Applies To:
BIG-IP AAM
- 14.1.4
BIG-IP APM
- 14.1.4
BIG-IP Analytics
- 14.1.4
BIG-IP Link Controller
- 14.1.4
BIG-IP LTM
- 14.1.4
BIG-IP PEM
- 14.1.4
BIG-IP AFM
- 14.1.4
BIG-IP DNS
- 14.1.4
BIG-IP FPS
- 14.1.4
BIG-IP ASM
- 14.1.4
Updated Date: 05/28/2022
BIG-IP Release Information
Version: 14.1.4.6
Build: 8.0
Note: This content is current as of the software release date.
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Cumulative fixes from BIG-IP v14.1.4.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Known Issues in BIG-IP v14.1.x
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
830361-4 | CVE-2012-6711 | K05122252 | CVE-2012-6711 Bash Vulnerability | 14.1.4.6 |
1087201-4 | CVE-2022-0778 | K31323265 | OpenSSL Vulnerability: CVE-2022-0778 | 14.1.4.6 |
1002565-4 | CVE-2021-23840 | K24624116 | OpenSSL vulnerability CVE-2021-23840 | 14.1.4.6 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
818169-3 | 2-Critical | | TMM may consume excessive resources when processing DNS profiles with DNS queuing enabled | 14.1.4.6, 15.1.0.2 |
1050537-3 | 2-Critical | BT1050537 | GTM pool member with none monitor will be part of load balancing decisions. | 14.1.4.6 |
1046669-3 | 3-Major | BT1046669 | The audit forwarders may prematurely time out waiting for TACACS responses | 14.1.4.6 |
982697-4 | 4-Minor | | ICMP hardening | 14.1.4.6 |
1033837-3 | 4-Minor | | REST authentication tokens persist on reboot★ | 14.1.4.6 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
976669-3 | 2-Critical | BT976669 | FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade | 14.1.4.6 |
957897-2 | 2-Critical | BT957897 | Unable to modify gateway-ICMP monitor fields in the GUI | 14.1.4.6 |
944513-1 | 2-Critical | BT944513 | Apache configuration file hardening | 14.1.4.6, 15.1.4 |
915981-2 | 2-Critical | | BIG-IP in Appliance Mode does not follow best practices | 14.1.4.6 |
1059185-3 | 2-Critical | | iControl REST Hardening | 14.1.4.6 |
1057801-4 | 2-Critical | | TMUI does not follow current best practices | 14.1.4.6 |
1051561-3 | 2-Critical | | iControl REST request hardening | 14.1.4.6 |
1048141-1 | 2-Critical | BT1048141 | Sorting pool members by 'Member' causes 'General database error' | 14.1.4.6 |
999125-3 | 3-Major | BT999125 | After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. | 14.1.4.6 |
982341-4 | 3-Major | | iControl REST endpoint hardening | 14.1.4.6 |
956589-2 | 3-Major | BT956589 | The tmrouted daemon restarts and produces a core file | 14.1.4.6, 15.1.2.1 |
943577-3 | 3-Major | BT943577 | Full sync failure for traffic-matching-criteria with port list under certain conditions | 14.1.4.6 |
919317-3 | 3-Major | BT919317 | NSM consumes 100% CPU processing nexthops for recursive ECMP routes | 14.1.4.6 |
918409-4 | 3-Major | BT918409 | BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures | 14.1.4.6 |
901669-2 | 3-Major | BT901669 | Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. | 14.1.4.6 |
755976-3 | 3-Major | BT755976 | ZebOS might miss kernel routes after mcpd daemon restart | 14.1.4.6 |
405329-2 | 3-Major | | The imish utility cores while checking help strings for OSPF6 vertex-threshold | 14.1.4.6, 15.1.0.5 |
1066285-1 | 3-Major | BT1066285 | Master Key decrypt failure - decrypt failure. | 14.1.4.6 |
1057809-4 | 3-Major | | Saved dashboard hardening | 14.1.4.6 |
1056993-4 | 3-Major | | 404 error is raised on GUI when clicking "App IQ." | 14.1.4.6 |
1047169-3 | 3-Major | BT1047169 | GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. | 14.1.4.6 |
1042009-3 | 3-Major | BT1042009 | Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes | 14.1.4.6 |
1022637-3 | 3-Major | BT1022637 | A partition other than /Common may fail to save the configuration to disk | 14.1.4.6, 15.1.5 |
1020789-2 | 3-Major | BT1020789 | Cannot deploy a four-core vCMP guest if the remaining cores are in use. | 14.1.4.6 |
1019085-2 | 3-Major | BT1019085 | Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file.★ | 14.1.4.6 |
1008269-4 | 3-Major | BT1008269 | Error: out of stack space | 14.1.4.6 |
713614-4 | 4-Minor | BT713614 | Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) | 14.1.4.6, 15.1.0.5 |
528894-7 | 4-Minor | BT528894 | Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition | 14.1.4.6, 15.1.5 |
1071365-3 | 4-Minor | | iControl SOAP WSDL hardening | 14.1.4.6 |
1058677-3 | 4-Minor | BT1058677 | Not all SCTP connections are mirrored on the standby device when auto-init is enabled. | 14.1.4.6 |
1051797-3 | 4-Minor | | Linux kernel vulnerability: CVE-2018-18281 | 14.1.4.6 |
1046693-2 | 4-Minor | BT1046693 | TMM with BFD configured might crash under significant memory pressure | 14.1.4.6 |
1045549-2 | 4-Minor | BT1045549 | BFD sessions remain DOWN after graceful TMM restart | 14.1.4.6 |
1040821-2 | 4-Minor | BT1040821 | Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes | 14.1.4.6 |
1034589-3 | 4-Minor | BT1034589 | No warning is given when a pool or trunk that was in use by a high availability (HA) Group is deleted from the configuration. | 14.1.4.6 |
1031425-1 | 4-Minor | BT1031425 | Provide a configuration flag to disable BGP peer-id check. | 14.1.4.6 |
1030645-2 | 4-Minor | BT1030645 | BGP session resets during traffic-group failover | 14.1.4.6 |
1024621-2 | 4-Minor | BT1024621 | Re-establishing BFD session might take longer than expected. | 14.1.4.6 |
1002809-2 | 4-Minor | BT1002809 | OSPF vertex-threshold should be at least 100 | 14.1.4.6 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
946481-3 | 2-Critical | BT946481 | Virtual Edition FIPS not compatible with TLS 1.3 | 14.1.4.6 |
931677-4 | 2-Critical | | IPv6 hardening | 14.1.4.6 |
910213-4 | 2-Critical | BT910213 | LB::down iRule command is ineffective, and can lead to inconsistent pool member status | 14.1.4.6 |
757407-1 | 2-Critical | BT757407 | Error reading RRD file may induce processes to mutually wait for each other forever | 14.1.4.6 |
1064617-3 | 2-Critical | BT1064617 | DBDaemon process may write to monitor log file indefinitely | 14.1.4.6 |
1047089-4 | 2-Critical | | TMM may terminate while processing TLS/DTLS traffic | 14.1.4.6, 15.1.5 |
1016657-4 | 2-Critical | | TMM may crash while processing LSN traffic | 14.1.4.6 |
1000021-4 | 2-Critical | | TMM may consume excessive resources while processing packet filters | 14.1.4.6, 15.1.5 |
999901-4 | 3-Major | | Certain LTM policies may not execute correctly after a system reboot or TMM restart. | 14.1.4.6 |
993981-4 | 3-Major | | TMM may crash when ePVA is enabled | 14.1.4.6 |
987077-4 | 3-Major | BT987077 | TLS1.3 with client authentication handshake failure | 14.1.4.6 |
967101-3 | 3-Major | BT967101 | When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. | 14.1.4.6 |
955617-6 | 3-Major | BT955617 | Cannot modify properties of a monitor that is already in use by a pool | 14.1.4.6 |
951257-1 | 3-Major | | FTP active data channels are not established | 14.1.4.6 |
939085-1 | 3-Major | BT939085 | /config/ssl/ssl.csr directory disappears after creating certificate archive | 14.1.4.6 |
919249-3 | 3-Major | | NETHSM installation script hardening | 14.1.4.6 |
912517-4 | 3-Major | BT912517 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 14.1.4.6 |
892485-1 | 3-Major | BT892485 | A wrong OCSP status cache may be looked up and re-used during SSL handshake. | 14.1.4.6 |
892073-1 | 3-Major | BT892073 | TLS1.3 LTM policy rule based on SSL SNI is not triggered | 14.1.4.6 |
838353-3 | 3-Major | BT838353 | MQTT monitor is not working in route domain. | 14.1.4.6 |
826349-2 | 3-Major | BT826349 | VXLAN tunnel might fail due to misbehaving NIC checksum offload | 14.1.4.6 |
825245-2 | 3-Major | BT825245 | SSL::enable does not work for server side ssl | 14.1.4.6 |
803109-2 | 3-Major | BT803109 | Certain configuration may result in zombie forwarding flows | 14.1.4.6 |
793929-1 | 3-Major | BT793929 | In-TMM monitor agent might crash during TMM shutdown | 14.1.4.6 |
793669-1 | 3-Major | BT793669 | FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value. | 14.1.4.6 |
672963-3 | 3-Major | BT672963 | MSSQL monitor fails against databases using non-native charset | 14.1.4.6 |
1058469-3 | 3-Major | BT1058469 | Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. | 14.1.4.6 |
1052929-2 | 3-Major | BT1052929 | MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. | 14.1.4.6 |
1043357-2 | 3-Major | BT1043357 | SSL handshake may fail when using remote crypto client | 14.1.4.6 |
1043017-2 | 3-Major | BT1043017 | Virtual-wire with standard-virtual fragmentation | 14.1.4.6 |
1029897-3 | 3-Major | K63312282, BT1029897 | Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. | 14.1.4.6 |
1023341-3 | 3-Major | | HSM hardening | 14.1.4.6, 16.1.1 |
1017533-1 | 3-Major | BT1017533 | Using TMC might cause virtual server vlans-enabled configuration to be ignored | 14.1.4.6 |
1016449-1 | 3-Major | BT1016449 | After certain configuration tasks are performed, TMM may run with stale Self IP parameters. | 14.1.4.6 |
1016049-3 | 3-Major | BT1016049 | EDNS query with CSUBNET dropped by protocol inspection | 14.1.4.6 |
1008501-4 | 3-Major | BT1008501 | TMM core | 14.1.4.6 |
838305-4 | 4-Minor | BT838305 | BIG-IP may create multiple connections for packets that should belong to a single flow. | 14.1.4.6 |
717806-3 | 4-Minor | BT717806 | In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured | 14.1.4.6 |
1026605-3 | 4-Minor | BT1026605 | When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes | 14.1.4.6 |
1016441-2 | 4-Minor | | RFC Enforcement Hardening | 14.1.4.6 |
873249-3 | 5-Cosmetic | BT873249 | Switching from fast_merge to slow_merge can result in incorrect tmm stats | 14.1.4.6 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
741862-1 | 2-Critical | BT741862 | DNS GUI may generate error or display names with special characters incorrectly. | 14.1.4.6 |
1062513-2 | 2-Critical | BT1062513 | GUI returns 'no access' error message when modifying a GTM pool property. | 14.1.4.6 |
1044425-4 | 3-Major | | NSEC3 record improvements for NXDOMAIN | 14.1.4.6 |
1039205-1 | 3-Major | BT1039205 | DNSSEC key stored on netHSM fails to generate if the key name length is > 24 | 14.1.4.6 |
1018613-4 | 3-Major | BT1018613 | Modify wideip pools with replace-all-with results pools with same order 0 | 14.1.4.6 |
1011285-3 | 3-Major | BT1011285 | The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects. | 14.1.4.6, 15.1.5 |
753821-3 | 4-Minor | BT753821 | Log messages 'TCP RST from remote system' messages logged if GTM/DNS is licensed but not provisioned | 14.1.4.6 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1069449-3 | 2-Critical | | ASM attack signatures may not match cookies as expected | 14.1.4.6 |
965785-3 | 3-Major | BT965785 | Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine | 14.1.4.6 |
961509-4 | 3-Major | BT961509 | ASM blocks WebSocket frames with signature matched but Transparent policy | 14.1.4.6 |
926845-4 | 3-Major | BT926845 | Inactive ASM policies are deleted upon upgrade | 14.1.4.6 |
921697-4 | 3-Major | BT921697 | Attack signature updates fail to install with Installation Error.★ | 14.1.4.6, 16.1.2.1 |
871881-1 | 3-Major | BT871881 | Apply Policy action is not synchronized after making bulk signature changes | 14.1.4.6 |
818889-3 | 3-Major | BT818889 | False positive malformed json or xml violation. | 14.1.4.6 |
1072197-3 | 3-Major | | Issue with input normalization in WebSocket. | 14.1.4.6 |
1067285-3 | 3-Major | | Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' | 14.1.4.6 |
1060933-3 | 3-Major | | Issue with input normalization. | 14.1.4.6 |
1051213-3 | 3-Major | BT1051213 | Increase default value for violation 'Check maximum number of headers'. | 14.1.4.6 |
1051209-3 | 3-Major | | BD may not process certain HTTP payloads as expected | 14.1.4.6 |
1047389-1 | 3-Major | | Bot Defense challenge hardening | 14.1.4.6 |
1045101-2 | 3-Major | | Bd may crash while processing ASM traffic | 14.1.4.6, 15.1.5, 16.1.2.1 |
1043385-2 | 3-Major | | No Signature detected If Authorization header is missing padding. | 14.1.4.6 |
1038733-2 | 3-Major | | Attack signature not detected for unsupported authorization types. | 14.1.4.6 |
1037457-3 | 3-Major | | High CPU during specific dos mitigation | 14.1.4.6 |
1030853-3 | 3-Major | BT1030853 | Route domain IP exception is being treated as trusted (for learning) after being deleted | 14.1.4.6 |
1023993-2 | 3-Major | | Brute Force is not blocking requests, even when auth failure happens multiple times | 14.1.4.6 |
1012221-3 | 3-Major | BT1012221 | Message: childInheritanceStatus is not compatible with parentInheritanceStatus★ | 14.1.4.6 |
1011069-4 | 3-Major | | Group/User R/W permissions should be changed for .pid and .cfg files. | 14.1.4.6 |
973661 | 4-Minor | BT973661 | Two different 'Attack Signature' updates shown as 'Currently Installed'★ | 14.1.4.6 |
844045-2 | 4-Minor | | ASM Response event logging for "Illegal response" violations. | 14.1.4.6 |
1055453 | 4-Minor | BT1055453 | Blocking page trims the last digit of the Support ID. | 14.1.4.6 |
1050697-2 | 4-Minor | | Traffic learning page counts Disabled signatures when they are ready to be enforced | 14.1.4.6 |
1038741-2 | 4-Minor | BT1038741 | NTLM type-1 message triggers "Unparsable request content" violation. | 14.1.4.6 |
1036521-4 | 4-Minor | BT1036521 | TMM crash in certain cases | 14.1.4.6 |
1034941-3 | 4-Minor | BT1034941 | Exporting and then re-importing "some" XML policy does not load the XML content-profile properly | 14.1.4.6 |
1020717-2 | 4-Minor | | Policy versions cleanup process sometimes removes newer versions | 14.1.4.6 |
1002385-4 | 4-Minor | | Fixing issue with input normalization | 14.1.4.6, 15.1.5, 16.1.2.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038913-2 | 3-Major | | The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category | 14.1.4.6 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
992073-1 | 3-Major | | APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS | 14.1.4.6 |
868557-3 | 3-Major | | Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity. | 14.1.4.6 |
423519-2 | 3-Major | | Bypass disabling the redirection controls configuration of APM RDP Resource. | 14.1.4.6 |
1067993-6 | 3-Major | | APM Windows Client installer hardening | 14.1.4.6 |
1019161-5 | 3-Major | | Windows installer (VPN through browser components installer) as administrator user uses temporary folder to create files★ | 14.1.4.6 |
1009049-6 | 3-Major | | Browser-based VPN did not follow best practices while logging.★ | 14.1.4.6 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1047053-1 | 2-Critical | | TMM may consume excessive resources while processing RTSP traffic | 14.1.4.6, 15.1.5 |
1029397-2 | 2-Critical | BT1029397 | Tmm may crash with SIP-ALG deployment in a particular race condition | 14.1.4.6, 15.1.5 |
1007109-4 | 2-Critical | BT1007109 | Flowmap entry is deleted before updating its timeout to INDEFINITE | 14.1.4.6 |
957905-3 | 3-Major | BT957905 | SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. | 14.1.4.6 |
1078721-4 | 3-Major | | TMM may consume excessive resources while processing ICAP traffic | 14.1.4.6 |
1056933-2 | 3-Major | | TMM may crash while processing SIP traffic | 14.1.4.6, 15.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1058645-3 | 2-Critical | BT1058645 | ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup. | 14.1.4.6 |
808893-2 | 3-Major | BT808893 | DNS DoS profile vectors do not function correctly★ | 14.1.4.6 |
808889-2 | 3-Major | BT808889 | DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold | 14.1.4.6 |
1070033 | 3-Major | BT1070033 | Virtual server may not fully enter hardware SYN Cookie mode. | 14.1.4.6 |
1008265-4 | 3-Major | | DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond★ | 14.1.4.6 |
756457-2 | 4-Minor | BT756457 | tmsh command 'show security' returning a parsing error | 14.1.4.6 |
1072057-3 | 4-Minor | BT1072057 | "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. | 14.1.4.6 |
1069745 | 4-Minor | | GUI issues in Security->NetworkFirewall->Active Rules, rule movement to 101, 201 position. | 14.1.4.6 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
756595-1 | 1-Blocking | BT756595 | Traffic redirection to an internal virtual server may fail. | 14.1.4.6 |
946325-3 | 3-Major | | PEM subscriber GUI hardening | 14.1.4.6 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1019613-2 | 2-Critical | BT1019613 | Unknown subscriber in PBA deployment may cause CPU spike | 14.1.4.6 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
873617-3 | 3-Major | BT873617 | DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. | 14.1.4.6 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1060409-4 | 4-Minor | | Behavioral DoS enable checkbox is wrong. | 14.1.4.6 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1052153-1 | 3-Major | | Signature downloads for traffic classification updates via proxy fail | 14.1.4.6 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
965853-1 | 3-Major | | IM package file hardening★ | 14.1.4.6 |
964489-3 | 3-Major | | Protocol Inspection IM package hardening | 14.1.4.6 |
940261-2 | 4-Minor | | Support IPS package downloads via HTTP proxy. | 14.1.4.6 |
Guided Configuration Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
982757-6 | 3-Major | | APM Access Guided Configuration hardening | 14.1.4.6 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944121-3 | 3-Major | BT944121 | Missing SNI information when using non-default domain https monitor running in TMM mode. | 14.1.4.6 |
Cumulative fixes from BIG-IP v14.1.4.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
999933-4 | CVE-2022-23017 | K28042514, BT999933 | TMM may crash while processing DNS traffic on certain platforms | 14.1.4.5, 15.1.4.1 |
989701-4 | CVE-2020-25212 | K42355373, BT989701 | CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response | 14.1.4.5, 15.1.4.1, 16.1.2 |
989637-4 | CVE-2022-23015 | K08476614, BT989637 | TMM may crash while processing SSL traffic | 14.1.4.5, 15.1.4.1 |
988549-4 | CVE-2020-29573 | K27238230, BT988549 | CVE-2020-29573: glibc vulnerability | 14.1.4.5, 15.1.4.1, 16.1.2 |
910517 | CVE-2022-23012 | K26310765, BT910517 | TMM may crash while processing HTTP traffic | 14.1.4.5, 15.1.4.1 |
1032405-4 | CVE-2021-23037 | K21435974, BT1032405 | TMUI XSS vulnerability CVE-2021-23037 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1028669-4 | CVE-2019-9948 | K28622040, BT1028669 | Python vulnerability: CVE-2019-9948 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1028573-4 | CVE-2020-10878 | K40508224, BT1028573 | Perl vulnerability: CVE-2020-10878 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1028497-4 | CVE-2019-15903 | K05295469, BT1028497 | libexpat vulnerability: CVE-2019-15903 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1012365-3 | CVE-2021-20305 | K33101555, BT1012365 | Nettle cryptography library vulnerability CVE-2021-20305 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1007489-4 | CVE-2022-23018 | K24358905, BT1007489 | TMM may crash while handling specific HTTP requests★ | 14.1.4.5, 15.1.4.1, 16.1.2 |
997193-2 | CVE-2022-23028 | K16101409, BT997193 | TCP connections may fail when AFM global syncookies are in operation. | 14.1.4.5, 15.1.5 |
974341-3 | CVE-2022-23026 | K08402414, BT974341 | REST API: File upload | 14.1.4.5, 15.1.4.1, 16.1.2 |
941649-4 | CVE-2021-23043 | K63163637, BT941649 | Local File Inclusion Vulnerability | 14.1.4.5, 15.1.4.1, 16.1.2 |
940185-3 | CVE-2022-23023 | K11742742, BT940185 | icrd_child may consume excessive resources while processing REST requests | 14.1.4.5, 15.1.5, 16.1.2.1 |
823877-2 | CVE-2019-10098, CVE-2020-1927 | K25126370, BT823877 | CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability | 14.1.4.5 |
803965-2 | CVE-2018-20843 | K51011533, BT803965 | Expat Vulnerability: CVE-2018-20843 | 14.1.4.5, 15.1.4, 16.1.2 |
1009725-4 | CVE-2022-23030 | K53442005, BT1009725 | Excessive resource usage when ixlv drivers are enabled | 14.1.4.5, 15.1.4.1, 16.1.2 |
713754-1 | CVE-2017-15715 | K27757011 | Apache vulnerability: CVE-2017-15715 | 14.1.4.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
930633-1 | 3-Major | BT930633 | Delay in using new route updates by existing connections on BIG-IP. | 14.1.4.5 |
1015133-2 | 3-Major | BT1015133 | Tail loss can cause TCP TLP to retransmit slowly. | 14.1.4.5, 15.1.5, 16.1.2.1 |
985953-2 | 4-Minor | BT985953 | GRE Transparent Ethernet Bridging inner MAC overwrite | 14.1.4.5, 15.1.4.1, 16.1.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1042993-1 | 1-Blocking | K19272127, BT1042993 | Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' | 14.1.4.5, 15.1.4.1 |
1039049-1 | 1-Blocking | BT1039049 | Installing EHF on particular platforms fails with error "RPM transaction failure" | 14.1.4.5, 15.1.4.1, 16.1.2 |
831821-3 | 2-Critical | BT831821 | Corrupted DAG packets causes bcm56xxd core on VCMP host | 14.1.4.5, 15.1.4.1 |
1043277-2 | 2-Critical | K06520200, BT1043277 | 'No access' error page displays for APM policy export and apply options. | 14.1.4.5, 15.1.4.1 |
1004929-4 | 2-Critical | BT1004929 | During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. | 14.1.4.5, 15.1.5 |
996001-2 | 3-Major | BT996001 | AVR Inspection Dashboard 'Last Month' does not show all data points | 14.1.4.5, 15.1.5, 16.1.2.1 |
958093-2 | 3-Major | BT958093 | IPv6 routes missing after BGP graceful restart | 14.1.4.5, 15.1.4.1 |
935801-3 | 3-Major | BT935801 | HSB diagnostics are not provided under certain types of failures | 14.1.4.5, 15.1.2 |
922185-4 | 3-Major | BT922185 | LDAP referrals not supported for 'cert-ldap system-auth'★ | 14.1.4.5, 15.1.4.1, 16.1.2 |
900933-2 | 3-Major | BT900933 | IPsec interoperability problem with ECP PFS | 14.1.4.5, 15.1.4.1, 16.0.1.2 |
881085-1 | 3-Major | BT881085 | Intermittent auth failures with remote LDAP auth for BIG-IP management | 14.1.4.5, 15.1.4.1, 16.1.2 |
1045421-3 | 3-Major | K16107301, BT1045421 | No Access error when performing various actions in the TMOS GUI | 14.1.4.5, 15.1.4.1, 16.1.2 |
1032077-3 | 3-Major | BT1032077 | TACACS authentication fails with tac_author_read: short author body | 14.1.4.5, 15.1.4.1, 16.1.2 |
1026549-4 | 3-Major | BT1026549 | Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd | 14.1.4.5, 15.1.4.1, 16.1.2 |
1015093-4 | 3-Major | BT1015093 | The "iq" column is missing from the ndal_tx_stats table | 14.1.4.5, 15.1.4.1 |
1003257-3 | 3-Major | BT1003257 | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | 14.1.4.5, 15.1.4.1, 16.1.2 |
988533-3 | 4-Minor | BT988533 | GRE-encapsulated MPLS packet support | 14.1.4.5, 15.1.4.1 |
889813-1 | 4-Minor | BT889813 | Show net bwc policy prints bytes-per-second instead of bits-per-second | 14.1.4.5 |
1030845-3 | 4-Minor | BT1030845 | Time change from TMSH not logged in /var/log/audit. | 14.1.4.5, 15.1.4.1, 16.1.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1005433 | 1-Blocking | BT1005433 | LTM Pool Members may not be updated accurately when multiple identical database monitors are configured | 14.1.4.5 |
862885-1 | 2-Critical | BT862885 | Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error | 14.1.4.5, 15.1.4.1 |
788813-1 | 2-Critical | BT788813 | TMM crash when deleting virtual-wire config | 14.1.4.5 |
750702-1 | 2-Critical | BT750702 | TMM crashes while making changes to virtual wire configuration | 14.1.4.5 |
1040361-3 | 2-Critical | BT1040361 | TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. | 14.1.4.5, 15.1.5, 16.1.2 |
1019081-2 | 2-Critical | K97045220, BT1019081 | HTTP/2 hardening | 14.1.4.5, 15.1.3.1 |
1009161 | 2-Critical | BT1009161 | SSL mirroring protect for null sessions | 14.1.4.5 |
999097-4 | 3-Major | BT999097 | SSL::profile may select profile with outdated configuration | 14.1.4.5, 15.1.5, 16.1.2.1 |
963705-2 | 3-Major | BT963705 | Proxy ssl server response not forwarded | 14.1.4.5, 15.1.4.1 |
904041-4 | 3-Major | BT904041 | Ephemeral pool members may be incorrect when modified via various actions | 14.1.4.5, 15.1.4.1 |
872721-1 | 3-Major | BT872721 | SSL connection mirroring intermittent failure with TLS1.3 | 14.1.4.5 |
803629-2 | 3-Major | BT803629 | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | 14.1.4.5, 15.1.4.1, 16.0.1.1 |
761477-7 | 3-Major | BT761477 | Client authentication performance when large CRL is used | 14.1.4.5 |
1038629-3 | 3-Major | BT1038629 | DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client | 14.1.4.5, 15.1.5, 16.1.2.1 |
1034365-1 | 3-Major | BT1034365 | DTLS handshake fails with DTLS1.2 client version | 14.1.4.5, 15.1.5 |
1020941-3 | 3-Major | BT1020941 | HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags | 14.1.4.5, 15.1.4 |
1018577-2 | 3-Major | BT1018577 | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | 14.1.4.5, 15.1.4.1, 16.1.2 |
1017513-2 | 3-Major | BT1017513 | Config sync fails with error Invalid monitor rule instance identifier | 14.1.4.5, 16.1.2.1 |
1015161-3 | 3-Major | BT1015161 | Ephemeral pool member may not be created when FQDN resolves to address that matches static node | 14.1.4.5 |
1008017-1 | 3-Major | BT1008017 | Validation failure on Enforce TLS Requirements and TLS Renegotiation | 14.1.4.5, 15.1.4.1, 16.1.2 |
936557-3 | 4-Minor | BT936557 | Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. | 14.1.4.5, 15.1.4.1 |
890881-3 | 4-Minor | BT890881 | ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address | 14.1.4.5, 15.1.4.1 |
1045913-4 | 4-Minor | BT1045913 | COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression | 14.1.4.5 |
1018493-3 | 4-Minor | BT1018493 | Response code 304 from TMM Cache always closes TCP connection. | 14.1.4.5, 15.1.4, 16.1.2 |
1005109-1 | 4-Minor | BT1005109 | TMM crashes when changing traffic-group on IPv6 link-local address | 14.1.4.5, 15.1.5, 16.1.2.1 |
1002945-1 | 4-Minor | BT1002945 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. | 14.1.4.5, 15.1.4.1, 16.1.2 |
898929-2 | 5-Cosmetic | BT898929 | Tmm might crash when ASM, AVR, and pool connection queuing are in use | 14.1.4.5, 15.1.5, 16.1.2.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1035853-4 | 2-Critical | K41415626, BT1035853 | Transparent DNS Cache can consume excessive resources. | 14.1.4.5, 15.1.5, 16.1.2 |
1009037-4 | 2-Critical | BT1009037 | Tcl resume on invalid connection flow can cause tmm crash | 14.1.4.5, 15.1.4.1, 16.1.2 |
863917-3 | 3-Major | BT863917 | The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. | 13.1.4.1, 14.1.4.5, 15.1.3, 16.0.1.2 |
756470-5 | 3-Major | BT756470 | Additional logging added to detect when monitoring operations in the configuration exceeds capabilities. | 13.1.3.4, 14.1.4.5 |
1024553-3 | 3-Major | BT1024553 | GTM Pool member set to monitor type "none" results in big3d: timed out | 14.1.4.5, 15.1.5 |
1021417-4 | 3-Major | BT1021417 | Modifying GTM pool members with replace-all-with results in pool members with order 0 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1021061-2 | 3-Major | BT1021061 | Config fails to load for large config on platform with Platform FIPS license enabled | 14.1.4.5, 15.1.5, 16.1.2.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993613-4 | 2-Critical | BT993613 | Device fails to request full sync | 14.1.4.5, 15.1.5, 16.1.2.1 |
912149-4 | 2-Critical | BT912149 | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | 14.1.4.5, 15.1.4.1, 16.1.2 |
879841-3 | 2-Critical | BT879841 | Domain cookie same-site option is missing the "None" as value in GUI and rest | 14.1.4.5, 15.1.4.1 |
1019853-3 | 2-Critical | K30911244, BT1019853 | Some signatures are not matched under specific conditions | 14.1.4.5, 15.1.4.1, 16.1.2 |
1011061-1 | 2-Critical | | Certain attack signatures may not match in multipart content | 14.1.4.5, 15.1.4.1, 16.1.2 |
984593-3 | 3-Major | BT984593 | BD crash | 14.1.4.5, 15.1.5, 16.1.2.1 |
948805-3 | 3-Major | BT948805 | False positive "Null in Request" | 14.1.4.5, 15.1.4.1 |
907025-1 | 3-Major | BT907025 | Live update error 'Try to reload page' | 14.1.4.5, 15.1.5, 16.1.2.1 |
886865-2 | 3-Major | BT886865 | P3P header is added for all browsers, but required only for Internet Explorer | 14.1.4.5, 15.1.5 |
885765-4 | 3-Major | BT885765 | ASMConfig Handler undergoes frequent restarts | 14.1.4.5, 15.1.5, 16.1.2.1 |
857633-2 | 3-Major | BT857633 | Attack Type (SSRF) appears incorrectly in REST result | 14.1.4.5, 15.1.4.1 |
842013-4 | 3-Major | BT842013 | ASM Configuration is Lost on License Reactivation★ | 14.1.4.5, 15.1.4.1, 16.1.2 |
785873-2 | 3-Major | BT785873 | ASM should treat 'Authorization: Negotiate TlR' as NTLM | 14.1.4.5 |
731168-1 | 3-Major | BT731168 | BIG-IP may attempt to write to an out of bounds memory location, causing the bd daemon to crash. | 14.1.4.5 |
1042069-3 | 3-Major | | Some signatures are not matched under specific conditions. | 14.1.4.5, 15.1.4.1, 16.1.2.1 |
1017153-1 | 3-Major | BT1017153 | Asmlogd suddenly deletes all request log protobuf files and records from the database. | 14.1.4.5, 15.1.4.1, 16.1.2 |
1005105-4 | 3-Major | BT1005105 | Requests are missing on traffic event logging | 14.1.4.5, 15.1.4, 16.1.1 |
1004069-2 | 3-Major | BT1004069 | Brute force attack is detected too soon | 14.1.4.5, 15.1.5, 16.1.2 |
883673-1 | 4-Minor | | BotDefense JavaScript browser verification can cause low score when using Google Lighthouse tool | 14.1.4.5 |
1031029 | 4-Minor | BT1031029 | "Use of uninitialized value" warning observed during UCS restore. | 14.1.4.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
832805-1 | 3-Major | BT832805 | AVR should make sure file permissions are correct (tmstat_tables.xml) | 14.1.4.5, 15.1.4.1 |
787677-3 | 3-Major | BT787677 | AVRD stays at 100% CPU constantly on some systems | 14.1.4.5, 15.1.4.1 |
1035133-2 | 3-Major | BT1035133 | Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab | 14.1.4.5, 15.1.4.1, 16.1.2 |
948113-4 | 4-Minor | BT948113 | User-defined report scheduling fails | 14.1.4.5, 15.1.4.1, 16.1.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
883889-1 | 2-Critical | BT883889 | Tmm might crash when under memory pressure | 14.1.4.5, 15.1.5 |
860617-2 | 2-Critical | BT860617 | Radius server pool without attaching the load balancing algorithm will result in a core | 14.1.4.5, 15.1.4.1 |
1006893-1 | 2-Critical | BT1006893 | Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core | 14.1.4.5, 15.1.4.1, 16.1.2 |
993457-3 | 3-Major | BT993457 | TMM core with ACCESS::policy evaluate iRule | 14.1.4.5, 15.1.4.1, 16.1.2 |
969317-2 | 3-Major | BT969317 | "Restrict to Single Client IP" option is ignored for VMware VDI | 14.1.4.5, 15.1.4.1, 16.1.2.1 |
956645-1 | 3-Major | BT956645 | Per-request policy execution may timeout. | 14.1.4.5 |
941393 | 3-Major | BT941393 | Memory leak in SWG | 14.1.4.5 |
932213-1 | 3-Major | BT932213 | Local user db not synced to standby device when it comes online after forced offline state | 14.1.4.5, 15.1.4.1 |
924857-4 | 3-Major | BT924857 | Logout URL with parameters resets TCP connection | 14.1.4.5, 15.1.2, 16.0.1.2 |
915509-3 | 3-Major | BT915509 | RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true | 14.1.4.5, 15.1.4.1 |
853325-3 | 3-Major | BT853325 | TMM Crash while parsing form parameters by SSO. | 14.1.4.5, 15.0.1.3, 15.1.0.2 |
828761-3 | 3-Major | BT828761 | APM OAuth - Auth Server attached iRule works inconsistently | 14.1.4.5, 15.1.5, 16.1.2.1 |
827393-1 | 3-Major | BT827393 | In rare cases tmm crash is observed when using APM as RDG proxy. | 14.1.4.5, 16.1.2.1 |
802381-2 | 3-Major | BT802381 | Localdb authentication fails | 14.1.4.5, 15.0.1.3 |
738593-1 | 3-Major | BT738593 | VMware Horizon session collaboration (shadow session) feature does not work through APM. | 14.1.4.5, 15.1.5, 16.1.2.1 |
712857-3 | 3-Major | BT712857 | SWG-Explicit rejects large POST bodies during policy evaluation | 12.1.3.6, 14.1.4.5 |
1045229-3 | 3-Major | BT1045229 | APMD leaks Tcl_Objs as part of the fix made for ID 1002557 | 14.1.4.5 |
1044121-1 | 3-Major | BT1044121 | APM logon page is not rendered if db variable "ipv6.enabled" is set to false | 14.1.4.5 |
1021485-1 | 3-Major | BT1021485 | VDI desktops and apps freeze with VMware and Citrix intermittently | 14.1.4.5, 15.1.4.1, 16.1.2 |
1001337 | 3-Major | BT1001337 | Cannot read single sign-on configuration from GUI when logged in as guest | 14.1.4.5, 15.1.4.1 |
942965-1 | 4-Minor | BT942965 | Local users database can sometimes take more than 5 minutes to sync to the standby device | 14.1.4.5, 15.1.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1007113-4 | 2-Critical | BT1007113 | Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds | 14.1.4.5, 15.1.4.1, 16.1.2 |
1039329-3 | 3-Major | BT1039329 | MRF per peer mode is not working in vCMP guest. | 14.1.4.5, 15.1.5, 16.1.2.1 |
1025529-3 | 3-Major | BT1025529 | TMM generates core when iRule executes a nexthop command and SIP traffic is sent | 14.1.4.5, 15.1.4.1, 16.1.2.1 |
1003633-4 | 4-Minor | BT1003633 | There might be wrong memory handling when message routing feature is used | 14.1.4.5, 15.1.4.1, 16.1.2 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1049229-3 | 2-Critical | BT1049229 | When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. | 14.1.4.5, 15.1.4.1, 16.1.2 |
995433-4 | 3-Major | BT995433 | IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT | 14.1.4.5, 15.1.4.1 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
956013 | 3-Major | BT956013 | System reports {{validation_errors}} | 14.1.4.5, 15.1.5, 16.1.2.1 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
975593-2 | 3-Major | | TMM may crash while processing IPSec traffic | 14.1.4.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
922665-1 | 3-Major | BT922665 | The admd process is terminated by watchdog on some heavy load configuration process | 14.1.4.5, 15.1.5 |
1023437-4 | 3-Major | | Buffer overflow during attack with large HTTP Headers | 14.1.4.5, 15.1.5, 16.1.2.1 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1033829 | 2-Critical | BT1033829 | Unable to load Traffic Classification package | 14.1.4.5 |
686783-3 | 4-Minor | BT686783 | UrlCat custom database feed list does not work when the URL contains a www prefix or capital letters. | 14.1.4.5, 15.1.4.1, 16.1.2 |
1032689-4 | 4-Minor | BT1032689 | UrlCat Custom db feedlist does not work for some URLs | 14.1.4.5, 15.1.4.1, 16.1.2 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
873545-1 | 3-Major | BT873545 | SSL Orchestrator Configuration GUI freezes after management IP change. | 14.1.4.5 |
761314-2 | 3-Major | BT761314 | OSPF Hello does not work for L2 wire | 14.1.4.5 |
Cumulative fixes from BIG-IP v14.1.4.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
981461-3 | CVE-2021-23032 | K45407662, BT981461 | Unspecified DNS responses cause TMM crash | 14.1.4.4, 15.1.3.1 |
966901-3 | CVE-2020-14364 | K09081535, BT966901 | CVE-2020-14364: Qemu Vulnerability | 14.1.4.4, 15.1.4.1 |
940317-3 | CVE-2020-13692 | K23157312, BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 14.1.4.4, 15.1.4.1, 16.1.2 |
937333-4 | CVE-2022-23013 | K29500533, BT937333 | Incomplete validation of input in unspecified forms | 14.1.4.4, 15.1.4 |
550928-4 | CVE-2022-23010 | K34360320, BT550928 | TMM may crash when processing HTTP traffic with a FastL4 virtual server | 14.1.4.4, 15.1.4.1 |
1030689-3 | CVE-2022-23019 | K82793463, BT1030689 | TMM may consume excessive resources while processing Diameter traffic | 14.1.4.4, 15.1.4.1, 16.1.2 |
1017973-3 | CVE-2021-25215 | K96223611, BT1017973 | BIND Vulnerability CVE-2021-25215 | 14.1.4.4, 15.1.4, 16.0.1.2 |
1017965-3 | CVE-2021-25214 | K11426315, BT1017965 | BIND Vulnerability CVE-2021-25214 | 14.1.4.4, 15.1.4, 16.0.1.2 |
1009029 | CVE-2021-23035 | K70415522, BT1009029 | TMM may crash while processing HTTP requests | 14.1.4.4 |
975589-2 | CVE-2020-8277 | K07944249, BT975589 | CVE-2020-8277 Node.js vulnerability | 14.1.4.4, 15.1.4.1 |
973409-4 | CVE-2020-1971 | K42910051, BT973409 | CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference | 14.1.4.4, 15.1.4.1, 16.1.2 |
962069-1 | CVE-2021-23047 | K79428827, BT962069 | Excessive resource consumption while processing OCSP requests via APM | 14.1.4.4, 15.1.3.1 |
954425-3 | CVE-2022-23031 | K61112120, BT954425 | Hardening of Live-Update | 14.1.4.4, 15.1.4, 16.1.1 |
887965-3 | CVE-2022-23027 | K30573026, BT887965 | Virtual server may stop responding while processing TCP traffic | 14.1.4.4, 15.1.4 |
1013145-3 | CVE-2021-23052 | K32734107 | APM Hardening | 14.1.4.4 |
1008561-5 | CVE-2022-23025 | K44110411, BT1008561 | In very rare condition, BIG-IP may crash when SIP ALG is deployed | 14.1.4.4, 15.1.4, 16.1.1 |
1008077-4 | CVE-2022-23029 | K50343028, BT1008077 | TMM may crash while processing TCP traffic with a FastL4 VS | 14.1.4.4, 15.1.4.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
741869-1 | 2-Critical | BT741869 | Enable SysDb variable 'Connection.VgL2Transparent' prior to operating the BIG-IP in L2 transparent mode using VLAN groups. | 14.1.4.4 |
923301-1 | 3-Major | BT923301 | ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group | 14.1.4.4, 15.1.4, 16.0.1.2 |
911141-4 | 3-Major | BT911141 | GTP v1 APN is not decoded/encoded properly | 14.1.4.4, 15.1.4, 16.1.1 |
866073-1 | 3-Major | BT866073 | Add option to exclude stats collection in qkview to avoid very large data files | 14.1.4.4, 15.1.4, 16.0.1.2 |
754335-1 | 3-Major | BT754335 | Install ISO does not boot on BIG-IP VE★ | 14.1.4.4, 15.1.4.1 |
752542-4 | 3-Major | BT752542 | Automatic eviction of PEM URLCAT cloud cache | 14.1.4.4 |
751032-3 | 4-Minor | BT751032 | TCP receive window may open too slowly after zero-window | 14.1.4.4, 15.1.4 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1002109-4 | 1-Blocking | BT1002109 | Xen binaries do not follow security best practices | 14.1.4.4, 15.1.4 |
998729 | 2-Critical | BT998729 | Query for virtual address statistics is slow when there are hundreds of virtual address and address lists entries | 14.1.4.4 |
980325-4 | 2-Critical | BT980325 | Chmand core due to memory leak from dossier requests. | 14.1.4.4, 15.1.4 |
942549-3 | 2-Critical | BT942549 | Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 | 14.1.4.4, 15.1.4.1 |
831549-1 | 2-Critical | BT831549 | Marketing name does not display properly for BIG-IP i10010 (C127) | 13.1.3.2, 14.1.4.4 |
767013-3 | 2-Critical | BT767013 | Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.4.4 |
749332-3 | 2-Critical | BT749332 | Client-SSL Object's description can be updated using CLI and with REST PATCH operation | 14.1.4.4, 15.1.5, 16.1.2.1 |
730852-3 | 2-Critical | BT730852 | The tmrouted repeatedly crashes and produces core when new peer device is added | 14.1.4.4 |
718573-1 | 2-Critical | BT718573 | Internal SessionDB invalid state | 14.1.4.4 |
1034449 | 2-Critical | BT1034449 | Excessive CPU consumption by platform_agent. | 14.1.4.4 |
969105-1 | 3-Major | BT969105 | HA failover connections via the management address do not work on vCMP guests running on VIPRION | 14.1.4.4, 15.1.4 |
965205-3 | 3-Major | BT965205 | BIG-IP dashboard downloads unused widgets | 14.1.4.4, 15.1.4.1 |
958465-3 | 3-Major | BT958465 | In BIG-IP Virtual Edition, TMM may prematurely shut down during initialization | 14.1.4.4, 15.1.3.1, 16.0.1.2 |
956293-1 | 3-Major | BT956293 | High CPU from analytics-related REST calls - Dashboard TMUI | 14.1.4.4, 15.1.4 |
950849-2 | 3-Major | BT950849 | B4450N blades report page allocation failure.★ | 14.1.4.4, 15.1.3.1 |
947529-1 | 3-Major | BT947529 | Security tab in virtual server menu renders slowly | 14.1.4.4, 15.1.4.1 |
940885-3 | 3-Major | BT940885 | Add embedded SR-IOV support for Mellanox CX5 Ex adapter | 14.1.4.4, 15.1.4.1 |
850193-2 | 3-Major | BT850193 | Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues | 14.1.4.4, 15.1.4 |
827033-3 | 3-Major | BT827033 | Boot marker is being logged before shutdown logs | 14.1.4.4, 15.1.4 |
809657-2 | 3-Major | BT809657 | HA Group score not computed correctly for an unmonitored pool when mcpd starts | 14.1.4.4, 15.1.4.1 |
787881-2 | 3-Major | BT787881 | TMSH displays TSIG keys | 14.1.4.4 |
755027-1 | 3-Major | BT755027 | Timer processing taking too long | 14.1.4.4 |
741702-3 | 3-Major | BT741702 | TMM crash | 14.1.4.4 |
1024877-1 | 3-Major | BT1024877 | Systemd[]: systemd-ask-password-serial.service failed. | 14.1.4.4, 15.1.4.1 |
1010393-3 | 3-Major | BT1010393 | Unable to relax AS-path attribute in multi-path selection | 14.1.4.4, 15.1.4, 16.0.1.2 |
1009949-1 | 3-Major | BT1009949 | High CPU usage when upgrading from previous version★ | 14.1.4.4, 15.1.4.1, 16.1.2 |
1008837-3 | 3-Major | BT1008837 | Control plane is sluggish when mcpd processes a query for virtual server and address statistics | 14.1.4.4, 15.1.4 |
898441-4 | 4-Minor | BT898441 | Enable logging of IKE keys | 14.1.4.4, 15.1.4 |
884165-2 | 4-Minor | BT884165 | Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG | 14.1.4.4, 15.1.4.1 |
851393-3 | 4-Minor | BT851393 | Tmipsecd leaves a zombie rm process running after starting up | 14.1.4.4, 15.1.0.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
846217-1 | 2-Critical | BT846217 | Translucent vlan-groups set local bit in destination MAC address | 14.1.4.4, 15.1.2.1 |
837617-3 | 2-Critical | BT837617 | Tmm may crash while processing a compression context | 14.1.4.4, 15.1.0.2 |
745589-6 | 2-Critical | BT745589 | In very rare situations, some filters may cause data-corruption. | 14.1.4.4 |
997929-4 | 3-Major | BT997929 | Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic | 14.1.4.4, 15.1.4, 16.0.1.2 |
978833-3 | 3-Major | BT978833 | Use of CRL-based Certificate Monitoring Causes Memory Leak | 14.1.4.4, 15.1.4.1 |
969637-3 | 3-Major | BT969637 | Config may fail to load with "FIPS 140 operations not available on this system" after upgrade★ | 14.1.4.4, 15.1.4 |
956133-4 | 3-Major | BT956133 | MAC address might be displayed as 'none' after upgrading.★ | 14.1.4.4, 15.1.4 |
941481-3 | 3-Major | BT941481 | iRules LX - nodejs processes consuming excessive memory | 14.1.4.4, 15.1.4 |
941257-2 | 3-Major | BT941257 | Occasional Nitrox3 ZIP engine hang | 14.1.4.4, 15.1.4 |
915773 | 3-Major | BT915773 | Restart of TMM after stale interface reference | 14.1.4.4, 15.1.4.1, 16.1.2 |
912945-4 | 3-Major | BT912945 | On a virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed | 14.1.4.4, 15.1.4, 16.1.1 |
910905-2 | 3-Major | BT910905 | TMM crash when processing virtual server traffic with TLS/SSL session cache enabled | 14.1.4.4 |
818833-3 | 3-Major | BT818833 | TCP re-transmission during SYN Cookie activation results in high latency | 14.1.4.4, 15.1.4 |
778841-2 | 3-Major | BT778841 | Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother | 14.1.4.4 |
749608-2 | 3-Major | BT749608 | HTTP Persistence cookies erroneously sent when cookie persistence turned off | 14.1.4.4 |
723112-5 | 3-Major | BT723112 | LTM policies do not work if a condition has more than 127 matches | 14.1.4.4, 15.1.4.1 |
714372-3 | 3-Major | BT714372 | Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari | 14.1.4.4, 15.0.1.1, 15.1.0.2 |
1015209-1 | 3-Major | BT1015209 | Memory may be leaked when handling chunked responses | 14.1.4.4 |
1015201-1 | 3-Major | BT1015201 | HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted. | 14.1.4.4, 15.1.5 |
1004897-3 | 3-Major | BT1004897 | 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason | 14.1.4.4 |
936773-1 | 4-Minor | BT936773 | Improve logging for "double flow removal" TMM Oops | 14.1.4.4, 15.1.4.1 |
753925-1 | 4-Minor | BT753925 | CLIENTSSL_CLIENTCERT iRule event may not be triggered on TLSv1.3 connections | 14.1.4.4 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1030665 | 2-Critical | BT1030665 | Apmd crashes during shutdown under certain conditions | 14.1.4.4 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
995853-3 | 2-Critical | BT995853 | Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. | 14.1.4.4, 15.1.4 |
850509-3 | 2-Critical | BT850509 | Zone Trusted Signature inadequately maintained, following change of master key | 14.1.4.4, 15.1.2 |
993489-4 | 3-Major | BT993489 | GTM daemon leaks memory when reading GTM link objects | 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
864797-1 | 3-Major | BT864797 | Cached results for a record are sent following region modification | 14.1.4.4, 15.1.4 |
847105-3 | 3-Major | BT847105 | The bigip_gtm.conf is reverted to default after rebooting with license expired★ | 14.1.4.4, 15.1.4.1 |
816277-2 | 4-Minor | BT816277 | Extremely long nameserver name causes GUI Error | 14.1.4.4 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
997137-4 | 2-Critical | | CSRF token modification may allow WAF bypass on GET requests | 14.1.4.4, 15.1.4.1 |
996381-4 | 2-Critical | K41503304, BT996381 | ASM attack signature may not match as expected | 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
970329-4 | 2-Critical | | ASM hardening | 14.1.4.4, 15.1.4, 16.1.1 |
965229-3 | 2-Critical | BT965229 | ASM Load hangs after upgrade★ | 14.1.4.4, 15.1.4, 16.1.1 |
920197-2 | 2-Critical | BT920197 | Brute force mitigation can stop mitigating without a notification | 14.1.4.4, 15.1.4, 16.0.1.2 |
964245-3 | 3-Major | BT964245 | ASM reports and enforces username always | 14.1.4.4, 15.1.4 |
962589-1 | 3-Major | BT962589 | Full Sync Requests Caused By Failed Relayed Call to delete_suggestion | 14.1.4.4, 15.1.4, 16.1.1 |
962497-4 | 3-Major | BT962497 | BD crash after ICAP response | 14.1.4.4, 15.1.4, 16.0.1.2 |
955017-4 | 3-Major | BT955017 | Excessive CPU consumption by asm_config_event_handler | 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2 |
951133-1 | 3-Major | BT951133 | Live Update does not work properly after upgrade★ | 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
946081-3 | 3-Major | BT946081 | Getcrc tool help displays directory structure instead of version | 14.1.4.4, 15.1.4, 16.0.1.2 |
932133-3 | 3-Major | BT932133 | Payloads with large number of elements in XML take a lot of time to process | 14.1.4.4, 15.1.4.1, 16.1.2 |
928717-1 | 3-Major | BT928717 | [ASM - AWS] - ASU fails to sync | 14.1.4.4, 15.1.4 |
920149-2 | 3-Major | BT920149 | Live Update default factory file for Server Technologies cannot be reinstalled | 14.1.4.4, 15.1.4.1, 16.1.1 |
914277-4 | 3-Major | BT914277 | [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU | 14.1.4.4, 15.1.4.1, 16.0.1.2 |
904133-2 | 3-Major | BT904133 | Creating a user-defined signature via iControl REST occasionally fails with a 400 response code | 14.1.4.4, 15.1.4.1 |
867825-2 | 3-Major | BT867825 | Export/Import on a parent policy leaves children in an inconsistent state | 14.1.4.4, 15.1.4 |
767057-2 | 3-Major | BT767057 | In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server | 14.1.4.4 |
753715-1 | 3-Major | BT753715 | False positive JSON max array length violation | 14.1.4.4, 15.1.4.1 |
712336-1 | 3-Major | BT712336 | bd daemon restart loop | 12.1.5.3, 14.1.4.4 |
1022269-3 | 3-Major | BT1022269 | False positive RFC compliant violation | 14.1.4.4, 15.1.4, 16.1.2 |
1000741-4 | 3-Major | | Fixing issue with input normalization | 14.1.4.4, 15.1.4, 16.1.1 |
952509-1 | 4-Minor | BT952509 | Cross origin AJAX requests are blocked in case there is no Origin header | 14.1.4.4, 15.1.4, 16.0.1.2 |
944441-3 | 4-Minor | BT944441 | BD_XML logs memory usage at TS_DEBUG level | 14.1.4.4, 15.1.4, 16.0.1.2 |
941249-4 | 4-Minor | BT941249 | Improvement to getcrc tool to print cookie names when cookie attributes are involved | 14.1.4.4, 15.1.4, 16.0.1.2 |
746167-1 | 4-Minor | BT746167 | Memory pressure from nsyncd | 14.1.4.4 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932137-4 | 3-Major | BT932137 | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | 14.1.4.4, 15.1.4.1, 16.1.2 |
922105-4 | 3-Major | BT922105 | Avrd core when connection to BIG-IQ data collection device is not available | 14.1.4.4, 15.1.4.1, 16.1.2 |
909161-4 | 3-Major | BT909161 | A core file is generated upon avrd process restart or stop | 14.1.4.4, 15.1.4, 16.1.1 |
1020705-3 | 4-Minor | BT1020705 | "tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead of "attack_type_name" | 14.1.4.4, 15.1.3.1, 16.1.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
789085-2 | 2-Critical | BT789085 | When executing the ACCESS::session iRule command under a serverside event, tmm may crash | 14.1.4.4 |
766921-1 | 2-Critical | BT766921 | Localdbmgr process crashes and generates a core | 14.1.4.4 |
1020349-1 | 2-Critical | BT1020349 | APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL | 14.1.4.4 |
984765-4 | 3-Major | BT984765 | APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★ | 14.1.4.4, 15.1.4 |
949477-2 | 3-Major | BT949477 | NTLM RPC exception: Failed to verify checksum of the packet | 14.1.4.4, 15.1.4.1 |
946125-1 | 3-Major | BT946125 | Tmm restart adds 'Revoked' tokens to 'Active' token count | 14.1.4.4, 15.1.4 |
849029-3 | 3-Major | BT849029 | No configurable setting for maximum entries in CRLDP cache | 14.1.4.4 |
844781-1 | 3-Major | BT844781 | [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection | 14.1.4.4, 15.0.1.3, 15.1.0.2 |
844281-1 | 3-Major | BT844281 | [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. | 14.1.4.4, 15.0.1.3, 15.1.0.2 |
803825-3 | 3-Major | BT803825 | WebSSO does not support large NTLM target info length | 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2 |
744407-3 | 3-Major | BT744407 | While the client has been closed, iRule function should not try to check on a closed session | 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2 |
1007629-2 | 3-Major | BT1007629 | APM policy configured with many ACL policies can create APM memory pressure | 14.1.4.4, 15.1.4.1 |
1002557-3 | 3-Major | BT1002557 | Tcl free object list growth | 14.1.4.4, 15.1.4.1 |
1001041-2 | 3-Major | BT1001041 | Reset cause 'Illegal argument' | 14.1.4.4, 15.1.4 |
939877-2 | 4-Minor | BT939877 | OAuth refresh token not found | 14.1.4.4, 15.1.4, 16.1.2 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993913-1 | 2-Critical | BT993913 | TMM SIGSEGV core in Message Routing Framework | 14.1.4.4, 15.1.4, 16.1.1 |
1012721-2 | 2-Critical | BT1012721 | Tmm may crash with SIP-ALG deployment in a particular race condition | 14.1.4.4, 15.1.4.1, 16.1.1 |
996113-4 | 3-Major | BT996113 | SIP messages with unbalanced escaped quotes in headers are dropped | 14.1.4.4, 15.1.4, 16.1.1 |
805821-4 | 3-Major | BT805821 | GTP log message contains no useful information | 14.1.4.4, 15.1.4, 16.1.1 |
919301-4 | 4-Minor | BT919301 | GTP::ie count does not work with -message option | 14.1.4.4, 15.1.4, 16.1.1 |
913413-4 | 4-Minor | BT913413 | 'GTP::header extension count' iRule command returns 0 | 14.1.4.4, 15.1.4, 16.1.1 |
913409-4 | 4-Minor | BT913409 | GTP::header extension command may abort connection due to unreasonable TCL error | 14.1.4.4, 15.1.4, 16.1.1 |
913393-4 | 5-Cosmetic | BT913393 | Tmsh help page for GTP iRule contains incorrect and missing information | 14.1.4.4, 15.1.4, 16.1.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
990461-2 | 3-Major | BT990461 | Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★ | 14.1.4.4 |
744204-1 | 3-Major | BT744204 | PCCD may exhaust system memory when compiling | 14.1.4.4 |
1012521-4 | 3-Major | BT1012521 | BIG-IP UI file permissions | 14.1.4.4, 15.1.4, 16.0.1.2 |
926425 | 4-Minor | BT926425 | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts | 14.1.4.4 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
913453-3 | 2-Critical | BT913453 | URL Categorization: wr_urldbd cores while processing urlcat-query | 14.1.4.4, 15.1.4 |
760961-3 | 2-Critical | BT760961 | TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts | 13.1.1.5, 14.1.4.4 |
958085-2 | 3-Major | BT958085 | IM installation fails with error: Spec file not found★ | 14.1.4.4, 15.1.4 |
785605-2 | 3-Major | BT785605 | Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group | 14.1.4.4 |
974205-2 | 4-Minor | BT974205 | Unconstrained wr_urldbd size causing box to OOM | 12.1.6, 14.1.4.4, 15.1.4 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
970829-4 | 2-Critical | K03310534, BT970829 | iSeries LCD incorrectly displays secure mode | 14.1.4.4, 15.1.4, 16.0.1.2 |
929213-3 | 3-Major | BT929213 | iAppLX packages not rolled forward after BIG-IP upgrade★ | 14.1.4.4, 15.1.4.1, 16.1.2 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
946185-4 | 3-Major | BT946185 | Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★ | 14.1.4.4, 15.1.4.1, 16.1.2 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
822245-5 | 4-Minor | BT822245 | Large number of in-TMM monitors results in some monitors being marked down | 14.1.4.4, 15.1.4 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
918317-3 | 3-Major | BT918317 | SSL Orchestrator resets subsequent requests when HTTP services are being used. | 14.1.4.4, 15.1.4 |
Cumulative fixes from BIG-IP v14.1.4.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
989009-4 | CVE-2021-23033 | K05314769, BT989009 | BD daemon may crash while processing WebSocket traffic | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
980125-4 | CVE-2021-23030 | K42051445, BT980125 | BD Daemon may crash while processing WebSocket traffic | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
946377-3 | CVE-2021-23027 | K24301698, BT946377 | HSM WebUI Hardening | 14.1.4.3, 15.1.3.1, 16.0.1.2 |
968349-1 | CVE-2021-23048 | K19012930, BT968349 | TMM crashes with unspecified message | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
950017-3 | CVE-2021-23045 | K94941221, BT950017 | TMM may crash while processing SCTP traffic | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
797797-3 | CVE-2019-11811 | K01512680, BT797797 | CVE-2019-11811 kernel: use-after-free in drivers | 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.1 |
968733-5 | CVE-2018-1120 | K42202505, BT968733 | CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
939421-4 | CVE-2020-10029 | K38481791, BT939421 | CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow | 14.1.4.3, 15.1.4, 16.0.1.2 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
876937-1 | 3-Major | BT876937 | DNS Cache not functioning | 14.1.4.3, 15.1.4 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
967905-3 | 2-Critical | BT967905 | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
1004517-3 | 2-Critical | BT1004517 | BIG-IP tenants on VELOS cannot install EHFs | 14.1.4.3 |
1000973-2 | 2-Critical | BT1000973 | Unanticipated restart of TMM due to heartbeat failure | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
998221-4 | 3-Major | BT998221 | Accessing pool members from configuration utility is slow with large config | 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2 |
996593-3 | 3-Major | BT996593 | Password change through REST or GUI not allowed if the password is expired | 14.1.4.3, 15.1.4, 16.0.1.2 |
994801-4 | 3-Major | | SCP file transfer system | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
908601-4 | 3-Major | BT908601 | System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option | 14.1.4.3, 15.1.4, 16.0.1.2 |
841277-5 | 3-Major | BT841277 | C4800 LCD fails to load after annunciator hot-swap | 14.1.4.3, 15.1.4 |
804477-4 | 3-Major | BT804477 | Add HSB register logging when parts of the device becomes unresponsive | 13.1.3.4, 14.1.4.3 |
819053-2 | 4-Minor | | CVE-2019-13232 unzip: overlapping of files in ZIP container | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
1004417-1 | 4-Minor | BT1004417 | Provisioning error message during boot up★ | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1007505 | 2-Critical | BT1007505 | TLS handshake times out if intermediate CA cert status cannot be determined | 14.1.4.3 |
1001509-1 | 2-Critical | K11162395, BT1001509 | Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates | 14.1.4.3, 15.1.3 |
882549-3 | 3-Major | BT882549 | Sock driver does not use multiple queues in unsupported environments | 14.1.4.3, 15.1.4, 16.0.1.2 |
962433-3 | 4-Minor | BT962433 | HTTP::retry for a HEAD request fails to create new connection | 13.1.4.1, 14.1.4.3, 15.1.4 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1017645-3 | 2-Critical | BT1017645 | False positive HTTP compliance violation | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
981785-2 | 3-Major | BT981785 | Incorrect incident severity in Event Correlation statistics | 14.1.4.3, 15.1.4, 16.0.1.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
833113-3 | 3-Major | BT833113 | Avrd core when sending large messages via https | 13.1.3.4, 14.1.4.3, 15.0.1.3, 15.1.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
660913-3 | 2-Critical | BT660913 | For ActiveSync client type, browscap info provided is incorrect.★ | 12.1.4.1, 13.1.3.4, 14.1.4.3 |
924521-1 | 3-Major | BT924521 | OneConnect does not work when WEBSSO is enabled/configured. | 14.1.4.3, 15.1.4 |
470346-2 | 3-Major | BT470346 | Some IPv6 client connections get RST when connecting to APM virtual | 14.1.4.3, 15.1.4 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
991037-1 | 3-Major | BT991037 | MR::message can cause tmm crash | 14.1.4.3 |
788625-3 | 3-Major | BT788625 | A pool member is not marked up by the inband monitor even after successful connection to the pool member | 14.1.4.3, 15.1.4, 16.0.1.2 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
874677 | 2-Critical | BT874677 | Traffic Classification auto signature update fails from GUI★ | 14.1.4.3, 15.1.3, 16.0.1.1 |
976365-1 | 3-Major | BT976365 | Traffic Classification hardening★ | 14.1.4.3, 15.1.3.1 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
795329-2 | 3-Major | BT795329 | IM installation fails if 'auto-add-new-inspections' enabled on profile★ | 14.1.4.3, 15.0.1.1 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
947925-4 | 3-Major | BT947925 | TMM may crash when executing L7 Protocol Lookup per-request policy agent | 14.1.4.3, 15.1.4 |
Cumulative fixes from BIG-IP v14.1.4.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
962341-4 | CVE-2021-23028 | K00602225, BT962341 | BD crash while processing JSON content | 13.1.4, 14.1.4.2, 15.1.3.1, 16.0.1.2 |
935433-4 | CVE-2021-23026 | K53854428, BT935433 | iControl SOAP | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
981693-2 | CVE-2022-23024 | K54892865, BT981693 | TMM may consume excessive resources while processing IPSec ALG traffic | 14.1.4.2, 15.1.4.1 |
965485-2 | CVE-2019-5482 | K41523201 | CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
949889-2 | CVE-2019-3900 | K04107324, BT949889 | CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
942701-3 | CVE-2021-23044 | K35408374, BT942701 | TMM may consume excessive resources while processing HTTP traffic | 13.1.4.1, 14.1.4.2, 15.1.3.1 |
937365-4 | CVE-2021-23041 | K42526507, BT937365 | LTM UI does not follow best practices | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
907245-3 | CVE-2021-23040 | K94255403, BT907245 | AFM UI Hardening | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
906377-4 | CVE-2021-23038 | K61643620, BT906377 | iRulesLX hardening | 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2 |
803933-2 | CVE-2018-20843 | K51011533, BT803933 | Expat XML parser vulnerability CVE-2018-20843 | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
1003557-4 | CVE-2021-23015 | K74151369, BT1003557 | Not following best practices in Guided Configuration Bundle Install worker | 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1004833-1 | 1-Blocking | BT1004833 | NIST SP800-90B compliance | 14.1.4.2, 15.1.4 |
976505-1 | 3-Major | BT976505 | Rotated restnoded logs will fail logintegrity verification. | 14.1.4.2, 15.1.4, 16.0.1.2 |
975809-2 | 3-Major | BT975809 | Rotated restjavad logs fail logintegrity verification. | 14.1.4.2, 15.1.4, 16.0.1.2 |
959629-3 | 3-Major | BT959629 | Logintegrity script for restjavad/restnoded fails | 14.1.4.2, 15.1.4, 16.0.1.2 |
958353-3 | 3-Major | BT958353 | Restarting the mcpd messaging service renders the PAYG VE license invalid. | 14.1.4.2, 15.1.4, 16.0.1.2 |
946089-1 | 3-Major | BT946089 | BIG-IP might send excessive multicast/broadcast traffic. | 14.1.4.2, 15.1.4, 16.0.1.2 |
932497-1 | 3-Major | BT932497 | Autoscale groups require multiple syncs of datasync-global-dg | 14.1.4.2, 15.1.4, 16.0.1.2 |
913849 | 3-Major | BT913849 | Syslog-ng periodically logs nothing for 20 seconds | 14.1.4.2, 15.1.4, 16.0.1.2 |
764873-2 | 3-Major | BT764873 | An accelerated flow may transmit packets to an unavailable pool member. | 13.1.3.2, 14.1.4.2, 15.0.1.3 |
1009133 | 3-Major | BT1009133 | BIG-IP vCMP guests that have HA Groups configured to include trunk scoring may fail to upgrade properly★ | 14.1.4.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
945997-3 | 2-Critical | BT945997 | LTM policy applied to HTTP/2 traffic may crash TMM | 14.1.4.2, 15.1.4, 16.0.1.2 |
980821-1 | 3-Major | BT980821 | Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured. | 14.1.4.2, 15.1.3.1, 16.0.1.2 |
895557-1 | 4-Minor | BT895557 | NTLM profile logs error when used with profiles that do redirect | 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2 |
773253-3 | 4-Minor | BT773253 | The BIG-IP may send VLAN failsafe probes from a disabled blade | 13.1.4, 14.1.4.2, 15.1.2.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
918597-4 | 2-Critical | BT918597 | Under certain conditions, deleting a topology record can result in a crash. | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
717306-1 | 2-Critical | BT717306 | Added ability to use Vip-targeting-Vip with DNS Cache server-side connections | 14.1.4.2 |
973261-4 | 3-Major | BT973261 | GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
912001-4 | 3-Major | BT912001 | TMM cores on secondary blades of the Chassis system. | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
835209-1 | 3-Major | BT835209 | External monitors mark objects down | 14.1.4.2, 15.1.3 |
746719-1 | 3-Major | BT746719 | SERVFAIL when attempting to view or edit NS resource records in zonerunner | 14.1.4.2 |
857953-3 | 4-Minor | BT857953 | Non-functional disable/enable buttons present in GTM wide IP members page | 14.1.4.2, 15.1.4, 16.0.1.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
968421-4 | 2-Critical | K30291321, BT968421 | ASM attack signature doesn't matched | 11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2 |
943913-4 | 2-Critical | K30150004, BT943913 | ASM attack signature does not match | 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2 |
854001-4 | 2-Critical | BT854001 | TMM might crash in case of trusted bot signature and API protected url | 14.1.4.2, 15.1.4, 16.0.1.2 |
810497-2 | 2-Critical | BT810497 | Pabnagd cores during device group settings changes | 14.1.4.2 |
950917-2 | 3-Major | BT950917 | Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 | 13.1.4.1, 14.1.4.2, 15.1.4 |
928685-3 | 3-Major | K49549213, BT928685 | ASM Brute Force mitigation not triggered as expected | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
922261-4 | 3-Major | BT922261 | WebSocket server messages are logged even it is not configured | 14.1.4.2, 15.1.4, 16.0.1.2 |
912089-3 | 3-Major | BT912089 | Some roles are missing necessary permission to perform Live Update | 14.1.4.2, 15.1.4, 16.0.1.2 |
907337-4 | 3-Major | BT907337 | BD crash on specific scenario | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
888289-3 | 3-Major | BT888289 | Add option to skip percent characters during normalization | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1 |
883853-1 | 3-Major | BT883853 | Bot Defense Profile with staged signatures prevents signature update★ | 14.1.4.2, 15.1.4 |
881757-2 | 3-Major | BT881757 | Unnecessary HTML response parsing and response payload is not compressed | 14.1.4.2, 15.1.1, 16.0.1.2 |
846181-1 | 3-Major | BT846181 | Request samples for some of the learning suggestions are not visible | 14.1.4.2, 15.1.4 |
830341-1 | 3-Major | BT830341 | False positives Mismatched message key on ASM TS cookie | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1 |
792341-2 | 3-Major | BT792341 | Google Analytics shows incorrect stats. | 13.1.4.1, 14.1.4.2 |
673272-4 | 3-Major | BT673272 | Search by "Signature ID is" does not return results for some signature IDs | 13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2 |
941929-1 | 4-Minor | BT941929 | Google Analytics shows incorrect stats, when Google link is redirected. | 14.1.4.2, 15.1.4, 16.0.1.2 |
911729-1 | 4-Minor | BT911729 | Redundant learning suggestion to set a Maximum Length when parameter is already at that value | 14.1.4.2, 15.1.4, 16.0.1.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
981385-4 | 3-Major | BT981385 | AVRD does not send HTTP events to BIG-IQ DCD | 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2 |
932485-2 | 3-Major | BT932485 | Incorrect sum(hits_count) value in aggregate tables | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
913085-4 | 3-Major | BT913085 | Avrd core when avrd process is stopped or restarted | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
995029 | 2-Critical | BT995029 | Configuration is not updated during auto-discovery | 14.1.4.2, 15.1.4 |
783233-2 | 2-Critical | BT783233 | OAuth puts quotation marks around claim values that are not string type | 14.1.4.2 |
894885 | 3-Major | BT894885 | [SAML] SSO crash while processing client SSL request | 14.1.4.2, 15.1.4 |
866109-1 | 3-Major | BT866109 | JWK keys frequency does not support fewer than 60 minutes | 13.1.4.1, 14.1.4.2, 15.1.4 |
757781-3 | 3-Major | BT757781 | Portal Access: cookie exchange may be broken sometimes | 13.1.1.5, 14.0.0.5, 14.1.4.2, 15.0.1.1 |
738865-3 | 3-Major | BT738865 | MCPD might enter into loop during APM config validation | 14.1.4.2, 15.1.4 |
828773-1 | 4-Minor | BT828773 | Incomplete response to an internal request by Portal Access | 14.1.4.2 |
766017-1 | 4-Minor | BT766017 | [APM][LocalDB] Local user database instance name length check inconsistencies★ | 12.1.5.3, 13.1.3.5, 14.1.4.2, 15.1.2, 16.0.1.1 |
747234-5 | 4-Minor | BT747234 | Macro policy does not find corresponding access-profile directly | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
974881-1 | 2-Critical | BT974881 | Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic | 14.1.4.2, 15.1.4, 16.0.1.2 |
868781-2 | 2-Critical | BT868781 | TMM crashes while processing MRF traffic | 13.1.4.1, 14.1.4.2, 15.1.1 |
989753-3 | 3-Major | BT989753 | In HA setup, standby fails to establish connection to server | 14.1.4.2, 15.1.4, 16.0.1.2 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
992213-1 | 3-Major | BT992213 | Protocol Any displayed as HOPTOPT in AFM policy view | 14.1.4.2, 15.1.4, 16.1.1 |
988005-3 | 3-Major | BT988005 | Zero active rules counters in GUI | 14.1.4.2, 15.1.4, 16.0.1.2 |
783217-1 | 3-Major | BT783217 | Negative numbers of received packets in DoS-sampled log messages for bad actor and attacked destination attacks | 14.1.4.2 |
751116-1 | 3-Major | BT751116 | DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring | 13.1.3.4, 14.1.4.2 |
716746-1 | 3-Major | BT716746 | Possible tmm restart when disabling single endpoint vector while attack is ongoing | 13.1.0.7, 14.1.4.2, 15.1.3, 16.0.1.2 |
685904-2 | 3-Major | BT685904 | Firewall Rule hit counts are not auto-updated after a Reset is done | 14.1.4.2, 15.1.4 |
977005-2 | 4-Minor | BT977005 | Network Firewall Policy rules-list showing incorrect 'Any' for source column | 14.1.4.2, 15.1.4 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
981689-1 | 2-Critical | BT981689 | TMM memory leak with IPsec ALG | 14.1.4.2, 15.1.4.1 |
994985-1 | 3-Major | BT994985 | CGNAT GUI shows blank page when applying SIP profile | 14.1.4.2, 15.1.4 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
893721-1 | 2-Critical | BT893721 | PEM-provisioned systems may suffer random tmm crashes after upgrading★ | 14.1.4.2, 15.1.4 |
948573-2 | 3-Major | BT948573 | Wr_urldbd list of valid TLDs needs to be updated | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
846601-3 | 3-Major | BT846601 | Traffic classification does not update when an inactive slot becomes active after upgrade★ | 14.1.4.2, 15.1.4, 16.0.1.2 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
912425-1 | 3-Major | BT912425 | Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash | 14.1.4.2, 15.1.4, 16.0.1.2 |
Cumulative fixes from BIG-IP v14.1.4.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
980809-3 | CVE-2021-23031 | K41351250, BT980809 | ASM REST Signature Rule Keywords Tool Hardening | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
990333-4 | CVE-2021-23016 | K75540265, BT990333 | APM may return unexpected content when processing HTTP requests | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
945109-4 | CVE-2015-9382 | K46641512, BT945109 | Freetype Parser Skip Token Vulnerability CVE-2015-9382 | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
1002561-1 | CVE-2021-23007 | K37451543, BT1002561 | TMM vulnerability CVE-2021-23007 | 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
933777-2 | 3-Major | BT933777 | Context use and syntax changes clarification | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
704552-2 | 3-Major | BT704552 | Support for ONAP site licensing | 13.1.0.7, 14.0.0.2, 14.1.4.1 |
918097-1 | 4-Minor | BT918097 | Cookies set in the URI on Safari | 14.1.4.1, 15.1.3, 16.0.1.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
995629-2 | 2-Critical | BT995629 | Loading UCS files may hang if ASM is provisioned★ | 13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2 |
876957-2 | 2-Critical | BT876957 | Reboot after tmsh load sys config changes sys FPGA firmware-config value | 14.1.4.1, 15.1.1 |
978393 | 3-Major | BT978393 | GUI screen shows blank screen while importing a certificate★ | 14.1.4.1 |
969213-2 | 3-Major | BT969213 | VMware: management IP cannot be customized via net.mgmt.addr property | 14.1.4.1, 15.1.3, 16.0.1.2 |
922297-3 | 3-Major | BT922297 | TMM does not start when using more than 11 interfaces with more than 11 vCPUs | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
914245-1 | 3-Major | BT914245 | Reboot after tmsh load sys config changes sys FPGA firmware-config value | 14.1.4.1, 15.1.3, 16.0.1.2 |
841649-2 | 3-Major | BT841649 | Hardware accelerated connection mismatch resulting in tmm core | 14.1.4.1, 15.1.2 |
839121-1 | 3-Major | K74221031, BT839121 | A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★ | 14.1.4.1, 15.1.3, 16.0.1.2 |
829821-3 | 3-Major | BT829821 | Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
692218-3 | 3-Major | BT692218 | Audit log messages sent from the primary blade to the secondaries should not be logged. | 14.1.4.1, 15.1.3, 16.0.1.2 |
675911-13 | 3-Major | K13272442, BT675911 | Different sections of the GUI can report incorrect CPU utilization | 14.1.4.1, 15.1.3, 16.0.1.2 |
601220-3 | 3-Major | BT601220 | Multi-blade trunks seem to leak packets ingressed via one blade to a different blade | 14.1.4.1 |
569859-5 | 3-Major | BT569859 | Password policy enforcement for root user when mcpd is not available | 14.1.4.1, 15.1.3 |
879189-3 | 4-Minor | BT879189 | Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section | 14.1.4.1, 15.1.3, 16.0.1.2 |
658943-2 | 4-Minor | BT658943 | Errors when platform-migrate loading UCS using trunks on vCMP guest | 14.1.4.1 |
440599-1 | 4-Minor | BT440599 | Added DB Variable to configure 'difok' variable in password policy | 14.1.4.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
908621-3 | 2-Critical | BT908621 | Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core | 14.1.4.1, 15.1.2 |
738964-2 | 2-Critical | | Instruction logger debugging enhancement | 14.1.4.1, 15.1.3 |
888517-3 | 3-Major | BT888517 | Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.★ | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
878925-3 | 3-Major | BT878925 | SSL connection mirroring failover at end of TLS handshake | 14.1.4.1, 15.1.2 |
760406-3 | 3-Major | BT760406 | HA connection might stall on Active device when the SSL session cache becomes out-of-sync. | 14.1.4.1 |
756812-2 | 3-Major | BT756812 | Nitrox 3 instruction/request logger may fail due to SELinux permission error | 14.1.4.1, 15.1.3 |
756817-1 | 4-Minor | BT756817 | ZebOS addresses blocks do not reflect RFC5735 changes to reserved address blocks. | 14.1.4.1, 15.0.1.4 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
971297-3 | 3-Major | BT971297 | DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade★ | 14.1.4.1, 15.1.3, 16.0.1.2 |
885201-3 | 4-Minor | BT885201 | BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log | 14.1.4.1, 15.1.3 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
956373-3 | 3-Major | BT956373 | ASM sync files not cleaned up immediately after processing | 14.1.4.1, 15.1.3, 16.0.1.2 |
947341-3 | 3-Major | BT947341 | MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. | 14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2 |
929001-4 | 3-Major | K48321015, BT929001 | ASM form handling improvements | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
767077-1 | 3-Major | BT767077 | Loading truncated Live Update file (ASU) completes incorrectly or fails with odd error | 14.1.4.1 |
824093-3 | 4-Minor | BT824093 | Parameters payload parser issue | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
869049-2 | 3-Major | BT869049 | Charts discrepancy in AVR reports | 14.1.4.1, 15.1.3, 16.0.1.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
883577-2 | 3-Major | BT883577 | ACCESS::session irule command does not work in HTTP_RESPONSE event | 14.1.4.1, 15.1.3 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
750679-1 | 2-Critical | BT750679 | Tmm crash on standby device and Diameter stats issues | 14.1.4.1 |
982869-3 | 3-Major | BT982869 | With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0 | 14.1.4.1, 15.1.3, 16.0.1.2 |
977053-3 | 3-Major | BT977053 | TMM crash on standby due to invalid MR router instance | 14.1.4.1, 15.1.3, 16.0.1.2 |
966701-3 | 3-Major | BT966701 | Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP | 14.1.4.1, 15.1.3, 16.0.1.2 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
851745-1 | 2-Critical | BT851745 | High cpu consumption due when enabling large number of virtual servers | 14.1.4.1, 15.1.2 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
914293-1 | 3-Major | BT914293 | TMM SIGSEGV and crash | 14.1.4.1, 15.1.3, 16.0.1.2 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
964577-1 | 4-Minor | BT964577 | IPS automatic IM download not working as expected | 14.1.4.1, 15.1.3, 16.0.1.2 |
Cumulative fixes from BIG-IP v14.1.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
975233-3 | CVE-2021-22992 | K52510511, BT975233 | Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
973333-3 | CVE-2021-22991 | K56715231, BT973333 | TMM buffer-overflow vulnerability CVE-2021-22991 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
955145-3 | CVE-2021-22986 | K03009991, BT955145 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
954381-3 | CVE-2021-22986 | K03009991, BT954381 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
953677-3 | CVE-2021-22987, CVE-2021-22988 | K18132488, K70031188, BT953677 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
951705-3 | CVE-2021-22986 | K03009991, BT951705 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 14.1.4, 15.1.2.1, 16.0.1.1 |
981169-3 | CVE-2021-22994 | K66851119, BT981169 | F5 TMUI XSS vulnerability CVE-2021-22994 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
959121-2 | CVE-2021-23015 | K74151369, BT959121 | Not following best practices in Guided Configuration Bundle Install worker | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
953729-3 | CVE-2021-22989, CVE-2021-22990 | K56142644, K45056101, BT953729 | Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
949933-2 | CVE-2021-22980 | K29282483, BT949933 | BIG-IP APM CTU vulnerability CVE-2021-22980 | 13.1.3.6, 14.1.4, 15.1.4, 16.0.1.1 |
931837-5 | CVE-2020-13817 | K55376430, BT931837 | NTP has predictable timestamps | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
882633-4 | CVE-2021-23008 | K51213246, BT882633 | Active Directory authentication does not follow current best practices | 12.1.6, 13.1.4, 14.1.4, 15.1.3 |
976925-3 | CVE-2021-23002 | K71891773, BT976925 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
954429-3 | CVE-2021-23014 | K23203045, BT954429 | User authorization changes for live update | 14.1.4, 15.1.3, 16.0.1.1 |
948769-4 | CVE-2021-23013 | K05300051, BT948769 | TMM panic with SCTP traffic | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
946581-3 | CVE-2020-27713 | K37960100, BT946581 | TMM vulnerability CVE-2020-27713 | 13.1.3.5, 14.1.4 |
938233-3 | CVE-2021-23042 | K93231374 | An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization | 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
937637-4 | CVE-2021-23002 | K71891773, BT937637 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
935401-4 | CVE-2021-23001 | K06440657, BT935401 | BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
932697-2 | CVE-2021-23000 | K34441555, BT932697 | BIG-IP TMM vulnerability CVE-2021-23000 | 12.1.5.3, 13.1.4, 14.1.4 |
903889 | CVE-2021-22999 | K02333782, BT903889 | BIG-IP HTTP/2 vulnerability CVE-2021-22999 | 14.1.4 |
877109-3 | CVE-2021-23012 | K04234247 | Unspecified input can break intended functionality in iHealth proxy | 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
743105-4 | CVE-2021-22998 | K31934524, BT743105 | BIG-IP SNAT vulnerability CVE-2021-22998 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
718189-7 | CVE-2021-23011 | K10751325, BT718189 | Unspecified IP traffic can cause low-memory conditions | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
912289-3 | 2-Critical | BT912289 | Cannot roll back after upgrading on certain platforms★ | 12.1.6, 13.1.4, 14.1.4, 15.1.1 |
945265-3 | 3-Major | BT945265 | BGP may advertise default route with incorrect parameters | 14.1.4, 15.1.3, 16.0.1.1 |
913829-3 | 3-Major | BT913829 | i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
867793-3 | 3-Major | BT867793 | BIG-IP sending the wrong trap code for BGP peer state | 14.1.4, 15.1.2.1 |
794417-1 | 3-Major | BT794417 | Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not★ | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
742860-3 | 3-Major | BT742860 | VE: Predictable NIC ordering based on PCI coordinates until ordering is saved. | 13.1.3.6, 14.1.4 |
719338-2 | 4-Minor | BT719338 | Concurrent management SSH connections are unlimited | 13.1.4, 14.1.4, 15.1.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
990849-3 | 2-Critical | BT990849 | Loading UCS with platform-migrate option hangs and requires exiting from the command★ | 13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2 |
940021-2 | 2-Critical | BT940021 | Syslog-ng hang may lead to unexpected reboot | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
932437-4 | 2-Critical | BT932437 | Loading SCF file does not restore files from tar file★ | 14.1.4, 15.1.2.1, 16.0.1.1 |
915305-3 | 2-Critical | BT915305 | Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded | 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1 |
908517-1 | 2-Critical | BT908517 | LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)' | 14.1.4, 15.1.3, 16.0.1.1 |
888341-5 | 2-Critical | BT888341 | HA Group failover may fail to complete Active/Standby state transition | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
886693-2 | 2-Critical | BT886693 | System might become unresponsive after upgrading.★ | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
817085-4 | 2-Critical | BT817085 | Multicast Flood Can Cause the Host TMM to Restart | 12.1.5.3, 14.1.4 |
811973-2 | 2-Critical | BT811973 | TMM may crash when shutting down | 14.1.4 |
797221-1 | 2-Critical | BT797221 | BCM daemon can be killed by watchdog timeout during blade-to-blade failover | 14.1.4 |
785017-1 | 2-Critical | BT785017 | Secondary blades go offline after new primary is elected | 13.1.4, 14.1.4, 15.1.3 |
776393-2 | 2-Critical | BT776393 | Restjavad restarts frequently due to insufficient memory with relatively large configurations | 14.1.4, 15.1.3, 16.0.1.1 |
751991-1 | 2-Critical | BT751991 | BIOS update fails with "flashrom not safe for BIOS updates yet" log message | 14.1.4 |
739507-1 | 2-Critical | BT739507 | Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check | 13.1.1.2, 14.1.4, 15.1.0.5 |
739505-2 | 2-Critical | BT739505 | Automatic ISO digital signature checking not required when FIPS license active★ | 13.1.1.2, 14.1.4, 15.1.2.1, 16.0.1.1 |
973201 | 3-Major | BT973201 | F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions★ | 14.1.4, 15.1.4 |
967745-2 | 3-Major | BT967745 | Last resort pool error for the modify command for Wide IP | 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1 |
963017-3 | 3-Major | BT963017 | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed | 14.1.4, 15.1.3 |
946745-3 | 3-Major | BT946745 | 'System Integrity: Invalid' after Engineering Hotfix installation | 14.1.4, 15.1.3 |
943793 | 3-Major | BT943793 | Neurond continuously restarting. | 14.1.4 |
939541-3 | 3-Major | BT939541 | TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE | 14.1.4, 15.1.3, 16.0.1.1 |
930905-1 | 3-Major | BT930905 | Management route lost after reboot. | 14.1.4, 15.1.2.1, 16.0.1.1 |
927941-3 | 3-Major | BT927941 | IPv6 static route BFD does not come up after OAMD restart | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
914081-3 | 3-Major | BT914081 | Engineering Hotfixes missing bug titles | 14.1.4, 15.1.3 |
913433-1 | 3-Major | BT913433 | On blade failure, some trunked egress traffic is dropped. | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
909197-5 | 3-Major | BT909197 | The mcpd process may become unresponsive | 14.1.4, 15.1.4.1, 16.0.1.1 |
904785-3 | 3-Major | BT904785 | Remotely authenticated users may experience difficulty logging in over the serial console | 14.1.4, 15.1.2.1, 16.0.1.1 |
896817-4 | 3-Major | BT896817 | iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb | 14.1.4, 15.1.2.1, 16.0.1.1 |
896553-2 | 3-Major | BT896553 | On blade failure, some trunked egress traffic is dropped. | 13.1.3.6, 14.1.4, 15.1.3 |
895837-1 | 3-Major | BT895837 | Mcpd crash when a traffic-matching-criteria destination-port-list is modified | 14.1.4, 15.1.2.1, 16.0.1.1 |
893949 | 3-Major | BT893949 | Support TCP directional offload for hardware-accelerated connections | 14.1.4 |
893885 | 3-Major | BT893885 | The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation | 14.1.4, 15.1.3 |
891337-3 | 3-Major | BT891337 | 'save_master_key(master): Not ready to save yet' errors in the logs | 14.1.4, 15.1.3 |
889029-4 | 3-Major | BT889029 | Unable to login if LDAP user does not have search permissions | 14.1.4, 15.1.3, 16.0.1.2 |
879829-3 | 3-Major | BT879829 | HA daemon sod cannot bind to ports numbered lower than 1024 | 14.1.4, 15.1.3, 16.0.1.2 |
876805-1 | 3-Major | BT876805 | Modifying address-list resets the route advertisement on virtual servers. | 14.1.4, 15.1.3, 16.0.1.1 |
862937-2 | 3-Major | BT862937 | Running cpcfg after first boot can result in daemons stuck in restart loop★ | 14.1.4, 15.1.3, 16.0.1.2 |
838901-2 | 3-Major | BT838901 | TMM receives invalid rx descriptor from HSB hardware | 13.1.4, 14.1.4, 15.1.2 |
830413-4 | 3-Major | BT830413 | Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure★ | 14.1.4, 15.1.2.1, 16.0.1.1 |
820845-2 | 3-Major | BT820845 | Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use. | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
814053-2 | 3-Major | BT814053 | Under heavy load, bcm56xxd can be killed by the watchdog | 14.1.4 |
803237-4 | 3-Major | BT803237 | PVA does not validate interface MTU when setting MSS | 14.1.4, 15.1.3 |
799001-3 | 3-Major | BT799001 | Sflow agent does not handle disconnect from SNMPD manager correctly | 14.1.4, 15.1.3 |
787885-1 | 3-Major | BT787885 | The device status is falsely showing as forced offline on the network map while actual device status is not. | 14.1.4, 15.1.3, 16.0.1.1 |
759596-2 | 3-Major | BT759596 | Tcl errors in iRules 'table' command | 12.1.5.3, 13.1.3.6, 14.1.4 |
754132-2 | 3-Major | BT754132 | A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command | 13.1.3.6, 14.1.4 |
751448-1 | 3-Major | BT751448 | TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart | 14.1.4 |
751021-1 | 3-Major | BT751021 | One or more TMM instances may be left without dynamic routes. | 13.1.3.5, 14.1.4 |
750194-4 | 3-Major | | Moderate: net-snmp security update | 13.1.3.5, 14.1.4 |
749007-2 | 3-Major | BT749007 | South Sudan, Sint Maarten, and Curacao country missing in GTM region list | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
744252-2 | 3-Major | BT744252 | BGP route map community value: either component cannot be set to 65535 | 13.1.3.6, 14.1.4 |
719555-5 | 3-Major | BT719555 | Interface listed as 'disable' after SFP insertion and enable | 14.1.4, 15.1.1 |
661640-1 | 3-Major | BT661640 | Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair. | 14.1.4 |
615934-4 | 3-Major | BT615934 | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | 13.1.3.5, 14.1.4, 15.1.3 |
966277-3 | 4-Minor | BT966277 | BFD down on multi-blade system | 14.1.4, 15.1.3, 16.0.1.1 |
959889-1 | 4-Minor | BT959889 | Cannot update firewall rule with ip-protocol property as 'any' | 14.1.4, 15.1.3 |
947865-3 | 4-Minor | BT947865 | Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read | 14.1.4, 15.1.3 |
774617-1 | 4-Minor | BT774617 | SNMP daemon reports integer truncation error for values greater than 32 bits | 14.1.4, 15.1.0.4 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
926929-2 | 1-Blocking | BT926929 | RFC Compliance Enforcement lacks configuration availability | 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2 |
910653-3 | 2-Critical | BT910653 | iRule parking in clientside/serverside command may cause tmm restart | 14.1.4, 15.1.3, 16.0.1.1 |
889209-1 | 2-Critical | BT889209 | Sflow receiver configuration may lead to egress traffic dropped after TMM starts. | 14.1.4, 15.1.1 |
882157-2 | 2-Critical | BT882157 | One thread of pkcs11d consumes 100% without any traffic. | 14.1.4, 15.1.3 |
876801-3 | 2-Critical | BT876801 | Tmm crash: invalid route type | 13.1.4, 14.1.4, 15.1.2 |
812525-3 | 2-Critical | K27551003, BT812525 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
968641-1 | 3-Major | BT968641 | Fix for zero LACP priority | 14.1.4, 15.1.3, 16.0.1.2 |
965537 | 3-Major | BT965537 | SSL filter does not re-initialize when OCSP validator is modified | 14.1.4 |
953845-4 | 3-Major | BT953845 | After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart | 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
944641-3 | 3-Major | BT944641 | HTTP2 send RST_STREAM when exceeding max streams | 14.1.4, 15.1.4, 16.0.1.1 |
940209-1 | 3-Major | BT940209 | Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout. | 14.1.4, 15.1.2 |
932033-1 | 3-Major | BT932033 | Chunked response may have DATA frame with END_STREAM prematurely | 14.1.4, 15.1.2 |
928857-3 | 3-Major | BT928857 | Use of OCSP responder may leak X509 store instances | 14.1.4, 15.1.3 |
928805-3 | 3-Major | BT928805 | Use of OCSP responder may cause memory leakage | 14.1.4, 15.1.3 |
928789-3 | 3-Major | BT928789 | Use of OCSP responder may leak SSL handshake instances | 14.1.4, 15.1.3 |
921881-4 | 3-Major | BT921881 | Use of IPFIX log destination can result in increased CPU utilization | 14.1.4, 15.1.3, 16.0.1.2 |
892941-4 | 3-Major | K20105555, BT892941 | F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) | 14.1.4, 15.1.2, 16.0.1.1 |
889601-1 | 3-Major | K14903688, BT889601 | OCSP revocation not properly checked | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
889165-1 | 3-Major | BT889165 | "http_process_state_cx_wait" errors in log and connection reset | 14.1.4, 15.1.3 |
868209-1 | 3-Major | BT868209 | Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection | 14.1.4, 15.1.2.1 |
858701-3 | 3-Major | BT858701 | Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x★ | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
858301-3 | 3-Major | K27551003, BT858301 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
858297-3 | 3-Major | K27551003, BT858297 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
858289-3 | 3-Major | K27551003, BT858289 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
858285-3 | 3-Major | K27551003, BT858285 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
845333-3 | 3-Major | BT845333 | An iRule with a proc referencing a datagroup cannot be assigned to Transport Config | 14.1.4, 15.1.3, 16.0.1.1 |
825689-3 | 3-Major | | Enhance FIPS crypto-user storage | 12.1.6, 13.1.4, 14.1.4, 15.1.1 |
818109-3 | 3-Major | BT818109 | Certain plaintext traffic may cause SSL Orchestrator to hang | 14.1.4, 15.1.2.1 |
795501-3 | 3-Major | BT795501 | Possible SSL crash during config sync | 14.1.4 |
790845-2 | 3-Major | BT790845 | An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default | 13.1.3.5, 14.1.4, 15.1.2 |
785877-2 | 3-Major | BT785877 | VLAN groups do not bridge non-link-local multicast traffic. | 14.1.4, 15.1.3, 16.0.1.2 |
767341-3 | 3-Major | BT767341 | If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. | 14.1.4, 15.1.3, 16.0.1.2 |
758099-1 | 3-Major | BT758099 | TMM may crash in busy environment when handling HTTP responses | 14.1.4 |
757442-2 | 3-Major | BT757442 | A missed SYN cookie check causes crash at the standby TMM in HA mirroring system | 13.1.3, 14.1.4 |
753383-4 | 3-Major | BT753383 | Deadlock While Attaching NDAL Devices | 14.1.4 |
719304-1 | 3-Major | BT719304 | Inconsistent node ICMP monitor operation for IPv6 nodes | 13.1.3, 14.1.4 |
714642-4 | 3-Major | BT714642 | Ephemeral pool-member state on the standby is down | 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1 |
962177-3 | 4-Minor | BT962177 | Results of POLICY::names and POLICY::rules commands may be incorrect | 13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2 |
804157-1 | 4-Minor | BT804157 | ICMP replies are forwarded with incorrect checksums causing them to be dropped | 14.1.4, 15.1.3, 16.0.1.2 |
772297-2 | 4-Minor | BT772297 | LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade | 14.1.4 |
748333-4 | 4-Minor | BT748333 | DHCP Relay does not retain client source IP address for chained relay mode | 14.1.4, 15.1.3, 16.0.1.1 |
743253-3 | 4-Minor | BT743253 | TSO in software re-segments L3 fragments. | 14.1.4, 15.1.3, 16.0.1.2 |
738032-1 | 4-Minor | BT738032 | BIG-IP system reuses cached session-id after SSL properties of the monitor have been changed. | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
960749-3 | 1-Blocking | BT960749 | TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1 |
933405-3 | 1-Blocking | K34257075, BT933405 | Zonerunner GUI hangs when attempting to list Resource Records | 14.1.4, 15.1.4.1, 16.0.1.1 |
960437-3 | 2-Critical | BT960437 | The BIG-IP system may initially fail to resolve some DNS queries | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1 |
905557-6 | 2-Critical | BT905557 | Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure | 14.1.4, 15.1.2 |
921625-4 | 3-Major | BT921625 | The certs extend function does not work for GTM/DNS sync group | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
891093-3 | 3-Major | BT891093 | iqsyncer does not handle stale pidfile | 14.1.4, 15.1.2.1, 16.0.1.1 |
858973-3 | 3-Major | BT858973 | DNS request matches less specific WideIP when adding new wildcard wideips | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
885869-4 | 4-Minor | BT885869 | Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime | 14.1.4 |
853585-2 | 4-Minor | BT853585 | REST Wide IP object presents an inconsistent lastResortPool value | 12.1.6, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
846057-2 | 2-Critical | BT846057 | UCS backup archive may include unnecessary files | 13.1.4, 14.1.4, 15.1.3 |
960369-3 | 3-Major | BT960369 | Negative value suggested in Traffic Learning as max value | 14.1.4, 15.1.3, 16.0.1.2 |
941621-3 | 3-Major | K91414704, BT941621 | Brute Force breaks server's Post-Redirect-Get flow | 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
929077-1 | 3-Major | BT929077 | Bot Defense allow list does not apply when using default Route Domain and XFF header | 14.1.4, 15.1.3, 16.0.1.1 |
921677-4 | 3-Major | BT921677 | Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI. | 14.1.4, 15.1.3, 16.0.1.1 |
904053-4 | 3-Major | BT904053 | Unable to set ASM Main Cookie/Domain Cookie hashing to Never | 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1 |
867373-2 | 3-Major | BT867373 | Methods Missing From ASM Policy | 14.1.4, 15.1.3 |
864677-3 | 3-Major | BT864677 | ASM causes high mcpd CPU usage | 14.1.4, 15.1.3 |
964897-4 | 4-Minor | BT964897 | Live Update - Indication of "Update Available" when there is no available update | 14.1.4, 15.1.3, 16.0.1.2 |
935293-3 | 4-Minor | BT935293 | 'Detected Violation' Field for event logs not showing | 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1 |
922785-4 | 4-Minor | BT922785 | Live Update scheduled installation is not installing on set schedule | 14.1.4, 15.1.3, 16.0.1.2 |
767941-1 | 4-Minor | BT767941 | Gracefully handle policy builder errors | 13.1.3.6, 14.1.4 |
758336-3 | 4-Minor | BT758336 | Incorrect recommendation in Online Help of Proactive Bot Defense | 12.1.5, 13.1.1.5, 14.1.4, 15.1.2.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
965581 | 2-Critical | BT965581 | Statistics are not reported to BIG-IQ | 14.1.4, 15.1.4 |
949593-2 | 3-Major | BT949593 | Unable to load config if AVR widgets were created under '[All]' partition★ | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
743826-1 | 3-Major | BT743826 | Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
648242-4 | 3-Major | K73521040, BT648242 | Administrator users unable to access all partition via TMSH for AVR reports | 12.1.3.2, 13.1.0.8, 14.0.0.5, 14.1.4, 15.1.2.1, 16.0.1.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
894565-2 | 2-Critical | BT894565 | Autodosd.default crash with SIGFPE | 14.1.4, 15.1.3 |
976501-3 | 3-Major | BT976501 | Failed to establish VPN connection | 13.1.3.6, 14.1.4, 15.1.3 |
952557-1 | 3-Major | BT952557 | Azure B2C Provider OAuth URLs are updated for B2Clogin.com | 14.1.4, 15.1.3 |
925573-3 | 3-Major | BT925573 | SIGSEGV: receiving a sessiondb callback response after the flow is aborted | 14.1.4, 15.1.3 |
916969-2 | 3-Major | BT916969 | Support of Microsoft Identity 2.0 platform | 14.1.4, 15.1.3 |
892937-4 | 3-Major | K20105555, BT892937 | F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) | 14.1.4, 15.1.1, 16.0.1 |
850277-3 | 3-Major | BT850277 | Memory leak when using OAuth | 13.1.3.4, 14.1.4, 15.0.1.3, 15.1.0.2 |
774301-4 | 3-Major | BT774301 | Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList | 12.1.5, 14.1.4, 15.0.1.3 |
709126-1 | 3-Major | BT709126 | Localdb authentication may fail | 14.1.4 |
833049-2 | 4-Minor | BT833049 | Category lookup tool in GUI may not match actual traffic categorization | 13.1.3.5, 14.1.4, 15.1.2 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
952545-3 | 3-Major | BT952545 | 'Current Sessions' statistics of HTTP2 pool may be incorrect | 14.1.4, 15.1.3, 16.0.1.1 |
939529-3 | 3-Major | BT939529 | Branch parameter not parsed properly when topmost via header received with comma separated values | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
913373-3 | 3-Major | BT913373 | No connection error after failover with MRF, and no connection mirroring | 14.1.4, 15.1.3, 16.0.1.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
969509-3 | 3-Major | BT969509 | Possible memory corruption due to DOS vector reset | 14.1.4, 15.1.3, 16.0.1.2 |
965617-1 | 3-Major | BT965617 | HSB mitigation is not applied on BDoS signature with stress-based mitigation mode | 14.1.4, 15.1.3, 16.0.1.1 |
963237-1 | 3-Major | BT963237 | Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector. | 14.1.4, 15.1.3, 16.0.1.1 |
910417-3 | 3-Major | BT910417 | TMM core may be seen when reattaching a vector to a DoS profile | 14.1.4, 15.1.2, 16.0.1.2 |
903561-2 | 3-Major | BT903561 | Autodosd returns small bad destination detection value when the actual traffic is high | 14.1.4, 15.1.3 |
887017-2 | 3-Major | BT887017 | The dwbld daemon consumes a large amount of memory | 14.1.4, 15.1.3 |
840809-1 | 3-Major | BT840809 | If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged | 14.1.4, 15.1.2 |
837233-1 | 3-Major | BT837233 | Application Security Administrator user role cannot use GUI to manage DoS profile | 14.1.4, 15.1.3 |
819321-1 | 3-Major | BT819321 | DoS stats table shows drops count on tcp-half-open global vector for packets dropped by ltm syn cookie | 14.1.4 |
789857-1 | 3-Major | BT789857 | "TCP half open" reports drops made by LTM syn-cookies mitigation. | 14.1.4, 15.1.1 |
773773-2 | 3-Major | BT773773 | DoS auto-threshold detection values are not reloaded correctly after a reboot. | 14.1.4 |
760497-1 | 3-Major | BT760497 | Invalid configuration parameters are visible when Dos Vector is in "Auto Detection/Multiplier Based Mitigation" | 14.1.4 |
759004-2 | 3-Major | BT759004 | Autodosd history files not loaded correctly after software upgrade★ | 14.1.4 |
753141-2 | 3-Major | BT753141 | Hardware returning incorrect type of entry when notifying software might cause tmm crash | 14.1.4 |
686043-1 | 3-Major | BT686043 | dos.maxicmpframesize and dos.maxicmp6framesize sys db variables do not work for fragmented ICMP packets | 14.1.4 |
967889-2 | 4-Minor | BT967889 | Incorrect information for custom signature in DoS Protection:DoS Overview (non-http) | 14.1.4, 15.1.3 |
748561-1 | 4-Minor | BT748561 | Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context | 14.1.4, 15.1.3 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
845313 | 2-Critical | BT845313 | Tmm crash under heavy load | 14.1.4, 15.1.2.1 |
941169-1 | 3-Major | BT941169 | Subscriber Management is not working properly with IPv6 prefix flows. | 14.1.4, 15.1.2.1 |
875401-3 | 3-Major | BT875401 | PEM subscriber lookup can fail for internet side new connections | 14.1.4, 15.1.2.1 |
842989-7 | 3-Major | BT842989 | PEM: tmm could core when running iRules on overloaded systems | 14.1.4, 15.1.2 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
928553-1 | 2-Critical | BT928553 | LSN64 with hairpinning can lead to a tmm core in rare circumstances | 14.1.4, 15.1.3, 16.0.1.1 |
966681-2 | 3-Major | BT966681 | NAT translation failures while using SP-DAG in a multi-blade chassis | 14.1.4, 15.1.3, 16.0.1.1 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
943889-1 | 2-Critical | BT943889 | Reopening the publisher after a failed publishing attempt | 13.1.3.5, 14.1.4 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932737-1 | 2-Critical | BT932737 | DNS & BADOS high-speed logger messages are mixed | 14.1.4, 15.1.3, 16.0.1.2 |
922597-1 | 3-Major | BT922597 | BADOS default sensitivity of 50 creates false positive attack on some sites | 14.1.4, 15.1.3 |
915489-1 | 4-Minor | BT915489 | LTM Virtual Server Health is not affected by iRule Requests dropped | 14.1.4, 15.1.2.1, 16.0.1.1 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
768085-3 | 4-Minor | BT768085 | Error in python script /usr/libexec/iAppsLX_save_pre line 79 | 14.1.4, 15.1.3, 16.0.1.1 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
964585-4 | 3-Major | BT964585 | "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update | 14.1.4, 15.1.3, 16.0.1.2 |
825501-1 | 3-Major | BT825501 | IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★ | 14.1.4, 15.1.3, 16.0.1.1 |
Cumulative fixes from BIG-IP v14.1.3.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
950077-3 | CVE-2021-22987, CVE-2021-22988 | K18132488, K70031188, BT950077 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
943125-3 | CVE-2021-23010 | K18570111, BT943125 | ASM bd may crash while processing WebSocket traffic | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
941449-4 | CVE-2021-22993 | K55237223, BT941449 | BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
935029-1 | CVE-2020-27720 | K04048104, BT935029 | TMM may crash while processing IPv6 NAT traffic | 14.1.3.1, 15.1.1, 16.0.1 |
932065-3 | CVE-2021-22978 | K87502622, BT932065 | iControl REST vulnerability CVE-2021-22978 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
931513-2 | CVE-2021-22977 | K14693346, BT931513 | TMM vulnerability CVE-2021-22977 | 13.1.3.6, 14.1.3.1, 15.1.1, 16.0.1.1 |
928321-3 | CVE-2020-27719 | K19166530, BT928321 | K19166530: XSS vulnerability CVE-2020-27719 | 14.1.3.1, 15.1.1, 16.0.1 |
921337-3 | CVE-2021-22976 | K88230177, BT921337 | BIG-IP ASM WebSocket vulnerability CVE-2021-22976 | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
917509-5 | CVE-2020-27718 | K58102101, BT917509 | BIG-IP ASM vulnerability CVE-2020-27718 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
916821-4 | CVE-2021-22974 | K68652018, BT916821 | iControl REST vulnerability CVE-2021-22974 | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
908673-3 | CVE-2020-27717 | K43850230, BT908673 | TMM may crash while processing DNS traffic | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
904165-3 | CVE-2020-27716 | K51574311, BT904165 | BIG-IP APM vulnerability CVE-2020-27716 | 14.1.3.1, 15.1.1 |
882189-5 | CVE-2020-5897 | K20346072, BT882189 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
882185-5 | CVE-2020-5897 | K20346072, BT882185 | BIG-IP Edge Client Windows ActiveX | 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
881317-4 | CVE-2020-5896 | K15478554, BT881317 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
881293-5 | CVE-2020-5896 | K15478554, BT881293 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
754855-2 | CVE-2020-27714 | K60344652, BT754855 | TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile | 13.1.4, 14.1.3.1, 15.1.1 |
939845-3 | CVE-2021-23004 | K31025212, BT939845 | BIG-IP MPTCP vulnerability CVE-2021-23004 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
939841-3 | CVE-2021-23003 | K43470422, BT939841 | BIG-IP MPTCP vulnerability CVE-2021-23003 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
928037-3 | CVE-2020-27729 | K15310332, BT928037 | APM Hardening | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
919841-1 | CVE-2020-27728 | K45143221, BT919841 | AVRD may crash while processing Bot Defense traffic | 14.1.3.1, 15.1.1, 16.0.1 |
912969-4 | CVE-2020-27727 | K50343630, BT912969 | iAppsLX REST vulnerability CVE-2020-27727 | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
905125-3 | CVE-2020-27726 | K30343902, BT905125 | Security hardening for APM Webtop | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
904937-4 | CVE-2020-27725 | K25595031, BT904937 | Excessive resource consumption in zxfrd | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1 |
898949-3 | CVE-2020-27724 | K04518313, BT898949 | APM may consume excessive resources while processing VPN traffic | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1 |
881445-5 | CVE-2020-5898 | K69154630, BT881445 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 | 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
880361-3 | CVE-2021-22973 | K13323323, BT880361 | iRules LX vulnerability CVE-2021-22973 | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
842829-3 | CVE-2018-16300, CVE-2018-14881, CVE-2018-14882, CVE-2018-16230, CVE-2018-16229, CVE-2018-16227, CVE-2019-15166, CVE-2018-16228, CVE-2018-16451, CVE-2018-16452, CVE-2018-10103, CVE-2018-10105, CVE-2018-14468 | K04367730, BT842829 | Multiple tcpdump vulnerabilities | 13.1.4.1, 14.1.3.1, 15.1.3 |
842717-4 | CVE-2020-5855 | K55102004, BT842717 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
832757-5 | CVE-2017-18551 | K48073202, BT832757 | Linux kernel vulnerability CVE-2017-18551 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.3 |
831777-3 | CVE-2020-27723 | K42933418, BT831777 | Tmm crash in Ping access use case | 13.1.3.5, 14.1.3.1 |
811965-2 | CVE-2020-27722 | K73657294, BT811965 | Some VDI use cases can cause excessive resource consumption | 13.1.3.5, 14.1.3.1, 15.0.1.4 |
778049-4 | CVE-2018-13405 | K00854051, BT778049 | Linux Kernel Vulnerability: CVE-2018-13405 | 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1 |
693360-4 | CVE-2020-27721 | K52035247, BT693360 | A virtual server status changes to yellow while still available | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1 |
852929-7 | CVE-2020-5920 | K25160703, BT852929 | AFM WebUI Hardening | 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1 |
825413-2 | CVE-2021-23053 | K36942191, BT825413 | ASM may consume excessive resources when matching signatures | 13.1.3.6, 14.1.3.1, 15.1.3 |
818213-2 | CVE-2019-10639 | K32804955, BT818213 | CVE-2019-10639: KASLR bypass using connectionless protocols | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
773693-5 | CVE-2020-5892 | K15838353, BT773693 | CVE-2020-5892: APM Client Vulnerability | 11.6.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
834533-2 | CVE-2019-15916 | K57418558, BT834533 | Linux kernel vulnerability CVE-2019-15916 | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
920961-3 | 3-Major | BT920961 | Devices incorrectly report 'In Sync' after an incremental sync | 14.1.3.1, 15.1.2, 16.0.1.1 |
756139-1 | 3-Major | BT756139 | Inconsistent logging of hostname files when hostname contains periods | 14.1.3.1, 15.1.2, 16.0.1.1 |
921421-1 | 4-Minor | BT921421 | iRule support to get/set UDP's Maximum Buffer Packets | 14.1.3.1, 15.1.2, 16.0.1.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
809553 | 1-Blocking | BT809553 | ONAP Licensing - Cipher negotiation fails | 14.1.3.1 |
957337-4 | 2-Critical | BT957337 | Tab complete in 'mgmt' tree is broken | 14.1.3.1, 15.1.2, 16.0.1.1 |
954025 | 2-Critical | BT954025 | "switchboot -b HD1.1" fails to reboot chassis | 14.1.3.1 |
933409-4 | 2-Critical | BT933409 | Tomcat upgrade via Engineering Hotfix causes live-update files removal★ | 14.1.3.1, 15.1.2, 16.0.1.1 |
927033-1 | 2-Critical | BT927033 | Installer fails to calculate disk size of destination volume★ | 14.1.3.1, 15.1.2, 16.0.1.1 |
910201-1 | 2-Critical | BT910201 | OSPF - SPF/IA calculation scheduling might get stuck infinitely | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
896217-4 | 2-Critical | BT896217 | BIG-IP GUI unresponsive | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
860517-3 | 2-Critical | BT860517 | MCPD may crash on startup with many thousands of monitors on a system with many CPUs. | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1 |
829277-1 | 2-Critical | BT829277 | A Large /config folder can cause memory exhaustion during live-install★ | 14.1.3.1, 15.1.2.1 |
796601-4 | 2-Critical | BT796601 | Invalid parameter in errdefsd while processing hostname db_variable | 13.1.3.5, 14.1.3.1, 15.1.2 |
787285 | 2-Critical | BT787285 | Configuration fails to load after install of v14.1.0 or v14.1.2 on BIG-IP 800★ | 14.1.3.1 |
770989 | 2-Critical | BT770989 | Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.★ | 13.1.3.5, 14.1.3.1 |
769817-3 | 2-Critical | BT769817 | BFD fails to propagate sessions state change during blade restart | 11.6.5.1, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4 |
706521-4 | 2-Critical | K21404407, BT706521 | The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
934941-3 | 3-Major | BT934941 | Platform FIPS power-up self test failures not logged to console | 14.1.3.1, 15.1.3 |
930741-1 | 3-Major | BT930741 | Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot | 13.1.3.6, 14.1.3.1, 15.1.2 |
920301-2 | 3-Major | BT920301 | Unnecessarily high number of JavaScript Obfuscator instances when device is busy | 14.1.3.1, 15.1.2 |
915825-4 | 3-Major | BT915825 | Configuration error caused by Drafts folder in a deleted custom partition while upgrading. | 13.1.3.5, 14.1.3.1, 15.1.1 |
915497-3 | 3-Major | BT915497 | New Traffic Class Page shows multiple question marks. | 14.1.3.1, 15.1.0.5, 16.0.1.1 |
911809-1 | 3-Major | BT911809 | TMM might crash when sending out oversize packets. | 14.1.3.1, 15.1.2 |
908021-2 | 3-Major | BT908021 | Management and VLAN MAC addresses are identical | 13.1.3.5, 14.1.3.1, 15.1.3 |
904845-3 | 3-Major | BT904845 | VMware guest OS customization works only partially in a dual stack environment. | 14.1.3.1, 15.1.1, 16.0.1 |
902401-3 | 3-Major | BT902401 | OSPFd SIGSEGV core when 'ospf clear' is done on remote device | 14.1.3.1, 15.1.2, 16.0.1.1 |
898705-3 | 3-Major | BT898705 | IPv6 static BFD configuration is truncated or missing | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
898461-4 | 3-Major | BT898461 | Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' | 14.1.3.1, 15.1.1, 16.0.1.1 |
889041-1 | 3-Major | BT889041 | Failover scripts fail to access resolv.conf due to permission issues | 14.1.3.1, 15.1.2, 16.0.1.1 |
886689-4 | 3-Major | BT886689 | Generic Message profile cannot be used in SCTP virtual | 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1 |
867181-3 | 3-Major | BT867181 | ixlv: double tagging is not working | 13.1.3.6, 14.1.3.1, 15.1.2 |
865241-3 | 3-Major | BT865241 | Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" | 13.1.3.6, 14.1.3.1, 15.1.2 |
865177-2 | 3-Major | BT865177 | Cert-LDAP returning only first entry in the sequence that matches san-other oid | 14.1.3.1, 15.1.2.1, 16.0.1.1 |
860317-1 | 3-Major | BT860317 | JavaScript Obfuscator can hang indefinitely | 14.1.3.1, 15.1.2 |
851733-1 | 3-Major | BT851733 | Tcpdump messages (warning, error) are sent to stdout instead of stderr | 14.1.3.1 |
850777-1 | 3-Major | BT850777 | BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config | 14.1.3.1, 15.1.1 |
846441-1 | 3-Major | BT846441 | Flow-control is reset to default for secondary blade's interface | 13.1.3.5, 14.1.3.1, 15.1.2 |
846137-3 | 3-Major | BT846137 | The icrd returns incorrect route names in some cases | 13.1.3.5, 14.1.3.1, 15.1.2 |
843597-3 | 3-Major | BT843597 | Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle | 13.1.3.6, 14.1.3.1, 15.1.2 |
829193-2 | 3-Major | BT829193 | REST system unavailable due to disk corruption | 13.1.3.6, 14.1.3.1, 15.1.0.4 |
826905-1 | 3-Major | BT826905 | Host traffic via IPv6 route pool uses incorrect source address | 14.1.3.1, 15.1.2 |
806073-3 | 3-Major | BT806073 | MySQL monitor fails to connect to MySQL Server v8.0 | 14.1.3.1, 15.1.2.1, 16.0.1.1 |
795649-3 | 3-Major | BT795649 | Loading UCS from one iSeries model to another causes FPGA to fail to load | 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.0.3 |
788577-4 | 3-Major | BT788577 | BFD sessions may be reset after CMP state change | 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
783113-4 | 3-Major | BT783113 | BGP sessions remain down upon new primary slot election | 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.1 |
767737-2 | 3-Major | BT767737 | Timing issues during startup may make an HA peer stay in the inoperative state | 13.1.3.5, 14.1.3.1, 15.1.2.1 |
755197-3 | 3-Major | BT755197 | UCS creation might fail during frequent config save transactions | 13.1.3.5, 14.1.3.1, 15.1.2 |
754971-2 | 3-Major | BT754971 | OSPF inter-process redistribution might break OSPF route redistribution of various types. | 13.1.3.5, 14.1.3.1 |
751584-1 | 3-Major | BT751584 | Custom MIB actions can be blocked by SELINUX permissions | 14.1.3.1 |
740589-1 | 3-Major | BT740589 | Mcpd crash with core after 'tmsh edit /sys syslog all-properties' | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
737098-2 | 3-Major | BT737098 | ASM Sync does not work when the configsync IP address is an IPv6 address | 13.1.3.5, 14.1.3.1, 15.1.2 |
652502-3 | 3-Major | BT652502 | SNMP queries return 'No Such Object available' error for LTM OIDs | 13.1.1.4, 14.1.3.1 |
933461-3 | 4-Minor | BT933461 | BGP multi-path candidate selection does not work properly in all cases. | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
924429-3 | 4-Minor | BT924429 | Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values | 14.1.3.1, 15.1.2, 16.0.1.1 |
892677-4 | 4-Minor | BT892677 | Loading config file with imish adds the newline character | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
882713-1 | 4-Minor | BT882713 | BGP SNMP trap has the wrong sysUpTime value | 14.1.3.1, 15.1.2 |
864757-2 | 4-Minor | BT864757 | Traps that were disabled are enabled after configuration save | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
722230-3 | 4-Minor | BT722230 | Cannot delete FQDN template node if another FQDN node resolves to same IP address | 12.1.5.2, 13.1.3.4, 14.1.3.1, 15.0.1.4, 15.1.0.2 |
591732-5 | 4-Minor | BT591732 | Local password policy not enforced when auth source is set to a remote type. | 12.1.5.1, 13.1.3.5, 14.1.3.1, 15.0.1.4 |
583084-8 | 4-Minor | K15101680, BT583084 | iControl produces 404 error while creating records successfully | 13.1.3.5, 14.1.3.1, 15.1.2 |
849085-3 | 5-Cosmetic | BT849085 | Lines with only asterisks filling message and user.log file | 14.1.3.1, 15.1.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
941089 | 2-Critical | BT941089 | TMM core when using Multipath TCP | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2 |
911041-2 | 2-Critical | BT911041 | Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash | 14.1.3.1, 15.1.2.1, 16.0.1.2 |
891849-2 | 2-Critical | BT891849 | Running iRule commands while suspending iRule commands that are running can lead to a crash | 14.1.3.1, 15.1.2 |
879409-2 | 2-Critical | BT879409 | TMM core with mirroring traffic due to unexpected interface name length | 14.1.3.1, 15.1.1 |
851857-3 | 2-Critical | BT851857 | HTTP 100 Continue handling does not work when it arrives in multiple packets | 13.1.3.5, 14.1.3.1, 15.1.1 |
851345-2 | 2-Critical | BT851345 | The TMM may crash in certain rare scenarios involving HTTP/2 | 14.1.3.1, 15.1.2 |
850873-1 | 2-Critical | BT850873 | LTM global SNAT sets TTL to 255 on egress. | 14.1.3.1, 15.1.2 |
824881-2 | 2-Critical | BT824881 | A rare TMM crash caused by the fix for ID 816625 | 14.1.3.1, 15.0.1.1 |
811161-1 | 2-Critical | BT811161 | Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992 | 14.1.3.1 |
766509-1 | 2-Critical | BT766509 | Strict internal checking might cause tmm crash | 14.1.3.1 |
705768-1 | 2-Critical | BT705768 | The dynconfd process may core and restart with multiple DNS name servers configured | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2 |
951033-2 | 3-Major | BT951033 | Virtual server resets all the connections for rstcause 'VIP disabled (administrative)' | 13.1.3.5, 14.1.3.1 |
949145-4 | 3-Major | BT949145 | Improve TCP's response to partial ACKs during loss recovery | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
948757-3 | 3-Major | BT948757 | A snat-translation address responds to ARP requests but not to ICMP ECHO requests. | 14.1.3.1, 15.1.2, 16.0.1 |
915689-4 | 3-Major | BT915689 | HTTP/2 dynamic header table may fail to identify indexed headers on the response side. | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
915605-1 | 3-Major | K56251674, BT915605 | Image install fails if iRulesLX is provisioned and /usr mounted read-write★ | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
913249-4 | 3-Major | BT913249 | Restore missing UDP statistics | 14.1.3.1, 15.1.2, 16.0.1.1 |
901929-4 | 3-Major | BT901929 | GARPs not sent on virtual server creation | 14.1.3.1, 15.1.2, 16.0.1.1 |
892385-2 | 3-Major | BT892385 | HTTP does not process WebSocket payload when received with server HTTP response | 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1 |
879413-3 | 3-Major | BT879413 | Statsd fails to start if one or more of its *.info files becomes corrupted | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
862597-5 | 3-Major | BT862597 | Improve MPTCP's SYN/ACK retransmission handling | 13.1.3.5, 14.1.3.1, 15.1.0.2 |
860005-3 | 3-Major | BT860005 | Ephemeral nodes/pool members may be created for wrong FQDN name | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2 |
857845-6 | 3-Major | BT857845 | TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule | 13.1.3.6, 14.1.3.1, 15.1.2 |
851477-3 | 3-Major | BT851477 | Memory allocation failures during proxy initialization are ignored leading to TMM cores | 14.1.3.1, 15.1.1 |
851045-3 | 3-Major | BT851045 | LTM database monitor may hang when monitored DB server goes down | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.1 |
850145-3 | 3-Major | BT850145 | Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed | 14.1.3.1, 15.1.2 |
823921-2 | 3-Major | BT823921 | FTP profile causes memory leak | 14.1.3.1 |
820333-3 | 3-Major | BT820333 | LACP working member state may be inconsistent when blade is forced offline | 14.1.3.1, 15.1.2 |
819329-2 | 3-Major | BT819329 | Specific FIPS device errors will not trigger failover | 14.1.3.1, 15.1.4, 16.0.1.2 |
818853-3 | 3-Major | BT818853 | Duplicate MAC entries in FDB | 13.1.3.5, 14.1.3.1, 15.1.0.2 |
809701-2 | 3-Major | BT809701 | Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist | 14.1.3.1, 15.0.1.3, 15.1.2 |
805017-2 | 3-Major | BT805017 | DB monitor marks pool member down if no send/recv strings are configured | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.3 |
803233-3 | 3-Major | BT803233 | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1 |
796993-1 | 3-Major | BT796993 | Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs | 12.1.5.3, 13.1.3.4, 14.1.3.1 |
787853-2 | 3-Major | BT787853 | BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps. | 14.1.3.1 |
786517-3 | 3-Major | BT786517 | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address | 13.1.3.5, 14.1.3.1, 15.1.0.5 |
783617-1 | 3-Major | BT783617 | Virtual server resets connections when all pool members are marked disabled | 13.1.3.5, 14.1.3.1 |
776229-2 | 3-Major | BT776229 | iRule 'pool' command no longer accepts pool members with ports that have a value of zero | 13.1.3.4, 14.1.3.1 |
759480-3 | 3-Major | BT759480 | HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash | 12.1.5, 13.1.3.4, 14.1.3.1 |
759056-2 | 3-Major | BT759056 | stpd memory leak on secondary blades in a multi-blade system | 13.1.3.6, 14.1.3.1 |
753805-3 | 3-Major | BT753805 | BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. | 12.1.5.3, 13.1.3.4, 14.1.3.1 |
753594-2 | 3-Major | BT753594 | In-TMM monitors may have duplicate instances or stop monitoring | 13.1.3, 14.1.3.1 |
750278-4 | 3-Major | K25165813, BT750278 | A sub-second timeout for the SSL alert-timeout option may be desirable in certain cases | 14.1.3.1, 15.0.1.3 |
745682-1 | 3-Major | BT745682 | Failed to parse X-Forwarded-For header in HTTP requests | 13.1.3.6, 14.1.3.1 |
724824-3 | 3-Major | BT724824 | Ephemeral nodes on peer devices report as unknown and unchecked after full config sync | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2 |
722707-2 | 3-Major | BT722707 | mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall | 12.1.5.3, 13.1.3.6, 14.1.3.1 |
720440-4 | 3-Major | BT720440 | Radius monitor marks pool members down after 6 seconds | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.0.5 |
718790-1 | 3-Major | BT718790 | Virtual server reports unavailable and resets connection erroneously. | 14.1.3.1 |
710930-3 | 3-Major | BT710930 | Enabling BigDB key bigd.tmm may cause SSL monitors to fail | 13.1.3.5, 14.1.3.1 |
935593-3 | 4-Minor | BT935593 | Incorrect SYN re-transmission handling with FastL4 timestamp rewrite | 14.1.3.1, 15.1.2, 16.0.1.1 |
932937-3 | 4-Minor | BT932937 | HTTP Explicit Proxy configurations can result in connections hanging until idle timeout. | 14.1.3.1, 15.1.1, 16.0.1 |
895153-2 | 4-Minor | BT895153 | HTTP::has_responded returns incorrect values when using HTTP/2 | 14.1.3.1, 15.1.2 |
895141 | 4-Minor | BT895141 | HTTP::has_responded returns incorrect values when using HTTP/2 | 14.1.3.1 |
822025-2 | 4-Minor | BT822025 | HTTP response not forwarded to client during an early response | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.4, 15.1.0.2 |
808409-3 | 4-Minor | BT808409 | Unable to specify if giaddr will be modified in DHCP relay chain | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
801705-4 | 4-Minor | BT801705 | When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC | 13.1.3.6, 14.1.3.1 |
781225-2 | 4-Minor | BT781225 | HTTP profile Response Size stats incorrect for keep-alive connections | 12.1.5.3, 13.1.3.5, 14.1.3.1 |
726983-2 | 4-Minor | BT726983 | Inserting multi-line HTTP header not handled correctly | 12.1.5.3, 13.1.3.5, 14.1.3.1 |
859717-3 | 5-Cosmetic | BT859717 | ICMP-limit-related warning messages in /var/log/ltm | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
919553-3 | 2-Critical | BT919553 | GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
837637-2 | 2-Critical | K02038650, BT837637 | Orphaned bigip_gtm.conf can cause config load failure after upgrading★ | 14.1.3.1, 15.1.2, 16.0.1.1 |
788465-2 | 2-Critical | BT788465 | DNS cache idx synced across HA group could cause tmm crash | 14.1.3.1, 15.1.1, 16.0.1 |
926593-3 | 3-Major | BT926593 | GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' | 14.1.3.1, 15.1.2, 16.0.1.1 |
852101-3 | 3-Major | BT852101 | Monitor fails. | 13.1.3.6, 14.1.3.1, 15.1.2 |
844689-3 | 3-Major | BT844689 | Possible temporary CPU usage increase with unusually large named.conf file | 14.1.3.1, 15.1.2 |
781829-1 | 3-Major | BT781829 | GTM TCP monitor does not check the RECV string if server response string not ending with \n | 13.1.3.5, 14.1.3.1 |
644192-4 | 3-Major | K23022557, BT644192 | Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN | 11.6.5.3, 14.1.3.1, 15.1.2, 16.0.1.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
940249-3 | 2-Critical | BT940249 | Sensitive data is not masked after "Maximum Array/Object Elements" is reached | 11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
927617-3 | 2-Critical | BT927617 | 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
941853-2 | 3-Major | BT941853 | Logging Profiles do not disassociate from virtual server when multiple changes are made | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
940897-2 | 3-Major | BT940897 | Violations are detected for the incorrect parameter when "Maximum Array/Object Elements" is reached | 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
893061-1 | 3-Major | BT893061 | Out of memory for restjavad | 14.1.3.1, 15.1.2, 16.0.1.1 |
884425-1 | 3-Major | | Creation of new allowed HTTP URL is not possible | 14.1.3.1, 15.1.3 |
868053-1 | 3-Major | BT868053 | Live Update service indicates update available when the latest update was already installed | 14.1.3.1, 15.1.3 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
910097-3 | 2-Critical | BT910097 | Changing per-request policy while tmm is under traffic load may drop heartbeats | 14.1.3.1, 15.1.2, 16.0.1.1 |
896709-2 | 2-Critical | BT896709 | Add support for Restart Desktop for webtop in VMware VDI | 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
760130-3 | 2-Critical | BT760130 | [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK | 13.1.3, 14.1.3.1 |
748572-2 | 2-Critical | BT748572 | Occasionally ramcache might crash when data is sent without the corresponding event. | 14.1.3.1 |
924929-1 | 3-Major | BT924929 | Logging improvements for VDI plugin | 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
914649-2 | 3-Major | BT914649 | Support USB redirection through VVC (VMware virtual channel) with BlastX | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
771961-1 | 3-Major | BT771961 | While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core | 14.1.3.1, 15.1.1 |
760629-3 | 3-Major | BT760629 | Remove Obsolete APM keys in BigDB | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
759356-2 | 3-Major | BT759356 | Access session data cache might leak if there are multiple TMMs | 14.1.3.1 |
747020-1 | 3-Major | BT747020 | Requests that evaluate to same subsession can be processed concurrently | 14.1.3.1, 15.1.1, 16.0.1 |
739570-3 | 3-Major | BT739570 | Unable to install EPSEC package★ | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
904373-1 | 3-Major | BT904373 | MRF GenericMessage: Implement limit to message queues size | 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1 |
891385-4 | 3-Major | BT891385 | Add support for URI protocol type "urn" in MRF SIP load balancing | 14.1.3.1, 15.1.1, 16.0.1 |
924349-1 | 4-Minor | | DIAMETER MRF is not compliant with RFC 6733 for Host-ip-Address AVP over SCTP | 14.1.3.1, 15.1.1, 16.0.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
938165-2 | 2-Critical | BT938165 | TMM Core after attempted update of IP geolocation database file | 14.1.3.1, 15.1.2, 16.0.1.1 |
747225-1 | 2-Critical | BT747225 | PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart | 14.1.3.1 |
872645 | 3-Major | BT872645 | Protected Object Aggregate stats are causing elevated CPU usage | 14.1.3.1, 15.1.1 |
813301 | 3-Major | BT813301 | LSN_PB_UPDATE logs are not generated when subscriber info changes | 14.1.3.1, 15.1.0 |
781425 | 3-Major | BT781425 | Firewall rule list configuration causes config load failure | 14.1.3.1 |
920361-4 | 4-Minor | BT920361 | Standby device name sent in Traffic Statistics syslog/Splunk messages | 14.1.3.1, 15.1.1 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
783289-1 | 2-Critical | BT783289 | PEM actions not applied in VE bigTCP. | 13.1.3.5, 14.1.3.1 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
815001-1 | 2-Critical | BT815001 | TMM Crash with inbound traffic during high availability (HA) failover | 14.1.3.1 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
940401-3 | 5-Cosmetic | BT940401 | Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944785-1 | 3-Major | BT944785 | Admd restarting constantly. Out of memory due to loading malformed state file | 14.1.3.1, 15.1.2, 16.0.1.2 |
923125-1 | 3-Major | BT923125 | Huge amount of admd processes caused oom | 14.1.3.1, 15.1.2 |
818465-2 | 3-Major | BT818465 | Unnecessary memory allocation in AVR module | 14.1.3.1 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
767613-2 | 3-Major | BT767613 | Restjavad can keep partially downloaded files open indefinitely | 13.1.3.5, 14.1.3.1 |
Cumulative fixes from BIG-IP v14.1.3 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
928029 | 2-Critical | BT928029 | Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis | 14.1.3, 15.1.4 |
905849 | 3-Major | BT905849 | FastL4 UDP flows might not get offloaded to hardware | 14.1.3 |
829317-6 | 3-Major | BT829317 | Memory leak in icrd_child due to concurrent REST usage | 13.1.4, 14.1.3, 14.1.3.1, 15.1.0.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
943101 | 2-Critical | BT943101 | Tmm crash in cipher group delete. | 14.1.3, 15.1.4 |
934461 | 2-Critical | BT934461 | Connection error with server with TLS1.3 single-dh-use. | 14.1.3, 15.1.4 |
915957 | 2-Critical | BT915957 | The wocplugin may get into a restart loop when AAM is provisioned | 14.1.3, 15.1.2 |
939209-3 | 3-Major | BT939209 | FIPS 140-2 SP800-56Arev3 compliance | 14.1.3 |
930385 | 3-Major | BT930385 | SSL filter does not re-initialize when an OCSP object is modified | 14.1.3, 15.1.4 |
921721-2 | 3-Major | BT921721 | FIPS 140-2 SP800-56Arev3 compliance | 14.1.3, 15.1.3 |
809597-3 | 3-Major | BT809597 | Memory leak in icrd_child observed during REST usage | 13.1.4, 14.1.3, 15.1.0.2 |
629787-1 | 3-Major | BT629787 | vCMP hypervisor version mismatch may cause connection mirroring problems. | 14.1.3 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
934393 | 1-Blocking | BT934393 | APM authentication fails due to delay in sessionDB readiness | 14.1.3, 15.1.4 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
697331-3 | 3-Major | BT697331 | Some TMOS tools for querying various DBs fail when only a single TMM is running | 14.1.3, 14.1.3.1, 15.1.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
892621-2 | 3-Major | BT892621 | Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software | 14.1.3, 15.1.0.4 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
927993-4 | 1-Blocking | K97501254, BT927993 | Built-in SSL Orchestrator RPM installation failure | 12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1 |
Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
935721-4 | CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | K82252291, BT935721 | ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.0.1 |
933741-4 | CVE-2021-22979 | K63497634, BT933741 | BIG-IP FPS XSS vulnerability CVE-2021-22979 | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
911761-4 | CVE-2020-5948 | K42696541, BT911761 | F5 TMUI XSS vulnerability CVE-2020-5948 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
879745-1 | CVE-2020-5942 | K82530456 | TMM may crash while processing Diameter traffic | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
917469-4 | CVE-2020-5946 | K53821711, BT917469 | TMM may crash while processing FPS traffic | 14.1.2.8, 15.1.1, 16.0.1 |
910017-4 | CVE-2020-5945 | K21540525, BT910017 | Security hardening for the TMUI Interface page | 14.1.2.8, 15.1.1, 16.0.1 |
907201-1 | CVE-2021-23039 | K66782293, BT907201 | TMM may crash when processing IPSec traffic | 14.1.2.8, 15.1.3, 16.0.1.2 |
889557-2 | CVE-2019-11358 | K20455158, BT889557 | jQuery Vulnerability CVE-2019-11358 | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
870273-3 | CVE-2020-5936 | K44020030, BT870273 | TMM may consume excessive resources when processing SSL traffic | 12.1.5.2, 14.1.2.8, 15.1.1 |
856961-2 | CVE-2018-12207 | K17269881, BT856961 | INTEL-SA-00201 MCE vulnerability CVE-2018-12207 | 13.1.3.5, 14.1.2.8, 15.0.1.4, 15.1.0.5 |
751036-1 | CVE-2020-27721 | K52035247, BT751036 | Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8 |
818177-4 | CVE-2019-12295 | K06725231, BT818177 | CVE-2019-12295 Wireshark Vulnerability | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1 |
717276-7 | CVE-2020-5930 | K20622530, BT717276 | TMM Route Metrics Hardening | 11.6.5.3, 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.5 |
858537-3 | CVE-2019-1010204 | K05032915, BT858537 | CVE-2019-1010204: Binutils Vulnerability | 14.1.2.8, 15.1.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
890229-3 | 3-Major | BT890229 | Source port preserve setting is not honored | 13.1.3.5, 14.1.2.8, 15.1.1 |
747013-3 | 3-Major | BT747013 | Add OCSP server support to IKEv2 negotiation for IPsec peer authentication | 14.1.2.8 |
617929-2 | 3-Major | BT617929 | Support non-default route domains | 13.1.3.4, 14.1.2.8, 15.0.1.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
920481 | 2-Critical | BT920481 | REST GET on /mgmt/tm/sys/file/ssl-key returns bad/wrong passphrase | 14.1.2.8 |
871561-3 | 2-Critical | BT871561 | Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'★ | 14.1.2.8, 15.1.1, 16.0.1 |
860349-1 | 2-Critical | BT860349 | Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication | 14.1.2.8, 15.1.3 |
856713-1 | 2-Critical | BT856713 | IPsec crash during rekey | 14.1.2.8, 16.0.1.2 |
854493-3 | 2-Critical | BT854493 | Kernel page allocation failures messages in kern.log | 14.1.2.8, 15.1.0.2 |
842865-1 | 2-Critical | BT842865 | Add support for Auto MAC configuration (ixlv) | 14.1.2.8, 15.0.1.4, 15.1.0.5 |
841953-5 | 2-Critical | BT841953 | A tunnel can be expired when going offline, causing tmm crash | 12.1.5.3, 14.1.2.8, 15.1.0.2 |
841333-5 | 2-Critical | BT841333 | TMM may crash when tunnel used after returning from offline | 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2 |
818253-1 | 2-Critical | BT818253 | Generate signature files for logs | 14.1.2.8, 15.1.1, 16.0.1.1 |
817709-2 | 2-Critical | BT817709 | IPsec: TMM cored with SIGFPE in racoon2 | 14.1.2.8, 15.1.0.2 |
811149-1 | 2-Critical | BT811149 | Remote users are unable to authenticate via serial console. | 14.1.2.8, 15.0.1.4, 15.1.0.2 |
807453-1 | 2-Critical | BT807453 | IPsec works inefficiently with a second blade in one chassis | 14.1.2.8 |
777229-1 | 2-Critical | BT777229 | IPsec improvements to internal pfkey messaging between TMMs on multi-blade | 14.1.2.8 |
774361-2 | 2-Critical | BT774361 | IPsec High Availability sync during multiple failover via RFC6311 messages | 14.1.2.8 |
769357-1 | 2-Critical | | IPsec debug logging needs more organization and is missing HA-related logging | 14.1.2.8 |
755716-1 | 2-Critical | BT755716 | IPsec connection can fail if connflow expiration happens before IKE encryption | 14.1.2.8 |
749249-1 | 2-Critical | BT749249 | IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP | 14.1.2.8 |
741676-2 | 2-Critical | BT741676 | Intermittent crash switching between tunnel mode and interface mode | 14.1.2.8 |
593536-7 | 2-Critical | K64445052, BT593536 | Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations | 14.1.2.8, 15.1.1 |
924493-4 | 3-Major | BT924493 | VMware EULA has been updated | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
904705-3 | 3-Major | BT904705 | Cannot clone Azure marketplace instances. | 14.1.2.8, 15.1.1, 16.0.1 |
888497-4 | 3-Major | BT888497 | Cacheable HTTP Response | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1 |
887089-3 | 3-Major | BT887089 | Upgrade can fail when filenames contain spaces | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5 |
880625-2 | 3-Major | BT880625 | Check-host-attr enabled in LDAP system-auth creates unusable config | 14.1.2.8, 15.1.1, 16.0.1 |
880165-1 | 3-Major | BT880165 | Auto classification signature update fails | 14.1.2.8, 15.1.1, 16.0.1 |
858197-1 | 3-Major | BT858197 | Merged crash when memory exhausted | 13.1.3.5, 14.1.2.8, 15.1.2, 16.0.1.1 |
856953-2 | 3-Major | BT856953 | IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 | 14.1.2.8, 15.1.4.1 |
844085-3 | 3-Major | BT844085 | GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address | 14.1.2.8, 15.1.0.5, 16.0.1 |
838297-1 | 3-Major | BT838297 | Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication | 14.1.2.8, 15.1.1 |
828789-3 | 3-Major | BT828789 | Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters | 14.1.2.8, 15.1.1 |
820213-2 | 3-Major | BT820213 | 'Application Service List' empty after UCS restore | 14.1.2.8 |
814585-3 | 3-Major | BT814585 | PPTP profile option not available when creating or modifying virtual servers in GUI | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1 |
810381-4 | 3-Major | BT810381 | The SNMP max message size check is being incorrectly applied. | 13.1.3.5, 14.1.2.8, 15.1.0.4 |
807337-3 | 3-Major | BT807337 | Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. | 14.1.2.8, 15.1.1, 16.0.1.1 |
804537-1 | 3-Major | BT804537 | Check SAs in context callbacks | 14.1.2.8 |
802889 | 3-Major | BT802889 | Problems establishing HA connections on chassis platforms | 14.1.2.8, 14.1.3 |
797829-5 | 3-Major | BT797829 | The BIG-IP system may fail to deploy new or reconfigure existing iApps | 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1 |
783753-1 | 3-Major | BT783753 | Increase vCPU amount guests can use on i11800-DS platforms. | 14.1.2.8 |
761753-2 | 3-Major | BT761753 | BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs | 14.1.2.8 |
759564-4 | 3-Major | BT759564 | GUI not available after upgrade | 14.1.2.8, 15.1.1, 16.0.1 |
758517-1 | 3-Major | BT758517 | Callback for Diffie Hellman crypto is missing defensive coding | 14.1.2.8 |
758516-1 | 3-Major | BT758516 | IKEv2 auth encryption is missing defensive coding that checks object validity | 14.1.2.8 |
757862-1 | 3-Major | BT757862 | IKEv2 debug logging an uninitialized variable leading to core | 14.1.2.8 |
748443-1 | 3-Major | BT748443 | HiGig MAC recovery mechanism may fail continuously at runtime | 14.1.2.8 |
746704-2 | 3-Major | BT746704 | Syslog-ng Memory Leak | 13.1.3.5, 14.1.2.8 |
745261-2 | 3-Major | BT745261 | The TMM process may crash in some tunnel cases | 12.1.5.3, 13.1.3.5, 14.1.2.8 |
726416-3 | 3-Major | BT726416 | Physical disk HD1 not found for logical disk create | 14.1.2.8 |
489572-4 | 3-Major | K60934489, BT489572 | Sync fails if file object is created and deleted before sync to peer BIG-IP | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
431503-3 | 3-Major | K14838, BT431503 | TMSH crashes in rare initial tunnel configurations | 13.1.3.5, 14.1.2.8, 15.1.1 |
919745-4 | 4-Minor | BT919745 | CSV files downloaded from the Dashboard have the first row with all 'NaN' | 14.1.2.8, 15.1.0.5, 16.0.1 |
918209-1 | 4-Minor | BT918209 | GUI Network Map icons color scheme is not section 508 compliant | 14.1.2.8, 15.1.0.5, 16.0.1 |
914761-1 | 4-Minor | BT914761 | Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed. | 14.1.2.8, 15.1.1, 16.0.1.1 |
906889-1 | 4-Minor | BT906889 | Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. | 14.1.2.8, 15.1.1, 16.0.1 |
902417-4 | 4-Minor | BT902417 | Configuration error caused by Drafts folder in a deleted custom partition★ | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1 |
890277-2 | 4-Minor | BT890277 | Full config sync to a device group operation takes a long time when there are a large number of partitions. | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
822377-2 | 4-Minor | | CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability | 14.1.2.8, 15.1.1 |
779857-1 | 4-Minor | BT779857 | Misleading GUI error when installing a new version in another partition★ | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
777237-1 | 4-Minor | | IPsec high availability (HA) for failover confused by runtime changes in blade count | 14.1.2.8 |
751103-4 | 4-Minor | BT751103 | TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop | 14.1.2.8, 15.1.1, 16.0.1 |
767269-2 | 5-Cosmetic | | Linux kernel vulnerability: CVE-2018-16884 | 14.1.2.8, 15.1.0.5 |
714176-3 | 5-Cosmetic | BT714176 | UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
858429 | 2-Critical | BT858429 | BIG-IP system sends ICMP packets on both virtual wire interfaces. | 14.1.2.8, 15.0.1.4, 15.1.1 |
851581-1 | 2-Critical | BT851581 | Server-side detach may crash TMM | 14.1.2.8, 15.1.1 |
839749-2 | 2-Critical | BT839749 | Virtual server with specific address list might fail to create via GUI | 14.1.2.8, 15.0.1.1, 15.1.0.5 |
813561-3 | 2-Critical | BT813561 | MCPD crashes when assigning an iRule that uses a proc | 13.1.3.4, 14.1.2.8, 15.0.1.3 |
726518-3 | 2-Critical | BT726518 | Tmsh show command terminated with CTRL-C can cause TMM to crash. | 13.1.3.6, 14.1.2.8, 15.1.2 |
915281-1 | 3-Major | BT915281 | Do not rearm TCP Keep Alive timer under certain conditions | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
816881-1 | 3-Major | BT816881 | Serverside connection may use wrong VLAN when virtual wire is configured | 14.1.2.8, 15.1.1 |
810445-2 | 3-Major | BT810445 | PEM: ftp-data not classified or reported | 13.1.3.5, 14.1.2.8 |
800101-1 | 3-Major | BT800101 | BIG-IP chassis system may send out duplicated UDP packets to the server side | 14.1.2.8 |
788753-4 | 3-Major | BT788753 | GATEWAY_ICMP monitor marks node down with wrong error code | 13.1.3.4, 14.1.2.8, 15.1.0.5 |
785701-1 | 3-Major | BT785701 | Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile | 14.1.2.8 |
785481-2 | 3-Major | BT785481 | A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached | 12.1.5.3, 14.1.2.8, 15.0.1.1 |
781753-3 | 3-Major | BT781753 | WebSocket traffic is transmitted with unknown opcodes | 13.1.3.2, 14.1.2.8 |
766169-2 | 3-Major | BT766169 | Replacing all VLAN interfaces resets VLAN MTU to a default value | 12.1.5.2, 13.1.3.5, 14.1.2.8 |
758437-6 | 3-Major | BT758437 | SYN w/ data disrupts stat collection in Fast L4 | 13.1.3.5, 14.1.2.8 |
758436-4 | 3-Major | BT758436 | Optimistic ACKs degrade Fast L4 statistics | 13.1.3.5, 14.1.2.8 |
745663-3 | 3-Major | BT745663 | During traffic forwarding, nexthop data may be missed at large packet split | 13.1.3.5, 14.1.2.8 |
726734-4 | 3-Major | BT726734 | DAGv2 port lookup stringent may fail | 13.1.3.2, 14.1.2.8 |
814037-4 | 4-Minor | BT814037 | No virtual server name in Hardware Syncookie activation logs. | 13.1.3.5, 14.1.2.8, 15.1.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
783125-2 | 2-Critical | BT783125 | iRule drop command on DNS traffic without Datagram-LB may cause TMM crash | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
800265-2 | 3-Major | BT800265 | Undefined subroutine in bigip_add_appliance_helper message | 14.1.2.8 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
911629 | 2-Critical | BT911629 | Manual upload of LiveUpdate image file results in NULL response | 14.1.2.8, 15.0.1.4 |
918933-3 | 3-Major | K88162221, BT918933 | The BIG-IP ASM system may not properly perform signature checks on cookies | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1 |
901061-4 | 3-Major | BT901061 | Safari browser might be blocked when using Bot Defense profile and related domains. | 14.1.2.8, 15.1.1, 16.0.1 |
888285-3 | 3-Major | K18304067, BT888285 | Sensitive positional parameter not masked in 'Referer' header value | 14.1.2.8, 15.1.1 |
848445-3 | 3-Major | K86285055, BT848445 | Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★ | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5 |
919001-1 | 4-Minor | BT919001 | Live Update: Update Available notification is shown twice in rare conditions | 14.1.2.8, 15.1.2, 16.0.1.1 |
879777 | 4-Minor | BT879777 | Retrieve browser cookie from related domain instead of performing another Bot Defense browser verification challenge | 14.1.2.8, 15.1.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
908065-4 | 3-Major | BT908065 | Logrotation for /var/log/avr blocked by files with .1 suffix | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
866613-1 | 4-Minor | BT866613 | Missing MaxMemory Attribute | 13.1.3.5, 14.1.2.8, 15.1.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
891505-1 | 2-Critical | BT891505 | TMM might leak memory when OAuth agent is used in APM per-request policy subroutine. | 14.1.2.8, 15.1.4 |
579219-3 | 2-Critical | BT579219 | Access keys missing from SessionDB after multi-blade reboot. | 14.1.2.8, 15.1.1 |
706782-3 | 3-Major | BT706782 | Inefficient APM processing in large configurations. | 14.1.2.8, 15.0.1.3, 15.1.0.2 |
679751-1 | 4-Minor | BT679751 | Authorization header can cause a connection reset | 13.1.3.5, 14.1.2.8, 15.1.1 |
602396-1 | 4-Minor | BT602396 | EPSEC Upload Package Button Is Greyed Out | 14.1.2.8 |
478450-2 | 4-Minor | BT478450 | Improve log details when "Detection invalid host header ()" is logged | 14.1.2.8 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
763121-3 | 2-Critical | BT763121 | Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM. | 13.1.3, 14.1.2.8 |
870385-3 | 3-Major | BT870385 | TMM may restart under very heavy traffic load | 14.1.2.8, 15.1.2.1 |
811157-2 | 3-Major | BT811157 | Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself | 14.1.2.8 |
757555-2 | 3-Major | BT757555 | Network DoS Logging Profile does not work with other logging profiles together | 14.1.2.8 |
757279-1 | 3-Major | BT757279 | LDAP authenticated Firewall Manager role cannot edit firewall policies | 13.1.1.5, 14.1.2.8, 15.1.0.5 |
746483-2 | 3-Major | BT746483 | The autodosd process consumes a lot of memory and continuously restarts. | 14.1.2.8 |
703165-4 | 3-Major | BT703165 | shared memory leakage | 13.1.3.5, 14.1.2.8 |
803149-1 | 4-Minor | BT803149 | Flow Inspector cannot filter on IP address with non-default route_domain | 14.1.2.8 |
906885 | 5-Cosmetic | BT906885 | Spelling mistake on AFM GUI Flow Inspector screen | 14.1.2.8, 15.1.2.1 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
741213-2 | 3-Major | BT741213 | Modifying disabled PEM policy causes coredump | 14.1.2.8 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
837269 | 3-Major | BT837269 | Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic | 14.1.2.8, 15.1.0 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
876581-4 | 3-Major | BT876581 | JavaScript engine file is empty if the original HTML page cached for too long | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
891729-4 | 4-Minor | BT891729 | Errors in datasyncd.log★ | 14.1.2.8, 15.1.1, 16.0.1 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
797277-2 | 3-Major | BT797277 | URL categorization fails when multiple segments present in URL path and belong to different categories. | 14.1.2.8 |
761273-2 | 3-Major | BT761273 | wr_urldbd creates sparse log files by writing from the previous position after logrotate. | 13.1.1.5, 14.1.2.8 |
Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
912221-2 | CVE-2020-12662 CVE-2020-12663 | K37661551, BT912221 | CVE-2020-12662 & CVE-2020-12663 | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5 |
900905-1 | CVE-2020-5926 | K42830212, BT900905 | TMM may crash while processing SIP data | 14.1.2.7, 15.0.1.4, 15.1.0.5 |
891457-4 | CVE-2020-5939 | K75111593, BT891457 | NIC driver may fail while transmitting data | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.4, 16.0.1 |
888417-4 | CVE-2020-8840 | K15320518, BT888417 | Apache Vulnerability: CVE-2020-8840 | 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
846917-3 | CVE-2019-10744 | K47105354, BT846917 | lodash Vulnerability: CVE-2019-10744 | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.3, 15.1.0.2 |
841577-4 | CVE-2020-5922 | K20606443, BT841577 | iControl REST hardening | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5 |
839453-4 | CVE-2019-10744 | K47105354, BT839453 | lodash library vulnerability CVE-2019-10744 | 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.1.1 |
788057-5 | CVE-2020-5921 | K00103216, BT788057 | MCPD may crash while processing syncookies | 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
917005-4 | CVE-2020-8619 | K19807532 | ISC BIND Vulnerability: CVE-2020-8619 | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1 |
909837-2 | CVE-2020-5950 | K05204103, BT909837 | TMM may consume excessive resources when AFM is provisioned | 13.1.3.5, 14.1.2.7, 15.1.0.5 |
888489-4 | CVE-2020-5927 | K55873574, BT888489 | ASM UI hardening | 14.1.2.7, 15.0.1.4, 15.1.0.5 |
886085-3 | CVE-2020-5925 | K45421311, BT886085 | BIG-IP TMM vulnerability CVE-2020-5925 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
832885-3 | CVE-2020-5923 | K05975972, BT832885 | Self-IP hardening | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5 |
816413-2 | CVE-2019-1125 | K31085564, BT816413 | CVE-2019-1125: Spectre SWAPGS Gadget | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
888493-4 | CVE-2020-5928 | K40843345, BT888493 | ASM GUI Hardening | 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
839145-2 | CVE-2019-10744 | K47105354, BT839145 | CVE-2019-10744: lodash vulnerability | 14.1.2.7, 15.1.0.5, 16.0.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
816233-3 | 2-Critical | BT816233 | Session and authentication cookies should use larger character set | 14.1.2.7, 15.0.1.4, 15.1.0.5 |
724556-3 | 2-Critical | BT724556 | icrd_child spawns more than maximum allowed times (zombie processes) | 12.1.5.3, 13.1.3.2, 14.1.2.7 |
858189-1 | 3-Major | BT858189 | Make restnoded/restjavad/icrd timeout configurable with sys db variables. | 12.1.5.2, 14.1.2.7, 15.1.1 |
802977-2 | 3-Major | BT802977 | PEM iRule crashes when more than 10 policies are tried to be set for a subscriber | 14.1.2.7 |
691499-3 | 3-Major | BT691499 | GTP::ie primitives in iRule to be certified | 13.1.3.4, 14.1.2.7, 15.1.0.5 |
745465-1 | 4-Minor | BT745465 | The tcpdump file does not provide the correct extension | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
864513-3 | 1-Blocking | K48234609, BT864513 | ASM policies may not load after upgrading to 14.x or later from a previous major version★ | 14.1.2.7, 15.1.1 |
891477 | 2-Critical | BT891477 | No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server | 14.1.2.7, 15.0.1.4, 15.1.0.5 |
829677-1 | 2-Critical | BT829677 | .tmp files in /var/config/rest/ may cause /var directory exhaustion | 13.1.3.5, 14.1.2.7, 15.1.2, 16.0.1.1 |
811701-1 | 2-Critical | BT811701 | AWS instance using xnet driver not receiving packets on an interface. | 14.1.2.7, 15.0.1.4, 15.1.0.2 |
810593-2 | 2-Critical | K10963690, BT810593 | Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★ | 13.1.3.5, 14.1.2.7 |
805417-1 | 2-Critical | BT805417 | Unable to enable LDAP system auth profile debug logging | 14.1.2.7, 15.1.1 |
769581-1 | 2-Critical | BT769581 | Timeout when sending many large iControl Rest requests | 13.1.3.5, 14.0.0.5, 14.1.2.7 |
758604-2 | 2-Critical | BT758604 | Deleting a port from a single-port trunk does not work. | 14.1.2.7 |
891721-1 | 3-Major | BT891721 | Anti-Fraud Profile URLs with query strings do not load successfully | 14.1.2.7, 15.0.1.4, 15.1.0.5 |
871657-2 | 3-Major | BT871657 | Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
867013-1 | 3-Major | BT867013 | Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout | 13.1.3.5, 14.1.2.7, 15.1.1 |
842189-2 | 3-Major | BT842189 | Tunnels removed when going offline are not restored when going back online | 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.2.1 |
821309-3 | 3-Major | BT821309 | After an initial boot, mcpd has a defunct child "systemctl" process | 14.1.2.7, 15.1.0.5 |
812929-2 | 3-Major | BT812929 | mcpd may core when resetting a DSC connection | 14.1.2.7, 15.0.1.4 |
811053-2 | 3-Major | BT811053 | REBOOT REQUIRED prompt appears after failover and clsh reboot | 14.1.2.7, 15.1.2 |
810821-1 | 3-Major | BT810821 | Management interface flaps after rebooting the device. | 13.1.3.5, 14.1.2.7, 15.1.2 |
807005-1 | 3-Major | BT807005 | Save-on-auto-sync is not working as expected with large configuration objects | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
806985 | 3-Major | BT806985 | Engineering Hotfix installation may fail when Engineering Hotfix contains updated nash-initrd package★ | 14.1.2.7 |
802685-3 | 3-Major | BT802685 | Unable to configure performance HTTP virtual server via GUI | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
793121-3 | 3-Major | BT793121 | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication | 13.1.3.2, 14.1.2.7, 15.0.1.3, 15.1.0.2 |
788949-3 | 3-Major | BT788949 | MySQL Password Initialization Loses Already Written Password | 14.1.2.7 |
760950-4 | 3-Major | BT760950 | Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment | 12.1.5.3, 14.1.2.7 |
756153-3 | 3-Major | BT756153 | Add diskmonitor support for MySQL /var/lib/mysql | 12.1.4.1, 13.1.3, 14.1.2.7 |
753860-3 | 3-Major | BT753860 | Virtual server config changes causing incorrect route injection. | 13.1.3.4, 14.1.2.7 |
720610-2 | 3-Major | BT720610 | Automatic Update Check logs false 'Update Server unavailable' message on every run | 13.1.3, 14.1.2.7 |
701529-2 | 3-Major | BT701529 | Configuration may not load or not accept vlan or tunnel names as "default" or "all" | 13.1.3.4, 14.1.2.7 |
688399-2 | 3-Major | BT688399 | HSB failure results in continuous TMM restarts | 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4 |
683135-1 | 3-Major | BT683135 | Hardware syncookies number for virtual server stats is unrealistically high | 13.1.3.2, 14.1.2.7 |
605675-4 | 3-Major | BT605675 | Sync requests can be generated faster than they can be handled | 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.2 |
831293-3 | 4-Minor | BT831293 | SNMP address-related GET requests slow to respond. | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.2 |
804309-2 | 4-Minor | BT804309 | [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument | 13.1.3.5, 14.1.2.7, 15.1.0.5 |
755018-2 | 4-Minor | BT755018 | Egress traffic processing may be stopped on one or more VE trunk interfaces | 13.1.3.2, 14.1.2.7, 15.0.1.1 |
743815-2 | 4-Minor | BT743815 | vCMP guest observes connflow reset when a CMP state change occurs. | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7 |
484683-2 | 4-Minor | BT484683 | Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer. | 13.1.3.2, 14.1.2.7 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
842937-4 | 2-Critical | BT842937 | TMM crash due to failed assertion 'valid node' | 12.1.5.3, 14.1.2.7, 15.1.1 |
751589-1 | 2-Critical | BT751589 | In BIG-IP VE, some IP rules may not be created during the first boot up. | 14.1.2.7 |
893281-1 | 3-Major | BT893281 | Possible ssl stall on closed client handshake | 14.1.2.7, 15.1.0.5 |
852873 | 3-Major | BT852873 | Proprietary Multicast PVST+ packets are forwarded instead of dropped | 14.1.2.7, 15.1.0.2 |
848777-1 | 3-Major | BT848777 | Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. | 14.1.2.7, 15.1.0.4 |
828601-3 | 3-Major | BT828601 | IPv6 Management route is preferred over IPv6 tmm route | 13.1.3.5, 14.1.2.7, 15.1.0.3 |
813701-3 | 3-Major | BT813701 | Proxy ARP failure | 14.1.2.7, 15.1.0.5 |
810533-4 | 3-Major | BT810533 | SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile | 14.1.2.7 |
802245-1 | 3-Major | BT802245 | When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected. | 14.1.2.7 |
790205-3 | 3-Major | BT790205 | Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core | 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.2.7, 15.0.1.1 |
781041-1 | 3-Major | BT781041 | SIP monitor in non default route domain is not working. | 14.1.2.7 |
778517-1 | 3-Major | K91052217, BT778517 | Large number of in-TMM monitors results in delayed processing | 13.1.3.4, 14.1.2.7 |
760050-2 | 3-Major | BT760050 | "cwnd too low" warning message seen in logs | 13.1.4.1, 14.1.2.7, 15.1.4 |
758599-1 | 3-Major | BT758599 | IPv6 Management route is preferred over IPv6 tmm route | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.3 |
758041-3 | 3-Major | BT758041 | LTM Pool Members may not be updated accurately when multiple identical database monitors are configured. | 13.1.3.5, 14.1.2.7, 15.1.4.1 |
757446-2 | 3-Major | BT757446 | Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses. | 14.1.2.7 |
756494-3 | 3-Major | BT756494 | For in-tmm monitoring: multiple instances of the same agent are running on the Standby device | 13.1.3.4, 14.1.2.7 |
752530-1 | 3-Major | BT752530 | TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. | 13.1.4.1, 14.1.2.7 |
752334-1 | 3-Major | BT752334 | Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation | 13.1.4.1, 14.1.2.7 |
750473-4 | 3-Major | BT750473 | VA status changes while 'disabled' are not taken into account after being 'enabled' again | 11.6.5.2, 12.1.5.3, 14.1.2.7 |
746922-6 | 3-Major | BT746922 | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. | 12.1.4.1, 13.1.3, 14.0.1.1, 14.1.2.7 |
714502-2 | 3-Major | BT714502 | bigd restarts after loading a UCS for the first time | 14.1.2.7, 15.1.0.5 |
686059-4 | 3-Major | BT686059 | FDB entries for existing VLANs may be flushed when creating a new VLAN. | 12.1.5.3, 13.1.3.4, 14.1.2.7 |
608952-3 | 3-Major | BT608952 | MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 | 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.5 |
522241-1 | 3-Major | BT522241 | Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
918169-2 | 2-Critical | BT918169 | The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. | 13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1 |
744743-1 | 2-Critical | BT744743 | Rolling DNSSEC Keys may stop generating after BIG-IP restart | 14.1.2.7 |
803645-3 | 3-Major | BT803645 | GTMD daemon crashes | 13.1.3.3, 14.1.2.7 |
789421-2 | 3-Major | BT789421 | Resource-administrator cannot create GTM server object through GUI | 14.1.2.7, 15.1.0.5, 16.0.1 |
778365-2 | 3-Major | BT778365 | dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service | 13.1.3.4, 14.1.2.7 |
774481-2 | 3-Major | BT774481 | DNS Virtual Server creation problem with Dependency List | 13.1.3.4, 14.1.2.7 |
769385-1 | 3-Major | BT769385 | GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message | 14.0.0.5, 14.1.2.7 |
758772-3 | 3-Major | BT758772 | DNS Cache RRSET Evictions Stat not increasing | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7 |
757464-1 | 3-Major | BT757464 | DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7 |
746348-2 | 3-Major | BT746348 | On rare occasions, gtmd fails to process probe responses originating from the same system. | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.2 |
712335-3 | 4-Minor | BT712335 | GTMD may intermittently crash under unusual conditions. | 12.1.6, 13.1.4, 14.1.2.7 |
774257-2 | 5-Cosmetic | BT774257 | tmsh show gtm pool and tmsh show gtm wideip print duplicate object types | 14.1.2.7, 15.1.0.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
904593-2 | 2-Critical | BT904593 | Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled | 14.1.2.7, 15.1.0.5 |
868641-1 | 2-Critical | BT868641 | Possible TMM crash when disabling bot profile for the entire connection | 14.1.2.7, 15.1.1 |
865461-3 | 2-Critical | BT865461 | BD crash on specific scenario | 14.1.2.7, 15.1.0.5 |
843801-1 | 2-Critical | BT843801 | Like-named previous Signature Update installations block Live Update usage after upgrade★ | 14.1.2.7, 15.1.1 |
813409-1 | 2-Critical | BT813409 | BD crash under certain circumstances | 14.1.2.7 |
803813-2 | 2-Critical | BT803813 | TMM may experience high latency when processing WebSocket traffic | 13.1.3.4, 14.1.2.7 |
903357-3 | 3-Major | BT903357 | Bot Defense profile list loads too slowly when there are 750 or more virtual servers | 14.1.2.7, 15.1.1, 16.0.1.1 |
900797-4 | 3-Major | BT900797 | Brute Force Protection (BFP) hash table entry cleanup | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
900793-2 | 3-Major | K32055534, BT900793 | APM Brute Force Protection resources do not scale automatically | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
900789-4 | 3-Major | BT900789 | Alert before Brute Force Protection (BFP) hash are fully utilized | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
898825-4 | 3-Major | BT898825 | Attack signatures are enforced on excluded headers under some conditions | 14.1.2.7 |
898741-4 | 3-Major | BT898741 | Missing critical files causes FIPS-140 system to halt upon boot | 14.1.2.7, 15.1.1 |
892653-2 | 3-Major | BT892653 | Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI | 14.1.2.7, 15.1.0.5, 16.0.1 |
880789-1 | 3-Major | BT880789 | ASMConfig Handler undergoes frequent restarts | 14.1.2.7, 15.1.0.5 |
880753-1 | 3-Major | K38157961, BT880753 | Possible issues when using DoSL7 and Bot Defense profile on the same virtual server | 14.1.2.7, 15.0.1.4, 15.1.1 |
874753-1 | 3-Major | | Filtering by Bot Categories on Bot Requests Log shows 0 events | 14.1.2.7, 15.1.0.5 |
868721-3 | 3-Major | BT868721 | Transactions are held for a long time on specific server related conditions | 14.1.2.7, 15.1.0.5 |
863609-2 | 3-Major | BT863609 | Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies | 14.1.2.7, 15.1.0.5 |
850677-2 | 3-Major | BT850677 | Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy | 14.1.2.7, 15.1.0.5 |
833685-3 | 3-Major | BT833685 | Idle async handlers can remain loaded for a long time doing nothing | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.5 |
809125-2 | 3-Major | BT809125 | CSRF false positive | 12.1.5.1, 14.1.2.7, 15.1.0.5 |
802873-1 | 3-Major | BT802873 | Manual changes to policy imported as XML may introduce corruption for Login Pages | 14.1.2.7, 15.1.4 |
799749-1 | 3-Major | BT799749 | Asm logrotate fails to rotate | 14.1.2.7, 15.1.0.5 |
793149-3 | 3-Major | BT793149 | Adding the Strict-transport-Policy header to internal responses | 12.1.5.1, 14.1.2.7 |
785529-1 | 3-Major | BT785529 | ASM unable to handle ICAP responses whose length is greater than 10K | 11.6.5.2, 14.1.2.7 |
783165-3 | 3-Major | BT783165 | Bot Defense whitelists do not apply for url "Any" after modifying the Bot Defense profile | 14.1.2.7, 15.1.0.5 |
772165-1 | 3-Major | BT772165 | Sync Failed due to Bot Defense profile not found. | 14.1.2.7 |
759449-1 | 3-Major | BT759449 | Unable to modify the application language with 'Copy ASM Policy' | 14.1.2.7 |
751430-1 | 3-Major | BT751430 | Unnecessary reporting of errors with complex denial-of-service policies | 14.1.2.7 |
745324-1 | 3-Major | BT745324 | MCP crash or blocked for a long time when loading configuration | 14.1.2.7 |
742549-2 | 3-Major | BT742549 | Cannot create non-ASCII entities in non-UTF ASM policy using REST | 13.1.3.6, 14.1.2.7, 15.1.0.5 |
726401-1 | 3-Major | BT726401 | ASM cannot complete initial startup with modified management interface on VE | 14.1.2.7 |
722337-1 | 3-Major | BT722337 | Always show violations in request log when post request is large | 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1.1 |
640842-3 | 3-Major | BT640842 | ASM end user using mobile might be blocked when CSRF is enabled | 14.1.2.7, 15.1.0.5 |
896285-4 | 4-Minor | BT896285 | No parent entity in suggestion to add predefined-filetype as allowed filetype | 14.1.2.7, 15.1.2, 16.0.1.1 |
882769-3 | 4-Minor | BT882769 | Request Log: wrong filter applied when searching by Response contains or Response does not contain | 13.1.3.5, 14.1.2.7, 15.1.2 |
852613-1 | 4-Minor | | Connection Mirroring and ASM Policy not supported on the same virtual server | 14.1.2.7 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
902485-2 | 3-Major | BT902485 | Incorrect pool member concurrent connection value | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
838685-2 | 3-Major | BT838685 | DoS report exists in per-widget but not under individual virtual | 13.1.3.5, 14.1.2.7, 15.1.0.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
838861-2 | 2-Critical | BT838861 | TMM might crash once after upgrading SSL Orchestrator★ | 14.1.2.7, 15.1.1 |
895313 | 3-Major | BT895313 | Enable manage config setting may fail after upgrade of AGC to version 7.0 on BIG-IP 14.1.0 or 14.1.2 | 14.1.2.7 |
831517-1 | 3-Major | BT831517 | TMM may crash when Network Access tunnel is used | 14.1.2.7, 15.1.3 |
799149-2 | 3-Major | BT799149 | Authentication fails with empty password | 13.1.3.2, 14.1.2.7 |
750631-2 | 3-Major | BT750631 | There may be a latency between session termination and deletion of its associated IP address mapping | 13.1.3, 14.1.2.7 |
600985-1 | 3-Major | BT600985 | Network access tunnel data stalls | 13.1.3, 14.1.2.7 |
719589-2 | 4-Minor | BT719589 | GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic | 13.1.3.2, 14.1.2.7 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
814097-2 | 2-Critical | BT814097 | Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. | 11.6.5.2, 13.1.3.4, 14.1.2.7 |
898997-4 | 3-Major | BT898997 | GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes | 14.1.2.7, 15.1.1, 16.0.1 |
842625-3 | 3-Major | BT842625 | SIP message routing remembers a 'no connection' failure state forever | 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.2 |
825013-3 | 3-Major | BT825013 | GENERICMESSAGE::message's src and dst may get cleared in certain scenarios | 14.1.2.7, 15.0.1.1, 15.1.0.2 |
815529-2 | 3-Major | BT815529 | MRF outbound messages are dropped in per-peer mode | 13.1.3.4, 14.1.2.7 |
803809-2 | 3-Major | BT803809 | SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. | 13.1.3.4, 14.1.2.7, 15.1.0.2 |
782353-6 | 3-Major | BT782353 | SIP MRF via header shows TCP Transport when TLS is enabled | 13.1.3.4, 14.1.2.7 |
754658-2 | 3-Major | BT754658 | Improved matching of response messages uses end-to-end ID | 13.1.3.4, 14.1.2.7 |
754617-2 | 3-Major | BT754617 | iRule 'DIAMETER::avp read' command does not work with 'source' option | 13.1.3.4, 14.1.2.7 |
746731-1 | 3-Major | BT746731 | BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set | 13.1.3.4, 14.1.2.7 |
696348-3 | 3-Major | BT696348 | "GTP::ie insert" and "GTP::ie append" do not work without "-message" option | 13.1.3.4, 14.1.2.7, 15.1.0.5 |
788513-2 | 4-Minor | BT788513 | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
786981-3 | 4-Minor | BT786981 | Pending GTP iRule operation may be aborted when connection is expired | 13.1.3.4, 14.1.2.7 |
793005-3 | 5-Cosmetic | BT793005 | 'Current Sessions' statistic of MRF/Diameter pool may be incorrect | 13.1.3.4, 14.1.2.7, 15.1.0.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
802421 | 2-Critical | BT802421 | The /var partition may become 100% full requiring manual intervention to clear space | 14.1.2.7, 15.1.0.5 |
755721-1 | 3-Major | BT755721 | A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper | 14.1.2.7 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
753014-4 | 3-Major | BT753014 | PEM iRule action with RULE_INIT event fails to attach to PEM policy | 12.1.5.3, 13.1.3.2, 14.1.2.7 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
888625-2 | 3-Major | BT888625 | CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks | 14.1.2.7, 15.1.0.3 |
806825 | 3-Major | BT806825 | Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool | 14.1.2.7 |
761517-1 | 4-Minor | BT761517 | nat64 and ltm pool conflict | 14.1.2.7 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
787965-1 | 3-Major | BT787965 | URLCAT by URI does not work if it contains port number | 14.1.2.7 |
754257-2 | 3-Major | BT754257 | URL lookup queries not working | 12.1.5, 14.1.2.7 |
Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
900757-4 | CVE-2020-5902 | K52145254, BT900757 | TMUI RCE vulnerability CVE-2020-5902 | 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
895525-4 | CVE-2020-5902 | K52145254, BT895525 | TMUI RCE vulnerability CVE-2020-5902 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
909237-4 | CVE-2020-8617 | K05544642 | CVE-2020-8617: BIND Vulnerability | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
909233-4 | CVE-2020-8616 | K97810133, BT909233 | DNS Hardening | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
905905-3 | CVE-2020-5904 | K31301245, BT905905 | TMUI CSRF vulnerability CVE-2020-5904 | 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
895993-4 | CVE-2020-5902 | K52145254, BT895993 | TMUI RCE vulnerability CVE-2020-5902 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
895981-4 | CVE-2020-5902 | K52145254, BT895981 | TMUI RCE vulnerability CVE-2020-5902 | 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
895881-3 | CVE-2020-5903 | K43638305, BT895881 | BIG-IP TMUI XSS vulnerability CVE-2020-5903 | 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
742628-3 | 3-Major | BT742628 | A tmsh session initiation adds increased control plane pressure | 12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
897229 | 3-Major | BT897229 | TLS session ticket resumption SNI check | 14.1.2.6 |
Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
883717-3 | CVE-2020-5914 | K37466356, BT883717 | BD crash on specific server cookie scenario | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
879025-4 | CVE-2020-5913 | K72752002, BT879025 | When processing TLS traffic, LTM may not enforce certificate chain restrictions | 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.0.2 |
866013 | CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 | K78234183, BT866013 | Linux Kernel Vulnerabilities: CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 | 14.1.2.5 |
852445-3 | CVE-2019-6477 | K15840535, BT852445 | BIG-IP: CVE-2019-6477 BIND Vulnerability | 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.5 |
838677-3 | CVE-2019-10744 | K47105354, BT838677 | lodash library vulnerability CVE-2019-10744 | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
837773-2 | CVE-2020-5912 | K12936322, BT837773 | Restjavad Storage and Configuration Hardening | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
834257-3 | CVE-2020-5931 | K25400442, BT834257 | TMM may crash when processing HTTP traffic | 13.1.3.6, 14.1.2.5, 15.1.1 |
830401-3 | CVE-2020-5877 | K54200228, BT830401 | TMM may crash while processing TCP traffic with iRules | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
819197-4 | CVE-2019-13135 | K20336394, BT819197 | BIGIP: CVE-2019-13135 ImageMagick vulnerability | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
819189-3 | CVE-2019-13136 | K03512441, BT819189 | BIGIP: CVE-2019-13136 ImageMagick vulnerability | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
814953-3 | CVE-2020-5940 | K43310520, BT814953 | TMUI dashboard hardening | 14.1.2.5, 15.1.1, 16.0.1 |
805837-2 | CVE-2019-6657 | K22441651, BT805837 | REST does not follow current design best practices | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.5, 15.0.1.1 |
802261-2 | CVE-2020-5875 | K65372933, BT802261 | TMM may crash while processing SSL traffic via an HTTP/2 full-proxy | 14.1.2.5, 15.0.1.1 |
794561-1 | CVE-2020-5874 | K46901953, BT794561 | TMM may crash while processing JWT/OpenID traffic. | 13.1.4.1, 14.0.1.1, 14.1.2.5, 15.0.1.3 |
780601-2 | CVE-2020-5873 | K03585731, BT780601 | SCP file transfer hardening | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.1.2.5, 15.0.1.1 |
769589-2 | CVE-2019-6974 | K11186236, BT769589 | CVE-2019-6974: Linux Kernel Vulnerability | 13.1.3.2, 14.1.2.5 |
767373-1 | CVE-2019-8331 | K24383845, BT767373 | CVE-2019-8331: Bootstrap Vulnerability | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.4 |
762453-2 | CVE-2020-5872 | K63558580, BT762453 | Hardware cryptography acceleration may fail | 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.5 |
745377-1 | CVE-2020-5871 | K43450419, BT745377 | TMM cores in certain scenarios with HTTP virtual server | 14.1.2.5 |
739971 | CVE-2018-5391 | K74374841, BT739971 | Linux kernel vulnerability: CVE-2018-5391 | 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.5 |
873469-1 | CVE-2020-5889 | K24415506, BT873469 | APM Portal Access: Base URL may be set incorrectly | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
872673-3 | CVE-2020-5918 | K26464312, BT872673 | TMM can crash when processing SCTP traffic | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
868349-3 | CVE-2020-5935 | K62830532, BT868349 | TMM may crash while processing iRules with MQTT commands | 13.1.3.4, 14.1.2.5, 15.1.1 |
864109-3 | CVE-2020-5889 | K24415506, BT864109 | APM Portal Access: Base URL may be set incorrectly | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
859089-5 | CVE-2020-5907 | K00091341, BT859089 | TMSH allows SFTP utility access | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4 |
858349-1 | CVE-2020-5934 | K44808538, BT858349 | TMM may crash while processing SAML SLO traffic | 14.1.2.5, 15.1.1 |
858025-3 | CVE-2021-22984 | K33440533, BT858025 | BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
848405-4 | CVE-2020-5933 | K26244025, BT848405 | TMM may consume excessive resources while processing compressed HTTP traffic | 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.1 |
838881-3 | CVE-2020-5853 | K73183618, BT838881 | APM Portal Access Vulnerability: CVE-2020-5853 | 11.6.5.2, 12.1.5.2, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
837837-3 | CVE-2020-5917 | K43404629, BT837837 | F5 SSH server key size vulnerability CVE-2020-5917 | 12.1.5.2, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
832021-1 | CVE-2020-5888 | K73274382, BT832021 | Port lockdown settings may not be enforced as configured | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
832017-1 | CVE-2020-5887 | K10251014, BT832017 | Port lockdown settings may not be enforced as configured | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
829121-3 | CVE-2020-5886 | K65720640, BT829121 | State mirroring default does not require TLS | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2 |
829117-3 | CVE-2020-5885 | K17663061, BT829117 | State mirroring default does not require TLS | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2 |
811789-2 | CVE-2020-5915 | K57214921, BT811789 | Device trust UI hardening | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
810537-2 | CVE-2020-5883 | K12234501, BT810537 | TMM may consume excessive resources while processing iRules | 13.1.3.2, 14.0.1.1, 14.1.2.5, 15.0.1.1 |
805557-2 | CVE-2020-5882 | K43815022, BT805557 | TMM may crash while processing crypto data | 12.1.5.1, 14.1.2.5 |
789921-2 | CVE-2020-5881 | K03386032, BT789921 | TMM may restart while processing VLAN traffic | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
775833-2 | CVE-2020-5880 | K94325657, BT775833 | Administrative file transfer may lead to excessive resource consumption | 14.1.2.5, 15.0.1.4 |
887637-1 | CVE-2019-3815 | K22040951, BT887637 | Systemd-journald Vulnerability: CVE-2019-3815 | 14.1.2.5, 15.0.1.4, 15.1.1 |
868097-1 | CVE-2020-5891 | K58494243, BT868097 | TMM may crash while processing HTTP/2 traffic | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
823893-2 | CVE-2020-5890 | K03318649, BT823893 | Qkview may fail to completely sanitize LDAP bind credentials | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
748122-1 | CVE-2018-15333 | K53620021, BT748122 | BIG-IP Vulnerability CVE-2018-15333 | 14.1.2.5, 15.0.1.4, 15.1.0.5 |
746091-1 | CVE-2019-19151 | K21711352, BT746091 | TMSH Vulnerability: CVE-2019-19151 | 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
760723-2 | CVE-2015-4037 | K64765350, BT760723 | Qemu Vulnerability | 12.1.5.2, 14.1.2.5, 15.0.1.4 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
870389-1 | 3-Major | BT870389 | Increase size of /var logical volume to 1.5 GiB for LTM-only VE images | 14.1.2.5, 15.1.0.2 |
858229-3 | 3-Major | K22493037, BT858229 | XML with sensitive data gets to the ICAP server | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
738330-3 | 3-Major | BT738330 | /mgmt/toc endpoint issue after configuring remote authentication | 13.1.3.5, 14.1.2.5, 15.0.1.4 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
819009-3 | 2-Critical | BT819009 | Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol. | 14.1.2.5 |
792285-2 | 2-Critical | BT792285 | TMM crashes if the queuing message to all HSL pool members fails | 13.1.3.4, 14.1.2.5 |
777993-2 | 2-Critical | BT777993 | Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same | 14.1.2.5 |
775897-1 | 2-Critical | BT775897 | High Availability failover restarts tmipsecd when tmm connections are closed | 14.1.2.5 |
769169-3 | 2-Critical | BT769169 | BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring | 13.1.3.6, 14.0.0.5, 14.1.2.5 |
767689-1 | 2-Critical | BT767689 | F5optics_install using different versions of RPM★ | 14.1.2.5 |
749388-3 | 2-Critical | BT749388 | 'table delete' iRule command can cause TMM to crash | 12.1.5.2, 13.1.3.2, 14.1.2.5 |
748205-3 | 2-Critical | BT748205 | SSD bay identification incorrect for RAID drive replacement★ | 12.1.5, 13.1.3, 14.1.2.5 |
699515-2 | 2-Critical | | nsm cores during update of nexthop for ECMP recursive route | 13.1.1.5, 14.1.2.5 |
882557-4 | 3-Major | BT882557 | TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4 |
873877 | 3-Major | BT873877 | Kernel page allocation failure seen on VIPRION blades★ | 14.1.2.5 |
866925-3 | 3-Major | BT866925 | The TMM pages used and available can be viewed in the F5 system stats MIB | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
852001-3 | 3-Major | BT852001 | High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
849405-1 | 3-Major | BT849405 | LTM v14.1.2.1 does not log after upgrade★ | 14.1.2.5, 15.1.0.5 |
842125-4 | 3-Major | BT842125 | Unable to reconnect outgoing SCTP connections that have previously aborted | 13.1.3.4, 14.1.2.5, 15.1.0.5 |
812981-4 | 3-Major | BT812981 | MCPD: memory leak on standby BIG-IP device | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
810957-2 | 3-Major | BT810957 | Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core | 12.1.5.3, 14.1.2.5, 15.0.1.4 |
802281-1 | 3-Major | BT802281 | Gossip shows active even when devices are missing | 13.1.3.5, 14.1.2.5, 15.1.0.2 |
800185-4 | 3-Major | BT800185 | Saving a large encrypted UCS archive may fail and might trigger failover | 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4 |
795685-2 | 3-Major | BT795685 | Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer | 14.1.2.5 |
772117-3 | 3-Major | BT772117 | Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card | 14.1.2.5 |
762073-2 | 3-Major | BT762073 | Continuous TMM restarts when HSB drops off the PCI bus | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4 |
759735-2 | 3-Major | BT759735 | OSPF ASE route calculation for new external-LSA delayed | 13.1.3.2, 14.1.2.5 |
759172-1 | 3-Major | BT759172 | Read Access Denied: user (gu, guest) type (Certificate Order Manager) | 14.1.2.5 |
758387-2 | 3-Major | BT758387 | BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it | 14.0.0.5, 14.1.2.5, 15.0.1.3 |
751573-1 | 3-Major | BT751573 | Updates to HSL pool members may not take effect | 14.1.2.5 |
749785-2 | 3-Major | BT749785 | nsm can become unresponsive when processing recursive routes | 12.1.5.3, 13.1.3, 14.1.2.5 |
749690-1 | 3-Major | BT749690 | MOS_Image2Disk_Installation- kjournald service error★ | 14.1.2.5 |
746861-1 | 3-Major | BT746861 | SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★ | 14.1.2.5, 15.1.4 |
641450-7 | 3-Major | K30053855, BT641450 | A transaction that deletes and recreates a virtual may result in an invalid configuration | 12.1.5.1, 13.1.3.4, 14.1.2.5 |
755317-1 | 4-Minor | BT755317 | /var/log logical volume may run out of space due to agetty error message in /var/log/secure | 14.1.2.5, 15.1.0.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
715032-2 | 1-Blocking | K73302459, BT715032 | iRulesLX Hardening | 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
860881-1 | 2-Critical | BT860881 | TMM can crash when handling a compressed response from HTTP server | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
853329-4 | 2-Critical | BT853329 | HTTP explicit proxy can crash TMM when used with classification profile | 11.6.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3 |
839401-3 | 2-Critical | BT839401 | Moving a virtual-address from one floating traffic-group to another does not send GARPs out. | 14.1.2.5, 15.0.1.4, 15.1.0.2 |
831325-2 | 2-Critical | K10701310, BT831325 | HTTP PSM detects more issues with Transfer-Encoding headers | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.1 |
799649-2 | 2-Critical | BT799649 | TMM crash | 14.1.2.5 |
757391-2 | 2-Critical | BT757391 | Datagroup iRule command class can lead to memory corruption | 12.1.5, 13.1.3, 14.1.2.5 |
755134-1 | 2-Critical | BT755134 | HTTP/2 connections may leak memory if server-side connection not established | 14.1.2.5 |
868889 | 3-Major | BT868889 | BIG-IP may reset a stream with an empty DATA frame as END_STREAM | 14.1.2.5 |
853613-2 | 3-Major | BT853613 | Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
851789-3 | 3-Major | BT851789 | SSL monitors flap with client certs with private key stored in FIPS | 12.1.5.3, 14.1.2.5, 15.1.1 |
847325-1 | 3-Major | BT847325 | Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior. | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
843105-1 | 3-Major | BT843105 | Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP) | 14.1.2.5 |
809729-2 | 3-Major | BT809729 | When HTTP/2 stream is reset by a client, BIG-IP may not respond properly | 14.1.2.5, 15.0.1.1 |
795261-2 | 3-Major | BT795261 | LTM policy does not properly evaluate condition when an operand is missing | 14.1.2.5, 15.0.1.1 |
788741-2 | 3-Major | BT788741 | TMM cores in the MQTT proxy under rare conditions | 14.1.2.5 |
777269-1 | 3-Major | BT777269 | Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup | 14.1.2.5 |
770477-2 | 3-Major | BT770477 | SSL aborted when client_hello includes both renegotiation info extension and SCSV | 12.1.5.3, 13.1.3.2, 14.1.2.5 |
761030-2 | 3-Major | BT761030 | tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route | 13.1.3.2, 14.1.2.5 |
758631-4 | 3-Major | BT758631 | ec_point_formats extension might be included in the server hello even if not specified in the client hello | 12.1.5, 13.1.3.5, 14.0.1.1, 14.1.2.5 |
757827-1 | 3-Major | BT757827 | Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution | 13.1.3.2, 14.1.2.5, 15.0.1.3 |
755997-2 | 3-Major | BT755997 | Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address | 12.1.5.3, 14.1.2.5 |
755727-2 | 3-Major | BT755727 | Ephemeral pool members not created after DNS flap and address record changes | 12.1.5.2, 13.1.3.2, 14.1.2.5, 15.0.1.3 |
755213-1 | 3-Major | BT755213 | TMM cores in certain scenarios with HTTP/2 virtual server | 14.1.2.5 |
751052-1 | 3-Major | BT751052 | HTTP iRule event HTTP_REJECT broken | 14.1.2.5 |
746078-1 | 3-Major | BT746078 | Upgrades break existing iRulesLX workspaces that use node version 6 | 14.1.2.5 |
745923-2 | 3-Major | BT745923 | Connection flow collision can cause packets to be sent with source and/or destination port 0 | 13.1.3.5, 14.1.2.5, 15.0.1.4 |
743257-3 | 3-Major | BT743257 | Fix block size insecurity init and assign | 13.1.3.2, 14.0.0.5, 14.1.2.5 |
705112-4 | 3-Major | BT705112 | DHCP server flows are not re-established after expiration | 11.5.9, 12.1.4.1, 13.1.3, 14.1.2.5, 15.1.0.2 |
636842-2 | 3-Major | K51472519, BT636842 | A FastL4 virtual server may drop a FIN packet when mirroring is enabled | 12.1.5.1, 13.1.3.2, 14.1.2.5 |
601189-4 | 3-Major | BT601189 | The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode | 12.1.5.1, 13.1.3.2, 14.1.2.5 |
599567-4 | 3-Major | BT599567 | APM assumes SNAT automap, does not use SNAT pool | 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.2.5 |
859113-3 | 4-Minor | BT859113 | Using "reject" iRules command inside "after" may cause core | 14.1.2.5, 15.1.0.2 |
852373-2 | 4-Minor | BT852373 | HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error | 14.1.2.5, 15.0.1.4, 15.1.1 |
839245-1 | 4-Minor | BT839245 | IPother profile with SNAT sets egress TTL to 255 | 14.1.2.5, 15.1.0.2 |
830833-2 | 4-Minor | BT830833 | HTTP PSM blocking resets should have better log messages | 13.1.4.1, 14.1.2.5, 15.0.1.1 |
760683-1 | 4-Minor | BT760683 | RST from non-floating self-ip may use floating self-ip source mac-address | 13.1.3.2, 14.1.2.5 |
757777-3 | 4-Minor | BT757777 | bigtcp does not issue a RST in all circumstances | 14.1.2.5 |
746077-4 | 4-Minor | BT746077 | If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified | 12.1.5.3, 13.1.1.5, 14.1.2.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
807177-2 | 2-Critical | BT807177 | HTTPS monitoring is not caching SSL sessions correctly | 13.1.3.4, 14.1.2.5 |
704198-4 | 2-Critical | K29403988, BT704198 | Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance | 12.1.5.2, 13.1.3.4, 14.1.2.5 |
802961-2 | 3-Major | BT802961 | The 'any-available' prober selection is not as random as in earlier versions | 13.1.3.4, 14.1.2.5 |
772233-4 | 3-Major | BT772233 | IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV. | 13.1.3.2, 14.1.2.5, 15.0.1.3 |
754901-1 | 3-Major | BT754901 | Frequent zone update notifications may cause TMM to restart | 13.1.3, 14.1.2.5 |
750213-4 | 3-Major | K25351434, BT750213 | DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. | 12.1.5, 13.1.3, 14.1.2.5 |
744280-2 | 4-Minor | BT744280 | Enabling or disabling a Distributed Application results in a small memory leak | 13.1.3.4, 14.0.0.5, 14.1.2.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
852437-1 | 2-Critical | K25037027, BT852437 | Overly aggressive file cleanup causes failed ASU installation | 14.1.2.5, 15.1.0.2 |
882377-1 | 3-Major | BT882377 | ASM Application Security Editor Role User can update/install ASU | 14.1.2.5, 15.1.4.1 |
871905-1 | 3-Major | K02705117, BT871905 | Incorrect masking of parameters in event log | 14.1.2.5, 15.0.1.4, 15.1.0.5 |
854177-3 | 3-Major | BT854177 | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.1.0.5 |
850673-3 | 3-Major | BT850673 | BD sends bad ACKs to the bd_agent for configuration | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
681010-3 | 3-Major | K33572148, BT681010 | 'Referer' is not masked when 'Query String' contains sensitive parameter | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
838709-1 | 2-Critical | BT838709 | Enabling DoS stats also enables page-load-time | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
828937-3 | 2-Critical | K45725467, BT828937 | Some systems can experience periodic high IO wait due to AVR data aggregation | 13.1.3.4, 14.1.2.5, 15.1.0.5 |
870957-1 | 3-Major | | "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
863161-3 | 3-Major | BT863161 | Scheduled reports are sent via TLS even if configured as non encrypted | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
835381-1 | 3-Major | BT835381 | HTTP custom analytics profile 'not found' when default profile is modified | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
830073-3 | 3-Major | BT830073 | AVRD may core when restarting due to data collection device connection timeout | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
817649-2 | 3-Major | BT817649 | AVR statistics for NAT cannot be shown on multi-bladed machine | 14.1.2.5, 15.0.1.3 |
865053-1 | 4-Minor | BT865053 | AVRD core due to a try to load vip lookup when AVRD is down | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
863069-3 | 4-Minor | BT863069 | Avrmail timeout is too small | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
879401-3 | 2-Critical | K90423190, BT879401 | Memory corruption during APM SAML SSO | 14.1.2.5, 15.1.3 |
871761-4 | 2-Critical | BT871761 | Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
788593-2 | 2-Critical | K43404365, BT788593 | APM logs may contain additional data | 14.1.2.5, 15.0.1.3 |
884797-2 | 3-Major | BT884797 | Portal Access: in some cases data is not delivered via WebSocket connection | 14.1.2.5, 15.1.0.5 |
866685-3 | 3-Major | BT866685 | Empty HSTS headers when HSTS mode for HTTP profile is disabled | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
866161-3 | 3-Major | BT866161 | Client port reuse causes RST when the security service attempts server connection reuse. | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
852313-2 | 3-Major | BT852313 | VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
832569-2 | 3-Major | BT832569 | APM end-user connection reset | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
831781-5 | 3-Major | BT831781 | AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
798261-2 | 3-Major | BT798261 | APMD fails to create session variables if spanning is enabled on SWG transparent virtual server | 13.1.3.2, 14.1.2.5, 15.0.1.3 |
771905-2 | 3-Major | BT771905 | JWT token rejected due to unknown JOSE header parameters | 14.1.2.5 |
768025-4 | 3-Major | BT768025 | SAML requests/responses fail with "failed to find certificate" | 13.1.3.2, 14.1.2.5, 15.0.1.3 |
749036-2 | 3-Major | BT749036 | Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM | 14.1.2.5 |
747725-3 | 3-Major | BT747725 | Kerberos Auth agent may override settings that were manually made to krb5.conf | 12.1.4.1, 13.1.3, 14.1.2.5 |
747624-2 | 3-Major | BT747624 | RADIUS Authentication over RSA SecureID is not working in challenge mode | 14.1.2.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
811105-1 | 2-Critical | BT811105 | MRF SIP-ALG drops SIP 183 and 200 OK messages | 13.1.3.4, 14.1.2.5, 15.0.1.4 |
781725-2 | 2-Critical | BT781725 | BIG-IP systems might not complete a short ICAP request with a body beyond the preview | 14.1.2.5 |
882273 | 3-Major | BT882273 | MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage growth | 13.1.3.4, 14.1.2.5 |
876077-3 | 3-Major | BT876077 | MRF DIAMETER: stale pending retransmission entries may not be cleaned up | 14.1.2.5, 15.0.1.4, 15.1.0.5 |
868381-3 | 3-Major | BT868381 | MRF DIAMETER: Retransmission queue unable to delete stale entries | 14.1.2.5, 15.0.1.4, 15.1.0.5 |
866021-3 | 3-Major | BT866021 | Diameter Mirror connection lost on the standby due to "process ingress error" | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
853545-3 | 3-Major | BT853545 | MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event | 14.1.2.5, 15.1.0.2 |
824149-3 | 3-Major | BT824149 | SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
815877-1 | 3-Major | BT815877 | Information Elements with zero-length value are rejected by the GTP parser | 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
811033-2 | 3-Major | BT811033 | MRF: BiDirectional persistence does not work in reverse direction if different transport protocols are used | 13.1.3.4, 14.1.2.5 |
788093 | 3-Major | BT788093 | MRF iRule command MR::restore with no argument causes tmm to crash | 14.1.2.5 |
859721-3 | 4-Minor | BT859721 | Using GENERICMESSAGE create together with reject inside periodic after may cause core | 14.1.2.5, 15.1.0.2 |
836357-3 | 4-Minor | BT836357 | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
788005-2 | 4-Minor | BT788005 | Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP) | 14.1.2.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
778869-3 | 2-Critical | K72423000, BT778869 | ACLs and other AFM features (e.g., IPI) may not function as designed | 13.1.3.2, 14.0.1.1, 14.1.2.5 |
751292-1 | 2-Critical | BT751292 | mcpd core after changing parent netflow to use version9 | 14.1.2.5 |
852289-2 | 3-Major | K23278332, BT852289 | DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector | 13.1.3.4, 14.1.2.5, 15.1.1 |
771173-3 | 3-Major | BT771173 | FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★ | 13.1.3, 14.1.2.5, 15.0.1.3 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
857725 | 3-Major | BT857725 | Anti-Fraud/DataSafe Logging Settings page not found | 14.1.2.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
761199-1 | 2-Critical | BT761199 | Wr_urldbd might crash while system is in a restarting loop. | 14.1.2.5 |
816529-2 | 3-Major | BT816529 | If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart. | 12.1.5.2, 14.1.2.5 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
839597-4 | 3-Major | BT839597 | Restjavad fails to start if provision.extramb has a large value | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
815649-1 | 3-Major | BT815649 | Named.config entry getting overwritten on SSL Orchestrator deployment | 14.1.2.5, 15.0.1.3 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
852557-1 | 2-Critical | BT852557 | Tmm core while using service chaining for SSL Orchestrator | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
759191-1 | 2-Critical | BT759191 | While using explicit or transparent http type service on SSL Orchestrator, TMM cores. | 14.1.2.5 |
864329-1 | 3-Major | BT864329 | Client port reuse causes RST when the backend server-side connection is open | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
852481-1 | 3-Major | BT852481 | Failure to check virtual-server context when closing server-side connection | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
852477-1 | 3-Major | BT852477 | Tmm core when SSL Orchestrator is enabled | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
886713-3 | 4-Minor | BT886713 | Error log seen in case of SSL Orchestrator configured with http service during connection close. | 14.1.2.5, 15.1.0.5 |
Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release
Functional Change Fixes
None
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
867413-2 | 2-Critical | BT867413 | The allow-only-in-enterprise LAN feature on Mac OS not working after reboot | 14.1.2.4 |
Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
849761-1 | CVE-2019-6675 | K55655944, BT849761 | CVE-2019-6675: LDAP vulnerability | 14.1.2.3, 15.1.0 |
846365-3 | CVE-2020-5878 | K35750231, BT846365 | TMM may crash while processing IP traffic | 14.1.2.3, 15.0.1.2, 15.1.0.2 |
818709-2 | CVE-2020-5858 | K36814487, BT818709 | TMSH does not follow current best practices | 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.4 |
818429-4 | CVE-2020-5857 | K70275209, BT818429 | TMM may crash while processing HTTP traffic | 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1 |
808301-2 | CVE-2019-6678 | K04897373, BT808301 | TMM may crash while processing IP traffic | 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1 |
757357-3 | CVE-2019-6676 | K92002212, BT757357 | TMM may crash while processing traffic | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
782529-2 | CVE-2019-6685 | K30215839, BT782529 | iRules does not follow current design best practices | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.3 |
761144-4 | CVE-2019-6684 | K95117754, BT761144 | Broadcast frames may be dropped | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3 |
761112-3 | CVE-2019-6683 | K76328112, BT761112 | TMM may consume excessive resources when processing FastL4 traffic | 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.0.1.1, 14.1.2.3, 15.0.1.4 |
725551-2 | CVE-2019-6682 | K40452417, BT725551 | ASM may consume excessive resources | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.4 |
846157-3 | CVE-2020-5862 | K01054113, BT846157 | TMM may crash while processing traffic on AWS | 14.1.2.3, 15.0.1.2, 15.1.0.2 |
817917-1 | CVE-2020-5856 | K00025388, BT817917 | TMM may crash when sending TCP packets | 14.1.2.3, 15.0.1.2 |
789893-2 | CVE-2019-6679 | K54336216, BT789893 | SCP file transfer hardening | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1 |
749324-1 | CVE-2012-6708 | K62532311, BT749324 | jQuery Vulnerability: CVE-2012-6708 | 12.1.5.2, 13.1.3.2, 14.1.2.3 |
738236-7 | CVE-2019-6688 | K25607522, BT738236 | UCS does not follow current best practices | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.3 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
819397-1 | 1-Blocking | K50375550, BT819397 | TMM does not enforce RFC compliance when processing HTTP traffic | 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
769193-5 | 3-Major | BT769193 | Added support for faster congestion window increase in slow-start for stretch ACKs | 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3 |
760234-1 | 4-Minor | BT760234 | Configuring Advanced shell for Resource Administrator User has no effect | 12.1.5.3, 14.1.2.3, 15.0.1.4 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
806093-1 | 2-Critical | BT806093 | Unwanted LDAP referrals slow or prevent administrative login | 14.1.2.3, 15.0.1.1 |
789169-2 | 2-Critical | BT789169 | Unable to create virtual servers with port-lists from the GUI★ | 14.1.2.3, 15.0.1.4 |
780817-5 | 2-Critical | BT780817 | TMM can crash on certain vCMP hosts after modifications to VLANs and guests. | 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
762385 | 2-Critical | BT762385 | Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later★ | 14.1.2.3 |
762205-2 | 2-Critical | BT762205 | IKEv2 rekey fails to recognize VENDOR_ID payload when it appears | 13.1.3.4, 14.1.2.3, 15.0.1.4 |
809205 | 3-Major | | CVE-2019-3855: libssh2 Vulnerability | 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1, 15.1.3, 16.0.1.2 |
794501-2 | 3-Major | BT794501 | Duplicate if_indexes and OIDs between interfaces and tunnels | 12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1 |
785741-1 | 3-Major | K19131357, BT785741 | Unable to login using LDAP with 'user-template' configuration | 14.1.2.3, 15.0.1.4, 15.1.0.5 |
778125-1 | 3-Major | BT778125 | LDAP remote authentication passwords are limited to fewer than 64 bytes | 14.1.2.3, 15.0.1.4 |
760439-4 | 3-Major | BT760439 | After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status | 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
760259-3 | 3-Major | BT760259 | Qkview silently fails to capture qkviews from other blades | 14.1.2.3 |
759654-1 | 3-Major | BT759654 | LDAP remote authentication with remote roles and user-template failing | 14.1.2.3, 15.0.1.4 |
759499-2 | 3-Major | BT759499 | Upgrade from version 12.1.x to version 13.1.x and later failing with error★ | 14.1.2.3, 15.0.1.1 |
758781-3 | 3-Major | BT758781 | iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
758527-2 | 3-Major | K39604784, BT758527 | BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.0.5, 14.1.2.3, 15.0.1.3 |
757519-1 | 3-Major | K92525101, BT757519 | Unable to logon using LDAP authentication with a user-template | 14.1.2.3, 15.0.1.4 |
756450-1 | 3-Major | BT756450 | Traffic using route entry that's more specific than existing blackhole route can cause core | 11.6.5.1, 12.1.5, 13.1.3, 14.1.2.3 |
754691-1 | 3-Major | BT754691 | During failover, an OSPF routing daemon may crash. | 14.1.2.3, 15.0.1.4 |
750318-3 | 3-Major | BT750318 | HTTPS monitor does not appear to be using cert from server-ssl profile | 13.1.1.5, 14.1.2.3 |
746266-3 | 3-Major | BT746266 | A vCMP guest VLAN MAC mismatch across blades. | 12.1.5, 13.1.3, 14.1.2.3 |
738943-3 | 3-Major | BT738943 | imish command hangs when ospfd is enabled | 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
705037-7 | 3-Major | K32332000, BT705037 | System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart | 12.1.4, 13.1.3, 14.0.1.1, 14.1.2.3 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
816273-2 | 1-Blocking | BT816273 | L7 Policies may execute CONTAINS operands incorrectly. | 13.1.3.4, 14.1.2.3, 15.0.1.1 |
826601-5 | 2-Critical | BT826601 | Prevent receive window shrinkage for looped flows that use a SYN cookie | 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.3 |
817417-1 | 2-Critical | BT817417 | Blade software installation stalled at Waiting for product image★ | 14.1.2.3, 15.0.1.4 |
816625-1 | 2-Critical | BT816625 | The TMM may crash in a rare scenario involving HTTP unchunking, and plugins. | 14.1.2.3, 15.0.1.1 |
800369-2 | 2-Critical | BT800369 | The fix for ID 770797 may cause a TMM crash | 14.1.2.3, 15.0.1.1 |
800305-2 | 2-Critical | BT800305 | VDI::cmp_redirect generates flow with random client port | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
791057-1 | 2-Critical | BT791057 | MCP may crash when traffic matching criteria is updated | 14.1.2.3, 15.0.1.3 |
770797-1 | 2-Critical | BT770797 | HTTP2 streams may get stuck in rare situations | 14.1.2.3 |
836661 | 3-Major | BT836661 | Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet. | 14.1.2.3, 15.1.0.2 |
834373-3 | 3-Major | BT834373 | Possible handshake failure with TLS 1.3 early data | 14.1.2.3, 15.0.1.1 |
830797-2 | 3-Major | BT830797 | Standby high availability (HA) device passes traffic through virtual wire | 14.1.2.3, 15.0.1.1, 15.1.1 |
815449-2 | 3-Major | BT815449 | BIG-IP closes connection when an unsized response is served to a HEAD request | 14.1.2.3, 15.0.1.1 |
814761-2 | 3-Major | BT814761 | PostgreSQL monitor fails on second ping with count != 1 | 12.1.5.3, 13.1.3.6, 14.1.2.3, 15.0.1.3 |
797977-1 | 3-Major | BT797977 | Self-IP traffic does not preserve the TTL from the Linux host | 14.1.2.3, 15.0.1.4 |
789365-1 | 3-Major | BT789365 | pkcs11d CPU usage increases after running nethsm self validation test | 14.1.2.3 |
772545-3 | 3-Major | BT772545 | Tmm core in SSLO environment | 13.1.3.6, 14.1.2.3, 15.0.1.1 |
765517-1 | 3-Major | BT765517 | Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN | 14.1.2.3, 15.0.1.4 |
761185-2 | 3-Major | K50375550, BT761185 | Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic | 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
760771-1 | 3-Major | BT760771 | FastL4-steered traffic might cause SSL resume handshake delay | 13.1.3, 14.1.2.3 |
758992-2 | 3-Major | BT758992 | The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address | 13.1.3.2, 14.1.2.3, 15.0.1.3 |
758872-3 | 3-Major | BT758872 | TMM memory leak | 12.1.5, 13.1.3.4, 14.1.2.3 |
758655-1 | 3-Major | BT758655 | TMC does not allow inline addresses with non-zero Route-domain. | 14.1.2.3 |
753514-3 | 3-Major | BT753514 | Large configurations containing LTM Policies load slowly | 13.1.3, 14.0.1.1, 14.1.2.3 |
749689-2 | 3-Major | BT749689 | HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart | 13.1.1.5, 14.1.2.3 |
726176-2 | 3-Major | BT726176 | Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
712919-2 | 3-Major | K54802336, BT712919 | Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server. | 13.1.3, 14.0.1.1, 14.1.2.3 |
687887-3 | 3-Major | BT687887 | Unexpected result from multiple changes to a monitor-related object in a single transaction | 12.1.5.3, 13.1.3.2, 14.1.2.3 |
824365-3 | 4-Minor | BT824365 | Need informative messages for HTTP iRule runtime validation errors | 13.1.3.6, 14.1.2.3, 15.0.1.1, 15.1.0.2 |
806085-2 | 4-Minor | BT806085 | In-TMM MQTT monitor is not working as expected | 14.1.2.3, 15.0.1.1 |
791337-1 | 4-Minor | BT791337 | Traffic matching criteria fails when using shared port-list with virtual servers | 14.1.2.3 |
769309-2 | 4-Minor | BT769309 | DB monitor reconnects to server on every probe when count = 0 | 12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1 |
754003-3 | 4-Minor | K73202036, BT754003 | Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate | 13.1.3.2, 14.1.2.3, 15.0.1.3 |
747628-1 | 4-Minor | BT747628 | BIG-IP sends spurious ICMP PMTU message to server | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
744210-2 | 4-Minor | BT744210 | DHCPv6 does not have the ability to override the hop limit from the client. | 13.1.3.2, 14.1.2.3 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
776133-1 | 2-Critical | BT776133 | RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices | 14.1.2.3 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
761032-2 | 3-Major | K36328238, BT761032 | TMSH displays TSIG keys | 13.1.3.2, 14.0.1.1, 14.1.2.3 |
760471-3 | 3-Major | BT760471 | GTM iQuery connections may be reset during SSL key renegotiation. | 12.1.5.2, 13.1.3.5, 14.1.2.3, 15.0.1.4, 15.1.0.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
813945-3 | 2-Critical | BT813945 | PB core dump while processing many entities | 13.1.3.2, 14.1.2.3 |
813389-1 | 2-Critical | BT813389 | TMM Crashes upon failure in Bot Defense Client-Side code | 14.1.2.3 |
791669 | 2-Critical | BT791669 | TMM might crash when Bot Defense is configured for multiple domains | 14.1.2.3, 15.1.4, 16.0.1.2 |
790349-2 | 2-Critical | BT790349 | merged crash with a core file | 14.1.2.3 |
756108-1 | 2-Critical | BT756108 | BD crash on specific cases | 14.1.2.3 |
754109-1 | 2-Critical | BT754109 | ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive | 13.1.3.4, 14.1.2.3 |
832857 | 3-Major | BT832857 | Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log | 14.1.2.3 |
832205 | 3-Major | BT832205 | ASU cannot be completed after Signature Systems database corruption following binary Policy import | 12.1.5.1, 14.1.2.3 |
831661-2 | 3-Major | BT831661 | ASMConfig Handler undergoes frequent restarts | 12.1.5.1, 14.1.2.3 |
824101-1 | 3-Major | BT824101 | Request Log export file is not visible for requests including binary data | 14.1.2.3 |
824037-2 | 3-Major | BT824037 | Bot Defense whitelists do not apply for IP 'Any' when using route domains | 14.1.2.3 |
812341-2 | 3-Major | BT812341 | Patch or Delete commands take a long time to complete when modifying an ASM signature set. | 13.1.3.2, 14.1.2.3 |
805353-1 | 3-Major | BT805353 | ASM reporting for WebSocket frames has empty username field | 14.1.2.3 |
800453-3 | 3-Major | K72252057, BT800453 | False positive virus violations | 13.1.3.2, 14.1.2.3, 15.0.1.3 |
793017-1 | 3-Major | BT793017 | Files left behind by failed Attack Signature updates are not cleaned | 14.1.2.3, 15.1.0.2 |
786913-2 | 3-Major | BT786913 | Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7 | 14.1.2.3 |
783513-2 | 3-Major | BT783513 | ASU is very slow on device with hundreds of policies due to logging profile handling | 13.1.3.2, 14.1.2.3 |
781021-2 | 3-Major | BT781021 | ASM modifies cookie header causing it to be non-compliant with RFC6265 | 14.1.2.3 |
778681-2 | 3-Major | BT778681 | Factory-included Bot Signature update file cannot be installed without subscription★ | 14.1.2.3, 15.0.1.1 |
754841-1 | 3-Major | BT754841 | Policy updates stall and never complete | 14.1.2.3 |
754425-1 | 3-Major | BT754425 | Exported requests cannot be opened in Internet Explorer or Edge browser | 14.1.2.3 |
739618-2 | 3-Major | BT739618 | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy | 13.1.3.2, 14.1.2.3, 15.1.0.2 |
734228 | 3-Major | BT734228 | False-positive illegal-length violation can appear | 13.1.1.4, 14.0.1.1, 14.1.2.3 |
795769-3 | 4-Minor | BT795769 | Incorrect value of Systems in system-supplied signature sets | 14.1.2.3, 15.0.1.1 |
789817-1 | 4-Minor | BT789817 | In rare conditions info fly-out not shown | 14.1.2.3, 15.0.1.4 |
760462-1 | 4-Minor | BT760462 | Live update notification is shown only for provisioned/licensed modules | 14.1.2.3 |
758459-1 | 4-Minor | BT758459 | Cross origin AJAX requests are blocked by Cross-Origin Resource Sharing (CORS) protection | 14.1.2.3 |
620301-1 | 4-Minor | BT620301 | Policy import fails due to missing signature System in associated Signature Set | 12.1.5.1, 14.1.2.3 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
781581-3 | 3-Major | BT781581 | Monpd uses excessive memory on requests for network_log data | 13.1.3.2, 14.1.2.3, 15.0.1.3 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
757782-1 | 2-Critical | BT757782 | OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default | 14.0.1.1, 14.1.2.3 |
825805-1 | 3-Major | BT825805 | NTLM Auth may fail due to incorrect handling of EPM response★ | 14.1.2.3, 15.0.1.3 |
766577-2 | 3-Major | BT766577 | APMD fails to send response to client and it already closed connection. | 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1 |
756363-1 | 3-Major | BT756363 | SSLO or SWG connections using proxy chaining to Explicit Proxy can get reset | 14.1.2.3 |
741222-2 | 3-Major | BT741222 | Install epsec1.0.0 into software partition.★ | 14.1.2.3, 15.0.1.3 |
643935-4 | 3-Major | BT643935 | Rewriting may cause an infinite loop while processing some objects | 13.1.3.2, 14.0.1.1, 14.1.2.3 |
WebAccelerator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
833213-3 | 3-Major | BT833213 | Conditional requests are served incorrectly with AAM policy in webacceleration profile | 13.1.3.4, 14.1.2.3, 15.0.1.3, 15.1.3 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
802865-1 | 3-Major | BT802865 | The iControl REST query request returning empty list for DoS Protected Objects | 14.1.2.3 |
761345-3 | 3-Major | BT761345 | Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode | 13.1.3.2, 14.1.2.3 |
738284-2 | 3-Major | BT738284 | Creating or deleting rule list results in warning message: Schema object encode failed | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
821133-2 | 3-Major | BT821133 | Wrong wildcard URL matching when none of the configured URLS include QS | 14.0.1.1, 14.1.2.3, 15.0.1.1 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
748813-3 | 2-Critical | BT748813 | tmm cores under stress test on virtual server with DoS profile with admd enabled | 13.1.1.4, 14.0.0.5, 14.1.2.3 |
767045-2 | 3-Major | BT767045 | TMM cores while applying policy | 13.1.3.2, 14.1.2.3 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
787845 | 4-Minor | BT787845 | Tmsh command 'show running-config' fails when Protocol Inspection is not licensed. | 14.1.2.3 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
777241-2 | 3-Major | BT777241 | smtps partial_conncount issues and unexpected resets | 14.1.2.3 |
Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
741163-3 | CVE-2018-3693 | K54252492, BT741163 | RHEL7: Kernel CVE-2018-3693 | 14.1.2.2 |
740755-6 | CVE-2018-3620 | K95275140, BT740755 | Kernel vulnerability: CVE-2018-3620 | 14.1.2.2 |
721319-1 | CVE-2018-3639 | K29146534, BT721319 | CVE-2018-3639 | 14.1.2.2 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
815689-3 | 3-Major | BT815689 | Azure walinuxagent has been updated to v2.2.42. | 14.1.2.2 |
760574 | 3-Major | BT760574 | Updating BIG-IP 14.1.x Linux kernel to RHEL7.5 | 14.1.2.2 |
760468 | 3-Major | BT760468 | Route domains cause diskmonitor errors in logs | 14.1.2.2 |
Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
795437-4 | CVE-2019-6677 | K06747393, BT795437 | Improve handling of TCP traffic for iRules | 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
795197-1 | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | K26618426, BT795197 | Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
781377-2 | CVE-2019-6681 | K93417064, BT781377 | tmrouted may crash while processing Multicast Forwarding Cache messages | 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4 |
778077-3 | CVE-2019-6680 | K53183580, BT778077 | Virtual to virtual chain can cause TMM to crash | 11.6.5.1, 12.1.5.1, 13.1.3.4, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
771873-5 | CVE-2019-6642 | K40378764, BT771873 | TMSH Hardening | 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
767653-1 | CVE-2019-6660 | K23860356, BT767653 | Malformed HTTP request can result in endless loop in an iRule script | 13.1.3, 14.0.1.1, 14.1.2.1 |
636400-3 | CVE-2019-6665 | K26462555, BT636400 | CPB (BIG-IP->BIGIQ log node) Hardening | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1, 15.1.0.2 |
810657-2 | CVE-2019-6674 | K21135478, BT810657 | Tmm core while using service chaining for SSLO | 14.1.2.1, 15.0.1.1 |
809165-2 | CVE-2020-5854 | K50046200, BT809165 | TMM may crash while processing connector traffic | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4 |
808525-2 | CVE-2019-6686 | K55812535, BT808525 | TMM may crash while processing Diameter traffic | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4 |
795797-2 | CVE-2019-6658 | K21121741, BT795797 | AFM WebUI Hardening | 12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1 |
788773-2 | CVE-2019-9515 | K50233772, BT788773 | HTTP/2 Vulnerability: CVE-2019-9515 | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
788769-2 | CVE-2019-9514 | K01988340, BT788769 | HTTP/2 Vulnerability: CVE-2019-9514 | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
788033 | CVE-2020-5851 | K91171450, BT788033 | tpm-status may return "Invalid" after engineering hotfix installation | 14.0.1.1, 14.1.2.1, 15.0.1.1 |
781449-2 | CVE-2019-6672 | K14703097, BT781449 | Increase efficiency of sPVA DoS protection on wildcard virtual servers | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
777737-3 | CVE-2019-6671 | K39225055, BT777737 | TMM may consume excessive resources when processing IP traffic | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
773673-2 | CVE-2019-9512 | K98053339, BT773673 | HTTP/2 Vulnerability: CVE-2019-9512 | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
768981-2 | CVE-2019-6670 | K05765031, BT768981 | VCMP Hypervisor Hardening | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
761014-2 | CVE-2019-6669 | K11447758, BT761014 | TMM may crash while processing local traffic | 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
758018-5 | CVE-2019-6661 | K61705126, BT758018 | APD/APMD may consume excessive resources | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1 |
756458-3 | CVE-2018-18559 | K28241423, BT756458 | Linux kernel vulnerability: CVE-2018-18559 | 13.1.3.4, 14.1.2.1, 15.0.1.4 |
756218-1 | CVE-2019-6654 | K45644893, BT756218 | Improve default management port firewall | 14.1.2.1 |
751152-1 | CVE-2018-5407 | K49711130, BT751152 | OpenSSL Vulnerability: CVE-2018-5407 | 14.1.2.1 |
751143-1 | CVE-2018-5407 | K49711130, BT751143 | OpenSSL Vulnerability: CVE-2018-5407 | 14.1.2.1 |
745103-6 | CVE-2018-7159 | K27228191, BT745103 | NodeJS Vulnerability: CVE-2018-7159 | 13.1.3.4, 14.1.2.1, 15.0.1.3 |
798249-2 | CVE-2019-6673 | K81557381, BT798249 | TMM may crash while processing HTTP/2 requests | 14.1.2.1, 15.0.1.1 |
779177-2 | CVE-2019-19150 | K37890841, BT779177 | Apmd logs "client-session-id" when access-policy debug log level is enabled | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3 |
759536-2 | CVE-2019-8912 | K31739796, BT759536 | Linux kernel vulnerability: CVE-2019-8912 | 13.1.3.4, 14.1.2.1, 15.0.1.1 |
757617-1 | CVE-2018-16864, CVE-2018-16865 | K06044762, BT757617 | Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865 | 14.1.2.1, 15.0.1.4 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
759135-2 | 3-Major | BT759135 | AVR report limits are locked at 1000 transactions | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
714292-3 | 3-Major | BT714292 | Transparent forwarding mode across multiple VLAN groups or virtual-wire | 14.1.2.1 |
788269-3 | 4-Minor | BT788269 | Adding toggle to disable AVR widgets on device-groups | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
793045-2 | 2-Critical | BT793045 | File descriptor leak in net-snmpd while reading /shared/db/cluster.conf | 14.1.2.1, 15.0.1.1 |
770953 | 2-Critical | BT770953 | 'smbclient' executable does not work | 14.1.2.1 |
767877-3 | 2-Critical | BT767877 | TMM core with Bandwidth Control on flows egressing on a VLAN group | 14.1.2.1, 15.0.1.1 |
765533-2 | 2-Critical | K58243048, BT765533 | Sensitive information logged when DEBUG logging enabled | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.1 |
760475-1 | 2-Critical | BT760475 | Apache spawns more processes than the configured limit, causing system low memory condition | 14.1.2.1 |
755575-1 | 2-Critical | BT755575 | In MOS, the 'image2disk' utility with the '-format' option does not function properly | 14.1.2.1 |
726240-1 | 2-Critical | BT726240 | 'Cannot find disk information' message when running Configuration Utility★ | 14.1.2.1 |
788557-5 | 3-Major | BT788557 | BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior | 11.6.5.2, 13.1.3.2, 14.1.2.1, 15.0.1.1 |
788301-5 | 3-Major | K58243048, BT788301 | SNMPv3 Hardening | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
777261-4 | 3-Major | BT777261 | When SNMP cannot locate a file it logs messages repeatedly | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
766873 | 3-Major | BT766873 | Omission of lower-layer types from sFlow packet samples | 14.1.2.1 |
761993-2 | 3-Major | BT761993 | The nsm process may crash if it detects a nexthop mismatch | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
761933-1 | 3-Major | BT761933 | Reboot with 'tmsh reboot' does not log message in /var/log/audit | 14.1.2.1 |
761160-2 | 3-Major | | OpenSSL vulnerability: CVE-2019-1559 | 14.1.2.1, 15.0.1.1 |
760998-1 | 3-Major | BT760998 | F5.ip_forwarding iAPP fails to deploy | 14.1.2.1 |
759814-1 | 3-Major | BT759814 | Unable to view iApp component view★ | 14.1.2.1 |
758119-6 | 3-Major | K58243048, BT758119 | qkview may contain sensitive information | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
747592-1 | 3-Major | | PHP vulnerability CVE-2018-17082 | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1 |
724109-2 | 3-Major | BT724109 | Manual config-sync fails after pool with FQDN pool members is deleted | 12.1.5.3, 13.1.3.2, 14.1.2.1, 15.0.1.1 |
680917-5 | 3-Major | BT680917 | Invalid monitor rule instance identifier | 12.1.5.3, 13.1.3.2, 14.1.2.1 |
648621-6 | 3-Major | BT648621 | SCTP: Multihome connections may not expire | 11.6.5.3, 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.4 |
776073-1 | 4-Minor | BT776073 | OOM killer killing tmm in system low memory condition as process OOM score is high | 14.1.2.1, 15.0.1.1 |
760680-1 | 4-Minor | K36350541, BT760680 | TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed. | 14.1.2.1, 15.0.1.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
759968-3 | 1-Blocking | BT759968 | Distinct vCMP guests are able to cluster with each other. | 12.1.5, 13.1.3, 14.1.2.1, 15.0.1.1 |
803845-2 | 2-Critical | BT803845 | When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown | 14.1.2.1 |
787825-2 | 2-Critical | K58243048, BT787825 | Database monitors debug logs have plaintext password printed in the log file | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
774913-1 | 2-Critical | BT774913 | IP-based bypass can fail if SSL ClientHello is not accepted | 14.1.2.1, 15.0.1.3 |
760078-1 | 2-Critical | BT760078 | Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet. | 14.1.2.1 |
758714-1 | 2-Critical | BT758714 | Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports. | 14.1.2.1 |
757578-2 | 2-Critical | BT757578 | RAM cache is not compatible with verify-accept | 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.1 |
757441-4 | 2-Critical | BT757441 | Specific sequence of packets causes Fast Open to be effectively disabled | 13.1.3, 14.0.1.1, 14.1.2.1 |
755585-1 | 2-Critical | BT755585 | mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction | 13.1.3, 14.1.2.1 |
747858-2 | 2-Critical | BT747858 | OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires | 14.1.2.1 |
746710-1 | 2-Critical | BT746710 | Use of HTTP::cookie after HTTP::disable causes TMM core | 13.1.3, 14.1.2.1 |
737985-2 | 2-Critical | BT737985 | BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode. | 14.1.2.1 |
734551-3 | 2-Critical | BT734551 | L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server | 14.1.2.1 |
801497-2 | 3-Major | BT801497 | Virtual wire with LACP pinning to one link in trunk. | 14.1.2.1, 15.1.1 |
798105-1 | 3-Major | BT798105 | Node Connection Limit Not Honored | 14.1.2.1, 15.0.1.4 |
794581 | 3-Major | BT794581 | Transfer might stall for an object served from WAM cache | 14.1.2.1 |
788325-2 | 3-Major | K39794285, BT788325 | Header continuation rule is applied to request/response line | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
787433-3 | 3-Major | BT787433 | SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed | 14.1.2.1 |
784713-3 | 3-Major | BT784713 | When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct | 14.1.2.1 |
773821-1 | 3-Major | BT773821 | Certain plaintext traffic may cause SSLO to hang | 14.1.2.1, 15.0.1.3 |
773421-1 | 3-Major | BT773421 | Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied | 12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1 |
769801-1 | 3-Major | BT769801 | Internal tmm UDP filter does not set checksum | 14.1.2.1, 15.0.1.1, 15.0.1.3 |
761385-1 | 3-Major | BT761385 | Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire. | 14.1.2.1 |
761381-1 | 3-Major | BT761381 | Incorrect MAC Address observed in L2 asymmetric virtual wire | 14.1.2.1 |
754525-1 | 3-Major | BT754525 | Disabled virtual server accepts and serves traffic after restart | 14.1.2.1, 15.0.1.1 |
748891-2 | 3-Major | BT748891 | Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system. | 14.1.2.1 |
742237-4 | 3-Major | BT742237 | CPU spikes appear wider than actual in graphs | 12.1.5, 13.1.3.2, 14.1.2.1 |
719300-3 | 3-Major | BT719300 | ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address | 14.1.2.1 |
689361-4 | 3-Major | BT689361 | Configsync can change the status of a monitored pool member | 12.1.5.2, 13.1.3.2, 14.1.2.1 |
751586 | 4-Minor | BT751586 | Http2 virtual does not honour translate-address disabled | 12.1.4.1, 13.1.3.4, 14.1.2.1, 15.1.4 |
747585-3 | 4-Minor | BT747585 | TCP Analytics supports ANY protocol number | 12.1.5, 13.1.3.4, 14.1.2.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
783849-2 | 3-Major | BT783849 | DNSSEC Key Generations are not imported to secondary FIPS card | 14.1.2.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
781637-2 | 3-Major | BT781637 | ASM brute force counts unnecessary failed logins for NTLM | 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
781605-3 | 3-Major | BT781605 | Fix RFC issue with the multipart parser | 11.6.5.3, 12.1.6, 13.1.3, 14.1.2.1, 15.0.1.1 |
781069-2 | 3-Major | BT781069 | Bot Defense challenge blocks requests with long Referer headers | 13.1.3, 14.1.2.1, 15.0.1.1 |
773553-2 | 3-Major | BT773553 | ASM JSON parser false positive. | 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
769997-1 | 3-Major | BT769997 | ASM removes double quotation characters on cookies | 14.1.2.1, 15.0.1.1 |
769981-2 | 3-Major | BT769981 | bd crashes in a specific scenario | 13.1.3, 14.1.2.1, 15.0.1.1 |
764373-3 | 3-Major | BT764373 | 'Modified domain cookie' violation with multiple enforced domain cookies with different paths | 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
753711-1 | 3-Major | BT753711 | Copied policy does not retain signature staging | 14.1.2.1 |
751710-4 | 3-Major | BT751710 | False positive cookie hijacking violation | 13.1.1.5, 14.0.0.5, 14.1.2.1 |
746394-1 | 3-Major | BT746394 | With ASM CORS set to 'Disabled' it strips all CORS headers in response. | 14.0.1.1, 14.1.2.1 |
745802-1 | 3-Major | BT745802 | Brute Force CAPTCHA response page truncates last digit in the support id | 13.1.1.4, 14.0.0.5, 14.1.2.1 |
727107-4 | 3-Major | BT727107 | Request Logs are not stored locally due to shmem pipe blockage | 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
803445-3 | 4-Minor | BT803445 | When adding several mitigation exceptions, the previously configured actions revert to the default action | 14.1.2.1, 15.0.1.1 |
772473-3 | 4-Minor | BT772473 | Request reconstruct issue after challenge | 14.0.1.1, 14.1.2.1, 15.0.1.1 |
761088-1 | 4-Minor | BT761088 | Remove policy editing restriction in the GUI while auto-detect language is set | 14.1.2.1, 15.0.1.1 |
695878-2 | 4-Minor | BT695878 | Signature enforcement issue on specific requests | 11.5.6, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
761749-2 | 2-Critical | BT761749 | Security pages unavailable after switching RT mode on and off a few times | 14.1.2.1 |
797785-2 | 3-Major | BT797785 | AVR reports no ASM-Anomalies data. | 13.1.3.2, 14.1.2.1, 15.0.1.3 |
792265-3 | 3-Major | BT792265 | Traffic logs do not include the BIG-IQ tags | 13.1.3.2, 14.1.2.1, 15.0.1.3 |
773925-2 | 3-Major | BT773925 | Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files | 14.1.2.1 |
765785-3 | 3-Major | BT765785 | Monpd core upon "bigstart stop monpd" while Real Time reporting is running | 14.1.2.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
811145-2 | 2-Critical | BT811145 | VMware View resources with SAML SSO are not working | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
797541-1 | 2-Critical | BT797541 | NTLM Auth may fail when user's information contains SIDS array | 14.1.2.1, 15.0.1.1 |
784989-2 | 2-Critical | BT784989 | TMM may crash with panic message: Assertion 'cookie name exists' failed | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
777173-2 | 2-Critical | BT777173 | Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
821369 | 3-Major | BT821369 | Incomplete Action 'Deny' does not take effect for HTTP-Connect | 14.1.2.1 |
788417-2 | 3-Major | BT788417 | Remote Desktop client on macOS may show resource auth token on credentials prompt | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
787477-2 | 3-Major | BT787477 | Export fails from partitions with '-' as second character | 13.1.3.2, 14.1.2.1 |
786173-1 | 3-Major | BT786173 | UI becomes unresponsive when accessing Access active session information | 14.1.2.1, 15.0.1.1 |
783817-2 | 3-Major | BT783817 | UI becomes unresponsive when accessing Access active session information | 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
782569-1 | 3-Major | BT782569 | SWG limited session limits on SSLO deployments | 14.1.2.1, 15.0.1.1 |
775621-2 | 3-Major | BT775621 | urldb memory grows past the expected ~3.5GB | 13.1.3, 14.1.2.1, 15.0.1.3 |
769853-2 | 3-Major | K24241590, BT769853 | Access Profile option to restrict connections from a single client IP is not honored for native RDP resources | 14.0.1.1, 14.1.2.1, 15.0.1.1 |
756777-1 | 3-Major | BT756777 | VDI plugin might crash on process shutdown during RDG connections handling | 14.1.2.1 |
750823-1 | 3-Major | BT750823 | Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD | 13.1.3, 14.1.2.1 |
749161-2 | 3-Major | | Problem sync policy contains non-ASCII characters | 13.1.3, 14.1.2.1 |
746768-4 | 3-Major | BT746768 | APMD leaks memory if access policy contains variable/resource assign policy items | 12.1.4.1, 13.1.1.4, 14.1.2.1 |
697590-2 | 3-Major | BT697590 | APM iRule ACCESS::session remove fails outside of Access events | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
781445-1 | 4-Minor | BT781445 | Named or dnscached cannot bind to IPv6 address | 14.1.2.1 |
759579-1 | 4-Minor | BT759579 | Full Webtop: 'URL Entry' field is available again | 14.1.2.1 |
756019-1 | 4-Minor | BT756019 | OAuth JWT Issuer claim requires URI format | 14.1.2.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
811745-2 | 3-Major | BT811745 | Failover between clustered DIAMETER devices can cause mirror connections to be disconnected | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
804313-2 | 3-Major | BT804313 | MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. | 13.1.3.4, 14.1.2.1, 15.0.1.2 |
761685-3 | 3-Major | BT761685 | Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set | 14.0.1.1, 14.1.2.1, 15.0.1.4 |
750431-1 | 3-Major | BT750431 | Persistence record is deleted in MRF SIP after updating timeout value with the iRule 'SIP::persist timeout' | 14.1.2.1 |
748253-1 | 3-Major | BT748253 | Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection | 13.1.3, 14.1.2.1 |
786565-2 | 4-Minor | BT786565 | MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded | 14.1.2.1, 15.0.1.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
938149-3 | 3-Major | BT938149 | Port Block Update log message is missing the "Start time" field | 14.1.2.1, 15.1.2, 16.0.1.1 |
800209-1 | 3-Major | BT800209 | The tmsh recursive list command includes DDoS GUI-specific data info | 14.1.2.1 |
780837-1 | 3-Major | BT780837 | Firewall rule list configuration causes config load failure | 14.1.2.1, 15.0.1.4 |
761234-2 | 3-Major | BT761234 | Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached | 14.1.2.1, 15.0.1.1 |
760355 | 4-Minor | BT760355 | Firewall rule to block ICMP/DHCP from 'required' to 'default'★ | 14.1.2.1, 15.0.1.1 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
760438-3 | 3-Major | BT760438 | PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions | 13.1.3, 14.1.2.1 |
759192-3 | 3-Major | BT759192 | TMM core during display of PEM session under some specific conditions | 13.1.3, 14.0.1.1, 14.1.2.1 |
756311-4 | 3-Major | BT756311 | High CPU during erroneous deletion | 13.1.3, 14.0.1.1, 14.1.2.1 |
753163-4 | 3-Major | BT753163 | PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days | 13.1.3, 14.1.2.1 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
804185-2 | 3-Major | BT804185 | Some WebSafe request signatures may not work as expected | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
783565-2 | 3-Major | BT783565 | Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP | 14.1.2.1, 15.0.1.1 |
775013-2 | 3-Major | BT775013 | TIME EXCEEDED alert has insufficient data for analysis | 13.1.3, 14.1.2.1, 15.0.1.1 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
803477-2 | 3-Major | BT803477 | BaDoS State file load failure when signature protection is off | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
759439-1 | 2-Critical | BT759439 | Unable to attach default SSL and FTP profiles to virtual server | 14.0.1.1, 14.1.2.1, 15.0.1.1 |
781313-1 | 3-Major | BT781313 | AVR dashboard displays incorrect client/server bytes-in/bytes-out stats | 14.1.2.1, 15.0.1.3 |
Cumulative fixes from BIG-IP v14.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
773649-6 | CVE-2019-6656 | K23876153, BT773649 | APM Client Logging | 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.2, 15.0.1.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
771705-1 | 3-Major | BT771705 | You may not be able to log into BIG-IP Cloud Edition if FSCK fails | 14.1.2 |
754875-1 | 3-Major | BT754875 | Enable FIPS 140-2 Level 1 Compliant Mode in PAYG VE images on first boot | 14.1.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
808129-1 | 2-Critical | BT808129 | Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS. | 14.1.2, 15.0.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
753485-1 | 2-Critical | K50285521, BT753485 | AVR global settings are being overridden by high availability (HA) peers | 13.1.3, 14.1.2, 15.0.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
757306-3 | 3-Major | BT757306 | SNMP MIBS for AFM NAT do not yet exist | 13.1.3, 14.1.2, 15.0.1 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
794285 | 1-Blocking | K36191493, BT794285 | BIG-IQ reading AFM configuration fails with status 400 | 14.1.2 |
Cumulative fixes from BIG-IP v14.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
807477-10 | CVE-2019-6650 | K04280042, BT807477 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
797885-2 | CVE-2019-6649 | K05123525, BT797885 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
796469-6 | CVE-2019-6649 | K05123525, BT796469 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
810557-8 | CVE-2019-6649 | K05123525, BT810557 | ASM ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
809377-6 | CVE-2019-6649 | K05123525 | AFM ConfigSync Hardening | 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
799617-2 | CVE-2019-6649 | K05123525, BT799617 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
799589-2 | CVE-2019-6649 | K05123525, BT799589 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
794389-6 | CVE-2019-6651 | K89509323, BT794389 | iControl REST endpoint response inconsistency | 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
794413-2 | CVE-2019-6471 | K10092301, BT794413 | BIND vulnerability CVE-2019-6471 | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
793937-1 | CVE-2019-6664 | K03126093, BT793937 | Management Port Hardening | 14.1.2, 15.0.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
744937-8 | 3-Major | K00724442, BT744937 | BIG-IP DNS and GTM DNSSEC security exposure | 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
798949-3 | 3-Major | BT798949 | Config-Sync fails when Config-Sync IP configured to management IP | 14.1.2, 15.0.1 |
760622-3 | 3-Major | BT760622 | Allow Device Certificate renewal from BIG-IP Configuration Utility | 15.1.0.5 |
760363-1 | 3-Major | BT760363 | Update Alias Address field with default placeholder text | 13.1.3.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
811333-2 | 3-Major | BT811333 | Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile★ | 14.1.2, 15.0.1 |
Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
769361-2 | CVE-2019-6630 | K33444350, BT769361 | TMM may crash while processing SSLO traffic | 14.0.0.5, 14.1.0.6 |
767401-1 | CVE-2019-6629 | K95434410, BT767401 | TMM may crash while processing TLS traffic | 14.1.0.6 |
759343-6 | CVE-2019-6668 | K49827114, BT759343 | MacOS Edge Client installer does not follow best security practices | 11.6.5.1, 12.1.5.1, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
758909-1 | CVE-2019-6628 | K04730051, BT758909 | TMM may crash while processing PEM traffic | 14.0.0.5, 14.1.0.6 |
758065-4 | CVE-2019-6667 | K82781208, BT758065 | TMM may consume excessive resources while processing FIX traffic | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
757084-2 | CVE-2019-6627 | K00432398, BT757084 | Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled | 14.1.0.6 |
757023-2 | CVE-2018-5743 | K74009656, BT757023 | BIND vulnerability CVE-2018-5743 | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
756538-4 | CVE-2019-6645 | K15759349, BT756538 | Failure to open data channel for active FTP connections mirrored across a high availability (HA) pair. | 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6 |
754944-1 | CVE-2019-6626 | K00432398, BT754944 | AVR reporting UI does not follow best practices | 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
754345-2 | CVE-2019-6625 | K79902360, BT754345 | WebUI does not follow best security practices | 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
754103-1 | CVE-2019-6644 | K75532331, BT754103 | iRulesLX NodeJS daemon does not follow best security practices | 12.1.4.1, 13.1.3, 14.0.0.5, 14.1.0.6 |
753975-2 | CVE-2019-6666 | K92411323, BT753975 | TMM may crash while processing HTTP traffic with webacceleration profile | 13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
753776-2 | CVE-2019-6624 | K07127032, BT753776 | TMM may consume excessive resources when processing UDP traffic | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
748502-1 | CVE-2019-6623 | K72335002, BT748502 | TMM may crash when processing iSession traffic | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
737731-6 | CVE-2019-6622 | K44885536, BT737731 | iControl REST input sanitization | 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
737574-6 | CVE-2019-6621 | K20541896, BT737574 | iControl REST input sanitization★ | 11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
737565-6 | CVE-2019-6620 | K20445457, BT737565 | iControl REST input sanitization | 11.6.5.1, 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
726393-2 | CVE-2019-6643 | K36228121, BT726393 | DHCPRELAY6 can lead to a tmm crash | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6 |
726327 | CVE-2018-12120 | K37111863, BT726327 | NodeJS debugger accepts connections from any host | 13.1.1.5, 14.1.0.6 |
757455-2 | CVE-2019-6647 | K87920510, BT757455 | Excessive resource consumption when processing REST requests | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6 |
753796-1 | CVE-2019-6640 | K40443301 | SNMP does not follow best security practices | 11.5.9, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
750460-1 | CVE-2019-6639 | K61002104, BT750460 | Subscriber management configuration GUI | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
750298-1 | CVE-2019-6638 | K67825238, BT750298 | iControl REST may fail while processing requests | 14.0.0.5, 14.1.0.6 |
750187-1 | CVE-2019-6637 | K29149494, BT750187 | ASM REST may consume excessive resources | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
745371-1 | CVE-2019-6636 | K68151373, BT745371 | AFM GUI does not follow best security practices | 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
745257-1 | CVE-2018-14634 | K20934447, BT745257 | Linux kernel vulnerability: CVE-2018-14634 | 11.6.4, 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
742226-6 | CVE-2019-6635 | K11330536, BT742226 | TMSH platform_check utility does not follow best security practices | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
710857-5 | CVE-2019-6634 | K64855220 | iControl requests may cause excessive resource usage | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
702469-7 | CVE-2019-6633 | K73522927, BT702469 | Appliance mode hardening in scp | 11.6.5.1, 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
673842-6 | CVE-2019-6632 | K01413496, BT673842 | VCMP does not follow best security practices | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
773653-6 | CVE-2019-6656 | K23876153, BT773653 | APM Client Logging | 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
773641-6 | CVE-2019-6656 | K23876153, BT773641 | APM Client Logging | 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
773637-6 | CVE-2019-6656 | K23876153, BT773637 | APM Client Logging | 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
773633-6 | CVE-2019-6656 | K23876153, BT773633 | APM Client Logging | 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
773621-6 | CVE-2019-6656 | K23876153, BT773621 | APM Client Logging | 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
749704-2 | 4-Minor | BT749704 | GTPv2 Serving-Network field with mixed MNC digits | 13.1.3, 14.0.1.1, 14.1.0.6 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
774445-1 | 1-Blocking | K74921042, BT774445 | BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2 | 13.1.3, 14.0.0.5, 14.1.0.6 |
789993-1 | 2-Critical | BT789993 | Failure when upgrading to 15.0.0 with config move and static management-ip. | 14.1.0.6, 15.0.1.4 |
773677-1 | 2-Critical | K72255850, BT773677 | BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase★ | 14.1.0.6 |
769809-4 | 2-Critical | BT769809 | The vCMP guests 'INOPERATIVE' after upgrade | 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6 |
765801 | 2-Critical | BT765801 | WCCP service info field corrupted in upgrade to 14.1.0 final★ | 14.1.0.6 |
760573-1 | 2-Critical | K00730586, BT760573 | TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0★ | 14.1.0.6 |
760508-1 | 2-Critical | K91444000, BT760508 | On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist★ | 14.1.0.6 |
760408-3 | 2-Critical | BT760408 | System Integrity Status: Invalid after BIOS update★ | 13.1.3, 14.0.0.5, 14.1.0.6 |
760164-1 | 2-Critical | BT760164 | BIG-IP VE Compression Offload HA action requires modification of db variable | 14.1.0.6, 15.0.1.1 |
757722-2 | 2-Critical | BT757722 | Unknown notify message types unsupported in IKEv2 | 13.1.3, 14.0.1.1, 14.1.0.6 |
756402-2 | 2-Critical | BT756402 | Re-transmitted IPsec packets can have garbled contents | 13.1.3, 14.0.1.1, 14.1.0.6 |
756071-3 | 2-Critical | BT756071 | MCPD crash | 13.1.3, 14.0.1.1, 14.1.0.6 |
755254-1 | 2-Critical | K54339562, BT755254 | Remote auth: PAM_LDAP buffer too small errors★ | 14.1.0.6 |
753650-2 | 2-Critical | BT753650 | The BIG-IP system reports frequent kernel page allocation failures. | 13.1.3, 14.0.1.1, 14.1.0.6 |
750586-2 | 2-Critical | BT750586 | HSL may incorrectly handle pending TCP connections with elongated handshake time. | 12.1.5, 13.1.1.5, 14.1.0.6 |
743803-1 | 2-Critical | BT743803 | IKEv2 potential double free of object when async request queueing fails | 12.1.5, 13.1.1.4, 14.0.0.3, 14.1.0.6 |
741503-1 | 2-Critical | BT741503 | The BIG-IP system fails to load base config file when upgrading with static IPv4★ | 14.1.0.6 |
726487-4 | 2-Critical | BT726487 | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. | 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6 |
648270-1 | 2-Critical | BT648270 | mcpd can crash if viewing a fast-growing log file through the GUI | 11.6.5.2, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6 |
766365-1 | 3-Major | BT766365 | Some trunks created on VE platform stay down even when the trunk's interfaces are up | 14.1.0.6 |
766329-2 | 3-Major | BT766329 | SCTP connections do not reflect some SCTP profile settings | 14.1.0.6, 15.0.1.3 |
765033 | 3-Major | BT765033 | Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions★ | 11.6.5.1, 14.1.0.6 |
760597-1 | 3-Major | BT760597 | System integrity messages not logged | 14.1.0.6 |
760594 | 3-Major | BT760594 | On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details. | 14.1.0.6 |
758879 | 3-Major | BT758879 | BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot | 14.1.0.6 |
748206-1 | 3-Major | BT748206 | Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position | 13.1.1.4, 14.1.0.6 |
748187-4 | 3-Major | BT748187 | 'Transaction Not Found' Error on PATCH after Transaction has been Created | 12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
746657-1 | 3-Major | BT746657 | tmsh help for FQDN node or pool member shows incorrect default for fqdn interval | 14.1.0.6 |
745809-2 | 3-Major | BT745809 | The /var partition may become 100% full, requiring manual intervention to clear space | 13.1.1.4, 14.0.0.5, 14.1.0.6 |
740543-1 | 3-Major | BT740543 | System hostname not displayed in console | 14.1.0.6 |
725791-6 | 3-Major | K44895409, BT725791 | Potential HW/HSB issue detected | 11.6.5.2, 12.1.5.2, 13.1.1.5, 14.1.0.6 |
718405-2 | 3-Major | BT718405 | RSA signature PAYLOAD_AUTH mismatch with certificates | 13.1.1.4, 14.1.0.6 |
581921-5 | 3-Major | K22327083, BT581921 | Required files under /etc/ssh are not moved during a UCS restore | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
754500-2 | 4-Minor | BT754500 | GUI LTM Policy options disappearing | 14.1.0.6 |
726317-6 | 4-Minor | BT726317 | Improved debugging output for mcpd | 12.1.5, 13.1.3.4, 14.1.0.6 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
759723-1 | 2-Critical | BT759723 | Abnormally terminated connections on server side may cause client side streams to stall | 14.1.0.6 |
758465-1 | 2-Critical | BT758465 | TMM may crash or iRule processing might be incorrect | 14.1.0.6 |
756356-2 | 2-Critical | BT756356 | External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long | 14.1.0.6 |
753912-4 | 2-Critical | K44385170, BT753912 | UDP flows may not be swept | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
752930-3 | 2-Critical | BT752930 | Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state | 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
747727-1 | 2-Critical | BT747727 | HTTP Profile Request Header Insert Tcl error | 14.1.0.6 |
747239-1 | 2-Critical | BT747239 | TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection | 14.1.0.6 |
745533-6 | 2-Critical | | NodeJS Vulnerability: CVE-2016-5325 | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
741048-1 | 2-Critical | BT741048 | iRule execution order could change after editing the scripts | 14.1.0.6 |
766293-1 | 3-Major | BT766293 | Monitor logging fails on v14.1.0.x releases | 14.1.0.6 |
760550-5 | 3-Major | BT760550 | Retransmitted TCP packet has FIN bit set | 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6 |
758311-1 | 3-Major | BT758311 | Policy Compilation may cause MCPD to crash | 14.1.0.6 |
757985-1 | 3-Major | K79562045, BT757985 | TMM memory leak | 14.1.0.6 |
757698-1 | 3-Major | BT757698 | TMM crashes in certain situations in which iRule execution interleaves client side and server side flows | 14.1.0.6 |
756270-4 | 3-Major | BT756270 | SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle | 11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.1.0.6 |
754985-1 | 3-Major | BT754985 | Standby mirrored server SSL connections fail, and tmm may crash while processing mirrored TLS traffic | 14.1.0.6 |
752078-2 | 3-Major | BT752078 | Header Field Value String Corruption | 13.1.1.4, 14.1.0.6 |
749414-4 | 3-Major | BT749414 | Invalid monitor rule instance identifier error | 11.6.5.2, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6 |
747907-2 | 3-Major | BT747907 | Persistence records leak while the high availability (HA) mirror connection is down | 13.1.3.2, 14.1.0.6 |
742078-6 | 3-Major | BT742078 | Incoming SYNs are dropped and the connection does not time out. | 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
740959-4 | 3-Major | BT740959 | User with manager rights cannot delete FQDN node on non-Common partition | 12.1.5, 14.1.0.6 |
740345-3 | 3-Major | BT740345 | TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
696755-3 | 3-Major | BT696755 | HTTP/2 may truncate a response body when served from cache | 13.1.0.8, 14.1.0.6, 15.1.3, 16.0.1.2 |
696735-2 | 3-Major | BT696735 | TCP ToS Passthrough mode does not work correctly | 14.1.0.6 |
504522-4 | 3-Major | BT504522 | Trailing space present after 'tmsh ltm pool members monitor' attribute value | 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6 |
747968-3 | 4-Minor | BT747968 | DNS64 stats not increasing when requests go through DNS cache resolver | 11.6.5.3, 12.1.4.1, 13.1.1.5, 14.1.0.6 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
777937-3 | 1-Blocking | BT777937 | AWS ENA: packet drops due to bad checksum | 14.1.0.6, 15.0.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
759721-2 | 3-Major | K03332436, BT759721 | DNS GUI does not follow best practices | 13.1.3, 14.0.0.5, 14.1.0.6 |
749508-1 | 3-Major | BT749508 | LDNS and DNSSEC: Various OOM conditions need to be handled properly | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
749222-1 | 3-Major | BT749222 | dname compression offset overflow causes bad compression pointer | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
748902-5 | 3-Major | BT748902 | Incorrect handling of memory allocations while processing DNSSEC queries | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
746877-1 | 3-Major | BT746877 | Omitted check for success of memory allocation for DNSSEC resource record | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
744707-2 | 3-Major | BT744707 | Crash related to DNSSEC key rollover | 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6 |
723288-4 | 3-Major | BT723288 | DNS cache replication between TMMs does not always work for net dns-resolver | 11.6.5.3, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6 |
748177-1 | 4-Minor | BT748177 | Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character | 12.1.4.1, 13.1.1.5, 14.1.0.6 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
759360-2 | 2-Critical | BT759360 | Apply Policy fails due to policy corruption from previously enforced signature | 13.1.1.5, 14.1.0.6 |
749912-1 | 2-Critical | BT749912 | [BIG-IQ Integration] Deadlock occurs when adding multiple hostnames with transparent enforcement | 14.1.0.6 |
723790-3 | 2-Critical | BT723790 | Idle asm_config_server handlers consume a lot of memory | 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
765449-1 | 3-Major | | Update availability status may be inaccurate | 14.1.0.6 |
763001-1 | 3-Major | K70312000, BT763001 | Web-socket enforcement might lead to a false negative | 13.1.3, 14.0.1.1, 14.1.0.6 |
761941-1 | 3-Major | BT761941 | ASM does not remove CSRT token query parameter before forwarding a request to the backend server | 13.1.3, 14.0.1.1, 14.1.0.6 |
761194-2 | 3-Major | BT761194 | param data type violation on an Integer parameter, if an integer value is sent via websocket JSON | 14.1.0.6 |
760878-3 | 3-Major | BT760878 | Incorrect enforcement of explicit global parameters | 12.1.5, 13.1.1.5, 14.1.0.6 |
759483-1 | 3-Major | BT759483 | Message about HTTP status codes which are set by default disappeared from the UI | 14.0.0.5, 14.1.0.6 |
758085-1 | 3-Major | BT758085 | CAPTCHA Custom Response fails when using certain characters | 14.1.0.6 |
756418-1 | 3-Major | BT756418 | Live Update does not authenticate remote users | 14.1.0.6 |
742558-1 | 3-Major | BT742558 | Request Log export document fails to show some UTF-8 characters | 14.1.0.6 |
687759-3 | 3-Major | BT687759 | bd crash | 12.1.3.6, 13.1.0.8, 14.0.0.5, 14.1.0.6 |
774941-1 | 4-Minor | BT774941 | GUI misspelling in Bot Defense logging profile | 14.1.0.6 |
768761-2 | 4-Minor | BT768761 | Improved accept action description for suggestions to disable signature/enable metacharacter in policy | 13.1.3, 14.0.1.1, 14.1.0.6 |
766357-1 | 4-Minor | BT766357 | Two simultaneous manual installations can cause live-update inconsistency | 14.1.0.6 |
765413-1 | 4-Minor | BT765413 | ASM cluster syncs caused by PB ignored suggestions updates | 14.0.0.5, 14.1.0.6, 15.0.1.1 |
761921-1 | 4-Minor | BT761921 | avrd high CPU utilization due to perpetual connection attempts | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
761553-2 | 4-Minor | BT761553 | Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic | 13.1.3, 14.0.1.1, 14.1.0.6 |
761549-2 | 4-Minor | BT761549 | Traffic Learning: Accept and Stage action is shown only in case entity is not in staging | 13.1.3, 14.0.1.1, 14.1.0.6 |
761231-2 | 4-Minor | K79240502, BT761231 | Bot Defense Search Engines getting blocked after configuring DNS correctly | 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
759462-1 | 4-Minor | BT759462 | Site names and vulnerabilities cannot be retrieved from WhiteHat server | 14.1.0.6 |
755005-1 | 4-Minor | BT755005 | Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations | 12.1.5.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
750689-3 | 4-Minor | BT750689 | Request Log: Accept Request button available when not needed | 13.1.3, 14.0.1.1, 14.1.0.6 |
749184-2 | 4-Minor | BT749184 | Added description of subviolation for the suggestions that enabled/disabled them | 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.3 |
747560-5 | 4-Minor | BT747560 | ASM REST: Unable to download Whitehat vulnerabilities | 12.1.5.1, 13.1.3, 14.1.0.6 |
769061-2 | 5-Cosmetic | BT769061 | Improved details for learning suggestions to enable violation/sub-violation | 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
763349-3 | 2-Critical | BT763349 | AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
756205-1 | 2-Critical | BT756205 | TMSTAT offbox statistics are not continuous | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
756102-2 | 2-Critical | BT756102 | TMM can crash with core on ABORT signal due to non-responsive AVR code | 13.1.3.2, 14.1.0.6, 15.0.1.1 |
771025-3 | 3-Major | BT771025 | AVR send domain names as an aggregate | 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.3 |
764665-2 | 3-Major | BT764665 | AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
763005-3 | 3-Major | BT763005 | Aggregated Domain Names in DNS statistics are shown as random domain name | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
760356-2 | 3-Major | BT760356 | Users with Application Security Administrator role cannot delete Scheduled Reports | 13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
770557-3 | 2-Critical | BT770557 | Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one | 14.0.0.5, 14.1.0.6 |
769281-1 | 2-Critical | BT769281 | Per-request Access Policy may show user interface pages incorrectly in languages other than English | 14.0.0.5, 14.1.0.6 |
755447-1 | 2-Critical | BT755447 | SSLO does not deliver content generated/originated from inline device | 14.1.0.6 |
753370-3 | 2-Critical | BT753370 | RADIUS auth might not be working as configured when there is change in RADIUS auth config name. | 13.1.3, 14.0.0.5, 14.1.0.6 |
774633-2 | 3-Major | BT774633 | Memory leak in tmm when session db variables are not cleaned up | 14.1.0.6, 15.0.1.1 |
774213-1 | 3-Major | BT774213 | SWG session limits on SSLO deployments | 14.1.0.6, 15.0.1.1 |
760410-1 | 3-Major | BT760410 | Connection reset is seen when Category lookup agent is used in per-req policy | 14.1.0.6 |
760250 | 3-Major | BT760250 | 'Unsupported SSO Method' error when requests sharing the same TCP session | 14.1.0.6 |
759868-1 | 3-Major | BT759868 | TMM crash observed while rendering internal pages (like blocked page) for per-request policy | 14.1.0.6 |
758764-2 | 3-Major | BT758764 | APMD Core when CRLDP Auth fails to download revoked certificate | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
758701-1 | 3-Major | BT758701 | APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install | 14.1.0.6 |
757992-3 | 3-Major | BT757992 | RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
757360-1 | 3-Major | BT757360 | Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO | 14.1.0.6 |
755475-1 | 3-Major | BT755475 | Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
755047-1 | 3-Major | BT755047 | Category lookup returns wrong category on CONNECT traffic through SSLO | 14.1.0.6 |
754542-2 | 3-Major | BT754542 | TMM may crash when using RADIUS Accounting agent | 13.1.3, 14.1.0.6 |
752875-2 | 3-Major | BT752875 | tmm core while using service chaining for SSLO | 14.0.1.1, 14.1.0.6 |
751807-1 | 3-Major | BT751807 | SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel | 14.1.0.6 |
751424-1 | 3-Major | BT751424 | HTTP Connect Category Lookup not working properly | 14.1.0.6 |
749057-1 | 3-Major | BT749057 | VMware Horizon idle timeout is ignored when connecting via APM | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
745574-1 | 3-Major | BT745574 | URL is not removed from custom category when deleted | 12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.6 |
738430-3 | 3-Major | BT738430 | APM is not able to do compliance check on iOS devices running F5 Access VPN client | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
734291-1 | 3-Major | BT734291 | Logon page modification fails to sync to standby | 13.1.1.5, 14.1.0.6 |
695985-4 | 3-Major | BT695985 | Access HUD filter has URL length limit (4096 bytes) | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
766761-2 | 4-Minor | BT766761 | Ant-server does not log requests that are excluded from scanning | 14.1.0.6 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
766405-2 | 2-Critical | BT766405 | MRF SIP ALG with SNAT: Fix for potential crash on next-active device | 13.1.3.4, 14.1.0.6 |
754615-2 | 2-Critical | BT754615 | Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup. | 14.0.1.1, 14.1.0.6 |
763157-2 | 3-Major | BT763157 | MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped | 14.0.1.1, 14.1.0.6, 15.0.1.4 |
760370-2 | 3-Major | BT760370 | MRF SIP ALG with SNAT: Next active ingress queue filling | 14.0.1.1, 14.1.0.6, 15.0.1.4 |
759077-2 | 3-Major | BT759077 | MRF SIP filter queue sizes not configurable | 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.4 |
755630-1 | 3-Major | BT755630 | MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes | 14.0.1.1, 14.1.0.6 |
752822-1 | 3-Major | BT752822 | SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type | 13.1.1.5, 14.0.1.1, 14.1.0.6 |
751179-1 | 3-Major | BT751179 | MRF: Race condition may create too many outgoing connections to a peer | 11.6.5.2, 13.1.1.5, 14.1.0.6 |
746825-1 | 3-Major | BT746825 | MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls | 14.0.1.1, 14.1.0.6 |
745947-2 | 3-Major | BT745947 | Add log events for MRF SIP registration/deregistration and media flow creation/deletion | 14.1.0.6 |
745590-1 | 3-Major | BT745590 | SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added | 14.0.1.1, 14.1.0.6 |
760930-2 | 4-Minor | BT760930 | MRF SIP ALG with SNAT: Added additional details to log events | 14.0.1.1, 14.1.0.6, 15.0.1.4 |
747909-5 | 4-Minor | BT747909 | GTPv2 MEI and Serving-Network fields decoded incorrectly | 11.6.5.1, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
757524 | 1-Blocking | BT757524 | Data operation attempt on object that has not been loaded | 14.1.0.6 |
757359-1 | 2-Critical | BT757359 | pccd crashes when deleting a nested Address List | 13.1.3, 14.1.0.6 |
754805 | 2-Critical | K97981358, BT754805 | Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured | 14.1.0.6 |
753028-2 | 3-Major | BT753028 | AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule | 13.1.1.4, 14.1.0.6 |
756477-2 | 5-Cosmetic | BT756477 | Drop Redirect tab incorrectly named as 'Redirect Drop' | 14.1.0.6 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
744516-4 | 2-Critical | BT744516 | TMM panics after a large number of LSN remote picks | 12.1.4, 13.1.1.4, 14.1.0.6 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
748121-3 | 2-Critical | BT748121 | admd livelock under CPU starvation | 13.1.1.4, 14.0.0.5, 14.1.0.6 |
653573-6 | 2-Critical | BT653573 | ADMd not cleaning up child rsync processes | 13.1.1.4, 14.0.0.5, 14.1.0.6, 14.1.2.3 |
756877-1 | 3-Major | BT756877 | Virtual server created with Guided Configuration is not visible in Grafana | 14.0.0.5, 14.1.0.6 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
752803-1 | 2-Critical | BT752803 | CLASSIFICATION_DETECTED running reject can lead to a tmm core | 13.1.3, 14.1.0.6 |
752047-1 | 2-Critical | BT752047 | iRule running reject in CLASSIFICATION_DETECTED event can cause core | 13.1.1.5, 14.1.0.6 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
758818-2 | 2-Critical | BT758818 | While using explicit or transparent http type service on SSL Orchestrator, TMM cores. | 14.0.1.1, 14.1.0.6 |
756167-1 | 3-Major | BT756167 | No URL category data on SSL Orchestrator dashboard and on SSL Orchestrator statistics page after upgrade★ | 14.1.0.6 |
748252-2 | 3-Major | BT748252 | Connection reset seen with SSL bypass on a L2 wire setup | 14.1.0.6 |
Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
755817 | 3-Major | BT755817 | v14.1.0.5 includes Guided Configuration 4.1 | 14.1.0.5 |
751824-1 | 3-Major | BT751824 | Restore old 'merge' functionality with new tmsh verb 'replace' | 14.1.0.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
663819-1 | 3-Major | BT663819 | APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue) | 14.1.0.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
761173-1 | 2-Critical | BT761173 | tmm crash after extended whitelist modification | 14.1.0.5 |
751869-2 | 2-Critical | BT751869 | Possible tmm crash when using manual mode mitigation in DoS Profile | 13.1.1.5, 14.1.0.5 |
760393 | 3-Major | BT760393 | GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes | 14.1.0.5 |
750477-1 | 3-Major | BT750477 | LTM NAT does not forward ICMP traffic | 14.1.0.5 |
737035-2 | 3-Major | BT737035 | New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup. | 14.0.0.5, 14.1.0.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
757088-1 | 2-Critical | BT757088 | TMM clock advances and cluster failover happens during webroot db nightly updates | 12.1.5, 13.1.1.5, 14.1.0.5 |
758536 | 3-Major | BT758536 | Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x | 14.1.0.5 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
737558-1 | 2-Critical | BT737558 | Protocol Inspection user interface elements are active but do not work | 14.1.0.5 |
774881 | 3-Major | BT774881 | Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed. | 14.1.0.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
760278 | 2-Critical | BT760278 | F5 SSL Orchestrator may fail to install an RPM software package on BIG-IP systems running point release versions★ | 14.1.0.5 |
Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release
Functional Change Fixes
None
Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
745783-1 | 3-Major | BT745783 | Anti-fraud: remote logging of login attempts | 13.1.1.3, 14.1.0.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
758667-1 | 2-Critical | BT758667 | BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs | 14.1.0.3 |
754541-2 | 2-Critical | BT754541 | Reconfiguring an iApp that uses a client SSL profile fails | 14.1.0.3 |
760222 | 3-Major | BT760222 | SCP fails unexpectedly when FIPS mode is enabled | 13.1.1.5, 14.0.0.5, 14.1.0.3 |
725625-1 | 3-Major | BT725625 | BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK | 14.1.0.3 |
Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
757025-1 | CVE-2018-5744 | K00040234, BT757025 | BIND Update | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
756774-6 | CVE-2019-6612 | K24401914, BT756774 | Aborted DNS queries to a cache may cause a TMM crash | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
750292-2 | CVE-2019-6592 | K54167061, BT750292 | TMM may crash when processing TLS traffic | 12.1.5.3, 13.1.3.4, 14.1.0.2 |
749879-2 | CVE-2019-6611 | K47527163, BT749879 | Possible interruption while processing VPN traffic | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
744035-6 | CVE-2018-15332 | K12130880, BT744035 | APM Client Vulnerability: CVE-2018-15332 | 11.6.5.1, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2 |
757027-1 | CVE-2019-6465 | K01713115, BT757027 | BIND Update | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
757026-1 | CVE-2018-5745 | K25244852, BT757026 | BIND Update | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
745713-4 | CVE-2019-6619 | K94563344, BT745713 | TMM may crash when processing HTTP/2 traffic | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
745387-1 | CVE-2019-6618 | K07702240, BT745387 | Resource-admin user roles can no longer get bash access | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
745165-1 | CVE-2019-6617 | K38941195, BT745165 | Users without Advanced Shell Access are not allowed SFTP access | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
737910-4 | CVE-2019-6609 | K18535734, BT737910 | Security hardening on the following platforms | 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2 |
724680-6 | CVE-2018-0732 | K21665601, BT724680 | OpenSSL Vulnerability: CVE-2018-0732 | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.1.1, 14.1.0.2 |
703835-5 | CVE-2019-6616 | K82814400, BT703835 | When using SCP into BIG-IP systems, you must specify the target filename | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
702472-7 | CVE-2019-6615 | K87659521, BT702472 | Appliance Mode Security Hardening | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
698376-5 | CVE-2019-6614 | K46524395, BT698376 | Non-admin users have limited bash commands and can only write to certain directories | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
713806-8 | CVE-2018-0739 | K08044291, BT713806 | CVE-2018-0739: OpenSSL Vulnerability | 14.1.0.2 |
699977-3 | CVE-2016-7055 | K43570545, BT699977 | CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX | 14.1.0.2 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
755641-1 | 2-Critical | BT755641 | Unstable asm_config_server after upgrade, 'Event dispatcher aborted' | 14.1.0.2 |
744685-2 | 2-Critical | BT744685 | BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
744188-1 | 2-Critical | BT744188 | First successful auth iControl REST requests will now be logged in audit and secure log files | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
739432 | 3-Major | BT739432 | F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems | 14.1.0.2 |
738108-1 | 3-Major | BT738108 | SCTP multi-homing INIT address parameter doesn't include association's primary address | 14.1.0.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
753642-1 | 2-Critical | BT753642 | iHealth may report false positive for Critical Malware | 14.1.0.2 |
752835-2 | 2-Critical | K46971044, BT752835 | Mitigate mcpd out of memory error with auto-sync enabled. | 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
750580-1 | 2-Critical | BT750580 | Installation using image2disk --format may fail after TMOS v14.1.0 is installed★ | 14.1.0.2 |
707013-3 | 2-Critical | BT707013 | vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
668041-4 | 2-Critical | K27535157, BT668041 | Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★ | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
621260-2 | 2-Critical | BT621260 | mcpd core on iControl REST reference to non-existing pool | 11.6.5.1, 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.2 |
753564-1 | 3-Major | BT753564 | Attempt to change password using /bin/passwd fails | 14.1.0.2 |
751011-3 | 3-Major | BT751011 | ihealth.sh script and qkview locking mechanism not working | 13.1.1.5, 14.1.0.2 |
751009-3 | 3-Major | BT751009 | Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
750661 | 3-Major | BT750661 | URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied. | 14.1.0.2 |
750447-3 | 3-Major | BT750447 | GUI VLAN list page loading slowly with 50 records per screen | 13.1.1.5, 14.1.0.2 |
749382-1 | 3-Major | BT749382 | Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater | 14.1.0.2 |
746873-1 | 3-Major | BT746873 | Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing | 14.1.0.2 |
745825-1 | 3-Major | BT745825 | The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading | 13.1.3.2, 14.1.0.2 |
737536-2 | 3-Major | BT737536 | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
721585-1 | 3-Major | BT721585 | mcpd core processing ltm monitors with deep level of inheritance | 14.1.0.2 |
639619-7 | 3-Major | BT639619 | UCS may fail to load due to Master key decryption failure on EEPROM-less systems★ | 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
751636-1 | 4-Minor | BT751636 | Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership★ | 14.1.0.2 |
737423-2 | 4-Minor | | Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033 | 14.1.0.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
754143-1 | 2-Critical | K45456231, BT754143 | TCP connection may hang after FIN | 13.1.4.1, 14.1.0.2 |
747617-2 | 2-Critical | BT747617 | TMM core when processing invalid timer | 12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2 |
742184-3 | 2-Critical | BT742184 | TMM memory leak | 13.1.3, 14.1.0.2 |
738945-4 | 2-Critical | BT738945 | SSL persistence does not work when there are multiple handshakes present in a single record | 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
716714-4 | 2-Critical | BT716714 | OCSP should be configured to avoid TMM crash. | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
750200-3 | 3-Major | BT750200 | DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
749294-4 | 3-Major | BT749294 | TMM cores when query session index is out of boundary | 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.0.2 |
746131-4 | 3-Major | | OpenSSL Vulnerability: CVE-2018-0732 | 14.1.0.2 |
744686-2 | 3-Major | BT744686 | Wrong certificate can be chosen during SSL handshake | 14.1.0.2 |
743900-1 | 3-Major | BT743900 | Custom DIAMETER monitor requests do not have their 'request' flag set | 14.1.0.2 |
739963-4 | 3-Major | BT739963 | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup | 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
739349-3 | 3-Major | BT739349 | LRO segments might be erroneously VLAN-tagged. | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
724327-2 | 3-Major | BT724327 | Changes to a cipher rule do not immediately have an effect | 13.1.1.4, 14.1.0.2 |
720219-3 | 3-Major | K13109068, BT720219 | HSL::log command can fail to pick new pool member if last picked member is 'checking' | 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.2 |
717896-4 | 3-Major | BT717896 | Monitor instances deleted in peer unit after sync | 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
717100-1 | 3-Major | BT717100 | FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member | 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
716167-2 | 3-Major | BT716167 | The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp | 13.1.3.4, 14.1.0.2 |
704450-5 | 3-Major | BT704450 | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration | 12.1.5.2, 13.1.3.2, 14.1.0.2 |
703593-1 | 3-Major | BT703593 | TMSH tab completion for adding profiles to virtual servers is not working as expected | 14.1.0.2 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
756094-2 | 2-Critical | BT756094 | DNS express in restart loop, 'Error writing scratch database' in ltm log | 12.1.4.1, 13.1.1.5, 14.1.0.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
752942-1 | 2-Critical | BT752942 | Live Update cannot be used by Administrator users other than 'admin' and 'root' | 14.1.0.2 |
750922-1 | 2-Critical | BT750922 | BD crash when content profile used for login page has no parse parameters set | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
749136-1 | 2-Critical | BT749136 | Disk partition /var/log is low on free disk space | 14.1.0.2 |
748321-1 | 2-Critical | BT748321 | bd crash with specific scenario | 14.1.0.2 |
744347-4 | 2-Critical | BT744347 | Protocol Security logging profiles cause slow ASM upgrade and apply policy | 12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.2 |
721741-4 | 2-Critical | BT721741 | BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative | 12.1.3.7, 13.1.1.2, 14.1.0.2 |
754420-1 | 3-Major | BT754420 | Missing policy name in exported ASM request details | 14.0.0.5, 14.1.0.2 |
754066-1 | 3-Major | BT754066 | Newly added Systems are not added as part of installing a Server Technologies update file | 14.1.0.2 |
753295-1 | 3-Major | BT753295 | ASM REST: All signatures being returned for policy Signatures regardless of signature sets | 14.1.0.2 |
750973-1 | 3-Major | BT750973 | Import XML policy error | 14.1.0.2 |
750793-2 | 3-Major | BT750793 | Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition | 14.0.0.5, 14.1.0.2 |
750686-1 | 3-Major | BT750686 | ASE user cannot create or modify a bot signature. | 14.1.0.2 |
750683-1 | 3-Major | BT750683 | REST Backwards Compatibility: Cannot modify enforcementMode of host-name | 14.1.0.2 |
750668-1 | 3-Major | BT750668 | Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition | 14.1.0.2 |
750666-1 | 3-Major | BT750666 | Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common' | 14.1.0.2 |
750356-2 | 3-Major | BT750356 | Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
749500-1 | 3-Major | BT749500 | Improved visibility for Accept on Microservice action in Traffic Learning | 14.1.0.2 |
749109-3 | 3-Major | BT749109 | CSRF situation on BIGIP-ASM GUI | 13.1.1.5, 14.0.0.5, 14.1.0.2 |
748999-3 | 3-Major | BT748999 | invalid inactivity timeout suggestion for cookies | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
748848-2 | 3-Major | BT748848 | Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers | 14.0.0.5, 14.1.0.2 |
748409-2 | 3-Major | BT748409 | Illegal parameter violation when json parsing a parameter on a case-insensitive policy | 14.0.0.5, 14.1.0.2 |
747977-1 | 3-Major | BT747977 | File manually uploaded information is not synced correctly between blades | 14.1.0.2 |
747777-3 | 3-Major | BT747777 | Extractions are learned in manual learning mode | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
747550-3 | 3-Major | BT747550 | Error 'This Logout URL already exists!' when updating logout page via GUI | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
746750-1 | 3-Major | BT746750 | Search Engine get Device ID challenge when using the predefined profiles | 14.1.0.2 |
746298-1 | 3-Major | BT746298 | Server Technologies logos all appear as default icon | 14.1.0.2 |
745813-1 | 3-Major | BT745813 | Requests are reported to local log even if only Bot Defense remote log is configured | 14.1.0.2 |
745624-1 | 3-Major | BT745624 | Tooltips for OWASP Bot Categories and Anomalies were added | 14.1.0.2 |
745607-1 | 3-Major | BT745607 | Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly | 14.1.0.2 |
745531-2 | 3-Major | BT745531 | Puffin Browser gets blocked by Bot Defense | 13.1.1.4, 14.1.0.2 |
742852-1 | 3-Major | BT742852 | Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header | 14.1.0.2 |
739945-4 | 3-Major | BT739945 | JavaScript challenge on POST with 307 breaks application | 12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.2 |
738676-1 | 3-Major | BT738676 | Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests | 14.1.0.2 |
737866-2 | 3-Major | BT737866 | Rare condition memory corruption | 14.1.0.2 |
754365-5 | 4-Minor | BT754365 | Updated flags for countries that changed their flags since 2010 | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
721724-1 | 4-Minor | BT721724 | LONG_REQUEST notice print incorrect in BD log | 14.1.0.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
746941-2 | 2-Critical | BT746941 | Memory leak in avrd when BIG-IQ fails to receive stats information | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
753446-2 | 3-Major | BT753446 | avrd process crash during shutdown if connected to BIG-IQ | 13.1.1.5, 14.0.0.5, 14.1.0.2 |
749464-2 | 3-Major | BT749464 | Race condition while BIG-IQ updates common file | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
749461-2 | 3-Major | BT749461 | Race condition while modifying analytics global-settings | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
745027-2 | 3-Major | BT745027 | AVR is doing extra activity of DNS data collection even when it should not | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
744595-3 | 3-Major | BT744595 | DoS-related reports might not contain some of the activity that took place | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
744589-3 | 3-Major | BT744589 | Missing data for Firewall Events Statistics | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
715110-1 | 3-Major | BT715110 | AVR should report 'resolutions' in module GtmWideip | 13.1.0.8, 14.1.0.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
752592-1 | 2-Critical | BT752592 | VMware Horizon PCoIP clients may fail to connect shortly after logout | 13.1.1.5, 14.1.0.2 |
754346-2 | 3-Major | BT754346 | Access policy was not found while creating configuration snapshot. | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
746771-3 | 3-Major | BT746771 | APMD recreates config snapshots for all access profiles every minute | 13.1.1.4, 14.1.0.2 |
745654-4 | 3-Major | BT745654 | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server | 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2 |
743437-3 | 3-Major | BT743437 | Portal Access: Issue with long 'data:' URL | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
749603-1 | 3-Major | BT749603 | MRF SIP ALG: Potential to end wrong call when BYE received | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
749227-1 | 3-Major | BT749227 | MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE | 14.0.1.1, 14.1.0.2 |
748043-2 | 3-Major | BT748043 | MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
747187-2 | 3-Major | BT747187 | SIP falsely detects media flow collision when SDP is in both 183 and 200 response | 12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2 |
745715-2 | 3-Major | BT745715 | MRF SIP ALG now supports reading SDP from a mime multipart payload | 14.1.0.2 |
745628-1 | 3-Major | BT745628 | MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message | 13.1.3, 14.0.1.1, 14.1.0.2 |
745514-1 | 3-Major | BT745514 | MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message | 13.1.3, 14.0.1.1, 14.1.0.2 |
745404-4 | 3-Major | BT745404 | MRF SIP ALG does not reparse SDP payload if replaced | 12.1.5.2, 13.1.3, 14.0.1.1, 14.1.0.2 |
744949-1 | 3-Major | BT744949 | MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
744275-1 | 3-Major | BT744275 | BIG-IP system sends Product-Name AVP in CER with Mandatory bit set | 13.1.3.4, 14.1.0.2 |
742829-1 | 3-Major | BT742829 | SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0 | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
747104-1 | 1-Blocking | K52868493, BT747104 | LibSSH: CVE-2018-10933 | 12.1.4.1, 13.1.1.4, 14.1.0.2 |
752363-2 | 2-Critical | BT752363 | Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled | 13.1.3, 14.1.0.2 |
749331-3 | 2-Critical | BT749331 | Global DNS DoS vector does not work in certain cases | 14.1.0.2 |
747922-3 | 2-Critical | BT747922 | With AFM enabled, during bootup, there is a small possibility of a tmm crash | 13.1.3.2, 14.1.0.2 |
748176-1 | 3-Major | BT748176 | BDoS Signature can wrongly match a DNS packet | 14.1.0.2 |
748081-1 | 3-Major | BT748081 | Memory leak in Behavioral DoS module | 13.1.1.5, 14.1.0.2 |
747926-2 | 3-Major | BT747926 | Rare TMM restart due to NULL pointer access during AFM ACL logging | 13.1.1.4, 14.1.0.2 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
726647-5 | 3-Major | BT726647 | PEM content insertion in a compressed response may truncate some data | 12.1.4.1, 13.1.1.2, 14.0.0.3, 14.1.0.2 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
752782-1 | 3-Major | BT752782 | 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' | 13.1.1.5, 14.0.0.5, 14.1.0.2 |
741449-3 | 4-Minor | BT741449 | alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
738677-1 | 4-Minor | BT738677 | Configured name of wildcard parameter is not sent in data integrity alerts | 14.1.0.2 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
755378-1 | 2-Critical | BT755378 | HTTPS connection error from Chrome when BADOS TLS signatures configured | 14.1.0.2 |
727136-1 | 3-Major | BT727136 | One dataset contains large number of variations of TLS hello messages on Chrome | 14.1.0.2 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
745733-3 | 3-Major | BT745733 | TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup | 13.1.3.5, 14.1.0.2 |
Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
745629 | 2-Critical | BT745629 | Ordering Symantec and Comodo certificates from BIG-IP | 14.1.0.1 |
713817-1 | 3-Major | BT713817 | BIG-IP images are available in Alibaba Cloud | 14.1.0.1 |
738891-1 | 4-Minor | BT738891 | TLS 1.3: Server SSL fails to increment key exchange method statistics | 14.1.0.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
746424 | 2-Critical | BT746424 | Patched Cloud-Init to support AliYun Datasource | 14.1.0.1 |
745851 | 3-Major | BT745851 | Changed Default Cloud-Init log level to INFO from DEBUG | 14.1.0.1 |
742251-1 | 4-Minor | BT742251 | Add Alibaba Cloud support to Qkview | 14.1.0.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
745774-1 | 3-Major | BT745774 | Creating EC-only client SSL profile for forward-proxy without RSA key certs defined results in invalid profile | 14.1.0.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
749774-5 | 3-Major | BT749774 | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled | 11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1 |
749675-5 | 3-Major | BT749675 | DNS cache resolver may return a malformed truncated response with multiple OPT records | 11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1 |
Cumulative fix details for BIG-IP v14.1.4.6 that are included in this release
999901-4 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.
Component: Local Traffic Manager
Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.
This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).
Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.
Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.
Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.
Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.
Fix:
TMM now loads LTM policies with external data-groups as expected.
Fixed Versions:
14.1.4.6
999125-3 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.
Links to More Info: BT999125
Component: TMOS
Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.
Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.
Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).
Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.
Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:
tmsh restart sys service sod
Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.
Fix:
Redundant devices remain in the correct failover state following a management IP address change.
Fixed Versions:
14.1.4.6
999097-4 : SSL::profile may select profile with outdated configuration
Links to More Info: BT999097
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected SSL profile may send a previously configured certificate to the peer.
Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.
Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.
Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.
Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
998729 : Query for virtual address statistics is slow when there are hundreds of virtual address and address lists entries
Links to More Info: BT998729
Component: TMOS
Symptoms:
If there are hundreds of virtual addresses and hundreds of address entries spanning one or more address lists, mcpd might take seconds to reply to a query for virtual address statistics.
One of the more commonly visible signs of this is high CPU usage by mcpd if it's processing a large number of queries for virtual address statistics. It is also likely that snmpd responses to SNMP agent requests will be severely delayed.
Conditions:
-- Hundreds of virtual servers.
-- Hundreds of address entries spanning one or many address lists.
-- Running SNMP queries for virtual address statistics.
Impact:
-- High CPU usage by mcpd.
-- SNMP requests/polling timeouts occur because mcpd takes hundreds of milliseconds to respond.
Note: If the address lists that contain the entries are not used in traffic-matching-criteria (and therefore do not increase the size of the tmstat virtual_address_stat table), mcpd response time is in the tens of milliseconds.
Workaround:
None
Fix:
Improved performance of queries for virtual address statistics when there are hundreds of virtual addresses and address list entries.
Fixed Versions:
14.1.4.4
998221-4 : Accessing pool members from configuration utility is slow with large config
Links to More Info: BT998221
Component: TMOS
Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.
Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.
Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second.
Managing pool members from the configuration utility is very slow, causing performance impact.
Workaround:
None
Fix:
Optimized the GUI query used for retrieving pool members data.
Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2
997929-4 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic
Links to More Info: BT997929
Component: Local Traffic Manager
Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.
If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.
Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.
-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.
Impact:
The virtual server stops processing traffic.
Workaround:
To recover, you can do either of the following:
-- Restart tmm:
bigstart restart tmm
-- Change the virtual server's port back to 'any' (0).
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
997137-4 : CSRF token modification may allow WAF bypass on GET requests
Component: Application Security Manager
Symptoms:
Under certain conditions a parameter is not processed as expected.
Conditions:
1. CSRF feature is configured
2. Request contains a crafted parameter
Impact:
A malicious request will bypass signatures and will not raise any attack signature violation.
Workaround:
N/A
Fix:
The parameter is now processed as expected.
Fixed Versions:
14.1.4.4, 15.1.4.1
996593-3 : Password change through REST or GUI not allowed if the password is expired
Links to More Info: BT996593
Component: TMOS
Symptoms:
When trying to update the expired password through REST or the GUI, the system reports an error:
Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.
Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.
Impact:
Expired password cannot be updated through REST or the GUI.
Workaround:
Update password using tmsh:
tmsh modify auth password <username>
Fix:
You can now change an expired password through REST or the GUI.
Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2
996381-4 : ASM attack signature may not match as expected
Links to More Info: K41503304, BT996381
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures.
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
996113-4 : SIP messages with unbalanced escaped quotes in headers are dropped
Links to More Info: BT996113
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
996001-2 : AVR Inspection Dashboard 'Last Month' does not show all data points
Links to More Info: BT996001
Component: TMOS
Symptoms:
A daily report (a report with a resolution of one day per data point) can only be provided for requests of up to 30 days. A request for 31 days shows only 2 entries.
Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.
Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.
Workaround:
None
Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
995853-3 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.
Links to More Info: BT995853
Component: Global Traffic Manager (DNS)
Symptoms:
Unable to create GSLB Server object with both IPv4 and IPv6 self IPs as device IPs.
Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GSLB Server object creation with IPv4 and IPv6 addresses in the device tab along with Virtual Server Discovery enabled.
Impact:
GSLB Server object creation fails.
Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.
Fix:
GSLB Server object creation no longer fails.
Fixed Versions:
14.1.4.4, 15.1.4
995629-2 : Loading UCS files may hang if ASM is provisioned★
Links to More Info: BT995629
Component: TMOS
Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.
Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.
Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.
Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.
Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html
Fix:
Loading UCS files no longer hangs if ASM is provisioned.
Fixed Versions:
13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2
995433-4 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT
Links to More Info: BT995433
Component: Advanced Firewall Manager
Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.
Conditions:
This is encountered when viewing PPTP log entries.
Impact:
IPv6 addresses in PPTP logs are truncated.
Workaround:
None
Fix:
The full IPv6 address is now logged in PPTP logs.
Fixed Versions:
14.1.4.5, 15.1.4.1
995029 : Configuration is not updated during auto-discovery
Links to More Info: BT995029
Component: Access Policy Manager
Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:
-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token
Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).
Impact:
JWT auto-discovery fails and the configuration is not updated.
Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>'.
Fix:
Fixed an issue with auto-discovery and JWKs.
Fixed Versions:
14.1.4.2, 15.1.4
994985-1 : CGNAT GUI shows blank page when applying SIP profile
Links to More Info: BT994985
Component: Carrier-Grade NAT
Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.
Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.
Impact:
The virtual server properties page does not display the configuration.
Workaround:
None.
Fix:
The GUI shows the virtual server config page with all config values.
Fixed Versions:
14.1.4.2, 15.1.4
994801-4 : SCP file transfer system
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
A user assigned to a role, such as Resource Administrator, without Advanced Shell access can run arbitrary SCP file transfer commands.
Impact:
Users without Advanced Shell access can run SCP file transfer commands.
Workaround:
None
Fix:
This issue is fixed. The SCP file transfer system now follows current best practices. Users without Advanced Shell access cannot run SCP file transfer commands.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
993981-4 : TMM may crash when ePVA is enabled
Component: Local Traffic Manager
Symptoms:
When ePVA is enabled on the BIG-IP system, increased CMP redirections can cause tmm to core and report an error:
tmm SIGFPE "nexthop ref valid".
Conditions:
-- ePVA acceleration is enabled on the BIG-IP system.
-- High rate of CMP redirections.
Impact:
Traffic disrupted while TMM restarts, and systems configured as part of a high availability (HA) group may failover.
Workaround:
Disable ePVA acceleration option.
Note: Performing this procedure may increase CPU use because TCP connections are subsequently processed in software by the Traffic Management Microkernel (TMM).
Fix:
TMM now operates as expected with ePVA enabled.
Fixed Versions:
14.1.4.6
993913-1 : TMM SIGSEGV core in Message Routing Framework
Links to More Info: BT993913
Component: Service Provider
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This can occur while passing traffic through the message routing framework.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
993613-4 : Device fails to request full sync
Links to More Info: BT993613
Component: Application Security Manager
Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs.
Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.
Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage
Workaround:
Halting asm_config_server on the stuck device restores the working state and requests a new sync.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
993489-4 : GTM daemon leaks memory when reading GTM link objects
Links to More Info: BT993489
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
993457-3 : TMM core with ACCESS::policy evaluate iRule
Links to More Info: BT993457
Component: Access Policy Manager
Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.
Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.
Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
992213-1 : Protocol Any displayed as HOPTOPT in AFM policy view
Links to More Info: BT992213
Component: Advanced Firewall Manager
Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.
Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.
Impact:
GUI shows an incorrect value.
Workaround:
None
Fix:
GUI Shows correct value for rule protocol option.
Fixed Versions:
14.1.4.2, 15.1.4, 16.1.1
992073-1 : APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS
Component: Access Policy Manager
Symptoms:
End user clients frequently get a prompt to enter credentials when they should not.
Conditions:
APM Access Profile with NTLM authentication enabled.
Impact:
NTLM handshake failure causing user authentication failures.
Workaround:
N/A
Fix:
APM now processes NTLM requests as expected.
Fixed Versions:
14.1.4.6
991037-1 : MR::message can cause tmm crash
Links to More Info: BT991037
Component: Service Provider
Symptoms:
The iRule command MR::message drop can occasionally trigger a memory corruption and tmm crash.
Conditions:
The iRule command MR::message drop is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
14.1.4.3
990849-3 : Loading UCS with platform-migrate option hangs and requires exiting from the command★
Links to More Info: BT990849
Component: TMOS
Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:
Platform migrate loaded successfully. Saving configuration.
Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate
Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html
Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.
Workaround:
None.
Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.
Fixed Versions:
13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2
990461-2 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★
Links to More Info: BT990461
Component: Advanced Firewall Manager
Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.
Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.
Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.
Workaround:
Manually update the SYN cookie threshold values after an upgrade.
Fixed Versions:
14.1.4.4
989753-3 : In HA setup, standby fails to establish connection to server
Links to More Info: BT989753
Component: Service Provider
Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:
err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config
Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.
Impact:
Standby BIG-IP system fails to establish a connection to the server.
Workaround:
None.
Fix:
Standby is now able to establish a connection to the server.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
989701-4 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
988533-3 : GRE-encapsulated MPLS packet support
Links to More Info: BT988533
Component: TMOS
Symptoms:
There is no facility to accept packets using GRE-encapsulated MPLS. The GUI gives only encapsulation options for IP address (0x0800) and transparent ethernet bridging (0x6558).
Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.
Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.
Workaround:
None
Fix:
Encapsulated MPLS packets over GRE are now supported in a way similar to IP address and transparent ethernet bridging.
Fixed Versions:
14.1.4.5, 15.1.4.1
988005-3 : Zero active rules counters in GUI
Links to More Info: BT988005
Component: Advanced Firewall Manager
Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).
Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules
Impact:
Incorrect information on active rules count is seen in the UI.
Workaround:
Disable firewall inline editor.
Fix:
The active rules count column now displays the correct number of times a rule has been hit.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
987077-4 : TLS1.3 with client authentication handshake failure
Links to More Info: BT987077
Component: Local Traffic Manager
Symptoms:
SSL handshakes are failing, and TLS clients send 'Bad Record MAC' errors.
Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.
Impact:
A handshake failure occurs.
Workaround:
Use TLS1.2 or use TLS1.3 without LTM authentication profile.
Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.
Fixed Versions:
14.1.4.6
985953-2 : GRE Transparent Ethernet Bridging inner MAC overwrite
Links to More Info: BT985953
Component: TMOS
Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.
Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.
Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.
Workaround:
None
Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
984765-4 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★
Links to More Info: BT984765
Component: Access Policy Manager
Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.
Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.
Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.
Workaround:
To resolve the issue temporarily, use either of the following:
-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.
-- Run the command:
bigstart restart nlad
The problem can reappear after a week, so you must repeat these steps each time the issue occurs.
Fixed Versions:
14.1.4.4, 15.1.4
984593-3 : BD crash
Links to More Info: BT984593
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
982869-3 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0
Links to More Info: BT982869
Component: Service Provider
Symptoms:
Tmm may crash.
Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm no longer crashes under these conditions.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
982757-6 : APM Access Guided Configuration hardening
Component: Guided Configuration
Symptoms:
APM Guided Configuration does not follow current best practices
Conditions:
- APM provisioned
- Authenticated administrative user
Impact:
Guided Configuration does not follow current best practices.
Workaround:
N/A
Fix:
Guided Configuration now follows current best practices.
Fixed Versions:
14.1.4.6
982697-4 : ICMP hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM does not follow current best practices for ICMP traffic.
Conditions:
- ICMP traffic
- DNS in use
Impact:
TMM does not follow current best practices.
Workaround:
N/A
Fix:
TMM now follows current best practices while processing ICMP traffic.
Behavior Change:
The change randomly adjusts the BIG-IP's ICMP rate limit to within 1/8% of the configured rate. While the average rate will remain the same, the number of ICMP packets issued second-to-second will vary randomly.
Fixed Versions:
14.1.4.6
982341-4 : iControl REST endpoint hardening
Component: TMOS
Symptoms:
iControl REST endpoints do not apply current best practices.
Conditions:
- Authenticated administrative user
- Request to iControl endpoint
Impact:
iControl REST endpoints do not follow current best practices.
Workaround:
N/A
Fix:
iControl REST endpoints now follow current best practices.
Fixed Versions:
14.1.4.6
981785-2 : Incorrect incident severity in Event Correlation statistics
Links to More Info: BT981785
Component: Application Security Manager
Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".
Conditions:
Usually happens for the first incident after ASM startup.
Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.
Workaround:
Use severity info from the Incidents list.
Fix:
Event Correlation engine was fixed and now incident severity is reported properly to AVR.
Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2
981689-1 : TMM memory leak with IPsec ALG
Links to More Info: BT981689
Component: Carrier-Grade NAT
Symptoms:
TMM crash due to out of memory.
Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.
Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm memory leak related to IPsec ALG connections.
Fixed Versions:
14.1.4.2, 15.1.4.1
981385-4 : AVRD does not send HTTP events to BIG-IQ DCD
Links to More Info: BT981385
Component: Application Visibility and Reporting
Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).
Conditions:
This happens under normal operation.
Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.
Workaround:
None.
Fixed Versions:
13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2
980821-1 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.
Links to More Info: BT980821
Component: Local Traffic Manager
Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.
Conditions:
There are two virtual servers configured:
- One with a specific port and ip-protocol 'any'
- One with port any and a specific ip-protocol
Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.
Workaround:
Create individual listeners for specific protocols.
For example, given the configuration:
ltm virtual vs-port80-protoAny {
destination 10.1.1.1:80
ip-protocol any
...
}
ltm virtual vs-portAny-protoTCP {
destination 10.1.1.1:0
ip-protocol TCP
...
}
Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
ltm virtual vs-port80-protoTCP {
destination 10.1.1.1:80
ip-protocol TCP
...
}
ltm virtual vs-port80-protoUDP {
destination 10.1.1.1:80
ip-protocol UDP
...
}
Fix:
More specific virtual server now gets more priority than wildcard virtual server to process traffic.
Fixed Versions:
14.1.4.2, 15.1.3.1, 16.0.1.2
980325-4 : Chmand core due to memory leak from dossier requests.
Links to More Info: BT980325
Component: TMOS
Symptoms:
Chmand generates a core file when get_dossier is run continuously.
Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.
Conditions:
Repeated/continuous dossier requests during licensing operations.
Impact:
Chmand crashes; potential traffic impact while chmand restarts.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4
978833-3 : Use of CRL-based Certificate Monitoring Causes Memory Leak
Links to More Info: BT978833
Component: Local Traffic Manager
Symptoms:
TMM memory use increases and the aggressive mode sweeper activates.
Conditions:
CRL certificate validator is configured.
Impact:
TMM ssl and ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.
Workaround:
None.
Fix:
Use of CRL-based certificate monitoring no longer causes memory leak.
Fixed Versions:
14.1.4.4, 15.1.4.1
978393 : GUI screen shows blank screen while importing a certificate★
Links to More Info: BT978393
Component: TMOS
Symptoms:
When you click the import button of an existing certificate, the screen goes blank.
Go to:
1. System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: existing_certificate.crt ::
2. Click the 'Import' button at the bottom of the page.
Conditions:
-- Device is upgraded from 13.1.x to 14.1.x.
-- Attempting to import a certificate that was created prior to the upgrade.
Impact:
You are unable to import from a certificate using the GUI.
Workaround:
There are three workarounds:
-- Use the GUI to download and reimport:
1. Download the cert and key.
2. Delete the cert and key from system.
3. Import it back.
-- Use the GUI to rename and save:
1. Rename the cert and key, removing extensions from the file.
2. Update the config file accordingly. The Import button works successfully.
-- Use tmsh to update the certs.
Fix:
Certificates can now be imported via the GUI after upgrade.
Fixed Versions:
14.1.4.1
977053-3 : TMM crash on standby due to invalid MR router instance
Links to More Info: BT977053
Component: Service Provider
Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.
Conditions:
-- HA environment.
-- Connection mirroring is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM on the standby device no longer crashes under these conditions.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
977005-2 : Network Firewall Policy rules-list showing incorrect 'Any' for source column
Links to More Info: BT977005
Component: Advanced Firewall Manager
Symptoms:
Network Firewall Policy rules-list shows incorrect 'Any' for source column.
Conditions:
- Create a policy under Security :: Network Firewall : Policies.
- Create a rules list with some rules in it.
- Add the rules list to the Policy.
- Verify the GUI shows 'any' under the source column of the root tree of the policy.
Impact:
GUI shows 'Any' extra text under the source column
Workaround:
None
Fix:
The GUI no longer shows extra text
Fixed Versions:
14.1.4.2, 15.1.4
976669-3 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade
Links to More Info: BT976669
Component: TMOS
Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.
Conditions:
This can occur after rebooting or replacing a secondary blade.
Impact:
When the FIPS integrity checks fail the blades won't fully boot.
Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:
/root/.ssh/authorized_keys
/root/.ssh/known_hosts
To mitigate, copy the missing files from the primary blade to the secondary blade.
From the primary blade, issue the following command towards the secondary blade(s).
rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/
Fix:
Critical files are not deleted during secondary blade reboot.
Fixed Versions:
14.1.4.6
976505-1 : Rotated restnoded logs will fail logintegrity verification.
Links to More Info: BT976505
Component: TMOS
Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.
Conditions:
Logintegrity support feature is enabled:
list sys db logintegrity.support
sys db logintegrity.support {
value "enable"
}
Impact:
Rotated restnoded logs fail logintegrity verification.
Workaround:
None
Fix:
Restnoded logs are now verified successfully by the logintegrity utility.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
976501-3 : Failed to establish VPN connection
Links to More Info: BT976501
Component: Access Policy Manager
Symptoms:
VPN client exits with message "Failed to establish VPN connection"
Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser
Impact:
Client will be unable to launch the VPN tunnel from the browser.
Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3
976365-1 : Traffic Classification hardening★
Links to More Info: BT976365
Component: Traffic Classification Engine
Symptoms:
Traffic Classification IM packages do not follow current best practices.
Conditions:
- Traffic Classification enabled
- IM packages updated by an authenticated administrative user
Impact:
Traffic Classification IM packages do not follow current best practices.
Workaround:
No Workaround
Fix:
Traffic Classification IM packages now follow current best practices.
Fixed Versions:
14.1.4.3, 15.1.3.1
975809-2 : Rotated restjavad logs fail logintegrity verification.
Links to More Info: BT975809
Component: TMOS
Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.
Conditions:
Logintegrity support feature is enabled:
list sys db logintegrity.support
sys db logintegrity.support {
value "enable"
}
Impact:
Rotated restjavad logs fail logintegrity verification.
Workaround:
None
Fix:
Restjavad logs are now verified successfully by the logintegrity utility.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
975593-2 : TMM may crash while processing IPSec traffic
Component: Carrier-Grade NAT
Symptoms:
Under certain conditions, TMM may crash while processing IPSec traffic.
Conditions:
- IPsec ALG enabled
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes IPSec traffic as expected.
Fixed Versions:
14.1.4.5
974881-1 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic
Links to More Info: BT974881
Component: Service Provider
Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.
Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash related to handling certain events in an iRule.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
974205-2 : Unconstrained wr_urldbd size causing box to OOM
Links to More Info: BT974205
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.
Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.
Impact:
The device eventually runs out of memory (OOM condition).
Workaround:
Restart the wr_urldbd process:
restart sys service wr_urldbd
Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.
Added two sys DB variables:
-- wr_urldbd.cloud_cache.log.level
Value Range:
sys db wr_urldbd.cloud_cache.log.level {
value "debug"
default-value "none"
value-range "debug none"
}
-- wr_urldbd.cloud_cache.limit
Value Range:
sys db wr_urldbd.cloud_cache.limit {
value "5500000"
default-value "5500000"
value-range "integer min:5000000 max:10000000"
}
Note: Both these variables are introduced for debugging purpose.
Fixed Versions:
12.1.6, 14.1.4.4, 15.1.4
973661 : Two different 'Attack Signature' updates shown as 'Currently Installed'★
Links to More Info: BT973661
Component: Application Security Manager
Symptoms:
After upgrading the system to version 14.1.x, the system shows two different 'Attack Signature' update packages as 'Currently Installed'.
Conditions:
Upgrade from version 12.1.x to version 14.1.x.
Impact:
Additional BIG-IP system restart is required.
Workaround:
None
Fixed Versions:
14.1.4.6
973261-4 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
Links to More Info: BT973261
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d does not try to open TCP connections if a HTTPS monitor contains a cert/key.
/var/log/gtm shows:
err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.
Conditions:
GTM HTTPS monitor with non-default cert/key.
Impact:
Unable to use HTTPS monitor.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
973201 : F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions★
Links to More Info: BT973201
Component: TMOS
Symptoms:
Releases prior to BIG-IP 14.1.4 allow the installation of incompatible versions of BIG-IP software and cause the tenant to become unusable in F5OS.
Conditions:
This happens when you upload an incompatible version of BIG-IP software into the F5OS BIG-IP tenant and begin a live upgrade.
Impact:
Tenant is unusable when upgrading to an unsupported F5OS BIG-IP version.
Workaround:
None
Fix:
F5OS BIG-IP v14.1.4 and later prevents installation of an invalid F5OS BIG-IP version.
Fixed Versions:
14.1.4, 15.1.4
971297-3 : DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade★
Links to More Info: BT971297
Component: Global Traffic Manager (DNS)
Symptoms:
The type of DNSSEC keys that are stored on the NetHSM is changed from FIPS external to internal during the upgrade.
Conditions:
-- BIG-IP with a NetHSM license
-- BIG-IP uses external DNSSEC keys stored in the NetHSM
-- The BIG-IP device is upgraded
Impact:
The keys are stored locally following the upgrade.
Workaround:
None.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
970829-4 : iSeries LCD incorrectly displays secure mode
Links to More Info: K03310534, BT970829
Component: Device Management
Symptoms:
On iSeries platforms, the LCD continuously displays secure mode and does not respond to user input.
Conditions:
This occurs if the admin password is anything other than the default on iSeries platforms.
Impact:
The LCD does not respond to user input. The LCD continuously displays secure mode. The /var/log/touchscreen_lcd fills up with error messages:
-- err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401.
The restjavad-audit.*.log may contain similar messages:
[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}
[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}
[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}
Workaround:
None
Fix:
The LCD now functions normally, and no authentication errors appear in the logs.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
970329-4 : ASM hardening
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
969637-3 : Config may fail to load with "FIPS 140 operations not available on this system" after upgrade★
Links to More Info: BT969637
Component: Local Traffic Manager
Symptoms:
After upgrade, configuration load fails with a log:
"FIPS 140 operations not available on this system"
Conditions:
-- A small subset of the following BIG-IP platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
Impact:
Configuration load fails and the device does not come online.
Fixed Versions:
14.1.4.4, 15.1.4
969509-3 : Possible memory corruption due to DOS vector reset
Links to More Info: BT969509
Component: Advanced Firewall Manager
Symptoms:
Unpredictable result due to possible memory corruption
Conditions:
DOS vector configuration change
Impact:
Memory corruption
Fix:
Added correct logic to reset DOS vector.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
969317-2 : "Restrict to Single Client IP" option is ignored for VMware VDI
Links to More Info: BT969317
Component: Access Policy Manager
Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.
Conditions:
- Configure APM Webtop with VMware VDI.
- Set the "Restrict to Single Client IP" option in the Access Profile.
- Try to launch a VMware desktop on one client. Copy the launch URI.
- Try to launch a VMware desktop from another client using the copied URI.
Impact:
A connection from the second client is allowed, but it should not be allowed.
Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2.1
969213-2 : VMware: management IP cannot be customized via net.mgmt.addr property
Links to More Info: BT969213
Component: TMOS
Symptoms:
IP addresses provided for VM customization in VMware are ignored. The net.mgmt.addr and net.mgmt.gw properties are supposed to be used when customization of IP addresses during VM setup is desired, but the addresses are ignored.
Conditions:
VMware only. Happens in any of the ways in which addresses are supplied via net.mgmt.addr and net.mgmt.gw. See https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html for scenarios where net.mgmt.addr and net.mgmt.gw can be set. VM customization profiles still work properly.
Impact:
Management IP cannot be customized in VMware during the VM setup.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
969105-1 : HA failover connections via the management address do not work on vCMP guests running on VIPRION
Links to More Info: BT969105
Component: TMOS
Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION device.
BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.
HA failover connections using self IPs are unaffected.
Conditions:
-- vCMP guest running on a VIPRION device
-- high availability (HA) failover connection using the management IP addresses (unicast and/or multicast)
Impact:
Failover state determination over the management port is permanently down.
Workaround:
While self IP-based high availability (HA) failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).
To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid
The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.
Add this line to the end of /config/startup:
(sleep 120; touch /var/run/chmand.pid) &
Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.
Alternatively, you can use the instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verifying that mcpd is up and ready, for example:
#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready
# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.
You may also request an Engineering Hotfix from F5.
Fixed Versions:
14.1.4.4, 15.1.4
968733-5 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
968641-1 : Fix for zero LACP priority
Links to More Info: BT968641
Component: Local Traffic Manager
Symptoms:
A LACP priority of zero prevents connectivity to Cisco trunks.
Conditions:
LACP priority becomes 0 when system MAC address has 00:00 at the end.
Impact:
BIG-IP may be unable to connect to Cisco trunks.
Workaround:
None.
Fix:
Eliminated the case where LACP priority equals 0.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
968421-4 : ASM attack signature doesn't match
Links to More Info: K30291321, BT968421
Component: Application Security Manager
Symptoms:
A specific attack signature doesn't match as expected.
Conditions:
Undisclosed conditions.
Impact:
Attack signature does not match as expected, and the request is not logged.
Workaround:
N/A
Fix:
Attack signature now matches as expected.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2
967905-3 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
Links to More Info: BT967905
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- static bwc
-- virtual to virtual chain
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the static bwc on a virtual chain.
Fix:
Fixed a tmm crash.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
967889-2 : Incorrect information for custom signature in DoS Protection:DoS Overview (non-http)
Links to More Info: BT967889
Component: Advanced Firewall Manager
Symptoms:
Custom signature of virtual server shows incorrect attack information.
Conditions:
-- Virtual server has a custom signature
-- An attack is mitigated
-- View the custom signature information via Security :: DoS Protection : DoS Overview (non-HTTP)
Impact:
GUI shows incorrect information for custom signature
Fix:
GUI shows correct information for custom signature
Fixed Versions:
14.1.4, 15.1.3
967745-2 : Last resort pool error for the modify command for Wide IP
Links to More Info: BT967745
Component: TMOS
Symptoms:
System reports error for the modify command for Wide IP.
01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.
Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.
Impact:
The object is not modified, and the system reports an error.
Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Append the command with last-resort-pool a <pool_name>, for example:
modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test
Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
967101-3 : When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.
Links to More Info: BT967101
Component: Local Traffic Manager
Symptoms:
Gratuitous ARP (GARP) messages are dropped at the time of sending GARP because the number of links up in the trunk is 0 (which returns "error 18" ... ERR_NOT_FOUND)
Conditions:
-- Two BIG-IP systems with switchless configuration, such as i2xxx and i4xxx.
-- Bring the interfaces in the trunk down and up at the same time.
Impact:
The neighboring device's ARP table is not updated with the BIG-IP interface status, because no gratuitous ARP message is sent out.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
14.1.4.6
966701-3 : Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP
Links to More Info: BT966701
Component: Service Provider
Symptoms:
Client connections are aborted when the generic message router profile is used in conjunction with the SCTP transport profile.
Conditions:
-- SCTP transport profile
-- MRF generic msg router profile
Impact:
BIG-IP is unable to process the traffic received over the SCTP transport for MRF generic message routing
Fix:
Enable the return type in the generic msg filter when data is received over SCTP transport.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
966681-2 : NAT translation failures while using SP-DAG in a multi-blade chassis
Links to More Info: BT966681
Component: Carrier-Grade NAT
Symptoms:
NAT translation fails
Conditions:
-- VIPRION multi-blade chassis
-- Configure AFM NAT/CGNAT and attach the AFM NAT Policy / lsnpool to the virtual server
-- Configure sp-dag on the vlans
Impact:
Traffic failure, performance degraded
Workaround:
Change the DB variable tm.lsn.retries to the maximum value of 4096
Fix:
Increased the number of attempts to select a local translation IP (an IP that, when used, makes the return packet land on the same TMM where the NAT selection is happening). This can be controlled with the DB variable tm.lsn.retries. The actual number of attempts is 16 times the value set in this DB variable.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
966277-3 : BFD down on multi-blade system
Links to More Info: BT966277
Component: TMOS
Symptoms:
After a secondary blade reboots in a multi-blade system, bi-directional forwarding detection (BFD) stops functioning.
Conditions:
-- Multi-blade VIPRION environment
-- BFD enabled
-- A secondary blade reboots
Impact:
BFD flaps on the secondary blade that was rebooted. The BFD session flap clears the routes on the peer.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
965853-1 : IM package file hardening★
Component: Protocol Inspection
Symptoms:
IM package file uploads do not follow current best practices.
Conditions:
- IM package file uploaded to BIG-IP
Impact:
IM package file uploads do not follow current best practices.
Workaround:
N/A
Fix:
IM package file uploads now follow current best practices.
Fixed Versions:
14.1.4.6
965785-3 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine
Links to More Info: BT965785
Component: Application Security Manager
Symptoms:
The DCC.HSL_DATA_PROFILES table on the standby machine stays empty after the sync process. An error for a DB insert failure into table DCC.HSL_DATA_PROFILES is thrown in asm_config_server.log.
Conditions:
There is no specific condition; the problem occurs rarely.
Impact:
The sync process requires an additional ASM restart.
Workaround:
Restart ASM after the sync process has finished.
Fixed Versions:
14.1.4.6
965617-1 : HSB mitigation is not applied on BDoS signature with stress-based mitigation mode
Links to More Info: BT965617
Component: Advanced Firewall Manager
Symptoms:
BDoS signature attacks are mitigated in software rather than via HSB
Conditions:
Dynamic or custom signature in stress-based mitigation mode on appliance with HSB support
Impact:
Higher resource load during a DDoS attack.
Fix:
Corrected the free spot search with offloading to HSB.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
965581 : Statistics are not reported to BIG-IQ
Links to More Info: BT965581
Component: Application Visibility and Reporting
Symptoms:
After a BIG-IP system is attached to BIG-IQ, there are no statistics reported. The 'avrd' process periodically fails with a core on the BIG-IP system.
Conditions:
A BIG-IP system is attached to BIG-IQ.
Impact:
No statistics collected.
Fix:
The avrd process no longer fails, and statistics are collected as expected.
Fixed Versions:
14.1.4, 15.1.4
965537 : SSL filter does not re-initialize when OCSP validator is modified
Links to More Info: BT965537
Component: Local Traffic Manager
Symptoms:
The client SSL or server SSL profile can specify an OCSP object for client or server certificate status validation.
After modifying the DNS resolver of the OCSP object, the new nameserver is never picked up. In other words, an incorrect OCSP responder will be contacted.
Conditions:
OCSP object is configured in Client Certificate Constrained Delegation (C3D) client SSL or in server SSL and is later modified.
Impact:
The incorrect (or the original) OCSP responder is contacted to get the peer certificate revocation status.
Workaround:
None
Fix:
When an OCSP validator is modified, the system now reloads the SSL profile to pick up the new DNS resolver.
Fixed Versions:
14.1.4
965485-2 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL
Links to More Info: K41523201
965229-3 : ASM Load hangs after upgrade★
Links to More Info: BT965229
Component: Application Security Manager
Symptoms:
ASM upgrade hangs, and you see the following in /var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------
In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
info tsconfig.pl[24675]: ASM initial configration script launched
info tsconfig.pl[24675]: ASM initial configration script finished
info asm_start[25365]: ASM config loaded
err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------
Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade
Impact:
ASM post upgrade config load hangs and there are no logs or errors
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
965205-3 : BIG-IP dashboard downloads unused widgets
Links to More Info: BT965205
Component: TMOS
Symptoms:
The BIG-IP dashboard page downloads all widgets, even widgets that are not visible on the dashboard.
Conditions:
This occurs when viewing the BIG-IP dashboard.
Impact:
Slower-than-necessary GUI response, and the dashboard shows higher-than-necessary CPU utilization.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4.1
964897-4 : Live Update - Indication of "Update Available" when there is no available update
Links to More Info: BT964897
Component: Application Security Manager
Symptoms:
Live Update notifies you that an update is available even though there is no available update.
Conditions:
The latest file is installed but not present on the system and the second-latest file has an 'error' status
Impact:
Live Update erroneously indicates that an update is available.
Workaround:
1. Upload the latest file that is not present on the system with scp to '/var/lib/hsqldb/live-update/update-files/'.
2. Restart the 'tomcat' service:
> bigstart restart tomcat
Fix:
Fixed an issue with Live Update notification.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
964585-4 : "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update
Links to More Info: BT964585
Component: Protocol Inspection
Symptoms:
- Protocol Inspection autoupdate logs "Non OK return code (400) received from API call" when the F5 download site does not contain Protocol Inspection Update container for the BIG-IP version.
Conditions:
- Protocol Inspection auto update is enabled.
- The BIG-IP version does not have the ProtocolInspection container in the relevant download section on F5 downloads.
Impact:
- The error message does not accurately explain the cause of the problem.
Workaround:
None.
Fix:
- More context is added to the log message when Protocol Inspection file is not present on the downloads site.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
964577-1 : IPS automatic IM download not working as expected
Links to More Info: BT964577
Component: Protocol Inspection
Symptoms:
IPS automatic download of IM packages from the F5 Downloads site does not complete as expected.
IPS automatic IM download considers the BIG-IP software major and minor version numbers.
However, the IPS library is dependent only on major version numbers. The site should constrain IM package download only to those that are compatible with the major version.
Conditions:
Auto download of IM package for IPS.
Impact:
New minor releases, such as BIG-IP v15.1.1 and later, cannot download IPS IM packages.
Workaround:
Manually download the IM package and upload it onto the BIG-IP system.
Fix:
Minor releases of BIG-IP software can now automatically download the IM package without issue.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
964489-3 : Protocol Inspection IM package hardening
Component: Protocol Inspection
Symptoms:
Protocol Inspection IM packages do not follow current best practices.
Conditions:
- Authenticated administrative user
- Protocol Inspection IM packages uploaded to BIG-IP
Impact:
Protocol Inspection IM packages do not follow current best practices.
Workaround:
N/A
Fix:
Protocol Inspection IM packages now follow current best practices.
Fixed Versions:
14.1.4.6
964245-3 : ASM reports and enforces username always
Links to More Info: BT964245
Component: Application Security Manager
Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, a username that arrives in an Authorization header is enforced even if the URL of the request carrying the Authorization header is not configured as a login URL at all.
Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.
Impact:
The username from the Authorization header appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.
Workaround:
None
Fix:
The username from the Authorization header no longer appears with status = BLOCK-ALL in the session tracking status list.
Fixed Versions:
14.1.4.4, 15.1.4
963705-2 : Proxy ssl server response not forwarded
Links to More Info: BT963705
Component: Local Traffic Manager
Symptoms:
A server response may not be forwarded after TLS renegotiation.
Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs
Impact:
Server response may not be forwarded.
Fix:
Proxy SSL now forwards the server response after renegotiation.
Fixed Versions:
14.1.4.5, 15.1.4.1
963237-1 : Non-EDNS responses with RCODE FORMERR are blocked by AFM MALFORM vector.
Links to More Info: BT963237
Component: Advanced Firewall Manager
Symptoms:
When a client sends a DNS request to a non-EDNS-capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests.
Conditions:
-- The client sends a DNS request to NON EDNS capable server
-- The server replies with RCODE FORMERR and no DNS data.
Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a response from the EDNS server.
Workaround:
Disable DNS MALFORM vector mitigation or add the EDNS server to the allow list.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
963017-3 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed
Links to More Info: BT963017
Component: TMOS
Symptoms:
Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):
err tpm-status[####]: System Integrity Status: Invalid
info tpm-status-check[####]: System Integrity Status: Invalid
In addition, a message similar to the following may appear on the serial console while the system is booting:
[ ###.######] tpm-status-check[####]: Checking System Integrity Status
[ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
[ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:
# systemctl -l status tpm-status-check.service
* tpm-status-check.service - F5 Trusted Platform Module
Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
Active: failed (Result: exit-code) since <...>
Main PID: #### (code=exited, status=1/FAILURE)
<...> tpm-status-check[####]: Checking System Integrity Status
<...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
<...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
<...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
<...> tpm-status[####]: BIOS 0614 v3.10.032.0
<...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
<...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
<...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
<...> systemd[1]: Unit tpm-status-check.service entered failed state.
<...> systemd[1]: tpm-status-check.service failed.
However, checking the System Integrity Status using the 'tpm-status' or 'tmsh run sys integrity status-check' command shows 'System Integrity Status: Valid'.
Conditions:
This may occur under the following conditions:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
- ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
- ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
-- Using hardware platforms that include a Trusted Platform Module (TPM), including:
- BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
- VIPRION B4450 blades
Impact:
The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid.
This is incorrect, and conflicts with the accurate System Integrity Status provided by the 'tpm-status' utility and 'tmsh run sys integrity status-check' command.
Workaround:
To observe the correct System Integrity Status, do either of the following:
-- Use the 'tpm-status' utility.
-- Run the command:
tmsh run sys integrity status-check
Fix:
This incorrect status reporting has been corrected.
Fixed Versions:
14.1.4, 15.1.3
962589-1 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion
Links to More Info: BT962589
Component: Application Security Manager
Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition
Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.
Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
962497-4 : BD crash after ICAP response
Links to More Info: BT962497
Component: Application Security Manager
Symptoms:
BD crashes when checking the ICAP job after an ICAP response.
Conditions:
BD is used with ICAP feature
Impact:
Traffic disrupted while BD restarts.
Workaround:
N/A
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
962433-3 : HTTP::retry for a HEAD request fails to create new connection
Links to More Info: BT962433
Component: Local Traffic Manager
Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.
Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version
Impact:
BIG-IP might send the retry HEAD request after the connection is closed (more specifically, after the server has sent a FIN), and the retry is leaked on the network.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4
962177-3 : Results of POLICY::names and POLICY::rules commands may be incorrect
Links to More Info: BT962177
Component: Local Traffic Manager
Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules return incorrect results.
Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.
Impact:
Traffic processing may not provide expected results.
Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over the same connection.
Fixed Versions:
13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2
961509-4 : ASM blocks WebSocket frames with signature matched but Transparent policy
Links to More Info: BT961509
Component: Application Security Manager
Symptoms:
WebSocket frames receive a close frame
Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled
Impact:
WebSocket frame blocked in transparent mode
Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No
Fix:
WebSocket frame blocking condition now takes into account global transparent mode setting.
Fixed Versions:
14.1.4.6
960749-3 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic
Links to More Info: BT960749
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes, dumps a core file, and restarts.
Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.
-- The DNS Cache or Network DNS Resolver objects receive traffic.
Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.
Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
960437-3 : The BIG-IP system may initially fail to resolve some DNS queries
Links to More Info: BT960437
Component: Global Traffic Manager (DNS)
Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.
Subsequent queries for the same domain name, however, work as expected.
Only some domain names are affected.
Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.
- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).
- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.
Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.
In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.
For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.
Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.
1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'.
4. Select Update.
You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.
Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
960369-3 : Negative value suggested in Traffic Learning as max value
Links to More Info: BT960369
Component: Application Security Manager
Symptoms:
Negative value suggested in Traffic Learning as max value
Conditions:
A huge parameter value is seen in traffic
Impact:
Wrong learning suggestion issued
Workaround:
Manually change maximum allowed value on the parameter to ANY
Fix:
The correct suggestion is now issued: change the maximum parameter value to ANY.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
959889-1 : Cannot update firewall rule with ip-protocol property as 'any'
Links to More Info: BT959889
Component: TMOS
Symptoms:
Cannot update the firewall rule with 'any' value as the ip-protocol from the BIG-IP system GUI.
Conditions:
-- Create a rule and set protocol to TCP or UDP
-- From the GUI, change the protocol to "Any" and update
Impact:
Cannot update the firewall rule from GUI.
Fix:
The GUI now allows updating firewall rules with 'any' as the ip-protocol.
Fixed Versions:
14.1.4, 15.1.3
959629-3 : Logintegrity script for restjavad/restnoded fails
Links to More Info: BT959629
Component: TMOS
Symptoms:
The logintegrity script used to rotate the signature files for restnoded results in frequent cron errors similar to:
find: '14232restnoded_log_pattern': No such file or directory.
Conditions:
When the logintegrity script runs.
Impact:
If the logintegrity script runs, the signature files for restnoded will not be in sync.
Workaround:
Modify the script file /usr/bin/rest_logintegrity:
1. mount -o remount,rw /usr
2. cp /usr/bin/rest_logintegrity /usr/bin/rest_logintegrity_original
3. vi /usr/bin/rest_logintegrity
4. Replace the following lines:
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log
With the lines:
restjavad_log_pattern=/var/log/restjavad*[1-9]*.log
restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log
5. Replace the line:
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)
With the line:
wc_restnoded=$(find $restnoded_log_pattern -cnewer $filename | wc -l)
6. mount -o remount,ro /usr
Fix:
When logintegrity is enabled, signature files for restnoded log files are now generated and rotated.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
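The '$$' in step 5 of the ID 959629 workaround above explains the cron error text: the shell expands '$$' to its own process ID and leaves the variable name behind as literal text, so find is handed a path such as '14232restnoded_log_pattern'. The following is an added example, not F5's rest_logintegrity script; it runs the original and corrected find lines in a scratch directory, and the directory layout and file names are constructed to match the corrected glob from step 4.

```shell
#!/bin/bash
# Added demonstration for the ID 959629 workaround; not F5's rest_logintegrity script.
# The scratch directory and file names are constructed. Only the glob tail
# "restnoded[1-9]*.log" and the two find lines are taken from the release note.

make_fixture() {
    # Build a scratch tree: a reference file dated in the past, one live log
    # and two rotated logs created now. Prints the path of the tree.
    fixture_dir=$(mktemp -d)
    mkdir -p "$fixture_dir/restnoded"
    : > "$fixture_dir/reference.sig"
    touch -t 200001010000 "$fixture_dir/reference.sig"
    : > "$fixture_dir/restnoded/restnoded.log"     # live log, must not match the glob
    : > "$fixture_dir/restnoded/restnoded1.log"    # rotated log (constructed name)
    : > "$fixture_dir/restnoded/restnoded2.log"    # rotated log (constructed name)
    printf '%s\n' "$fixture_dir"
}

buggy_argument() {
    # The argument find receives from the original line: "$$" becomes the
    # shell's PID and "restnoded_log_pattern" is appended as plain text.
    restnoded_log_pattern="never used by the buggy expansion"
    printf '%s\n' $$restnoded_log_pattern
}

count_original() {
    # Original line from step 5. find is given a nonexistent path, fails,
    # and the count is always 0 regardless of how many logs were rotated.
    restnoded_log_pattern="$1/restnoded/restnoded[1-9]*.log"
    filename="$1/reference.sig"
    find $$restnoded_log_pattern -cnewer "$filename" 2>/dev/null | wc -l | tr -d ' '
}

count_corrected() {
    # Corrected line from step 5. The variable is left unquoted on purpose so
    # the glob it holds expands to the rotated log files.
    restnoded_log_pattern="$1/restnoded/restnoded[1-9]*.log"
    filename="$1/reference.sig"
    find $restnoded_log_pattern -cnewer "$filename" | wc -l | tr -d ' '
}

# Stand-alone run: show both behaviours side by side, then clean up.
demo_dir=$(make_fixture)
echo "argument passed to find by the original line: $(buggy_argument)"
echo "rotated logs counted by the original line:  $(count_original "$demo_dir")"
echo "rotated logs counted by the corrected line: $(count_corrected "$demo_dir")"
rm -rf "$demo_dir"
```

Because the original line always counts zero, the script never sees newly rotated restnoded logs, which matches the stated impact that the signature files fall out of sync.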
958465-3 : In BIG-IP Virtual Edition, TMM may prematurely shut down during initialization
Links to More Info: BT958465
Component: TMOS
Symptoms:
TMM may prematurely shut down during its initialization when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more than 20 in most cases) and several interfaces (approximately 8 or more).
Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.
Workaround:
None.
Fix:
A new TCL configuration element was added: "max_poll_pre_rfw", with a default value of 4, to modulate the function of "max_poll" in TMMs which are not yet Ready-For-World.
The value of "max_poll_pre_rfw" can be configured in the "tmm_base.tcl" file.
Fixed Versions:
14.1.4.4, 15.1.3.1, 16.0.1.2
958353-3 : Restarting the mcpd messaging service renders the PAYG VE license invalid.
Links to More Info: BT958353
Component: TMOS
Symptoms:
Upon mcpd service restart, the pay as you grow Virtual Edition license becomes invalid.
Conditions:
Restarting the mcpd messaging service.
Impact:
The license becomes expired. A message is displayed in the console:
mcpd[5122]: 01070608:0: License is not operational (expired or digital signature does not match contents).
Workaround:
If you cannot avoid restarting the mcpd messaging service, then you must issue the reloadlic command, or reboot the BIG-IP (using your preferred method).
Fix:
Fixed an issue with pay as you grow licenses following a mcpd restart.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
958093-2 : IPv6 routes missing after BGP graceful restart
Links to More Info: BT958093
Component: TMOS
Symptoms:
When BGP graceful restart is configured for peers in IPv4 unicast and IPv6 unicast address families, after graceful restart for both IPv4 and IPv6 address families, routes from the IPv6 unicast address family might be missing.
Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.
Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.
Fixed Versions:
14.1.4.5, 15.1.4.1
958085-2 : IM installation fails with error: Spec file not found★
Links to More Info: BT958085
Component: Traffic Classification Engine
Symptoms:
IM installation fails with an error message:
ERROR Error during switching: Spec file not found
Conditions:
This can occur when deleting an IM file that is actively installing on one volume, and the BIG-IP system is booted from another volume.
Impact:
Upgrading/Downgrading to another IM does not work until you install a new BIG-IP image on the same disk.
Workaround:
None.
Fix:
During the init process, the system now installs FactoryDefaults if the active IM file is not found on disk.
Fixed Versions:
14.1.4.4, 15.1.4
957905-3 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.
Links to More Info: BT957905
Component: Service Provider
Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.
SIP Responses that don't contain a content_length header are accepted and forwarded to the client.
The sipmsg parser does not treat the content_length header as a required header as part of the SIP Request / Response.
Conditions:
SIP request / response without content_length header.
Impact:
RFC 6731 non compliance.
Workaround:
N/A
Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.
content_length header is treated as optional for UDP and SCTP.
Fixed Versions:
14.1.4.6
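The per-transport check described in the fix for ID 957905 above, as an added shell example that is not F5 code. The function name and sample messages are constructed, and accepting the compact header name "l" is an assumption taken from the SIP specification rather than from this page.

```shell
# Added example, not F5 code. Decides what the fixed behaviour described
# above does with one SIP message: over TCP a Content-Length header must be
# present, over UDP and SCTP it is optional.
# Usage: sip_framing_check TRANSPORT < message
# Prints "forward" (status 0) or "abort" (status 1); status 2 = bad transport.
sip_framing_check() {
    transport=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    if awk '
        { sub(/\r$/, "") }          # SIP lines end in CRLF
        NR == 1   { next }          # request line or status line
        $0 == ""  { exit }          # blank line: headers end, body starts
        /^[ \t]/  { next }          # folded continuation of the previous header
        {
            colon = index($0, ":")
            if (colon == 0) next
            name = tolower(substr($0, 1, colon - 1))
            sub(/[ \t]+$/, "", name)
            # Assumption: "l" is accepted as the compact form of the header.
            if (name == "content-length" || name == "l") found = 1
        }
        END { if (found) exit 0; exit 1 }
    '; then
        has_length=1
    else
        has_length=0
    fi
    case "$transport" in
        TCP)
            if [ "$has_length" -eq 1 ]; then echo forward; return 0; fi
            echo abort; return 1 ;;
        UDP|SCTP)
            echo forward; return 0 ;;
        *)
            echo "unsupported transport: $1" >&2; return 2 ;;
    esac
}

# Constructed sample messages (hosts and branch values are made up).
sample_invite_with_length() {
    printf 'INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/TCP host.example.com;branch=z9hG4bKsample1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n'
}
sample_options_compact() {
    printf 'OPTIONS sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/TCP host.example.com;branch=z9hG4bKsample2\r\nCSeq: 2 OPTIONS\r\nl: 0\r\n\r\n'
}
# No length header; the body only looks like one and must not be counted.
sample_message_no_length() {
    printf 'MESSAGE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/TCP host.example.com;branch=z9hG4bKsample3\r\nCSeq: 3 MESSAGE\r\n\r\nContent-Length: 4\r\n'
}

# Demonstration on the constructed samples.
sample_invite_with_length | sip_framing_check tcp
sample_message_no_length | sip_framing_check tcp || true
sample_message_no_length | sip_framing_check udp
```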
957897-2 : Unable to modify gateway-ICMP monitor fields in the GUI
Links to More Info: BT957897
Component: TMOS
Symptoms:
While modifying a gateway-ICMP monitor you see the following error:
01070374:3: Cannot modify the address type of monitor /Common/<monitor_name>.
Conditions:
-- Using the GUI to modify a Gateway-ICMP monitor field.
-- The monitor is attached with a pool that has one or more pool members.
Impact:
You cannot update the Gateway-ICMP monitor fields via the GUI.
Workaround:
Use the tmsh command:
tmsh modify ltm monitor gateway-icmp <monitor_name> [<field> <new_value>]
For example, to update the description of a monitor named gw_icmp, use the following command:
modify ltm monitor gateway-icmp gw_icmp description new_description
Fix:
You can now update the Gateway-ICMP monitor fields via the GUI.
Fixed Versions:
14.1.4.6
957337-4 : Tab complete in 'mgmt' tree is broken
Links to More Info: BT957337
Component: TMOS
Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:
(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"
Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete
Impact:
You are unable to configure objects in mgmt.
This issue also prevents users with the admin role from accessing the following REST endpoints:
shared/authz/users
shared/echo-js
The error returned was HTTP/1.1 401 F5 Authorization Required
Fix:
Fixed an issue with tab completion for certain commands in the 'mgmt' tree.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
956645-1 : Per-request policy execution may timeout.
Links to More Info: BT956645
Component: Access Policy Manager
Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.
Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.
Impact:
Some clients will fail to connect to their destination.
Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).
Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.
Fix:
Subsession lock contention wait time is reduced. Clients will not fail to connect due to subsession lock contention.
Fixed Versions:
14.1.4.5
956589-2 : The tmrouted daemon restarts and produces a core file
Links to More Info: BT956589
Component: TMOS
Symptoms:
The tmrouted daemon restarts and produces a core file.
Conditions:
Exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover
Impact:
Traffic disrupted while tmrouted restarts.
Workaround:
None
Fix:
Tmrouted daemon should not restart during blade reset
Fixed Versions:
14.1.4.6, 15.1.2.1
956373-3 : ASM sync files not cleaned up immediately after processing
Links to More Info: BT956373
Component: Application Security Manager
Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate
Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition
Impact:
If the files are large, this may lead to a "lack of disk space" problem.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
956293-1 : High CPU from analytics-related REST calls - Dashboard TMUI
Links to More Info: BT956293
Component: TMOS
Symptoms:
When opening the GUI > Main > Statistics > Dashboard - the control plane CPU usage is around 7-15% on a completely empty system and Java consumes 3-5% CPU.
Conditions:
Leaving the UI dashboard page open.
Impact:
System performance is impacted if the dashboard page is kept open.
Fixed Versions:
14.1.4.4, 15.1.4
956133-4 : MAC address might be displayed as 'none' after upgrading.★
Links to More Info: BT956133
Component: Local Traffic Manager
Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.
Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.
Impact:
Traffic disrupted when the MAC address is set to 'none'.
Workaround:
N/A
Fix:
IPv6 link-local addresses are now created with MTU greater than 1280, so this issue is resolved.
Fixed Versions:
14.1.4.4, 15.1.4
956013 : System reports {{validation_errors}}
Links to More Info: BT956013
Component: Policy Enforcement Manager
Symptoms:
A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses
Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.
Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
955617-6 : Cannot modify properties of a monitor that is already in use by a pool
Links to More Info: BT955617
Component: Local Traffic Manager
Symptoms:
Modifying monitor properties gives an error if the monitor is attached to a pool with a Node/Pool member instance.
0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor
Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.
Impact:
Monitor properties can't be modified if they are in use by a pool.
Workaround:
Remove monitor, modify it, and then add it back.
Fixed Versions:
14.1.4.6
955017-4 : Excessive CPU consumption by asm_config_event_handler
Links to More Info: BT955017
Component: Application Security Manager
Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync
Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.
Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.
Workaround:
Disable the signature staging action item for all policies.
Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2
954025 : "switchboot -b HD1.1" fails to reboot chassis
Links to More Info: BT954025
Component: TMOS
Symptoms:
Changing the default boot image with "switchboot -b HD1.1" fails to reboot the chassis.
Conditions:
-- Install 14.1.x-tmos-bugs 14.1.2.8 Build 434.0 on HD1.2 of a chassis with two blades and boot to HD1.2.
-- Execute switchboot -b HD1.1
Impact:
Switchboot command does not work and you are unable to change the default boot image.
Fix:
You can now change the default boot image.
Fixed Versions:
14.1.3.1
953845-4 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart
Links to More Info: BT953845
Component: Local Traffic Manager
Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.
This can occur when using administrative commands such as:
-- tmsh run util fips-util init
-- fipsutil init
-- tmsh run util fips-util loginreset -r
-- fipsutil loginreset -r
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
+ vCMP guest on i5820-DF / i7820-DF
+ vCMP guest on 10350v-F
Impact:
BIG-IP is unable to communicate with the onboard HSM.
Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.
Immediately before doing this:
-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:
sys fipsuser f5cu {
password $M$Et$b3R0ZXJzCg==
}
Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.
Fixed Versions:
12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
953729-3 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
953677-3 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
952557-1 : Azure B2C Provider OAuth URLs are updated for B2Clogin.com
Links to More Info: BT952557
Component: Access Policy Manager
Symptoms:
Microsoft has deprecated login.microsoftonline.com OAuth Azure Active Directory B2C (Azure AD B2C) URLs. The OAuth Provider templates are updated to support the newer URLs B2Clogin.com.
Conditions:
Azure AD B2C Provider may be non-functional if URLs are using login.microsoftonline.com.
Impact:
Older AD B2C URLs using login.microsoftonline.com may not be functional.
Workaround:
Update existing URLs when creating OAuth B2C providers to use B2Clogin.com.
For more information, see Azure Active Directory B2C is deprecating login.microsoftonline.com :: https://azure.microsoft.com/en-us/updates/b2c-deprecate-msol/.
Fix:
Azure B2C Provider OAuth URLs have been updated to use B2Clogin.com.
Fixed Versions:
14.1.4, 15.1.3
952545-3 : 'Current Sessions' statistics of HTTP2 pool may be incorrect
Links to More Info: BT952545
Component: Service Provider
Symptoms:
In HTTP2 full proxy deployment, the LTM pool 'cur_sessions' statistics may show an unusually large number, such as 18446743927680663552
Conditions:
-- HTTP2 full proxy deployment
-- A client sends multiple requests over multiple streams
Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue and it can underflow.
Workaround:
None.
Fix:
'Current Sessions' statistics of HTTP2 pool reports correctly.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
952509-1 : Cross origin AJAX requests are blocked in case there is no Origin header
Links to More Info: BT952509
Component: Application Security Manager
Symptoms:
When using Single Page Application, if a CORS request is sent without an Origin, the "Access-Control-Allow-Origin" header is not set and the request is blocked.
Conditions:
-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option
-- CORS Request is sent without an Origin header.
Impact:
Request is blocked.
Workaround:
Use an iRule to add the Origin header according to the domain in the Referer header.
Fix:
The Referer header is now also checked when modifying CORS headers.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
951257-1 : FTP active data channels are not established
Component: Local Traffic Manager
Symptoms:
Under certain conditions FTP active data channels may not be established as expected.
Conditions:
-- The FTP profile has "allow-active-mode" enabled and "port" set to a non-zero value.
Impact:
FTP transfers with active data channels are not processed as expected.
Workaround:
- Disable 'active' FTP and only use passive FTP or
- Use a custom FTP profile with port set to '0' on FTP virtual servers.
Fix:
FTP active data channels are now established as expected.
Fixed Versions:
14.1.4.6
951133-1 : Live Update does not work properly after upgrade★
Links to More Info: BT951133
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.
Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update
Impact:
Live Update can't query for new updates.
Workaround:
Restart tomcat process:
> bigstart restart tomcat
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
951033-2 : Virtual server resets all the connections for rstcause 'VIP disabled (administrative)'
Links to More Info: BT951033
Component: Local Traffic Manager
Symptoms:
Virtual server resets all the connections for rstcause 'VIP disabled (administrative)', after all the conditions are met.
Once it happens, the virtual server starts resetting all the incoming connections for rstcause 'VIP disabled (administrative)'. This continues even after the connection limit is deactivated.
Conditions:
-- There is at least one pool member that is DISABLED.
-- Other pool members have a connection limit configured.
-- A configuration change occurs while the connection limit is activated, and the change lowers the connection limit value, for example, the value is changed from 10 to 5.
Impact:
A virtual server continues resetting new connections.
Workaround:
Use Forced offline instead of disabled to prevent this issue.
Fix:
The BIG-IP system no longer continually resets new connections when the connection limit is lowered while it is being enforced.
Fixed Versions:
13.1.3.5, 14.1.3.1
950917-2 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
Links to More Info: BT950917
Component: Application Security Manager
Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:
01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )
Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.
Impact:
Apply policy fails.
Workaround:
You can use any of the following workarounds:
-- Install an older signature update -SignatureFile_20200917_175034
-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.
-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs
INNER JOIN (
    select previous_enforced_rule_md5, policy_id, count(*) as mycount
    from PL_POLICY_NEGSIG_SIGNATURES
    where previous_enforced_rule_md5 != ''
    group by previous_enforced_rule_md5, policy_id
    having mycount > 1
) as multi_sigs
    on policy_sigs.policy_id = multi_sigs.policy_id
    and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5
SET policy_sigs.previous_enforced_rule_md5 = '',
    policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4
950849-2 : B4450N blades report page allocation failure.★
Links to More Info: BT950849
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures on B4450N blades to the /var/log/kern.log file like the following:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This occurs on B4450N blades regardless of configuration.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You must perform the workaround on each blade installed in the system.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands:
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID950849' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID950849' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures on B4450 (A114) blades.
Fixed Versions:
14.1.4.4, 15.1.3.1
950077-3 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
949889-2 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
949593-2 : Unable to load config if AVR widgets were created under '[All]' partition★
Links to More Info: BT949593
Component: Application Visibility and Reporting
Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.
Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.
Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.
Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':
# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config
This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.
Fix:
It is now possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other nonexistent partitions. With the current fix, all partitions are changed to "Common" during upgrade.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
949477-2 : NTLM RPC exception: Failed to verify checksum of the packet
Links to More Info: BT949477
Component: Access Policy Manager
Symptoms:
NTLM authentication fails with the error:
RPC exception: Failed to verify checksum of the packet.
Conditions:
-- Start nlad process with 'encryption'.
-- Configure a user, and map that user to a huge number of groups.
-- Configure NTLM front-end authentication.
Impact:
User authentication fails.
Workaround:
1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad.
2. Disable encryption for nlad:
# vim /etc/bigstart/startup/nlad
change:
exec /usr/bin/${service} -use-log-tag 01620000
to:
exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no
3. Restart nlad to make the change effective, and to force the schannel to be re-established:
# bigstart restart nlad
Fixed Versions:
14.1.4.4, 15.1.4.1
949145-4 : Improve TCP's response to partial ACKs during loss recovery
Links to More Info: BT949145
Component: Local Traffic Manager
Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.
Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.
Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.
Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.
Fix:
Partial ACK handling during loss recovery is improved.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
948805-3 : False positive "Null in Request"
Links to More Info: BT948805
Component: Application Security Manager
Symptoms:
A false positive violation "Null in Request" is thrown erroneously.
Conditions:
-- BIG-IP receives a query string in the "Referer" header
Impact:
False positive violation "Null in Request" is thrown
Workaround:
None
Fix:
Fixed a false positive violation.
Fixed Versions:
14.1.4.5, 15.1.4.1
948757-3 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.
Links to More Info: BT948757
Component: Local Traffic Manager
Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.
Conditions:
A snat-translation address is configured with ARP enabled.
Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.
Workaround:
None.
Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1
948573-2 : Wr_urldbd list of valid TLDs needs to be updated
Links to More Info: BT948573
Component: Traffic Classification Engine
Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.
Conditions:
New TLD is being queried
Impact:
The URL query with new TLDs cannot be blocked with a custom feed list.
Custom, Webroot, and Cloud return the Unknown category.
Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
948113-4 : User-defined report scheduling fails
Links to More Info: BT948113
Component: Application Visibility and Reporting
Symptoms:
A scheduled report fails to be sent.
An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
Because : Unknown column ....... in 'order clause'
Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report
Impact:
Internal error for AVR report for ASM pre-defined.
Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr
Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});
The above can be achieved with the following command (first back up the Client.pm file, and afterwards verify that the file was changed correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
Lastly, remount /usr back to read-only:
mount -o remount,ro /usr
Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
947925-4 : TMM may crash when executing L7 Protocol Lookup per-request policy agent
Links to More Info: BT947925
Component: SSL Orchestrator
Symptoms:
TMM may crash when executing the L7 Protocol Lookup per-request policy agent.
Conditions:
-- APM or SSL Orchestrator is licensed and provisioned.
-- L7 Protocol Lookup agent is included in the per-request policy for APM/SWG use cases.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM does not crash anymore when executing the L7 Protocol Lookup agent in the per-request policy.
Fixed Versions:
14.1.4.3, 15.1.4
947865-3 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read
Links to More Info: BT947865
Component: TMOS
Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user/log:
err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer
Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.
Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.
Fixed Versions:
14.1.4, 15.1.3
947529-1 : Security tab in virtual server menu renders slowly
Links to More Info: BT947529
Component: TMOS
Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.
Conditions:
Large number of virtual servers using the same ASM policy
Impact:
Loading of Security tab of a virtual server takes a long time
Workaround:
NA
Fix:
Security tab of a virtual server loads fast
Fixed Versions:
14.1.4.4, 15.1.4.1
947341-3 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.
Links to More Info: BT947341
Component: Application Security Manager
Symptoms:
1) /var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------
2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.
Conditions:
ASM/AVR provisioned
Impact:
MySQL runs out of resources when opening the file PRX.REQUEST_LOG and an error message states the file is corrupt.
Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
https://support.f5.com/csp/article/K14956
https://support.f5.com/csp/article/K42497314
2. To identify the empty partitions, look into:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"
3. For every partition that is empty, manually (or via shell script) execute this sql:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"
Note: <empty_partition_name> must be substituted with the partition name, for example p100001.
4. Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
bigstart restart mysql
--------------------------------
5. pkill asmlogd
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
Fix:
This release increases the default 'open_files_limit' to '10000'.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2
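Steps 2 and 3 of the workaround for ID 947341 above, as an added shell helper that is not part of F5's release notes: it reads the \G output of the step 2 query and prints one DROP PARTITION statement per partition whose TABLE_ROWS is 0. The function names and sample rows are constructed, and TABLE_ROWS can be an estimate for some storage engines, so review the printed statements before running any of them.

```shell
# Added example, not F5 code. Reads the \G-formatted output of the
# INFORMATION_SCHEMA.PARTITIONS query (step 2) on stdin and prints one
# DROP PARTITION statement per empty PRX.REQUEST_LOG partition (step 3).
# It only prints statements; nothing is run against the database.
empty_partition_sql() {
    awk '
        # A "*** N. row ***" separator starts each record in \G output.
        /^\*+ [0-9]+\. row \*+/ { emit_row(); next }
        {
            # Remaining lines look like "PARTITION_NAME: p100001".
            line = $0
            sub(/\r$/, "", line)
            sub(/^[ \t]+/, "", line)
            sep = index(line, ": ")
            if (sep == 0) next
            key = substr(line, 1, sep - 1)
            val = substr(line, sep + 2)
            sub(/[ \t]+$/, "", val)
            if (key == "TABLE_SCHEMA")   schema = val
            if (key == "TABLE_NAME")     tbl = val
            if (key == "PARTITION_NAME") part = val
            if (key == "TABLE_ROWS")     rows = val
        }
        END { emit_row() }

        function emit_row() {
            # Skip other tables, NULL names and anything that is not a plain
            # identifier, so no unexpected text ends up inside the SQL.
            if (schema == "PRX" && tbl == "REQUEST_LOG" &&
                part ~ /^[A-Za-z0-9_]+$/ && part != "NULL" && rows == "0")
                printf "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION %s;\n", part
            schema = tbl = part = rows = ""
        }
    '
}

# Constructed sample of the step 2 query output (trimmed to the columns used).
sample_partitions_output() {
    cat <<'EOF'
*************************** 1. row ***************************
  TABLE_SCHEMA: PRX
    TABLE_NAME: REQUEST_LOG
PARTITION_NAME: p100001
    TABLE_ROWS: 0
*************************** 2. row ***************************
  TABLE_SCHEMA: PRX
    TABLE_NAME: REQUEST_LOG
PARTITION_NAME: p100002
    TABLE_ROWS: 5321
*************************** 3. row ***************************
  TABLE_SCHEMA: PRX
    TABLE_NAME: REQUEST_LOG
PARTITION_NAME: p100003
    TABLE_ROWS: 0
EOF
}

# Demonstration on the constructed sample; on a device, pipe the step 2
# command into empty_partition_sql instead.
sample_partitions_output | empty_partition_sql
```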
946745-3 : 'System Integrity: Invalid' after Engineering Hotfix installation
Links to More Info: BT946745
Component: TMOS
Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.
Conditions:
This occurs if all of the following conditions are true:
-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on TPM-supported BIG-IP platform.
-- The Engineering Hotfix contains a fix for ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html).
-- The Engineering Hotfix contains an updated 'sirr-tmos' package.
Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.
Workaround:
None.
Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status when an Engineering Hotfix is installed.
Fixed Versions:
14.1.4, 15.1.3
946481-3 : Virtual Edition FIPS not compatible with TLS 1.3
Links to More Info: BT946481
Component: Local Traffic Manager
Symptoms:
A TLS 1.3 handshake failure occurs when using openssl's AES-GCM cipher in FIPS mode.
Conditions:
FIPS mode and attempting TLS 1.3 with cipher AES-GCM
Impact:
Handshake failure for TLS 1.3
Workaround:
Disable FIPS mode, or alternately use non AES-GCM cipher for TLS 1.3.
Fix:
TLS 1.3 AES-GCM in FIPS mode now works correctly.
Fixed Versions:
14.1.4.6
946325-3 : PEM subscriber GUI hardening
Component: Policy Enforcement Manager
Symptoms:
The PEM subscriber GUI does not follow current best practices.
Conditions:
- Authenticated administrative user
- PEM GUI request
Impact:
PEM subscriber GUI does not follow current best practices.
Workaround:
N/A
Fix:
PEM subscriber GUI now follows current best practices.
Fixed Versions:
14.1.4.6
946185-4 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★
Links to More Info: BT946185
Component: iApp Technology
Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.
Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.
Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.
Workaround:
To reconfigure the iApp, do the following:
1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List
2. Click the Application Link :: Reconfigure.
Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.
Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
946125-1 : Tmm restart adds 'Revoked' tokens to 'Active' token count
Links to More Info: BT946125
Component: Access Policy Manager
Symptoms:
End users are unable to access an application even though the number of active tokens is far below the allowed limit, with this error:
/Common/my_oauth:Common: Request Access Token from Source ID <id> IP <ip> failed. Error Code (access_denied) Error Description (This user has reached configured access token limit.)
Conditions:
1. configure per user access token limit
2. revoke some tokens
3. restart tmm
Impact:
User is denied access even though token limit per user is not reached
Fix:
Fixed an issue where users were unable to log in after a tmm restart.
Fixed Versions:
14.1.4.4, 15.1.4
946089-1 : BIG-IP might send excessive multicast/broadcast traffic.
Links to More Info: BT946089
Component: TMOS
Symptoms:
BIG-IP might transmit excessive multicast/broadcast traffic.
Conditions:
-- BIG-IP Virtual Edition with more than one TMM.
-- Number of excessive packets is directly proportional to the number of TMMs.
Impact:
Excessive multicast/broadcast traffic.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
946081-3 : Getcrc tool help displays directory structure instead of version
Links to More Info: BT946081
Component: Application Security Manager
Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.
Conditions:
Displaying help in getcrc utility.
Impact:
Version information is not displayed.
Fix:
Getcrc utility help now displays version information.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
945997-3 : LTM policy applied to HTTP/2 traffic may crash TMM
Links to More Info: BT945997
Component: Local Traffic Manager
Symptoms:
When an LTM policy is applied to HTTP/2 traffic and refers to TCL expression(s), TMM may crash.
Conditions:
-- A virtual is configured with http and http2 profiles.
-- An LTM policy is published and refers to TCL expression(s).
-- The policy is attached to the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Fix:
BIG-IP properly processes LTM policy with TCL expression(s) when it is applied to a virtual handling HTTP/2 traffic.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
945265-3 : BGP may advertise default route with incorrect parameters
Links to More Info: BT945265
Component: TMOS
Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.
Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.
Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.
Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>
Fix:
BGP suppresses a route advertisement between BGP speakers configured in the same AS with the same router-id.
Behavior Change:
BGP now suppresses a route advertisement between BGP speakers configured in the same AS with the same router-id.
Previously, the route was not acceptable to peers until the BGP session was cleared, resulting in potentially incorrect parameters.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
944785-1 : Admd restarting constantly. Out of memory due to loading malformed state file
Links to More Info: BT944785
Component: Anomaly Detection Services
Symptoms:
Admd consumes more than 10GB of RSS.
Wrong signature statistics and possible memory corruption, potentially resulting in high memory consumption.
Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.
Impact:
ADMD not working, ADMD constantly restarting, consuming all of the system memory. Out of memory. ADMD killed due to memory consumption
Workaround:
Make sure that all the devices within a cluster are running a compatible state file version (either all on versions before 15.1.0.x or all on versions after). If they are not:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start admd
If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start admd
Fix:
No more memory corruption, no OOM nor ADMD restarts.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.2
944641-3 : HTTP2 send RST_STREAM when exceeding max streams
Links to More Info: BT944641
Component: Local Traffic Manager
Symptoms:
If the SETTINGS_MAX_CONCURRENT_STREAMS setting is exceeded, BIG-IP sends a GOAWAY frame; however, browsers expect a RST_STREAM and the GOAWAY frame results in a half-rendered web page.
Conