupted
862597-5	3-Major		Improve MPTCP's SYN/ACK retransmission handling
860005-3	3-Major		Ephemeral nodes/pool members may be created for wrong FQDN name
857845-6	3-Major		TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule
851477-3	3-Major		Memory allocation failures during proxy initialization are ignored leading to TMM cores
851045-3	3-Major		LTM database monitor may hang when monitored DB server goes down
850145-3	3-Major		Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
823921-2	3-Major		FTP profile causes memory leak
820333-3	3-Major		LACP working member state may be inconsistent when blade is forced offline
819329-2	3-Major		Specific FIPS device errors will not trigger failover
818853-3	3-Major		Duplicate MAC entries in FDB
809701-2	3-Major		Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist
805017-2	3-Major		DB monitor marks pool member down if no send/recv strings are configured
803233-3	3-Major		Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
796993-1	3-Major		Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
787853-2	3-Major		BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps.
786517-3	3-Major		Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
783617-1	3-Major		Virtual Server resets connections when all pool members are marked disabled
776229-2	3-Major		iRule 'pool' command no longer accepts pool members with ports that have a value of zero
759480-3	3-Major		HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
759056-2	3-Major		stpd memory leak on secondary blades in a multi-blade system
753805-3	3-Major		BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
753594-2	3-Major		In-TMM monitors may have duplicate instances or stop monitoring
750278-4	3-Major	K25165813	A sub-second timeout for the SSL alert-timeout option may be desirable in certain cases
745682-1	3-Major		Failed to parse X-Forwarded-For header in HTTP requests
724824-3	3-Major		Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
722707-2	3-Major		mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
720440-4	3-Major		Radius monitor marks pool members down after 6 seconds
718790-1	3-Major		Traffic does not forward to fallback host when all pool members are marked down
710930-3	3-Major		Enabling BigDB key bigd.tmm may cause SSL monitors to fail
935593-3	4-Minor		Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
932937-3	4-Minor		HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.
895153-2	4-Minor		HTTP::has_responded returns incorrect values when using HTTP/2
895141	4-Minor		HTTP::has_responded returns incorrect values when using HTTP/2
822025-2	4-Minor		HTTP response not forwarded to client during an early response
808409-3	4-Minor		Unable to specify if giaddr will be modified in DHCP relay chain
801705-4	4-Minor		When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
781225-2	4-Minor		HTTP profile Response Size stats incorrect for keep-alive connections
726983-2	4-Minor		Inserting multi-line HTTP header not handled correctly

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
919553-3	2-Critical		GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
908673-3	2-Critical		TMM may crash while processing DNS traffic
837637-2	2-Critical	K02038650	Orphaned bigip_gtm.conf can cause config load failure after upgrading★
788465-2	2-Critical		DNS cache idx synced across HA group could cause tmm crash
926593-3	3-Major		GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'
852101-3	3-Major		Monitor fails.
844689-3	3-Major		Possible temporary CPU usage increase with unusually large named.conf file
781829-1	3-Major		GTM TCP monitor does not check the RECV string if server response string not ending with \n
693360-4	3-Major		A virtual server status changes to yellow while still available
644192-4	3-Major	K23022557	Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN
904937-4	4-Minor		Excessive resource consumption in zxfrd

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
940249-3	2-Critical		Sensitive data is not masked after "Maximum Array/Object Elements" is reached
927617-3	2-Critical		"Illegal Base64 value" violation is detected for cookie with valid base64 value
825413-2	2-Critical		/var/lib/mysql disk is full
943125-3	3-Major		Web-Socket request with JSON payload causing core during the payload parsing
941853-2	3-Major		Logging Profiles do not disassociate from virtual server when multiple changes are made
940897-2	3-Major		Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached
921337-3	3-Major		ASM processes some web-sockets requests longer than usual
917509-5	3-Major		ASM processes some requests longer than usual
893061-1	3-Major		Out of memory for restjavad
884425-1	3-Major		Creation of new allowed HTTP URL is not possible
868053-1	3-Major		Live Update service indicates update available when the latest update was already installed

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
919841-1	3-Major		AVRD may crash while processing Bot Defense traffic

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
928037-3	2-Critical		APM Hardening
910097-3	2-Critical		Changing per-request policy while tmm is under traffic load may drop heartbeats
905125-3	2-Critical		Security hardening for APM Webtop
896709-2	2-Critical		Add support for Restart Desktop for webtop in VMware VDI
831777-3	2-Critical		Tmm crash in Ping access use case
811965-2	2-Critical		Some VDI use cases can cause excessive resource consumption
760130-3	2-Critical		[APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
748572-2	2-Critical		Occasionally ramcache might crash when data is sent without the corresponding event.
924929-1	3-Major		Logging improvements for VDI plugin
914649-2	3-Major		Support USB redirection through VVC (VMware virtual channel) with BlastX
904165-3	3-Major		APMD may crash while processing certain parameters
771961-1	3-Major		While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core
760629-3	3-Major		Remove Obsolete APM keys in BigDB
759356-2	3-Major		Access session data cache might leak if there are multiple TMMs
747020-1	3-Major		Requests that evaluate to same subsession can be processed concurrently
739570-3	3-Major		Unable to install EPSEC package★

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
904373-1	3-Major		MRF GenericMessage: Implement limit to message queues size
891385-4	3-Major		Add support for URI protocol type "urn" in MRF SIP load balancing
924349-1	4-Minor		DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
938165-2	2-Critical		TMM Core after attempted update of IP geolocation database file
851745-1	2-Critical		High cpu consumption due when enabling large number of virtual servers
747225-1	2-Critical		PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart
872645	3-Major		Protected Object Aggregate stats are causing elevated CPU usage
813301	3-Major		LSN_PB_UPDATE logs are not generated when subscriber info changes
781425	3-Major		Firewall rule list configuration causes config load failure
703165-4	3-Major		shared memory leakage
920361-4	4-Minor		Standby device name sent in Traffic Statistics syslog/Splunk messages

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
783289-1	2-Critical		PEM actions not applied in VE bigTCP.

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
935029-1	2-Critical		TMM may crash while processing IPv6 NAT traffic
815001-1	2-Critical		TMM Crash with inbound traffic during high availability (HA) failover

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
940401-3	5-Cosmetic		Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
944785-1	3-Major		Admd restarting constantly. Out of memory due to loading malformed state file
923125-1	3-Major		Huge amount of admd processes caused oom
818465-2	3-Major		Unnecessary memory allocation in AVR module

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
932065-3	3-Major		iControl REST framework exception handling hardening
767613-2	3-Major		Restjavad can keep partially downloaded files open indefinitely

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
912969-4	3-Major		iAppsLX Security Hardening

Protocol Inspection Fixes

ID Number	Severity	Solution Article(s)	Description
754855-2	2-Critical		TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile

Cumulative fixes from BIG-IP v14.1.3 that are included in this release

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
928029	2-Critical		Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis
905849	3-Major		FastL4 UDP flows might not get offloaded to hardware
829317-6	3-Major		Memory leak in icrd_child due to concurrent REST usage

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
943101	2-Critical		Tmm crash in cipher group delete.
934461	2-Critical		Connection error with server with TLS1.3 single-dh-use.
915957	2-Critical		The wocplugin may get into a restart loop when AAM is provisioned
939209-3	3-Major		FIPS 140-2 SP800-56Arev3 compliance
930385	3-Major		SSL filter does not re-initialize when an OCSP object is modified
921721-2	3-Major		FIPS 140-2 SP800-56Arev3 compliance
809597-3	3-Major		Memory leak in icrd_child observed during REST usage
629787-1	3-Major		vCMP hypervisor version mismatch may cause connection mirroring problems.

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
934393	1-Blocking		APM authentication fails due to delay in sessionDB readiness

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
697331-3	3-Major		Some TMOS tools for querying various DBs fail when only a single TMM is running

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
892621-2	3-Major		Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software

Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
935721-4	CVE-2020-8622, CVE-2020-8623, CVE-2020-8624	K82252291	ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
911761-4	CVE-2020-5948	K42696541	iControl REST endpoint response includes the request content
879745-1	CVE-2020-5942	K82530456	TMM may crash while processing Diameter traffic
917469-4	CVE-2020-5946	K53821711	TMM may crash while processing FPS traffic
910017-4	CVE-2020-5945	K21540525	Security hardening for the TMUI Interface page
889557-2	CVE-2019-11358	K20455158	jQuery Vulnerability CVE-2019-11358
870273-3	CVE-2020-5936	K44020030	TMM may consume excessive resources when processing SSL traffic
856961-2	CVE-2018-12207	K17269881	INTEL-SA-00201 MCE vulnerability CVE-2018-12207
818177-4	CVE-2019-12295	K06725231	CVE-2019-12295 Wireshark Vulnerability
717276-7	CVE-2020-5930	K20622530	TMM Route Metrics Hardening
858537-3	CVE-2019-1010204	K05032915	CVE-2019-1010204: Binutilis Vulnerability

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
890229-3	3-Major		Source port preserve setting is not honored
747013-3	3-Major		Add OCSP server support to IKEv2 negotiation for IPsec peer authentication
617929-2	3-Major		Support non-default route domains

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
920481	2-Critical		REST GET on /mgmt/tm/sys/file/ssl-key returns bad/wrong passphrase
871561-3	2-Critical		Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'
860349-1	2-Critical		Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication
856713-1	2-Critical		IPsec crash during rekey
854493-3	2-Critical		Kernel page allocation failures messages in kern.log
842865-1	2-Critical		Add support for Auto MAC configuration (ixlv)
841953-5	2-Critical		A tunnel can be expired when going offline, causing tmm crash
841333-5	2-Critical		TMM may crash when tunnel used after returning from offline
818253-1	2-Critical		Generate signature files for logs
817709-2	2-Critical		IPsec: TMM cored with SIGFPE in racoon2
811149-1	2-Critical		Remote users are unable to authenticate via serial console.
807453-1	2-Critical		IPsec works inefficiently with a second blade in one chassis
777229-1	2-Critical		IPsec improvements to internal pfkey messaging between TMMs on multi-blade
774361-2	2-Critical		IPsec High Availability sync during multiple failover via RFC6311 messages
769357-1	2-Critical		IPsec debug logging needs more organization and is missing HA-related logging
755716-1	2-Critical		IPsec connection can fail if connflow expiration happens before IKE encryption
749249-1	2-Critical		IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP
593536-7	2-Critical	K64445052	Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
924493-4	3-Major		VMware EULA has been updated
907201-1	3-Major		TMM may crash when processing IPSec traffic
904705-3	3-Major		Cannot clone Azure marketplace instances.
888497-4	3-Major		Cacheable HTTP Response
887089-3	3-Major		Upgrade can fail when filenames contain spaces
880625-2	3-Major		Check-host-attr enabled in LDAP system-auth creates unusable config
880165-1	3-Major		Auto classification signature update fails
858197-1	3-Major		Merged crash when memory exhausted
856953-2	3-Major		IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1
844085-3	3-Major		GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
838297-1	3-Major		Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
828789-3	3-Major		Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters
820213-2	3-Major		'Application Service List' empty after UCS restore
814585-3	3-Major		PPTP profile option not available when creating or modifying virtual servers in GUI
810381-4	3-Major		The SNMP max message size check is being incorrectly applied.
807337-3	3-Major		Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
804537-1	3-Major		Check SAs in context callbacks
802889	3-Major		Problems establishing HA connections on DAGv2 chassis platforms
797829-5	3-Major		The BIG-IP system may fail to deploy new or reconfigure existing iApps
783753-1	3-Major		Increase vCPU amount guests can use on i11800-DS platforms.
761753-2	3-Major		BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs
759564-4	3-Major		GUI not available after upgrade
758517-1	3-Major		Callback for Diffie Hellman crypto is missing defensive coding
758516-1	3-Major		IKEv2 auth encryption is missing defensive coding that checks object validity
757862-1	3-Major		IKEv2 debug logging an uninitialized variable leading to core
748443-1	3-Major		HiGig MAC recovery mechanism may fail continuously at runtime
746704-2	3-Major		Syslog-ng Memory Leak
745261-2	3-Major		The TMM process may crash in some tunnel cases
726416-3	3-Major		Physical disk HD1 not found for logical disk create
489572-4	3-Major	K60934489	Sync fails if file object is created and deleted before sync to peer BIG-IP
431503-3	3-Major	K14838	TMSH crashes in rare initial tunnel configurations
919745-4	4-Minor		CSV files downloaded from the Dashboard have the first row with all 'NaN
918209-1	4-Minor		GUI Network Map icons color scheme is not section 508 compliant
914761-1	4-Minor		Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.
906889-1	4-Minor		Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
902417-4	4-Minor		Configuration error caused by Drafts folder in a deleted custom partition★
890277-2	4-Minor		Full config sync to a device group operation takes a long time when there are a large number of partitions.
822377-2	4-Minor		CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability
779857-1	4-Minor		Misleading GUI error when installing a new version in another partition★
777237-1	4-Minor		IPsec HA for failover confused by runtime changes in blade count
751103-4	4-Minor		TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop
767269-2	5-Cosmetic		Linux kernel vulnerability: CVE-2018-16884
714176-3	5-Cosmetic		UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
858429	2-Critical		BIG-IP system sending ICMP packets on both virtual wire interface
851581-1	2-Critical		Server-side detach may crash TMM
839749-2	2-Critical		Virtual server with specific address list might fail to create via GUI
813561-3	2-Critical		MCPD crashes when assigning an iRule that uses a proc
726518-3	2-Critical		Tmsh show command terminated with CTRL-C can cause TMM to crash.
915281-1	3-Major		Do not rearm TCP Keep Alive timer under certain conditions
810445-2	3-Major		PEM: ftp-data not classified or reported
800101-1	3-Major		BIG-IP chassis system may send out duplicated UDP packets to the server side
788753-4	3-Major		GATEWAY_ICMP monitor marks node down with wrong error code
785701-1	3-Major		Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile
785481-2	3-Major		A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
781753-3	3-Major		WebSocket traffic is transmitted with unknown opcodes
766169-2	3-Major		Replacing all VLAN interfaces resets VLAN MTU to a default value
758437-6	3-Major		SYN w/ data disrupts stat collection in Fast L4
758436-4	3-Major		Optimistic ACKs degrade Fast L4 statistics
751036-1	3-Major		Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
745663-3	3-Major		During traffic forwarding, nexthop data may be missed at large packet split
726734-4	3-Major		DAGv2 port lookup stringent may fail
814037-4	4-Minor		No virtual server name in Hardware Syncookie activation logs.

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
783125-2	2-Critical		iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
800265-2	3-Major		Undefined subroutine in bigip_add_appliance_helper message

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
911629	2-Critical		Manual upload of LiveUpdate image file results in NULL response
918933-3	3-Major		Some ASM attack signatures do not match on cookies
901061-4	3-Major		Safari browser might be blocked when using Bot Defense profile and related domains.
888285-3	3-Major	K18304067	Sensitive positional parameter not masked in 'Referer' header value
848445-3	3-Major	K86285055	Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★
919001-1	4-Minor		Live Update: Update Available notification is shown twice in rare conditions
879777	4-Minor		Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
908065-4	3-Major		Logrotation for /var/log/avr blocked by files with .1 suffix
866613-1	4-Minor		Missing MaxMemory Attribute

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
891505-1	2-Critical		TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.
579219-3	2-Critical		Access keys missing from SessionDB after multi-blade reboot.
706782-3	3-Major		Inefficient APM processing in large configurations.
679751-1	4-Minor		Authorization header can cause a connection reset
602396-1	4-Minor		EPSEC Upload Package Button Is Greyed Out
478450-2	4-Minor		Improve log details when "Detection invalid host header ()" is logged

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
763121-3	2-Critical		Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
870385-3	3-Major		TMM may restart under very heavy traffic load
811157-2	3-Major		Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself
757555-2	3-Major		Network DoS Logging Profile does not work with other logging profiles together
757279-1	3-Major		LDAP authenticated Firewall Manager role cannot edit firewall policies
746483-2	3-Major		The autodosd process consumes a lot of memory and continuously restarts.
803149-1	4-Minor		Flow Inspector cannot filter on IP address with non-default route_domain
906885	5-Cosmetic		Spelling mistake on AFM GUI Flow Inspector screen

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
741213-2	3-Major		Modifying disabled PEM policy causes coredump

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
837269	3-Major		Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
933741-4	2-Critical		Security hardening in FPS GUI
876581-4	3-Major		JavaScript engine file is empty if the original HTML page cached for too long
891729-4	4-Minor		Errors in datasyncd.log★

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
797277-2	3-Major		URL categorization fails when multiple segments present in URL path and belong to different categories.
761273-2	3-Major		wr_urldbd creates sparse log files by writing from the previous position after logrotate.

Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
912221-2	CVE-2020-12662 CVE-2020-12663	K37661551	CVE-2020-12662 & CVE-2020-12663
900905-1	CVE-2020-5926	K42830212	TMM may crash while processing SIP data
891457-4	CVE-2020-5939	K75111593	NIC driver may fail while transmitting data
888417-4	CVE-2020-8840	K15320518	Apache Vulnerability: CVE-2020-8840
846917-3	CVE-2019-10744	K47105354	lodash Vulnerability: CVE-2019-10744
841577-4	CVE-2020-5922	K20606443	iControl REST hardening
839453-4	CVE-2019-10744	K47105354	lodash library vulnerability CVE-2019-10744
788057-5	CVE-2020-5921	K00103216	MCPD may crash while processing syncookies
917005-4	CVE-2020-8619	K19807532	ISC BIND Vulnerability: CVE-2020-8619
909837-2	CVE-2020-5950	K05204103	TMM may consume excessive resources when AFM is provisioned
888489-4	CVE-2020-5927	K55873574	ASM UI hardening
886085-3	CVE-2020-5925	K45421311	BIG-IP TMM vulnerability CVE-2020-5925
832885-3	CVE-2020-5923	K05975972	Self-IP hardening
816413-2	CVE-2019-1125	K31085564	CVE-2019-1125: Spectre SWAPGS Gadget
888493-4	CVE-2020-5928	K40843345	ASM GUI Hardening
839145-2	CVE-2019-10744	K47105354	CVE-2019-10744: lodash vulnerability

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
816233-3	2-Critical		Session and authentication cookies should use larger character set
724556-3	2-Critical		icrd_child spawns more than maximum allowed times (zombie processes)
858189-1	3-Major		Make restnoded/restjavad/icrd timeout configurable with sys db variables.
802977-2	3-Major		PEM iRule crashes when more than 10 policies are tried to be set for a subscriber
691499-3	3-Major		GTP::ie primitives in iRule to be certified
745465-1	4-Minor		The tcpdump file does not provide the correct extension

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
864513-3	1-Blocking	K48234609	ASM policies may not load after upgrading to 14.x or later from a previous major version★
891477	2-Critical		No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server
829677-1	2-Critical		.tmp files in /var/config/rest/ may cause /var directory exhaustion
811701-1	2-Critical		AWS instance using xnet driver not receiving packets on an interface.
810593-2	2-Critical	K10963690	Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★
805417-1	2-Critical		Unable to enable LDAP system auth profile debug logging
769581-1	2-Critical		Timeout when sending many large requests iControl Rest requests
758604-2	2-Critical		Deleting a port from a single-port trunk does not work.
891721-1	3-Major		Anti-Fraud Profile URLs with query strings do not load successfully
871657-2	3-Major		Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
867013-1	3-Major		Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
842189-2	3-Major		Tunnels removed when going offline are not restored when going back online
821309-3	3-Major		After an initial boot, mcpd has a defunct child "systemctl" process
812929-2	3-Major		mcpd may core when resetting a DSC connection
811053-2	3-Major		REBOOT REQUIRED prompt appears after failover and clsh reboot
810821-1	3-Major		Management interface flaps after rebooting the device
807005-1	3-Major		Save-on-auto-sync is not working as expected with large configuration objects
806985	3-Major		Engineering Hotfix installation may fail when Engineering Hotfix contains updated nash-initrd package★
802685-3	3-Major		Unable to configure performance HTTP virtual server via GUI
793121-3	3-Major		Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
788949-3	3-Major		MySQL Password Initialization Loses Already Written Password
760950-4	3-Major		Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
756153-3	3-Major		Add diskmonitor support for MySQL /var/lib/mysql
756088-2	3-Major		The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
753860-3	3-Major		Virtual server config changes causing incorrect route injection.
720610-2	3-Major		Updatecheck logs bogus 'Update Server unavailable' on every run
701529-2	3-Major		Configuration may not load or not accept vlan or tunnel names as "default" or "all"
688399-2	3-Major		HSB failure results in continuous TMM restarts
683135-1	3-Major		Hardware syncookies number for virtual server stats is unrealistically high
605675-4	3-Major		Sync requests can be generated faster than they can be handled
831293-3	4-Minor		SNMP address-related GET requests slow to respond.
804309-2	4-Minor		[api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument
755018-2	4-Minor		Egress traffic processing may be stopped on one or more VE trunk interfaces
743815-2	4-Minor		vCMP guest observes connflow reset when a CMP state change occurs.
484683-2	4-Minor		Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
842937-4	2-Critical		TMM crash due to failed assertion 'valid node'
751589-1	2-Critical		In BIG-IP VE, some IP rules may not be created during the first boot up.
893281-1	3-Major		Possible ssl stall on closed client handshake
852873	3-Major		Proprietary Multicast PVST+ packets are forwarded instead of dropped
848777-1	3-Major		Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.
828601-3	3-Major		IPv6 Management route is preferred over IPv6 tmm route
816881-1	3-Major		Serverside conection may use wrong VLAN when virtual wire is configured
813701-3	3-Major		Proxy ARP failure
810533-4	3-Major		SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
802245-1	3-Major		When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected.
790205-3	3-Major		Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
781041-1	3-Major		SIP monitor in non default route domain is not working.
778517-1	3-Major	K91052217	Large number of in-TMM monitors results in delayed processing
760050-2	3-Major		cwnd warning message in log
758599-1	3-Major		IPv6 Management route is preferred over IPv6 tmm route
758041-3	3-Major		Pool Members may not be updated accurately when multiple identical database monitors configured
757446-2	3-Major		Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses.
756494-3	3-Major		For in-tmm monitoring: multiple instances of the same agent are running on the Standby device
752530-1	3-Major		TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
752334-1	3-Major		Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
750473-4	3-Major		VA status change while 'disabled' are not taken into account after being 'enabled' again
746922-6	3-Major		When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
714502-2	3-Major		bigd restarts after loading a UCS for the first time
686059-4	3-Major		FDB entries for existing VLANs may be flushed when creating a new VLAN.
608952-3	3-Major		MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
522241-1	3-Major		Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
918169-2	2-Critical		The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
744743-1	2-Critical		Rolling DNSSEC Keys may stop generating after BIG-IP restart
803645-3	3-Major		GTMD daemon crashes
789421-2	3-Major		Resource-administrator cannot create GTM server object through GUI
778365-2	3-Major		dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
774481-2	3-Major		DNS Virtual Server creation problem with Dependency List
769385-1	3-Major		GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message
758772-3	3-Major		DNS Cache RRSET Evictions Stat not increasing
757464-1	3-Major		DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record
746348-2	3-Major		On rare occasions, gtmd fails to process probe responses originating from the same system.
712335-3	4-Minor		GTMD may intermittently crash under unusual conditions.
774257-2	5-Cosmetic		tmsh show gtm pool and tmsh show gtm wideip print duplicate object types

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
904593-2	2-Critical		Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled
868641-1	2-Critical		Possible TMM crash when disabling bot profile for the entire connection
865461-3	2-Critical		BD crash on specific scenario
843801-1	2-Critical		Like-named previous Signature Update installations block Live Update usage after upgrade★
813409-1	2-Critical		BD crash under certain circumstances
803813-2	2-Critical		TMM may experience high latency when processing WebSocket traffic
903357-3	3-Major		Bot defense Profile list is loads too slow when there are 750 or more Virtual servers
900797-4	3-Major		Brute Force Protection (BFP) hash table entry cleanup
900793-2	3-Major	K32055534	APM Brute Force Protection resources do not scale automatically
900789-4	3-Major		Alert before Brute Force Protection (BFP) hash are fully utilized
898825-4	3-Major		Attack signatures are enforced on excluded headers under some conditions
898741-4	3-Major		Missing critical files causes FIPS-140 system to halt upon boot
892653-2	3-Major		Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
880789-1	3-Major		ASMConfig Handler undergoes frequent restarts
880753-1	3-Major	K38157961	Possible issues when using DoSL7 and Bot Defense profile on the same virtual server
874753-1	3-Major		Filtering by Bot Categories on Bot Requests Log shows 0 events
868721-3	3-Major		Transactions are held for a long time on specific server related conditions
863609-2	3-Major		Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies
850677-2	3-Major		Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
833685-3	3-Major		Idle async handlers can remain loaded for a long time doing nothing
809125-2	3-Major		CSRF false positive
802873-1	3-Major		Manual changes to policy imported as XML may introduce corruption for Login Pages
799749-1	3-Major		Asm logrotate fails to rotate
793149-3	3-Major		Adding the Strict-transport-Policy header to internal responses
785529-1	3-Major		ASM unable to handle ICAP responses which length is greater then 10K
783165-3	3-Major		Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile
772165-1	3-Major		Sync Failed due to Bot Defense profile not found
759449-1	3-Major		Unable to modify the application language with 'Copy ASM Policy'
751430-1	3-Major		Unnecessary reporting of errors with complex denial-of-service policies
745324-1	3-Major		MCP crash or blocked for a long time when loading configuration
742549-2	3-Major		Cannot create non-ASCII entities in non-UTF ASM policy using REST
726401-1	3-Major		ASM cannot complete initial startup with modified management interface on VE
722337-1	3-Major		Always show violations in request log when post request is large
640842-3	3-Major		ASM end user using mobile might be blocked when CSRF is enabled
896285-4	4-Minor		No parent entity in suggestion to add predefined-filetype as allowed filetype
882769-3	4-Minor		Request Log: wrong filter applied when searching by Response contains or Response does not contain
852613-1	4-Minor		Connection Mirroring and ASM Policy not supported on the same virtual server

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
902485-2	3-Major		Incorrect pool member concurrent connection value
838685-2	3-Major		DoS report exist in per-widget but not under individual virtual

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
838861-2	2-Critical		TMM might crash once after upgrading SSL Orchestrator★
895313	3-Major		Enable manage config setting may fail after upgrade of AGC to version 7.0 on BIG-IP 14.1.0 or 14.1.2
831517-1	3-Major		TMM may crash when Network Access tunnel is used
799149-2	3-Major		Authentication fails with empty password
750631-2	3-Major		There may be a latency between session termination and deletion of its associated IP address mapping
600985-1	3-Major		Network access tunnel data stalls
719589-2	4-Minor		GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
814097-2	2-Critical		Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
898997-4	3-Major		GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
842625-3	3-Major		SIP message routing remembers a 'no connection' failure state forever
825013-3	3-Major		GENERICMESSAGE::message's src and dst may get cleared in certain scenarios
815529-2	3-Major		MRF outbound messages are dropped in per-peer mode
803809-2	3-Major		SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
782353-6	3-Major		SIP MRF via header shows TCP Transport when TLS is enabled
754658-2	3-Major		Improved matching of response messages uses end-to-end ID
754617-2	3-Major		iRule 'DIAMETER::avp read' command does not work with 'source' option
746731-1	3-Major		BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
696348-3	3-Major		"GTP::ie insert" and "GTP::ie append" do not work without "-message" option
788513-2	4-Minor		Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
786981-3	4-Minor		Pending GTP iRule operation maybe aborted when connection is expired
793005-3	5-Cosmetic		'Current Sessions' statistic of MRF/Diameter pool may be incorrect

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
802421	2-Critical		The /var partition may become 100% full requiring manual intervention to clear space
755721-1	3-Major		A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
753014-4	3-Major		PEM iRule action with RULE_INIT event fails to attach to PEM policy

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
888625-2	3-Major		CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks
806825	3-Major		Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool
761517-1	4-Minor		nat64 and ltm pool conflict

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
787965-1	3-Major		URLCAT by URI does not work if it contains port number
754257-2	3-Major		URL lookup queries not working

Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
900757-4	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
895525-4	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
909237-4	CVE-2020-8617	K05544642	CVE-2020-8617: BIND Vulnerability
909233-4	CVE-2020-8616	K97810133	DNS Hardening
905905-3	CVE-2020-5904	K31301245	TMUI CSRF vulnerability CVE-2020-5904
895993-4	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
895981-4	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
895881-3	CVE-2020-5903	K43638305	BIG-IP TMUI XSS vulnerability CVE-2020-5903

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
742628-3	3-Major	K53843889	Tmsh session initiation adds increased control plane pressure

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
897229	3-Major		TLS session ticket resumption SNI check

Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
883717-3	CVE-2020-5914	K37466356	BD crash on specific server cookie scenario
879025-4	CVE-2020-5913	K72752002	When processing TLS traffic, LTM may not enforce certificate chain restrictions
866013	CVE-2019-11477 CVE-2019-11478 CVE-2019-11479	K78234183	Linux Kernel Vulnerabilities: CVE-2019-11477 CVE-2019-11478 CVE-2019-11479
852445-3	CVE-2019-6477	K15840535	Big-IP : CVE-2019-6477 BIND Vulnerability
838677-3	CVE-2019-10744	K47105354	lodash library vulnerability CVE-2019-10744
837773-2	CVE-2020-5912	K12936322	Restjavad Storage and Configuration Hardening
834257-3	CVE-2020-5931	K25400442	TMM may crash when processing HTTP traffic
830401-3	CVE-2020-5877	K54200228	TMM may crash while processing TCP traffic with iRules
819197-4	CVE-2019-13135	K20336394	BIGIP: CVE-2019-13135 ImageMagick vulnerability
819189-3	CVE-2019-13136	K03512441	BIGIP: CVE-2019-13136 ImageMagick vulnerability
814953-3	CVE-2020-5940	K43310520	TMUI dashboard hardening
805837-2	CVE-2019-6657	K22441651	REST does not follow current design best practices
802261-2	CVE-2020-5875	K65372933	TMM may crash while processing SSL traffic via an HTTP/2 full-proxy
794561-1	CVE-2020-5874	K46901953	TMM may crash while processing JWT/OpenID traffic.
780601-2	CVE-2020-5873	K03585731	SCP file transfer hardening
769589-2	CVE-2019-6974	K11186236	CVE-2019-6974: Linux Kernel Vulnerability
767373-1	CVE-2019-8331	K24383845	CVE-2019-8331: Bootstrap Vulnerability
762453-2	CVE-2020-5872	K63558580	Hardware cryptography acceleration may fail
745377-1	CVE-2020-5871	K43450419	TMM cores in certain scenarios with HTTP virtual server
739971	CVE-2018-5391	K74374841	Linux kernel vulnerability: CVE-2018-5391
873469-1	CVE-2020-5889	K24415506	APM Portal Access: Base URL may be set to incorrectly
872673-3	CVE-2020-5918	K26464312	TMM can crash when processing SCTP traffic
868349-3	CVE-2020-5935	K62830532	TMM may crash while processing iRules with MQTT commands
864109-3	CVE-2020-5889	K24415506	APM Portal Access: Base URL may be set to incorrectly
859089-5	CVE-2020-5907	K00091341	TMSH allows SFTP utility access
858349-1	CVE-2020-5934	K44808538	TMM may crash while processing SAML SLO traffic
848405-4	CVE-2020-5933	K26244025	TMM may consume excessive resources while processing compressed HTTP traffic
838881-3	CVE-2020-5853	K73183618	APM Portal Access Vulnerability: CVE-2020-5853
837837-3	CVE-2020-5917	K43404629	SSH Client Requirements Hardening
832021-1	CVE-2020-5888	K73274382	Port lockdown settings may not be enforced as configured
832017-1	CVE-2020-5887	K10251014	Port lockdown settings may not be enforced as configured
829121-3	CVE-2020-5886	K65720640	State mirroring default does not require TLS
829117-3	CVE-2020-5885	K17663061	State mirroring default does not require TLS
811789-2	CVE-2020-5915	K57214921	Device trust UI hardening
810537-2	CVE-2020-5883	K12234501	TMM may consume excessive resources while processing iRules
805557-2	CVE-2020-5882	K43815022	TMM may crash while processing crypto data
789921-2	CVE-2020-5881	K03386032	TMM may restart while processing VLAN traffic
775833-2	CVE-2020-5880	K94325657	Administrative file transfer may lead to excessive resource consumption
887637-1	CVE-2019-3815	K22040951	Systemd-journald Vulnerability: CVE-2019-3815
868097-1	CVE-2020-5891	K58494243	TMM may crash while processing HTTP/2 traffic
823893-2	CVE-2020-5890	K03318649	Qkview may fail to completely sanitize LDAP bind credentials
748122-1	CVE-2018-15333	K53620021	BIG-IP Vulnerability CVE-2018-15333
746091-1	CVE-2019-19151	K21711352	TMSH Vulnerability: CVE-2019-19151
760723-2	CVE-2015-4037	K64765350	Qemu Vulnerability

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
870389-1	3-Major		Increase size of /var logical volume to 1.5 GiB for LTM-only VE images
858229-3	3-Major	K22493037	XML with sensitive data gets to the ICAP server
738330-3	3-Major		/mgmt/toc endpoint issue after configuring remote authentication

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
819009-3	2-Critical		Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol.
792285-2	2-Critical		TMM crashes if the queuing message to all HSL pool members fails
777993-2	2-Critical		Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
775897-1	2-Critical		High Availability failover restarts tmipsecd when tmm connections are closed
769169-3	2-Critical		BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
767689-1	2-Critical		F5optics_install using different versions of RPM★
749388-3	2-Critical		'table delete' iRule command can cause TMM to crash
748205-3	2-Critical		SSD bay identification incorrect for RAID drive replacement★
699515-2	2-Critical		nsm cores during update of nexthop for ECMP recursive route
882557-4	3-Major		TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
873877	3-Major		Kernel page allocation failure seen on VIPRION blades★
866925-3	3-Major		The TMM pages used and available can be viewed in the F5 system stats MIB
852001-3	3-Major		High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously
849405-1	3-Major		LTM v14.1.2.1 does not log after upgrade★
842125-4	3-Major		Unable to reconnect outgoing SCTP connections that have previously aborted
812981-4	3-Major		MCPD: memory leak on standby BIG-IP device
810957-2	3-Major		Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
802281-1	3-Major		Gossip shows active even when devices are missing
800185-4	3-Major		Saving a large encrypted UCS archive may fail and might trigger failover
795685-2	3-Major		Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer
772117-3	3-Major		Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card
762073-2	3-Major		Continuous TMM restarts when HSB drops off the PCI bus
759735-2	3-Major		OSPF ASE route calculation for new external-LSA delayed
759172-1	3-Major		Read Access Denied: user (gu, guest) type (Certificate Order Manager)
758387-2	3-Major		BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it
751573-1	3-Major		Updates to HSL pool members may not take effect
749785-2	3-Major		nsm can become unresponsive when processing recursive routes
749690-1	3-Major		MOS_Image2Disk_Installation- kjournald service error★
746861-1	3-Major		SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★
641450-7	3-Major	K30053855	A transaction that deletes and recreates a virtual may result in an invalid configuration
755317-1	4-Minor		/var/log logical volume may run out of space due to agetty error message in /var/log/secure

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
715032-2	1-Blocking	K73302459	iRulesLX Hardening
860881-1	2-Critical		TMM can crash when handling a compressed response from HTTP server
853329-4	2-Critical		HTTP explicit proxy can crash TMM when used with classification profile
839401-3	2-Critical		Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
831325-2	2-Critical	K10701310	HTTP PSM detects more issues with Transfer-Encoding headers
799649-2	2-Critical		TMM crash
757391-2	2-Critical		Datagroup iRule command class can lead to memory corruption
755134-1	2-Critical		HTTP/2 connections may leak memory if server-side connection not established
868889	3-Major		BIG-IP may reset a stream with an empty DATA frame as END_STREAM
853613-2	3-Major		Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
851789-3	3-Major		SSL monitors flap with client certs with private key stored in FIPS
847325-1	3-Major		Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior.
843105-1	3-Major		Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP)
809729-2	3-Major		When HTTP/2 stream is reset by a client, BIG-IP may not respond properly
795261-2	3-Major		LTM policy does not properly evaluate condition when an operand is missing
788741-2	3-Major		TMM cores in the MQTT proxy under rare conditions
777269-1	3-Major		Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup
770477-2	3-Major		SSL aborted when client_hello includes both renegotiation info extension and SCSV
761030-2	3-Major		tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route
758631-4	3-Major		ec_point_formats extension might be included in the server hello even if not specified in the client hello
757827-1	3-Major		Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
755997-2	3-Major		Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
755727-2	3-Major		Ephemeral pool members not created after DNS flap and address record changes
755213-1	3-Major		TMM cores in certain scenarios with HTTP/2 virtual server
751052-1	3-Major		HTTP iRule event HTTP_REJECT broken
746078-1	3-Major		Upgrades break existing iRulesLX workspaces that use node version 6
745923-2	3-Major		Connection flow collision can cause packets to be sent with source and/or destination port 0
743257-3	3-Major		Fix block size insecurity init and assign
705112-4	3-Major		DHCP server flows are not re-established after expiration
636842-2	3-Major	K51472519	A FastL4 virtual server may drop a FIN packet when mirroring is enabled
601189-4	3-Major		The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
599567-4	3-Major		APM assumes SNAT automap, does not use SNAT pool
859113-3	4-Minor		Using "reject" iRules command inside "after" may causes core
852373-2	4-Minor		HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error
839245-1	4-Minor		IPother profile with SNAT sets egress TTL to 255
830833-2	4-Minor		HTTP PSM blocking resets should have better log messages
760683-1	4-Minor		RST from non-floating self-ip may use floating self-ip source mac-address
757777-3	4-Minor		bigtcp does not issue a RST in all circumstances
746077-4	4-Minor		If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
807177-2	2-Critical		HTTPS monitoring is not caching SSL sessions correctly
704198-4	2-Critical	K29403988	Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance
802961-2	3-Major		The 'any-available' prober selection is not as random as in earlier versions
772233-4	3-Major		IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
754901-1	3-Major		Frequent zone update notifications may cause TMM to restart
750213-4	3-Major	K25351434	DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
744280-2	4-Minor		Enabling or disabling a Distributed Application results in a small memory leak

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
858025-3	2-Critical	K33440533	Proactive Bot Defense does not validate redirected paths
852437-1	2-Critical	K25037027	Overly aggressive file cleanup causes failed ASU installation
882377-1	3-Major		ASM Application Security Editor Role User can update/install ASU
871905-1	3-Major	K02705117	Incorrect masking of parameters in event log
854177-3	3-Major		ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
850673-3	3-Major		BD sends bad ACKs to the bd_agent for configuration
681010-3	3-Major	K33572148	'Referer' is not masked when 'Query String' contains sensitive parameter

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
838709-1	2-Critical		Enabling DoS stats also enables page-load-time
828937-3	2-Critical	K45725467	Some systems can experience periodic high IO wait due to AVR data aggregation
870957-1	3-Major		"Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
863161-3	3-Major		Scheduled reports are sent via TLS even if configured as non encrypted
835381-1	3-Major		HTTP custom analytics profile 'not found' when default profile is modified
830073-3	3-Major		AVRD may core when restarting due to data collection device connection timeout
817649-2	3-Major		AVR statistics for NAT cannot be shown on multi-bladed machine
865053-1	4-Minor		AVRD core due to a try to load vip lookup when AVRD is down
863069-3	4-Minor		Avrmail timeout is too small

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
879401-3	2-Critical		Memory corruption during APM SAML SSO
871761-4	2-Critical		Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
788593-2	2-Critical	K43404365	APM logs may contain additional data
884797-2	3-Major		Portal Access: in some cases data is not delivered via WebSocket connection
866685-3	3-Major		Empty HSTS headers when HSTS mode for HTTP profile is disabled
866161-3	3-Major		Client port reuse causes RST when the security service attempts server connection reuse.
852313-2	3-Major		VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
832569-2	3-Major		APM end-user connection reset
831781-5	3-Major		AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode
798261-2	3-Major		APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
771905-2	3-Major		JWT token rejected due to unknown JOSE header parameters
768025-4	3-Major		SAML requests/responses fail with "failed to find certificate"
749036-2	3-Major		Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM
747725-3	3-Major		Kerberos Auth agent may override settings that manually made to krb5.conf
747624-2	3-Major		RADIUS Authentication over RSA SecureID is not working in challenge mode

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
811105-1	2-Critical		MRF SIP-ALG drops SIP 183 and 200 OK messages
781725-2	2-Critical		BIG-IP systems might not complete a short ICAP request with a body beyond the preview
882273	3-Major		MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow
876077-3	3-Major		MRF DIAMETER: stale pending retransmission entries may not be cleaned up
868381-3	3-Major		MRF DIAMETER: Retransmission queue unable to delete stale entries
866021-3	3-Major		Diameter Mirror connection lost on the standby due to "process ingress error"
853545-3	3-Major		MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
824149-3	3-Major		SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
815877-1	3-Major		Information Elements with zero-length value are rejected by the GTP parser
811033-2	3-Major		MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used
788093	3-Major		MRF iRule command MR::restore with no argument causes tmm to crash
859721-3	4-Minor		Using GENERICMESSAGE create together with reject inside periodic after may cause core
836357-3	4-Minor		SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
788005-2	4-Minor		Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP)

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
778869-3	2-Critical	K72423000	ACLs and other AFM features (e.g., IPI) may not function as designed
751292-1	2-Critical		mcpd core after changing parent netflow to use version9
852289-2	3-Major	K23278332	DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector
771173-3	3-Major		FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
857725	3-Major		Anti-Fraud/DataSafe Logging Settings page not found

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
761199-1	2-Critical		Wr_urldbd might crash while system is in a restarting loop.
816529-2	3-Major		If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
839597-4	3-Major		Restjavad fails to start if provision.extramb has a large value
815649-1	3-Major		Named.config entry getting overwriting on SSL Orchestrator deployment

Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release

Functional Change Fixes

None

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
867413-2	2-Critical		The allow-only-in-enterprise LAN feature on Mac OS not working after reboot

Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
846365-3	CVE-2020-5878	K35750231	TMM may crash while processing IP traffic
818709-2	CVE-2020-5858	K36814487	TMSH does not follow current best practices
818429-4	CVE-2020-5857	K70275209	TMM may crash while processing HTTP traffic
808301-2	CVE-2019-6678	K04897373	TMM may crash while processing IP traffic
757357-3	CVE-2019-6676	K92002212	TMM may crash while processing traffic
782529-2	CVE-2019-6685	K30215839	iRules does not follow current design best practices
761144-4	CVE-2019-6684	K95117754	Broadcast frames may be dropped
761112-3	CVE-2019-6683	K76328112	TMM may consume excessive resources when processing FastL4 traffic
725551-2	CVE-2019-6682	K40452417	ASM may consume excessive resources
846157-3	CVE-2020-5862	K01054113	TMM may crash while processing traffic on AWS
817917-1	CVE-2020-5856	K00025388	TMM may crash when sending TCP packets
789893-2	CVE-2019-6679	K54336216	SCP file transfer hardening
749324-1	CVE-2012-6708	K62532311	jQuery Vulnerability: CVE-2012-6708
738236-7	CVE-2019-6688	K25607522	UCS does not follow current best practices

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
819397-1	1-Blocking	K50375550	TMM does not enforce RFC compliance when processing HTTP traffic
769193-5	3-Major		Added support for faster congestion window increase in slow-start for stretch ACKs
760234-1	4-Minor		Configuring Advanced shell for Resource Administrator User has no effect

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
806093-1	2-Critical		Unwanted LDAP referrals slow or prevent administrative login
789169-2	2-Critical		Unable to create virtual servers with port-lists from the GUI★
780817-5	2-Critical		TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
762385	2-Critical		Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later★
762205-2	2-Critical		IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
809205	3-Major		CVE-2019-3855: libssh2 Vulnerability
794501-2	3-Major		Duplicate if_indexes and OIDs between interfaces and tunnels
785741-1	3-Major	K19131357	Unable to login using LDAP with 'user-template' configuration
778125-1	3-Major		LDAP remote authentication passwords are limited to fewer than 64 bytes
760439-4	3-Major		After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
760259-3	3-Major		Qkview silently fails to capture qkviews from other blades
759654-1	3-Major		LDAP remote authentication with remote roles and user-template failing
759499-2	3-Major		Upgrade from version 12.1.3.7 to version 14.1.0 failing with error★
758781-3	3-Major		iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
758527-2	3-Major	K39604784	BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
757519-1	3-Major	K92525101	Unable to logon using LDAP authentication with a user-template
756450-1	3-Major		Traffic using route entry that's more specific than existing blackhole route can cause core
754691-1	3-Major		During failover, an OSPF routing daemon may crash.
750318-3	3-Major		HTTPS monitor does not appear to be using cert from server-ssl profile
746266-3	3-Major		A vCMP guest VLAN MAC mismatch across blades.
738943-3	3-Major		imish command hangs when ospfd is enabled
705037-7	3-Major	K32332000	System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
816273-2	1-Blocking		L7 Policies may execute CONTAINS operands incorrectly.
826601-5	2-Critical		Prevent receive window shrinkage for looped flows that use a SYN cookie
817417-1	2-Critical		Blade software installation stalled at Waiting for product image★
816625-1	2-Critical		The TMM may crash in a rare scenario involving HTTP unchunking, and plugins.
800369-2	2-Critical		The fix for ID 770797 may cause a TMM crash
800305-2	2-Critical		VDI::cmp_redirect generates flow with random client port
791057-1	2-Critical		MCP may crash when traffic matching criteria is updated
770797-1	2-Critical		HTTP2 streams may get stuck in rare situations
836661	3-Major		Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.
834373-3	3-Major		Possible handshake failure with TLS 1.3 early data
830797-2	3-Major		Standby high availability (HA) device passes traffic through virtual wire
815449-2	3-Major		BIG-IP closes connection when an unsized response is served to a HEAD request
814761-2	3-Major		PostgreSQL monitor fails on second ping with count != 1
797977-1	3-Major		Self-IP traffic does not preserve the TTL from the Linux host
789365-1	3-Major		pkcs11d CPU usage increases after running nethsm self validation test
772545-3	3-Major		Tmm core in SSLO environment
765517-1	3-Major		Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN
761185-2	3-Major	K50375550	Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
760771-1	3-Major		FastL4-steered traffic might cause SSL resume handshake delay
758992-2	3-Major		The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
758872-3	3-Major		TMM memory leak
758655-1	3-Major		TMC does not allow inline addresses with non-zero Route-domain.
753514-3	3-Major		Large configurations containing LTM Policies load slowly
749689-2	3-Major		HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
726176-2	3-Major		Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
712919-2	3-Major	K54802336	Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
687887-3	3-Major		Unexpected result from multiple changes to a monitor-related object in a single transaction
824365-3	4-Minor		Need informative messages for HTTP iRule runtime validation errors
806085-2	4-Minor		In-TMM MQTT monitor is not working as expected
791337-1	4-Minor		Traffic matching criteria fails when using shared port-list with virtual servers
769309-2	4-Minor		DB monitor reconnects to server on every probe when count = 0
754003-3	4-Minor	K73202036	Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate
747628-1	4-Minor		BIG-IP sends spurious ICMP PMTU message to server
744210-2	4-Minor		DHCPv6 does not have the ability to override the hop limit from the client.

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
776133-1	2-Critical		RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
761032-2	3-Major	K36328238	TMSH displays TSIG keys
760471-3	3-Major		GTM iQuery connections may be reset during SSL key renegotiation.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
813945-3	2-Critical		PB core dump while processing many entities
813389-1	2-Critical		TMM Crashes upon failure in Bot Defense Client-Side code
791669	2-Critical		TMM might crash when Bot Defense is configured for multiple domains
790349-2	2-Critical		merged crash with a core file
756108-1	2-Critical		BD crash on specific cases
754109-1	2-Critical		ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive
832857	3-Major		Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log
832205	3-Major		ASU cannot be completed after Signature Systems database corruption following binary Policy import
831661-2	3-Major		ASMConfig Handler undergoes frequent restarts
824101-1	3-Major		Request Log export file is not visible for requests including binary data
824037-2	3-Major		Bot Defense whitelists do not apply for IP 'Any' when using route domains
812341-2	3-Major		Patch or Delete commands take a long time to complete when modifying an ASM signature set.
805353-1	3-Major		ASM reporting for WebSocket frames has empty username field
800453-3	3-Major	K72252057	False positive virus violations
793017-1	3-Major		Files left behind by failed Attack Signature updates are not cleaned
786913-2	3-Major		Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7
783513-2	3-Major		ASU is very slow on device with hundreds of policies due to logging profile handling
781021-2	3-Major		ASM modifies cookie header causing it to be non-compliant with RFC6265
778681-2	3-Major		Factory-included Bot Signature update file cannot be installed without subscription★
754841-1	3-Major		Policy updates stall and never complete
754425-1	3-Major		Exported requests cannot be opened in Internet Explorer or Edge browser
739618-2	3-Major		When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
734228	3-Major		False-positive illegal-length violation can appear
795769-3	4-Minor		Incorrect value of Systems in system-supplied signature sets
789817-1	4-Minor		In rare conditions info fly-out not shown
760462-1	4-Minor		Live update notification is shown only for provisioned/licensed modules
758459-1	4-Minor		Cross origin AJAX requests are blocked Cross-Origin Resource Sharing (CORS) protection
620301-1	4-Minor		Policy import fails due to missing signature System in associated Signature Set

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
833113-3	3-Major		Avrd core when sending large messages via https
781581-3	3-Major		Monpd uses excessive memory on requests for network_log data

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
757782-1	2-Critical		OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default
825805-1	3-Major		NTLM Auth may fail due to incorrect handling of EPM response★
766577-2	3-Major		APMD fails to send response to client and it already closed connection.
756363-1	3-Major		SSLO or SWG connections using proxy chaining to Explicit Proxy can get reset
741222-2	3-Major		Install epsec1.0.0 into software partition.★
643935-4	3-Major		Rewriting may cause an infinite loop while processing some objects

WebAccelerator Fixes

ID Number	Severity	Solution Article(s)	Description
833213-3	3-Major		Conditional requests are served incorrectly with AAM policy in webacceleration profile

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
802865-1	3-Major		The iControl REST query request returning empty list for DoS Protected Objects
761345-3	3-Major		Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
738284-2	3-Major		Creating or deleting rule list results in warning message: Schema object encode failed

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
821133-2	3-Major		Wrong wildcard URL matching when none of the configured URLS include QS

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
748813-3	2-Critical		tmm cores under stress test on virtual server with DoS profile with admd enabled
767045-2	3-Major		TMM cores while applying policy

Protocol Inspection Fixes

ID Number	Severity	Solution Article(s)	Description
787845	4-Minor		Tmsh command 'show running-config' fails when Protocol Inspection is not licensed.

Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
741163-3	CVE-2018-3693	K54252492	RHEL7: Kernel CVE-2018-3693
740755-6	CVE-2018-3620	K95275140	Kernel vulnerability: CVE-2018-3620
721319-1	CVE-2018-3639	K29146534	CVE-2018-3639

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
815689-3	3-Major		Azure walinuxagent has been updated to v2.2.42.
760574	3-Major		Updating BIG-IP 14.1.x Linux kernel to RHEL7.5
760468	3-Major		Route domains cause diskmonitor errors in logs

Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
795437-4	CVE-2019-6677	K06747393	Improve handling of TCP traffic for iRules
795197-1	CVE-2019-11477, CVE-2019-11478, CVE-2019-11479	K26618426	Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
781377-2	CVE-2019-6681	K93417064	tmrouted may crash while processing Multicast Forwarding Cache messages
778077-3	CVE-2019-6680	K53183580	Virtual to virtual chain can cause TMM to crash
771873-5	CVE-2019-6642	K40378764	TMSH Hardening
767653-1	CVE-2019-6660	K23860356	Malformed HTTP request can result in endless loop in an iRule script
636400-3	CVE-2019-6665	K26462555	CPB (BIG-IP->BIGIQ log node) Hardening
810657-2	CVE-2019-6674	K21135478	Tmm core while using service chaining for SSLO
809165-2	CVE-2020-5854	K50046200	TMM may crash will processing connector traffic
808525-2	CVE-2019-6686	K55812535	TMM may crash while processing Diameter traffic
795797-2	CVE-2019-6658	K21121741	AFM WebUI Hardening
788773-2	CVE-2019-9515	K50233772	HTTP/2 Vulnerability: CVE-2019-9515
788769-2	CVE-2019-9514	K01988340	HTTP/2 Vulnerability: CVE-2019-9514
788033	CVE-2020-5851	K91171450	tpm-status may return "Invalid" after engineering hotfix installation
781449-2	CVE-2019-6672	K14703097	Increase efficiency of sPVA DoS protection on wildcard virtual servers
777737-3	CVE-2019-6671	K39225055	TMM may consume excessive resources when processing IP traffic
773673-2	CVE-2019-9512	K98053339	HTTP/2 Vulnerability: CVE-2019-9512
768981-2	CVE-2019-6670	K05765031	VCMP Hypervisor Hardening
761014-2	CVE-2019-6669	K11447758	TMM may crash while processing local traffic
758018-5	CVE-2019-6661	K61705126	APD/APMD may consume excessive resources
756458-3	CVE-2018-18559	K28241423	Linux kernel vulnerability: CVE-2018-18559
756218-1	CVE-2019-6654	K45644893	Improve default management port firewall
751152-1	CVE-2018-5407	K49711130	OpenSSL Vulnerability: CVE-2018-5407
751143-1	CVE-2018-5407	K49711130	OpenSSL Vulnerability: CVE-2018-5407
745103-6	CVE-2018-7159	K27228191	NodeJS Vulnerability: CVE-2018-7159
798249-2	CVE-2019-6673	K81557381	TMM may crash while processing HTTP/2 requests
779177-2	CVE-2019-19150	K37890841	Apmd logs "client-session-id" when access-policy debug log level is enabled
759536-2	CVE-2019-8912	K31739796	Linux kernel vulnerability: CVE-2019-8912
757617-1	CVE-2018-16864 CVE-2018-16865	K06044762	Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
759135-2	3-Major		AVR report limits are locked at 1000 transactions
714292-3	3-Major		Transparent forwarding mode across multiple VLAN groups or virtual-wire
788269-3	4-Minor		Adding toggle to disable AVR widgets on device-groups

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
793045-2	2-Critical		File descriptor leak in net-snmpd while reading /shared/db/cluster.conf
770953	2-Critical		'smbclient' executable does not work
767877-3	2-Critical		TMM core with Bandwidth Control on flows egressing on a VLAN group
765533-2	2-Critical	K58243048	Sensitive information logged when DEBUG logging enabled
760475-1	2-Critical		Apache spawns more processes than the configured limit, causing system low memory condition
755575-1	2-Critical		In MOS, the 'image2disk' utility with the '-format' option does not function properly
726240-1	2-Critical		'Cannot find disk information' message when running Configuration Utility★
788557-5	3-Major		BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
788301-5	3-Major	K58243048	SNMPv3 Hardening
777261-4	3-Major		When SNMP cannot locate a file it logs messages repeatedly
766873	3-Major		Omission of lower-layer types from sFlow packet samples
761993-2	3-Major		The nsm process may crash if it detects a nexthop mismatch
761933-1	3-Major		Reboot with 'tmsh reboot' does not log message in /var/log/audit
761160-2	3-Major		OpenSSL vulnerability: CVE-2019-1559
760998-1	3-Major		F5.ip_forwarding iAPP fails to deploy
759814-1	3-Major		Unable to view iApp component view★
758119-6	3-Major	K58243048	qkview may contain sensitive information
747592-1	3-Major		PHP vulnerability CVE-2018-17082
724109-2	3-Major		Manual config-sync fails after pool with FQDN pool members is deleted
680917-5	3-Major		Invalid monitor rule instance identifier
648621-6	3-Major		SCTP: Multihome connections may not expire
776073-1	4-Minor		OOM killer killing tmm in system low memory condition as process OOM score is high
760680-1	4-Minor	K36350541	TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
759968-3	1-Blocking		Distinct vCMP guests are able to cluster with each other.
803845-2	2-Critical		When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown
787825-2	2-Critical	K58243048	Database monitors debug logs have plaintext password printed in the log file
774913-1	2-Critical		IP-based bypass can fail if SSL ClientHello is not accepted
760078-1	2-Critical		Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet.
758714-1	2-Critical		Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports.
757578-2	2-Critical		RAM cache is not compatible with verify-accept
757441-4	2-Critical		Specific sequence of packets causes Fast Open to be effectively disabled
755585-1	2-Critical		mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction
747858-2	2-Critical		OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires
746710-1	2-Critical		Use of HTTP::cookie after HTTP:disable causes TMM core
737985-2	2-Critical		BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode.
734551-3	2-Critical		L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server
801497-2	3-Major		Virtual wire with LACP pinning to one link in trunk.
798105-1	3-Major		Node Connection Limit Not Honored
794581	3-Major		Transfer might stall for an object served from WAM cache
788325-2	3-Major	K39794285	Header continuation rule is applied to request/response line
787433-3	3-Major		SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed
784713-3	3-Major		When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct
773821-1	3-Major		Certain plaintext traffic may cause SSLO to hang
773421-1	3-Major		Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
769801-1	3-Major		Internal tmm UDP filter does not set checksum
761385-1	3-Major		Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire.
761381-1	3-Major		Incorrect MAC Address observed in L2 asymmetric virtual wire
754525-1	3-Major		Disabled virtual server accepts and serves traffic after restart
748891-2	3-Major		Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system.
742237-4	3-Major		CPU spikes appear wider than actual in graphs
719300-3	3-Major		ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address
689361-4	3-Major		Configsync can change the status of a monitored pool member
751586	4-Minor		Http2 virtual does not honour translate-address disabled
747585-3	4-Minor		TCP Analytics supports ANY protocol number

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
783849-2	3-Major		DNSSEC Key Generations are not imported to secondary FIPS card

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
781637-2	3-Major		ASM brute force counts unnecessary failed logins for NTLM
781605-3	3-Major		Fix RFC issue with the multipart parser
781069-2	3-Major		Bot Defense challenge blocks requests with long Referer headers
773553-2	3-Major		ASM JSON parser false positive.
769997-1	3-Major		ASM removes double quotation characters on cookies
769981-2	3-Major		bd crashes in a specific scenario
764373-3	3-Major		'Modified domain cookie' violation with multiple enforced domain cookies with different paths
753711-1	3-Major		Copied policy does not retain signature staging
751710-4	3-Major		False positive cookie hijacking violation
746394-1	3-Major		With ASM CORS set to 'Disabled' it strips all CORS headers in response.
745802-1	3-Major		Brute Force CAPTCHA response page truncates last digit in the support id
727107-4	3-Major		Request Logs are not stored locally due to shmem pipe blockage
803445-3	4-Minor		When adding several mitigation exceptions, the previously configured actions revert to the default action
772473-3	4-Minor		Request reconstruct issue after challenge
761088-1	4-Minor		Remove policy editing restriction in the GUI while auto-detect language is set
695878-2	4-Minor		Signature enforcement issue on specific requests

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
761749-2	2-Critical		Security pages unavailable after switching RT mode on off few times
797785-2	3-Major		AVR reports no ASM-Anomalies data.
792265-3	3-Major		Traffic logs does not include the BIG-IQ tags
773925-2	3-Major		Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files
765785-3	3-Major		Monpd core upon "bigstart stop monpd" while Real Time reporting is running

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
811145-2	2-Critical		VMware View resources with SAML SSO are not working
797541-1	2-Critical		NTLM Auth may fail when user's information contains SIDS array
784989-2	2-Critical		TMM may crash with panic message: Assertion 'cookie name exists' failed
777173-2	2-Critical		Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
821369	3-Major		Incomplete Action 'Deny' does not take effect for HTTP-Connect
788417-2	3-Major		Remote Desktop client on macOS may show resource auth token on credentials prompt
787477-2	3-Major		Export fails from partitions with '-' as second character
786173-1	3-Major		UI becomes unresponsive when accessing Access active session information
783817-2	3-Major		UI becomes unresponsive when accessing Access active session information
782569-1	3-Major		SWG limited session limits on SSLO deployments
775621-2	3-Major		urldb memory grows past the expected ~3.5GB
769853-2	3-Major	K24241590	Access Profile option to restrict connections from a single client IP is not honored for native RDP resources
756777-1	3-Major		VDI plugin might crash on process shutdown during RDG connections handling
750823-1	3-Major		Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
749161-2	3-Major		Problem sync policy contains non-ASCII characters
746768-4	3-Major		APMD leaks memory if access policy policy contains variable/resource assign policy items
697590-2	3-Major		APM iRule ACCESS::session remove fails outside of Access events
781445-1	4-Minor		named or dnscached cannot bind to IPv6 address
759579-1	4-Minor		Full Webtop: 'URL Entry' field is available again
756019-1	4-Minor		OAuth JWT Issuer claim requires URI format

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
811745-2	3-Major		Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
804313-2	3-Major		MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
761685-3	3-Major		Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set
750431-1	3-Major		Persistence record is deleted in MRF SIP after updating timeout value with the iRule 'SIP::persist timeout'
748253-1	3-Major		Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
786565-2	4-Minor		MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
800209-1	3-Major		The tmsh recursive list command includes DDoS GUI-specific data info
780837-1	3-Major		Firewall rule list configuration causes config load failure
761234-2	3-Major		Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached
760355	4-Minor		Firewall rule to block ICMP/DHCP from 'required' to 'default'★

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
760438-3	3-Major		PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
759192-3	3-Major		TMM core during display of PEM session under some specific conditions
756311-4	3-Major		High CPU during erroneous deletion
753163-4	3-Major		PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
804185-2	3-Major		Some WebSafe request signatures may not work as expected
783565-2	3-Major		Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP
775013-2	3-Major		TIME EXCEEDED alert has insufficient data for analysis

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
803477-2	3-Major		BaDoS State file load failure when signature protection is off

Cumulative fixes from BIG-IP v14.1.2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
773649-6	CVE-2019-6656	K23876153	APM Client Logging

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
771705-1	3-Major		You may not be able to log into BIG-IP Cloud Edition if FSCK fails
754875-1	3-Major		Enable FIPS in prelicensed VE images without requiring a reboot

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
753485-1	2-Critical		AVR global settings are being overridden by HA peers

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
757306-3	3-Major		SNMP MIBS for AFM NAT do not yet exist

Protocol Inspection Fixes

ID Number	Severity	Solution Article(s)	Description
794285	1-Blocking	K36191493	BIG-IQ reading AFM configuration fails with status 400

Cumulative fixes from BIG-IP v14.1.1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
807477-10	CVE-2019-6650	K04280042	ConfigSync Hardening
797885-2	CVE-2019-6649	K05123525	ConfigSync Hardening
796469-6	CVE-2019-6649	K05123525	ConfigSync Hardening
810557-8	CVE-2019-6649	K05123525	ASM ConfigSync Hardening
809377-6	CVE-2019-6649	K05123525	AFM ConfigSync Hardening
799617-2	CVE-2019-6649	K05123525	ConfigSync Hardening
799589-2	CVE-2019-6649	K05123525	ConfigSync Hardening
794389-6	CVE-2019-6651	K89509323	iControl REST endpoint response inconsistency
794413-2	CVE-2019-6471	K10092301	BIND vulnerability CVE-2019-6471
793937-1	CVE-2019-6664	K03126093	Management Port Hardening

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
744937-8	3-Major	K00724442	BIG-IP DNS and GTM DNSSEC security exposure

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
798949-3	3-Major		Config-Sync fails when Config-Sync IP configured to management IP
760622-3	3-Major		Allow Device Certificate renewal from BIG-IP Configuration Utility
760363-1	3-Major		Update Alias Address field with default placeholder text

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
811333-2	3-Major		Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile★

Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
769361-2	CVE-2019-6630	K33444350	TMM may crash while processing SSLO traffic
767401-1	CVE-2019-6629	K95434410	TMM may crash while processing TLS traffic
759343-6	CVE-2019-6668	K49827114	MacOS Edge Client installer does not follow best security practices
758909-1	CVE-2019-6628	K04730051	TMM may crash will processing PEM traffic
758065-4	CVE-2019-6667	K82781208	TMM may consume excessive resources while processing FIX traffic
757084-2	CVE-2019-6627	K00432398	Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled
757023-2	CVE-2018-5743	K74009656	BIND vulnerability CVE-2018-5743
756538-4	CVE-2019-6645	K15759349	Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair.
754944-1	CVE-2019-6626	K00432398	AVR reporting UI does not follow best practices
754345-2	CVE-2019-6625	K79902360	WebUI does not follow best security practices
754103-1	CVE-2019-6644	K75532331	iRulesLX NodeJS daemon does not follow best security practices
753975-2	CVE-2019-6666	K92411323	TMM may crash while processing HTTP traffic with webacceleration profile
753776-2	CVE-2019-6624	K07127032	TMM may consume excessive resources when processing UDP traffic
748502-1	CVE-2019-6623	K72335002	TMM may crash when processing iSession traffic
737731-6	CVE-2019-6622	K44885536	iControl REST input sanitization
737574-6	CVE-2019-6621	K20541896	iControl REST input sanitization★
737565-6	CVE-2019-6620	K20445457	iControl REST input sanitization
726393-2	CVE-2019-6643	K36228121	DHCPRELAY6 can lead to a tmm crash
726327	CVE-2018-12120	K37111863	NodeJS debugger accepts connections from any host
757455-2	CVE-2019-6647	K87920510	Excessive resource consumption when processing REST requests
753796-1	CVE-2019-6640	K40443301	SNMP does not follow best security practices
750460-1	CVE-2019-6639	K61002104	Subscriber management configuration GUI
750298-1	CVE-2019-6638	K67825238	iControl REST may fail while processing requests
750187-1	CVE-2019-6637	K29149494	ASM REST may consume excessive resources
745371-1	CVE-2019-6636	K68151373	AFM GUI does not follow best security practices
745257-1	CVE-2018-14634	K20934447	Linux kernel vulnerability: CVE-2018-14634
742226-6	CVE-2019-6635	K11330536	TMSH platform_check utility does not follow best security practices
710857-5	CVE-2019-6634	K64855220	iControl requests may cause excessive resource usage
702469-7	CVE-2019-6633	K73522927	Appliance mode hardening in scp
673842-6	CVE-2019-6632	K01413496	VCMP does not follow best security practices
773653-6	CVE-2019-6656	K23876153	APM Client Logging
773641-6	CVE-2019-6656	K23876153	APM Client Logging
773637-6	CVE-2019-6656	K23876153	APM Client Logging
773633-6	CVE-2019-6656	K23876153	APM Client Logging
773621-6	CVE-2019-6656	K23876153	APM Client Logging

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
749704-2	4-Minor		GTPv2 Serving-Network field with mixed MNC digits

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
774445-1	1-Blocking	K74921042	BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2
789993-1	2-Critical		Failure when upgrading to 15.0.0 with config move and static management-ip.
773677-1	2-Critical	K72255850	BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase★
769809-4	2-Critical		The vCMP guests 'INOPERATIVE' after upgrade
765801	2-Critical		WCCP service info field corrupted in upgrade to 14.1.0 final★
760573-1	2-Critical	K00730586	TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0★
760508-1	2-Critical	K91444000	On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist★
760408-3	2-Critical	K23438711	System Integrity Status: Invalid after BIOS update★
760164-1	2-Critical		BIG-IP VE Compression Offload HA action requires modification of db variable
757722-2	2-Critical		Unknown notify message types unsupported in IKEv2
756402-2	2-Critical		Re-transmitted IPsec packets can have garbled contents
756071-3	2-Critical		MCPD crash
755254-1	2-Critical	K54339562	Remote auth: PAM_LDAP buffer too small errors★
753650-2	2-Critical		The BIG-IP system reports frequent kernel page allocation failures.
750586-2	2-Critical		HSL may incorrectly handle pending TCP connections with elongated handshake time.
743803-1	2-Critical		IKEv2 potential double free of object when async request queueing fails
741503-1	2-Critical		The BIG-IP system fails to load base config file when upgrading with static IPv4★
726487-4	2-Critical		MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
648270-1	2-Critical		mcpd can crash if viewing a fast-growing log file through the GUI
766365-1	3-Major		Some trunks created on VE platform stay down even when the trunk's interfaces are up
766329-2	3-Major		SCTP connections do not reflect some SCTP profile settings
765033	3-Major		Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions★
760597-1	3-Major		System integrity messages not logged
760594	3-Major		On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.
758879	3-Major		BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot
748206-1	3-Major		Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
748187-4	3-Major		'Transaction Not Found' Error on PATCH after Transaction has been Created
746657-1	3-Major		tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
745809-2	3-Major		The /var partition may become 100% full requiring manual intervention to clear space
740543-1	3-Major		System hostname not display in console
725791-6	3-Major	K44895409	Potential HW/HSB issue detected
718405-2	3-Major		RSA signature PAYLOAD_AUTH mismatch with certificates
581921-5	3-Major	K22327083	Required files under /etc/ssh are not moved during a UCS restore
754500-2	4-Minor		GUI LTM Policy options disappearing
726317-6	4-Minor		Improved debugging output for mcpd

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
759723-1	2-Critical		Abnormally terminated connections on server side may cause client side streams to stall
758465-1	2-Critical		TMM may crash or iRule processing might be incorrect
756356-2	2-Critical		External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long
753912-4	2-Critical	K44385170	UDP flows may not be swept
752930-3	2-Critical		Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
747727-1	2-Critical		HTTP Profile Request Header Insert Tcl error
747239-1	2-Critical		TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection
745533-6	2-Critical		NodeJS Vulnerability: CVE-2016-5325
741048-1	2-Critical		iRule execution order could change after editing the scripts
766293-1	3-Major		Monitor logging fails on v14.1.0.x releases
760550-5	3-Major		Retransmitted TCP packet has FIN bit set
758311-1	3-Major		Policy Compilation may cause MCPD to crash
757985-1	3-Major	K79562045	TMM memory leak
757698-1	3-Major		TMM crashes in certain situations of which iRule execution interleaves client side and server side flows
756270-4	3-Major		SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
754985-1	3-Major		Standby mirrored server SSL connections fail, and tmm may crash while processing mirrored TLS traffic
752078-2	3-Major		Header Field Value String Corruption
749414-4	3-Major		Invalid monitor rule instance identifier error
747907-2	3-Major		Persistence records leak while the HA mirror connection is down
742078-6	3-Major		Incoming SYNs are dropped and the connection does not time out.
740959-4	3-Major		User with manager rights cannot delete FQDN node on non-Common partition
740345-3	3-Major		TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
696755-3	3-Major		HTTP/2 may truncate a response body when served from cache
696735-2	3-Major		TCP ToS Passthrough mode does not work correctly
504522-4	3-Major		Trailing space present after 'tmsh ltm pool members monitor' attribute value
747968-3	4-Minor		DNS64 stats not increasing when requests go through DNS cache resolver

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
777937-3	1-Blocking		AWS ENA: packet drops due to bad checksum

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
759721-2	3-Major	K03332436	DNS GUI does not follow best practices
749508-1	3-Major		LDNS and DNSSEC: Various OOM conditions need to be handled properly
749222-1	3-Major		dname compression offset overflow causes bad compression pointer
748902-5	3-Major		Incorrect handling of memory allocations while processing DNSSEC queries
746877-1	3-Major		Omitted check for success of memory allocation for DNSSEC resource record
744707-2	3-Major		Crash related to DNSSEC key rollover
723288-4	3-Major		DNS cache replication between TMMs does not always work for net dns-resolver
748177-1	4-Minor		Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
759360-2	2-Critical		Apply Policy fails due to policy corruption from previously enforced signature
749912-1	2-Critical		[BIG-IQ Integration] Deadlock occurs when adding multiple hostnames with transparent enforcement
723790-3	2-Critical		Idle asm_config_server handlers consumes a lot of memory
765449-1	3-Major		Update availability status may be inaccurate
763001-1	3-Major	K70312000	Web-socket enforcement might lead to a false negative
761941-1	3-Major		ASM does not remove CSRT token query parameter before forwarding a request to the backend server
761194-2	3-Major		param data type violation on an Integer parameter, if an integer value is sent via websocket JSON
760878-3	3-Major		Incorrect enforcement of explicit global parameters
759483-1	3-Major		Message about HTTP status code which are set by default disappeared from the UI
758085-1	3-Major		CAPTCHA Custom Response fails when using certain characters
756418-1	3-Major		Live Update does not authenticate remote users
742558-1	3-Major		Request Log export document fails to show some UTF-8 characters
687759-3	3-Major		bd crash
774941-1	4-Minor		GUI misspelling in Bot Defense logging profile
768761-2	4-Minor		Improved accept action description for suggestions to disable signature/enable metacharacter in policy
766357-1	4-Minor		Two simultaneously manual installations can cause live-update inconsistency
765413-1	4-Minor		ASM cluster syncs caused by PB ignored suggestions updates
761921-1	4-Minor		avrd high CPU utilization due to perpetual connection attempts
761553-2	4-Minor		Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic
761549-2	4-Minor		Traffic Learning: Accept and Stage action is shown only in case entity is not in staging
761231-2	4-Minor	K79240502	Bot Defense Search Engines getting blocked after configuring DNS correctly
759462-1	4-Minor		Site names and vulnerabilities cannot be retrieved from WhiteHat server
755005-1	4-Minor		Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
750689-3	4-Minor		Request Log: Accept Request button available when not needed
749184-2	4-Minor		Added description of subviolation for the suggestions that enabled/disabled them
747560-5	4-Minor		ASM REST: Unable to download Whitehat vulnerabilities
769061-2	5-Cosmetic		Improved details for learning suggestions to enable violation/sub-violation

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
763349-3	2-Critical		AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
756205-1	2-Critical		TMSTAT offbox statistics are not continuous
756102-2	2-Critical		TMM can crash with core on ABORT signal due to non-responsive AVR code
771025-3	3-Major		AVR send domain names as an aggregate
764665-2	3-Major		AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
763005-3	3-Major		Aggregated Domain Names in DNS statistics are shown as random domain name
760356-2	3-Major		Users with Application Security Administrator role cannot delete Scheduled Reports

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
770557-3	2-Critical		Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one
769281-1	2-Critical		Per-request Acess Policy may show user interface pages incorrectly i nlanguages other than English
755447-1	2-Critical		SSLO does not deliver content generated/originated from inline device
753370-3	2-Critical		RADIUS auth might not be working as configured when there is change in RADIUS auth config name.
774633-2	3-Major		Memory leak in tmm when session db variables are not cleaned up
774213-1	3-Major		SWG session limits on SSLO deployments
760410-1	3-Major		Connection reset is seen when Category lookup agent is used in per-req policy
760250	3-Major		'Unsupported SSO Method' error when requests sharing the same TCP session
759868-1	3-Major		TMM crash observed while rendering internal pages (like blocked page) for per-request policy
758764-2	3-Major		APMD Core when CRLDP Auth fails to download revoked certificate
758701-1	3-Major		APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install
757992-3	3-Major		RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
757360-1	3-Major		Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO
755475-1	3-Major		Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync
755047-1	3-Major		Category lookup returns wrong category on CONNECT traffic through SSLO
754542-2	3-Major		TMM may crash when using RADIUS Accounting agent
752875-2	3-Major		tmm core while using service chaining for SSLO
751807-1	3-Major		SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel
751424-1	3-Major		HTTP Connect Category Lookup not working properly
749057-1	3-Major		VMware Horizon idle timeout is ignored when connecting via APM
745574-1	3-Major		URL is not removed from custom category when deleted
738430-3	3-Major		APM is not able to do compliance check on iOS devices running F5 Access VPN client
734291-1	3-Major		Logon page modification fails to sync to standby
695985-4	3-Major		Access HUD filter has URL length limit (4096 bytes)
766761-2	4-Minor		Ant-server does not log requests that are excluded from scanning

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
766405-2	2-Critical		MRF SIP ALG with SNAT: Fix for potential crash on next-active device
754615-2	2-Critical		Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup.
763157-2	3-Major		MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped
760370-2	3-Major		MRF SIP ALG with SNAT: Next active ingress queue filling
759077-2	3-Major		MRF SIP filter queue sizes not configurable
755630-1	3-Major		MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes
752822-1	3-Major		SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
751179-1	3-Major		MRF: Race condition may create to many outgoing connections to a peer
746825-1	3-Major		MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls
745947-2	3-Major		Add log events for MRF SIP registration/deregistration and media flow creation/deletion
745590-1	3-Major		SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added
760930-2	4-Minor		MRF SIP ALG with SNAT: Added additional details to log events
747909-5	4-Minor		GTPv2 MEI and Serving-Network fields decoded incorrectly

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
757524	1-Blocking		Data operation attempt on object that has not been loaded
757359-1	2-Critical		pccd crashes when deleting a nested Address List
754805	2-Critical	K97981358	Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured
753028-2	3-Major		AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
756477-2	5-Cosmetic		Drop Redirect tab incorrectly named as 'Redirect Drop'

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
744516-4	2-Critical		TMM panics after a large number of LSN remote picks

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
748121-3	2-Critical		admd livelock under CPU starvation
653573-6	2-Critical		ADMd not cleaning up child rsync processes
756877-1	3-Major		Virtual server created with Guided Configuration is not visible in Grafana

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
752803-1	2-Critical		CLASSIFICATION_DETECTED running reject can lead to a tmm core
752047-1	2-Critical		iRule running reject in CLASSIFICATION_DETECTED event can cause core

Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
755817	3-Major		v14.1.0.5 includes Guided Configuration 4.1
751824-1	3-Major		Restore old 'merge' functionally with new tmsh verb 'replace'

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
663819-1	3-Major		APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue)

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
761173-1	2-Critical		tmm crash after extended whitelist modification
751869-2	2-Critical		Possible tmm crash when using manual mode mitigation in DoS Profile
760393	3-Major		GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes
750477-1	3-Major		LTM NAT does not forward ICMP traffic
737035-2	3-Major		New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup.

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
757088-1	2-Critical		TMM clock advances and cluster failover happens during webroot db nightly updates
758536	3-Major		Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x

Protocol Inspection Fixes

ID Number	Severity	Solution Article(s)	Description
737558-1	2-Critical		Protocol Inspection user interface elements are active but do not work
774881	3-Major		Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed.

Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release

Functional Change Fixes

None

Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
745783-1	3-Major		Anti-fraud: remote logging of login attempts

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
758667-1	2-Critical		BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs
754541-2	2-Critical		Reconfiguring an iApp that uses a client SSL profile fails
760222	3-Major		SCP fails unexpected when FIPS mode is enabled
725625-1	3-Major		BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK

Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
757025-1	CVE-2018-5744	K00040234	BIND Update
756774-6	CVE-2019-6612	K24401914	Aborted DNS queries to a cache may cause a TMM crash
750292-2	CVE-2019-6592	K54167061	TMM may crash when processing TLS traffic
749879-2	CVE-2019-6611	K47527163	Possible interruption while processing VPN traffic
744035-6	CVE-2018-15332	K12130880	APM Client Vulnerability: CVE-2018-15332
757027-1	CVE-2019-6465	K01713115	BIND Update
757026-1	CVE-2018-5745	K25244852	BIND Update
745713-4	CVE-2019-6619	K94563344	TMM may crash when processing HTTP/2 traffic
745387-1	CVE-2019-6618	K07702240	Resource-admin user roles can no longer get bash access
745165-1	CVE-2019-6617	K38941195	Users without Advanced Shell Access are not allowed SFTP access
737910-4	CVE-2019-6609	K18535734	Security hardening on the following platforms
724680-6	CVE-2018-0732	K21665601	OpenSSL Vulnerability: CVE-2018-0732
703835-5	CVE-2019-6616	K82814400	When using SCP into BIG-IP systems, you must specify the target filename
702472-7	CVE-2019-6615	K87659521	Appliance Mode Security Hardening
698376-5	CVE-2019-6614	K46524395	Non-admin users have limited bash commands and can only write to certain directories
713806-8	CVE-2018-0739	K08044291	CVE-2018-0739: OpenSSL Vulnerability
699977-3	CVE-2016-7055	K43570545	CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
755641-1	2-Critical		Unstable asm_config_server after upgrade, 'Event dispatcher aborted'
744685-2	2-Critical		BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
744188-1	2-Critical		First successful auth iControl REST requests will now be logged in audit and secure log files
739432	3-Major		F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems
738108-1	3-Major		SCTP multi-homing INIT address parameter doesn't include association's primary address

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
753642-1	2-Critical		iHealth may report false positive for Critical Malware
752835-2	2-Critical	K46971044	Mitigate mcpd out of memory error with auto-sync enabled.
750580-1	2-Critical		Installation using image2disk --format may fail after TMOS v14.1.0 is installed★
707013-3	2-Critical		vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest
668041-4	2-Critical	K27535157	Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★
621260-2	2-Critical		mcpd core on iControl REST reference to non-existing pool
753564-1	3-Major		Attempt to change password using /bin/passwd fails
751011-3	3-Major		ihealth.sh script and qkview locking mechanism not working
751009-3	3-Major		Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
750661	3-Major		URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.
750447-3	3-Major		GUI VLAN list page loading slowly with 50 records per screen
749382-1	3-Major		Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater
746873-1	3-Major		Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing
745825-1	3-Major		The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
737536-2	3-Major		Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
721585-1	3-Major		mcpd core processing ltm monitors with deep level of inheritance
639619-7	3-Major		UCS may fail to load due to Master key decryption failure on EEPROM-less systems★
751636-1	4-Minor		Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership★
737423-2	4-Minor		Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
754143-1	2-Critical		TCP connection may hang after finished
747617-2	2-Critical		TMM core when processing invalid timer
742184-3	2-Critical		TMM memory leak
738945-4	2-Critical		SSL persistence does not work when there are multiple handshakes present in a single record
716714-4	2-Critical		OCSP should be configured to avoid TMM crash.
750200-3	3-Major		DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
749294-4	3-Major		TMM cores when query session index is out of boundary
746131-4	3-Major		OpenSSL Vulnerability: CVE-2018-0732
744686-2	3-Major		Wrong certificate can be chosen during SSL handshake
743900-1	3-Major		Custom DIAMETER monitor requests do not have their 'request' flag set
739963-4	3-Major		TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
739349-3	3-Major		LRO segments might be erroneously VLAN-tagged.
724327-2	3-Major		Changes to a cipher rule do not immediately have an effect
720219-3	3-Major	K13109068	HSL::log command can fail to pick new pool member if last picked member is 'checking'
717896-4	3-Major		Monitor instances deleted in peer unit after sync
717100-1	3-Major		FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
716167-2	3-Major		The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp
704450-5	3-Major		bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
703593-1	3-Major		TMSH tab completion for adding profiles to virtual servers is not working as expected

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
756094-2	2-Critical		DNS express in restart loop, 'Error writing scratch database' in ltm log

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
752942-1	2-Critical		Live Update cannot be used by Administrator users other than 'admin' and 'root'
750922-1	2-Critical		BD crash when content profile used for login page has no parse parameters set
749136-1	2-Critical		Disk partition /var/log is low on free disk space
748321-1	2-Critical		bd crash with specific scenario
744347-4	2-Critical		Protocol Security logging profiles cause slow ASM upgrade and apply policy
721741-4	2-Critical		BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
754420-1	3-Major		Missing policy name in exported ASM request details
754066-1	3-Major		Newly added Systems are not added as part of installing a Server Technologies update file
753295-1	3-Major		ASM REST: All signatures being returned for policy Signatures regardless of signature sets
750973-1	3-Major		Import XML policy error
750793-2	3-Major		Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
750686-1	3-Major		ASE user cannot create or modify a bot signature.
750683-1	3-Major		REST Backwards Compatibility: Cannot modify enforcementMode of host-name
750668-1	3-Major		Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
750666-1	3-Major		Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common'
750356-2	3-Major		Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
749500-1	3-Major		Improved visibility for Accept on Microservice action in Traffic Learning
749109-3	3-Major		CSRF situation on BIGIP-ASM GUI
748999-3	3-Major		invalid inactivity timeout suggestion for cookies
748848-2	3-Major		Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers
748409-2	3-Major		Illegal parameter violation when json parsing a parameter on a case-insensitive policy
747977-1	3-Major		File manually uploaded information is not synced correctly between blades
747777-3	3-Major		Extractions are learned in manual learning mode
747550-3	3-Major		Error 'This Logout URL already exists!' when updating logout page via GUI
746750-1	3-Major		Search Engine get Device ID challenge when using the predefined profiles
746298-1	3-Major		Server Technologies logos all appear as default icon
745813-1	3-Major		Requests are reported to local log even if only Bot Defense remote log is configured
745624-1	3-Major		Tooltips for OWASP Bot Categories and Anomalies were added
745607-1	3-Major		Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly
745531-2	3-Major		Puffin Browser gets blocked by Bot Defense
742852-1	3-Major		Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header
739945-4	3-Major		JavaScript challenge on POST with 307 breaks application
738676-1	3-Major		Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests
737866-2	3-Major		Rare condition memory corruption
754365-5	4-Minor		Updated flags for countries that changed their flags since 2010
721724-1	4-Minor		LONG_REQUEST notice print incorrect in BD log

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
746941-2	2-Critical		Memory leak in avrd when BIG-IQ fails to receive stats information
753446-2	3-Major		avrd process crash during shutdown if connected to BIG-IQ
749464-2	3-Major		Race condition while BIG-IQ updates common file
749461-2	3-Major		Race condition while modifying analytics global-settings
745027-2	3-Major		AVR is doing extra activity of DNS data collection even when it should not
744595-3	3-Major		DoS-related reports might not contain some of the activity that took place
744589-3	3-Major		Missing data for Firewall Events Statistics
715110-1	3-Major		AVR should report 'resolutions' in module GtmWideip

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
752592-1	2-Critical		VMware Horizon PCoIP clients may fail to connect shortly after logout
754346-2	3-Major		Access policy was not found while creating configuration snapshot.
746771-3	3-Major		APMD recreates config snapshots for all access profiles every minute
745654-4	3-Major		Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
743437-3	3-Major		Portal Access: Issue with long 'data:' URL

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
749603-1	3-Major		MRF SIP ALG: Potential to end wrong call when BYE received
749227-1	3-Major		MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE
748043-2	3-Major		MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
747187-2	3-Major		SIP falsely detects media flow collision when SDP is in both 183 and 200 response
745715-2	3-Major		MRF SIP ALG now supports reading SDP from a mime multipart payload
745628-1	3-Major		MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
745514-1	3-Major		MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
745404-4	3-Major		MRF SIP ALG does not reparse SDP payload if replaced
744949-1	3-Major		MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
744275-1	3-Major		BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
742829-1	3-Major		SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
747104-1	1-Blocking	K52868493	LibSSH: CVE-2018-10933
752363-2	2-Critical		Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
749331-3	2-Critical		Global DNS DoS vector does not work in certain cases
747922-3	2-Critical		With AFM enabled, during bootup, there is a small possibility of a tmm crash
748176-1	3-Major		BDoS Signature can wrongly match a DNS packet
748081-1	3-Major		Memory leak in Behavioral DoS module
747926-2	3-Major		Rare TMM restart due to NULL pointer access during AFM ACL logging

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
726647-5	3-Major		PEM content insertion in a compressed response may truncate some data

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
752782-1	3-Major		'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'
741449-3	4-Minor		alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
738677-1	4-Minor		Configured name of wildcard parameter is not sent in data integrity alerts

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
755378-1	2-Critical		HTTPS connection error from Chrome when BADOS TLS signatures configured
727136-1	3-Major		One dataset contains large number of variations of TLS hello messages on Chrome

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
745733-3	3-Major		TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup

Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
745629	2-Critical		Ordering Symantec and Comodo certificates from BIG-IP
713817-1	3-Major		BIG-IP images are available in Alibaba Cloud
738891-1	4-Minor		TLS 1.3: Server SSL fails to increment key exchange method statistics

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
746424	2-Critical		Patched Cloud-Init to support AliYun Datasource
745851	3-Major		Changed Default Cloud-Init log level to INFO from DEBUG
742251-1	4-Minor		Add Alibaba Cloud support to Qkview

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
749774-5	3-Major		EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-5	3-Major		DNS cache resolver may return a malformed truncated response with multiple OPT records

Cumulative fix details for BIG-IP v14.1.3.1 that are included in this release

957337-4 : Mgmt in tmsh broken

Component: TMOS

Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:

(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"

Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete

Impact:
You are unable to configure objects in mgmt.

This issue also prevents users with the admin role from accessing the following REST endpoints:

shared/authz/users
shared/echo-js

The error returned was HTTP/1.1 401 F5 Authorization Required

Fix:
Removing the condition that checks admin role of authUserReference during evaluatePermission.

954025 : "switchboot -b HD1.1" fails to reboot chassis

Component: TMOS

Symptoms:
Changing the default boot image with "switchboot -b HD1.1" fails to reboot the chassis.

Conditions:
-- Install 14.1.x-tmos-bugs 14.1.2.8 Build 434.0 on HD1.2 of a chassis with two blades and boot to HD1.2 .
-- Execute switchboot -b HD1.1

Impact:
Switchboot command does not work and you are unable to change the default boot image.

Fix:
You can now change the default boot image.

949145-4 : Improve TCP's response to partial ACKs during loss recovery

Component: Local Traffic Manager

Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.

Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.

Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.

Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.

Fix:
Partial ACK handling during loss recovery is improved.

948757-3 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.

Component: Local Traffic Manager

Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.

Conditions:
A snat-translation address is configured with ARP enabled.

Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.

Workaround:
None.

Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.

944785-1 : Admd restarting constantly. Out of memory due to loading malformed state file

Component: Anomaly Detection Services

Symptoms:
Admd consumes more than 10GB of RSS
Wrong signature statistics and possible memory corruption, potentially results in high memory consumption.

Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.

Impact:
ADMD not working, ADMD constantly restarting, consuming all of the system memory. Out of memory. ADMD killed due to memory consumption

Workaround:
Make sure that all the devices within a cluster are running compatible state file version (either all with versions before 15.1.0.x or after), if not, then:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or Downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start ADMD

If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start ADMD

Fix:
No more memory corruption, no OOM nor ADMD restarts.

943125-3 : Web-Socket request with JSON payload causing core during the payload parsing

Component: Application Security Manager

Symptoms:
Any web-socket request with JSON payload may cause a core witihin the JSON parser, depending on the used machine memory distribution.

Conditions:
Depends on the memory distribution of the used machine.
Sending web-socket request with JSON payload to the backend server.

Impact:
BD crash while parsing the JSON payload.

Workaround:
N/A

Fix:
No crashes during JSON payload parsing.

943101 : Tmm crash in cipher group delete.

Component: Local Traffic Manager

Symptoms:
Deleting a cipher group associated with multiple profiles could cause tmm crash.

Conditions:
Deleting a cipher group associated with multiple profiles.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed an issue with cipher group delete.

941853-2 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Component: Application Security Manager

Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.

941089 : TMM core when using Multipath TCP

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.

940897-2 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".

Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.

Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.

Workaround:
N/A

Fix:
No false positives detected.

940401-3 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.

Workaround:
None.

Fix:
Section now reads 'Rooting Detection'.

940249-3 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive
data after last allowed element is not masked.

Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.

Impact:
Data after last allowed element is not masked.

Fix:
Now the values are masked.

939209-3 : FIPS 140-2 SP800-56Arev3 compliance

Component: Local Traffic Manager

Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.

Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.

Impact:
BIG-IP will comply with the older standard.

Fix:
Updated cryptographic algorithms and self-tests according to the SP800-56Arev3 standard.

938165-2 : TMM Core after attempted update of IP geolocation database file

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.

Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to using the previously working version of the IP-geolocation file.

https://support.f5.com/csp/article/K11176#restore

Fix:
The BIG-IP system now validates the region/country strings returned by the geolocation database for IP addresses used in the traffic.

935721-4 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Solution Article: K82252291

935593-3 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite

Component: Local Traffic Manager

Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled does not treat retransmitted SYNs in a correct manner.

Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.

Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.

Workaround:
Do not use TCP timestamp rewrite.

935029-1 : TMM may crash while processing IPv6 NAT traffic

Component: Carrier-Grade NAT

Symptoms:
Under certain conditions, TMM may crash while processing IPv6 NAT traffic

Conditions:
-IPv6 NAT configured

Impact:
TMM crash leading to a failover event.

Workaround:
None.

Fix:
TMM now processes IPv6 NAT traffic as expected.

934941-3 : Platform FIPS power-up self test failures not logged to console

Component: TMOS

Symptoms:
The BIG-IP system does not log FIPS power-up self-test failures to the console.

Conditions:
A FIPS failure occurs during the power-up self test.

Impact:
Platform FIPS failures are made more difficult to identify and diagnose, because the system console fails to include anything at all that indicates a failure.

Workaround:
None.

934461 : Connection error with server with TLS1.3 single-dh-use.

Component: Local Traffic Manager

Symptoms:
Connection failure with TLS1.3 and single-dh-use configured.

Conditions:
14.1 with TLS1.3 single-dh-use.

Impact:
Connection failure in 14.1 versions.

Workaround:
Disable single-dh-use, or disable tls1.3.

Fix:
14.1 now supports TLS1.3 single-dh-use and hello retry on serverside.

934393 : APM authentication fails due to delay in sessionDB readiness

Component: Access Policy Manager

Symptoms:
On the Velocity platform, the APM Authentication fails, and APMD cores when trying to connect to sessionDB.

Conditions:
The APMD checks for TMM readiness by trying to connect to sessionDB and retries after a fixed delay before giving up. The sessionDB on the Velocity platform takes time to get ready and fails to create a config snapshot from APMD.

Impact:
It takes a long time to create the configuration snapshot. Authentication fails and APMD cores.

Workaround:
Restart all services, by using the following tmsh command:
tmsh restart /sys service all

Fix:
A semaphore based synchronization is now used instead of predictive (fixed ) delay to connect to TMM (sessionDB). This issue has been fixed.

933741-4 : Security hardening in FPS GUI

Component: Fraud Protection Services

Symptoms:
FPS GUI does not follow current best practices.

Conditions:
* Provision and license Fraud Protection Service (FPS).

Impact:
FPS GUI does not follow current best practices.

Workaround:
None.

Fix:
FPS GUI now follows current best practices.

933461-3 : BGP multi-path candidate selection does not work properly in all cases.

Component: TMOS

Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.

Conditions:
An inbound route-map exists that modifies a route's path selection attribute.

Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.

Workaround:
None.

933409-4 : Tomcat upgrade via Engineering Hotfix causes live-update files removal★

Component: TMOS

Symptoms:
After applying an Engineering Hotfix ISO that contains the tomcat package, live-update files are inadvertently removed and live update no longer works properly.

Conditions:
-- Engineering Hotfix contains the tomcat package.
-- Engineering Hotfix installation.

Impact:
Live-update functionality does not work properly.

Workaround:
There is no workaround to avoid this issue. But you can reinstall a newly created Engineering Hotfix that uses a fixed version of the live-install package.

Fix:
Fixed an issue with inadvertently removing live-update files while applying an Engineering Hotfix.

932937-3 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.

Component: Local Traffic Manager

Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.

Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.

Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.

Workaround:
Use an iRule to prevent connections from hanging:

when HTTP_REJECT {
after 1
}

Fix:
HTTP Explicit Proxy configurations no longer results in connections hanging until idle timeout.

932065-3 : iControl REST framework exception handling hardening

Component: Device Management

Symptoms:
iControl REST framework does not follow best practices for exception handling

Conditions:
iControl REST framework use by an authenticated user.

Impact:
iControl REST framework does not follow best practices for exception handling

Workaround:
None.

Fix:
iControl REST framework now follows best practices for exception handling

931513-2 : Some sequence of HTTP packets may cause TMM to crash

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic.

Conditions:
A virtual with standard HTTP profile is configured.

Impact:
When TMM crashes it causes a failover event and may interrupt traffic processing.

Workaround:
None

Fix:
TMM now processes HTTP traffic as expected.

930741-1 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot

Component: TMOS

Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.

One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.

Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.

Impact:
Traffic disruption caused by the reboot.

Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.

930385 : SSL filter does not re-initialize when an OCSP object is modified

Component: Local Traffic Manager

Symptoms:
Create an OCSP object using DNS resolver ns1, associate the OCSP object to SSL profile and a virtual.

Then, modify the OCSP object to DNS resolver ns2.

After the modification, wait for cache-timeout and cache-error-timeout and then connect to virtual again. The nameserver contacted is still ns1.

Conditions:
An OCSP object is configured and modified.

Impact:
The wrong nameserver is used after modification to the OCSP object.

Fix:
After the fix, the correct nameserver will be contacted after the OCSP object is modified.

928321-3 : Hardening of HSM UI

Component: TMOS

Symptoms:
Under certain conditions, the Hardware Security Module UI does not follow current best practices.

Conditions:
Authenticated access of the HSM UI

Impact:
Under certain conditions, the Hardware Security Module UI does not follow current best practices.

Workaround:
None.

Fix:
The ardware Security Module UI now follows current best practices.

928037-3 : APM Hardening

Component: Access Policy Manager

Symptoms:
Under certain conditions APM does not follow current best practices.

Conditions:
APM configured

Impact:
Under certain conditions APM does not follow current best practices.

Workaround:
None.

Fix:
APM now follows current best practices.

928029 : Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis

Component: TMOS

Symptoms:
Wrong popup message for switchboot popup "This will restart the chassis. Continue?".

Conditions:
Run "switchboot" command

Impact:
A confusing popup message is displayed.

Workaround:
NA

Fix:
Updated the switchboot popup message "This will restart BIG-IP tenant. Continue?"

927617-3 : "Illegal Base64 value" violation is detected for cookie with valid base64 value

Component: Application Security Manager

Symptoms:
Request that should be passed to the backend server with cookie header which contain cookie valid value encoded to base64 is blocked.

Conditions:
A cookie name has to be defined in "Security ›› Application Security : Headers : Cookies List ›› New Cookie..." with enabled "Base64 Decoding".

Impact:
Blocking page, while the request should not be blocked.

Workaround:
Disable "Base64 Decoding" for the desired cookie.

Fix:
Requests with valid base64 encoding cookies should not get blocked by the enforcer.

927033-1 : Installer fails to calculate disk size of destination volume★

Component: TMOS

Symptoms:
Installation fails with a 'Disk full (volume group)' error in var/log/liveinstall.log:

error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.

Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:

[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map

Impact:
Unable to successfully upgrade.

Workaround:
Create the expected symlink manually:

cd /dev/md
ln -s ../md127 _none_\:0

926593-3 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.

Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.

Impact:
IPv6 virtual servers are marked down unexpectedly.

Workaround:
Use a different gtm monitor type than gateway_icmp for IPv6 targets

924929-1 : Logging improvements for VDI plugin

Component: Access Policy Manager

Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.

Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts

Impact:
Event names are not displayed in the APM log.

Workaround:
None.

Fix:
Event names along with the exceptions are also seen in the APM log file.

924493-4 : VMware EULA has been updated

Component: TMOS

Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.

Conditions:
The EULA is presented to the user when deploying an OVF template.

Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).

Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.

Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.

Fix:
The EULA presented in VMware was out of date and has been updated.

924429-3 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values

Component: TMOS

Symptoms:
While restoring a UCS archive, you get an error similar to the following example:

/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.

The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.

This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.

Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.

Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.

Workaround:
None.

Fix:
The UCS installation script now reports the correct free disk space for the /var/tmp directory, allowing UCS archive installations to complete.

924349-1 : DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP

Component: Service Provider

Symptoms:
Current Diameter CER/CEA messages does not advertise all HostIPAddresses.

Conditions:
-- Exchange Diameter messages CER/CEA between peers, configure a SNAT pool and an alternate address in the SCTP profile.
-- The CER from BIG-IP contains snatpool IP addresses
-- The CEA from BIG-IP contains alternate addresses

Impact:
Unable to see multiple HostIPAddress in CER/CEA

Fix:
Able to validate HostIpAddress as per RFC6733 on Diameter over SCTP.

923125-1 : Huge amount of admd processes caused oom

Component: Anomaly Detection Services

Symptoms:
Top shows that a large number of admd processes are running.

Conditions:
-- Configuration with Sync-Failover device groups and BADOS.
-- Some stressful (unknown) condition occurs.

Impact:
Memory is exhausted.

Workaround:
Restart admd:
bigstart restart admd

921721-2 : FIPS 140-2 SP800-56Arev3 compliance

Component: Local Traffic Manager

Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.

Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.

Impact:
BIG-IP will comply with the older standard.

Workaround:
Updated cryptographic key assurances and pair-wise consistency checks according to the SP800-56Arev3 standard.

921421-1 : iRule support to get/set UDP's Maximum Buffer Packets

Component: Local Traffic Manager

Symptoms:
UDP profiles have a setting to set the Maximum Buffer Packets for UDP connections. This value cannot be modified with an iRule.

Conditions:
-- UDP profile is used.
-- You need to dynamically change the max buffer packets setting in an iRule.

Impact:
Unable to dynamically change the max buffer packets setting in an iRule.

Workaround:
None

Fix:
You can now dynamically change the max buffer packets setting in an iRule. The setting is UDP::max_buf_pkts

Behavior Change:
A new iRule command has been added, UDP::max_buf_pkts. This allows you to dynamically override the maximum number of packets setting in the UDP profile.

921337-3 : ASM processes some web-sockets requests longer than usual

Component: Application Security Manager

Symptoms:
ASM processes some web-socket requests longer than usual and can cause some latency when passing requests to the backend server.

Conditions:
Content profile parsing is enabled in ASM.

Impact:
Latency can be noted when passing web-socket requests to the backend server.

Workaround:
N/A

Fix:
ASM is processes web-socket requests as expected

920961-3 : Devices incorrectly report 'In Sync' after an incremental sync

Component: Application Security Manager

Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.

Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).

Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.

Workaround:
Modify the underlying LTM policy to be 'legacy':
# tmsh modify ltm policy <LTM Policy Name> legacy

Fix:
An internal config parameter is now available to work around this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.

Behavior Change:
There is now an internal config parameter that enables a workaround for this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.

920481 : REST GET on /mgmt/tm/sys/file/ssl-key returns bad/wrong passphrase

Component: TMOS

Symptoms:
GET request on REST endpoint /mgmt/tm/sys/file/ssl-key returns the incorrect value for passphrase.

Conditions:
This occurs when getting the ssl-key information, and the key contains a passphrase.
-- Using BIG-IP v14.1.2.5 or v14.1.2.6 to deploy Amazon Machine Image (AMI).

Impact:
Passphrase value is incorrect. Autoscale AWS deployments fail when trying to deploy a BIG-IP v14.1.2.5 or v14.1.2.6 AMI. This is the result of a change in how ssl-key passphrases are being returned in REST calls.

Workaround:
None.

Fix:
Can now deploy from BIG-IP v14.1.2.5 or v14.1.2.6 AMI when using passphrase from a GET request on REST endpoint /mgmt/tm/sys/file/ssl-key.

920361-4 : Standby device name sent in Traffic Statistics syslog/Splunk messages

Component: Advanced Firewall Manager

Symptoms:
'Traffic Statistics' syslog/Splunk messages are sent with the hostname of the standby device.

Conditions:
When a virtual server is configured with a security logging profile enabled for DoS Protection logging.

Impact:
'Traffic Statistics' syslog/Splunk messages show the wrong hostname. It should show the active device hostname.

Workaround:
None.

Fix:
Corrected Traffic Statistics syslog/Splunk messages to show the hostname of the active instead of the standby device in logging messages.

920301-2 : Unnecessarily high number of JavaScript Obfuscator instances when device is busy

Component: TMOS

Symptoms:
When the device has high CPU or I/O rate, it can cause the JavaScript Obfuscator to run multiple times simultaneously, causing even higher CPU usage.

Conditions:
-- ASM/DoS/FPS are provisioned.
-- BIG-IP device is experiencing a high CPU or I/O rate.

Impact:
High CPU Usage.

Workaround:
None.

Fix:
The system now avoids creating multiple JavaScript Obfuscator processes.

919841-1 : AVRD may crash while processing Bot Defense traffic

Component: Application Visibility and Reporting

Symptoms:
Under certain conditions, the AVRD application on BIG-IP may crash.

Conditions:
-- Bot Defense Profile is attached to the virtual server.
-- Mobile SDK is licensed and enabled.

Impact:
Instability in the avrd process. Statistics data can be lost.

Workaround:
None.

Fix:
AVRD now processes Bot Defense traffic as expected.

919745-4 : CSV files downloaded from the Dashboard have the first row with all 'NaN

Component: TMOS

Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'

Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.

Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.

Workaround:
None.

Fix:
Fixed an issue with 'NaN' being reported in the first line of the downloaded dashboard .csv files.

919553-3 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

Component: Global Traffic Manager (DNS)

Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.

Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.

919001-1 : Live Update: Update Available notification is shown twice in rare conditions

Component: Application Security Manager

Symptoms:
When entering Live Update page, sometimes Update Available notification is shown twice.

Conditions:
You first enters Live Update page.

Impact:
Notification is shown twice.

Workaround:
None.

Fix:
Notification is shown only once in all cases.

918933-3 : Some ASM attack signatures do not match on cookies

Component: Application Security Manager

Symptoms:
Some ASM attack signatures are not matching as expected on a cookie value.

Conditions:
Matching enabled for specific attack signatures.

Impact:
False negative. A signature does not match and an attack is getting through.

Workaround:
There is no valid workaround except creating custom signatures for cookies from all these signatures.

Fix:
Signatures now match on cookies as expected.

918209-1 : GUI Network Map icons color scheme is not section 508 compliant

Component: TMOS

Symptoms:
Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green are nearly appearing as one color.

Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.

Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.

Workaround:
None.

Fix:
Modified the color codes. Now the Network Map icons color scheme is section 508 compliant.

918169-2 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when all of the following conditions are true:

-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).

-- The server's HTTP response does not terminate with a newline.

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by performing any one of the following actions:

-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.

-- Ensure the server's HTTP response ends with a newline.

Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.

917509-5 : ASM processes some requests longer than usual

Component: Application Security Manager

Symptoms:
ASM processes some requests longer than usual and can cause some latency when passing requests to the backend server.

Conditions:
Content profile parsing is enabled in ASM

Impact:
Latency can be noted when passing requests to the backend server

Workaround:
N/A

Fix:
ASM is processes requests as expected

917469-4 : TMM may crash while processing FPS traffic

Solution Article: K53821711

917005-4 : ISC BIND Vulnerability: CVE-2020-8619

Solution Article: K19807532

916821-4 : An authenticated user on iControlREST may gain elevated privilege level

Component: TMOS

Symptoms:
An authenticated iControl REST user may gain elevated privileges using unspecified means.

Conditions:
iControl REST users with non-admin privileges configured

Impact:
A lower privileged iControl REST user may be able to execute functions requiring a higher privilege level.

Fix:
Privilege levels now properly enforced in iControl REST.

915957 : The wocplugin may get into a restart loop when AAM is provisioned

Component: Local Traffic Manager

Symptoms:
When AAM is provisioned the wocplugin resource allocation may fail, which could result in a restart loop of the plugin. This renders the AAM module nonfunctional.

Conditions:
Application Acceleration Manager (AAM) is provisioned

Impact:
AAM is not functional

Workaround:
None

Fix:
The wocplugin is now correctly provisioned and runs without restarts.

915825-4 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

Component: TMOS

Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.

Configuration error: Can't associate folder (/User/Drafts) folder does not exist.

Conditions:
This occurs in the following scenario:

1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.

Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.

Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.

915689-4 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.

Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.

Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.

Workaround:
None.

Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.

915605-1 : Image install fails if iRulesLX is provisioned and /usr mounted read-write★

Component: Local Traffic Manager

Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.

tmsh show software status will report the status for the target volume:

Could not access configuration source.

Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.

Impact:
Unable to upgrade or more generally install an image on a new or existing volume.

Workaround:
Re-mount /usr as read-only:

mount -o remount,ro /usr

915497-3 : New Traffic Class Page shows multiple question marks.

Component: TMOS

Symptoms:
When you navigate to the traffic class creation page by clicking Create button in the Traffic Class list page, Chinese characters are displayed with multiple question marks.

Conditions:
This is encountered when creating a new Traffic Class.

Impact:
Multi-byte characters are displayed incorrectly.

Workaround:
None.

Fix:
Fixed an issue with rendering multi-byte characters on the Traffic Class screen.

915281-1 : Do not rearm TCP Keep Alive timer under certain conditions

Component: Local Traffic Manager

Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.

Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.

Impact:
Continuous rearming results in consuming CPU resources unnecessarily.

Workaround:
None.

Fix:
Rearming of TCP Keep Alive timer is improved.

914761-1 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.

Component: TMOS

Symptoms:
Using crontab to automatically backup UCS file by scheduling cronjobs fails due to SELinux permissions. The failure produces the following error:

Unexpected Error: UCS saving process failed.

Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.

Impact:
UCS file is not successfully saved and backup fails.

Workaround:
None.

914649-2 : Support USB redirection through VVC (VMware virtual channel) with BlastX

Component: Access Policy Manager

Symptoms:
USB is unavailable after opening VMware View Desktop.

Conditions:
1. Secure Tunnel disabled on VCS
2. Launch view virtual desktop via native view client from an APM webtop or from the View client

Impact:
USB is unavailable after opening VMware View Desktop

Workaround:
None.

Fix:
USB is now available after opening VMware View Desktop

913249-4 : Restore missing UDP statistics

Component: Local Traffic Manager

Symptoms:
The following UDP statistics are missing:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes

Conditions:
Viewing UDP statistics.

Impact:
Unable to view these UDP statistics.

Workaround:
None.

Fix:
The following UDP statistics are now restored:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes

912969-4 : iAppsLX Security Hardening

Component: iApp Technology

Symptoms:
Under certain conditions, iAppsLX does not follow current best security practices.

Conditions:
iAppsLX REST access by an authenticated administrative user

Impact:
iAppsLX does not follow current best security practices.

Workaround:
None

Fix:
iAppsLX now follows current best security practices.

912221-2 : CVE-2020-12662 & CVE-2020-12663

Solution Article: K37661551

911809-1 : TMM might crash when sending out oversize packets.

Component: TMOS

Symptoms:
TMM crashes with an assert; Drop assertion similar to the following:
notice panic: ../dev/ndal/ndal.c:758: Assertion "pkt length cannot be greater than MAX_PKT_LEN" failed.

Conditions:
-- Xnet driver is used in BIG-IP Virtual Edition (VE).
-- TMM tries to send oversize packets.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

911761-4 : iControl REST endpoint response includes the request content

Solution Article: K42696541

911629 : Manual upload of LiveUpdate image file results in NULL response

Component: Application Security Manager

Symptoms:
When uploading a LiveUpdate image file from the GUI, the upload fails.

In /var/log/restjavad.0.log you see the following error:

[SEVERE][768][25 May 2020 05:38:20 UTC][com.f5.rest.workers.liveupdate.LiveUpdateFileTransferWorker] null

Conditions:
LiveUpdate images are uploaded manually.

Impact:
LiveUpdate images fail to upload.

Workaround:
1. Upload the file to LiveUpdate files directory '/var/lib/hsqldb/live-update/update-files' on the host.

2. Send a POST request with the filename for inserting the file to the LiveUpdate
database:
* url : https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/update-files
* payload - json:
{ "filename": "<FILE_NAME>",
 "fileLocationReference": {"link": "<FILE_NAME>"}}

3. Get the file link reference:
 https://{{big_ip1}}/mgmt/tm/live-update/asm-attack-signatures/update-files?$filter=filename eq '<FILE_NAME>'

4. From the response copy the "selfLink" part :
 "selfLink": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"

5. Create a POST request with the value above for creating a new installation record:
* url : https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations
* payload - json:
{ "updateFileReference": {
 "link": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"}
}

6. Now the file is available to install it from the GUI.

7. Another option is to install it via the PATCH request and the installation_id from the response received at step 5:
* url: https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations/<INSTALLATION_ID>
* payload: { "status" : "install" }

911041-2 : Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash

Component: Local Traffic Manager

Symptoms:
An iRule executing on the FLOW_INIT event can suspend. If it does so while connecting to a virtual-to-virtual flow, it can cause a TCP crash, which results in a tmm restart.

Conditions:
An iRule executing on the FLOW_INIT event suspends while connecting to a virtual-to-virtual flow.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Do not include any iRules that suspend processing in FLOW_INIT.

Fix:
Suspending the iRule FLOW_INIT on a virtual-to-virtual flow no longer leads to a crash.

910201-1 : OSPF - SPF/IA calculation scheduling might get stuck infinitely

Component: TMOS

Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.

Conditions:
SPF/IA calculation gets suspended;

This occurs for various reasons; BIG-IP end users have no influence on it occurring.

Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.

Workaround:
Restart the routing daemons:
# bigstart restart tmrouted

Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.

If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.

910097-3 : Changing per-request policy while tmm is under traffic load may drop heartbeats

Component: Access Policy Manager

Symptoms:
Cluster failover, tmm restart, and tmm killed due to missed heartbeats. tmm crash

Conditions:
TMM is under load due to heavy traffic while MCP attempts to configure per-request policy. This can be caused by a modification to the policy or one of its agents, or by a restart of the TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When making changes to per-request policies, use a scheduled maintenance window so that impact to traffic is minimized.

910017-4 : Security hardening for the TMUI Interface page

Solution Article: K21540525

909837-2 : TMM may consume excessive resources when AFM is provisioned

Solution Article: K05204103

909237-4 : CVE-2020-8617: BIND Vulnerability

Solution Article: K05544642

909233-4 : DNS Hardening

Solution Article: K97810133

908673-3 : TMM may crash while processing DNS traffic

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, TMM may crash with a SIGABRT while processing DNS traffic.

Conditions:
Undisclosed series of DNS requests.

Impact:
TMM crash leading to a failover event.

Workaround:
None.

Fix:
TMM now processes DNS traffic as expected.

908065-4 : Logrotation for /var/log/avr blocked by files with .1 suffix

Component: Application Visibility and Reporting

Symptoms:
AVR logrotate reports errors in /var/log/avr:

error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged

Conditions:
Files ending with .1 exist in the log directory.

Impact:
Logrotate does not work. This might fill the disk with logs over time.

Workaround:
Remove or rename all of the .1 log files.

Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.

908021-2 : Management and VLAN MAC addresses are identical

Component: TMOS

Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.

Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.

Impact:
The management MAC address is the same as the VLAN MAC address, resulting in issues relating to the inability to differentiate traffic to the management port or to traffic ports.

Workaround:
None.

Fix:
The issue has been fixed for hardware platforms. That is, MAC addresses in the MAC address pool have been reserved for the management port. Due to the small MAC pool size for a few platforms (see K14513: MAC address assignment for interfaces, trunks, and VLANs :: https://support.f5.com/csp/article/K14513#vlans), entries cannot be reserved for VCMP guest management interfaces.

907201-1 : TMM may crash when processing IPSec traffic

Component: TMOS

Symptoms:
Under certain conditions, TMM may crash while negotiation IPSec traffic with a remote peer.

Conditions:
-IPSec peers configured and active

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes IPSec traffic as expected.

906889-1 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Component: TMOS

Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:

Packets In 2 shows as 016 in the GUI
Packets Out 0 shows as 8 in the GUI

Workaround:
View statistics in tmsh.

906885 : Spelling mistake on AFM GUI Flow Inspector screen

Component: Advanced Firewall Manager

Symptoms:
On the AFM GUI Flow Inspector screen, there is a spelling mistake 'Additinal Info'. It should read 'Additional Info'.

Conditions:
You can locate the spelling error by following these steps:
1. Navigate to Security :: Debug :: Flow Inspector :: Get Flows (should be blank).
2. Select New Flows and then Get Flows.
3. Select the flow (i.e., click anywhere on the result except the hyperlink).

Impact:
There is a spelling mistake on the word 'Additional'. There is no functional impact to the system; this is a cosmetic issue only.

Workaround:
None.

905905-3 : TMUI CSRF vulnerability CVE-2020-5904

Solution Article: K31301245

905849 : FastL4 UDP flows might not get offloaded to hardware

Component: TMOS

Symptoms:
In some cases one side - client or server - of a fastL4 UDP flow might not get offloaded to hardware.

Conditions:
FastL4 UDP virtual server

Impact:
One side of the UDP flow is not accelerated by hardware.

Workaround:
None

Fix:
Both sides of the fastL4 UDP flow are now offloaded correctly.

905125-3 : Security hardening for APM Webtop

Component: Access Policy Manager

Symptoms:
Under certain conditions, the APM Webtop does not follow current best practices.

Conditions:
-APM access policy is configured with webtop enabled.

Impact:
APM Webtop does not follow current best practices.

Workaround:
None.

Fix:
The APM Webtop now follows current best practices.

904937-4 : Excessive resource consumption in zxfrd

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, zxfrd may consume excessive resources.

Conditions:
-- Provision GTM (Global Traffic DNS).
-- Create one or more zones in the GUI via DNS::Zones::Zones::Zone List.

Impact:
Excessive resources consumption, potentially leading to failover event.

Workaround:
None.

Fix:
zxfrd no longer consumes excessive resources.

904845-3 : VMware guest OS customization works only partially in a dual stack environment.

Component: TMOS

Symptoms:
The result of guest OS customization depends on the DHCP state on the management (mgmt) interface and the applied customization profile (i.e., IPv4 only, IPv4 and IPv6, or IPv6 with IPv4 prompt).

By default, DHCP is enabled on the management interface.

During configuration, you can customize only one IPv4 or one IPv6 address in a dual stack environment.

Conditions:
Applying a customization profile to VMware VM in a dual stack environment.

Impact:
You can only partially customize the mgmt interface IP profiles for VMware VMs in a dual stack environment.

Workaround:
Configure the mgmt interface addresses using the config script.

Fix:
VMware customization works only partially in a dual stack environment. To avoid misconfiguration, set the desired mgmt interface addresses using the config script.

904705-3 : Cannot clone Azure marketplace instances.

Component: TMOS

Symptoms:
Cannot clone Azure marketplace instances because cloned instances do not properly retrieve publisher and product code from the metadata service.

Conditions:
Applies to any Azure marketplace instance.

Impact:
Cannot clone Azure marketplace instances.

Workaround:
None.

Fix:
Updated the version of the API used to get data from the metadata service. Cloned instances now properly retrieve the publisher and product code from the metadata service.

904593-2 : Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled

Component: Application Security Manager

Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, the configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.

Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.

Impact:
Configuration of all devices in the Auto Scale group is overwritten.

Workaround:
Disable ASM Live Update Automatic Download.

This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.

For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping

-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable

904373-1 : MRF GenericMessage: Implement limit to message queues size

Component: Service Provider

Symptoms:
The GenericMessage filter does not have a configurable limit to the number of messages that can be received.

Conditions:
If a message is waiting for an asynchronous iRule operation during a GENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages are placed in either the ingress or egress queue. As the number of messages increase, more memory is required.

Impact:
If too many messages are queued, the system may exceed an internal count which could lead to a core.

Workaround:
None.

Fix:
The existing max_pending_messages attribute of the message router profile is used to limit the size of the queues.

904165-3 : APMD may crash while processing certain parameters

Component: Access Policy Manager

Symptoms:
Under certain conditions APMD may crash while processing certain parameters.

Conditions:
-APM active.
-Pre-inspection checks active.

Impact:
APMD crash, leading to a failover event

Workaround:
None.

Fix:
APMD now processes parameters as expected.

903357-3 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers

Component: Application Security Manager

Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.

Conditions:
At least one Bot profile attached to hundreds of virtual servers. For 750 and more virtual servers attached the slow loading is significant.

Impact:
Bot Defense list page loading time can take more than 30 seconds.

Workaround:
None.

902485-2 : Incorrect pool member concurrent connection value

Component: Application Visibility and Reporting

Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.

Conditions:
This is encountered when viewing the pool-traffic report.

Impact:
Incorrect stats reported in the pool-traffic report table

Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:

From this:
formula=round(sum(server_concurrent_conns),2)

Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)

Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.

902417-4 : Configuration error caused by Drafts folder in a deleted custom partition★

Component: TMOS

Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.

902401-3 : OSPFd SIGSEGV core when 'ospf clear' is done on remote device

Component: TMOS

Symptoms:
The ospfd process generates a core.

Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.

Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.

Workaround:
None.

Fix:
OSPF no longer cores when running 'clear ip ospf' on remote.

901929-4 : GARPs not sent on virtual server creation

Component: Local Traffic Manager

Symptoms:
When a virtual server is created, GARPs are not sent out.

Conditions:
-- Creating a new virtual server.

Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.

Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.

Fix:
GARPs are now sent when a virtual server is created.

901061-4 : Safari browser might be blocked when using Bot Defense profile and related domains.

Component: Application Security Manager

Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.

Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.

Impact:
Some requests might be blocked.

Workaround:
None.

Fix:
Set the cookie so all requests in the target domain will contain it.

900905-1 : TMM may crash while processing SIP data

Solution Article: K42830212

900797-4 : Brute Force Protection (BFP) hash table entry cleanup

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.

Workaround:
N/A

Fix:
Mitigated entries are kept in the hash table.

900793-2 : APM Brute Force Protection resources do not scale automatically

Solution Article: K32055534

Component: Application Security Manager

Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.

Conditions:
-- Many virtual server (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.

Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.

Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.

Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.

900789-4 : Alert before Brute Force Protection (BFP) hash are fully utilized

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.

Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.

Impact:
No alert is sent when entries are evicted.

Workaround:
None.

Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.

900757-4 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

898997-4 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes

Component: Service Provider

Symptoms:
GTP message parsing fails and log maybe observed as below:

GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).

Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes

Impact:
- message parsing fails, traffic maybe interupted

Fix:
GTP profile and GTP::parse iRules now support IE larger than 2048 bytes

898949-3 : APM may consume excessive resources while processing VPN traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, APM may consume excessive resources while processing VPN traffic

Conditions:
-APM provisioned
-VPN clients connected

Impact:
Excessive resources consumption, potentially leading to a TMM crash and failover event.

Workaround:
None.

Fix:
APM now processes VPN traffic as expected.

898825-4 : Attack signatures are enforced on excluded headers under some conditions

Component: Application Security Manager

Symptoms:
Attack signatures are marked as detected when they should be marked as excluded (i.e., a false positive).

Conditions:
-- A 100-continue transaction occurs in HTTP.
-- The internal parameter answer_100_continue is set to a non-default value of 0.

Impact:
False positive enforcement for header signature.

Workaround:
Set the answer_100_continue to 1 (default) on versions later than 15.0.0.

898741-4 : Missing critical files causes FIPS-140 system to halt upon boot

Component: Application Security Manager

Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.

Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing

Impact:
System halts during boot because of sys-eicheck.py failure.

Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.

If the missing files are due to missing signature update files:

- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.

898705-3 : IPv6 static BFD configuration is truncated or missing

Component: TMOS

Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.

-- IPv6 static BFD configuration entries go missing during a daemon restart.

Conditions:
IPv6 static BFD configuration.

Impact:
The IPv6 static BFD configuration does not persist during reloads.

-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.

Workaround:
None.

898461-4 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'

Component: TMOS

Symptoms:
The following SCTP iRule commands:

-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port

Are unavailable in the following MRF iRule events:

-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS

Attempts to use these commands in these events result in errors similar to:

01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].

Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.

Impact:
Unable to use these iRule commands within these iRule events.

Workaround:
None.

Fix:
These iRule commands are now available within these iRule events.

897229 : TLS session ticket resumption SNI check

Component: Local Traffic Manager

Symptoms:
A TLS session ticket might be used for session resumption if the SNI does not match the original session ticket.

Conditions:
-- TLS 1.2 or 1.3.
-- Session ticket resumption.
-- SNI does not match the original session ticket.

Impact:
Session resumption might occur when the current session ticket extension SNI does not match session ticket SNI.

Workaround:
None.

Fix:
Session resumption with session ticket is now resumed only when the SNI matches the original session ticket.

896709-2 : Add support for Restart Desktop for webtop in VMware VDI

Component: Access Policy Manager

Symptoms:
VMware has a restart desktop option to reboot the Horizon Agents, but APM does not support this feature on the webtop.

Conditions:
You wish to use the VMware Restart desktop feature for the Horizon Agents that are managed by the vCenter Server.

Impact:
Cannot restart the desktop (Horizon Agent) from the webtop by clicking the restart icon.

Workaround:
None.

Fix:
APM now supports restart desktop option on webtop for VMware VDI.

896285-4 : No parent entity in suggestion to add predefined-filetype as allowed filetype

Component: Application Security Manager

Symptoms:
No parent entity appears in an ASM Policy Builder suggestion to add to the policy a predefined-filetype to the allowed filetypes list.

Conditions:
The issue is encountered when filetypes are configured with learning mode which allows new filetypes to be added to the policy. Relevant learning modes to this issue are: Always, Selective and Compact.

Impact:
No parent entity appears in the sugestion.

Workaround:
None.

Fix:
Suggestions to add filetypes to the allowed-filetypes list in the policy now contain parent entity.

896217-4 : BIG-IP GUI unresponsive

Component: TMOS

Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.

Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.

Impact:
GUI becomes unresponsive.

Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat

895993-4 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

895981-4 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

895881-3 : BIG-IP TMUI XSS vulnerability CVE-2020-5903

Solution Article: K43638305

895525-4 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

895313 : Enable manage config setting may fail after upgrade of AGC to version 7.0 on BIG-IP 14.1.0 or 14.1.2

Component: Access Policy Manager

Symptoms:
Clicking to change the Enable Manage Config setting may fail after upgrade, and reports an error message:
transaction failed:01020036:3: The requested AAA OAuth Provider (/Common/test.app/test_oauthProvider_test) was not found.

Conditions:
This issue occurs in the following scenario:
-- Run BIG-IP software 14.1.0 or 14.1.2.
-- Upgrade AGC to version 7.0.
-- A use case instance, for example SAML SP , is created and deployed.
-- Click the Disable Manage Config lock icon to set it to Enable Manage Config; This enables editing the configuration using the GUI or tmsh.
-- Use the GUI or tmsh to edit a configuration option related to that SAML SP use case instance.
-- Navigate to the AGC-created instance of the configuration, and click the Enable Manage Config lock icon.

Impact:
Attempting to Enable Manage Config fails. The changes you made using the GUI or tmsh are lost. The associated use case instance becomes unusable from AGC.

Note: You can still use the use case outside of AGC.

Workaround:
To prevent the issue from happening, do not edit AGC-created configurations using the GUI or tmsh; only modify the configuration using AGC.

Fix:
Clicking Enable Manage Config in AGC now retains changes made outside the AGC use case.

895153-2 : HTTP::has_responded returns incorrect values when using HTTP/2

Component: Local Traffic Manager

Symptoms:
HTTP::has_responded is not detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded always return the value 'false'.

Conditions:
-- HTTP/2 profile.
-- iRule containing the command HTTP::has_responded.

Impact:
Calls to HTTP::respond or HTTP::redirect are not correctly identified by HTTP::has_responded when using HTTP/2.

Workaround:
None.

Fix:
HTTP::has_responded is now properly detected in iRules where HTTP/2 is used.

895141 : HTTP::has_responded returns incorrect values when using HTTP/2

Component: Local Traffic Manager

Symptoms:
HTTP::has_responded is not detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded always returns the value 'false'.

Conditions:
-- HTTP/2 profile.
-- iRule containing the command HTTP::has_responded.

Impact:
Calls to HTTP::respond or HTTP::redirect are not correctly identified by HTTP::has_responded when using HTTP/2.

Workaround:
None.

Fix:
HTTP::has_responded is properly detected in iRules where HTTP/2 is used.

893281-1 : Possible ssl stall on closed client handshake

Component: Local Traffic Manager

Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.

Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.

Impact:
Some ssl client connection remain until idle timeout.

Fix:
Allow transmit of any pending crypto during ssl shutdown.

893061-1 : Out of memory for restjavad

Component: Application Security Manager

Symptoms:
REST framework not available due to Out of memory error

Conditions:
Long list of Live Update installations

Impact:
Live Update GUI is not responding.

Workaround:
1) Increase memory assigned to the Linux host: (value dependant on platform)

# tmsh modify sys db provision.extramb value 1000

2) Allow restjavad to access the extra memory:

# tmsh modify sys db restjavad.useextramb value true

3) Save the config:

# tmsh save sys config

4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.

5) Increase the restjavad maxMessageBodySize property:

# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
  "maxMessageBodySize": 134217728,
  "localhostRestnodedConnectionLimit": 8,
  "defaultEventHandlerTimeoutInSeconds": 60,
  "minEventHandlerTimeoutInSeconds": 15,
  "maxEventHandlerTimeoutInSeconds": 60,
  "maxActiveLoginTokensPerUser": 100,
  "generation": 6,
  "lastUpdateMicros": 1558012004824502,
  "kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
  "selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}

Ensure the command returns output showing the limit has been increased (as shown above).

6) Reboot the unit.

892677-4 : Loading config file with imish adds the newline character

Component: TMOS

Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.

In particular, this affects the bigip_imish_config Ansible module.

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Regex expressions are not created properly.

Workaround:
You can use either of the following workarounds:

-- Delete and re-add the offending commands using the imish interactive shell.

-- Restart tmrouted:
bigstart restart tmrouted

892653-2 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI

Component: Application Security Manager

Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI

Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html

Fix:
Maximum Query String Size and Maximum Request Size fields will be shown in the GUI in case the Splunk Logging Format is selected.

892621-2 : Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software

Component: Advanced Firewall Manager

Symptoms:
BDoS Signature mitigated in software.

Conditions:
IP packets size metric in BDoS signature.

Impact:
BDoS Signature with IP packet size metric mitigated only in software for IPv6 packets.

Workaround:
None.

Fix:
IP packets size metric bin calculation algorithm for IPv6 packets in software now matches hardware version.

892385-2 : HTTP does not process WebSocket payload when received with server HTTP response

Component: Local Traffic Manager

Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.

Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.

Impact:
-- WebSocket connection hangs.

Workaround:
None.

Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.

891849-2 : Running iRule commands while suspending iRule commands that are running can lead to a crash

Component: Local Traffic Manager

Symptoms:
Running iRule commands while suspending iRule commands that are running can lead to a crash.

Conditions:
-- Running iRule commands.
-- iRule commands that suspend iRules are running.

For more information on the conditions that trigger iRule suspend, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Running iRule commands while suspending iRule commands are running no longer results in a tmm crash.

891729-4 : Errors in datasyncd.log★

Component: Fraud Protection Services

Symptoms:
An error exists in datasyncd.log:
DATASYNCD|ERR |Mar 13 12:47:54.079|16301| datasyncd_main.c:1955|tbl_gen_state_machine: cannot start the generator for table CS_FPM

Conditions:
Upgrades from version 13.x to 14.0.0 or higher.

Impact:
FPS has a maximum of ~990 rows instead of 1001, and there are errors in datasyncd.log. However, the upgrade completes normally, and the system operates as expected.

Workaround:
These are benign error messages that you can safely ignore. Upgrade completes successfully, and the system operates as expected.

If you prefer, however, you can perform a clean install instead instead of upgrading. This has an impact on your configuration, as that information will be lost when you do a clean install.

Fix:
Now the max rows number is 1001 when upgrading from any version prior to 14.0.0.

891721-1 : Anti-Fraud Profile URLs with query strings do not load successfully

Component: TMOS

Symptoms:
When a URL containing a query string is added to an anti-fraud profile, the BIG-IP config load fails:

010719d8:3: Anti-Fraud URL '/url\?query=string' is invalid. Every protected URL should be a valid non-empty relative path specified in lower case in the case insensitive Anti-Fraud profile '/Common/antifraud'.
Unexpected Error: Loading configuration process failed.

Conditions:
Adding a query string to a URL for an anti-fraud profile.

Impact:
After a BIG-IP config save, loading of new bigip.conf fails.

Workaround:
Follow this procedure:

1. Remove the escaping characters \ (backslash) for ? (question mark) in the bigip.conf file.
2. Load the configuration.

Fix:
The issue has been fixed: Now Anti-fraud profile URLs support query strings such as /uri?query=data, and they can be successfully loaded.

891505-1 : TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.

Component: Access Policy Manager

Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.

Conditions:
OAuth agent is used in APM per-request policy subroutine and authentication fails.

Impact:
Over a period of time, TMM crashes, as it is unable to allocate any more memory. Traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
When fixed, TMM works as expected and no longer leaks memory.

891477 : No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server

Component: TMOS

Symptoms:
When a bandwidth control policy is applied on a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Both static bandwidth control policies and dynamic bandwidth control policies can cause the problem.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a bandwidth control policy.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None.

891457-4 : NIC driver may fail while transmitting data

Solution Article: K75111593

891385-4 : Add support for URI protocol type "urn" in MRF SIP load balancing

Component: Service Provider

Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.

Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.

Impact:
SIP messages with urn URIs are rejected.

Fix:
Added support for the urn URI protocol type.

890277-2 : Full config sync to a device group operation takes a long time when there are a large number of partitions.

Component: TMOS

Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such tmsh, GUI etc., as it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.

Conditions:
Full config sync on device with large number of partitions.

Impact:
The operation takes a long time to complete, minutes on a BIG-IP Virtual Edition (VE) configurations, and varies by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.

Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.

Workaround:
Enable Manual Incremental Sync.

890229-3 : Source port preserve setting is not honored

Component: Local Traffic Manager

Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.

Conditions:
This issue occurs when both of the following conditions are met:

-- The virtual server is configured with source-port preserve (the default).
-- The system uses one of the following hash configurations including IP addresses.
    - Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
    - Configuring a VLAN's 'CMP Hash' setting to a non-default value.
    - Using a special variable such as non-default udp.hash or tcp.hash.

Impact:
Applications relying on a specific, fixed source port might not work as expected.

Workaround:
Set source-port to preserve-strict.

Fix:
Now source-port preserve setting does best effort to preserve the source port.

Behavior Change:
Beginning with v16.0.0, the TM.PortFind.Src_Preserve BigDB variable introduced in v15.1.0 is no longer supported.

The source-port preserve setting now does best effort to preserve the source port.

889557-2 : jQuery Vulnerability CVE-2019-11358

Solution Article: K20455158

889041-1 : Failover scripts fail to access resolv.conf due to permission issues

Component: TMOS

Symptoms:
When a failover is triggered, the floating IP addresses do not migrate to the newly active device. In /var/log/auditd/audit.log, you see the following errors:

/var/log/auditd/audit.log:type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file

Conditions:
-- A failover event occurs.
-- oci-curl will be called when failover happens, which may be unable to read /etc/resolv.conf.

Impact:
Failover does not complete. Floating IP addresses do not move to the active device.

Workaround:
Run two commands:
tmsh modify sys db failover.selinuxallowscripts enable
setenforce 0

Impact of workaround: these commands disable SELinux policy enforcement.

888625-2 : CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks

Component: Carrier-Grade NAT

Symptoms:
There is a difference in active port block counter between statistics collected in TMM and actual allocations in 'lsndb list pba'.

Conditions:
The issue happens when the port block allocation process fails after incrementing the active port blocks counter.

Impact:
No functional impact. But the stats counters will be incorrect.

Fix:
Update the active port block counter correctly when port block allocation fails.

888497-4 : Cacheable HTTP Response

Component: TMOS

Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.

Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.

Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.

Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.

Workaround:
Disable caching in browsers.

888493-4 : ASM GUI Hardening

Solution Article: K40843345

888489-4 : ASM UI hardening

Solution Article: K55873574

888417-4 : Apache Vulnerability: CVE-2020-8840

Solution Article: K15320518

888285-3 : Sensitive positional parameter not masked in 'Referer' header value

Solution Article: K18304067

Component: Application Security Manager

Symptoms:
When the URI and 'Referer' header share the same positional parameter, the 'Referer' positional parameter is not masked in logs.

Conditions:
Sending a request with positional parameter in URI and 'Referer' header.

Impact:
'Referer' header positional parameter value is not masked in logs.

Workaround:
None.

Fix:
'Referer' positional parameter value is masked as expected.

887637-1 : Systemd-journald Vulnerability: CVE-2019-3815

Solution Article: K22040951

887089-3 : Upgrade can fail when filenames contain spaces

Component: TMOS

Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.

The file's content is also significant because that determines the md5sum value.

Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:

Not enough free disk space to install!

Conditions:
Filenames with spaces in /config directory.

Impact:
Upgrade or loading of UCS fails.

Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.

886689-4 : Generic Message profile cannot be used in SCTP virtual

Component: TMOS

Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:

01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)

Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.

Impact:
You are unable to combine the Generic Message profile with the SCTP profile.

Fix:
Generic Message profile can be used in SCTP virtual

886085-3 : BIG-IP TMM vulnerability CVE-2020-5925

Solution Article: K45421311

884797-2 : Portal Access: in some cases data is not delivered via WebSocket connection

Component: Access Policy Manager

Symptoms:
If a client browser opens a WebSocket connection, Portal Access may not send data to the client if the first message in the new connection comes from the server.

Conditions:
- Web application with WebSocket connection
- First data in WebSocket connection is sent from server to client

Impact:
Data is not delivered to the client browser via the WebSocket connection.

Fix:
Now Portal Access can deliver data to the client browser via the WebSocket connection when the first data is sent from the server.

884425-1 : Creation of new allowed HTTP URL is not possible

Component: Application Security Manager

Symptoms:
When pressing 'Create' button in
Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs page, the requested page is not loaded.

Conditions:
Policy with about 5000 and more parameters causes long loading time, which results in loading failure.

Impact:
The requested page (New Allowed HTTP URL...) is not loaded.

Workaround:
Use fewer parameters (less than 5000) per policy.

883717-3 : BD crash on specific server cookie scenario

Solution Article: K37466356

882769-3 : Request Log: wrong filter applied when searching by Response contains or Response does not contain

Component: Application Security Manager

Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed

Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter

Impact:
You are unable to search by response in the GUI

Workaround:
There is no way to search in GUI, but you can search using REST API

Fix:
Correct filter applied and displayed for Response contains or Response does not contain filters

882713-1 : BGP SNMP trap has the wrong sysUpTime value

Component: TMOS

Symptoms:
The timestamp value of sysUpTime in SNMP traps reported by BGP is incorrect.

Conditions:
BGP connection with a peer flaps, and sends traps for the following:
bgpSnmpNotifyEstablished
bgpSnmpNotifyBackwardTransition

Impact:
The sysUpTime in the trap generated by BGP is incorrect.

Workaround:
None.

Fix:
Fixed an incorrect calculation of sysUpTime.

882557-4 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)

Component: TMOS

Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:

ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.

Impact:
TMM continually restarts.

Workaround:
Use the sock driver instead of virtio.

In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:

# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]

Configure a socket driver:

echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl

Reboot the instance

882377-1 : ASM Application Security Editor Role User can update/install ASU

Component: Application Security Manager

Symptoms:
Live Update modifications are allowed for Application Security Editor Role.

Conditions:
Login as Application Security Editor user and try to install ASU.

Impact:
Application Security Editor Role role is permitted to update Attack Signatures when it shouldn't be.

882273 : MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow

Component: Service Provider

Symptoms:
Memory leak can cause tmm to crash and memory usage to grow.

Conditions:
-- Diameter transmission setting is enabled and action should be retrans.
-- auto-init should be enabled.
-- And server is down.

Impact:
Memory corruption will lead to tmm crash in longer run and memory leak make memory usage to grow in linear order. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When server is down BIG-IP keeps creating new connection to it. there is memory leak need to be fixed.

881317-4 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Solution Article: K15478554

880789-1 : ASMConfig Handler undergoes frequent restarts

Component: Application Security Manager

Symptoms:
Under some settings and load, the RPC handler for the botd process restarts frequently, causing unnecessary churn and message-cluttered logs.

Conditions:
-- Bot protection is enabled.
-- A high volume of bot attacks are handled.

Impact:
The RPC handler for the botd process restarts frequently, causing unnecessary churn and noisy logs

Workaround:
None.

Fix:
The botd handler is now restored to a more robust process lifecycle.

880753-1 : Possible issues when using DoSL7 and Bot Defense profile on the same virtual server

Solution Article: K38157961

Component: Application Security Manager

Symptoms:
When DoSL7 and Bot Defense profiles are configured together on the same Virtual Server, some requests might not be handled by the Bot Defense profile.

Conditions:
-- DoSL7 profile is attached to the virtual server (with Application).
-- Bot Defense profile is attached to the virtual server.
-- Another security module is attached to the virtual server (WebSafe, MobileSafe, ASM).

Impact:
Some requests might not be processed by the Bot Defense profile.

Workaround:
Disable dosl7.idle_fast_path:
tmsh modify sys db dosl7.idle_fast_path value disable

Fix:
The mechanism which caused this issue is now correctly enabled.

880625-2 : Check-host-attr enabled in LDAP system-auth creates unusable config

Component: TMOS

Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.

Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.

Impact:
LDAP-based auth does not function.

Workaround:
None.

880361-3 : TMM may crash while processing iRules LX commands

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing iRules LX commands

Conditions:
-iRules LX in use

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes iRules LX commands as expected.

880165-1 : Auto classification signature update fails

Component: TMOS

Symptoms:
During classification update, you get an error:

"Error: Exception caught in script. Check logs (/var/log/hitless_upgrade.log) for details"

An additional diagnostic is that running the command "/usr/bin/crt_cache_path" reports "none".

Conditions:
This is encountered while updating the classification signatures or the protocol inspection updates.

It can occur when something goes wrong during license activation, but license activation ultimately succeeds.

Impact:
When this issue occurs, auto classification signature update will fail.

Workaround:
You may be able to recover by re-activating the BIG-IP license via tmsh.

879777 : Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge

Component: Application Security Manager

Symptoms:
After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.

Conditions:
-- Bot Defense profile is enabled
-- "Cross Domain Request":"validate upon request" option is enabled
-- A browser navigates to a qualified (HTML) page from a related domain.

Impact:
Browser receives another JS challenge, instead of retrieving the cookie from the related domain. This causes extra latency for the client.

Workaround:
Use "validate in a bulk" option.

Fix:
Retrieving the cookie from the related domain even if the page is qualified.

879745-1 : TMM may crash while processing Diameter traffic

Solution Article: K82530456

879413-3 : Statsd fails to start if one or more of its *.info files becomes corrupted

Component: Local Traffic Manager

Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:

-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.

Conditions:
Corrupted *.info file in /var/rrd.

Impact:
Stats are no longer accurate.

Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'):

found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done

Fix:
The system now detects corrupt *.info files and deletes and recreates them.

879409-2 : TMM core with mirroring traffic due to unexpected interface name length

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- Platform: B4400 Blade (BIG-IP VPR-B4450N).
-- High availability (HA) mirroring is set up.
-- Provisioned modules: LTM, AFM.
-- HA mirroring messages are received with unexpected interface name length.

Impact:
Processing of invalid length can cause memory corruption. The tmm process generates a core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now validates the length of the interface name before processing the HA message at the receiver side and ignores the HA message if the interface name length is wrong.

879401-3 : Memory corruption during APM SAML SSO

Component: Access Policy Manager

Symptoms:
During processing of SAML SSO single logout (SLO) requests, a block of tmm memory may become corrupted.

Conditions:
- BIG-IP system is configured as SAML SP.
- External SAML IdP sends SLO request.

Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
BIG-IP system configured as SAML SP no longer causes memory corruption when handling certain traffic.

879025-4 : When processing TLS traffic, LTM may not enforce certificate chain restrictions

Solution Article: K72752002

876581-4 : JavaScript engine file is empty if the original HTML page cached for too long

Component: Fraud Protection Services

Symptoms:
JavaScript engine file is empty.

Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.

Impact:
No FPS protection for that HTML page.

Workaround:
You can use either workaround:

-- Use an iRule to disable caching for protected HTML pages.

-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is two 2 days).

Fix:
FPS now also removes ETag headers from protected HTML pages.

876077-3 : MRF DIAMETER: stale pending retransmission entries may not be cleaned up

Component: Service Provider

Symptoms:
DIAMETER router messages queued for retransmission may not be deleted until the connection closes.

Conditions:
-- Diameter transmission setting is enabled and a DIAMETER message is queued for retransmission.
-- The retransmission for the message is not triggered

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.

Fix:
Stale pending retransmission entries are cleaned up properly.

874753-1 : Filtering by Bot Categories on Bot Requests Log shows 0 events

Component: Application Security Manager

Symptoms:
A log that has 'Browser Automation’ as the ‘Bot Category’ exists.

When filtering for only Bot Category: Browser Automation, nothing Shows up.

Conditions:
-- ASM provisioned.
-- Filtering by Bot Categories on Bot Requests Log

Impact:
Legitimate requests being blocked but cannot filter on the category to narrow down their focus.

Workaround:
None.

Fix:
Filtering by Bot Categories on Bot Requests Log is now fixed on the GUI page.

873877 : Kernel page allocation failure seen on VIPRION blades★

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file:

warning kernel: : [7673174.106142] swapper/6: page allocation failure: order:2, mode:0x104020

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades).
-- 48 MB (49152 KB for B4300 blades).
-- 128 MB (131072 KB for 4450 blades).

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

873469-1 : APM Portal Access: Base URL may be set to incorrectly

Solution Article: K24415506

872673-3 : TMM can crash when processing SCTP traffic

Solution Article: K26464312

872645 : Protected Object Aggregate stats are causing elevated CPU usage

Component: Advanced Firewall Manager

Symptoms:
Due to a large number of tables containing 'Protected Object Aggregate stats', the merged daemon might cause elevated CPU usage on odd-numbered CPU cores.

Conditions:
AFM, ASM, or DoS features are provisioned.

Impact:
Elevated CPU usage on odd-numbered cores caused by merged daemon.

Workaround:
None.

Fix:
Protected Object Aggregate stats no longer cause elevated CPU usage.

871905-1 : Incorrect masking of parameters in event log

Solution Article: K02705117

Component: Application Security Manager

Symptoms:
When using CSRF protection, sensitive parameters values can be masked incorrectly in the event log.

Conditions:
The request contains a CSRF token and sensitive parameters.

Impact:
Sensitive parameters values can be masked incorrectly in the event log.

Workaround:
None.

Fix:
Sensitive parameters values are now correctly masked in the event log when request contains CSRF token.

871761-4 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS

Component: Access Policy Manager

Symptoms:
APM virtual server user's GUI (e.g., 'Logon page') cannot be rendered by browsers.

Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.

Impact:
APM end users are unable to get a logon page.

Workaround:
Disable the XML profile for the APM virtual server.

Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.

871657-2 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S

Component: TMOS

Symptoms:
Mcpd restarts and produces a core file.

Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.

Impact:
Mcpd crash and restart results in high availability (HA) failover.

Workaround:
Use a lowercase 'a' or 's' as the flag value.

Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.

871561-3 : Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'

Component: TMOS

Symptoms:
Software upgrades on a vCMP guest might fail with log messages in /var/log/ltm similar to:

info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)

info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (The requested product/version/build is not in the media.)

Conditions:
Performing a software upgrade on a vCMP guest, when the software images are present on the vCMP hypervisor.

Impact:
Unable to perform software installations.

Workaround:
Option 1:
Make sure that the .iso files for both base image and engineering hotfix reside only on a vCMP guest before starting the installation.

Option 2:
Even if the engineering hotfix installation has failed, the base image should still have been installed properly, so you can restart the vCMP guest and perform a hotfix installation on top of already installed base image.

Option 3:
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the hotfix locally within the vcmp Guest. Then restart the lind service

 tmsh restart sys service lind

The hotfix installation should begin again this time using the hotfix from within the guest /shared/images/ location.

Option 4:
Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind:

1. Confirm the wrong ISO image is still locked (inserted in the CD drive):

 isoinfo -d -i /dev/cdrom

Note: Pay attention to the volume id in the output
From within the vCMP guest

2. Unlock (eject) the image:

 eject -r -F /dev/cdrom && vcmphc_tool -e

3. Verify the CD drive is now empty:

 isoinfo -d -i /dev/cdrom

The output should report an error that includes:

<…> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…>

4. Restart lind:

 tmsh restart sys service lind

870957-1 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage

Component: Application Visibility and Reporting

Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.

Conditions:
No special conditions. Only viewing at the stats of TMM CPU in 'Security ›› Reporting : ASM Resources : CPU Utilization'. They will always be in wrong scale, but when the TMM has ~1% CPU usage, it will be presented as 100% CPU usage.

Impact:
Wrong scale is presented and might cause machine's state to be interpreted wrongly.

Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
    $ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
    Make sure that there are two lines modified, and that the modification is multiplying with 100 the denominator (i.e., actually dividing the TMM value with 100).
4. To make those changes take affect, run the following command:
    $ bigstart restart monpd

Fix:
Dividing the TMM value with 100 to fit correct scale.

870389-1 : Increase size of /var logical volume to 1.5 GiB for LTM-only VE images

Component: TMOS

Symptoms:
The /var logical volume size of 950 MiB for LTM-only BIG-IP Virtual Edition (VE) images may be too small for some deployments. This can result in result in loss of SSH access.

Conditions:
This applies to deployments that use declarative onboarding for configuration.

Impact:
Complex declarative onboarding configurations may fill the /var logical volume. You are locked out because of the too-small volume.

Workaround:
The workaround is to manually extend the /var logical volume.

For more information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952.

Fix:
The size of the /var logical volume was increased from 950 MiB to 1.5 GiB for LTM-only VE images.

Behavior Change:
The size of the /var logical volume was increased from 950MiB to 1.5GiB for LTM-only Virtual Edition images.

870385-3 : TMM may restart under very heavy traffic load

Component: Advanced Firewall Manager

Symptoms:
TMM occasionally restarts when running heavy workloads. The crash is a timing-related issue between different tmm threads, and thus happens only occasionally.

Conditions:
-- AFM is provisioned with DoS functionality.
-- The BIG-IP system is under heavy workload.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer restarts under these conditions.

870273-3 : TMM may consume excessive resources when processing SSL traffic

Solution Article: K44020030

868889 : BIG-IP may reset a stream with an empty DATA frame as END_STREAM

Component: Local Traffic Manager

Symptoms:
HTTP/2 defines END_STREAM flag in a frame as an end of a stream. A peer can send an empty (with no payload) DATA frame to designate a last one in a stream. When BIG-IP receives an empty DATA frame, it handles it incorrectly, sending RST_STREAM to a client.

Conditions:
-- The BIG-IP system has a virtual server configured with an HTTP/2 profile on the client side.
-- The client sends a request containing a payload over a stream, ending the stream with empty DATA frame.

Impact:
The BIG-IP system may reset the stream.

Workaround:
A client should resend the request handling more data.

Fix:
When empty DATA frame with END_STREAM flag is handled by the BIG-IP system, it terminates the stream accordingly.

868721-3 : Transactions are held for a long time on specific server related conditions

Component: Application Security Manager

Symptoms:
Long request buffers are kept around for a long time in bd.

Conditions:
-- The answer_100_continue internal parameter is turned off (non default) or the version is pre 15.1
-- The server closes the connection while request packets are accumulated.

Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.

Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.

Fix:
Add a check for this scenario so transactions will be released correctly.

868641-1 : Possible TMM crash when disabling bot profile for the entire connection

Component: Application Security Manager

Symptoms:
When using an iRule to disable bot profile, and causing it to be disabled (for the entire connection) during a CAPTCHA challenge -- TMM will crash.

Conditions:
-- Bot Defense profile is attached to the Virtual Server, with a CAPTCHA mitigation.
-- An iRule is attached to the virtual server, which disables bot profile.
-- Sending a request that is responded with a CAPTCHA, then sending (in the same connection), a request that disable the bot profile, and then answering the CAPTCHA.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When using an iRule to disable bot defense profile on certain conditions, add an "else" clause for re-enabling the profile, taking note that all ::disable iRule commands are effective for the entire connection, and not just the transaction.

Fix:
TMM no longer crashes when disabling bot defense profile for the entire connection.

868381-3 : MRF DIAMETER: Retransmission queue unable to delete stale entries

Component: Service Provider

Symptoms:
DIAMETER messages queued for retransmission that do not receive answer responses may be missed by the sweeper logic and not be deleted until the connection closes.

Conditions:
-- A DIAMETER message is queued for retransmission without a timeout to tigger retransmission.
-- No answer response is received.

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.

Fix:
The retransmission queue has been fixes so all stale messages are deleted as expected.

868349-3 : TMM may crash while processing iRules with MQTT commands

Solution Article: K62830532

868097-1 : TMM may crash while processing HTTP/2 traffic

Solution Article: K58494243

868053-1 : Live Update service indicates update available when the latest update was already installed

Component: Application Security Manager

Symptoms:
When downloading and installing the latest ASU file manually the Live Update indicator located at the top left of the screen still indicates that there is a new update available.

Conditions:
-- The Live Update scheduler is not in auto mode (System :: Software Management :: Live Update :: Installation of Automatically Downloaded Updates = Disabled).
-- Upload and update the latest ASU file manually.

Impact:
The Live Update indicator continues to indicate on a new update though the latest file was installed.

Workaround:
None.

Fix:
The Live Update service no longer displays a false message regarding updates available.

867413-2 : The allow-only-in-enterprise LAN feature on Mac OS not working after reboot

Component: Access Policy Manager

Symptoms:
Firewall feature on Mac devices does not work after reboot, if the device connects to a hotspot network immediately after reboot

Conditions:
-- End user client is using a Mac device.
-- Edge Client is in 'Always Connected' mode.
-- allow-only-in-enterprise LAN is enabled.
-- The Mac device is rebooted.

Impact:
The device is able to connect to the Internet after reboot, but not to the internal network.

Workaround:
None.

Fix:
The allow-only-in-enterprise LAN feature now works correctly on a Mac device after a reboot.

867181-3 : ixlv: double tagging is not working

Component: TMOS

Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).

Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.

Impact:
The BIG-IP's VLAN tag is lost.

Fix:
Both VLAN tags are now present in packets.

867013-1 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout

Component: TMOS

Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.

Conditions:
This can be encountered when there are a large number of policies configured in ASM.

Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.

Workaround:
None.

Fix:
Modified REST query to get only fullPath to display the list of policies, so the timeout no longer occurs.

866925-3 : The TMM pages used and available can be viewed in the F5 system stats MIB

Component: TMOS

Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.

Conditions:
When system resource decisions are being made, the information about memory usage is important.

Impact:
It is not feasible to query each BIG-IP device separately.

Workaround:
None.

Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.

866685-3 : Empty HSTS headers when HSTS mode for HTTP profile is disabled

Component: Access Policy Manager

Symptoms:
HTTP Strict-Transport-Security (HSTS) headers have an empty value for some APM Access Policy-generated responses.

Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS mode=disabled (which it is by default).
-- HTTP requests for APM renderer content, including CSS, JS, and image files from the webtop.

Impact:
Some audit scanners can consider the empty value of Strict-Transport-Security headers as a vulnerability. For browsers, the empty HSTS value equals no HSTS in response.

Workaround:
1. Enable HSTS mode for the HTTP profile.
2. Use an iRule to remove the empty HSTS header from responses:

when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header value "Strict-Transport-Security"] eq "" } {
        HTTP::header remove "Strict-Transport-Security"
    }
}

Fix:
When the HTTP profile is configured with HSTS mode=disabled, responses from APM renderer content are now sent without an HSTS header.

866613-1 : Missing MaxMemory Attribute

Component: Application Visibility and Reporting

Symptoms:
The MaxMemory Attribute is not reported in the System Monitor statistics report.

Conditions:
This is encountered when viewing the System Monitor report.

Impact:
No 'MaxMemory' value label appears in System Monitor statistics. Instead, there are duplicate AvgMemory fields, for example:
...(AvgMemory='3818',AvgMemory='3818').

Workaround:
Use the AvgMemory value that is the higher of the two to represent MaxMemory.

Note: Sometimes, the AvgMemory and MaxMemory values are the same. In that case, use the second value.

Fix:
The MaxMemory attribute is now reported in System Monitor statistics.

866161-3 : Client port reuse causes RST when the security service attempts server connection reuse.

Component: Access Policy Manager

Symptoms:
If the security service attempts server connection reuse, client port reuse causes RST on new connections.

Conditions:
-- Service profile is attached to virtual server.
or
-- SSL Orchestrator (SSLO) is licensed and provisioned and Service chain is added in the security policy.
-- Security service reuses server-side connection.
-- Client reuses the source port.

Impact:
The BIG-IP system or SSLO rejects new connection from clients when a client reuses the port.

Workaround:
None.

Fix:
The BIG-IP system or SSLO no longer rejects the client connection when the service tries to the reuse server connection and the client reuses the port.

866021-3 : Diameter Mirror connection lost on the standby due to "process ingress error"

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.

Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.

Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.

Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.

866013 : Linux Kernel Vulnerabilities: CVE-2019-11477 CVE-2019-11478 CVE-2019-11479

Solution Article: K78234183

865461-3 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crash on specific scenario

Conditions:
A brute force attack mitigation using captcha or client side challenge.

Impact:
BD crash, failover.

Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.

865241-3 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"

Component: TMOS

Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching address for IPv4 or IPv6 so the system returns a NULL and attempting to print results in a crash.

Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.

The conditions that cause this to occur are unknown.

Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.

Workaround:
None.

865053-1 : AVRD core due to a try to load vip lookup when AVRD is down

Component: Application Visibility and Reporting

Symptoms:
AVRD cores during startup.

Conditions:
Avrd receives a SIGTERM while it is starting.

Impact:
This can lead to an AVRD core.

Fix:
Added some more checks while loading new configuration. Suppose to reduce the frequent of these occurrences. Still can happen in very rare occasions.

864757-2 : Traps that were disabled are enabled after configuration save

Component: TMOS

Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.

Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.

Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.

Workaround:
None.

864513-3 : ASM policies may not load after upgrading to 14.x or later from a previous major version★

Solution Article: K48234609

Component: TMOS

Symptoms:
ASM policies may not load immediately after upgrade due to SELinux policies issues relating to the upgrade process.

Conditions:
1. ASM is provisioned.
2. One or more ASM Security Policies is attached to one or more virtual servers.
3. Upgrade from v12.x or v13.x to v14.x or later.

Impact:
Traffic is not processed properly after upgrade due to failure to load ASM policies.

Workaround:
You can use either of the following workarounds.

-- Remove ASM Policies while upgrading:
  1. Prior to upgrade, remove all ASM Security Policies from all virtual servers.
  2. Upgrade.
  3. Reassociate each ASM Security Policy with its original virtual server.

-- Restore the UCS on a new boot location after upgrade:
  1. Prior to upgrade, create a UCS.
  2. Upgrade or create a new instance of the software version at the target location.
  3. Restore the UCS at the new location.

Fix:
ASM policies now load as expected after upgrading to 14.x or later from a previous major version.

864109-3 : APM Portal Access: Base URL may be set to incorrectly

Solution Article: K24415506

863609-2 : Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies

Component: Application Security Manager

Symptoms:
After changing a parent policy's learning mode or other learning attributes in policy-builder settings, deploying the policy will result in differences in the child policies.

Conditions:
On BIG-IP and BIG-IQ:
1. Parent policy has a policy-building section that is inherited.
2. Child policy has wildcard default (*) elements such as urls.
On BIG-IQ:
3. Change parent learning mode from manual to disabled or vice versa
4. Deploy changes

Impact:
There are differences after deploy.

Workaround:
Discover and deploy again from BIG-IQ

Fix:
Changes are deployed from BIG-IQ without causing unexpected changes.

863161-3 : Scheduled reports are sent via TLS even if configured as non encrypted

Component: Application Visibility and Reporting

Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.

Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.

Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.

Fix:
The automatic TLS connection was introduced via udate of the phpmailer module. The current fix disables automatic behaviour such that encryption will be used according to BIG-IP configuration.

863069-3 : Avrmail timeout is too small

Component: Application Visibility and Reporting

Symptoms:
AVR report mailer times out prematurely and reports errors:

AVRExpMail|ERROR|2019-11-26 21:01:08 ECT|avrmail.php:325| PHPMailer exception while trying to send the report: SMTP Error: data not accepted.

Conditions:
Configure reports, which will be sent to e-mail

Impact:
Error response from SMTP server, and the report is not sent

Workaround:
Increase timeout in avrmail.php via bash commands

Fix:
The timeout was increased in avrmail.php

862597-5 : Improve MPTCP's SYN/ACK retransmission handling

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.

Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.

Fix:
MPTCP's SYN/ACK retransmission handling is improved.

860881-1 : TMM can crash when handling a compressed response from HTTP server

Component: Local Traffic Manager

Symptoms:
TMM crashes while handling HTTP response

Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable compression on the server.

860517-3 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.

Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.

860349-1 : Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication

Component: TMOS

Symptoms:
After upgrading BIG-IP to 14.1 the LDAP/AD remote authentication will fail .

The /var/log/secure will show :

/secure:
Dec 6 15:27:44 hostname err httpd[9402]: pam_ldap(httpd:auth): error opening connection to nslcd: No such file or directory
Dec 6 15:27:44 hostname notice httpd[9402]: pam_ldap(httpd:auth): auth server unavailable, trying fallback
Dec 6 15:27:44 hostname warning httpd[9402]: pam_unix(httpd:auth): check pass; user unknown
Dec 6 15:27:44 hostname notice httpd[9402]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.227.145

/var/log/daemon.log will show ;

/daemon:
Dec 6 15:29:40 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:29:40 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:29:40 hostname warning systemd[1]: nslcd.service failed.
Dec 6 15:35:47 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:35:47 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:35:47 hostname warning systemd[1]: nslcd.service failed.

> Dec 06 15:35:47 hostname systemd[1]: Started Naming services LDAP client daemon..
> Dec 06 15:35:47 hostname systemd[1]: Starting Naming services LDAP client daemon....
> Dec 06 15:35:47 hostname nslcd[8050]: nslcd: /etc/nslcd.conf:15: usertemplate: too may arguments
> ===================== > This is the hint that user-template is at fault

Conditions:
LDAP/nslcd config , remote authentication , user-template used

The values within user-template include white spaces :

example: uid=%s,CN=my home,OU=Generic Users,OU=good Users,OU=users,DC=users,DC=org

Impact:
LDAP/nslcd process failed with "error opening connection to nslcd" when user-template includes white spaces.

Workaround:
Replace the white-space character with underscore "_" in the user-template if possible, or remove the user-template and restart nslcd daemon

860317-1 : JavaScript Obfuscator can hang indefinitely

Component: TMOS

Symptoms:
High CPU usage by obfuscator for an extended period of time.

Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.

Impact:
High CPU Usage.

Workaround:
Kill the obfuscator process

Fix:
Datasyncd daemon kills hanging obfuscator processes if they stop responding.

860005-3 : Ephemeral nodes/pool members may be created for wrong FQDN name

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.

Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.

The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.

Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.

Workaround:
It may be possible to mitigate this issue by one or more of the following actions:

-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.

-- Reducing the number of FQDN template nodes (FQDN names to be resolved).

-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.

859721-3 : Using GENERICMESSAGE create together with reject inside periodic after may cause core

Component: Service Provider

Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after "reject" command inside "after -periodic", it may cause core. Below is an example iRules.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859113.

Conditions:
GENERICMESSAGE::message create" is called after "reject" inside "after -periodic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event

Fix:
Using GENERICMESSAGE create together with reject inside periodic after no longer cause core

859113-3 : Using "reject" iRules command inside "after" may causes core

Component: Local Traffic Manager

Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create". It may trigger a tmm core. Below is an example iRule.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859721

Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"

Impact:
Traffic disrupted while tmm restarts.

Fix:
Using "reject" iRules command inside "after" no longer cause core.

859089-5 : TMSH allows SFTP utility access

Solution Article: K00091341

858537-3 : CVE-2019-1010204: Binutilis Vulnerability

Solution Article: K05032915

858429 : BIG-IP system sending ICMP packets on both virtual wire interface

Component: Local Traffic Manager

Symptoms:
ICMP packets are forwarded to both virtual wire interface, which causes MAC-Flip on the connected switches.

Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.

Impact:
Traffic is disrupted in the network.

Workaround:
None.

858349-1 : TMM may crash while processing SAML SLO traffic

Solution Article: K44808538

858229-3 : XML with sensitive data gets to the ICAP server

Solution Article: K22493037

Component: Application Security Manager

Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.

Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.

Impact:
Sensitive data will reach the ICAP server.

Workaround:
No immediate workaround except policy related changes

Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.

Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.

When this is changed to 0 (using this command):
/usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.

858197-1 : Merged crash when memory exhausted

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system

Fix:
Remove function call to drop row from table on error path where row was not successfully added.

858189-1 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.

Component: Device Management

Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad/restnoded/icrd errors.

Conditions:
Using iControl REST/iapp to update a data-group that contains a large number of records, e.g., 75,000 or more.

Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.

Workaround:
None.

Fix:
ICRD/restjavad/restnoded timeouts are now configurable through sys db variables.

Behavior Change:
New Sys DB variables have been added to allow you to modify the timeout settings of restjavad, restnoded, and icrd:

restnoded.timeout
restjavad.timeout
icrd.timeout

The default value is 60 seconds for each of these.

A restart of restjavad and restnoded is required for the change to take effect.

tmsh restart /sys service restjavad
tmsh restart /sys service restnoded

858025-3 : Proactive Bot Defense does not validate redirected paths

Solution Article: K33440533

Component: Application Security Manager

Symptoms:
Under certain conditions, Proactive Bot Defense may redirect clients to an unvalidated path.

Conditions:
-Proactive Bot Defense enabled.

Impact:
Clients may be redirected to an unvalidated path.

Workaround:
None.

Fix:
Proactive Bot Defense now validates redirected paths as expected.

857845-6 : TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule

Component: Local Traffic Manager

Symptoms:
Whenever the server or client side data have not been drained, 'server drained' or 'client drained' appear in /var/log/tmm as errors.

Conditions:
-- Using iRule configuration with LB::detach or LB::connect.
-- Server- or client-side data has not been drained before those statements are triggered.

Impact:
TMM crashes and can cause an outage on standalone system or failover in a DSC. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes and the 'server not drained' or 'client not drained' message is logged instead. If tmm.oops is set to 'log', the OOPS messages is reported in /var/log/tmm.

857725 : Anti-Fraud/DataSafe Logging Settings page not found

Component: Fraud Protection Services

Symptoms:
When navigating to Security :: Fraud Protection Service : Anti-Fraud Logging Settings, a 404 error is shown instead of the actual page.

Conditions:
- Provision Fraud Protection Service.
- License DataSafe or Fraud Protection Service.
- Enable the 'antifraud.riskengine.reportlogins' database variable.

Impact:
'Anti-Fraud Logging Settings' page is not found.

Workaround:
Configure logging setting using the Traffic Management Shell (tmsh) utility.

Fix:
'Anti-Fraud Logging Settings' page is shown correctly.

856961-2 : INTEL-SA-00201 MCE vulnerability CVE-2018-12207

Solution Article: K17269881

856953-2 : IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1

Component: TMOS

Symptoms:
In rare circumstances, TMM may core when changing the ike-peer configuration from IKEv2 to IKEv1.

Conditions:
- The BIG-IP system is attempting to establish an IKEv2 tunnel.
- The related ike-peer config is changed from IKEv2 to IKEv1.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not reconfigure the ike-peer configuration while the related IPsec tunnel is attempting to establish.

Fix:
TMM no longer cores.

856713-1 : IPsec crash during rekey

Component: TMOS

Symptoms:
IPsec-related tmm crash and generated core file during rekey.

Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.

Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
IPsec-related tmm crash has been fixed.

854493-3 : Kernel page allocation failures messages in kern.log

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades)
-- 48 MB (49152 KB for B4300 blades)
-- 128 MB (131072 KB for 4450 blades)

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures.

854177-3 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.

Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.

853613-2 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp

Component: Local Traffic Manager

Symptoms:
A TCP connection hangs occasionally.

Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.

Impact:
TCP connections hangs, and data transfer cannot be completed.

Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.

Fix:
This release provides improved interaction between TCP's Verified Accept and Timestamps options and the tm.tcpsendrandomtimestamp setting.

853545-3 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event

Component: Service Provider

Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.

Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.

Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.

Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.

Fix:
Usage of GENERICMESSAGE::message drop iRule command no longer leaks memory.

853329-4 : HTTP explicit proxy can crash TMM when used with classification profile

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may serve HTTP traffic as forward proxy and use DNS resolver objects to provide a server to connect to for request processing. When a classification profile is attached to the virtual server, it may result in a TMM crash with regards to some HTTP requests.

Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile attached to the virtual server.

Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release prevents a condition causing this TMM crash.

852929-7 : AFM WebUI Hardening

Solution Article: K25160703

852873 : Proprietary Multicast PVST+ packets are forwarded instead of dropped

Component: Local Traffic Manager

Symptoms:
Because the BIG-IP system does not recognize proprietary multicast MAC addresses such as PVST+ (01:00:0c:cc:cc:cd) and STP (01:80:c2:00:00:00), when STP is disabled the system does not drop those frames. Instead the system treats those as L2 multicast frames and forwards between 2 interfaces.

Conditions:
-- STP disabled
-- All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850.

Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC is forwarded instead of discarded, even when STP is disabled.

Workaround:
None.

Fix:
Traffic with Destination MAC as PVST+ (01:00:0c:cc:cc:cd) or STP (01:80:c2:00:00:00) is sent to the BIG-IP system, egress traffic is monitored to check that MAC is dropped when either or both of the following db variables is enabled or vice-versa:
bcm56xxd.rules.badpdu_drop
bcm56xxd.rules.lldp_drop

852613-1 : Connection Mirroring and ASM Policy not supported on the same virtual server

Component: Application Security Manager

Symptoms:
Connection Mirroring used together with ASM is not supported by the BIG-IP system, and a config validation prevents associating an ASM Policy with a virtual server that is configured with Connection Mirroring.

Conditions:
Virtual Server is attempted to be configured with Connection Mirroring and ASM Policy together.

Impact:
Connection Mirroring and ASM Policy cannot be configured on the same virtual server.

Workaround:
None.

Fix:
Connection Mirroring and ASM Policy can now be configured on the same virtual server. Only a subset of ASM features are supported. Please refer to the documentation for support and limitations when using Connection Mirroring with ASM.

852445-3 : Big-IP : CVE-2019-6477 BIND Vulnerability

Solution Article: K15840535

852437-1 : Overly aggressive file cleanup causes failed ASU installation

Solution Article: K25037027

Component: Application Security Manager

Symptoms:
Directory cleanup for for failed Attack Signature Updates (ASU) is too aggressive and may delete needed files in the middle of installation itself, which causes the update to fail.

Conditions:
An ASU runs at the same time as the file cleanup task.

Impact:
The ASU fails to complete successfully.

Workaround:
The default clean interval is 300 seconds (5 minutes).

1. Run the following command to monitor the clean activity:
#tailf /var/log/ts/asmcrond.log | grep CleanFiles

2. Watch for following message in the log:
asmcrond|INFO|Mar 20 21:54:44.389|24036|F5::PeriodicTask::Base::run,,Running Task: CleanFiles

3. Upgrade the ASU immediately.

If 5 minutes is not enough, you can increase the clean interval.

1. Adjust the interval in the /etc/ts/tools/asmcrond.cfg file:

From:
[CleanFiles]
Interval=300

To:
[CleanFiles]
Interval=3000

Important: Do not set Interval too high. 50 minutes (3000 seconds) should be enough.

2. Restart the asmcrond by killing the process. It respawns after several seconds.
ps -ef | grep asmcrond
kill <pid>

3. Monitor the asmcrond.log until you see another Cleanfiles log message.
# tailf /var/log/ts/asmcrond.log | grep CleanFiles

4. Install the ASU; the temp files can stay in the folder for 50 minutes.

5. After the ASU is installed, change the interval back to 300 and restart asmcrond.

6. Make sure asmcrond has been started correctly.
# ps -ef | grep asmcrond
# tailf /var/log/ts/asmcrond.log

Fix:
The directory cleanup does not clean up files that are being actively used for an installation.

852373-2 : HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error

Component: Local Traffic Manager

Symptoms:
HTTP/2 connection breaks and Tcl error is logged in /var/log/ltm similar to the following:

TCL error: /Common/http2_disable <CLIENT_ACCEPTED> - Unknown error (line 1) (line 1) invoked from within "HTTP2::disable".

Conditions:
Any of the following Tcl commands are used in any iRule event: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside.

Impact:
HTTP/2 traffic is not passed to the serverside.

Workaround:
Do not use the following Tcl commands: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside

Fix:
When the previously mentioned Tcl commands are used in appropriate HTTP iRule events, such as CLIENT_ACCEPTED, HTTP/2 filter is put into passthrough mode and traffic is delivered to the server.

852313-2 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured

Component: Access Policy Manager

Symptoms:
VMware Horizon clients cannot ,connect to APM and /var/log/apm contains hte following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431

Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.

Impact:
VMware Horizon client cannot connect to APM after some time.

Workaround:
None.

Fix:
Fixed an issue, where 'VMware View Logon Page' agent configured with 'Kerberos Authentication' does not process logon requests after some time.

852289-2 : DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector

Solution Article: K23278332

Component: Advanced Firewall Manager

Symptoms:
DNS over TCP packet is not rate-limited accurately by DoS device sweep and flood vector.

Conditions:
-- Setting the correct DNS pkt type in the DoS device sweep or flood vector.
-- Sending DNS over TCP.

Impact:
DNS over TCP is DDoS attack is not mitigated correctly.

Workaround:
Using DNS DoS vector to mitigate the attack.

Fix:
The attack mitigation by sweep and flood vector is accurate.

852101-3 : Monitor fails.

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.

Conditions:
TLS SIP monitor on pool member requiring client auth.

Impact:
Big3d fails external monitor SIP_monitor.

Workaround:
The only workaround is to allow world reading of key files in the filestore, however, this is not ideal as it exposes potentially sensitive data.

852001-3 : High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously

Component: TMOS

Symptoms:
When using more than 4 BIG-IP devices connected in a device cluster, and adding 2 more devices to the trust domain, the mcpd processes of each device may get into a sync loop. This causes mcpd to reach up to 90% CPU utilization during this time, and causes other control-plane functionality to halt. This state may last 10-20 minutes in some cases, or continuous in other cases.

Conditions:
-- More than 4 BIG-IP devices are configured in a trust domain configuration.
-- Adding at least 2 more devices to the trust domain, one after the other, without waiting for the full sync to complete.
-- ASM, FPS, or DHD (DOS) is provisioned.

Impact:
High CPU utilization, GUI, TMSH, and REST API not responding or slow-responding, other system processes halted.

Workaround:
When adding a BIG-IP device to the trust domain, before adding any other device, wait a few minutes until the sync is complete, and no more sync logs display in /var/log/ltm.

Fix:
MCPD no longer utilizes high CPU resources when adding simultaneously 4 or more devices to CMI.

851857-3 : HTTP 100 Continue handling does not work when it arrives in multiple packets

Component: Local Traffic Manager

Symptoms:
If a 100 Continue response from a server arrives in mulitple packets, HTTP Parsing may not work as expected. The later server response payload may not be sent to the client.

Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.

Impact:
The response is not delivered to the client. Browsers may retry the request.

Workaround:
None.

Fix:
100 Continue responses are parsed correctly by the HTTP parser if they are broken into multiple packets.

851789-3 : SSL monitors flap with client certs with private key stored in FIPS

Component: Local Traffic Manager

Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.

Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.

Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.

Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.

Fix:
Optimized FIPS API calls to improve performance of SSL monitors.

851745-1 : High cpu consumption due when enabling large number of virtual servers

Component: Advanced Firewall Manager

Symptoms:
Observed autodosd CPU burst

Conditions:
Enable autodosd and a large number of virtual servers

Impact:
High cpu utilization in autodosd

Workaround:
Disable autodosd

Fix:
Autodosd no longer excessively consumes CPU cycles.

851733-1 : Tcpdump messages (warning, error) are sent to stdout instead of stderr

Component: TMOS

Symptoms:
Tcpdump error and warning messages are sent to stdout. This causes issues when the packet capture is sent to a file, and standard programs such as Wireshark do not understand the error message strings and error.

Conditions:
-- tcpdump used to capture packets.
-- tcpdump stdout redirected to a file.
-- The capture file is read by standard packet parse-and-display tools wuch as Wireshark .

Impact:
Captures cannot be analyzed from the capture file

Workaround:
None.

Fix:
Tcpdump messages are now sent to stderr. Packet dumps continue to be in stdout. A capture file contains only captured packets, and can be analyzed by any tool that understands pcap format (wuch as Wireshark, tshark etc.)

851581-1 : Server-side detach may crash TMM

Component: Local Traffic Manager

Symptoms:
TMM crash with 'server drained' panic string.

Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.

Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.

Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.

-- In cases in which the detach is triggered by LB::Detach, make sure the command is not executed when a request may still be in progress by using it in response events, for example HTTP_RESPONSE, USER_RESPONSE, etc.

Fix:
TMM does not crash no matter when the server-side detach is triggered.

851477-3 : Memory allocation failures during proxy initialization are ignored leading to TMM cores

Component: Local Traffic Manager

Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.

Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.

Impact:
TMM cores when accessing uninitialized memory.

Workaround:
No workaround.

Fix:
Memory allocation failures are now detected and virtual server ends up in DENY state. No connections are accepted in this state.

851345-2 : The TMM may crash in certain rare scenarios involving HTTP/2

Component: Local Traffic Manager

Symptoms:
The HTTP/2 Gateway configuration is used without the HTTP MRF Router.

The TMM may crash in rare scenarios when a stream is being torn down.

Conditions:
-- HTTP/2 is configured in the Gateway scenario.
-- The HTTP MRF Router is not used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM no longer crashes in rare scenarios when a stream is being torn down.

851045-3 : LTM database monitor may hang when monitored DB server goes down

Component: Local Traffic Manager

Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.

Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).

Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.

Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.

850873-1 : LTM global SNAT sets TTL to 255 on egress.

Component: Local Traffic Manager

Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.

Conditions:
Traffic is handled by global SNAT.

Impact:
TTL on egress is set to 255/; Hop-Limit on egress is set to 64.

Workaround:
None.

850777-1 : BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config

Component: TMOS

Symptoms:
After rebooting BIG-IP Virtual Edition (VE) deployed on a cloud provider, the instance enters LICENSE INOPERATIVE state.

Errors similar to one below are seen in an LTM log:

err chmand[4770]: Curl request to metadata service failed with error(7): 'Couldn't connect to server'.

Conditions:
- Static management IP address configuration.
- Instance is restarted.

Impact:
Instance is not operational after restart.

Workaround:
After instance is fully booted, reload the license with 'reloadlic'.

Fix:
In case of 1 NIC with static route, issuing "bigstart restart mcpd" will not be enough to bring system to the licensed state, issue "reboot" instead.

850677-2 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy

Component: Application Security Manager

Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.

Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.

Workaround:
Use UTF-8.

Fix:
This release supports REST access in non-UTF-8 policies.

850673-3 : BD sends bad ACKs to the bd_agent for configuration

Component: Application Security Manager

Symptoms:
-- The bd_agents stops sending the configuration in the middle of startup or a configuration change.

-- The policy may be incomplete in the bd causing incorrect enforcement actions.

Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.

Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).

-- A partial policy may exist in bd causing improper enforcement.

Workaround:
-- Unassign and reassign the policy.

-- if unassign/reassign does not help, export and then reimport the policy.

Fix:
Fixed inconsistency scenario between bd and bd_agent.

850145-3 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed

Component: Local Traffic Manager

Symptoms:
First HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed and use the established connection to the server. However, the requests were queued in the proxy and not processed resulting in connection hang.

Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.

Impact:
Connection hangs and is eventually reset.

Workaround:
No workaround.

Fix:
If a connection to the server has been established, pipelined requests are now processed immediately and not queued.

849405-1 : LTM v14.1.2.1 does not log after upgrade★

Component: TMOS

Symptoms:
After upgrading to v14.1.2.1, logs are not generated and sysstat.service is not running.

Conditions:
-- Upgrade from BIG-IP v12.1.x (which uses CentOS 6) to BIG-IP v14.1.2.1 or later (which uses CentOS 7).
-- The issue is momentary and is not always reproducible.

Impact:
Logs are not generated and sysstat.service is not running.

Workaround:
Once the BIG-IP system starts up, check for failed services:

systemctl list-units --failed

If results show sysstat.service as FAILED, run the following command:

restorecon -Rv /var/log/sa6 && systemctl start sysstat

849085-3 : Lines with only asterisks filling message and user.log file

Component: TMOS

Symptoms:
/var/log/message and /var/log/user.log files have lines that only contain asterisks.

For example:

Nov 12 10:40:57 bigip1 **********************************************

Conditions:
Snmp query an OID handled by sflow, for example:

snmpwalk -v2c -c public localhost SNMPv2-SMI::enterprises.14706.1.1.1

Impact:
The impact is cosmetic only, however it could make reading the logs more difficult if the sflow snmp tables are constantly being queried.

Workaround:
You have two options:
-- Filter out all sflow_agent log messages
-- Filter out all messages that contain a newline '\n' or carriage return character '\r'.

Both workarounds are done by editing the syslog template, this means that if the you upgrades, you must edit the template again to reinstate the workaround.

=============================================
Solution #1 - Filter out all sflow_agent logs:

1) remount /usr as read+write:
    mount -o rw,remount /usr

2) Make a backup copy of the template:
    cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig

3) Add write permissions to the template:
    chmod +w /usr/share/defaults/config/templates/syslog.tmpl

4) Add the filter to syslog.tmpl

4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl

4b) Add the new filter after the filter f_messages:
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};

  For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};

filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};

4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_not_sflow);
destination(d_syslog_pipe);
}

5) Save the changes and quit vi.

6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice

7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.

8) remount /usr as read-only
    mount -o ro,remount /usr

=============================================
Solution #2 - Filter out all messages with \n or \r:

1) remount /usr as r+w:
    mount -o rw,remount /usr

2) Make a backup copy of the template:
    cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig

3) Add write permissions to the template:
    chmod +w /usr/share/defaults/config/templates/syslog.tmpl

4) Add the filter to syslog.tmpl:

4a) Open syslog.tmpl for edit:
    vi /usr/share/defaults/config/templates/syslog.tmpl

4b) Add the new filter after the filter f_messages:
filter f_no_multi_line {
not (message('\n') or message('\r'));
    };

   For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};

filter f_no_multi_line {
not (message('\n') or message('\r'));
    };

4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_no_multi_line);
destination(d_syslog_pipe);
}

5) Save the changes and quit vi.

6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':

tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice

7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.

8) remount /usr as read-only:
    mount -o ro,remount /usr

Fix:
The sflow log message that was a multiline message has been changed so that it is no longer multiline.

848777-1 : Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.

Component: Local Traffic Manager

Symptoms:
Shared object address-list in non-default partition in non-default route-domain does not sync to peer node. The system reports the following exceptions when such an issue occurs:

-- err mcpd[4941]: 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

-- err mcpd[4941]: 01071488:3: Remote transaction for device group /Common/DG1 to commit id 500 6754270728594498269 /Common/bigiptest1 0 failed with error 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

Conditions:
-- Create Custom partition.
-- Create Custom Route-domain.
-- Change custom partition.
-- Create address list in non-default route domain.
-- Create virtual server with previously created address list and any TCP port, or port list.
-- Now, try to Sync to high availability (HA) peer.

Impact:
Sync fails with error. Configuration does not sync to peer node.

Workaround:
None.

Fix:
Configuration now syncs to peer node successfully.

848445-3 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★

Solution Article: K86285055

Component: Application Security Manager

Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.

Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.

Impact:
The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.

Workaround:
Can defined the parameters as global sensitive parameters.

Fix:
After the fix, such parameters will be treated like global sensitive parameters and will be covered also in the Referer

848405-4 : TMM may consume excessive resources while processing compressed HTTP traffic

Solution Article: K26244025

847325-1 : Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior.

Component: Local Traffic Manager

Symptoms:
-- High tmm CPU utilization.
-- Stalled connections.
-- Incorrect persistence decisions.

Conditions:
-- A OneConnect profile is combined with certain persist profiles on a virtual server.

-- The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.

-- The persistence types that are affected are:
   - Source Address (but not hash-algorithm carp)
   - Destination Address (but not hash-algorithm carp)
   - Universal
   - Cookie (only cookie hash)
   - Host
   - SSL session
   - SIP
   - Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.
-- Incorrect persistence decisions.

Workaround:
None.

Fix:
Changing a virtual server that uses a OneConnect profile no longer triggers incorrect persistence behavior.

846917-3 : lodash Vulnerability: CVE-2019-10744

Solution Article: K47105354

846441-1 : Flow-control is reset to default for secondary blade's interface

Component: TMOS

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
The flow-control setting is reset to default (tx-rx).

Workaround:
Reload the configuration on the primary blade.

846365-3 : TMM may crash while processing IP traffic

Solution Article: K35750231

846157-3 : TMM may crash while processing traffic on AWS

Solution Article: K01054113

846137-3 : The icrd returns incorrect route names in some cases

Component: TMOS

Symptoms:
The icrd returns an incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet and considers its name as a whole. Also the subPath field is missed in the response route object. This happens only in the case of curl request.

Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.

Impact:
Result information is not compatible with actual result.

Workaround:
None.

Fix:
The system now verifies whether or not the leafname a numeric valuel, so this issue no longer occurs.

844689-3 : Possible temporary CPU usage increase with unusually large named.conf file

Component: Global Traffic Manager (DNS)

Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.

Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).

Impact:
When a zone file is updated, a downstream effect is the ZoneRunner process to parse again the named.conf file. The parsing of an unusually large file may cause a temporary increase in CPU usage.

Workaround:
None.

Fix:
ZoneRunner does not issue a reload command when zones are checked for updates, so no CPU usage increases occur.

844085-3 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address

Component: TMOS

Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:

01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.

Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.

Impact:
Unable to change the source address of a virtual server to an address list.

Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:

tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}

tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any

843801-1 : Like-named previous Signature Update installations block Live Update usage after upgrade★

Component: Application Security Manager

Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.

Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.

Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.

Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat

This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.

** Another Workaround incase the above does not solve the issue:
1. stop the tomcat server:
   > bigstart stop tomcat
2. clean the live update db :
   > cd /var/lib/hsqldb/live-update
   > rm -f liveupdatedb.*
3. remove all *.im files which are not genesis file (factory-default files):
   3.1 get the list of genesis files:
     > less /etc/live-update-genesis.yaml | grep genes | cut -d":" -f2
   3.2 go to update file directory:
     > cd /var/lib/hsqldb/live-update/update-files
   3.3 manually remove the *.im files that are not genesis
4. restart the tomcat server:
   > bigstart start tomcat

843597-3 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle

Component: TMOS

Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes.

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- Passing packets larger than 9000 bytes.

Impact:
Either packets are dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.

Workaround:
Modify the tmm_init.tcl file, adding the following line:

ndal mtu 9000 15ad:07b0

Fix:
We now ensure that the default setting for the vmxnet3 driver MTU is 9000.

843105-1 : Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP)

Component: Local Traffic Manager

Symptoms:
The BIG-IP system can now be configured to collect multicast statistics for LACP, STP, and LLDP. It is controlled by a sys db variable:

l2.virtualwire.multicast.stats

It is enabled by default.

Conditions:
This is encountered when L2 wire transparent VLAN groups are configured.

Impact:
The ability to collect and read multicast statistics makes it easier to debug l2 wire setups.

Multicast statistics can be viewed in the following tmctl table:
tmctl -w250 tmm/l2_mcast_stat

Workaround:
None.

Fix:
Added new stats available like:
tmctl -w250 tmm/l2_mcast_stat

842937-4 : TMM crash due to failed assertion 'valid node'

Component: Local Traffic Manager

Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.

Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Refrain from using ramcache may mitigate the problem.

Fix:
Ramcache module stops handling messages after it is teared down, so it does not attempt to use data structures which have already been deinitialized.

842865-1 : Add support for Auto MAC configuration (ixlv)

Component: TMOS

Symptoms:
Mac addresses are forced to be the same for ixlv trunks.

Conditions:
This happens when ixlv trunks are used.

Impact:
Mac addresses may not be as depicted on the device.

Workaround:
None.

Fix:
Unicast mac filters are used for ixlv trunks.

842625-3 : SIP message routing remembers a 'no connection' failure state forever

Component: Service Provider

Symptoms:
When SIP message routing fails to route to a pool member (Triggering a MR_FAILED, MR::message status of 'no connection'), The BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.

Conditions:
When BIG-IP systen fails to route messages to the peer (server) due to unavailability of route or any other issues.

Impact:
The BIG-IP system is never be able to establish connection to the peer.

Workaround:
None.

Fix:
SIP message routing now recovers from a 'no connection' failure state.

842189-2 : Tunnels removed when going offline are not restored when going back online

Component: TMOS

Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.

Conditions:
-- Configuration includes tunnels.
-- BIG-IP instance goes offline and then comes back online.

Impact:
Failure of tunnel packet traffic.

Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.

Fix:
Tunnels removed when going offline are now restored when going back online.

842125-4 : Unable to reconnect outgoing SCTP connections that have previously aborted

Component: TMOS

Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.

Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.

Impact:
New connections are unable to be created resulting in dropped messages.

Workaround:
None.

Fix:
SCTP connections can now be halted and recreated to the same endpoint.

841953-5 : A tunnel can be expired when going offline, causing tmm crash

Component: TMOS

Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.

If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.

Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.

Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm process no longer crashes under these conditions.

841577-4 : iControl REST hardening

Solution Article: K20606443

841333-5 : TMM may crash when tunnel used after returning from offline

Component: TMOS

Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.

Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

839749-2 : Virtual server with specific address list might fail to create via GUI

Component: Local Traffic Manager

Symptoms:
When a user tries to create a virtual server with address list, it might fail with below shown error:

01b90011:3: Virtual Server /Common/VS1's Traffic Matching Criteria /Common/testvs1 illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/testvs2 destination address, source address, service port.

Conditions:
-- One or more virtual servers that were created via the GUI already exist on the BIG-IP system.
-- Attempt to use the GUI to create another virtual server with address list.

Impact:
Cannot create the virtual server.

Workaround:
Create the virtual server via tmsh:

-- First create the traffic matching criteria using the address list.
-- Then use the traffic matching criteria to create a virtual server.

Fix:
You can now create virtual servers with address lists directly from the GUI.

839597-4 : Restjavad fails to start if provision.extramb has a large value

Component: Device Management

Symptoms:
Rolling restarts of restjavad occur every few seconds and the following messages are seen in the daemon log:

daemon.log: emerg logger: Re-starting restjavad

The system reports similar message at the command line.

No obvious cause is logged in rest logs.

Conditions:
-- System DB variable provision.extramb has an unusually high value*:
+ above ~2700-2800MB for v12.1.0 and earlier.
+ above ~2900-3000MB for v13.0.0 and later.

-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'

*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.

To check the values of these system DB varaiables use:
tmsh list sys db provision.extramb

tmsh list sys db restjavad.useextramb

Impact:
This impacts the ability to use the REST API to manage the system

Workaround:
If needing sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB work without issue).

To set that at command line:

tmsh modify sys db provision.extramb value 2000

If continual restarts of restjavad are causing difficulties managing the unit on the command line:

1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad

2. Reduce the large value of provision.extramb if necessary.

3. Restart the restjavad service:
tmsh start sys service restjavad

Fix:
Restjavad memory is now capped at a sensible maximum.
If provision.extramb is set to a value higher than 2500MB it will be considered to be 2500MB for the purposes of restjavad, and a message similar to the one below will be logged in /var/log/ltm, where XXXX is the value of provision.extramb

notice restjavad: JVM heap limit exceeded. Using maximum supported value of 2500 instead of provision.extramb XXXX

839453-4 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354

839401-3 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.

Component: Local Traffic Manager

Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).

Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.

Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.

Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.

Fix:
GARPs are sent out as expected.

839245-1 : IPother profile with SNAT sets egress TTL to 255

Component: Local Traffic Manager

Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.

Conditions:
Virtual-server with ipother profile and SNAT configured.

Impact:
Traffic leaves with egress TTL set to 255.

Workaround:
None.

Fix:
TTL is now decremented by 1 on forwarded packets.

839145-2 : CVE-2019-10744: lodash vulnerability

Solution Article: K47105354

838881-3 : APM Portal Access Vulnerability: CVE-2020-5853

Solution Article: K73183618

838861-2 : TMM might crash once after upgrading SSL Orchestrator★

Component: Access Policy Manager

Symptoms:
TMM might crash due to SIGABRT.

Conditions:
-- Session check agent is present in APM per-request policy.
-- APM Access Profile scope changes during SSL Orchestrator upgrade.
-- This issue can occur for SSL Orchestrator upgrades from 14.x to 15.x and above.

Impact:
TMM might crash once. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Session check agent now exits and terminates the flow.

838709-1 : Enabling DoS stats also enables page-load-time

Component: Application Visibility and Reporting

Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.

Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.

Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.

Workaround:
Can use iRules to control which pages should get the JavaScript injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.

Fix:
Changed the condition that insert the JavaScript injection in case that "collect all dos stats" is enabled.

838685-2 : DoS report exist in per-widget but not under individual virtual

Component: Application Visibility and Reporting

Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.

Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.

Impact:
GUI widgets report errors and cannot show stats.

Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:

1. Backup the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
   $ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/

2. Change permissions to allow modifying it:
   $ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

3. Change the file to include the fix:
   $ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
   $ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

4. Verify that the fix is as expected:
   $ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php

   (** You should see two lines modified:
       1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
       2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip')

5. Revert permissions of the file:
   $ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

6. Log out and log back into the GUI, so that the new version of the file loads.

Fix:
GUI configuration for the 'Virtual Server' filter is fixed with the correct dimension name.

838677-3 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354

838297-1 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication

Component: TMOS

Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.

Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.

Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).

Impact:
Remote AD BIG-IP users are unable to login to the BIG-IP system using remote LDAP authentication

Workaround:
Clear the value of shadowLastChange within AD.

837837-3 : SSH Client Requirements Hardening

Solution Article: K43404629

837773-2 : Restjavad Storage and Configuration Hardening

Solution Article: K12936322

837637-2 : Orphaned bigip_gtm.conf can cause config load failure after upgrading★

Solution Article: K02038650

Component: Global Traffic Manager (DNS)

Symptoms:
Configuration fails to load after upgrade with a message:

01420006:3: Can't find specified cli schema data for x.x.x.x

Where x.x.x.x indicates an older version of BIG-IP software than is currently running.

Conditions:
-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.

-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Impact:
Configuration fails to load after upgrade.

Workaround:
Before upgrading:

If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh load sys config gtm-only

After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh restart sys service all

837269 : Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic

Component: Carrier-Grade NAT

Symptoms:
When hosts send ICMP unreachable error messages and processed by the BIG-IP system, subsequent good UDP packets do not get the persistence LSN translation address.

Conditions:
-- Virtual server with FW NAT or CGNAT configuration to accept UDP traffic.
-- Client or/and server randomly sends ICMP unreachable messages.

Impact:
LSN persistence issues. UDP packets from the same client IP address may not get the same translation address every time, even though there exists a persistence entry in the table

Workaround:
None.

Fix:
Processing ICMP unreachable packets no longer causes FWNAT/CGNAT persistence issues with UDP traffic.

836661 : Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.

Component: Local Traffic Manager

Symptoms:
Packet with unexpected source MAC is seen on the adjacent node to the BIG-IP system.

Conditions:
-- The BIG-IP system is configured in an L2 transparent mode using virtual wires.
-- Traffic forwarded between client and server in an asymmetric manner across virtual wires.

Impact:
Incorrect source MAC is used. Possible impacts to services on nodes adjacent to the BIG-IP system if policy decisions on those nodes are made with the source MAC of the received packet as input.

Workaround:
None.

836357-3 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2

Component: Service Provider

Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.

Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.

Impact:
This causes the BIG-IP system to abort the flow that originates the message.

Workaround:
None.

Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.

835381-1 : HTTP custom analytics profile 'not found' when default profile is modified

Component: Application Visibility and Reporting

Symptoms:
Adding SMTP config to default HTTP analytics profile results in config parsing failures for child profiles that are assigned to virtual servers. Removing SMTP config resolves the issue. The 'tmsh load sys config' command fails with the following error:

-- 01020036:3: The requested profile (/Common/child-analytics) was not found.
-- Unexpected Error: Validating configuration process failed.

Conditions:
-- Child analytics profile applied to virtual server.
-- Parent analytics profile contains SMTP config.

Impact:
Loading configuration might fail.

Workaround:
None.

Fix:
The system now avoids setting SMTP field for child profiles on MCP validation when in load/merge phase.

834533-2 : Linux kernel vulnerability CVE-2019-15916

Solution Article: K57418558

834373-3 : Possible handshake failure with TLS 1.3 early data

Component: Local Traffic Manager

Symptoms:
During TLS 1.3 early data handshake, a code alert and handshake failure may occur

Conditions:
TLS 1.3 with early data resumption.

Impact:
Handshake failure.

Workaround:
Turn off early data.

Fix:
Fixes a possible TLS 1.3 early data handshake failure and code alert.

834257-3 : TMM may crash when processing HTTP traffic

Solution Article: K25400442

833685-3 : Idle async handlers can remain loaded for a long time doing nothing

Component: Application Security Manager

Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.

Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.

Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.

Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.

833213-3 : Conditional requests are served incorrectly with AAM policy in webacceleration profile

Component: WebAccelerator

Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.

Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.

Impact:
Client does not receive an updated resource.

Workaround:
Use webacceleration profile without AAM policy for resources that require conditional checks falling back into Ramcache.

Fix:
The BIG-IP system now respects If-Modified-Since or If-Unmodified-Since header and provides an appropriate response for the requested resource when compared to the date supplied in either header.

833113-3 : Avrd core when sending large messages via https

Component: Application Visibility and Reporting

Symptoms:
When sending large messages (>4KB) via HTTPs may cause avrd to core.

Conditions:
This typically happens when BIG-IP is managed by BIG-IQ and configuration is large and complex or traffic capturing is enabled.

Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due contiguous AVRD cores.

Workaround:
None.

Fix:
Fixed an avrd crash

832885-3 : Self-IP hardening

Solution Article: K05975972

832857 : Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log

Component: Application Security Manager

Symptoms:
The Support ID shown to the ASM end user does not appear in the logs.

Conditions:
-- ASM provisioned.
-- Bot Defense profile attached to a virtual server.
-- Single Page Application (SPA) is enabled in the Bot Defense profile.
-- AJAX request is blocked by bot defense, and CAPTCHA is shown to the ASM end user.

Impact:
ASM end user might complain about CAPTCHA and provide their Support ID to the BIG-IP administrator, but the BIG-IP administrator will not be able to find the Support ID in the logs.

Workaround:
None.

Fix:
Bot defense has been fixed so that the Support ID shown to the ASM end user matches the Support ID in the logs.

832757-5 : Linux kernel vulnerability CVE-2017-18551

Solution Article: K48073202

832569-2 : APM end-user connection reset

Component: Access Policy Manager

Symptoms:
When the URL being accessed exceeds a length of 8 KB, the BIG-IP resets the connection.

Conditions:
-- APM deployed with a per-request policy.
-- The per-request policy includes a category lookup.

Impact:
The APM end-user connection is reset, and the system posts an error message in /var/log/apm:

-- crit tmm[23363]: 01790601:2: [C] 10.62.118.27:65343 -> 65.5.55.254:443: Maximum URL size exceeded.

Workaround:
None.

832205 : ASU cannot be completed after Signature Systems database corruption following binary Policy import

Component: Application Security Manager

Symptoms:
Signatures cannot be updated after signature systems have become corrupted in the configuration database, after a binary policy containing a user-defined Signature Set using an unknown System was imported.

Conditions:
Signature systems are corrupted in configuration database, because a binary policy containing a user-defined Signature Set using an unknown System was imported.

Impact:
Signatures cannot be updated.

Workaround:
Delete signature systems with an ID greater than 38, and re-add them by performing a signature update. You can delete these signature systems by running the following command:

mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "DELETE FROM PLC.NEGSIG_SYSTEMS WHERE system_group = ''"

832021-1 : Port lockdown settings may not be enforced as configured

Solution Article: K73274382

832017-1 : Port lockdown settings may not be enforced as configured

Solution Article: K10251014

831781-5 : AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode

Component: Access Policy Manager

Symptoms:
Both AD Query and LDAP Auth/Query fails.

Conditions:
-- AD Query Agent, LDAP Auth Agent, or LDAP Query Agent is configured in Per-Session or Per-Request Policy.
-- These agents are configured in Direct mode.
-- The AD and LDAP server address is configured as IPv6 address.

Impact:
Users may not be able to login to APM, and hence service is disrupted.

Workaround:
None.

Fix:
Users are now able to login to APM.

831777-3 : Tmm crash in Ping access use case

Component: Access Policy Manager

Symptoms:
Tmm crashes.

Conditions:
Ping access use case.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Properly handle ping traffic.

831661-2 : ASMConfig Handler undergoes frequent restarts

Component: Application Security Manager

Symptoms:
Under some settings and load the RPC handler for the Policy Builder process restarts frequently, causing unnecessary churn and slower learning performance.

Conditions:
Configure one or more policies with automatic policy building enabled and learn traffic with violations

Impact:
Control Plane instability and poor learning performance on the device.

Fix:
The Policy Builder handler is now restored to a more robust process lifecycle.

831517-1 : TMM may crash when Network Access tunnel is used

Component: Access Policy Manager

Symptoms:
TMM may crash.

Conditions:
-- APM session is established.
-- Network Access tunnel is established and used;

Impact:
APM end users experience Network Access tunnel disconnected. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a tmm crash.

831325-2 : HTTP PSM detects more issues with Transfer-Encoding headers

Solution Article: K10701310

Component: Local Traffic Manager

Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.

Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.

Impact:
Traffic is not alarmed/blocked as expected.

Workaround:
None.

Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.

831293-3 : SNMP address-related GET requests slow to respond.

Component: TMOS

Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.

Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.

Impact:
Slow performance.

Workaround:
None.

830833-2 : HTTP PSM blocking resets should have better log messages

Component: Local Traffic Manager

Symptoms:
When reset-cause logging is turned on, or when RST packet logging is used, the reset reason used when rejecting bad HTTP PSM traffic is not descriptive.

Conditions:
This occurs under either of these conditions:

-- HTTP PSM is used, and a request is blocked.
-- Reset cause or RST packet logging is enabled.

Impact:
The reset reason given is not descriptive, making troubleshooting difficult.

Workaround:
None.

Fix:
The reset reason used when rejecting HTTP PSM traffic is more descriptive.

830797-2 : Standby high availability (HA) device passes traffic through virtual wire

Component: Local Traffic Manager

Symptoms:
Virtual wire is forwarding traffic on standby resulting in traffic loops and potential network outage.

Conditions:
-- High availability (HA) configured.
-- Virtual wire configured.

Impact:
Standby device is passing traffic, which may create traffic loops and bring down the network.

Workaround:
Do not configure virtual wire on standby devices.

Fix:
Although you can create this configuration, the standby no longer forwards any traffic, which prevents the traffic loop and potential network outage.

830401-3 : TMM may crash while processing TCP traffic with iRules

Solution Article: K54200228

830073-3 : AVRD may core when restarting due to data collection device connection timeout

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core

Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.

Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes

Workaround:
None.

Fix:
The AVRD HTTPS module now stops any connection attempts when shutdown sequence is in progress, so this issue no longer occurs.

829677-1 : .tmp files in /var/config/rest/ may cause /var directory exhaustion

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

This issue is happening because a VIPRION process is not available because of a REST timeout.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Manually run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Fix:
Increased the rest socket timeout value and shellexecutor timeout value to 6 min to fix the timeout issue of viprion worker

The fix also includes automatic removal of unused tmp files.

829317-6 : Memory leak in icrd_child due to concurrent REST usage

Component: TMOS

Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.

Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.

Impact:
Memory slowly leaks in icrd_child.

Workaround:
None.

Fix:
Fixed a memory leak in icrd_child.

829193-2 : REST system unavailable due to disk corruption

Component: TMOS

Symptoms:
-- The iControl REST commands respond with the following:

[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'

-- The GUI indicates that iAppLX sub-system is unresponsive.

-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.

Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.

Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.

Impact:
The iControl REST system is unavailable.

Workaround:
Run the following commands at the BIG-IP command prompt:

bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat

Then, reinstall any iAppLX packages that were installed.

829121-3 : State mirroring default does not require TLS

Solution Article: K65720640

829117-3 : State mirroring default does not require TLS

Solution Article: K17663061

828937-3 : Some systems can experience periodic high IO wait due to AVR data aggregation

Solution Article: K45725467

Component: Application Visibility and Reporting

Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that is running on the local database. Notice that large memory footprints, particularly for avrd might be a symptom for the phenomenon.

Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned.

Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.

Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 16 cores) or 2148 (on smaller systems).

Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.

Fix:
Set default value of avr.stats.internal.maxentitiespertable DB variable to 20000. Set it to 2148 on systems with the number of CPU cores fewer than or equal to 8.

828789-3 : Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters

Component: TMOS

Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.

Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.

Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP configuration.

This does not impact the BIG-IP system's ability to select the proper Client SSL profile on a virtual server that uses SNI matching to provide distinct certificates.

Workaround:
Specify fewer than 1023 character for the Certificate Subject Alternative Names.

828601-3 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.

Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.

-- Receive another default gateway from a configured peer using any of dynamic routing protocols (BGP, OSPF, etc.)

Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.

Workaround:
None.

Fix:
IPv6 routes now prioritize TMM interfaces.

826905-1 : Host traffic via IPv6 route pool uses incorrect source address

Component: TMOS

Symptoms:
IPv6 route pool uses an incorrect source address rather than the self IP address. As a side symptom, if there are an even number of members in the pool, only half of the pool members are attempted during load balancing.

Conditions:
--IPv6 route pool is configured.

Impact:
Failed connections from the BIG-IP host that uses an IPv6 pool route.

Workaround:
None.

Fix:
IPv6 route pool uses the correct self IP address.

826601-5 : Prevent receive window shrinkage for looped flows that use a SYN cookie

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Set the initial receive window value of the VIP to 3.

Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.

825805-1 : NTLM Auth may fail due to incorrect handling of EPM response★

Component: Access Policy Manager

Symptoms:
NTLM passthrough authentication may stop working after upgrade.

Conditions:
-- NTLM authentication configured.
-- Upgraded to a BIG-IP software version that contains the implementation for the Microsoft Internet Explorer feature, 'Enhanced protected mode' (EPM).
-- There are more than two protocol sequence towers included in the EPM response.

Impact:
APM end users cannot login.

Workaround:
None.

Fix:
The system can now parse EPM response as expected.

825413-2 : /var/lib/mysql disk is full

Component: Application Security Manager

Symptoms:
PRX.BRUTE_FORCE_* db tables do not have a row_limit, so they can grow to consume all available disk space in /var/lib/mysql.

Conditions:
ASM provisioned

Impact:
/var/lib/mysql can run out of disk space

Workaround:
1. Truncate the two large tables. This clears all the row in those table and should make disk space.
   Note that existing brute force username and IPs reporting data will be lost.

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_USERNAMES"

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_IPS"

2. Add row_limit for the two tables to avoid the same issue in the future.

Add following lines in the bottom of this file, /etc/ts/tools/clean_db.yaml

  PRX.BRUTE_FORCE_MITIGATED_USERNAMES:
    row_limit: 100000
    order_by: brute_force_mitigated_username_id

  PRX.BRUTE_FORCE_MITIGATED_IPS:
    row_limit: 100000
    order_by: brute_force_mitigated_ip_id

Restart clean_db process (there is no impact of restarting this process)

# pkill -f clean_db

Wait 30 sec, and make sure the process came back

# ps aux | grep clean_db

825013-3 : GENERICMESSAGE::message's src and dst may get cleared in certain scenarios

Component: Service Provider

Symptoms:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands may not work properly if iRule processing changes to a different TMM. These commands may return an empty string rather than correct data.

Conditions:
-- Using "GENERICMESSAGE::message src" and/or "GENERICMESSAGE::message dst" iRule commands.
-- iRule processing moves from one TMM to another TMM.

Impact:
Incorrect data returned from "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands.

Fix:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands now return correct data.

824881-2 : A rare TMM crash cause by the fix for ID 816625

Component: Local Traffic Manager

Symptoms:
In rare scenarios involving HTTP unchunking and plugins, the TMM may crash.

Conditions:
Software that contains the fix for ID 816625, which involves HTTP unchunking and some plugins, dynamically removing the unchunking logic when required.

Impact:
In addition, other plugin behavior may abort the unchunking logic in an unexpected way. This causes a double-abort, and triggers a TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM no longer crashes in a rare scenario involving HTTP unchunking and plugins.

824365-3 : Need informative messages for HTTP iRule runtime validation errors

Component: Local Traffic Manager

Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:

err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".

The system should post a more informative message, in this case:

err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"

Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.

Impact:
With no informative error messages, it is difficult to identify the validation error.

Workaround:
There is no workaround at this time.

Fix:
Informative messages are provided for HTTP iRule runtime validation errors.

824149-3 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured

Component: Service Provider

Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.

Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.

824101-1 : Request Log export file is not visible for requests including binary data

Component: Application Security Manager

Symptoms:
Request Log export file is not visible.

Conditions:
Request Log export file contain request with binary data

Impact:
Cannot get data from Request Log export file.

Workaround:
None.

824037-2 : Bot Defense whitelists do not apply for IP 'Any' when using route domains

Component: Application Security Manager

Symptoms:
When defining whitelists in bot defense profiles, when the IP is set to 'Any' and route domains are in use, whitelists are not applied.

Conditions:
-- Bot Defense profile is enabled.
-- Whitelist is configured for IP 'Any' (for URL or GEO),
-- Sending a request that matches the whitelist using route domains.

Impact:
Request will be mitigated.

Workaround:
For url whitelist only:
Add micro service to the bot defense profile, configure:
1. Add required URL.
2. Specify service type 'Custom Microservice Protection'.
3. Set the 'Mitigation and Verification' setting as required (relevant for logging only).
4. In 'Automated Threat Detection', set 'Mitigation Action' to 'None'.
5. Set the microservice 'Enforcement Mode' to 'Transparent'.

This causes the associated URL to never be blocked (but no 'whitelist' will be seen in reporting).

Fix:
Enabling IP 'Any' on route domains now works as expected.

823921-2 : FTP profile causes memory leak

Component: Local Traffic Manager

Symptoms:
When a FTP profile is added to a virtual server, TMM runs with memory leak and eventually system has to terminate connections.

Conditions:
A FTP profile is installed on virtual server and the inherit-parent-profile parameter is enabled or isession is also included on the FTP virtual.

Impact:
TMM runs with memory leak and eventually system has to terminate connections.

Workaround:
Disable the inherit-parent-profile option if fastL4 data-channel is adequate.

Fix:
Fix the internal memory cleanup function bug.

823893-2 : Qkview may fail to completely sanitize LDAP bind credentials

Solution Article: K03318649

822377-2 : CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability

Component: TMOS

Symptoms:
A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

Conditions:
This flaw is only exploitable if Proxy* directives are used in Apache httpd configuration. The following command can be used to search for possible vulnerable configurations:

grep -R '^\s*Proxy' /etc/httpd/

Impact:
An attacker could cause the link on the error page to be malformed and instead point to a page of their choice.

Workaround:
This flaw is only exploitable if Proxy* directives are used in Apache httpd configuration. As a Mitigation/Workaround, exclude Proxy* directives in Apache Httpd configuration.

Fix:
Removed request data from many other in-built error messages.

822025-2 : HTTP response not forwarded to client during an early response

Component: Local Traffic Manager

Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.

Conditions:
-- A slow client.
-- early server response with the HTTP::respond iRule.

Impact:
A client does not receive the redirect from the HTTP::respond iRule.

Workaround:
None.

Fix:
The client now receives the redirect from the HTTP:respond iRule.

821369 : Incomplete Action 'Deny' does not take effect for HTTP-Connect

Component: Access Policy Manager

Symptoms:
Per-request policy's incomplete-action 'Deny' does not take effect for HTTP-Connect request.

Conditions:
-- SSL Orchestrator (SSLO) or APM is licensed and provisioned.
-- Per-request policy is created and attached to a virtual server.
-- Incomplete Action value of per-request policy is set to 'Deny'.

Impact:
The BIG-IP system does not reject the HTTP-Connect request when incomplete-action is set to 'Deny'.

Workaround:
None.

Fix:
Incomplete Action 'Deny' now takes effect for HTTP-Connect request.

821309-3 : After an initial boot, mcpd has a defunct child "systemctl" process

Component: TMOS

Symptoms:
Zombie "systemctl" process, as a child of mcpd.

Conditions:
Reboot of the BIG-IP.

Impact:
Minimal; a single zombie process is created.

Workaround:
To get rid of the process, you can restart mcpd.

821133-2 : Wrong wildcard URL matching when none of the configured URLS include QS

Component: Fraud Protection Services

Symptoms:
Wildcard URLs has a flag (include_query_string) which indicates if the matching should include traffic URL's QS or not

For example, if the traffic URL is '/path?a=b' and configured URL is '/path*b':

1. if include QS enabled, URL is matched
2. otherwise, no match (since matching against '/path' only)

if there are no configured URLs with "Include Query String" enabled, matching may be wrong

Conditions:
1. Wildcard URL configured in anti-fraud profile (URL name contains an asterisk)
2. None of the configured URLs has "Include Query String" enabled
3. Traffic URL contains a query-string

Impact:
URL is incorrectly matched (when it either shouldn't be matched at all or should match another configured URL). Features/signatures might not work as expected.

Workaround:
Configure at least one URL with "Include Query String" enabled

Fix:
FPS should match query string correctly (according to configuration)

820333-3 : LACP working member state may be inconsistent when blade is forced offline

Component: Local Traffic Manager

Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.

Conditions:
LACP updates while blade is going offline.

Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.

820213-2 : 'Application Service List' empty after UCS restore

Component: TMOS

Symptoms:
The iApps :: Applications LX list does not display anything after restoring a UCS that was taken from a different device.

Conditions:
-- Restoring a UCS from a different device.
-- UCS includes the iAppLX package.

Impact:
Cannot see anything on 'Application Service List', and you are unable to configure the application.

Workaround:
Run the following command before restoring the UCS file:

clear-rest-storage

819397-1 : TMM does not enforce RFC compliance when processing HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.

Conditions:
-- HTTP virtual server
-- Non-compliant HTTP request from client

Impact:
Pool members may be exposed to non-compliant HTTP requests.

Workaround:
None.

Fix:
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.

Behavior Change:
A new BigDB variable has been added.

The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default.

If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.

The checks performed are a subset of those described within the HTTP PSM module. If a blocking page is required, or more detailed control over which checks are performed, configure HTTP PSM or ASM on the virtual server.

If either HTTP PSM or ASM are configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.

819329-2 : Specific FIPS device errors will not trigger failover

Component: Local Traffic Manager

Symptoms:
When the FIPS device experiences a hardware failure during idle-time, the device may not fail over.

Conditions:
-- FIPS hardware failure occurs, but the device is idle

Impact:
The device may not fail over on FIPS hardware failure.

Fix:
Interpret rare FIPS card failure as failover event.

819197-4 : BIGIP: CVE-2019-13135 ImageMagick vulnerability

Solution Article: K20336394

819189-3 : BIGIP: CVE-2019-13136 ImageMagick vulnerability

Solution Article: K03512441

819009-3 : Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol.

Component: TMOS

Symptoms:
The multicast routing protocols are implemented by pimd and mribd daemons. mribd daemon crashes in a specific configuration when debug logging is enabled for this daemon.

Conditions:
1) Dynamic Routing bundle is enabled and PIM protocol is enabled on a route domain.
2) High availability (HA) group/pair with floating self IP address is configured.
3) PIM neighbors are configured for each peer in high availability (HA) group/pair.
4) One of the peers in high availability (HA) is configured to use floating self IP address as an IP address for PIM protocol.

This is done using the 'ip pim use-floating-address' command in the PIM configuration in imish:
# ip pim use-floating-address

5) Multicast routing is configured in imish:
# ip multicast-routing

6) Debug logging for mribd is enabled:
# debug ip mrib all
# debug ipv6 mrib all
---
Note: Although steps 3 and 4 are optional, a practical configuration makes no sense without them.

Impact:
Dynamic routing daemon mribd crashes. Advanced routing not available while mribd restarts.

Workaround:
None.

Fix:
Dynamic routing daemon mribd no longer crashes when mribd debug logging is enabled.

818853-3 : Duplicate MAC entries in FDB

Component: Local Traffic Manager

Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.

Conditions:
-- Having multiple paths to a MAC in a given configuration.

Impact:
There are duplicate MAC address entries which come from multiple interfaces.

Workaround:
None.

818709-2 : TMSH does not follow current best practices

Solution Article: K36814487

818465-2 : Unnecessary memory allocation in AVR module

Component: Anomaly Detection Services

Symptoms:
Internal Bados indicator is not updated correctly, creating unnecessary memory allocation in AVR module.

Conditions:
Using AVR.

Impact:
Unnecessary memory consumption

Workaround:
None.

818429-4 : TMM may crash while processing HTTP traffic

Solution Article: K70275209

818253-1 : Generate signature files for logs

Component: TMOS

Symptoms:
The BIG-IP system does not generate signature files for logs. As a result, the system stores the audit information (i.e., the log files stored in /var/log folder and other subfolders) in an incorrect format.

Conditions:
Viewing the audit information stored in /var/log and other locations.

Impact:
Messages are stored in an incorrect format.

Workaround:
Disable local logging for audit logs and send them to remote syslog, for example:
tmsh modify sys syslog include "filter f_audit { facility(local0) and not message(AUDIT); }; "

Fix:
There is now a LogIntegrity utility provided to generate signature files for logs.

-- To enable the feature:
tmsh modify sys db logintegrity.support value enable

-- To set the LogIntegrity loglevel:
tmsh modify sys db logintegrity.loglevel value debug

You must create private key and store it in SecureVault before enabling this feature. To do so:

1. Generate a private key with the name logfile_integrity.key, for example:
create sys crypto key logfile_integrity.key key-type rsa-private key-size 2048 gen-certificate security-type password country US city Seattle state WA organization "Example, Inc." ou "Example-Creation Team" common-name www.example.com email-address admin@example.com lifetime 365

2. Generate RSA encrypted private SSL keys:

2a. Go to the filestore location on the BIG-IP system:
cd /config/filestore/files_d/Common_d/certificate_key_d/

ls | grep logfile_integrity:Common:logfile_integrity.key_63031_2

openssl rsa -aes256 -in :Common:logfile_integrity.key_63031_2 -out logfile_integrity_secure.key

2b. Specify the PEM password/passphrase (e.g., root0101) to use to protect the SSL private key (in this example, logfile_integrity_secure.key is the password protected private key):

2c. run command to list the generated files
ls | grep logfile_integrity :Common:logfile_integrity.key_63031_2 logfile_integrity_secure.key

3. Install the generated password protected SSL private key with the same password (e.g., root0101) used in step 2 to store in 'secure vault' on the BIG-IP system:

install sys crypto key logfile_integrity.key passphrase example root0101 from-local-file logfile_integrity_secure.key

Once the feature is enabled and the private key installed, The signature files are generated under /var/log/digest whenever log files get rotated.

If you want to verify Signatures, follow these steps:

1. Go to the filestore location on the BIG-IP system :
cd /config/filestore/files_d/Common_d/certificate_d

2. Execute the following command to generate the public key.
openssl x509 -in :Common:logfile_integrity.key_63031_2 -noout -pubkey > certificatefile.pub.cer

3.Verify the signature file using public key:
openssl dgst -sha256 -verify /config/filestore/files_d/Common_d/certificate_d/certificatefile.pub.cer -signature /var/log/digest/audit.1.sig /var/log/audit.1

818213-2 : CVE-2019-10639: KASLR bypass using connectionless protocols

Solution Article: K32804955

818177-4 : CVE-2019-12295 Wireshark Vulnerability

Solution Article: K06725231

817917-1 : TMM may crash when sending TCP packets

Solution Article: K00025388

817709-2 : IPsec: TMM cored with SIGFPE in racoon2

Component: TMOS

Symptoms:
TMM asserted and cored in racoon2 with this panic message:

panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.

Conditions:
When IKEv2 Phase 2 SA has no peer proposal associated with it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This issue no longer occurs.

817649-2 : AVR statistics for NAT cannot be shown on multi-bladed machine

Component: Application Visibility and Reporting

Symptoms:
The system presents an error messagewhen trying to get AVR statistics for NAT:

Data Input Error: Database is unavailable.

Conditions:
Using AVR reports for NAT on a multi-bladed BIG-IP device.

Impact:
Cannot view AVR statistics for NAT.

Workaround:
1. Back up the file /etc/avr/monpd/monp_tmstat_fw_nat_entities.cfg

2. Run the following command:
sed -i 's/measures=/measures=period,/' /etc/avr/monpd/monp_tmstat_fw_nat_entities.cfg

3. Verify that the only change made to 'sed -i 's/measures=/measures=period,/' /etc/avr/monpd/monp_tmstat_fw_nat_entities.cfg' was adding a 'period,' to the list of measures (can be compared against the backup file).

4. Restart monpd (to pick up the changes):
bigstart restart monpd

Fix:
Fixed formula for statistics to allow using it on a multi-bladed BIG-IP device.

817417-1 : Blade software installation stalled at Waiting for product image★

Component: Local Traffic Manager

Symptoms:
On a chassis system where the active/primary blade is running version 14.1.0 or later and a new blade is inserted that has version 14.0.0 or lower, the secondary blades fail to receive the updated images and the installation stalls. The primary blade reports 'Waiting for product image' when running the tmsh show sys software status command.

Conditions:
Primary blade running version 14.1.0 or above.
Secondary running an earlier version is inserted.

Impact:
Newly inserted blade does not synchronize volumes with the primary blade and cannot be used.

The tmsh show sys software status command reports that one or more blades are in 'waiting for product image' status indefinitely.

Workaround:
Ensure all blades are running the same version. This can be accomplished manually by running the following command at the command prompt (this example is for new blade inserted at slot #3):

scp /shared/images/* slot3:/shared/images

816881-1 : Serverside conection may use wrong VLAN when virtual wire is configured

Component: Local Traffic Manager

Symptoms:
Server syn is flowing on the wrong VLAN, when tmm tries to establish a server connection. The BIG-IP system sends RST packets of unmatched VLAN/MAC combination

Conditions:
-- Virtual wire is configured .
-- Clientside data and handshake come in on different VLANs.

Impact:
Some client connections fail to establish

Workaround:
None.

816625-1 : The TMM may crash in a rare scenario involving HTTP unchunking, and plugins.

Component: Local Traffic Manager

Symptoms:
The TMM crashes while passing traffic.

Conditions:
This occurs rarely on a Virtual Server configured with an HTTP profile that has HTTP response chunking enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM no longer crashes in a rare scenario involving HTTP unchunking and plugins.

816529-2 : If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.

Component: Traffic Classification Engine

Symptoms:
URLCAT lookups to Custom DB return Unknown result.

Conditions:
-- URL is being looked up against Custom DB
-- wr_urldbd is restarted at the same time

Impact:
Queries will likely fail in highly loaded environments if wr_urldbd is restarted for any reason.

Workaround:
None.

Fix:
Wr_urldbd restores connection to Custom DB after restart.

816413-2 : CVE-2019-1125: Spectre SWAPGS Gadget

Solution Article: K31085564

816273-2 : L7 Policies may execute CONTAINS operands incorrectly.

Component: Local Traffic Manager

Symptoms:
L7 Policies involving CONTAINS operands may execute incorrectly in some cases.

The policy compiler may incorrectly combine some internal states, 'forgetting' degrees of partial evaluation of a CONTAINS operation.

Conditions:
Multiple CONTAINS conditions are used on the same virtual server.

Impact:
The wrong policy actions may be triggered.

Workaround:
It may be possible to reorder the rules in a policy to restore correct operation. However, the more complex the policy, the less likely this is.

Fix:
L7 Policy CONTAINS operations are compiled correctly. Policies with CONTAINS operations no longer trigger the wrong rule actions.

816233-3 : Session and authentication cookies should use larger character set

Component: TMOS

Symptoms:
The session and authentication cookies are created using a limited character set.

Conditions:
Creating session and authentication cookies.

Impact:
Cookies are created with a less broad character set than they could be.

Workaround:
None.

Fix:
JSESSIONIDs and AuthCookies are created using a wider character set.

Behavior Change:
This release changes the format of the BIGIPAuthCookie and JSESSIONID cookies to use a larger alphabet during encoding (case sensitive alphanumeric).

815877-1 : Information Elements with zero-length value are rejected by the GTP parser

Component: Service Provider

Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.

Conditions:
Virtual server with GTP profile enabled processing GTP traffic.

Impact:
Well-formed GTP messages might get rejected.

Workaround:
Avoid sending GTP messages containing zero-length IEs.

Fix:
Zero-length IEs are now processed correctly.

815689-3 : Azure walinuxagent has been updated to v2.2.42.

Component: TMOS

Symptoms:
Some onboarding features are not available in the current version of walinuxagent.

Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.

Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.

Workaround:
None.

Fix:
The Azure walinuxagent has been updated to v2.2.42.

815649-1 : Named.config entry getting overwriting on SSL Orchestrator deployment

Component: Device Management

Symptoms:
When topology or general settings are re-deployed, named.config is modified, and entries which do not belong to SSL Orchestrator are overwritten.

Conditions:
This occurs when topology or system settings are re-deployed.

Impact:
Content of named.conf file is lost/overwritten.

Workaround:
Modify named.conf manually or using zoneRunner (DNS :: Zones : ZoneRunner : named Configuration) after SSL orchestrator deployment.

815529-2 : MRF outbound messages are dropped in per-peer mode

Component: Service Provider

Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.

Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.

Impact:
Outbound traffic with the same destination address may be dropped at random.

Workaround:
Change the peer connection mode to 'Per TMM'.

Fix:
Multiple outbound messages to the same destination address are no longer randomly dropped.

815449-2 : BIG-IP closes connection when an unsized response is served to a HEAD request

Component: Local Traffic Manager

Symptoms:
When HTTP response has neither Content-Length nor Transfer-Encoding and has a body, BIG-IP closes a connection to designate end of the response body. HTTP protocol allows to send HEAD request instead of GET request to obtain a response headers only (without). BIG-IP erroneously closes a connection when a response to HEAD request lacks both Content-Length and Transfer-Encoding.

Conditions:
BIG-IP has a virtual server configured to use an HTTP profile.
The server response does not include the Content-Length or Transfer-Encoding headers in response to a HEAD request, and both client and server sides expects the communication to continue over the same connection.

Impact:
Connection closes and a client may not repeat the corresponding GET request on another connection.

Fix:
Connection keeps opened when an unsized response provided to a HEAD request.

815001-1 : TMM Crash with inbound traffic during high availability (HA) failover

Component: Carrier-Grade NAT

Symptoms:
New standby device's tmm crashes and generates a core after high availability (HA) failover.

Conditions:
1. Enable inbound mode Endpoint Independent Filtering (EIF) in the source translation object.
2. Outbound traffic hits the source translation creating inbound entries.
3. Inbound traffic matches the inbound entry, and this connection stays alive.
4. high availability (HA) failover occurs.
5. Inbound connection closes, and the connection free comes from the BIG-IP system.

Impact:
New standby device's tmm may crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes with inbound traffic during high availability (HA) failover.

814953-3 : TMUI dashboard hardening

Solution Article: K43310520

814761-2 : PostgreSQL monitor fails on second ping with count != 1

Component: Local Traffic Manager

Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.

When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:

Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
    at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
    at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
    at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
    at java.lang.Thread.run(Thread.java:748)

Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 775901.

Impact:
Unable to monitor the health of postgresql server pool members accurately.

Workaround:
To work around this issue, configure a 'count' value of '1' in the postgresql monitor configuration.

Fix:
The DB monitor reports the health of a DB server pool member accurately in conjunction with the fix for ID 775901.

814585-3 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.

814097-2 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.

Component: Service Provider

Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.

Conditions:
Converting the transport of SIP messages with the Generic Message router.

Impact:
Any code that waits for the SERVER_CONNECTED event will not run.

Fix:
SERVER_CONNECTED event is raised.

814037-4 : No virtual server name in Hardware Syncookie activation logs.

Component: Local Traffic Manager

Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:

notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.

Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.

Impact:
Difficult to determine which virtual server actually got the Syncookie activated.

Workaround:
None.

813945-3 : PB core dump while processing many entities

Component: Application Security Manager

Symptoms:
PB core dump.

Conditions:
This may happen when the system is strained and PB is processing large policies (updating many entities may happen during periodic processing, response analysis).

This is a very rarely occurring scenario.

Impact:
PB core dump and restart.

Workaround:
None.

Fix:
PB core dump no longer occurs.

813701-3 : Proxy ARP failure

Component: Local Traffic Manager

Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.

Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.

Impact:
ARP replies are dropped, leading to connection failures.

Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.

813561-3 : MCPD crashes when assigning an iRule that uses a proc

Component: Local Traffic Manager

Symptoms:
MCPD crashes when assigning an iRule to a Virtual Server or loading a config with an iRule assigned.

Conditions:
The iRule must uses a proc that contains three statements associated with different feature flags.

Impact:
MCPD will crash, unable to use a desired iRule.

Workaround:
None

Fix:
iRules using proc can be assigned to a Virtual Server without crashing MCPD.

813409-1 : BD crash under certain circumstances

Component: Application Security Manager

Symptoms:
BD crashes with an error message:
01230140:3: RST sent from 10.0.1.101:83 to 10.0.1.1:464, [0x2911514:1148] Internal error (ASM requested abort (open error)).

Conditions:
The conditions under which this occurs are unknown.

Impact:
Traffic disruption / failover.

Workaround:
None.

Fix:
This release fixes a bd crash scenario.

813389-1 : TMM Crashes upon failure in Bot Defense Client-Side code

Component: Application Security Manager

Symptoms:
On some cases, when Bot Defense Client-Side code is running on the browser, it causes TMM to crash.

Conditions:
-- Bot Defense is enabled with any JS browser verification (before or after access).
-- Surfing using a browser to an html page.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Adding sanity test so TMM will not crash.

813301 : LSN_PB_UPDATE logs are not generated when subscriber info changes

Component: Advanced Firewall Manager

Symptoms:
LSN_PB_UPDATE logs are not generated when subscriber info changes.

Conditions:
Logging profile indicates that LSN_PB_UPDATE events should be logged.

Impact:
The expected logs are not generated.

Workaround:
None.

812981-4 : MCPD: memory leak on standby BIG-IP device

Component: TMOS

Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.

Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically

Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.

Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.

812929-2 : mcpd may core when resetting a DSC connection

Component: TMOS

Symptoms:
In rare circumstances mcpd may core when resetting its DSC connection.

Conditions:
The exact conditions are not known for this to occur. The BIG-IP system must be in a Device Service Cluster, and must have configuration sync enabled. It might be related to when an Administrative BIG-IP user makes manual changes to the device trust group that would cause the trust to be broken (and optionally, re-established).

Impact:
mcpd cores and restarts. This results in a failover to the next active peer.

Workaround:
None.

Fix:
The system now prevents mcpd from coring when it resets it DSC connection.

812341-2 : Patch or Delete commands take a long time to complete when modifying an ASM signature set.

Component: Application Security Manager

Symptoms:
When modifying an ASM signature set that is not attached to any security policy using iControl REST Patch or Delete commands, the command takes a long time to complete.

Conditions:
-- ASM provisioned.
-- Using REST API Patch or Delete command to modify an ASM signature set.

Impact:
Command takes longer (several seconds) to process on detached ASM signature sets than it takes to complete on attached signature sets.

Workaround:
None.

Fix:
Changes to signatures and signatures sets now only recompile policies that are affected by the change.

811965-2 : Some VDI use cases can cause excessive resource consumption

Component: Access Policy Manager

Symptoms:
Under certain conditions, APM may consume excessive resources while processing VDI traffic.

Conditions:
APM is used as VDI proxy.

Impact:
Excessive resource usage, potentially leading to a failover event.

Workaround:
None.

Fix:
APM now processes VDI traffic as expected.

811789-2 : Device trust UI hardening

Solution Article: K57214921

811745-2 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected

Component: Service Provider

Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.

Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.

Impact:
Loss of mirroring between BIG-IP systems.

Workaround:
None.

Fix:
Mirror connections no longer disconnect during a failover.

811701-1 : AWS instance using xnet driver not receiving packets on an interface.

Component: TMOS

Symptoms:
Packets are being sent to the AWS instance but no packets are seen on interface.

Conditions:
-- AWS instance using xnet driver.
-- Occurs when the instances are idle and then suddenly passes traffic again.
-- Other, more specific conditions are unknown at this time.

Impact:
Loss of packets in the interface, in turn, causing data loss.

Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this would be the 'sock' driver.

Use The following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)

  # echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl

[check that the file's contents are correct]

  # cat /config/tmm_init.tcl

[restart the BIG-IP's TMM processes]

  # bigstart restart tmm

[make certain that the 'driver_in_use' is 'sock']

  # tmctl -dblade -i tmm/device_probed

811333-2 : Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile★

Component: Local Traffic Manager

Symptoms:
After upgrade, configuration load fails and the following error is present in /var/log/ltm log:

01070312:3: Invalid keyword 'sslv2' in ciphers list for profile /Common/serverssl-insecure-compatible
Unexpected Error: Loading configuration process failed.

Conditions:
-- BIG-IP system with SSLv2 as ciphers option in SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.

Impact:
The config is not loaded, and upgrade fails.

Workaround:
If you are encountering this after upgrading, run the following commands from the bash prompt:

1. Backup the configuration:
#cp /config/bigip.conf /config/bigip_backup.conf

2. List the occurrences of 'sslv2' in the bigip.conf:
#more bigip.conf | grep -i sslv2

3. Remove the SSLv2 references:
#sed -i "s/\!SSLv2://g" /config/bigip.conf

4. Check to ensure there are no 'sslv2' references:
#more bigip.conf | grep -i sslv2

5. Verify the configuration:
#tmsh load sys config verify

6. Try loading the configuration:
#tmsh load sys config

Fix:
SSLv2 validation is removed from the configuration and upgrade succeeds.

811161-1 : Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992

Component: Local Traffic Manager

Symptoms:
TMM cores when creating a virtual server.

Conditions:
ISO build that includes a fix for the following IDs:
-- ID 718790 :: Bug ID 718790: Traffic does not forward to fallback host when all pool members are marked down :: https://cdn.f5.com/product/bugtracker/ID718790.html.
-- ID 783617 :: Bug ID 783617: Virtual Server resets connections when all pool members are marked disabled :: https://cdn.f5.com/product/bugtracker/ID783617.html.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now handles the case in which the virtual address tags come in different orders.

811157-2 : Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself

Component: Advanced Firewall Manager

Symptoms:
"Global Staged Default Action" message is logged into the firewall log for ICMP traffic targeted to Self-IP or Virtual Server destination address, even though this traffic can never be affected by Global Default Actions.

The "Global Staged Default Action" counter is also incremented.

Conditions:
Logging is enabled for Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "enabled" (this sys db has value "disabled" by default).

There are no special conditions for the "Global Staged Default Action" counter increment.

Impact:
Misleading messages are logged into the firewall log.
The "Global Staged Default Action" counter is incorrectly incremented.

The traffic itself is not affected and there are no other negative effects except the incorrect log message and counter update.

Workaround:
There is no workaround regarding the "Global Staged Default Action" counter increment.

For preventing the misleading log message disable logging of Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "disabled".

Fix:
The "Global Staged Default Action" message is not logged and corresponding counter is not incremented for ICMP traffic targeted to Self-IP or Virtual Server destination address.

811149-1 : Remote users are unable to authenticate via serial console.

Component: TMOS

Symptoms:
Attempts to login to the serial console with remote user credentials (e.g., RADIUS, LDAP, TACACS remote auth) fail with one of the following error messages:

-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)

Conditions:
Configure system for remote authentication and attempt authentication via serial console.

Impact:
Remote authentication users are unable to login via serial console.

Workaround:
There are two workarounds:
-- Remote authentication users can login using an SSH connection to the BIG-IP system's management IP address.

-- Use the credentials of a local user account to login to the serial console.

811145-2 : VMware View resources with SAML SSO are not working

Component: Access Policy Manager

Symptoms:
Connections to SAML-enabled VMware View resources fail with following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.

Conditions:
VMware View resource is configured with SAML SSO method.

Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.

Workaround:
None.

Fix:
Can now successfully use VMware View resources with SAML SSO.

811105-1 : MRF SIP-ALG drops SIP 183 and 200 OK messages

Component: Service Provider

Symptoms:
SIP 183 and 200 OK messages are dropped after an INVITE in MRF SIP-ALG when media info is present in the Session Description Protocol.

Conditions:
- MRF SIP-ALG default configuration
- INVITE sent with media info in SDP
- Media info contains an rtcp without an IP address

Impact:
SIP calls are unable to establish media connections.

Workaround:
Ensure all RTCP attributes in the SDP have IP addresses.
Example: Change "a=rtcp:29974\r\n" to "a=rtcp:29974 IN IP4 10.10.10.10\r\n"

Fix:
Calls are able to establish media connections in MRF SIP-ALG when media info contains an RTCP with no IP information.

811053-2 : REBOOT REQUIRED prompt appears after failover and clsh reboot

Component: TMOS

Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.

Conditions:
This issue can be created by doing the following:
- using a VIPRION system with at least 2 blades running
- AAM is not provisioned
- reset the primary blade
- immediately following the blade reset, run 'clsh reboot' on a secondary blade.

Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #

Any blade with this prompt must be rebooted again.

Workaround:
None currently known.

811033-2 : MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used

Component: Service Provider

Symptoms:
If a message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP), messages traveling from the destination to the source of the persistence entry are incorrectly delivered to the destination.

Conditions:
-- A message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP).
-- Messages are traveling from the destination to the source of the persistence entry.

Impact:
Messages are forwarded to an incorrect endpoint.

Workaround:
None.

Fix:
For all bi-directional persistence records the transport protocol of the connection is not used in the key used to store the record.

810957-2 : Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core

Component: TMOS

Symptoms:
When using dynamic routing, changing a virtual server's address from IPv6 to IPv4 can cause tmrouted to core.

Conditions:
-- Using dynamic routing.
-- Changing a virtual server's destination address from IPv6 to IPv4.
-- The virtual server's state changes.

Impact:
Tmrouted cores and restarts, which causes a temporary interruption of dynamic routing services.

Workaround:
Use TMSH to modify both the destination address and the netmask at the same time, e.g.:

tmsh modify ltm virtual <virtual server name> destination <destination address> mask <netmask>

Fix:
Now preventing tmrouted from coring when a virtual server's address is changed from IPv6 to IPv4.

810821-1 : Management interface flaps after rebooting the device

Component: TMOS

Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.

Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.

This problem has been observed only on hardware platforms.

Impact:
Devices go active-active for a few seconds and then resume normal operation.

Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.

For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.

Fix:
The startup sequence has been changed to confirm that management port configuration is complete before proceeding with HA processing.

810657-2 : Tmm core while using service chaining for SSLO

Solution Article: K21135478

810593-2 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★

Solution Article: K10963690

Component: TMOS

Symptoms:
The vCMP guests go to 'INOPERATIVE' after upgrade.

Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5.

Impact:
The vCMP guests go to the 'INOPERATIVE' state and do not pass traffic.

Workaround:
There is no workaround. You must upgrade the VCMP host to a fixed version, for example, 15.1.0.

810557-8 : ASM ConfigSync Hardening

Solution Article: K05123525

810537-2 : TMM may consume excessive resources while processing iRules

Solution Article: K12234501

810533-4 : SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile

Component: Local Traffic Manager

Symptoms:
When the client attempts to connect, even when sending the proper SNI extension, the BIG-IP system resets the connection after the client hello.

Conditions:
-- SNI Required set to true.
-- No Server Name configured in the client SSL profile.

Impact:
SSL connections with valid SNI are closed, and the client cannot connect. With generic alerts enabled, you will see 'SSL alert number 40'. This is because the system does not read the server names from the SAN extension within the certificate.

Workaround:
Specify a valid server name in the server name field of the client SSL profile.

810445-2 : PEM: ftp-data not classified or reported

Component: Local Traffic Manager

Symptoms:
When a virtual server is configured with an FTP profile, and also a PEM or classification profile, the traffic associated with the FTP data stream is not correctly classified or reported.

Conditions:
-- Virtual server is configured with an FTP profile.
-- There is also PEM or classification profile.

Impact:
Traffic associated with ftp-data (i.e., file transfers using FTP) may not be classified or reported.

Workaround:
None.

Fix:
Ftp-data is now correctly classified and reported. Note that the 'inherit-parent-profile' in the FTP profile must be enabled.

810381-4 : The SNMP max message size check is being incorrectly applied.

Component: TMOS

Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size then, it applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests time out if they are too long or if their responses are too long, for example, large get bulk requests.

Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.

Impact:
Responses time out.

Workaround:
Do not send SNMPv3 requests to the BIG-IP system.

Fix:
SNMPv3 requests no longer impact SNMPv1 and SNMPv2c requests.

809729-2 : When HTTP/2 stream is reset by a client, BIG-IP may not respond properly

Component: Local Traffic Manager

Symptoms:
When a client resets the HTTP/2 stream, the BIG-IP system may have several DATA frames ready to send. It drops these frames but does not account back those in a connection-send window. It can reduce this window to the value when no DATA frames are sent over this connection until the client updates the send window.

Conditions:
-- BIG-IP system has a virtual server.
-- HTTP/2 profile is assigned to it.

Impact:
For any subsequent request after the send window loses enough size, DATA frames with payload are not sent to the client over the affected HTTP/2 connection.

Workaround:
None.

Fix:
BIG-IP systems correctly handle dropping DATA frames accounting back their lengths in a connection-send window.

809701-2 : Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist

Component: Local Traffic Manager

Symptoms:
In BIG-IP GUI iRule definitions, when hovering over HTTP::proxy, the help text mentions 'HTTP::proxy dest', which is an invalid command.

Conditions:
The system displays incorrect information when the iRule help text is visible.

Impact:
The help text mentions 'HTTP::proxy dest', which is an invalid command option.

Workaround:
Do not use the invalid 'HTTP::proxy dest' command.

Fix:
The help text now shows 'HTTP::proxy', which is correct.

809597-3 : Memory leak in icrd_child observed during REST usage

Component: Local Traffic Manager

Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.

Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.

Impact:
The memory leak is very progressive. Eventually, the icrd_child process runs out of memory.

Workaround:
None.

Fix:
Fixed a memory leak in icrd_child.

809553 : ONAP Licensing - Cipher negotiation fails

Component: TMOS

Symptoms:
Cipher negotiation fails between the BIG-IP and a third-party license server.

Conditions:
This occurs when BIG-IP is deployed in a custom ONAP environment that uses a third-party license server.

Impact:
TLS negotiation fails.

Workaround:
Change the order of ciphers.
Enable only ECDHE ciphers.

809377-6 : AFM ConfigSync Hardening

Solution Article: K05123525

809205 : CVE-2019-3855: libssh2 Vulnerability

Component: TMOS

Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.

Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.

Impact:
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

Workaround:
None.

Fix:
libcurl updated

809165-2 : TMM may crash will processing connector traffic

Solution Article: K50046200

809125-2 : CSRF false positive

Component: Application Security Manager

Symptoms:
A CSRF false-positive violation.

Conditions:
CSRF enforcing security policy.

This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.

Impact:
False-positive Blocking / Violation

Workaround:
If this happens change the csrf parameter and restart the asm daemon:

1. Change the csrf parameter name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>

2. Restart the asm daemon:
restart asm

808525-2 : TMM may crash while processing Diameter traffic

Solution Article: K55812535

808409-3 : Unable to specify if giaddr will be modified in DHCP relay chain

Component: Local Traffic Manager

Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.

However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior cannot be configurable with a db key.

Conditions:
DHCP Relay deployments where the giaddr needs to be changed.

Impact:
You are unable to specify whether giaddr will be changed.

Workaround:
None.

Fix:
A new sys db tmm.dhcp.relay.giaddr.overwrite is introduced

The default is :

sys db tmm.dhcp.relay.giaddr.overwrite {
value "enable"
}

On versions with a fix to 746077, the sys db DOES NOT exist and BIG-IP will always retain the source IP

On versions with both this fix and ID748333 fix, this fix overrides the fix for 746077. To change the default, set to "disable" to retain

808301-2 : TMM may crash while processing IP traffic

Solution Article: K04897373

807477-10 : ConfigSync Hardening

Solution Article: K04280042

807453-1 : IPsec works inefficiently with a second blade in one chassis

Component: TMOS

Symptoms:
Under high availability (HA) configurations, a secondary blade does not receive mirrored updates for security associations (SAs).

When a new ike-peer is created, if that peer's IP address is handled by a secondary blade, all IKE negotiation packets are dropped after forwarding between primary and secondary blades.

But an ike-peer that is present from the start is mistakenly assigned to a primary blade, and thus works correctly.

Conditions:
-- More than one blade: a secondary blade in addition to a primary blade.

-- Remote ike-peer IP addresses that happen to hash to a secondary blade by the BIG-IP system disaggregation (DAG) mechanism.

-- Configuration for Active-Standby, which works on Active but fails to mirror SAs to Standby, when the IP address would be handled by a secondary blade.

Impact:
After failover from Active to Standby, missing SAs that could not be mirrored are renegotiated, causing tunnel outage until new negotiation concludes.

After adding a new ike-peer that should negotiate on a secondary blade, all IKE packets vanish, so no tunnel is ever created for such an ike-peer.

In high availability (HA) configurations, tunnels re-establish after renegotiation, for tunnels that would be assigned to a secondary blade. This works, but undercuts the benefit of high availability (HA) for tunnels other than those on a primary blade.

Workaround:
For a new ike-peer assigned to a secondary blade, restart tmm or the blade, and when the system comes back up, this peer is handled on the primary blade.

Note: Although this peer can then create a tunnel, any secondary blade is unused by IPsec.

Fix:
Assignment of blade ownership is now correct after a restart, even when blades are slowly discovered incrementally, or added dynamically after a system has come up.

HA mirroring works, and SAs are present after failover.

Tunnels are negotiated on secondary blades, so ike-peer instances with IP addresses handled on a secondary blade function as well as those on a primary blade.

807337-3 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.

Component: TMOS

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction attempts 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object (such as delete, create, modify).

Impact:
The GUI shows misleading info about the pool monitor.The monitor-related object may be unchanged, or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').

Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).

807177-2 : HTTPS monitoring is not caching SSL sessions correctly

Component: Global Traffic Manager (DNS)

Symptoms:
In situations where a cached SSL session cannot be used, there are conditions where the information for old and new SSL sessions are not properly updated, and valid SSL sessions are not terminated in an orderly fashion.

Conditions:
When using GTM HTTPS monitoring.

Impact:
Information for old and new SSL sessions are not properly updated, and valid SSL sessions are not terminated in an orderly fashion.

Workaround:
Restart big3d by running the following command:

bigstart restart big3d

807005-1 : Save-on-auto-sync is not working as expected with large configuration objects

Component: TMOS

Symptoms:
In device group has enabled 'save sys config' for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true

Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.

Conditions:
-- The save-on-auto-sync option is enabled.
-- Device has large configuration, such as 2,100 virtual servers and ~1100 partitions

Impact:
Configuration is not saved, which leads to out-of-sync condition.

Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.

806985 : Engineering Hotfix installation may fail when Engineering Hotfix contains updated nash-initrd package★

Component: TMOS

Symptoms:
Installation of an Engineering Hotfix based on BIG-IP 14.1.0 or later may fail in some cases if the Engineering Hotfix contains an updated nash-initrd package.

When this issue occurs:
-- The system software status for the affected volume on the new blade shows a status of 'failed (RPM transaction failure.)'
-- The /var/log/liveinstall.log file on the new blade contains a message similar to the following:
info: RPM: error: %post(nash-initrd-5.1.19.6-68.el7.1.0.17.7.x86_64) scriptlet failed, exit status 1.

Conditions:
This issue may occur under some conditions when installing an Engineering Hotfix based on BIG-IP 14.1.0 or later which contains an updated nash-initrd package.

The specific conditions under which this issue may occur have not been confirmed, but are reported to include:
-- Using B4450, B2100, B2150 or B2250 blades in a VIPRION chassis.
-- Installing an affected Engineering Hotfix into a new software volume on all blades in the chassis.
-- Inserting a new blade into a VIPRION chassis where the primary blade is running an affected Engineering Hotfix but the new blade is currently running an older BIG-IP software version (such as v12.1.x).

There may be other conditions under which this problem may occur which have not yet been confirmed.

See BugTracker for updated information as details are confirmed.

Impact:
Unable to install a software image containing an affected Engineering Hotfix to one or more blades in VIPRION chassis.

Workaround:
Specific workarounds for specific reported conditions have not yet been confirmed, but may include:

-- In a VIPRION chassis, booting into a software volume that is not running an affected Engineering Hotfix; inserting the new blade and waiting for all software volumes to be successfully installed/updated; and then booting the blades into the software volume that is running the affected Engineering Hotfix.
-- In a VIPRION chassis, rebooting all blades into a common volume that has been successfully installed (such as v12.1.x); waiting for the failed software installation to be automatically retried; and then rebooting the blades into the software volume that is running the affected Engineering Hotfix.
-- Temporarily installing a new blade into a separate VIPRION chassis with no other blades; manually reinstalling the affected Engineering Hotfix into the affected volume; and then installing the new blade into the existing chassis.
-- In a VIPRION chassis, installing the Release image on which the desired Engineering Hotfix is based into a new volume; booting into the new volume; rebooting into the original volume; installing the Engineering Hotfix into the new volume; and then booting into the new volume.

There may be other workarounds which are effective in avoiding and/or resolving this issue under specific conditions but have not yet been confirmed.

See BugTracker for updated information as details are confirmed.

Fix:
A software image containing an Engineering Hotfix which includes an updated nash-initrd package may be successfully installed into blades in VIPRION chassis.

806825 : Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool

Component: Carrier-Grade NAT

Symptoms:
Configure translate-address disabled under Virtual with LTM pool configured.

In the NAT44 case, LTM pool is used as next-hop and packets are L2 forwarded to LTM pool members without destination address translated.

In NAT64 case, packets are dropped if there is no route available to reach the IPv4 destinations (derived from original IPv6 destination). Packets are not L2 forwarded to LTM pool members.

Conditions:
-- Virtual server with LTM pool configured.
-- CGNAT LSN pool configured.
-- Translate-address disabled.

Impact:
If there is no route available to reach the destination, NAT64 packets are dropped.

Workaround:
Configure default gateways/routes to reach the IPv4 destination in NAT64 case.

Fix:
Aligned the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool.

Use LTM pool as next hop for L2 forwarding the NAT64 packets when translate-address is disabled.

806093-1 : Unwanted LDAP referrals slow or prevent administrative login

Component: TMOS

Symptoms:
On a BIG-IP system configured with remote LDAP/Active Directory authentication, attempting to login to the Configuration Utility or to the command-line interface may proceed very slowly or fail.

Conditions:
-- LDAP/Active Directory 'system-auth' authentication configured.
-- The Active Directory enables LDAP referral chasing (the default).
-- There are a number of Active Directory servers in the enterprise, or the BIG-IP system does not have complete network connectivity to all Active Directory servers (caused by firewalls or special routes).

Impact:
The BIG-IP system may chase LDAP referrals that reference LDAP servers that are unreachable, resulting in authentication timeouts/failures.

Workaround:
Which workaround to use to temporarily disable referrals chasing depends on the version you have.

-- For BIG-IP 14.1.0 - 14.1.2.2, and 15.0.0 - 15.0.1.0

   1. Edit the configuration files
   -- /etc/nslcd.conf

   2. Add add the following line to the end of the file:
   referrals no

   3. Restart nslcd service to apply change:
   systemctl restart nslcd

   Important: This change is not persistent, and will be lost whenever MCPD reloads the BIG-IP configuration (tmsh load sys config), or when other changes are made to system-auth configuration values.

-- For BIG-IP 14.1.2.3 (and later 14.1.x releases), and 15.0.1.1 (and later 15.0.x.x releases), a db key has been added to allow this setting to be controlled. After making the db key change, the BIG-IP configuration must be saved and then loaded again, in order to update nslcd.conf

   tmsh modify sys db systemauth.referrals value no
   tmsh save sys config
   tmsh load sys config

Fix:
Changes to LDAP referrals value in configuration are now saved, so this issue no longer occurs.

806085-2 : In-TMM MQTT monitor is not working as expected

Component: Local Traffic Manager

Symptoms:
The monitoring probes are not being sent out to the network. Regardless of the monitor config and sys db variable.

Conditions:
Configuring the in-TMM MQTT monitor.

Impact:
Pool members with attached MQTT monitor state is incorrectly shown as DOWN.

Workaround:
None.

Fix:
In-TMM MQTT monitor now works as expected.

806073-3 : MySQL monitor fails to connect to MySQL Server v8.0

Component: TMOS

Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.

Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.

Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.

805837-2 : REST does not follow current design best practices

Solution Article: K22441651

805557-2 : TMM may crash while processing crypto data

Solution Article: K43815022

805417-1 : Unable to enable LDAP system auth profile debug logging

Component: TMOS

Symptoms:
Beginning in version 14.1.0, LDAP debugging must be performed on nslcd logs and not pam_ldap logs; however, it is not possible to enable debug logging on nslcd via the configuration file.

Conditions:
This would be encountered only if you (or F5 Support) wanted to do troubleshooting of LDAP connections by enabling debug logging.

Impact:
LDAP system authentication 'debug' parameter does not provide sufficient levels of debug logs, but there is no functional impact to normal system operation.

Workaround:
To enable debug logging and have the system post log messages to the SSH/console window, start the nslcd process with -d option, which causes nslcd to run in the foreground until you press control-c to stop it:

   systemctl stop nslcd
   nslcd -d

Note: The -d setting does not persist, so each time you want to log debug output, you must complete this procedure.

You can increase the amount of debug output by specifying additional -d options (up to 3), e.g., '-ddd' or '-d -d -d'.

When done, stop nslcd with control-c, and then restart it with the default options via the normal systemctl daemon:

   systemctl start nslcd

Fix:
The nslcd logs are now visible on /var/log/secure file.

805353-1 : ASM reporting for WebSocket frames has empty username field

Component: Application Security Manager

Symptoms:
When using ASM to inspect and report WebSocket frames, the username field is always reported as empty or absent.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- WebSocket profile attached to a virtual server.
-- ASM logging profile attached to a virtual server.
-- WebSocket traffic inspected by ASM and logged as event log message or remote logger message.

Impact:
Poor visibility of current logged-in user in the event log for WebSocket frames.

Workaround:
None.

Fix:
ASM populates username field for logged WebSocket frames

805017-2 : DB monitor marks pool member down if no send/recv strings are configured

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- AnLTM pool or pool members are configured to us an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.

Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).

804537-1 : Check SAs in context callbacks

Component: TMOS

Symptoms:
Crypto operations can crash.

Conditions:
Any crypto operation involving an ike-sa or a child-sa.

Impact:
Tunnel outage due to core, lasting until restart and renegotiation.

Workaround:
None.

Fix:
Fixed a crash related to crypto operations and SAs.

804313-2 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.

Component: Service Provider

Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.

Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.

Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.

Workaround:
None

Fix:
Message sweeper interval value now loads correctly.

804309-2 : [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument

Component: TMOS

Symptoms:
Running the command 'tmsh list' on a pool or virtual server with the 'all-properties' argument generates a warning:

[api-status-warning] ltm/virtual, properties : deprecated : urldb-feed-policy

Conditions:
Including the 'all-properties' argument with the 'tmsh list' command.

Impact:
There is no impact to the system. The excessive [api-status-warning] at stderr and /var/log/ltm for tmsh list commands are spurious, benign, and can be ignored.

Workaround:
tmsh modify /mgmt shared settings api-status log resource-property deprecatedApiAllowed false

tmsh modify /mgmt shared settings api-status log resource deprecatedApiAllowed false

804185-2 : Some WebSafe request signatures may not work as expected

Component: Fraud Protection Services

Symptoms:
Request signatures are part of the WebSafe signature mechanism. The request signature is achieved by configuring an FPS-protected URL and a corresponding custom-alert. If the URL is a wildcard, a priority must be assigned to determine the order of matching. URL matching by priority is not working properly. As a result, the signature do not work as expected

Conditions:
There is at least one wildcard URL configured by the request signature update file.

Impact:
A portion of WebSafe request signature do not work as expected:
-- An alert is sent, though it should not be (false-positive).
-- An alert was not sent, though it should be (false-negative).

Workaround:
Configure the same signature manually in the BIG-IP system's GUI/tmsh.

Fix:
FPS now correctly handles signature-based wildcard URL's priority.

803845-2 : When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown

Component: Local Traffic Manager

Symptoms:
Standby is passing traffic when a virtual wire is configured.

Conditions:
-- Virtual wire configured in high availability (HA).

Impact:
Standby device is forwarding traffic traffic when it should not, causing a loop and subsequent network shutdown.

Workaround:
None.

Fix:
The Standby device no longer passes traffic through virtual wire when it should not.

803813-2 : TMM may experience high latency when processing WebSocket traffic

Component: Application Security Manager

Symptoms:
Under certain conditions, TMM may experience higher than usual latency when processing WebSocket traffic.

Conditions:
-- WebSocket traffic.
-- Very long connections or large amounts traffic.
-- Platforms with many CPUs.

Impact:
Increased latency in WebSocket traffic.

Workaround:
None.

Fix:
Fix an issue that could cause a latency with WebSocket traffic.

803809-2 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.

Component: Service Provider

Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.

Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.

Impact:
Calls from one or more clients are unable to be completed.

Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.

Fix:
Clients with previous connection failures are now able to connect when the port is no longer in use or the configuration has been changed.

803645-3 : GTMD daemon crashes

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process crashes in response to a call triggered by its own timer event.

Conditions:
The conditions under which this causes this intermittent issue are difficult to reproduce, but it might occur when the system is under heavy load when gtmd is starved of CPU cycles.

Impact:
The gtmd process restarts and produces a core file.

Workaround:
None.

803477-2 : BaDoS State file load failure when signature protection is off

Component: Anomaly Detection Services

Symptoms:
Behavioral DoS (BADoS) loses its learned thresholds.

Conditions:
Restart of admd when signature protection is off.

Impact:
The system must relearn the thresholds, BADoS protection is not available during the learning time.

Workaround:
Turn on signatures detection.

Fix:
BADoS State file successfully loads after admd restart, even without signatures detection.

803445-3 : When adding several mitigation exceptions, the previously configured actions revert to the default action

Component: Application Security Manager

Symptoms:
After adding a new item to the mitigation exception list, you can also change its mitigation action. If you do not save the changes and then add more new exception items, the mitigation actions of the previously added items return to their default value actions.

Conditions:
-- Add mitigation exception to the Bot Configuration.
-- Change mitigation action on that new exception.
-- Add new items to exception list without first saving.

Impact:
Mitigation action exceptions might be saved with their default value actions instead of the actions you configured.

Workaround:
After adding a group of exception items and editing their actions, save the Bot Configuration properties before adding any new mitigation exception items.

Fix:
When adding several mitigation exceptions, the previously configured actions no longer revert to the default action.

803233-3 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable

Component: Local Traffic Manager

Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):

1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:

-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.

2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:

-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.

Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.

Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.

Workaround:
None.

803149-1 : Flow Inspector cannot filter on IP address with non-default route_domain

Component: Advanced Firewall Manager

Symptoms:
Flow Inspector cannot filter on IP address with non-default route_domain.

Conditions:
-- In Flow Inspector.
-- Attempting to filter results.
-- Some results use IP addresses with non-default route domains.

Impact:
Filter does not return results as expected.

Workaround:
None.

Fix:
You can now filter on IP address with non default route_domain In Flow Inspector.

802977-2 : PEM iRule crashes when more than 10 policies are tried to be set for a subscriber

Component: Policy Enforcement Manager

Symptoms:
Tmm crashes.

Conditions:
Using an iRule to apply more than 10 referential policies for a subscriber.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The BIG-IP system validates the number of policies before setting them to a subscriber.

In this release, iRule behavior does not result in a tmm core dump, but the number of policies that can be simultaneously applied to a subscriber through an iRule is limited to 7.

Behavior Change:
In previous releases, the system did not prevent using an iRule to apply more than 10 referential policies for a subscriber. In those cases, however, tmm crashed and generated a core.

In this release, the BIG-IP system validates the number of policies before setting them to a subscriber. iRule behavior does not result in a tmm core dump, but the number of policies that can be simultaneously applied to a subscriber through an iRule is limited to 7.

802961-2 : The 'any-available' prober selection is not as random as in earlier versions

Component: Global Traffic Manager (DNS)

Symptoms:
Some big3d instances can be periodically busier than other big3d instances.

Conditions:
-- When 'any-available' is selected for either the prober-preference or prober-fallback options.
-- A large number of monitors are defined.

Impact:
When the 'any-available' prober option is used, the selection of big3d probers may not be as random as in BIG-IP software versions prior to v13.0.0.

Workaround:
None.

802889 : Problems establishing HA connections on DAGv2 chassis platforms

Component: TMOS

Symptoms:
High availability (HA) mirroring does not work correctly on VIPRION B4400 blades.

Conditions:
- VIPRION B4400 chassis platform with multiple blades.
- HA mirroring is enabled.

Impact:
HA mirroring does not work

Workaround:
None.

Fix:
HA connections on VIPRION B4400 chassis platforms are correctly established.

802873-1 : Manual changes to policy imported as XML may introduce corruption for Login Pages

Component: Application Security Manager

Symptoms:
Manual changes to a policy imported as XML may introduce corruption for Response Pages. The following log appears:
ASM subsystem error (asm_config_server.pl ,F5::PrepareConf::Policy::prepare_alternate_response_file_tbl): failed to parse response headers - please check response page.

Conditions:
-- XML policy file is missing a response header.
-- Import the policy.

Impact:
The affected reponse page is not returned for traffic as expected, and an error is reported instead.

Workaround:
Mitigation:
Ensure that response_header exists in XML policy file before import.

Workaround:
Go to the affected policy's Response Pages: Login Page, click Save and then click Apply Policy.

Fix:
The system now gracefully ignores empty header for Login Page response page.

802865-1 : The iControl REST query request returning empty list for DoS Protected Objects

Component: Advanced Firewall Manager

Symptoms:
DoS Protection profiles are not displayed in the GUI, but they are visible when using the tmsh command:

tmsh list security dos profile | grep "security dos profile"

Conditions:
This is encountered in Security :: DoS Protection : Protection Profiles.

Impact:
DoS Protected Objects are not included in the REST endpoint /mgmt/tm/security/presentation/tmui/virtual-list, so the GUI cannot display the DoS Protected Objects

Workaround:
Use tmsh.

Fix:
DoS Protected Objects are now visible in the GUI

802685-3 : Unable to configure performance HTTP virtual server via GUI

Component: TMOS

Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.

Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).

Impact:
Failed to create a 'performance HTTP' virtual server.

Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }

802421 : The /var partition may become 100% full requiring manual intervention to clear space

Component: Advanced Firewall Manager

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.

802281-1 : Gossip shows active even when devices are missing

Component: TMOS

Symptoms:
Gossip appears Active even when one or more devices go missing from device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.

Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.

Impact:
Gossip reports that it is working when it is not.

Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

802261-2 : TMM may crash while processing SSL traffic via an HTTP/2 full-proxy

Solution Article: K65372933

802245-1 : When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected.

Component: Local Traffic Manager

Symptoms:
The last provided cipher suite in the list is chosen if HTTP/2 is negotiated and not matched.

Conditions:
-- HTTP/2 negotiation is enabled.
-- The provided cipher suites are not matched.

Impact:
The least-secure cipher suite would be selected.

Workaround:
Put the most secure cipher suite in the end of the list.

Fix:
Now the most secure cipher suite is selected regardless of the order in the list.

801705-4 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC

Component: Local Traffic Manager

Symptoms:
The 'HTTP::cookie attribute' irule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.

Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.

Impact:
There is no space preceding the attribute. RFC is violated.

Workaround:
When inserting a cookie attribute with iRule command, add a leading space to the name of attribute to be inserted.

801497-2 : Virtual wire with LACP pinning to one link in trunk.

Component: Local Traffic Manager

Symptoms:
A virtual-wire that uses interface trunks may use a single interface on egress.

Conditions:
Virtual-wire configured across multi-interface trunks.

Impact:
This may lead to unexpected link saturation.

Workaround:
None.

800453-3 : False positive virus violations

Solution Article: K72252057

Component: Application Security Manager

Symptoms:
False positive ASM virus violations.

Conditions:
Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM.

Impact:
ASM reports a virus when the antivirus reply is timed out. False positive blocking or violation reporting.

Workaround:
Configure the EnableASMByPass internal parameter setting to allow the antivirus server to not reply, so it does not issue a violation when it occurs:

/usr/share/ts/bin/add_del_internal add EnableASMByPass 1
bigstart restart asm

Note: When the internal parameter is enabled, ASM also bypasses huge HTTP requests (when they come on multiple connections) instead of resetting them.

Fix:
False positive ASM virus violations no longer occur under these conditions.

800369-2 : The fix for ID 770797 may cause a TMM crash

Component: Local Traffic Manager

Symptoms:
In rare situations the TMM may crash after the original fix for ID 770797 is applied.

Conditions:
HTTP2 is used on the client-side of a virtual server without an MRF http_router profile.

The original fix for ID 770797 is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The fix for ID 770797 has been altered to prevent the TMM from crashing in rare situations.

800305-2 : VDI::cmp_redirect generates flow with random client port

Component: Local Traffic Manager

Symptoms:
The VDI::cmp_redirect iRule command generates a flow with a randomly-assigned client port.

Conditions:
-- VDI::cmp_redirect iRule command used

Impact:
Client port is not the same as the original client port.

Fix:
The VDI::cmp_redirect iRule command now uses the same port.

800265-2 : Undefined subroutine in bigip_add_appliance_helper message

Component: Global Traffic Manager (DNS)

Symptoms:
When using the -a switch with bigip_add (which instructs bigip_add to use bigip_add_appliance_helper), the script terminates with an error:
Undefined subroutine &gtm_env::get_unique_certs called at /usr/local/bin/bigip_add_appliance_helper line 113.

Conditions:
Use the bigip_add script with the -a switch in appliance mode.

Impact:
BIG-IP_add fails in appliance mode, reporting an error message.

Workaround:
None.

800209-1 : The tmsh recursive list command includes DDoS GUI-specific data info

Component: Advanced Firewall Manager

Symptoms:
DDoS GUI-specific data is included when running the command: tmsh recursive list. This irrelevant information might cause confusion.

Conditions:
This occurs when the AFM module is enabled

Impact:
Extra, irrelevant data is provided in output, which can cause confusion.

Workaround:
This always happens as long as AFM is enabled. You can deprovision the AFM module to disable this command.

Fix:
DDoS GUI-specific data is now filtered out when running the command: tmsh recursive list.

800185-4 : Saving a large encrypted UCS archive may fail and might trigger failover

Component: TMOS

Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:

# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package

-- If saving UCS is automated you may find related errors in /var/log/audit:

err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))

-- Other services might be restarted due to lack of memory, which might result in failover.

--System management via config utility or command line may be sluggish while UCS saves.

Conditions:
-- Large encrypted UCS files and low free host memory.

-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.

Impact:
The operation uses at least 1.3 times the UCS file size of RAM. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.

The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.

Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.

Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)

If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.

Fix:
Saving a large UCS file no longer fails.

800101-1 : BIG-IP chassis system may send out duplicated UDP packets to the server side

Component: Local Traffic Manager

Symptoms:
On a BIG-IP chassis based system, a single UDP packet on the client side flow may be duplicated and sent out to the server side.

Conditions:
When the UDP flow has been idle for more than 10 minutes and L2 entries for the flow in the broadcom switch have aged out.

Impact:
Duplicated server side egress packets may cause server side processing error.

Fix:
BIG-IP no longer sends out duplicated UDP egress packets on the server side.

799749-1 : Asm logrotate fails to rotate

Component: Application Security Manager

Symptoms:
ASM logrotate reports errors in /var/log/asm.:

error: error creating output file /ts/log//bd.log.1: File exists

Conditions:
Files ending with .1 exists in the logs directories.

Impact:
Logrotate does not work. May fill disk with logs over time.

Workaround:
Remove or rename all of the .1 logs.

799649-2 : TMM crash

Component: Local Traffic Manager

Symptoms:
TMM SIGSEGV crash due to memory corruption.

Conditions:
HTTP Security profile attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the HTTP Security profile.

Fix:
HTTP Security profile does not cause TMM crash.

799617-2 : ConfigSync Hardening

Solution Article: K05123525

799589-2 : ConfigSync Hardening

Solution Article: K05123525

799149-2 : Authentication fails with empty password

Component: Access Policy Manager

Symptoms:
Per-req policy authentication fails when an empty password is detected. Following errors are seen in apm logs:

-- err apmd[13930]: 01490301:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Empty session variable value received from tmm.
-- err apmd[13930]: 01490302:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Failed to decrypt session variable 'subsession.logon.last.password' from tmm with error code: 3.

Conditions:
-- APM is licensed and provisioned.
-- Per-req policy is created with at least one Auth agent.

Impact:
APM end users cannot change a password/token or access backend resources.

Workaround:
None.

Fix:
Per-request policy auth no longer complains about empty password. If the backend server accepts an empty password, auth should work fine.

798949-3 : Config-Sync fails when Config-Sync IP configured to management IP

Component: TMOS

Symptoms:
Device Group Sync Fails with error in the GUI: 01070712:3: Caught configuration exception (0), Failed to sync files.

Conditions:
Config-Sync IP configured to management IP:
sys db configsync.allowmanagement value enable

Impact:
Config-Sync of file objects such as SSL certificates fails.

Workaround:
None.

Fix:
Config-Sync has been updated to allow synchronization of file objects over the mgmt port.

798261-2 : APMD fails to create session variables if spanning is enabled on SWG transparent virtual server

Component: Access Policy Manager

Symptoms:
The following logs showed up in APM log and user session was terminated.

Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_finish_set_pipeline()" line: 720 Msg: Error: Set pipeline: While receiving response to 0 cmd set /.*/tmm.session.6833364e.session.assigned.uuid 0 0 32 s
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_server_disconnect()" line: 2533 Msg: Error: bad memcache connection (tmm:1), (fd:205)
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.

The SET command failed because it incorrectly attempted to create session variable in all traffic groups.

Conditions:
1. Virtual address for SWG transparent is 0.0.0.0
2. Spanning on the virtual address is enabled.

Impact:
User sessions will be terminated

Workaround:
Disable virtual address spanning.

Fix:
N/A

798249-2 : TMM may crash while processing HTTP/2 requests

Solution Article: K81557381

798105-1 : Node Connection Limit Not Honored

Component: Local Traffic Manager

Symptoms:
Connection limits on nodes are not honored.

Conditions:
A node with connection limits set.

Impact:
More traffic will pass to the node than the limit is supposed to allow.

Workaround:
Modify the node's limit after the node is created and it will start honoring the limit.

Fix:
The node's limit is now honored.

797977-1 : Self-IP traffic does not preserve the TTL from the Linux host

Component: Local Traffic Manager

Symptoms:
The Egress traffic from TMM has IP TTL set to 255 instead of keeping the TTL from the Linux host.

Conditions:
IP/IPv6 TTL for host traffic.

Impact:
Tools like traceroute do not work because Linux host rejects the packets.

Workaround:
Adjust TTL verification restrictions

Fix:
IP TTL is preserved.

797885-2 : ConfigSync Hardening

Solution Article: K05123525

797829-5 : The BIG-IP system may fail to deploy new or reconfigure existing iApps

Component: TMOS

Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:

script did not successfully complete: ('source-addr' unexpected argument while executing

The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.

The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.

Conditions:
This issue occurs when:

-- The BIG-IP system is configured with multiple users of varying roles.

-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.

-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.

Note: You can inspect the number of child processes already created by scriptd by running the following command:

pstree -a -p -l | grep scriptd | grep -v grep

However, it is not possible to determine their current 'security context'.

Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.

Workaround:
Restart scriptd. To restart scriptd, run:

bigstart restart scriptd

Running this command has no negative impact on the system.

The workaround is not permanent; the issue may occasionally recur depending on your system usage.

Fix:
The system now stops all scriptd child processes and creates new ones with the new user security-context when the user changes.

797785-2 : AVR reports no ASM-Anomalies data.

Component: Application Visibility and Reporting

Symptoms:
AVR collects data for ASM-Anomalies, which include Brute-Force and Web-Scraping activities. When reported, all metrics and dimensions are hidden. AVR output looks like this:
errdefs_msgno=\"22282253\",Entity=\"ASM_ANOMALIES\

Conditions:
When gathering statistics reporting a Brute-Force or Web-Scraping attack.

Impact:
AVR reports no ASM-Anomalies data.

Workaround:
None.

797541-1 : NTLM Auth may fail when user's information contains SIDS array

Component: Access Policy Manager

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

-- Users cannot log in through the BIG-IP APM system.

-- In the /var/log/apm file, the system logs warning messages similar to the following examples:
- warning eca[11256]: 01620002:4: [Common] 192.168.0.1:60294 Authentication with configuration (/Common/server1.example.com) result: user01@USER01 (WORKSTATION): Fail (UNEXP_006C0065)

- warning nlad[11261]: 01620000:4: <0x2b4d27397700> client[46]: DC[10.10.10.12]: schannel[0]: authentication failed for user 'user01', return code: 0x006c0065

Note: The reported return code may be a value other than 0x006c0065 or 0x00000007. However, the larger the size of the SIDS and Attributes array, the more likely the error value will be 0x00000007.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP APM system is configured to provide NTLM front-end authentication.
-- The authentication response contains a non-empty SID_AND_ATTRIBUTES array.

For example, this issue can occur when the user is a member of universal groups from a trusted domain.

Impact:
The authentication process fails and the user cannot log in.

Workaround:
None.

797277-2 : URL categorization fails when multiple segments present in URL path and belong to different categories.

Component: Traffic Classification Engine

Symptoms:
When a URL path contains multiple segments, where each segment belongs to a different URL category, the Webroot URL categorization engine does not store the results correctly and can return the wrong categories for these path segments.

Conditions:
-- URL path contains multiple segments(example: /abc/def/ghi)
-- Each segment belongs to a different URL category
+ abc: News
+ def: Search_Engine
-- URL categorization (Webroot) lookup results in cloud lookup (sending the query to Webroot remote server because of missing match in the local database).

Impact:
URL categorization does not categorize all of the segments in the path correctly when the query results in a cloud lookup to the Webroot BrightCloud server.

Workaround:
None.

Fix:
The system now stores the results of the BrightCloud server lookup correctly and returns the correct categories for each segment in the path.

796993-1 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs

Component: Local Traffic Manager

Symptoms:
When a pool contains FQDN nodes as pool members, pool member state changes messages are not logged in /var/log/ltm.

Conditions:
-- Create a pool with fqdn node as it pool members
-- Apply monitor to it
-- Monitor marks the pool member up/down based on reachability

Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.

796601-4 : Invalid parameter in errdefsd while processing hostname db_variable

Component: TMOS

Symptoms:
Errdefsd crashes, creates a core file, and restarts.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Possible loss of some logged messages.

Workaround:
None.

796469-6 : ConfigSync Hardening

Solution Article: K05123525

795797-2 : AFM WebUI Hardening

Solution Article: K21121741

795769-3 : Incorrect value of Systems in system-supplied signature sets

Component: Application Security Manager

Symptoms:
In properties of system-supplied Attack Signature Sets, the field "Systems" is always displayed with value All.

For example, for Generic Detection Signatures the "Systems" field should be: System Independent, General Database, Various systems

Instead, "Systems" is set to "All".

Conditions:
Only for system-supplied signature sets, while user-defined signatures sets are displayed with correctly assigned Systems.

Impact:
Misleading value of Systems

Workaround:
N/A

Fix:
Correct value of "Systems" is displayed for system-supplied signature sets

795685-2 : Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer

Component: TMOS

Symptoms:
If the BIG-IP system receives a BGP notification for OUT_OF_RESOURCES from its BGP peer, then displaying the peer information on the BIG-IP system causes bgpd to crash (running show ip bgp neighbor).

Conditions:
-- Receive a BGP notification for OUT_OF_RESOURCES from the BGP peer.
-- Run the 'show ip bgp neighbor' command to display the BGP peer information.

Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.

Workaround:
None.

Fix:
All the supporting BGP notification now have the corresponding message to display in show commands.

795649-3 : Loading UCS from one iSeries model to another causes FPGA to fail to load

Component: TMOS

Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.

The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:

-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2

Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.

Impact:
FPGA fails to load; the BIG-IP system becomes unusable.

Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:

-- For the i2800:

# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i7800:

# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i11400-ds:

# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

2. Reboot the system

795437-4 : Improve handling of TCP traffic for iRules

Solution Article: K06747393

795261-2 : LTM policy does not properly evaluate condition when an operand is missing

Component: Local Traffic Manager

Symptoms:
The BIG-IP system provides an LTM policies mechanism to process traffic based on a set of rules. A rule may include a number of conditions and a number of actions to execute when the conditions are satisfied. Conditions use operands to evaluate. When an operand is missing, the BIG-IP system may fail to properly evaluate the condition.

Conditions:
-- A virtual server is configured with an LTM policy.
-- The policy contains a rule with a condition which has an operand and a negative matching type like 'not equals' or 'not starts-with', etc. (e.g., http-referer host not contains { www.example.com }).
-- A processing entity (like HTTP request, etc.) is missing an operand or has an empty value (e.g., header 'Referer' is missing from the request).

Impact:
The policy is improperly evaluated on the processing entity and may produce incorrect results when load balancing a request and/or serving a response.

Workaround:
You can use either workaround:

-- Convert rules into a 'positive' (lacking of negative matching type) whenever possible.

-- Use iRules instead of a policy (might impact performance).

Fix:
The BIG0IP system no longer incorrectly evaluates conditions in LTM policy rules when their operands are missing in a processing entity.

795197-1 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Solution Article: K26618426

794581 : Transfer might stall for an object served from WAM cache

Component: Local Traffic Manager

Symptoms:
When HTTP response is served from cache, a transfer stalls due to incorrect value in Content-Length header.

Conditions:
- Virtual server with HTTP profile that has standard chunking settings.
- Web acceleration profile is configured on the virtual server.
- HTTP response is served from AAM cache.

Impact:
Transfer stalls as the client is expecting more bytes from peer (due to Content-Length header being advertised as greater than than object's actual size).

Workaround:
For the HTTP profile used, set request-chunking to selective.

Fix:
Transfer completes for an object served from WAM cache.

794561-1 : TMM may crash while processing JWT/OpenID traffic.

Solution Article: K46901953

794501-2 : Duplicate if_indexes and OIDs between interfaces and tunnels

Component: TMOS

Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.

Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.

Impact:
SNMP OIDs relating to interfaces may yield incomplete results.

Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:

# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
 if-index 64 <-------------------------------
net interface mgmt {
 if-index 32
net vlan external {
 if-index 96
net vlan internal {
 if-index 112
net vlan test {
 if-index 128
net vlan tmm_bp {
 if-index 48
net tunnels tunnel http-tunnel {
 if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
 if-index 80

# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm

-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================

-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289

Workaround:
No workaround currently known.

Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.

794413-2 : BIND vulnerability CVE-2019-6471

Solution Article: K10092301

794389-6 : iControl REST endpoint response inconsistency

Solution Article: K89509323

794285 : BIG-IQ reading AFM configuration fails with status 400

Solution Article: K36191493

Component: Protocol Inspection

Symptoms:
When the BIG-IQ tries to read the AFM configuration, using REST, the operations fails with status 400, if AFM is provisioned but the Protocol Inspection module is not licensed.

Conditions:
-- AFM provisioned on BIG-IP system.
-- Protocol Inspection module is not licensed.

Impact:
The operations fails with status 400. BIG-IQ cannot read AFM configuration if Protocol Inspection module is not licensed.

Workaround:
License Protocol Inspection.

793937-1 : Management Port Hardening

Solution Article: K03126093

793149-3 : Adding the Strict-transport-Policy header to internal responses

Component: Application Security Manager

Symptoms:
Some applications requires the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.

Conditions:
- ASM is provisioned with CAPTCHA/CSI challenge enabled
or
- DoS is provisioned with CAPTCHA/CSI enabled
or
- Bot Defense is provisioned with CAPTCHA mitigation/Browser JS verification/Device ID collection is enabled.

Impact:
Responses arrives to the browser without the Strict-transport-Policy header.

Workaround:
Create an iRule to add the header to the response.

Fix:
Adding a BigDB parameter (asm.strict_transport_policy) which allows to add the header to all internal responses. Default is disabled.

793121-3 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication

Component: TMOS

Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.

Conditions:
The TMUI redirect-http-to-https is enabled.

Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.

Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.

793045-2 : File descriptor leak in net-snmpd while reading /shared/db/cluster.conf

Component: TMOS

Symptoms:
Net-snmpd is leaking the file descriptors during the SNMP traps add/delete via tmsh.

Observe that the file descriptors used by snmpd increase using 'ls -l /proc/$(pidof snmpd)/fd'

Following error is logging into /var/log/daemon.log
err snmpd[5160]: /proc/stat: Too many open files

Conditions:
Perform add/delete on SNMP traps via tmsh.

Impact:
Failure of snmpd operations on BIG-IP systems.

Workaround:
None.

Fix:
No longer leaks file descriptors in net-snmpd while reading /shared/db/cluster.conf.

793017-1 : Files left behind by failed Attack Signature updates are not cleaned

Component: Application Security Manager

Symptoms:
If an Attack Signature update encounters an error during installation, files that are meant to be temporary are left behind on disk and a not subject to a periodic cleanup. This can eventually lead to disk space issues.

Conditions:
Attack Signature update encounters an error during installation.

Impact:
This can eventually lead to disk space issues.

Workaround:
Old sigfile.tmp.* directories under /var/ts/var/tmp can be safely removed.

Fix:
These directories are now included in the periodic file cleanup task.

793005-3 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.

Conditions:
There is a Diameter answer that does not match a pending request, the answer message is dropped, but BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it can underflow.

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.

Workaround:
None.

Fix:
'Current Sessions' statistics of MRF/Diameter pool reports correctly.

792285-2 : TMM crashes if the queuing message to all HSL pool members fails

Component: TMOS

Symptoms:
When a system uses a High Speed Logging (HSL) configuration with the HSL pool, TMM is crashing if the queuing message to all HSL pool members fails.

Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

792265-3 : Traffic logs does not include the BIG-IQ tags

Component: Application Visibility and Reporting

Symptoms:
AVR collects traffic data. When that data is reported to BIG-IQ, it omits the BIG-IQ tags which are required by BIG-IQ.

Conditions:
When AVR collects traffic data and sending it BIG-IQ.

Impact:
There are no BIG-IQ tags in the traffic logs. BIG-IQ is unable to map traffic-capturing logs to applications.

Workaround:
None.

Fix:
Traffic logs now include the BIG-IQ tags.

791669 : TMM might crash when Bot Defense is configured for multiple domains

Component: Application Security Manager

Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.

Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.

Impact:
TMM crash with core. Traffic disrupted while tmm restarts.

Workaround:
None,

Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.

791337-1 : Traffic matching criteria fails when using shared port-list with virtual servers

Component: Local Traffic Manager

Symptoms:
The system reports an error:

01b90011:3: Virtual Server /Common/vs1's Traffic Matching Criteria /Common/vs1_tmc_obj illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs2 destination address, source address, service port.

Conditions:
-- Creating virtual servers with shared object port-list.
-- Using the same port in another virtual server with different protocol with overlapping sources and destination IP address.

Impact:
Config validation failure prevents configuration changes.

Workaround:
Use different IP addresses and ports.

791057-1 : MCP may crash when traffic matching criteria is updated

Component: Local Traffic Manager

Symptoms:
MCP may crash when traffic matching criteria is updated, either directly or as the result of a configuration sync operation.

Conditions:
The specific root cause is unknown, although the crash is related to the update of traffic matching criteria.

Impact:
mcpd restarts. This results in a failover (when DSC is in use) or a halt to traffic processing (when DSC is not in use) while mcpd is restarting.

Workaround:
None.

790349-2 : merged crash with a core file

Component: Application Security Manager

Symptoms:
merged crash and restart.

Conditions:
A tmstat sync operation is occurring in the background.

Impact:
Statistical data is not available for system utilities/graphs while merged restarted. There is no other impact beside the appearance of the core file.

Workaround:
None.

Fix:
merged core scenario fix.

790205-3 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core

Component: Local Traffic Manager

Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.

Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.

Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when adding routes to child domains.

789993-1 : Failure when upgrading to 15.0.0 with config move and static management-ip.

Component: TMOS

Symptoms:
Upgrade to 15.0.0 from earlier version fails.

Conditions:
This happens when upgrading to 15.0.0 from earlier versions with static management-ip (dhclient.mgmt set to disabled).

Impact:
As the config move fails, the Management IP address might not be correct on the newly installed 15.0.0 device.

Workaround:
Keep DHCP enabled before upgrading or reset the management-ip after upgrade.

Fix:
Failure when upgrading to 15.0.0 with config move and static management-ip.

789921-2 : TMM may restart while processing VLAN traffic

Solution Article: K03386032

789893-2 : SCP file transfer hardening

Solution Article: K54336216

789817-1 : In rare conditions info fly-out not shown

Component: Application Security Manager

Symptoms:
When the question mark icon ('?') is close to the right upper corner of the page, the info fly-out is not shown when the question mark icon is clicked.

Conditions:
This can occur under the following conditions:
-- On Security :: Application Security screens that display a question mark for a help icon.
-- The ? icon is close to the right upper corner of the page.
-- Clicking the question mark icon to open the fly-out menu.

Impact:
Info fly-out not shown.

Workaround:
Change page size so that the ? icon is not in the right upper corner.

Fix:
Fly-out is shown correctly in all cases.

789421-2 : Resource-administrator cannot create GTM server object through GUI

Component: Global Traffic Manager (DNS)

Symptoms:
Users logged in with a role of resource-administrator are unable to create a GTM server object via GUI. The warning banner reports 'No Access'.

Conditions:
A user with a role of resource-administrator attempts to create a GTM server object.

Impact:
Unable to create GTM server object via the GUI.

Workaround:
Use tmsh or iControl/REST.

789365-1 : pkcs11d CPU usage increases after running nethsm self validation test

Component: Local Traffic Manager

Symptoms:
pkcs11d CPU usage rises from less than 5% to more than 80% after running 'tmsh run sys crypto nethsm-test' command.

Conditions:
pkcs11d is up when running nethsm self-validation test.

Impact:
pkcs11d CPU usage is higher than expected.

Workaround:
Restart pkcs11d to recover CPU usage.

Fix:
Do not subscribe to MCPD for nethsm self=validation test. Instead, use one-time MCPD message passing routine.

789169-2 : Unable to create virtual servers with port-lists from the GUI★

Component: TMOS

Symptoms:
Using the GUI to create a virtual server with a port-list or address-list fails with the following error:

01070096:3: Virtual server <virtual server name> lists profiles incompatible with its protocol.

Conditions:
- The virtual server is created with an ip-protocol set to a value other than 'any'.

- A port-list or address-list is used.

Impact:
Virtual server creation fails.

Workaround:
Create the configuration in tmsh.

1. Create an LTM traffic-matching-criteria object to define the port-list and/or address list. The protocol on the traffic-matching-criteria must be set to the protocol that the virtual server will use.

2. Create the LTM virtual server, and set the traffic-matching-criteria to the name of the traffic-matching-criteria object.

Fix:
While creating virtual server with port-list from the GUI, a traffic-matching-criteria is created internally and mapped to the virtual server. This ensures that the traffic-matching-criteria object uses the same ip-protocol as the virtual server.

788949-3 : MySQL Password Initialization Loses Already Written Password

Component: TMOS

Symptoms:
In some cases, the MySQL root password initialization is not complete. A re-attempt to restart MySQL fails.

Conditions:
-- MySQL startup script is interrupted.
-- Setting the root password fails.

Impact:
Processes may fail to connect to MySQL server.

Workaround:
None.

Fix:
Corrected MySQL startup script so it can recover if an earlier attempt to set the root password fails.

788773-2 : HTTP/2 Vulnerability: CVE-2019-9515

Solution Article: K50233772

788769-2 : HTTP/2 Vulnerability: CVE-2019-9514

Solution Article: K01988340

788753-4 : GATEWAY_ICMP monitor marks node down with wrong error code

Component: Local Traffic Manager

Symptoms:
Pool state shows down when there is no route configured to node.

Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.

Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.

Workaround:
None.

788741-2 : TMM cores in the MQTT proxy under rare conditions

Component: Local Traffic Manager

Symptoms:
TMM may core in the MQTT proxy under unknown conditions.

Conditions:
-- MQTT proxy in use.
-- It is not known what other conditions are required to cause this issue.

Impact:
TMM cores. Failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores in the MQTT proxy.

788593-2 : APM logs may contain additional data

Solution Article: K43404365

Component: Access Policy Manager

Symptoms:
Under certain conditions, APM logs may include more information than was requested.

Conditions:
-APM licensed and enabled.
-ACCESS::log iRule in use.

Impact:
Additional data recorded in the APM log, potentially disrupting log filters or logging unrequested data.

Workaround:
None.

Fix:
APM logs now contain the expected information.

788577-4 : BFD sessions may be reset after CMP state change

Component: TMOS

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.

It might also lead to a situation where the BFD session is deleted and immediately recreated.

This problem occurs rarely and only on a chassis with more than one blade.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.

Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.

This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There are two workarounds, although the latter is probably impractical:

-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.

Fix:
BFD session is no longer reset during CMP state change.

788557-5 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior

Component: TMOS

Symptoms:
GRST - BGP graceful reset.

The problem occurs when the routing daemon bgpd restarts/starts (e.g., by terminating the bgpd daemon) its distribution of a process and is not supported. Another way we've found is to call "bigstart restart" command on a primary blade on chassis with more than one blade.

After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.

Conditions:
-- BGP and BFD are configured.
-- BGP router's 'graceful restart' option is configured, enabled (set to 120 by default).
-- The bgpd daemon is terminated.

Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.

Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decisions come from networks learnt by affected routing protocol when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system, typically, the routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
None.

Fix:
BGP and BFD peering is not recreated in GRST timeout anymore.

788513-2 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Component: Service Provider

Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:

warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]

This appears to be benign, as the configuration loads successfully, and the script works as expected.

Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name

Instead of:
RADIUS::avp replace USER-NAME "static value"

Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.

Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.

788465-2 : DNS cache idx synced across HA group could cause tmm crash

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache idx conflicts and tmm crash.

Conditions:
-- High availability (HA) configuration.
-- DNS cache is configured and synced to the peer twice
-- A second DNS cache is configured on the peer.

Impact:
The idx conflicts will be observed. If the second DNS cache is of another type and is added to a virtual server, accessing that virtual server might cause a tmm core. Traffic disrupted while tmm restarts.

Workaround:
On the BIG-IP system that has the DNS cache idx conflicts, restart tmm:
# bigstart restart tmm

788417-2 : Remote Desktop client on macOS may show resource auth token on credentials prompt

Component: Access Policy Manager

Symptoms:
APM uses the 'username' attribute to pass auth token for SSO enabled native RDP resources on macOS. In case Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the base 64-encoded auth token in the username field.

This behavior is observed only with Remote Desktop Client v10.x for macOS.

Conditions:
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- Try to access the RDP resource from macOS using RDP client v10.x.

Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.

Impact:
Prompt for credentials (contains auth token in username field) causing APM end user confusion.

Workaround:
Apply the following iRule:

Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.

when HTTP_RESPONSE_RELEASE {
    catch {
        set locationUri [HTTP::header Location]
        if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" &&
                $locationUri contains "username=s:f5_apm"} {
            HTTP::header Location \
                [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
        }
    }
}

Fix:
Remote Desktop client on macOS does not show resource auth token on credentials prompt.

788325-2 : Header continuation rule is applied to request/response line

Solution Article: K39794285

Component: Local Traffic Manager

Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prepending continuation lines with leading whitespace symbols. This rule does not apply to request or response line, so having leading whitespace in a first header line is invalid. The BIG-IP system parses such line a header with empty value.

Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.

Impact:
The BIG-IP system can hide some important HTTP headers either passing those to the pool member or failing to properly handle the request (or response) or failing to correctly load balance a connection (or request in case of OneConnect profile).

Workaround:
None.

Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in first header line, it properly parses the header and handles it correctly.

788301-5 : SNMPv3 Hardening

Solution Article: K58243048

Component: TMOS

Symptoms:
SNMPv3 agents do not follow current best practices.

Conditions:
SNMPv3 agents enabled.

Impact:
SNMPv3 agents do not follow current best practices.

Fix:
SNMPv3 features now follow current best practices.

788269-3 : Adding toggle to disable AVR widgets on device-groups

Component: Application Visibility and Reporting

Symptoms:
Devices on device-group get into state of not-synced when AVR-related widgets are created or modified.

It occurs more frequently when manual config sync is enabled.

It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.

Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.

Impact:
Devices go into a non-synced state.

Workaround:
None.

Fix:
A DB-variable called avr.gui.widgets.sync has been added to disable widgets syncing. Possible values are 'disable' or 'enable', it is enabled by default.

Behavior Change:
This release adds a DB-variable, avr.gui.widgets.sync, to disable widget syncing. Possible values are 'disable' or 'enable'. It is enabled by default.

788093 : MRF iRule command MR::restore with no argument causes tmm to crash

Component: Service Provider

Symptoms:
Executing MRF iRule command MR::restore with no arguments intended to restore all variables saved previously with MR::store causes tmm to crash.

Conditions:
Using iRule command MR::restore with no arguments intended to restore all variables saved previously with MR::store.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use MR::restore command with explicitly mentioned variables intended to be restored.

Fix:
MR:restores works as intended: when no variable is given it brings back all variables saved previously with MR::store.

788057-5 : MCPD may crash while processing syncookies

Solution Article: K00103216

788033 : tpm-status may return "Invalid" after engineering hotfix installation

Solution Article: K91171450

788005-2 : Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP)

Component: Service Provider

Symptoms:
The SIP RFC states that if converting a message from a reliable transport to an unreliable transport, the proxy must guarantee delivery.

Conditions:
A adminstator required conversion of SIP messages from TCP to UDP and was willing to forgo the delivery requirement.

Impact:
A system db variable was added to disable the TCP to UDP protection.

Workaround:
None

Fix:
A DB variable has been added, Tmm.Sp.Sip.AllowTcpUdpConversion, possible values are enable|disable, the default value is disable. Enabling the DB variable enables the protection blocking TCP to UDP conversion for SIP messages.

787965-1 : URLCAT by URI does not work if it contains port number

Component: Traffic Classification Engine

Symptoms:
If absolute URI contains port number then URLCAT returns the result: Uncategorized.

Conditions:
Create new connection using CONNECT <absolute_uri> method.

Impact:
AFM rules configured with use of categorization do not work as intended.

Workaround:
Add URI with port number to custom Feed List.

Fix:
URLCAT works if request URI contains port number.

787853-2 : BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.

The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.

Conditions:
1. Create two virtual servers with multiple nodes. Set ICMP echo as all or selective/all.
2. Ping from client to virtual address.
3. Bring down nodes.
4. ping fails from client to virtual address as expected
5. Bring up nodes and make sure all virtual servers are online.
6. Start ping from client to virtual address.

Impact:
The BIG-IP system might respond incorrectly to ICMP echo requests sent to a virtual-address.

-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP system may not respond correctly after a virtual-address availability change.

-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.

The BIG-IP system might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.

Workaround:
Update virtual address ICMP setting to any or selective/any.

Fix:
This issue has been fixed.

787845 : Tmsh command 'show running-config' fails when Protocol Inspection is not licensed.

Component: Protocol Inspection

Symptoms:
If the Protocol Inspection feature is not licensed then tmsh command 'show running-config' fails with 'Protocol Inspection feature not licensed.' message.

Conditions:
- AFM Protocol Inspection feature is not licensed.

Impact:
'tmsh show running-config' command returns an error: 'Protocol Inspection feature not licensed.'

Workaround:
None.

Fix:
'tmsh show running-config' command works as expected.

787825-2 : Database monitors debug logs have plaintext password printed in the log file

Solution Article: K58243048

Component: Local Traffic Manager

Symptoms:
When monitor instance is in "debug" logging enabled mode for certain monitor types, the resulting monitor instance logs may contain sensitive details like password

Conditions:
When debug mode is enabled for following monitoring types
1. mssql
2. mysql
3. oracle
4. postgresql

Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.

Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types. 2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes , remove the resulting log files from the BIG-IP system after troubleshooting is completed.

Fix:
The password filed for monitor will now be redacted by external monitors when monitor debugging is enabled.

787477-2 : Export fails from partitions with '-' as second character

Component: Access Policy Manager

Symptoms:
Attempting to export a profile/policy from partition using the hyphen/dash (-) as the second character results in error message:
'Incorrect arguments: <partition> is not specified' error.

Conditions:
Partition with '-' as second character in the name.

Impact:
Unable to export policy from given partition

Workaround:
Rename partition without '-' as the second character.

Fix:
Export is working as expected in this scenario.

787433-3 : SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed

Component: Local Traffic Manager

Symptoms:
When stapling the OCSP response (and hence OCSP certificate) to the SSL client, the issuer that appears on the OCSP certificate mismatches with what is configured in the client SSL profile as the forward proxy CA cert.

Conditions:
The issue is seen when all the below conditions are met.
-- The BIG-IP system is using SSLO or SSL forward proxy.
-- The client hello sent from the SSL client includes the status request extension. This means that it requests BIG-IP system to staple the OCSP response.
-- The forward proxy CA cert in the client SSL profile is modified.

Impact:
In SSLO or SSL forward proxy mode, the server cert and the OCSP response the BIG-IP system sends to the SSL client should be both signed (issued) by the forward proxy CA cert configured at the client SSL profile. If they are signed by different issuers, it may not pass some of the validation check performed by the SSL client and might lead to SSL client's terminating the SSL handshake.

Workaround:
To updates and regenerates the OCSP signer information, after modifying the forward proxy CA cert, run the command:
bigstart restart tmm

Fix:
The issuer appearing on the OCSP response always matches the forward proxy CA cert configured at the client SSL profile.

787285 : Configuration fails to load after install of v14.1.0 on BIG-IP 800★

Component: TMOS

Symptoms:
When performing an installation of 14.1.0 on the BIG-IP 800 platform, the configuration fails to load after booting and reports an error:

01070920:3: Application error for confpp: iptables-restore v1.4.21: Couldn't load target `ha_multicast':No such file or directory

Conditions:
-- Install or upgrade to 14.1.0.
-- BIG-IP 800 platform.

Impact:
Unable to load configuration.

Workaround:
None.

786981-3 : Pending GTP iRule operation maybe aborted when connection is expired

Component: Service Provider

Symptoms:
When there is a suspended iRule operation (such as the table or after command) in GTP iRule event, the operation may be intermittently aborted when the connection is expired.

Conditions:
This occurs when a connection times out while there is still a pending iRule operation. For example, in one use case, there is a table command in GTP_SIGNALLING_INGRESS event, and the immediate idle timeout is configured in the UDP profile.

Impact:
GTP iRule may not be completely executed.

Workaround:
For the specific use case when immediate idle timeout is used, change idle timeout to some positive value. Then use the iRule to expire the connection after the GTP iRule event is done, for example, by setting 'IP::idle_timeout 0' in SERVER_CONNECTED event.

Fix:
When connection is expired, pending iRule operations in GTP iRule events are now completed.

786913-2 : Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7

Component: Application Security Manager

Symptoms:
Upgrade fails when upgrading from 13.0.x or under if the config includes an LTM Policy (CPM) which modifies a DoS Application Profile.

Conditions:
-- LTM Policy is configured to specify a DoSL7 profile name.
-- Upgrade is from version 13.0.x or earlier.

Impact:
Upgrade failure.

Workaround:
1. Manually edit the /config/bigip.conf file, and place all of the 'security dos profile' objects before any 'ltm policy' objects.
2. Load the config.

Fix:
Upgrade no longer fails when using an LTM Policy which specifies a DoSL7 profile name.

786565-2 : MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded

Component: Service Provider

Symptoms:
When a message is created using the GENERICMESSAGE::message create iRule command during the CLIENT_DATA event, if the TCP payload buffer is not cleared before the event completes, the data in the payload buffer is forwarded to the generic message filter disrupting its statemachine.

Conditions:
-- A message is created using GENERICMESSAGE::message create iRule command during CLIENT_DATA event.
-- TCP payload buffer is not cleared before the event completes.

Impact:
The data in the payload buffer is forwarded to the generic message filter disrupting its statemachine. Subsequent messages are not forwarded.

Workaround:
To fix the problem, add the following to CLIENT_DATA:
TCP::payload replace 0 [TCP::payload length] ""

Fix:
Data left in the TCP payload buffer is now ignored and does not negatively impact the filter.

786517-3 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address

Component: Local Traffic Manager

Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.

- Running the command 'tmsh load /sys config' reports an error:
01070038:3: Monitor /Common/a-tcp address type requires a port.

Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.

Impact:
Monitors are sent to an incorrect IP address.

tmsh load /sys config will fail to load the configuration.

Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.

-- Fix the monitor definition using tmsh.

786173-1 : UI becomes unresponsive when accessing Access active session information

Component: Access Policy Manager

Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

Impact:
Some session variables may be lost, which results in the GUI becoming unresponsive. The Access :: Overview :: Active Sessions page in the Admin UI becomes unusable.

Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

Fix:
The solution for the reported issue is handled by the fix provided for ID 783817. ID 786173 fixes a null pointer exception that might occur in the specific case of a certain missing session variable, which is relevant only in BIG-IP releases 14.1.0 or later.

785741-1 : Unable to login using LDAP with 'user-template' configuration

Solution Article: K19131357

Component: TMOS

Symptoms:
Unable to login as remote-user.

Conditions:
When the following are true:
-- LDAP remote-auth configured with user-template.
-- Remote-user configured to permit login.

Impact:
Unable to login with remote-user.

Workaround:
Use bind-dn for authentication.

785701-1 : Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile

Component: Local Traffic Manager

Symptoms:
Changing parameters in a Web Acceleration profile does not change the behavior of virtual servers already using the profile.

Conditions:
This issue is encountered after changing the settings of a Web Acceleration profile already in use by one or more virtual servers.

Impact:
The changes are saved correctly and are visible in the Web UI and tmsh; however, virtual servers already using the profile are not affected by the changes. This may result in some confusion and in the BIG-IP Administrator being unable to apply their desired changes.

Workaround:
After modifying the profile, remove the profile from all virtual servers and then re-add it.

785529-1 : ASM unable to handle ICAP responses which length is greater then 10K

Component: Application Security Manager

Symptoms:
ASM drops ICAP and HTTP connections when a multipart request arrives to the ASM enforcer and then forwarded to the ICAP server for virus inspection, and the ICAP server replies with a large (greater then 10 KB) response.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Antivirus service IP and port defined in the BIG-IP GUI under Options :: Integrated Services.
-- Antivirus protection enabled in the ASM policy.

Impact:
ASM drops ICAP and HTTP connections.

Workaround:
Configure the ICAP server to send back responses smaller than 10 KB.

Fix:
There is new ASM internal parameter introduced to make the ICAP response buffer size configurable within the ASM enforcer. The maximum response buffer size is 250 KB. To set the variable, issue the following commands, in sequence:

-- /usr/share/ts/bin/add_del_internal add icap_response_buff_size 250000
-- bigstart restart asm

785481-2 : A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached

Component: Local Traffic Manager

Symptoms:
Setting the DB variable tm.rejectunmatched to 'false' causes the BIG-IP system to not send RSTs when there is a match but the connection is rejected due to connection limits.

Conditions:
- tm.rejectunmatched is set to 'false'.
- A packet is matching a BIG-IP object.
- The packet is to be rejected because of connection limits.

Impact:
Reset packets are not sent back to clients when they should be.

Workaround:
None.

Fix:
Packets that match a BIG-IP object but fail due to connection limits will now be rejected with an RST.

784989-2 : TMM may crash with panic message: Assertion 'cookie name exists' failed

Component: Access Policy Manager

Symptoms:
TMM crashes with SIGFPE panic

panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.

Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.

Fix:
Fixed TMM crash, which occurred when remotedesktop/VDI profile was used together with custom iRule and Debug level logging.

784713-3 : When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct

Component: Local Traffic Manager

Symptoms:
When SSL forward proxy is configured, or for SSLO, if OCSP or CRL is set on the serverside, the certificate that signs the OCSP response on the clientside does not have the correct Authority Key Identifier (AKID).

Conditions:
Configure SSL forward proxy or enable SSLO and enable OCSP or CRL on serverside/server SSL profiles.

Impact:
Incorrect AKID X509 extension for the OCSP signer certificate on the clientside. Depending on browsers/clients, this may result in the browsers/clients to not be able to use the stapled OCSP response.

Workaround:
None.

Fix:
After the fix, the OCSP signer certificate has the correct AKID X509 extension.

783849-2 : DNSSEC Key Generations are not imported to secondary FIPS card

Component: Global Traffic Manager (DNS)

Symptoms:
When new DNSSEC Key Generations are generated by FIPS card, the Generation is not imported to secondary FIPS card.

Conditions:
BIG-IP has a GTM sync group with FIPS cards in sync. New DNSSEC Key Generation is created.

Impact:
New DNSSEC Key Generation is not imported to secondary FIPS card, but the generation is synced within GTM sync group.

Workaround:
N/A

Fix:
DNSSEC Key Generation is not imported to secondary FIPS card over creation

783817-2 : UI becomes unresponsive when accessing Access active session information

Component: Access Policy Manager

Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.

The following error messages shows up in TMM log:

-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588

Impact:
Some session variables may be lost, which results in UI hang. Admin UI becomes unusable.

Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

783753-1 : Increase vCPU amount guests can use on i11800-DS platforms.

Component: TMOS

Symptoms:
Users are unable to configure guests with 12 or 16 CPUs on the i11800-DS platforms.

Conditions:
i11800-DS platforms in vCMP mode.

Impact:
Cannot assign 12 or 16 CPUs to guests on i11800-DS platforms.

Workaround:
None

Fix:
12 or 16 CPUs can now be assigned to guests on i11800-DS platforms.

783617-1 : Virtual Server resets connections when all pool members are marked disabled

Component: Local Traffic Manager

Symptoms:
The BIG-IP system immediately responds with a RST against a SYN when all pool members are marked disabled by a monitor.

Conditions:
All the pool members are marked disabled by a monitor or administratively.

Impact:
Cannot use iRules to respond with an HTTP 503 error to incoming traffic.

Workaround:
None.

783565-2 : Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP

Component: Fraud Protection Services

Symptoms:
Upgrade support for DB variable to attach AJAX payload to vToken cookie sets 'send in alerts' flag configured on parameters without checking whether automatic transaction detection is turned on on the URL.

Conditions:
-- BIG-IP version 13.1.x or 14.0.x
-- A protected URL is configured with automatic transaction detection turned off.
-- A parameter on that URL is configured with all flags turned off.
-- The DB variable antifraud.internalconfig.flag1 is set to 'enabled' value.
-- Upgrade to 13.1.x or later (with load config) started.

Impact:
After upgrade, the configuration fails to load due to an error during schema change validation

Workaround:
-- Set the DB variable antifraud.internalconfig.flag1 value to 'disabled' before the upgrade.
-- Configure 'send in alerts' flag on the parameters manually.

Fix:
Now upgrade support takes into consideration the automatic transaction detection flag on URL and sets 'send in alerts' flag on URL parameters only for URLs with automatic transaction detection turned on.

783513-2 : ASU is very slow on device with hundreds of policies due to logging profile handling

Component: Application Security Manager

Symptoms:
Signature Update (ASU) is very slow on devices with hundreds of policies due to logging profile handling.

Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- The BIG-IP is configured for logging profile handling.

Impact:
The ASU process takes hours to complete.

Workaround:
None.

783289-1 : PEM actions not applied in VE bigTCP.

Component: Policy Enforcement Manager

Symptoms:
If PEM virtual server is configured using bigTCP, the return traffic from the server may not return to the same TMM. PEM policies do not get applied.

Conditions:
-- BIG-IP Virtual Edition.
-- bigTCP is configured (FastL4 with PEM/GPA hudfilters).
-- Virtual server uses Source-NAT.

Impact:
PEM policies do not get applied.

Workaround:
To work around this, do the following:
-- Configure bigTCP virtual server not to use source-NAT.
-- Configure destination-IP for hashing in server-vlan (the external VLAN that has the virtual server).

783165-3 : Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile

Component: Application Security Manager

Symptoms:
When creating a whitelist in the Bot Defense profile with url "Any" - after modifying the Bot Defense log profile, the whitelist does not apply anymore.

Conditions:
-- Bot Defense profile is attached to the Virtual Server
-- Adding a whitelist to the Bot Defense profile with url "Any"
-- Modifying the Bot Defense profile afterwards.

Impact:
Whitelist does not apply - users from the defined IP/GEO location might be blocked.

Workaround:
Delete and add the whitelist after modifying the profile.

Fix:
Keep the whitelist as is when updating bot profile.

783125-2 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.

Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that require coordinating data with another TMM on the system, such as the 'table' command.

Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.

Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.

Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.

See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
https://clouddocs.f5.com/api/irules/DNS__drop.html
https://clouddocs.f5.com/api/irules/UDP__drop.html

783113-4 : BGP sessions remain down upon new primary slot election

Component: TMOS

Symptoms:
BGP flapping after new primary slot election.

Conditions:
--- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)

-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.

-- The BFD session creation should happens approximately in 30 seconds after the reset/reboot.

Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.

Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
bigstart restart tmrouted

Fix:
BFD no longer remains DOWN after a blade reset/reboot. There is a convergence period caused by blade changes(blade reset/reboot, new blade installed, blade comes up), which may take a few moments, but after that BFD sessions show correct status.

782569-1 : SWG limited session limits on SSLO deployments

Component: Access Policy Manager

Symptoms:
SWG limited session limits are enforced on SSLO deployments that enable Explicit proxy authentication.

Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections that use custom category lookup (beyond the SWG limited session limit).

Impact:
SSLO fails to connect when the SWG limited session limit is reached.

Workaround:
None.

Fix:
If there is an SSLO profile paired with either an APM or SSLO per-request policy on a virtual server, and the operation has done a custom category only lookup, an SWG limited license is no longer consumed. This answers the case where there is auth (APM) on one virtual server, and the transparent virtual server is SSLO with custom category lookup only.

782529-2 : iRules does not follow current design best practices

Solution Article: K30215839

782353-6 : SIP MRF via header shows TCP Transport when TLS is enabled

Component: Service Provider

Symptoms:
When an SSL Client Profile (TLS) is enabled on a SIP Message-Routing Virtual Server, the via header shows an incorrect transport protocol when SIP messages are sent out the client side of MRF. For example, the via header contains 'SIP/2.0/TCP' or 'SIP/2.0/UDP', when it should read 'SIP/2.0/TLS'.

Conditions:
Sending SIP messages from the client side of the SIP MRF when an SSL client profile is enabled on the SIP Message-Routing virtual server.

Impact:
The via header is not correct and violates the SIP RFC.

Workaround:
Create an iRule that replaces the incorrect via header with a correct one, for example:

when SIP_REQUEST_SEND {
    if { [clientside] } {
        SIP::header replace Via [string map [list "SIP/2.0/TCP " "SIP/2.0/TLS " "SIP/2.0/UDP " "SIP/2.0/TLS "] [SIP::header Via 0]] 0

    }
}

Fix:
The via headers show the correct text (e.g., SIP/2.0/TLS) when an SSL Client Profile is enabled on a SIP Message-Routing virtual server.

781829-1 : GTM TCP monitor does not check the RECV string if server response string not ending with \n

Component: Global Traffic Manager (DNS)

Symptoms:
GTM TCP monitor marks resource down.

Conditions:
TCP server respond string not ending with '\n'.

Impact:
Available resources are marked down.

Workaround:
If the TCP server is sending a text response, reconfigure the server to make sure it terminates the output with '\n'.

If the TCP server can not be changed (for example if it produces binary output), it may be possible to create an external gtm monitor instead.

781753-3 : WebSocket traffic is transmitted with unknown opcodes

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not preserve WebSocket frames. Frame headers and payload may be reordered such that a header for a second frame may be sent out in the middle of a first frame's payload. Frame boundaries get skewed and payload gets interpreted as headers.

Conditions:
A request logging profile is configured on a WebSocket virtual server.

Impact:
WebSocket frames are not preserved such that traffic appears to be garbage.

-- If request logging is enabled, client frames may not be preserved.
-- If response logging is enabled, server frames may not be preserved.

Workaround:
Remove the request logging profile.

781725-2 : BIG-IP systems might not complete a short ICAP request with a body beyond the preview

Component: Service Provider

Symptoms:
An ICAP request (REQMOD or RESPMOD) body goes out to the ICAP server as far as a preview. If the server responds 100-continue, only a single chunk of the remaining payload might be sent to the server. Eventually the connection times out.

Conditions:
-- An ICAP profile is configured with a preview.
-- The HTTP request or response to be modified has a body that is more than one chunk longer than the preview length, yet short enough to be completely buffered in BIG-IP system before the preview is sent to the ICAP server.
-- The ICAP server responds with 100-continue.

Impact:
Only the first chunk of payload is sent after the preview, and eventually the connection times out.

Workaround:
None.

Fix:
The BIG-IP system now sends the complete ICAP request to the server, and the transaction completes normally.

781637-2 : ASM brute force counts unnecessary failed logins for NTLM

Component: Application Security Manager

Symptoms:
False positive brute force violation raised and login request is blocked

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM Brute force protection enabled for NTLM login type

Impact:
login request blocked by asm policy

Workaround:
Define higher thresholds in brute force protection settings

Fix:
asm code has been fixed and do not count unnecessary failed logins for NTLM

781605-3 : Fix RFC issue with the multipart parser

Component: Application Security Manager

Symptoms:
False positive or false negative attack signature match on multipart payload.

Conditions:
Very specific parsing issue.

Impact:
A parameter specific excluded signature may be matched or un-matched.

Workaround:
N/A

Fix:
Multi part parser issue was fixed.

781581-3 : Monpd uses excessive memory on requests for network_log data

Component: Application Visibility and Reporting

Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:

err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child

Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.

Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.

Workaround:
None.

Fix:
A db variable has been added: avr.eventlogsreportrownumber, which controls the number of logs displayed. The db variable default is 10000, and supports a range from 100 through 1000000.

Note: Using the maximum value may trigger the behavior described here. The system behavior depends on the specific machine hardware.

781449-2 : Increase efficiency of sPVA DoS protection on wildcard virtual servers

Solution Article: K14703097

781445-1 : named or dnscached cannot bind to IPv6 address

Component: Access Policy Manager

Symptoms:
In some scenarios, the named process cannot bind to IPv6 addresses. This occurs because the dnscached process listens to the wildcard IPv6 address port 53 (i.e., :::53) so it cannot respond to queries sent to IPv6 addresses.

Following message is reported in ltm log:

err named[16593]: binding TCP socket: address in use.

Conditions:
-- The named and dnscached processes are not running.
-- The dnscached process is started first.
-- The named process is started later.

Impact:
The named process does not respond to the queries that are sent to IPv6 addresses at port 53.

Workaround:
1) Stop both named and dnscached process.
2) Edit the startup script for dnscached to start in IPv4-only mode.
2a) On BIG-IP system, open the file /etc/bigstart/startup/dnscached.
2b) Add "-4" to the command line option of dnscached.
3) Restart the processes:
bigstart restart named dnscached

Fix:
The dnscached startup script has been modified to start in IPv4-only mode, so it does not listen on any IPv6 address.

781425 : Firewall rule list configuration causes config load failure

Component: Advanced Firewall Manager

Symptoms:
'tmsh load sys config' has a syntax error.

The syntax error is reported on 'security firewall rule-list rule' configuration.

Conditions:
This occurs only if any of the rule-list rule ip-protocol contains one of the following protocols:

-- BBN-RCC-MON
-- NVP-II
-- DCN-MEAS
-- OSPFIGP
-- CRUDP

Impact:
The system fails to load the configuration.

Workaround:
Manually edit the configuration file: /config/bigip_base.conf

1. Replace the ip-protocol name from rule-list configuration:

-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.

2. Save the file.
3. Issue the command:
tmsh load sys config.

The configuration now loads without syntax errors.

781377-2 : tmrouted may crash while processing Multicast Forwarding Cache messages

Solution Article: K93417064

781225-2 : HTTP profile Response Size stats incorrect for keep-alive connections

Component: Local Traffic Manager

Symptoms:
The HTTP profile Response Size static is incorrectly updated per-response using the cumulative number of response bytes seen for the lifetime of the connection, rather than the bytes seen per-response.

Conditions:
-- HTTP profile configured
-- HTTP connection reused for multiple requests/responses

Impact:
The HTTP profile Response Size statistics may be incorrectly reported and do not correlate to actual traffic seen.

Workaround:
None.

Fix:
The HTTP Response Size statistics are correctly updated using per-response values.

781069-2 : Bot Defense challenge blocks requests with long Referer headers

Component: Application Security Manager

Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
This client may get blocked by TCP RST, or suffer from a challenge loop.

Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense are configured
-- Request has a Referer header that is between ~1400 and 3072 characters long

Impact:
Legitimate browsers may get blocked or suffer from a challenge loop

Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.

Fix:
Challenges with long Referer headers no longer block legitimate clients.

781041-1 : SIP monitor in non default route domain is not working.

Component: Local Traffic Manager

Symptoms:
SIP pool members in non-default route domain are being marked as unavailable even though they are available. This may be intermittent depending on which device is assigned to do the monitoring.

Conditions:
- SIP pool members in non default route domain.
- Probing device attempts to probe from anything other than route domain 0.

Impact:
SIP service unavailable.

781021-2 : ASM modifies cookie header causing it to be non-compliant with RFC6265

Component: Application Security Manager

Symptoms:
When ASM strips the cookie header from the ASM cookies, it leaves the cookie header in a way that is not compliant with RFC6265 on two aspects:
-- No space after the semicolon
-- A cookie with no value is sent without the equals sign

Conditions:
-- ASM Security Policy is used.
-- Request includes an ASM cookie.

Impact:
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.

Workaround:
Disable the cookie stripping by modifying the DB variable as follows:
tmsh modify sys db asm.strip_asm_cookies value false

Fix:
ASM now strips the ASM cookies from the request in a way that is compliant with RFC6265.

780837-1 : Firewall rule list configuration causes config load failure

Component: Advanced Firewall Manager

Symptoms:
'tmsh load sys config' reports a syntax error.

The syntax error is reported on 'security firewall rule-list rule' configuration.

Conditions:
This occurs only if any of the rule-list rule ip-protocol contains one of the following protocols:

Note: You can see the mismatched protocol names in the /etc/protocols listing file (column 1 and column 3 differ):

bbn-rcc 10 BBN-RCC-MON # BBN RCC Monitoring
nvp 11 NVP-II # Network Voice Protocol
dcn 19 DCN-MEAS # DCN Measurement Subsystems
ospf 89 OSPFIGP # Open Shortest Path First IGP
crdup 127 CRUDP # Combat Radio User Datagram

Impact:
The system fails to load the configuration.

780817-5 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.

Component: TMOS

Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:

notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.

Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.

+ VIPRION B4300, B4340, and B44xx blades.
+ BIG-IP iSeries i15x00 platforms

-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.

Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.

Guests part of a redundant pair may fail over.

Workaround:
None.

Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.

780601-2 : SCP file transfer hardening

Solution Article: K03585731

779857-1 : Misleading GUI error when installing a new version in another partition★

Component: TMOS

Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:

'Install Status':Failed Troubleshooting

Conditions:
Install a new version in another partition.

Impact:
The GUI error is misleading. It is showing the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. The installation process is proceeding normally; only the error is incorrect and does not indicate a problem with the installation.

Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.

779177-2 : Apmd logs "client-session-id" when access-policy debug log level is enabled

Solution Article: K37890841

778869-3 : ACLs and other AFM features (e.g., IPI) may not function as designed

Solution Article: K72423000

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, ACLs, IPI and other AFM features may not function as designed.

Conditions:
AFM provisioned and configured.
TCP mitigations active.

Impact:
AFM features do not function as designed.

Workaround:
None.

Fix:
ACLs and other AFM rules (e.g., IPI) features now function as designed.

778681-2 : Factory-included Bot Signature update file cannot be installed without subscription★

Component: Application Security Manager

Symptoms:
After upgrade, the factory-included Bot Signature update file cannot be installed without subscription, even if it is already installed.

Conditions:
Device is upgraded to 14.1.0 from previous version, and does not have a Bot Signatures subscription.

Impact:
The factory-included Bot Signature update file cannot be installed.

778517-1 : Large number of in-TMM monitors results in delayed processing

Solution Article: K91052217

Component: Local Traffic Manager

Symptoms:
A monitor may continue to probe for a while after it has been removed from pool / member / node. Duplicate monitor instances may get created after associating a monitor to a server.

Conditions:
Device has a large number of in-TMM monitors.

Impact:
-- Monitor target may appear down when responding correctly.
-- Monitor may continue to run after removed from pool / member / node.
-- Increased monitoring load on server.

Workaround:
Disable in-tmm monitors:
tmsh modify sys db bigd.tmm value disable

Fix:
Large numbers of in-TMM monitors are processed in a timely fashion.

778365-2 : dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service

Component: Global Traffic Manager (DNS)

Symptoms:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS. If there is DNS service running on the LDNS, RTT metrics should be collected successfully as expected. However if there is no DNS service on the LDNS, there should not be any RTT metrics collected. But BIG-IP still populates the RTT values giving users a "false positive" results.

Conditions:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS and there is no DNS service running on the LDNS.

Impact:
RTT metrics are collected even though no response from the DNS service is present giving users wrong impression that there is.

Fix:
RTT metrics are collected only when the DNS service is present otherwise zero RTT values are returned.

778125-1 : LDAP remote authentication passwords are limited to fewer than 64 bytes

Component: TMOS

Symptoms:
The LDAP remote authentication password is limited to fewer than 64 bytes.

Conditions:
Configured for remote authentication with a password is longer than or equal to 64 bytes.

Impact:
Unable to login as remote-user with long password.

Workaround:
Set password that is shorter than 64 bytes.

778077-3 : Virtual to virtual chain can cause TMM to crash

Solution Article: K53183580

778049-4 : Linux Kernel Vulnerability: CVE-2018-13405

Solution Article: K00854051

777993-2 : Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same

Component: TMOS

Symptoms:
Egress TCP/UDP traffic with same L4 source port and destination port to an external trunk is pinned to one link only.

Conditions:
This happens on BIG-IP hardware platforms with broadcom switch chip, so BIG-IP 2000/4000 and i2000/i4000 series are not impacted.

Impact:
Performance degradation as only a portion of the trunk bandwidth is utilized.

Workaround:
None.

Fix:
Egress TCP/UDP traffic with same L4 source port and destination port is now evenly distributed among trunk ports.

777937-3 : AWS ENA: packet drops due to bad checksum

Component: Performance

Symptoms:
-- Lower throughput and tps.
-- High availability (HA) heartbeat is getting dropped, resulting in an active-active configuration.

Conditions:
AWS Elastic Network Adapter (ENA) NIC is in use.

Impact:
Performance degradation and invalid HA configuration.

Workaround:
On the BIG-IP system, turn off checksum offloading in on TX as follows:

modify sys db tm.tcpudptxchecksum value Software-only

Important: This workaround negatively affects NICs other than ENA. Therefore, the workaround is recommended exclusively when ENA is the only dataplane NICs in use in the BIG-IP system.

Fix:
AWS ENA: no packet drops due to bad checksum.

777737-3 : TMM may consume excessive resources when processing IP traffic

Solution Article: K39225055

777269-1 : Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup

Component: Local Traffic Manager

Symptoms:
The Address Resolution Protocol is used to allow IP endpoints to advertise their L2 (Ethernet MAC) addresses, and to query their network peers to request needed associations. Typically, TMM will immediately broadcast an ARP announcing its IP-MAC association (sometimes called a "gratuitous" ARP), so that switches can begin directing traffic to the self-ip immediately.

When BIGIP-VE starts with interfaces provided by some hypervisors, it may not immediately know the MAC address assigned to the interface until several milliseconds after the interface is created. In these cases, the gratuitous ARP will contain the MAC address 00:98:76:54:32:10, which is a valid but incorrect MAC address.

Normally, this is harmless, because the correct MAC address is immediately announced once it is known. However, it may be possible for a L2 switch upstream from multiple BIGIP-VE instances to believe a L2 loop has developed, and block one or both ports through which it saw the gratuitous ARPs.

Conditions:
BIG-IP VE, version 13.0.0 or later, running with the virtio driver on an OpenStack-compatible hypervisor.

Impact:
If an upstream switch sees gratuitous ARPs from multiple downstream BIG-IP instances on the same L2 LAN, it might block connectivity to one or more ports through which the gratuitous ARPs are seen. The self IP may appear to have connectivity for some time after it comes up, before connectivity is blocked at the upstream switch.

Fix:
Gratuitous ARPs sent with an incorrect MAC address are no longer broadcast.

777261-4 : When SNMP cannot locate a file it logs messages repeatedly

Component: TMOS

Symptoms:
When the SNMP daemon experiences an error when it attempts to statfs a file then it logs an error message. If the file is not present then this error is repeatedly logged and can fill up the log file.

Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.

Impact:
This can fill up the log with errors.

Fix:
The SNMP daemon has been fixed to log this error once.

777237-1 : IPsec HA for failover confused by runtime changes in blade count

Component: TMOS

Symptoms:
Security Associations (SAs) for IPsec could fail to mirror to standby correctly when multiple blades are involved, because tmm ownership of SAs on active could be assigned both before and after the blade count stabilized. (Initialization of peer descriptions started before the blade count finished stabilizing, which made them stale with respect to mirroring, after blade count change.) Missing SAs on standby would then be renegotiated after failover.

Conditions:
An IPsec config running under high availability where multiple blades are present in the chassis.

Impact:
Failure to properly mirror some SAs to standby caused them to be renegotiated after failover, which delays tunnel service until a new SA can be established.

Workaround:
No workaround is known.

Fix:
When blade count changes dynamically at runtime (which happens because IPsec init starts before blade count stablizes), all previously initialized peers are visited to update their idea of tmm ownership to reflect the new blade count.

777229-1 : IPsec improvements to internal pfkey messaging between TMMs on multi-blade

Component: TMOS

Symptoms:
There is no known performance degradation. This work eliminates unnecessary duplication of internal messages.

Conditions:
- IPsec tunnel configured.
- Multi-blade system.

Impact:
Extra logging in the TMM log due to duplicated internal messaging.

Workaround:
For vCMP systems, provision the Guest on one blade only. There is no workaround for bare-metal systems.

Fix:
Duplication of inter-tmm messaging has been eliminated.

777173-2 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error

Component: Access Policy Manager

Symptoms:
When administrator runs Citrix vdi iApp in APM standalone deployment (LTM is not licensed), iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed

This is result of a license check added for HTTP header transformation.

Conditions:
- APM is licensed as stand alone (no LTM license)
- Admin tries to run Citrix vdi iApp

Impact:
Administrator is not able to use the iApp to configure Citrix vdi access

Workaround:
Adding LTM module license will resolve the error.

Fix:
Citrix vdi iApp now can be used to configure Citrix vdi access in an APM standalone deployment.

776229-2 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero

Component: Local Traffic Manager

Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:

err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"

Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.

Impact:
The iRule rejects traffic when the pool member's port number is 0.

Workaround:
Configure any iRule using the 'pool' command to go to apool member using a non-0 port in the CLIENT_ACCEPTED event.

Fix:
No longer blocking access to pool members that use port number 0 (zero) from iRule 'pool' commands.

776133-1 : RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices

Component: Performance

Symptoms:
RSS hash is not used on BIG-IP Virtual Edition (VE).

You can run the following command to see the 'n' (no) for RSS results:

tmctl -d blade -i tmm/ndal_dev_status

Example:
iface device pci if_up link_up rcso lro sw_lro lro_no_md rvho rss tcso tso
1.1 vmxnet3 11:0.0 n n y:n y:n n y y:n n y:y y

Conditions:
This is encountered on BIG-IP VE.

Impact:
Performance degradation on non-SR-IOV devices.

Workaround:
None.

776073-1 : OOM killer killing tmm in system low memory condition as process OOM score is high

Component: TMOS

Symptoms:
When BIG-IP system running under low memory situation, Out-Of-Memory killer more likely selects tmm to kill and release the resources.

Conditions:
BIG-IP version 13.0.x or later installed and system running with low memory.
AFM provisioned makes the tmm process more likely to be selected by the oom killer

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Adjust OOM score of "tmm" process through oom_score_adj proc setting.

echo "-500" > /proc/<pid_of_tmm>/oom_score_adj

Fix:
OOM score for "tmm" process is adjusted such that OOM killer will not prioritize "tmm" during system low memory condition.

775897-1 : High Availability failover restarts tmipsecd when tmm connections are closed

Component: TMOS

Symptoms:
All security associations (SAs) can be deleted when tmipsecd restarts as a result of closing tmm connections during failover from active to standby.

Conditions:
When failover happens for high availability (HA), tmipsecd aims to close tmm connections when on standby, because tmm must connect instead to the daemon running in the active system. But a side effect of this restarts tmipsecd, resulting in deletion of all SAs when tmipsecd came back up.

Impact:
tmipsecd restarts. All IPsec tunnels experience an interruption of service until new SAs are negotiated.

Workaround:
None.

Fix:
Now tmipsecd no longer restarts when the tmm connections are closed in response to failover from active to standby.

775833-2 : Administrative file transfer may lead to excessive resource consumption

Solution Article: K94325657

775621-2 : urldb memory grows past the expected ~3.5GB

Component: Access Policy Manager

Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).

Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.

Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.

Workaround:
None.

Fix:
The system no longer preloads the database into memory, so memory no longer grows past what is expected.

775013-2 : TIME EXCEEDED alert has insufficient data for analysis

Component: Fraud Protection Services

Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.

Conditions:
Viewing alert logs for time-exceeded messages.

Impact:
Makes troubleshooting and/or analysis difficult.

Workaround:
None.

Fix:
All encryption failures alert now provides additional details to assist in troubleshooting the process.

774941-1 : GUI misspelling in Bot Defense logging profile

Component: Application Security Manager

Symptoms:
There is a misspelling in the logging profile for Bot Defense: Log Requests by Classificaiton.

Conditions:
Go to Security :: Event Logs : Logging Profiles :: Logging Profile :: Bot Defense :: Request Log.

Impact:
GUI shows misspelled word. There is no functional impact to this issue.

Workaround:
None needed. This is a cosmetic issue only.

Fix:
The text has been corrected: Log Requests by Classification.

774913-1 : IP-based bypass can fail if SSL ClientHello is not accepted

Component: Local Traffic Manager

Symptoms:
IP-based bypass can fail for SSL stream if the client sends a ClientHello that is not accepted by the BIP-IP system.

Conditions:
Client's SSL ClientHello message is not accepted by the BIG-IP system.

Impact:
Connection drop.

Workaround:
None.

Fix:
Check SSL bypass policy before parsing ClientHello message.

774881 : Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed.

Component: Protocol Inspection

Symptoms:
Protocol Inspection profiles can be added to a virtual server but are not applied to traffic.

To add a Protocol Inspection profile now it is required to have an AFM standalone license or to have an add-on AFM license, which includes Protocol Inspection module. Otherwise a error message is shown.

Conditions:
-- AFM is licensed as an add-on module without Protocol Inspection feature.

-- Protocol Inspection profile is configured and added to a virtual server or referenced in a firewall rule.

Impact:
It might appear that the configured Protocol Inspection profile attached to a virtual server or referenced in a firewall rule should work, but in fact, it is not applied to the actual traffic.

Workaround:
None.

Fix:
An error message is shown when trying to apply a Protocol Inspection profile to a virtual server or to a firewall rule having no Protocol Inspection license.

774633-2 : Memory leak in tmm when session db variables are not cleaned up

Component: Access Policy Manager

Symptoms:
There are some session db variables created as part of the split session proxy that have an indefinite timeout. If there is an error path or a failure with an inline service, the delete never gets called and these session keys build up over time, causing memory to leak in tmm.

Conditions:
SSLO setup with a service connector that fails.

Impact:
tmm eventually runs out of memory and generates a core file.

Workaround:
None.

Fix:
Variables have been set with a timeout so that they don't leak memory if the inline service fails.

774481-2 : DNS Virtual Server creation problem with Dependency List

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use the GUI to create virtual servers with dependent virtual server.

Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.

Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.

Workaround:
You can use either of the following workarounds:

-- Use tmsh;
-- Create the virtual server through GUI without dependent virtual server first and then edit the virtual server to add dependency.

774445-1 : BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2

Solution Article: K74921042

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).

Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor.
-- VMXNET 3 NICs.

Impact:
Traffic does not pass through non-mgmt interfaces.

Workaround:
You can use the following workarounds:

-- Until this issue is fixed in a Point-Release for your software branch, you can contact F5 Networks Technical Support to obtain an Engineering Hotfix to address the issue. This workaround allows TMM to continue to use the VMXNET3 driver, which is preferable.

-- On BIG-IP version 14.1.0, you can switch to the 'sock' driver.

-- On BIG-IP versions earlier than 14.1.0, you can switch to the 'unic' driver.

Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.

IMPORTANT: The driver must be configured the same way on all devices in a sync-failover device group.

To switch driver:

1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). For example:

    echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl

2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):

    bigstart restart tmm

3. After tmm restarts, confirm the driver in use by examining the output of:

    tmctl -d blade tmm/device_probed

Fix:
BIG-IP VE now passes traffic on ESXi 6.7 Update 2.

774361-2 : IPsec High Availability sync during multiple failover via RFC6311 messages

Component: TMOS

Symptoms:
After multiple failover events, BIG-IP can fail to coordinate with a remote peer via RFC6311 protocol messages, whose content can present the wrong message IDs, which are also marshalled in host byte order instead of network byte order.

Conditions:
When active and standby systems failover multiple times, and a newly active system must sync IDs with the newly standby system before exchanging messages with a remote peer to synchronize expected ID sequences.

Impact:
IPsec tunnels experience a temporary outage until new security associations are negotiated.

Workaround:
No workaround is known at this time.

Fix:
The following changes have been applied to RFC6311 messages:
-- Values are now passed in bigendian network byte order.
-- BIG-IP is willing to send messages after multiple failovers.
-- Active always syncs with standby before putting IDs into messages.

774257-2 : tmsh show gtm pool and tmsh show gtm wideip print duplicate object types

Component: Global Traffic Manager (DNS)

Symptoms:
Tmsh show gtm pool and show gtm wideip commands with field-fmt will display the object type twice in the output. For example:

tmsh> show gtm pool a field-fmt
gtm pool pool emptypool:A

tmsh> show gtm wideip a field-fmt
gtm wideip wideip testwip.f5.com:A

Conditions:
This occurs when running the following tmsh commands:

tmsh show gtm pool <poolname> field-fmt
tmsh show gtm wideip <wideipname> field-fmt

Impact:
The output type is printed twice

Workaround:
None.

Fix:
The output becomes like this after fix:

gtm pool a emptypool

gtm wideip a testwip.f5.com

774213-1 : SWG session limits on SSLO deployments

Component: Access Policy Manager

Symptoms:
SWG session limits are enforced on SSLO deployments that enable Explicit proxy authentication.

Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections (beyond the SWG session limit).

Impact:
SSLO fails to connect when the SWG session limit is reached.

Workaround:
None.

Fix:
If there is an SSLO profile paired with either an APM or SSLO per-request policy on a virtual server, and the operation has done a hostname only lookup, an SWG license is no longer consumed. This answers the case where there is auth (APM) on one virtual server, and the transparent virtual server is SSLO with hostname Category Lookup only.

773925-2 : Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files

Component: Application Visibility and Reporting

Symptoms:
For unknown reasons, sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB table files. MySQL starts reporting error 24 in its error log:

190228 8:21:17 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_FW_NAT_TRANS_DEST_H.frm' (errno: 24)
190228 8:45:36 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_ASM_NETWORK_T.frm' (errno: 24)
190228 9:12:22 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_ASM_NETWORK_T.frm' (errno: 24)

Conditions:
-- Statistics are collected locally on the BIG-IP system (that is, the BIG-IP system is not associated with a BIG-IQ device).
-- There is a considerable amount of traffic.

Impact:
Statistic reports stop working. In some cases DB becomes corrupted.

Workaround:
In /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter from 2500 to 5000.
2. Add the following parameter (right after 'open_files_limit'):
table_open_cache=2000
3. Restart MySQL:
bigstart restart mysql

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.

Fix:
Embed MariaDB configuration change into the standard BIG-IP versions.

773821-1 : Certain plaintext traffic may cause SSLO to hang

Component: Local Traffic Manager

Symptoms:
SSLO relies on SSL hudfilter to detect non-SSL traffic; but certain plaintext can be mistaken as SSL traffic, which can cause a hang.

Conditions:
Initial plaintext traffic resembles SSLv2 hello message or has less than enough bytes for SSL to process.

Impact:
SSLO hangs, unable to bypass traffic.

Workaround:
None.

Fix:
Improve SSL hello parser.

773693-5 : CVE-2020-5892: APM Client Vulnerability

Solution Article: K15838353

773677-1 : BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase★

Solution Article: K72255850

Component: TMOS

Symptoms:
The system-journald process writes to temporary storage /run/log/journal when storage mode is set to 'auto'. The persistent directory /var/log/journal that controls where the log goes (temporary or persistent memory) is usually created during BIG-IP system reboot. In some cases, /var/log/journal is not created. In the absence of this, system-journald writes to temporary storage /run/log/journal.

Conditions:
BIG-IP upgraded from versions prior to v14.1.0 to version 14.1.0 or later.

Impact:
As it writes to temporary memory, system SWAP memory usage increases, impacting overall system performance and may result in the kernel out-of-memory killer running and killing system processes.

Workaround:
Perform these steps while running the upgraded 14.1.x system.

1. Create system-journald persistent log directory manually:

mkdir /var/log/journal
chown root:systemd-journal /var/log/journal
chmod 2755 /var/log/journal
chcon system_u:object_r:var_log_t:s0 /var/log/journal

2. Reboot the system.

Fix:
The system-journald persistent directory is always created during reboot or when the system-journald storage option is set to 'persistent'.

773673-2 : HTTP/2 Vulnerability: CVE-2019-9512

Solution Article: K98053339

773653-6 : APM Client Logging

Solution Article: K23876153

773649-6 : APM Client Logging

Solution Article: K23876153

773641-6 : APM Client Logging

Solution Article: K23876153

773637-6 : APM Client Logging

Solution Article: K23876153

773633-6 : APM Client Logging

Solution Article: K23876153

773621-6 : APM Client Logging

Solution Article: K23876153

773553-2 : ASM JSON parser false positive.

Component: Application Security Manager

Symptoms:
False positive JSON malformed violation.

Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.

Impact:
HTTP request is blocked or an alarm is raised.

Workaround:
There is no workaround other than disabling the JSON profile.

Fix:
JSON parser has been fixed as per RFC8259.

773421-1 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied

Component: Local Traffic Manager

Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.

Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).

-- OneConnect is applied.

-- proxy-mss is enabled (the default value starting in v12.0.0).

Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.

Workaround:
Disable proxy-mss in the configured TCP profile.

Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.

772545-3 : Tmm core in SSLO environment

Component: Local Traffic Manager

Symptoms:
Unexpected SSL events can occur in SSLO configuration, possibly resulting in tmm core.

Conditions:
SSLO environment which can cause serverside ssl to become enabled during clientside handshake causing unexpected events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enabling SSL forward proxy verified-handshake setting available in 14.0.

772473-3 : Request reconstruct issue after challenge

Component: Application Security Manager

Symptoms:
False positive on Content-Type header in GET request.

Conditions:
After challenge is completed, the server responds to the reconstructed request with a 302-redirect.

Impact:
The BIG-IP adds to the next request (GET request) a Content-Type header.

Workaround:
There is no workaround at this time.

Fix:
The BIG-IP no longer reconstructs the next request after a redirect.

772233-4 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.

Component: Global Traffic Manager (DNS)

Symptoms:
When probing DNS Path, the metric round trip time (RTT) is not set correctly if the collection protocols used are NDS_DOT or DNS_REV.

The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.

Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.

Impact:
RTT metric is not set at all.

Workaround:
Use collection protocols - ICMP instead.

Fix:
The problem for both collection protocols - DNS_DOT and DNS_REV no longer occurs, and the RTT is set correctly.

772165-1 : Sync Failed due to Bot Defense profile not found

Component: Application Security Manager

Symptoms:
A sync failure might happen in a sync-failover device group after manually editing the /config/bigip.conf file and removing the Bot Defense profiles, and then performing a config sync.

The system reports a sync error message similar to this:
FODG (Sync Failed): A validation error occurred while syncing to a remote device.
- Sync error on device-b: Load failed from /Common/device-a 01020036:3: The requested profile (/Common/bot-defense-device-id-generate-before-access) was not found.
- Recommended action: Review the error message and determine corrective action on the device.

Conditions:
Manually editing the /config/bigip.conf file and removing the Bot Defense profile, then loading the config, and performing a config sync.

Impact:
Sync failure.

Workaround:
Reload the config from the receiving device, and then perform a force sync in the opposite direction, overriding the previous changes. This should bring the system back to in sync.

Fix:
Sync failures no longer happen when removing Bot Defense profiles from the config file and loading config.

772117-3 : Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card

Component: TMOS

Symptoms:
A key being overwritten is not removed from the FIPS card, so it becomes an abandoned key in the FIPS card, which cannot be used and properly tracked by the BIG-IP system.

An abandoned key appears similar to the following:

[root@big8:Active:Standalone] config # tmsh show sys crypto fips
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (1)
ID MOD.LEN(bits)
d3d8ecc5a489c64b8dfd731945d59950 2048 <==== properly tracked and configured key in BIG-IP
/Common/fffff.key

e35e900af8b269d2f10b20c47e517fd1 2048 <==== no name, abandoned

Conditions:
The issue is seen when all the following conditions are met:
1. High availability (HA) setup formed by multiple BIG-IP systems with FIPS cards.
2. An Administrator of one of the BIG-IP systems deletes its FIPS key, and creates another FIPS key using the same name.
3. high availability (HA) sync occurs from another BIG-IP system (with the older config) back to the first BIG-IP system (i.e., the operation overwrites the newly created FIPS key with the old FIPS key).

Impact:
It leads to orphan keys on the FIPS card, meaning that the keys are not present in the BIG-IP configuration as a configured key, so the key cannot be used by the BIG-IP system.

Workaround:
Manually delete the abandoned key from the FIPS card using the following command.

tmsh delete sys crypto fips key <key-id>

For example, for the abandoned key specified earlier, use the following command:
tmsh delete sys crypto fips key "e35e900af8b269d2f10b20c47e517fd1"

Fix:
Now, the overwritten key is successfully removed, so there is no longer an abandoned key present on the FIPS card.

771961-1 : While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core

Component: Access Policy Manager

Symptoms:
If the device is active at the time and is passing traffic, if the SSL Orchestrator configuration is deleted, tmm can core.

Conditions:
SSL Orchestrator device is active and passing traffic while being deleted.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm core related to deleting SSL Orchestrator.

771905-2 : JWT token rejected due to unknown JOSE header parameters

Component: Access Policy Manager

Symptoms:
JWT token rejected and OAuth Scope Agent fails.

Conditions:
When JWT access token contains unregistered JSON Object Signing and Encryption (JOSE) header parameters (e.g., nonce).

Impact:
Unregistered JOSE header parameters causes JWT access token to be rejected. OAuth Scope Agent fails.

Workaround:
None.

Fix:
If an unregistered parameter in the JOSE header is present in the JWT token, the system ignores the parameter instead of rejecting the token.

771873-5 : TMSH Hardening

Solution Article: K40378764

771705-1 : You may not be able to log into BIG-IP Cloud Edition if FSCK fails

Component: TMOS

Symptoms:
During BIG-IP Cloud Edition bootup, if FSCK fails and requires manual intervention to recover, you may not be able to proceed. This occurs because login requires the password for root, which is not typically set.

Conditions:
-- BIG-IP Cloud Edition.
-- FSCK failure on bootup requires manual intervention to recover.

Impact:
Cannot log in to BIG-IP Cloud Edition.

Important: There is no way to recover if the FSCK failure has already occurred. You must begin the BIG-IP Cloud Edition configuration again. You should implement the Workaround to prevent the issue from occurring.

Workaround:
To prevent the issue from occurring, run the following command for every filesystem:
tune2fs -i 0 <file system>

Following is a list of file systems (replace '1' with the relevant slot number if the active slot is not 1):

/dev/vg-db-vda/set.1.root
/dev/mapper/vg--db--vda-set.1._var
/dev/mapper/vg--db--vda-set.1._usr
/dev/mapper/vg--db--vda-set.1._config
/dev/mapper/vg--db--vda-dat.share
/dev/mapper/vg--db--vda-dat.log
/dev/mapper/vg--db--vda-dat.appdata

Fix:
FSCK is disabled BIG-IP Virtual Edition (VE) for both cloud and hypervisor configurations, so this issue no longer occurs.

Note: Disabling FSCK in virtual machines is considered standard operating procedure. In BIG-IP VE, FSCK is disabled upon the image creation and during live install of the full ISO. It is disabled for all file systems on all slots (boot locations). Although it is not recommended, you can manually reenable FSCK in Linux, in particular, using tune2fs to set the FSCK schedule, and updating /etc/fstab to allow it.

Behavior Change:
FSCK is now disabled in BIG-IP Virtual Edition (VE) for both cloud and hypervisor, preventing failure during bootup. FSCK disablement also persists during a downgrade. F5 Networks does not recommend reenabling FSCK. However, you can reenable it in Linux by updating /etc/fstab, so you can use tune2fs to set the FSCK schedule.

771173-3 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★

Component: Advanced Firewall Manager

Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.

Conditions:
This happens when upgrading from 12.x to 13.x and beyond.

Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.

Workaround:
You can fix the configuration by modifying it manually after upgrading.

In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>

771025-3 : AVR send domain names as an aggregate

Component: Application Visibility and Reporting

Symptoms:
AVR sends domain name as an aggregate of a number of domain names.

Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain name, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it start to aggregate all the new domain names.

Impact:
Cannot see the correct domain name.

Workaround:
None.

Fix:
AVR now removes old domain names, so it can add new ones and send the actual domain names it collected.

770989 : Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.★

Component: TMOS

Symptoms:
F5optics installation can fail with RPM database corruption on B4450 blades and iSeries platforms when installing 14.1.x.

Conditions:
-- Using B4450 blades or iSeries platforms.

-- Clean install (i.e., a completely new installation) of 14.1.0 from either an external drive or PXE without taking over license:

image2disk --format=volumes --nosaveconfig --nosavelicense BIGIP-14.1.0-0.0.116.iso

Impact:
-- After 14.1.0 boots up, when you check /shared/lib/rpm RPM database (by running the command: /opt/bin/rpm --dbpath /shared/lib/rpm -qa), you see errors if the RPM database has already been corrupted.

+ rpmdb: /shared/lib/rpm/Name: unexpected file type or format.
+ error: cannot open Name index using db3 - Invalid argument (22).

-- No default f5optics package is reported when running the command: tmsh show net f5optics. No f5optics packages is present in the /shared/f5optics/images/ directory (even the /shared/f5optics/images/ directory is not created).

Due to corruption of '/shared/lib/rpm' RPM database, additional component 'f5optics' installation can fail with RPM error. Other components such as geoip or epsec might also be affected due to corrupted '/shared/lib/rpm' RPM database.

Other symptoms may be that the Link Controller linkcost library (Non-US patch) may be unable to install, showing the error message:
DB_VERSION_MISMATCH: Database environment version mismatch.

Workaround:
Remove the RPM database and manually install the f5_optics RPM package.

Steps
=====
1. Remove corrupted RPM database:
   # rm -rf /shared/lib/rpm/

2. Initialize rpm database and update
   # /opt/bin/rpm --root /shared --dbpath /lib/rpm --initdb
   # /opt/bin/rpm --dbpath /shared/lib/rpm -qa

3. For iSeries platform:
   # /usr/bin/f5optics_install

   For VIPRION platform
   # tmsh install net f5optics slot all

770953 : 'smbclient' executable does not work

Component: TMOS

Symptoms:
Service Message Block (SMB) monitor is not functional.

Conditions:
This occurs under all conditions.

Impact:
SMB monitors fail. This occurs because the 'smbclient' executable is not functional.

Workaround:
None.

Fix:
'smbclient' executable is runnable and SMB monitoring is working.

770797-1 : HTTP2 streams may get stuck in rare situations

Component: Local Traffic Manager

Symptoms:
If HTTP2 is used in a 'gateway' configuration on a virtual server, without the use of an MRF http_router profile, HTTP connections are used to connect to the back-end servers.

The HTTP connections are pooled, and may be reused between streams. In rare situations, an HTTP connection is reused whilst it is in the process of shutting down. This may cause the corresponding HTTP2 stream to get into an unexpected state, and get 'stuck'.

The stuck streams persist until the client closes the HTTP2 connection. If a client keeps opening new streams on the affected connection, it may eventually run out of the total allowed streams limited by the HTTP2 profile. The client may then deadlock, waiting for streams to close.

Conditions:
An HTTP2 profile is used on a virtual server without an MRF http_router profile.

Impact:
The impact depends on client behavior. Some clients will open new connections for stuck streams, so the impact will be minimal. Others will show loss of performance or hang waiting for resources that will never be delivered.

Workaround:
None.

Fix:
HTTP2 streams no longer get stuck in rare situations.

770557-3 : Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one

Component: Access Policy Manager

Symptoms:
The per-Session RADIUS Acct STOP message is forged based on the pool route domain, but is sent through the default one.

Conditions:
1. Deploy the BIG-IP system with two route domains
2. Under each route domains you have a path to the RADIUS server.
3. Create Access Policy with a Logon Page, RADIUS Acct agent fallback-to-Deny ending.
4. Attach it to the virtual server.
5. Run tcpdump -i any port 1813 -ne on the BIG-IP system.
5. Navigate to the virtual server.
6. Wait 20 seconds till STOP packets arrive.

Impact:
The BIG-IP system sends the STOP packets according to the default routing table instead of the configured route domain RADIUS server.

Workaround:
None.

Fix:
The BIG-IP system now sends the STOP packets according to the configured route domain RADIUS server.

770477-2 : SSL aborted when client_hello includes both renegotiation info extension and SCSV

Component: Local Traffic Manager

Symptoms:
Client SSL reports an error and terminates handshake.

Conditions:
Initial client_hello message includes both signaling mechanism for secure renegotiation: empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

Impact:
Unable to connect with SSL.

Workaround:
None.

Fix:
Allow both signaling mechanism in client_hello.

769997-1 : ASM removes double quotation characters on cookies

Component: Application Security Manager

Symptoms:
ASM removes the double quotation characters on the cookie.

Conditions:
Cookie sent that contains double quotation marks.

Impact:
The server returns error as the cookie is changed by ASM.

Workaround:
Set asm.strip_asm_cookies to false using the following command:

tmsh modify sys db asm.strip_asm_cookies value false

Fix:
ASM no longer removes the double quotation characters on the cookie.

769981-2 : bd crashes in a specific scenario

Component: Application Security Manager

Symptoms:
bd crash with a core file.

Conditions:
-- XML profile with schema validation is attached to a security policy.

-- The bd.log shows out-of-memory messages relating to XML.

Impact:
Failover; traffic disruption.

Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803

769853-2 : Access Profile option to restrict connections from a single client IP is not honored for native RDP resources

Solution Article: K24241590

Component: Access Policy Manager

Symptoms:
When launching a native RDP resource (desktop/application) from APM Webtop, APM provides an RDP file to the browser and the browser invokes the native RDP client to launch the resource with the parameters specified in the RDP file.

When Access profile option 'Restrict to Single Client IP' option is enabled, user should only be allowed to launch the resource from the client that initiated the request.

Conditions:
-- APM Webtop is configured with native RDP resource.
-- 'Restrict to Single Client IP' option is enabled in Access Profile.

Impact:
RDP file provided by APM can be used for launching the RDP resource on a client machine that did not initiate the APM session.

Workaround:
None.

Fix:
When Access Profile option 'Restrict to Single Client IP' is enabled, APM restricts native RDP resource launch from the client that initiated the APM session.

769817-3 : BFD fails to propagate sessions state change during blade restart

Component: TMOS

Symptoms:
BFD fails to propagate sessions state change during blade restart.

Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.

Impact:
The BFD session remains in the BFD sessions table and remains there until BGP session is timed out by hold the timer (90 seconds, by default). Dynamic routes, which are learnt via affected BGP session, remain in the routing table until the hold time is reached.

Workaround:
Change BGP hold time to reasonable lower value.

Fix:
The affected BFD session is removed from the BFD table after blade reset during the period configured for this BFD session.

769809-4 : The vCMP guests 'INOPERATIVE' after upgrade

Component: TMOS

Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.

Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.

Impact:
The vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.

Workaround:
Important: If you upgrade vCMP hosts from an affected version to a version unaffected by this issue (ID 769809), ensure that the upgrade version contains the fix for Bug ID 810593: Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade :: https://cdn.f5.com/product/bugtracker/ID810593.html.

Upon encountering this issue, it may be best to roll back to the previously used, unaffected version on the vCMP host, and then install a version unaffected by this issue (i.e., versions later than 12.1.4.1 or later than 13.1.1.5).

Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade

769801-1 : Internal tmm UDP filter does not set checksum

Component: Local Traffic Manager

Symptoms:
An internal tmm UDP filter does not set checksum for outgoing UDP packets.

Conditions:
-- An internal tmm UDP filter is in use.

Impact:
Even though a UDP packet with no checksum is permitted, it could cause some problems with some firewalls/servers.

Workaround:
For internal tmm udp filters, add the following to the UDP profile in use:

no_cksum 0

Fix:
Internal tmm UDP filters set checksum for outgoing UDP packets.

769589-2 : CVE-2019-6974: Linux Kernel Vulnerability

Solution Article: K11186236

769581-1 : Timeout when sending many large requests iControl Rest requests

Component: TMOS

Symptoms:
After sending hundreds of REST requests, REST requests eventually begins to time out. This is the case for applications such as an AS3, with requests with 700 services.

Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the the BIG-IP system.

2. Deploy config with AS3:
curl -X POST \
 https://<$IP_address>/mgmt/shared/appsvcs/declare \
 -H 'Content-Type: application/json' \
 -d //This should be the data from an AS3 body

3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
 https://<$IP_address>/mgmt/shared/appsvcs/task \
 -H 'Content-Type: application/json'

4. Delete configuration:
curl -X DELETE \
 https://<$IP_address>/mgmt/shared/appsvcs/declare

It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:

-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'

Impact:
Saving new configuration data does not work. Any new transaction tasks fail.

Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.

Fix:
Changes to handle the new transaction iControl Rest creation process creation properly when the existing process was killed with a timeout operation.

769385-1 : GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message

Component: Global Traffic Manager (DNS)

Symptoms:
GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message:

err mcpd[7649]: error: crypto codec New token is smaller with added values.

Conditions:
Two or more GTM devices with internal FIPS modules are configured with DNSSEC keys with 'use-fips internal' set, and GTM config sync between the devices is configured and enabled.

Impact:
DNSSEC keys are not imported into the FIPS cards of devices that receive the key via a synchronization from another device.

Workaround:
None.

769361-2 : TMM may crash while processing SSLO traffic

Solution Article: K33444350

769357-1 : IPsec debug logging needs more organization and is missing HA-related logging

Component: TMOS

Symptoms:
After a failover between active and standby systems, the internal mechanisms that support high availability (HA) cannot be examined and diagnosed using logs generated with log-level set to debug or better.

Conditions:
-- log-level set to debug or better.
-- Failover between active and standby systems.
-- Viewing logs.

Impact:
Any problems involving HA cannot be diagnosed from logs after failover. What logging does appear tends to be verbose, unclear, and often difficult to correlate with specific security associations.

Workaround:
None.

Fix:
IPsec logging has been partially restructured, with some logging under control of bitflags that can be enabled or disabled via commands added to the description string of any ipsec-policy instance.

Logging for HA now appears when log-level is debug, provided lowercase bitflags for 'h' and 'a' are also enabled. For example, this would do so:

tmsh create net ipsec ipsec-policy dummy description " env { cmd='flag +ha' }"

769309-2 : DB monitor reconnects to server on every probe when count = 0

Component: Local Traffic Manager

Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.

Conditions:
This occurs when using one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).

Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.

Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.

Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).

769281-1 : Per-request Acess Policy may show user interface pages incorrectly i nlanguages other than English

Component: Access Policy Manager

Symptoms:
If per-request Access Policy contains a user interface page (logon page, message box, etc.), this page may not be shown correctly in the browser if English is not the preferred language.

Conditions:
-- Browser with preferred language other than English.
-- Per-request Access Policy with support of this language.
-- Access Policy Agent with user interface included in the policy (logon page, message box, decision box, various forms of Rejected Ending Agent).

Impact:
The browser shows incorrect items on the response page presented to the APM end user (e.g., the page displays incorrect language strings).

Workaround:
None.

Fix:
Now, user interface pages in non-English languages are shown correctly by per-request Access Policy Agents.

769193-5 : Added support for faster congestion window increase in slow-start for stretch ACKs

Component: Local Traffic Manager

Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.

Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledges more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.

Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.

Workaround:
There is no workaround at this time.

Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.

Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.

Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.

769169-3 : BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring

Component: TMOS

Symptoms:
BIG-IQ sends a lot of request to the BIG-IP system to collect the stats it makes the BIG-IP slow and eventually GUI goes unresponsive.

Conditions:
-- BIG-IQ monitoring a large BIG-IP configuration.
-- With a very large number of requests, and with resource-expensive requests.

Impact:
ICRD requests wait longer in the ICRD queue, which can make the BIG-IP system becomes unresponsive. Policy Creation, Device Overview, and stats pages take more time to respond, and eventually, the GUI becomes unresponsive on these three pages.

Lot of process terminated/re-created messages in restjavad logs.

Workaround:
Remove the BIG-IP device from the BIG-IQ and restart the mcpd.

Fix:
The system now handles the queue so that there is time for BIG-IP system to recover and become responsive.

769061-2 : Improved details for learning suggestions to enable violation/sub-violation

Component: Application Security Manager

Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.

Conditions:
There are learning suggestions to enable violations/sub-violation in the policy

Impact:
Misleading suggestion details.

Workaround:
None.

Fix:
The misleading word 'Matched' was removed from the title.

768981-2 : VCMP Hypervisor Hardening

Solution Article: K05765031

768761-2 : Improved accept action description for suggestions to disable signature/enable metacharacter in policy

Component: Application Security Manager

Symptoms:
It is difficult to understand the description for suggestions to disable signature or enable metacharacter on parameter/URL alternative action (accept for all entities).

Conditions:
There are suggestions to disable signature or enable metacharacter on parameter/URL.

Impact:
Action description can be difficult to understand.

Workaround:
None.

Fix:
'Accept for Any Entity' action has been renamed to 'Accept Globally'. The 'Charset' type is now mentioned in the action description for better understanding of the applied action.

768025-4 : SAML requests/responses fail with "failed to find certificate"

Component: Access Policy Manager

Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.

Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.

Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.

-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.

-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.

Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, change it back to the original certificate, and then the apply policy.

-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.

Fix:
BIG-IP as SP and BIG-IP as IdP works as expected while generating signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after certificate that is used for signing is modified.

767877-3 : TMM core with Bandwidth Control on flows egressing on a VLAN group

Component: TMOS

Symptoms:
TMM cores during operation.

Conditions:
Known condition:
1. BWC attached to serverside connflow
2. Serverside traffic traversing/egressing VLAN group

Impact:
Traffic disrupted while tmm restarts.

767737-2 : Timing issues during startup may make an HA peer stay in the inoperative state

Component: TMOS

Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.

Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.

Impact:
An HA peer does not become ACTIVE when it should.

Workaround:
None.

767689-1 : F5optics_install using different versions of RPM★

Component: TMOS

Symptoms:
Symptoms have been observed only in one case: A bare metal install to BIG-IP 14.1.0. In this case, a messages indicating the RPM database under /shared is corrupted.

Conditions:
Bare metal installation via PXE boot or USB install.

Impact:
The /shared/lib/rpm database must be recreated and f5optics manually installed.

Workaround:
1. Backup the current Packages file:

    cp /shared/lib/rpm/Packages /shared/tmp/

2. Remove all the files from the database directory"

    rm -f /shared/lib/rpm/*

3. Initiate the database by using the old version RPM:

    /opt/bin/rpm --dbpath /shared/lib/rpm --initdb

4. Restore the Packages file (Press 'y' when promoted by 'cp: overwrite'):

    cp /shared/tmp/ /shared/lib/rpm/Packages

Now you should be able to install the package.

Fix:
With these changes, the corruption of the /shared/lib/rpm database is no longer observed.

767653-1 : Malformed HTTP request can result in endless loop in an iRule script

Solution Article: K23860356

767613-2 : Restjavad can keep partially downloaded files open indefinitely

Component: Device Management

Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client does not complete the download. Since these files remain open, the total number of available file handles for the process decreases, and the disk space for the files cannot be recovered. Symptoms may include errors like 'Too many open files', low disk space even after deleting the associated files, and items listed with '(deleted)' in lsof output.

Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.

Impact:
Various errors ('Too many open files.'), low disk space, items listed with '(deleted)' when listed using lsof.

Workaround:
To free the file handles, restart restjavad:
tmsh restart sys service restjavad

Files that were deleted now have their space reclaimed.

Fix:
The restjavad process now internally clears the file handles of such partially downloaded files if they remain untouched for two hours.

767401-1 : TMM may crash while processing TLS traffic

Solution Article: K95434410

767373-1 : CVE-2019-8331: Bootstrap Vulnerability

Solution Article: K24383845

767269-2 : Linux kernel vulnerability: CVE-2018-16884

Component: TMOS

Symptoms:
Linux kernel NFS41+ subsystem use-after-free vulnerability when node have NFSv41+ mounts inside several net namespaces.

Conditions:
NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic.

Impact:
BIG-IP is not exposed to this vulnerability. use-after-free causes system panic, subsequent system reset.

Workaround:
None.

Fix:
Updated kernel to include patches for CVE-2018-16884.

767045-2 : TMM cores while applying policy

Component: Anomaly Detection Services

Symptoms:
TMM core and possible cores of other daemons.

Conditions:
The exact conditions are unknown.

Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

766873 : Omission of lower-layer types from sFlow packet samples

Component: TMOS

Symptoms:
The packet samples transmitted from BIG-IP to an sFlow receiver may contain only 'http' samples, with no 'vlan' or 'interface' FLOW samples appearing. sFlow will continue to transmit CNTR (counter) telemetry packets.

Conditions:
When the BIG-IP system is configured with one or more sFlow receivers, with non-zero sampling-rate configured for 'vlan' or 'interface' types.

Impact:
External network-monitoring or management systems, which may depend on sFlow packet samples from BIG-IP systems and from other equipment, are unable properly to characterize the flow of data throughout the network.

Workaround:
None.

Fix:
This issue no longer occurs.

766761-2 : Ant-server does not log requests that are excluded from scanning

Component: Access Policy Manager

Symptoms:
Based on Request/Response Analytics agent 'Exclude Types' settings, the requests that are excluded from scanning should log a message that states, 'Response content is in excluded content list'.

Conditions:
Response or Request Analytics agent in the Per-Request Policy.

Impact:
These particular logs are not available.

Workaround:
None.

Fix:
Appropriate messages now get logged.

766577-2 : APMD fails to send response to client and it already closed connection.

Component: Access Policy Manager

Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer

APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.

Conditions:
Backend server is slow, causing longer-than-usual response times.

Impact:
This causes the client to close the connection. APMD fails to respond to the client.

The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.

Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.

766509-1 : Strict internal checking might cause tmm crash

Component: Local Traffic Manager

Symptoms:
Overly strict internal validation can cause TMM to raise an OOPS when it does not need to.

Conditions:
Device instability.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set 'tmm.oops' to a value other than 'panic':

tmsh modify sys db tmm.oops value silent
tmsh modify sys db tmm.oops value log

Fix:
Loosened internal validation so OOPS does not occur.

766405-2 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device

Component: Service Provider

Symptoms:
The next active device may crash with a core when attempting to create media flows.

Conditions:
The names for the LSN pool and router profile are longer than expected.

Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts; If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.

Workaround:
None.

Fix:
Device no longer cores.

766365-1 : Some trunks created on VE platform stay down even when the trunk's interfaces are up

Component: TMOS

Symptoms:
Trunk configured on BIG-IP Virtual Edition (VE) does not pass traffic because it is in 'down' state

Conditions:
Trunk is created on VADC for NICs that use XNet drivers.

Note: In this release, XNet drivers are used by Mellanox and AWS ENA NICs on the VE platform only

Impact:
Trunk marked 'down'; traffic does not pass through the trunk.

Workaround:
None.

Fix:
Drivers that suffered from this problem now set speed correctly for the interface.

766357-1 : Two simultaneously manual installations can cause live-update inconsistency

Component: Application Security Manager

Symptoms:
When running two manual installations of the same update type simultaneously from different browser instances, live-update may encounter inconsistencies, and one of the installations gets stuck in the 'installing' state.

Conditions:
-- Two different installations of the same update type exists.
-- Manual installation occurs both at the same time from different browser instances.

Impact:
-- One of the installations stays in the 'installing' state.
-- Cannot install other installations (.im files).

Workaround:
Run the following command:
bigstart restart tomcat

Live-update changes the status of the installation from 'installing' to 'error' and allows subsequent installation operations.

Fix:
Live-update now queues all manual installations, so they start one after another. After all installations end, only one installation has the 'installed' status.

766329-2 : SCTP connections do not reflect some SCTP profile settings

Component: TMOS

Symptoms:
The effective receive-chunks, transmit-chunks, in-streams, and out-streams parameters in SCTP traffic do not match the settings from the configured SCTP profile:

  -- The in-streams setting alters both the in-streams parameter and the tx-chunks parameter.
  -- The out-streams setting alters both the out-streams parameter and the rx-chunks parameter.
  -- The tx-chunks setting has no effect.
  -- The rx-chunks setting has no effect.

Conditions:
An SCTP virtual server is configured.

Impact:
Unexpected SCTP parameters are negotiated on SCTP connections.

Workaround:
None.

Fix:
The SCTP profile settings are now used during SCTP connection negotiation.

766293-1 : Monitor logging fails on v14.1.0.x releases

Component: Local Traffic Manager

Symptoms:
With a fresh install of v14.1.0.x, you attempt to enable monitor logging for a node or pool member, an error message appears in /var/log/ltm. Also the log file to be created fails to be created.

This behavior is due to SELinux changes. /var/log/auditd/audit.log show the SELinux violations logs.

System reports messages similar to the following in /var/log/ltm:

-- info bigd[12457]: Couldn't open logging file /var/log/monitors/Common_Splunk_HTTP_monitor-Common_node1-8088.log for monitor /Common/Splunk_HTTP_monitor on node /Common/node1.

Conditions:
-- Clean installation of v14.1.0.x software.
-- Enable monitor logging for a node or pool member.

Impact:
Monitor logging fails. Error messages logged.

Workaround:
None.

Fix:
Updated bigd SELinux rules to allow the monitor log file creations.

766169-2 : Replacing all VLAN interfaces resets VLAN MTU to a default value

Component: Local Traffic Manager

Symptoms:
When the last physical interface is removed from a VLAN, VLAN's MTU is reset to default value of 1500. However when replacing all interfaces belonging to a VLAN with a new ones (e.g., with a command 'tmsh modify net vlan [name] interfaces replace-all-with {...}'), even if it does not look like removing all interfaces, it is actually done by removing all interfaces immediately followed by adding new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for newly added interfaces. As it is done automatically inside TMM, it is not reflected in the configuration. TMSH and Configuration Utility continue to report original value.

Conditions:
Issue is visible only when removing or replacing all interfaces in a VLAN which has MTU value different than default 1500. Added interfaces must also have MTU values larger than 1500.

Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.

Workaround:
There are two workarounds:

-- Reset desired MTU value after each operation of replacing all interfaces in a VLAN.
-- Avoid replace-all-with operation by adding new interfaces before removing unneeded ones.

Fix:
VLAN MTU value is left unchanged after the last interface is removed. It is recalculated upon adding a new interface anyway, so there is no risk it will be too large.

765801 : WCCP service info field corrupted in upgrade to 14.1.0 final★

Component: TMOS

Symptoms:
WCCP 'Here I am' packets from BIG-IP to routers have corrupted service info. No 'I see you' response received from routers due to mismatched service flags information.

Conditions:
No specific condition other than WCCP configuration on BIG-IP 14.1.0.x version.

Impact:
Unable to deploy WCCP on BIG-IP in version 14.1.0.x.

Workaround:
None.

Fix:
Corrected WCCP service flags during initialization.

765785-3 : Monpd core upon "bigstart stop monpd" while Real Time reporting is running

Component: Application Visibility and Reporting

Symptoms:
Monpd cores upon "bigstart stop monpd" while Real Time reporting is running

Conditions:
Real Time UI view is active.

Impact:
None.

Workaround:
None.

Fix:
Fixed a monpd core.

765533-2 : Sensitive information logged when DEBUG logging enabled

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048

765517-1 : Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN

Component: Local Traffic Manager

Symptoms:
When two virtual servers are created and they have same address list but different incoming VLANs, Traffic Match Criteria validation fails.

Conditions:
Create 2 virtual servers and they have same address list but different incoming VLANs.

Impact:
System validation fails.

Workaround:
Use non-overlapping address lists.

765449-1 : Update availability status may be inaccurate

Component: Application Security Manager

Symptoms:
Under certain condition the UI may indicate that attack signature updates are available.

Conditions:
ASM provisioned.

Impact:
Attack signature updates are listed as available when the latest signatures are already installed.

Workaround:
An accurate status for availability of updates is available in System::Software Management::Live Update

Fix:
The UI now displays an accurate availability status for attack signatures.

765413-1 : ASM cluster syncs caused by PB ignored suggestions updates

Component: Application Security Manager

Symptoms:
Frequent syncs occurring within an ASM device group.

Conditions:
Several (updating) suggestions are marked 'ignored'.

Impact:
Syncs appear in the logs (no actual performance degradation).

Workaround:
-- Remove the Ignored Suggestions. (Note: These might be re-added and you must refrain from clicking the Ignore button).

-- Remove the Ignored Suggestions and uncheck the Learn flag for the violation that causes it. (Note: The impact is that the system does not learn this violation anymore, so any future suggestions to amend the policy for that violation will not be created.)

Fix:
Policy Builder (PB) no longer updates Ignored Suggestions, so unnecessary sync operations no longer occur.

765033 : Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions★

Component: TMOS

Symptoms:
Some versions of BIG-IP software have removed the ability to access bash from users that have resource-admin roles. Upgrades to one of these versions may fail to load the configuration on the upgraded volume with a message in /var/log/ltm similar to:

err mcpd[14994]: 01070825:3: Access denied - Administrators only: Custom shells only available to administrators, not testuser.

Conditions:
-- Users with the resource-admin role also have bash access.

-- Upgrading to an affected version from certain versions.

Impact:
The upgraded volume's configuration does not load.

Workaround:
You can use either of the following workarounds:

-- Ensure that all users with the resource-admin role do not have bash access prior to upgrading.

-- Hand-edit the bigip_user.conf to remove bash from any users with the resource-admin role and reload the configuration using the following command:
tmsh load sys config

Fix:
Upgrades no longer fail under these conditions.

764665-2 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change

Component: Application Visibility and Reporting

Symptoms:
When BIG-IP is registered on BIG-IQ system, sometimes avrd crashes with core.

Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.

Impact:
Avrd cores and restarts. Functionality is not impacted, stats data are sent to BIG-IQ.

Workaround:
None.

Fix:
Corrected issue in setting value for internal flag.

764373-3 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths

Component: Application Security Manager

Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.

Conditions:
Server sends enforced cookies with the same name but with different paths.

Impact:
A valid request might be rejected.

Workaround:
None.

Fix:
The system now checks all enforced cookies correctly, so this issue no longer includes.

763349-3 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out

Component: Application Visibility and Reporting

Symptoms:
avrd application on BIG-IP crashes; core is generated.

Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.

-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.

Impact:
avrd crashes, and a core is generated.

Workaround:
None.

Fix:
avrd now reconnects to BIG-IQ DCD in a different sequence so this issue no longer occurs.

763157-2 : MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped

Component: Service Provider

Symptoms:
Processing the response to an outbound request at the same time as an inbound request message on the same connection could cause internal state generated to be confused and the inbound request to be dropped.

Conditions:
Processing the response to an outbound request at the same time as an inbound request message on the same connection.

Impact:
The inbound request will be dropped.

Workaround:
None.

Fix:
The internal state generated is no longer confused so the inbound request is no longer dropped.

763121-3 : Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.

Component: Advanced Firewall Manager

Symptoms:
TMM crashes and produces a core file. The crash is a SIGFPE accompanied by the following panic string:

Assertion "packet must already have an ethernet header" failed.

Conditions:
This issue occurs when all of the following conditions are met:

- The system is provisioned for AFM.
- A TCP Half Open attack to the system is underway.
- A BIG-IP Administrator attempts to use the AFM Packet Tester tool, and simulates sending a TCP segment with the SYN flag set.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the AFM Packet Tester tool while a TCP Half Open attack is underway.

Fix:
TMM no longer crashes when utilizing the AFM Packet Tester tool.

763005-3 : Aggregated Domain Names in DNS statistics are shown as random domain name

Component: Application Visibility and Reporting

Symptoms:
Many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates data it shows aggregated names using a random name taken from the first lookup table record.

Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.

Impact:
There is one random domain name with a high counter value, other domains are shown with counter 1.

Workaround:
None.

763001-1 : Web-socket enforcement might lead to a false negative

Solution Article: K70312000

Component: Application Security Manager

Symptoms:
A request that should be blocked will be passed to server.

Conditions:
Parse parameters flag in json profile is enabled.
Requests are sent in json websocket.

Impact:
Bad requests may be passed to the server

Workaround:
Disable parse parameters flag in json profile

Fix:
Web-socket enforcement now filters requests as expected.

762453-2 : Hardware cryptography acceleration may fail

Solution Article: K63558580

762385 : Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later★

Component: TMOS

Symptoms:
When multiple attributes in a list match multiple roles, the wrong role may be assigned. Alternatively, authentication may fail when check-roles-group is disabled.

Conditions:
LDAP server replies with a list of attributes (e.g., list of memberOf) where more than one match existing role.

Impact:
BIG-IP assigns the user to the last attribute in the list that matches a role, potentially yielding a more restrictive set of permissions.

Authentication may fail when check-roles-group is disabled.

Workaround:
None.

Fix:
The correct remote-role is now assigned using LDAP authentication.

762205-2 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears

Component: TMOS

Symptoms:
Rekey with non BIG-IP systems can fail when a response contains a VENDOR_ID payload.

Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
[I] [PROTO_ERR]: unexpected critical payload (type 43)
Note: This message may be correctly present under other conditions, with different type constants not equal to 43.

Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.

Workaround:
No workaround is known at this time.

Fix:
Handling of payload types during rekey will now ignore VENDOR_ID when it appears, the same way we ignore VENDOR_ID in other messages during IKE negotiation.

762073-2 : Continuous TMM restarts when HSB drops off the PCI bus

Component: TMOS

Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.

Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.

Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.

Workaround:
Manually reboot the BIG-IP system.

Fix:
TMM no longer gets stuck in a restart loop, as a reboot is now automatic in this scenario.

761993-2 : The nsm process may crash if it detects a nexthop mismatch

Component: TMOS

Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.

Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.

Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.

Workaround:
None.

Fix:
Prevented nsm crashing when there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop.

761941-1 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server

Component: Application Security Manager

Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.

Impact:
Backend app gets CSRT parameter, which might impact its business logic.

Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.

Fix:
The system now removes the csrt query parameter before forwarding a request to the backend server

761933-1 : Reboot with 'tmsh reboot' does not log message in /var/log/audit

Component: TMOS

Symptoms:
The tmsh reboot command is missing from /var/log/audit.

Conditions:
-- Reboot a system using the command 'tmsh reboot'.
-- View the /var/log/audit log.

Impact:
The system does not log the tmsh reboot operation in the /var/log/audit log. A message similar to the following should be reported:

notice tmsh[19115]: 01420002:5: AUDIT - pid=19115 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=reboot.

Workaround:
None.

761921-1 : avrd high CPU utilization due to perpetual connection attempts

Component: Application Security Manager

Symptoms:
avrd shows high CPU utilization. Repeated retries on auth token client failed connection attempts.

Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.

Impact:
avrd consumes a large amount of CPU.

Workaround:
Correct BIG-IQ availability and restart avrd.

Fix:
avrd now waits between connection retries, so this issue does not occur.

761753-2 : BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs

Component: TMOS

Symptoms:
When UDP checksum is 0 (zero), a BIG-IP device with an x520 NIC causes the packets to be marked as 'checksum failed'.

Conditions:
-- Using BIG-IP Virtual Edition (VE).
-- VE is using x520 VF.

Impact:
UDP Packets with 0 checksum are dropped.

Workaround:
None.

Fix:
UDP checksum failed packets are marked by the ixvf driver as 'not checksummed by hardware'. This makes software re-verify checksum instead of relying on hardware-indicated checksum pass/fail.

761749-2 : Security pages unavailable after switching RT mode on off few times

Component: Application Visibility and Reporting

Symptoms:
Security dashboard and analytics pages display "Unable to load application" and no statistics available.

Conditions:
A BIG-IP configured to collect statistics from security modules and new statistics are generated periodically.
The problem may appear when a user switches real-time mode on off few times.

Impact:
Security dashboard and analytics pages unavailable for at least few hours and some real-time statistics are lost.

Fix:
Added timeout for fetching data from statistics module.

761685-3 : Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set

Component: Service Provider

Symptoms:
Systems desiring to create a unique connection per connection client may silently end up with clients sharing an outgoing connection if routing uses a virtual server as the outgoing connection transport definition, and the virtual server has the source-port attribute set to preserve-strict.

Conditions:
-- Routing using a virtual server as the transport definition for the outgoing connection.
-- The virtual server has the source-port attribute set to preserve-strict.

Impact:
Systems desiring to create a unique connection per connection client may silently end up sharing an outgoing connection.

Workaround:
None.

Fix:
Per-client mode is now maintained when routing to a virtual server, even when preserve-strict is selected.

761553-2 : Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic

Component: Application Security Manager

Symptoms:
Text for analyzed requests might be misleading for suggestions that are created as result of an absence of violations in traffic:

X requests triggered this suggestion from date:time until date:time.

Actually:
-- 'X requests' did not trigger a violation, and no sampled are requests provided.

-- The format of the time in 'from date:time until date:time' is difficult to parse.

Conditions:
There are suggestions that were created as result of an absence of violations in traffic in the policy.

Impact:
Text might be misleading.

Workaround:
None.

Fix:
Improved text for analyzed requests for suggestions that were created as result of absence of violations in traffic

761549-2 : Traffic Learning: Accept and Stage action is shown only in case entity is not in staging

Component: Application Security Manager

Symptoms:
Accept and Stage action is available, even for entities that are in staging already.

Conditions:
Create suggestion for the entity (e.g., Attack signature on parameter) that is in staging.

Impact:
Action that is not relevant is shown.

Workaround:
None.

Fix:
Accept and Stage action is available only for suggestions on entities that are not in staging

761517-1 : nat64 and ltm pool conflict

Component: Carrier-Grade NAT

Symptoms:
When a pool is assigned to a virtual server with nat64, the destination address is changed to the one of the pool, regardless if address translation is enabled or not.

Conditions:
vs with nat64 and pool configured.

Impact:
nat64 does not happen, even if the translate-address option is set to disable.

Workaround:
none

Fix:
When a nat64 virtual server has a pool and translate-address is disabled, the pool is utilized but nat64 is performed.

761385-1 : Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire.

Component: Local Traffic Manager

Symptoms:
Responses from a server are not received by the client.

Conditions:
-- BIG-IP system deployed in L2 transparent mode using virtual wire.
-- No virtual server is configured.

Impact:
Responses from server to client are dropped. Loss of service.

Workaround:
None.

Fix:
Set the L2 transparent flag for the server-side flow if the client-side flow has this flag set.

761381-1 : Incorrect MAC Address observed in L2 asymmetric virtual wire

Component: Local Traffic Manager

Symptoms:
Incorrect MAC Address observed in L2 asymmetric virtual wire for ICMP unreachable on UDP traffic.

Conditions:
L2 asymmetric virtual wire is configured.

Impact:
Incorrect MAC Address in teh packet when the BIG-IP system sends ICMP unreachable on UDP traffic

Workaround:
None.

Fix:
The correct MAC address is seen in the packet that is flowing from the BIG-IP system.

761345-3 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode

Component: Advanced Firewall Manager

Symptoms:
When manual config-sync mode is enabled for a HA setup, additional config-sync may be required after firewall blob compilation.

Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.

Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.

Workaround:
Enable auto config-sync instead of manual config-sync.

Fix:
Additional config-sync is not required in these conditions.

761273-2 : wr_urldbd creates sparse log files by writing from the previous position after logrotate.

Component: Traffic Classification Engine

Symptoms:
After log rotation, the wr_urldbd daemon continues to write at the pre-rotate offset into the file, so the next message is written at offset N, making the file sparse, with all characters prior to position being read as nulls.

Conditions:
System rotates log files.

Impact:
Some automated systems might not be able to read log file.

Workaround:
None.

Fix:
Log file preserves text file type after log rotation.

761234-2 : Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached

Component: Advanced Firewall Manager

Symptoms:
If you create a virtual server with a single address ('Host' in the GUI) for both its source and destination, then configure the virtual server's security policy with a logging profile, and then (after creating the virtual server) modify the source or destination to use a traffic matching condition, the system reports no error when updating the configuration.

Conditions:
Attempting to use a virtual server with a security policy attached that uses a logging profile with an address list as the virtual server's source or destination.

Impact:
An invalid configuration is not caught. When later loading the configuration, the system reports a validation error, and the configuration does not load.

Workaround:
None.

Fix:
An error is now generated under these conditions.

761231-2 : Bot Defense Search Engines getting blocked after configuring DNS correctly

Solution Article: K79240502

Component: Application Security Manager

Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.

A cache is stored for legal / illegal requests to prevent querying the DNS again.

This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.

Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.

Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.

Workaround:
Restart TMM by running the following command:
bigstart restart tmm

Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.

761199-1 : Wr_urldbd might crash while system is in a restarting loop.

Component: Traffic Classification Engine

Symptoms:
Webroot daemon (wr_urldbd) crashes if it gets back to back SIGTERM signals. Subsequent SIGTERM is handled by default signal handler instead of registered one.

As a result wr_urldbd's threads are not prevented from starting if wr_urldbd is in the process of shutting down.

Conditions:
-- System configuration is changing
-- wr_urldbd is restarting continuously at the same time

Impact:
Wr_urldbd crashes during restart and generates core file.

Workaround:
None.

Fix:
Wr_urldbd handles all signals with registered handler and does not crash.

761194-2 : param data type violation on an Integer parameter, if an integer value is sent via websocket JSON

Component: Application Security Manager

Symptoms:
A false positive occurs with 'Illegal parameter data type' violation on an integer parameter, on websocket messages

Conditions:
An explicit parameter with type integer is configured.

Impact:
A false positive can occur, 'Illegal parameter data type' is reported.

Workaround:
N/A

Fix:
Fixed a false positive with integer values

761185-2 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550

Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550

Impact:
For more information please see: https://support.f5.com/csp/article/K50375550

Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550

Fix:
For more information please see: https://support.f5.com/csp/article/K50375550

761173-1 : tmm crash after extended whitelist modification

Component: Advanced Firewall Manager

Symptoms:
tmm might crash and restart.

Conditions:
Modifying the whitelist extended entry in tmsh.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm process no longer crashes when modifying the whitelist extended entry in tmsh.

761160-2 : OpenSSL vulnerability: CVE-2019-1559

Component: TMOS

Symptoms:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).

Conditions:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).

Impact:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).

Workaround:
None.

Fix:
Update OpenSSL to 1.0.2s.

761144-4 : Broadcast frames may be dropped

Solution Article: K95117754

761112-3 : TMM may consume excessive resources when processing FastL4 traffic

Solution Article: K76328112

761088-1 : Remove policy editing restriction in the GUI while auto-detect language is set

Component: Application Security Manager

Symptoms:
While policy language was set to auto-detect, the policy editing was not allowed.

Conditions:
Create a new policy and set the language to auto-detect.

Impact:
While policy language was set to auto-detect, the policy editing was not allowed.

Workaround:
The policy language must be set to something other than auto-detect to allow user to edit the policy from GUI. However, policy editing is possible using REST API.

Fix:
The GUI restriction was removed. User can modify the policy while the language is set to auto-detect.

761032-2 : TMSH displays TSIG keys

Solution Article: K36328238

Component: Global Traffic Manager (DNS)

Symptoms:
TSIG key is displayed when related configuration is listed in TMSH.

Conditions:
Authenticated administrative user.
Listing TSIG keys using TMSH.

Impact:
Displaying TSIG keys is a security exposure.

Workaround:
None.

Fix:
TMSH no longer displays TSIG keys when listing configuration.

761030-2 : tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route

Component: Local Traffic Manager

Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not shown using the show net route lookup command.

Conditions:
-- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
-- Dynamic Routing protocols such as OSPFv3 configured.

Impact:
Cannot see any dynamic routes added while IPv4-mapped IPv6 addresses are configured.

Workaround:
None.

Fix:
The query for IPv4-mapped IPv6 addresses now shows dynamic routes added while IPv4-mapped IPv6 is configured.

761014-2 : TMM may crash while processing local traffic

Solution Article: K11447758

760998-1 : F5.ip_forwarding iAPP fails to deploy

Component: TMOS

Symptoms:
F5.ip_forwarding iApp fails to deploy due to a syntax error in the tmsh command for syn-cookie-enable.

Conditions:
Deployment of the f5.ip_forwarding iApp fails unless you specify an existing FastL4 profile.

Impact:
Cannot deploy the f5.ip_forwarding iApp template.

Workaround:
To deploy the f5.ip_forwarding iApp, select 'Advanced' configuration mode and choose an existing FastL4 profile for the question 'What Fast L4 profile do you want to use?'

Fix:
The f5.ip_forwarding iApp template deploys the recommended FastL4 profile without error.

760950-4 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Note: A previous bug had this same symptom, but was due to a different root cause.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.

Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system.

760930-2 : MRF SIP ALG with SNAT: Added additional details to log events

Component: Service Provider

Symptoms:
Subscriber name is not included in debug log events for temporary subscriber registration creation and deletion.

Conditions:
debug log events for temporary subscriber registration creation and deletion.

Impact:
No functional impact, but the associated MRF SIP ALG with SNAT issue might be difficult to debug.

Workaround:
None.

Fix:
Subscriber ID is now included in the log events.

760878-3 : Incorrect enforcement of explicit global parameters

Component: Application Security Manager

Symptoms:
A false positive or false negative enforcement of explicit global parameter.

Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.

Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.

Workaround:
Make the explicit parameters a wildcard parameter.

Fix:
Explicit parameters are enforced correctly on all parameters.

760771-1 : FastL4-steered traffic might cause SSL resume handshake delay

Component: Local Traffic Manager

Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.

Additionally, it has been observed that if fallback persistence is configured, the BIG-IP system might fail to start the connection serverside.

Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.

Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.

Workaround:
To workaround this issue:
-- Disable FastL4.
-- Enable OneConnect.

Fix:
FastL4-steered traffic no longer causes SSL resume handshake delay.

760723-2 : Qemu Vulnerability

Solution Article: K64765350

760683-1 : RST from non-floating self-ip may use floating self-ip source mac-address

Component: Local Traffic Manager

Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.

Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.

Impact:
An L2 switch may update the fwd table incorrectly.

Workaround:
None.

Fix:
The system now uses the correct source mac-address under these conditions.

760680-1 : TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed.

Solution Article: K36350541

Component: TMOS

Symptoms:
TMSH does not correctly handle absence of input stream after closing an interactive SSH session and remains active in an infinite loop using 100% CPU.

Conditions:
If TMSH is a process group leader, it is not killed when the parent shell is terminated upon SSH session close.

This is a rare case, as TMSH must be deliberately promoted to a process group leader, e.g., with the 'setsid' command.

Usually the shell process is a group leader and, when it is terminated upon SSH session close, it kills its child processes, including TMSH.

Impact:
The equivalent of one CPU core is utilized to 100% by the TMSH process. It may be mostly scheduled on one core or spread over multiple control plane cores.

Workaround:
TMSH should not be intentionally promoted to a process group leader.

You can kill all TMSH processes using the command:

killall -9 tmsh

Warning: This command kills both abandoned and in-use TMSH processes. The latter can include other users' TMSH shells, and even system-level processes invoking the TMSH utility internally. Killing all TMSH processes can lead to various unexpected failures. You can use the 'top' command to see which TMSH process is using high CPU (e.g., 90% or more), and kill just those, as those are the likely zombie processes. pstree may also show the problem TMSH processes with no sshd ancestor.

You can kill specific TMSH processes using the command:
kill -9 <pid>

Where <pid> is the process ID of the TMSH instance to kill.

Possible mitigation
===================
Set a CLI idle timeout to a value lower than the sshd idle timeout (which is not set by default):

tmsh modify cli global-settings idle-timeout <timeout in minutes>

Fix:
I/O error handling in TMSH has been corrected, so it no longer ignores absence of input stream, which led to infinite loop.

760629-3 : Remove Obsolete APM keys in BigDB

Component: Access Policy Manager

Symptoms:
Several APM/Access BigDB keys are obsolete and should be removed as they only add confusion

Conditions:
--BigIp is UP and Running

Impact:
Though those keys are not being used they create confusion as a placeholder

Workaround:
Remove those keys from BigDB and control plane side as those are not being used. But don't remove the keys which has still dependancies with other modules and also don/'t remove those keys used in upgrade

Fix:
Remove those keys from BigDB and control plane side as those are not being used. But don't remove the keys which has still dependancies with other modules and also don/'t remove those keys used in upgrade

760622-3 : Allow Device Certificate renewal from BIG-IP Configuration Utility

Component: TMOS

Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.

Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.

Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.

Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:

openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt

For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:

openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt

Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.

760597-1 : System integrity messages not logged

Component: TMOS

Symptoms:
On TPM-equipped platforms, log messages indicating recovery from a very rarely triggered condition, where the TPM chip needs to be cleared, are not being recorded in the logs on boot.

Conditions:
-- TPM-equipped platforms.
-- Rarely triggered condition in which the TPM chip needs to be cleared.

Impact:
No message indicating the need to clear the TPM.

Note: The need to clear the TPM does not affect the subsequent operation of system integrity checks.

Workaround:
None. The TPM is automatically cleared on boot. Once cleared, it operates normally.

Using remote attestation by submitting a QKview file to iHealth and checking the System Integrity status in the resulting report will reliably indicate any tampering in the BIOS or system startup files.

Fix:
TPM needing to be cleared message is now logged.

760594 : On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.

Component: TMOS

Symptoms:
Executing 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.

Conditions:
BIG-IP Virtual Edition

Impact:
The snmpwalk command shows the details of all partitions on previous versions. It now shows only the '/appdata' details.

Workaround:
No workaround exists for this issue currently.

760574 : Updating BIG-IP 14.1.x Linux kernel to RHEL7.5

Component: TMOS

Symptoms:
The kernel for the BIG-IP 14.1.x Linux kernel needs updating to RHEL7.5.

Conditions:
Using the most current version of the BIG-IP software.

Impact:
The Linux kernel update is a typical function of ongoing BIG-IP software development.

Workaround:
None.

Fix:
Below are the advantages of kernel update:
-- Ease of maintenance.
-- Security fixes part of RHEL 7.5.
-- New / Enhanced feature support.

760573-1 : TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0★

Solution Article: K00730586

Component: TMOS

Symptoms:
The Trusted Platform Module (TPM) system integrity check may return an invalid status.

As a result of this issue, you may encounter one or more of the following symptoms:

-- While the system boots to BIG-IP 14.1.0, you observe an error message that appears similar to the following example:
tpm-status-check[5025]: System Integrity Status: Invalid

-- After rebooting the system to different volumes, you continue to observe the previous error message.

Conditions:
This issue occurs when the following condition is met:

You reboot a system running either BIG-IP 13.1.x or 14.0.0 (including their point releases) to BIG-IP 14.1.0.

Impact:
The BIG-IP system reports an invalid TPM status and TPM is non-functional.

Workaround:
To recover from this issue, you must delete the grub configuration file and reboot the system twice for an automatic repair to occur. To do so, perform the following procedure:

Impact of workaround: The system will not be available while performing multiple reboots. F5 recommends that you perform this procedure during an appropriate maintenance window.

1. Log in to the command line of the affected system.
2. Mount the boot partition by typing the following command:
mkdir -p /mnt/boot; mount /dev/mapper/$(ls /dev/mapper | grep boot) /mnt/boot

3. Delete the grub.multiboot.cfg file by typing the following command:
rm -f /mnt/boot/grub2/grub.multiboot.cfg

4. Reboot the system by typing the following command:
reboot

Note: The system software fixes the grub.multiboot.cfg file automatically upon booting.

5. When the system has completed booting, log in to the command line and reboot the system again by typing the following command:
reboot

This final step properly boots the system with TPM enabled.

Fix:
Rebooting a system no longer returns the TPM error.

760550-5 : Retransmitted TCP packet has FIN bit set

Component: Local Traffic Manager

Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.

Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.

Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.

Workaround:
Set Nagle to disabled in the TCP profile.

Fix:
The incorrect FIN bit is removed.

760508-1 : On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist★

Solution Article: K91444000

Component: TMOS

Symptoms:
The system security state reported by the shell utility 'tpm-state' may report 'Invalid'.

Conditions:
-- The system contains a volume running BIG-IP software version that does not support Trusted Platform Module (TPM).

-- You install a version that does support TPM.

-- The system is rebooted, from the old (non-TPM-capable) BIG-IP version to the new, TPM-capable version.

Impact:
The BIG-IP system reports an invalid TPM status upon the first boot of the upgraded BIG-IP 14.1.0 slot.

Workaround:
Rebooting the system again into 14.1.0 after initially booting into 14.1.0 resolves the issue.

760475-1 : Apache spawns more processes than the configured limit, causing system low memory condition

Component: TMOS

Symptoms:
Apache (httpd) process count MaxClients on BIG-IP systems is set to '10' in the configuration. When more requests are received, Apache spawns more processes than 10, consuming more memory.

Conditions:
Numerous clients trying to connect simultaneously to the BIG-IP GUI.

Impact:
System low memory condition can severely impact application/system performance, and sometimes triggers Out-Of-Memory (OOM) Killer, so critical applications might be terminated.

Workaround:
Complete the following procedure:

1. Modify /etc/httpd/conf/httpd.conf to have the following configuration outside of the prefork module (global):

MaxClients 10

2. Run the following command:
bigstart restart httpd

760471-3 : GTM iQuery connections may be reset during SSL key renegotiation.

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation.

Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.

Workaround:
There is no workaround.

Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.

760468 : Route domains cause diskmonitor errors in logs

Component: TMOS

Symptoms:
Configuring a non-default route-domain results in frequent diskmonitor error in the LTM log file:

warning diskmonitor[14972]: 011d0002:4: Skipping net:[4026532306]. Stat returned message: /usr/bin/stat: cannot read file system information for net:[4026532306]: No such file or directory.

Conditions:
-- BIG-IP system running v14.1.x.
-- Non-default route-domain configured.

Impact:
There is no functional impact. The message logged does not indicate functional issues. However, the issue might occur frequently, which can be erroneously concerning.

Workaround:
This issue can be worked around with two methods.

The first is by creating a syslog-ng filter.

1. Log in to the TMOS shell (tmsh) by typing the following command:
-----
tmsh
-----

2. To edit syslog, type the following command:
-----
edit /sys syslog
-----

3. When syslog configuration opens in the vi text editor, copy and paste the entire entries below:

============ CUT BELOW ==============
modify syslog {
include "

# Workaround for ID760468 to remove diskmonitor messages

filter f_no_audit {
   not message(\"AUDIT|diskmonitor.*Skipping net:\");
};"

}
============ CUT ABOVE ==============

4. Exit the text editor by typing the following key sequence:
-----
:wq!
-----

5a. At the following prompt, type y to save the changes to the file:
Save changes? (y/n/e)

The tmsh utility prompt returns.

5b. If the syslog filter contains syntax errors, the tmsh utility returns the following prompt:

There were errors. Continue editing (y) or discard changes (n) (y/n)

Correct the errors until there are no more errors flagged.

6. Save the configuration by typing the following command:
-----
save /sys config
-----

The second is by modifying the diskmonitor script as follows.

Note: This change does not replicate between blades, does not ConfigSync, is not preserved as part of a UCS archive, and is not preserved across software installs on a system.

1. Mount /usr as rw (read-write).
2. Open /usr/bin/diskmonitor in an editor, locate the line that references '/shared/em', and add this immediately above it:
    || substr($mountline[1], 0, 4) eq 'net:'
3. Mount /usr as ro (read-only).

Here is a one-line command string you can use:

    mount /usr -o remount,rw && if [ ! -f /usr/bin/diskmonitor.id760468 ]; then /bin/cp /usr/bin/diskmonitor{,.id760468}; fi && sed -ie "/^.*shared\/em.*\$/i\ || substr(\$mountline[1], 0, 4) eq 'net:'" /usr/bin/diskmonitor && (perl -c /usr/bin/diskmonitor || echo "WARNING: DISKMONITOR SCRIPT IS NO LONGER VALID PERL") && mount /usr -o remount,ro

Fix:
Configuring a non-default route-domain no longer results in diskmonitor errors in the LTM log.

760462-1 : Live update notification is shown only for provisioned/licensed modules

Component: Application Security Manager

Symptoms:
Live update notification in the left top corner of the screen was shown even when you cannot install updates, e.g., no permissions or no license/provisioning.

Conditions:
-- There is update for non-provisioned/licensed module.
-- Attempt to install the update.

Impact:
A notification appears and it cannot be removed.

Workaround:
None.

Fix:
Live update notification is now shown only for provisioned/licensed modules.

760439-4 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status

Component: TMOS

Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).

Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.

Impact:
Unit may become active/standby before intended (e.g., during maintenance).

Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.

760438-3 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions

Component: Policy Enforcement Manager

Symptoms:
tmm coredump

Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.

Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The BIG-IP system now validates session presence before applying the policy.

760410-1 : Connection reset is seen when Category lookup agent is used in per-req policy

Component: Access Policy Manager

Symptoms:
The BIG-IP system sends reset to client when Category Lookup agent is used in per-req policy.

Conditions:
-- APM or SSLO is licensed and provisioned.
-- URLDB and SWG are not provisioned.
-- Category Lookup agent is used in the policy to process custom categories.

Impact:
Connection reset is seen on client from APM/SSLO box.

Workaround:
Modify Category Lookup agent 'lookup-type' property to 'custom-only' via TMSH, for example, by using a command similar to the following:

modify apm policy agent category-lookup example_prp_act_category_lookup_ag lookup-type custom-only

Fix:
Category lookup agent in per-req policy now successfully processes custom categories, so the reset no longer occurs.

760408-3 : System Integrity Status: Invalid after BIOS update★

Solution Article: K23438711

Component: TMOS

Symptoms:
When BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.

This issue causes the System Integrity Status to return a value of 'Invalid'.

Conditions:
-- BIG-IP systems that have been manufactured using a earlier BIOS version.
-- Updating to a newer BIOS version.

Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.

Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.

Fix:
The System Integrity Status check now return 'Valid' for systems that have not been compromised.

760393 : GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes

Component: Advanced Firewall Manager

Symptoms:
After failover, there is no GARP from the newly active device for FW NAT policy rule's dest prefixes.

Conditions:
Configure FW NAT policy rules with proxy arp enabled for destination prefixes. After failover no GARP is sent for those destinations prefixes.

Impact:
After failover traffic can fail/degrade.

Workaround:
No workaround other than forcing the initial active HA device to be active again.

Fix:
The system now sets the high availability (HA) unit correctly for FW NAT policy.

760370-2 : MRF SIP ALG with SNAT: Next active ingress queue filling

Component: Service Provider

Symptoms:
When running MRF SIP ALG with SNAT, the ingress queue may fill, causing messages to be dropped on the next-active device.

Conditions:
-- The active device determines that an operation can be skipped because the details are already discovered processing a previous message.
-- The next-active device has not yet processed the previous message and is not able to skip the operation.

Impact:
Mirroring state is lost for the connection.

Workaround:
None.

Fix:
When the connection is mirrored, the processing operation is not skipped on either the active or next-active device.

760363-1 : Update Alias Address field with default placeholder text

Component: TMOS

Symptoms:
Unable to update Alias Address field with the default value under Local Traffic :: Monitors :: [MonitorName] after removing everything from the input field and updating again with the placeholder text.

Conditions:
-- Using a system running software in which the GUI supports Chinese characters.
-- Remove content from the Alias Address field under Local Traffic :: Monitors:: [MonitorName].
-- Enter the default placeholder text.

Impact:
Unable to update the Alias Address input field with default placeholder text after replacing the said field with blank text or a valid value.

Workaround:
Pass empty value or ::

Fix:
Allow monitors to update with default placeholder text for Alias Address

760356-2 : Users with Application Security Administrator role cannot delete Scheduled Reports

Component: Application Visibility and Reporting

Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.

Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.

Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.

Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.

Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports

760355 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★

Component: Advanced Firewall Manager

Symptoms:
If firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

Conditions:
-- Firewall is configured on the management port.
-- Firewall is configured with an ICMP rule to block.

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on management port. ICMP packets are allowed from the management port.

Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.

# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP

Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.

760259-3 : Qkview silently fails to capture qkviews from other blades

Component: TMOS

Symptoms:
When capturing a qkview on a chassis, there are no warnings provided if the qkview utility is run to gather a qkview from other blades.

Conditions:
-- On a chassis system, rename/move the qkview binary from a given blade.

-- Execute qkview on another blade, verify that no warnings or errors are produced.

Impact:
There is no warning that the qkview failed for a given blade.

Workaround:
There is no workaround other than running the qkview on the actual blade.

760250 : 'Unsupported SSO Method' error when requests sharing the same TCP session

Component: Access Policy Manager

Symptoms:
In API Protection configurations, 'Unsupported SSO Method' error occurs when requests sharing the same TCP session, and some branch selects Single-Sign On (SSO).

Conditions:
-- On the virtual server, the OneConnect profile is selected.
-- Requests sharing the same TCP session.

Impact:
Some requests are rejected.

Workaround:
Remove the OneConnect profile from the virtual server.

Fix:
Reset the SSO selection for each request, regardless of whether requests share the same TCP connection.

760234-1 : Configuring Advanced shell for Resource Administrator User has no effect

Component: TMOS

Symptoms:
Advanced shell is present in the Terminal Access dropdown list when creating a Resource Administrator User, but the functionality is not available.

Conditions:
Configuring Advanced shell for Resource Administrator User.

Impact:
There is no warning message, but the setting has no effect. Gives the false impression that you can configure a Resource Administrator User to have Advanced shell access when the role does not support it.

Workaround:
None.

Fix:
The Advanced shell option is no longer present in the Resource Administrator User Terminal Access dropdown list.

Behavior Change:
Resource Administrator User can no longer select Advanced shell. The option has been removed from the dropdown list in the GUI for the Resource Administrator User.

760222 : SCP fails unexpected when FIPS mode is enabled

Component: TMOS

Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.

Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.

Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.

Workaround:
None.

Fix:
This scp issue no longer occurs when FIPS cards are installed.

760164-1 : BIG-IP VE Compression Offload HA action requires modification of db variable

Component: TMOS

Symptoms:
When TMM detects a compression offload device hang it does not invoke the configured high availability (HA) action.

Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes compression operations.

Impact:
The configured HA action does not occur when a compression offload device hangs. Clients compression requests eventually time out.

Workaround:
Disable the pfmand by running the following commands:
tmsh modify sys db pfmand.healthstatus value disable
tmsh save sys config

The configured HA action will now occur when a compression offload device hangs.

Note: The pfmand daemon is not needed for BIG-IP VE, so disabling the db variable has no impact for BIG-IP VE configurations.

760130-3 : [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK

Component: Access Policy Manager

Symptoms:
-- Increased overall TMM memory usage, which eventually forces TMM to start closing connections to reduce memory usage.
-- connflow memory usage keeps increasing. Memory usage can be observed with this command:
# tmctl -f /var/tmstat/blade/tmm0 memory_usage_stat -w200

Conditions:
1. Using PingAccess.
2. Errors are being logged in /var/log/paa.

Impact:
-- Memory leak.
-- Eventually TMM starts closing connections randomly.

Workaround:
None.

Fix:
When PingAccess encounters an error after sending traffic data to PingAccess SDK, TMM no longer leaks memory.

760078-1 : Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet.

Component: Local Traffic Manager

Symptoms:
Packet with unexpected source MAC seen on the adjacent node to the BIG-IP.

Conditions:
- BIG-IP configured in an L2 transparent mode using virtual wires
- Traffic forwarded between client and server in an asymmetric manner across virtual wires.

Impact:
Possible impacts to services on nodes adjacent to the BIG-IP if policy decisions on those nodes are made with the source MAC of the received packet as input.

760050-2 : cwnd warning message in log

Component: Local Traffic Manager

Symptoms:
The following benign message appears in the log: cwnd too low.

Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.

Impact:
None. TCP resets the congestion window to 1 MSS.

Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.

759968-3 : Distinct vCMP guests are able to cluster with each other.

Component: Local Traffic Manager

Symptoms:
-- Distinct vCMP guests are able to cluster with each other.

-- Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using below command:

clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac

Check the 'rebroad_mac' field for duplicate mac addresses.

vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------

Conditions:
-- It is not yet clear under what circumstances the issue occurs.

-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.

Impact:
Only the vCMP guest acting as primary will be operative.

Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:

modify sys db clusterd.communicateovertmmbp value false.

To disable the db variable on the affected guest use the following procedure:

1. Stop sys service clusterd.
2. Modify sys db clusterd.communicateovertmmbp value false.
3. Start sys service clusterd.
4. Save sys conf.

Afterwards, the affected guest might still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask.

With the above steps, the duplicated rebroadcaster MAC still shows, but the vguests are in stable states. To fix the duplicated MAC problem, apply the workaround (on all blades) documented in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

Important: Applying procedure described in K13030 interrupts traffic.

Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.

759868-1 : TMM crash observed while rendering internal pages (like blocked page) for per-request policy

Component: Access Policy Manager

Symptoms:
TMM crashes.

Conditions:
-- SSLO/SWG configured.
-- Rendering internal pages (like a blocked page).
-- Per-request policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores while rendering internal pages (like blocked page) for per-request policy.

759814-1 : Unable to view iApp component view★

Component: TMOS

Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.

Conditions:
-- Upgrade to v14.1.x.
-- Create a new iApp with an SSL, ASM, or Traffic policy profile.
-- Or, attempt to view an iApp containing ASM information

Impact:
Unable to access the iApp Component view. Cannot reconfigure the iApp directly (iApp : Application Services : application : any app).

Workaround:
To reconfigure the iApp, do the following:

1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List.
2. Click the Application Link :: Reconfigure.

Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.

759735-2 : OSPF ASE route calculation for new external-LSA delayed

Component: TMOS

Symptoms:
External link-state advertisement (LSA) update does not trigger OSPF ASE route calculation, resulting in delay for route state changes from external LSA.

Conditions:
-- OSPF enabled.
-- More than 20 updated external LSA.
-- No updated router and network LSA.

Impact:
Delay of route update from external LSA.

Workaround:
Manually clear ip ospf process.

Fix:
OSPF ASE route calculation from external LSA are happening as normal.

759723-1 : Abnormally terminated connections on server side may cause client side streams to stall

Component: Local Traffic Manager

Symptoms:
The BIG-IP system provides HTTP/2 Gateway configuration when an HTTP/2 client is served by HTTP/1.x pool members. When a server-side connection terminates abnormally, TMM may crash.

Conditions:
-- A virtual server with HTTP/2 Gateway configuration is configured on the BIG-IP system.
-- Traffic on the server side has some abnormalities, resulting in aborted or unclosed connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash when a virtual server is configured as a HTTP/2 gateway.

759721-2 : DNS GUI does not follow best practices

Solution Article: K03332436

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS WebUI does not follow best security practices.

Conditions:
DNS services provisioned, enabled, and configured

Impact:
The DNS WebUI does not follow best security practices.

Workaround:
None.

Fix:
The DNS WebUI now follows best security practices.

759654-1 : LDAP remote authentication with remote roles and user-template failing

Component: TMOS

Symptoms:
The directory server that performs authentication requests refuses a query for authorization (user attributes), which prevents the BIG-IP user from logging on with remote authentication.

BAD_NAME errors are usually present in LDAP communication.

Conditions:
-- Configure LDAP remote authentication with remote roles and a user template.
-- As a remote user, attempt to logon.

Impact:
The query request sent to the directory server is refused because the password is not included in the request, and the server does not accept an anonymous bind request. The refused request prevents a lookup of the user account attributes on the directory server. As a result, the BIG-IP user cannot logon.

Workaround:
Remove user-template. bind-dn must be used to authenticate against LDAP server.

759579-1 : Full Webtop: 'URL Entry' field is available again

Component: Access Policy Manager

Symptoms:
'URL Entry' field is no longer visible from full webtop.

Conditions:
Using Portal Access full webtop screen.

Impact:
It is not possible to open Portal Access session with arbitrary URL from full webtop screen.

Workaround:
None.

Fix:
Now 'URL Entry' field can be enabled and used on full webtop.

759564-4 : GUI not available after upgrade

Component: TMOS

Symptoms:
After installing over the top of a previous version, the Management GUI is inaccessible while SSH access works. You may see one or more of the following conditions

    Shell prompt may show logger[1234]: Re-starting named
    bigstart restart httpd fails
    bigstart start httpd fails

Conditions:
Installation over a previously used Boot Volume

Impact:
Corrupt install

Workaround:
Boot back to previous boot volume and then delete the boot volume containing the failed install.

759536-2 : Linux kernel vulnerability: CVE-2019-8912

Solution Article: K31739796

759499-2 : Upgrade from version 12.1.3.7 to version 14.1.0 failing with error★

Component: TMOS

Symptoms:
Upgrade from version 12.1.3.7 to version 14.1.0 fails. Running 'tmsh show sys software' shows the following message:
failed (Could not access configuration source; sda,n)

Conditions:
1. Install BIG-IP version 12.1.3.7 in new volume.
2. From 12.1.3.7, try to install 14.1.0 in new volume.

Impact:
Upgrade fails.

Workaround:
To work around this issue, delete the 14.1.0 volume and try the installation again.

The second installation of 14.1.0 succeeds in this scenario.

759483-1 : Message about HTTP status code which are set by default disappeared from the UI

Component: Application Security Manager

Symptoms:
When creating a new policy using the policy-creation page, there are status codes (200-399) that are enabled by default. There is no message about HTTP status codes that are set by default does not appear in the GUI.

Conditions:
Open Create a New Policy page.

Impact:
The message is not shown on Create Policy page

Workaround:
None.

Fix:
The message was added and shown always next to Allowed Response Status Codes input.

759480-3 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash

Component: Local Traffic Manager

Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.

Conditions:
When all of the following conditions are met:

-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.

-- A command in an LB_FAILED event (does not have to be in the same iRule as the previous point, but must be attached to the same virtual server), that parks the iRule (e.g., table, session, persist, after, HSL).

-- A CLIENT_CLOSED event is present.

-- The pool member fails in some manner, triggering LB_FAILED

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add reject command to LB_FAILED event to force the serverside of the connection closed before response is sent to the client.

759462-1 : Site names and vulnerabilities cannot be retrieved from WhiteHat server

Component: Application Security Manager

Symptoms:
Site names and/or vulnerabilities cannot be retrieved from WhiteHat's server, and you get this error:

Failed to get site names
500 Can't connect to 63.128.163.17:443

Additionally, if configured, the HTTP/HTTPS proxy is not used.

Conditions:
You attempt to retrieve site names and/or vulnerabilities from WhiteHat's server.

Impact:
The site names and/or vulnerabilities cannot be retrieved.

Workaround:
You can manually enter site name in the field 'WhiteHat Site Name' on the Security :: Application Security :: Vulnerability Assessments :: Settings page, and vulnerabilities can be downloaded from the WhiteHat server and uploaded to ASM.

Fix:
Site names and vulnerabilities can now be retrieved directly from WhiteHat's server.

759449-1 : Unable to modify the application language with 'Copy ASM Policy'

Component: Application Security Manager

Symptoms:
When using the 'Copy policy' feature, if you select another application language, it copies the actual policy without taking account of the modification on GUI, and it remains UTF-8 if it originally was UTF-8.

Conditions:
1. Go to Security :: Application Security : Security Policies : Policies List.
2. Select an ASM Policy.
3. Click 'Copy policy'.
4. Modify application language to anything else.
5. Click Save.

Impact:
Newly copied policy carries the application language setting that was active before the change, so the copy does not match the original.

Workaround:
None.

Fix:
In this release, if the encoding is different from the source policy encoding, copy now handles the operation so that the resulting policy has the correct application language.

759360-2 : Apply Policy fails due to policy corruption from previously enforced signature

Component: Application Security Manager

Symptoms:
Apply Policy fails due to policy corruption in PLC database from a previously enforced signature.

Conditions:
1. Export a policy containing a signature with an enforced rule.
2. Update ASM Signatures (ASU).
3. Import that previously exported policy.
4. Apply the newly imported policy.

Impact:
Apply policy fails.

Workaround:
As a workaround, run the following SQL, and then apply the policy:

----------------------------------------------------------------------
UPDATE PLC.PL_POLICY_NEGSIG_SIGNATURES SET previous_enforced_rule_md5 = '' WHERE previous_enforced_rule = '' and previous_enforced_rule_md5 != ''
----------------------------------------------------------------------

759356-2 : Access session data cache might leak if there are multiple TMMs

Component: Access Policy Manager

Symptoms:
Due to asynchronicity in the TMM subsystem, it is possible that the session data cache might be created after the session is terminated. As a result, that session data cache never gets released.

Conditions:
-- Transparent SWG.
-- The BIG-IP system has more than one TMM.

Impact:
TMM memory might be exhausted eventually.

Workaround:
None.

759343-6 : MacOS Edge Client installer does not follow best security practices

Solution Article: K49827114

759192-3 : TMM core during display of PEM session under some specific conditions

Component: Policy Enforcement Manager

Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.

Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.

Fix:
TMM core during display of PEM session no longer occurs.

759172-1 : Read Access Denied: user (gu, guest) type (Certificate Order Manager)

Component: TMOS

Symptoms:
GUI guest user is supposed to see Key properties (which includes cert order manager association details) and Certificate Order Manager object itself, but reports an error:
-- General database error retrieving information.
-- err mcpd[6586]: 01070823:3: Read Access Denied: user (gu) type (Certificate Order Manager)

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Guest user attempts to view Key properties (including cert order manager association details) and Certificate Order Manager object information.

Impact:
Certificate Manager role does not allow users to create certificates. They can upload and delete certificates, but when trying to create one, the GUI stays blank and the logs show a Read Access Denied error.

Workaround:
None.

759135-2 : AVR report limits are locked at 1000 transactions

Component: Application Visibility and Reporting

Symptoms:
AVR reports are limited to 1000 transactions. This is due to a hard-coded limit.

Conditions:
Using AVR reports for more than 1000 transactions.

Impact:
Unable to create reports with more than 1000 rows.

Workaround:
None.

Fix:
A db variable avr.stats.reportrownumberlimit has been added, that can be controlled via TMSH. The variable controls the number of rows in report within the range of 1 to 100000.

For example, for a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:

tmsh modify sys db avr.stats.reportrownumberlimit value 10000

Behavior Change:
There is a new db variable avr.stats.reportrownumberlimit available in TMSH, which controls the number of rows in an AVR report. Valid values are from 1 to 100000.

For example, to create a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:

tmsh modify sys db avr.stats.reportrownumberlimit value 10000

759077-2 : MRF SIP filter queue sizes not configurable

Component: Service Provider

Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.

Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes are exceeded, the filter enables its flow control logic.

Impact:
Messages may be dropped.

Workaround:
None.

Fix:
The max-pending-messages and max-pending-bytes values in the SIP router profile will be used as the limits for the SIP filter's queues. If the configured value is less than the existing hard-coded limits (512 bytes or 65535 bytes), the hard-coded limits will be used.

759056-2 : stpd memory leak on secondary blades in a multi-blade system

Component: Local Traffic Manager

Symptoms:
On secondary blades in a multi-blade system, stpd shows continued increased memory usage.

Conditions:
A non passthru STP mode (STP, RSTP or MSTP) is enabled on the system.

Impact:
System performance is degraded due to needless memory usage by stpd.

Workaround:
None.

Fix:
Stpd no longer leaks memory.

758992-2 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address

Component: Local Traffic Manager

Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.

Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.

Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.

Impact:
Incorrect MAC address used for traffic associated with the traffic-group.

Workaround:
None.

Fix:
tmm uses the proper MAC address when there is a traffic-group mac address defined and 'tm.macmasqaddr_per_vlan' is set to true.

758909-1 : TMM may crash will processing PEM traffic

Solution Article: K04730051

758879 : BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) with ixlv devices (Intel X710/XL710/XXV710 family) might not reliably pass traffic after a hard boot of the host on which it runs.

The tmm log contains messages similar to the following:

ixlv[0:8.0]: Error: AQ returned error -1 to request 10!
ixlv[0:8.0]: Error: Error -1 waiting for PF to complete operation 4
ixlv[0:8.0]: Error: WARNING: Error adding VF mac filter!
ixlv[0:8.0]: Error: WARNING: Device may not receive traffic!

The host's kernel log might contain messages similar to the following:

i40e 0000:06:00.0: VF is not trusted, switch the VF to trusted to add more functionality

Conditions:
-- BIG-IP VE with one or more virtual functions that utilize the ixlv driver within tmm.
-- Hard reboot the host and observe traffic.

Note: This issue might be dependent upon the version of the PF driver in the host, and has been observed with at least 2.1.4 and 2.4.10, but this list is incomplete.

Impact:
IPv6 and other network traffic may be handled unreliably.

Workaround:
Reboot the guest. This problem has been observed only on the very first boot after a hard boot of the host.

758872-3 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.

Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.

Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.

Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to out-of-memory crash.

Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.

Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.

758781-3 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates

Component: TMOS

Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()

Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.

Impact:
Slowness might cause timeouts in applications that are calling these functions.

Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.

758772-3 : DNS Cache RRSET Evictions Stat not increasing

Component: Global Traffic Manager (DNS)

Symptoms:
In the DNS Cache stats, the 'Resource Record Cache' statistic of 'Evictions' does not increase.

Conditions:
This occurs when the cache is full enough for records to be evicted.

Impact:
The 'Evictions' statistics do not increase when those records are evicted. Incorrect statistics accounting.

Workaround:
None.

Fix:
Fixed an issue preventing the DNS Cache's 'Resource Record Cache' statistic from counting 'Evictions'.

758764-2 : APMD Core when CRLDP Auth fails to download revoked certificate

Component: Access Policy Manager

Symptoms:
Download CRLDP Auth fails to download revoked certificates, so the list of revoked certificate remains empty (NULL). APMD cores while accessing this empty (NULL) list.

Conditions:
Empty revoked-certificate list handling.

Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.

Workaround:
None.

Fix:
The system now checks for empty revoked certificate lists (for NULL) and lets the validation OK (because there is nothing to validate against).

758714-1 : Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports.

Component: Local Traffic Manager

Symptoms:
Traffic does not pass through the BIG-IP system.

Conditions:
- Configure two trunk/LAG ports on a BIG-IP system.
- Create a virtual wire across it.

Impact:
Loss of service across the virtual wire.

Workaround:
None.

Fix:
Corrected the faulty validation checks during configuration that were a result of collateral damage.

758701-1 : APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install

Component: Access Policy Manager

Symptoms:
Remote Desktop (RD) Gateway connections from standalone RDP clients on Mac/iOS/Android fail against a fresh APM installation.

Following error is logged into /var/log/ltm:
... 01220001:3: TCL error: /Common/_sys_APM_Citrix_SmartAccess <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::path"

Conditions:
- Fresh APM installation.
- Standalone Mac/iOS/Android RDP client uses APM as RD Gateway.

Impact:
Connection can't be established.

Workaround:
Disable "tmm.http.tcl.validation" variable:
# tmsh modify sys db tmm.http.tcl.validation value disable

Fix:
Remote Desktop (RD) Gateway connections from standalone RDP clients on Mac/iOS/Android are not failing anymore against fresh APM installation.

758667-1 : BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs

Component: TMOS

Symptoms:
When TMM detects a crypto or compression offload device hang it does not invoke the configured high availability (HA) action.

Impact:
Client requests eventually time out.

Workaround:
None.

758655-1 : TMC does not allow inline addresses with non-zero Route-domain.

Component: Local Traffic Manager

Symptoms:
When trying to create a traffic-matching-criteria with inline addresses with non-zero Route-domain, receive an error:

TMC(/Common/tmc333) and addresses within the address list have different route domain.

Conditions:
Attempting to creating a traffic-matching-criteria with inline address (source or destination) and non-zero route-domain, e.g.:

create ltm traffic-matching-criteria tmc333 destination-address-inline 111.111.111.194 source-address-inline 0.0.0.0 route-domain 100

Impact:
Cannot create the traffic-matching-criteria.

Workaround:
None.

Fix:
You can now create a traffic-matching-criteria with inline addresses with non-zero Route-domain.

758631-4 : ec_point_formats extension might be included in the server hello even if not specified in the client hello

Component: Local Traffic Manager

Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.

Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.

Impact:
Some clients abort the connection in this case.

Workaround:
There is no workaround other than not configuring any EC cipher suites.

Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.

758604-2 : Deleting a port from a single-port trunk does not work.

Component: TMOS

Symptoms:
Deleting a port from a single-port trunk does not work.

Conditions:
1. Disable all ports for a trunk, for example by disabling them on a directly connected switch. The last port is not deleted correctly.
2. Re enable some other ports, the trunk now also uses the disabled port.

Impact:
No user connectivity depending on which port is used.

Workaround:
None.

Fix:
Fixed deleting a port from a single-port trunk.

758599-1 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.

Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.

Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.

Workaround:
None.

Fix:
The IPv4 and IPv6 management routes now have a metric value of 4096. Default value of static routes are 1 for IPv4 and 1024 for IPv6. This makes static routes (TMM routes) preferred over management routes, which is correct behavior.

758536 : Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x

Component: Traffic Classification Engine

Symptoms:
Traffic Intelligence IM pkg for v14.1.0 fails to install on base build version v14.1.0.1 through v14.1.0.4. This is due to strict version check in upgrade scripts.

Conditions:
When hitless upgrade for traffic intelligence with version 14.1.0 is used on base build v14.1.0.1 through v14.1.0.4.

Impact:
The process fails to load/install. The system does not receive the latest traffic intelligence signatures.

Workaround:
There is no workaround other than requesting a purpose-built traffic intelligence IM for that particular build.

Fix:
You can now install 14.1.0 IM on any other 14.1.0.x with minor version update.

758527-2 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode

Solution Article: K39604784

Component: TMOS

Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.

Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.

Impact:
Frames not delivered as expected.

Workaround:
Disable global STP.

Fix:
Frames now delivered as expected.

758517-1 : Callback for Diffie Hellman crypto is missing defensive coding

Component: TMOS

Symptoms:
Destruction of objects during Diffie Hellman crypto callback does not first check for object validity.

Conditions:
Async callback for Diffie Hellman crypto call when objects no longer look valid.

Impact:
IPsec tunnels down during tmm core in rare cases.

Workaround:
No work around is known at this time.

Fix:
Add defensive coding to forestall action when objects look invalid.

758516-1 : IKEv2 auth encryption is missing defensive coding that checks object validity

Component: TMOS

Symptoms:
Auth signature crypto callback does not check objects for validity before encryption.

Conditions:
Encryption during auth signature callback processing for IKE_AUTH.

Impact:
IPsec tunnels go down when tmm cores in rare situations.

Workaround:
No workaround is known at this time.

Fix:
Add defensive coding that checks object validity during auth encryption.

758465-1 : TMM may crash or iRule processing might be incorrect

Component: Local Traffic Manager

Symptoms:
After modifying an iRule:
- The iRules on one or more virtual servers might fire in the wrong order.
- The iRules on one or more virtual servers might not fire at all.
- TMM might crash if the iRule event is modified again.
- TMM might crash if a virtual server is modified.

Conditions:
This occurs when all of the following conditions are met:

- An iRule is in use on more than one virtual server.
- The iRule occupies a different position in the iRule list on various virtual servers, and one or more of the other iRules define the same event.
- The iRule event is modified.

Impact:
Traffic interruption while TMM restarts.
Incorrect iRule processing.

Workaround:
None.

758459-1 : Cross origin AJAX requests are blocked Cross-Origin Resource Sharing (CORS) protection

Component: Application Security Manager

Symptoms:
When enabling Single Page Application (SPA) option in ASM, cross origin AJAX requests are resulting in the following error in the browser console, and site application might not work:

Access to XMLHttpRequest at 'https://x.com' from origin 'https://www.y.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Conditions:
-- ASM with SPA enabled
-- App is sending cross-origin requests

Impact:
App does not work as expected.

Workaround:
Using an iRule, add the following headers to the response:

-- Access-Control-Allow-Origin with originating domain.
-- Access-Control-Allow-Credentials: true.

Fix:
This release adds the relevant CORS fields to responses.

758437-6 : SYN w/ data disrupts stat collection in Fast L4

Component: Local Traffic Manager

Symptoms:
Fast L4 analytics reports very large integers for goodput.

Conditions:
BIG-IP receives SYNs with attached data.

Impact:
Goodput data is unreliable.

Workaround:
None.

Fix:
Data coupled with the SYN breaks the check for a Fast L4 state change. The connection can still function normally, but statistics collection is reliant on the state change to initialize things properly. The system now ensures the correct state under these conditions, so statistics are measured correctly.

758436-4 : Optimistic ACKs degrade Fast L4 statistics

Component: Local Traffic Manager

Symptoms:
Fast L4 Analytics reports very large integers for goodput.

Conditions:
Endpoints send ACKs for data that has not been sent.

Impact:
Goodput statistics are not usable in certain data sets.

Workaround:
None.

Fix:
Additional checks prevent analytics from trusting optimistic ACKs.

758387-2 : BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it

Component: TMOS

Symptoms:
In STP 'passthru' mode, any packet sent to the BIG-IP system with a destination MAC of 01-80-c2-00-00-00 is treated as an STP bridge protocol data unit (BPDU), and is flooded to the VLAN.

Conditions:
-- The BIG-IP system is configured for STP 'passthru' mode
-- The BIG-IP system receives a packet with MAC 01-80-c2-00-00-00.

Impact:
A packet that is not an STP BPDU, but is sent to the same destination MAC address may be flooded as if it was a BPDU.

Workaround:
None.

Fix:
Added an STP drop rule for certain LLDP-type packets sent to STP destination MAC:

# list sys db bcm56xxd.rules.lldp_drop
sys db bcm56xxd.rules.lldp_drop {
value "disable"
}

It is disabled by default. You must manually set it to cause the LLDP frames to be dropped in STP passthrough mode.

758311-1 : Policy Compilation may cause MCPD to crash

Component: Local Traffic Manager

Symptoms:
If a policy has rules involving IPv6 addresses, and the addresses differ only on 32-bit boundaries, then the compilation of that policy may cause MPCD to crash.

Conditions:
-- A policy is attached to a virtual server.

-- That policy contains conditions that involve IPv6 addresses.

-- The addresses in different rules differ only on 32-bit boundaries.

Impact:
MCPD cores, and then restarts. The policy is not usable.

Workaround:
You can try either of the following:

-- It may be possible to create multiple rules from a given rule by altering the netmask.

-- Another possibility is to add a placeholder rule with no action that matches IP addresses differently.

Fix:
Policies involving matching IP addresses now compile correctly.

758119-6 : qkview may contain sensitive information

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048

758085-1 : CAPTCHA Custom Response fails when using certain characters

Component: Application Security Manager

Symptoms:
When setting the CAPTCHA Custom Response in the Bot Defense GUI, saving the profile fails when using certain characters.

For example, using the following response will return the error: 'black' unknown property

This question is for testing whether you are a human visitor and to prevent automated spam submission.


 
%BOTDEFENSE.captcha.image% %BOTDEFENSE.captcha.change%
 
What code is in the image\?
%BOTDEFENSE.captcha.solution%
 
%BOTDEFENSE.captcha.submit%
 
 
Your support ID is: %BOTDEFENSE.captcha.support_id%.

Conditions:
Attempting to configure custom CAPTCHA response in the Bot Defense profile GUI.

Impact:
Cannot configure custom CAPTCHA response in the Bot Defense Profile GUI.

Workaround:
Use TMSH or REST API to configure the CAPTCHA Custom Response.

Fix:
Configuring custom CAPTCHA response page in the Bot Defense Profile no longer fails when using certain characters.

758065-4 : TMM may consume excessive resources while processing FIX traffic

Solution Article: K82781208

758041-3 : Pool Members may not be updated accurately when multiple identical database monitors configured

Component: Local Traffic Manager

Symptoms:
When two or more database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different pools (with at least one pool member in each), the monitor status of some pool members may not be updated accurately.

Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while pool members using another affected monitor may be marked DOWN.

As a result of this issue, pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected pool members being intermittently marked with an incorrect state.

After the next monitor ping interval, affected pool members members may be marked with the correct state.

Conditions:
This may occur when multiple database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv none
    send "select version();"
...
}

Impact:
Monitored pool members using a database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.

Workaround:
To avoid this issue, configure each database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv 5.7
    send "select version();"
...
}

Fix:
The system now correctly updates pool members when multiple identical database monitors are configured.

758018-5 : APD/APMD may consume excessive resources

Solution Article: K61705126

757992-3 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup

Component: Access Policy Manager

Symptoms:
RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup

Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.

Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.

Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.

Fix:
RADIUS Acct STOP message is now sent as expected.

757985-1 : TMM memory leak

Solution Article: K79562045

Component: Local Traffic Manager

Symptoms:
-- TMM memory utilization baseline is slowly increasing.
-- The 'allocated' column of the 'tcl' row in the memory_usage_stat tmctl table is high and is close to the 'max_allocated' value.

Conditions:
-- The header-insert option in a custom HTTP profile is configured.
-- The profile is attached to a virtual server.

Impact:
Degraded performance, and eventual out-of-memory condition that may trigger a TMM crash. Traffic disrupted while tmm restarts.

Workaround:
Instead of the profile header-insert, use HTTP::header iRule commands.

Fix:
The header-insert option can now be configured in HTTP profiles without causing a TMM memory leak.

757862-1 : IKEv2 debug logging an uninitialized variable leading to core

Component: TMOS

Symptoms:
Logging an internal error might result in core.

Conditions:
When ike_sa variable is uninitialized.

Impact:
Loss of tunnels due to core.

Workaround:
None.

Fix:
Ike_sa is now initialized to hold a valid value before logging takes place.

757827-1 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.

-- DNS queries to resolve these FQDN names occur almost simultaneously.

-- The BIG-IP version in use contains the fix for ID 726319 :: Bug ID 726319: 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses :: https://cdn.f5.com/product/bugtracker/ID726319.html.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected. As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes ('##' is the desired number of seconds between successive DNS queries to resolve the configure FQDN name):

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }

Fix:
When using FQDN nodes and pool members, ephemeral pool members are now created as expected following a configuration-load or BIG-IP reboot operation.

However, messages similar to the following may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name:

-- err mcpd[20479]: 01020066:3: The requested Node (****) already exists in partition ****.
-- err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.

These are benign messages that do not affect BIG-IP functionality.

757782-1 : OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default

Component: Access Policy Manager

Symptoms:
Invalid 'sub' claim in JWT access token that is generated by OAuth Authorization Server.

Conditions:
-- OAuth Authorization Server is configured to return JWT access token.
-- Subject field is configured to be a session variable other than the default '%{session.assigned.uuid}'.

Impact:
Invalid value in 'sub' claim in JWT access token. If OAuth resource server depends on the value of 'sub' claim, then that functionality does not work.

Workaround:
Add Variable assign agent after OAuth Authorization agent, and assign session.assigned.oauth.authz.token.subject with the session variable name such as the following:
session.logon.last.logonname.

Fix:
OAuth Authorization Server sends valid value in 'sub' claim in the generated JWT token when subject is configured to use a session variable.

757777-3 : bigtcp does not issue a RST in all circumstances

Component: Local Traffic Manager

Symptoms:
bigtcp does not issue a TCP reset, e.g. when using the iRule reject command on CLIENT_ACCEPTED

Conditions:
bigtcp in use, tcp connection, connection ungracefully shut down via a 'reject' command in an iRule

Impact:
TCP RST is not sent, and the SYN is silently dropped.

Workaround:
none

Fix:
bigtcp virtuals send now a TCP RST if needed.

757722-2 : Unknown notify message types unsupported in IKEv2

Component: TMOS

Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.

Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.

Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.

Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.

Fix:
All unknown notify types are now logged and then ignored.

757698-1 : TMM crashes in certain situations of which iRule execution interleaves client side and server side flows

Component: Local Traffic Manager

Symptoms:
TMM crashes in certain situations in which iRule execution interleaves client-side and server-side flows.

Conditions:
The exact conditions that cause this issue are unknown, although appear to happen in at least one configuration: OneConnect with an iRule whose execution leads to that, inside TMM, the client-side and server-side flow operations interleave.

Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
iRule clears the right side data after execution.

757617-1 : Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865

Solution Article: K06044762

757578-2 : RAM cache is not compatible with verify-accept

Component: Local Traffic Manager

Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature

Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with a Web Acceleration via RAM cache.

Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.

Workaround:
Do not use TCP's verify-accept option together with RAM cache.

Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.

757555-2 : Network DoS Logging Profile does not work with other logging profiles together

Component: Advanced Firewall Manager

Symptoms:
When the network DoS logging profile is configured with other logging profiles, such as AFM ACL logging profile, on the same virtual server, DoS logging does not occur.

Conditions:
Configure DoS logging profile on a virtual server with other logging profiles, such as AFM ACL logging profile.

Impact:
When DoS attack happens, no DoS attack is being logged.

Workaround:
Configure one general log profile for all DoS and AFM logging.

Fix:
Both logging profiles now work together.

757524 : Data operation attempt on object that has not been loaded

Component: Advanced Firewall Manager

Symptoms:
While assigning VLANs to Traffic Matching Criteria, you get an error:

01070712:3: Data operation attempt on object that has not been loaded.

Conditions:
This occurs while trying to add or modify VLANs on a Traffic Matching Criteria.

Impact:
Error is reported; unable to add or modify VLAN assignment to Traffic Matching Criteria.

Workaround:
None.

Fix:
Fixed the issue to allow configuration of VLANs to Traffic Matching Criteria object.

757519-1 : Unable to logon using LDAP authentication with a user-template

Solution Article: K92525101

Component: TMOS

Symptoms:
Cannot logon using remote LDAP authentication. This occurs because LDAP with user-template configured uses the user-template value as the distinguished name (DN) for the LDAP search, instead of a properly formed X.500 name, for example:
cn=xxx,ou=xxx,dc=example,dc=org

Conditions:
-- LDAP authentication configuration includes the user-template value as the DN.
-- Attempt to logon.

Impact:
Remote LDAP authentication users are unable to login.

Note: The user-template value is not a valid DN.

Workaround:
You can use either of the following workarounds:

-- Create a specific user for bind by configuring bind-dn and bind-pw, and remove user-template.

-- Switch to local authentication.

757464-1 : DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record

Component: Global Traffic Manager (DNS)

Symptoms:
Attempt to delete a DNS Validating Resolver cache record from the 'Key' cache does not remove the record. Also displays a negative TTL for that record.

tmm crash

Conditions:
-- Populate the DNS Validating Resolver Cache.
-- Attempt to delete a record from the 'Key' cache.

Impact:
Undesired behavior due to records not being deleted as instructed. Also negative TTL.

Workaround:
The only workaround is to restart tmm to generate a completely empty DNS cache. Traffic disrupted while tmm restarts.

Fix:
Fixed an issue preventing records from a DNS Validating Resolver's 'Key' sub-cache from being deleted when utilizing the TMSH command:
delete ltm dns cache records key cache

757455-2 : Excessive resource consumption when processing REST requests

Solution Article: K87920510

757446-2 : Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system stalls a connection instead of sending the intended HTTP response, or sends a malformed response.

Conditions:
This issue occurs when all of the following conditions are met:

-- The virtual server uses the http2 profile.

-- The virtual server uses an iRule that invokes the HTTP::respond command under the HTTP_REQUEST or HTTP_RESPONSE event.

Impact:
Clients do not get the expected responses, leading to application failures.

Workaround:
None.

Fix:
The HTTP::respond iRule command works as expected under these conditions.

757441-4 : Specific sequence of packets causes Fast Open to be effectively disabled

Component: Local Traffic Manager

Symptoms:
You see this warning in the logs:

warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.

Conditions:
-- TCP Fast Open and ECN are both enabled.
-- There are multiple RST segments from the receive window received in SYN_RECEIVED state.

Impact:
TCP Fast open is disabled, as the pre_established_connections becomes very large (greater than a threshold).

Workaround:
TCP ECN option can be disabled.

Fix:
TCP Fast Open is prevented from being disabled when some conditions are met.

757391-2 : Datagroup iRule command class can lead to memory corruption

Component: Local Traffic Manager

Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.

Conditions:
A [class] command used within a foreach loop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround aside from removing that iRule.

Fix:
tmm no longer crashes under these conditions.

757360-1 : Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO

Component: Access Policy Manager

Symptoms:
Category lookup returns the wrong category on subsequent traffic following initial HTTP CONNECT traffic through F5 SSL Orchestrator (SSLO).

Conditions:
-- Outbound deployment configured in SSLO, where SSLO behaves as a transparent proxy.
-- A policy has a branch to lookup category using HTTP Connect.
-- An HTTPS client generates HTTPS traffic via an explicit proxy on the local network with a private address through SSLO as the gateway.

Impact:
Category Match is not performed on subsequent requests, resulting in fallback branch to be taken.

Workaround:
None.

Fix:
Category lookup now works correctly in this scenario.

757359-1 : pccd crashes when deleting a nested Address List

Component: Advanced Firewall Manager

Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.

Conditions:
This might occur under the following conditions:

Subscriptions

Product Usage

Trials

Registration Keys

Downloads

Applies To:

BIG-IP AAM

BIG-IP APM

BIG-IP Analytics

BIG-IP Link Controller

BIG-IP LTM

BIG-IP PEM

BIG-IP AFM

BIG-IP DNS

BIG-IP FPS

BIG-IP ASM

Cumulative fix details for BIG-IP v14.1.3.1 that are included in this release

957337-4 : Mgmt in tmsh broken

954025 : "switchboot -b HD1.1" fails to reboot chassis

949145-4 : Improve TCP's response to partial ACKs during loss recovery

948757-3 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.

944785-1 : Admd restarting constantly. Out of memory due to loading malformed state file

943125-3 : Web-Socket request with JSON payload causing core during the payload parsing

943101 : Tmm crash in cipher group delete.

941853-2 : Logging Profiles do not disassociate from virtual server when multiple changes are made

941089 : TMM core when using Multipath TCP

940897-2 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached

940401-3 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

940249-3 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached

939209-3 : FIPS 140-2 SP800-56Arev3 compliance

938165-2 : TMM Core after attempted update of IP geolocation database file

935721-4 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

935593-3 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite

935029-1 : TMM may crash while processing IPv6 NAT traffic

934941-3 : Platform FIPS power-up self test failures not logged to console

934461 : Connection error with server with TLS1.3 single-dh-use.

934393 : APM authentication fails due to delay in sessionDB readiness

933741-4 : Security hardening in FPS GUI

933461-3 : BGP multi-path candidate selection does not work properly in all cases.

933409-4 : Tomcat upgrade via Engineering Hotfix causes live-update files removal★

932937-3 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.

932065-3 : iControl REST framework exception handling hardening

931513-2 : Some sequence of HTTP packets may cause TMM to crash

930741-1 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot

930385 : SSL filter does not re-initialize when an OCSP object is modified

928321-3 : Hardening of HSM UI

928037-3 : APM Hardening

928029 : Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis

927617-3 : "Illegal Base64 value" violation is detected for cookie with valid base64 value

927033-1 : Installer fails to calculate disk size of destination volume★

926593-3 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'

924929-1 : Logging improvements for VDI plugin

924493-4 : VMware EULA has been updated

924429-3 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values

924349-1 : DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP

923125-1 : Huge amount of admd processes caused oom

921721-2 : FIPS 140-2 SP800-56Arev3 compliance

921421-1 : iRule support to get/set UDP's Maximum Buffer Packets

921337-3 : ASM processes some web-sockets requests longer than usual

920961-3 : Devices incorrectly report 'In Sync' after an incremental sync

920481 : REST GET on /mgmt/tm/sys/file/ssl-key returns bad/wrong passphrase

920361-4 : Standby device name sent in Traffic Statistics syslog/Splunk messages

920301-2 : Unnecessarily high number of JavaScript Obfuscator instances when device is busy

919841-1 : AVRD may crash while processing Bot Defense traffic

919745-4 : CSV files downloaded from the Dashboard have the first row with all 'NaN

919553-3 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

919001-1 : Live Update: Update Available notification is shown twice in rare conditions

918933-3 : Some ASM attack signatures do not match on cookies

918209-1 : GUI Network Map icons color scheme is not section 508 compliant

918169-2 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.

917509-5 : ASM processes some requests longer than usual

917469-4 : TMM may crash while processing FPS traffic

917005-4 : ISC BIND Vulnerability: CVE-2020-8619

916821-4 : An authenticated user on iControlREST may gain elevated privilege level

915957 : The wocplugin may get into a restart loop when AAM is provisioned

915825-4 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

915689-4 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

915605-1 : Image install fails if iRulesLX is provisioned and /usr mounted read-write★

915497-3 : New Traffic Class Page shows multiple question marks.

915281-1 : Do not rearm TCP Keep Alive timer under certain conditions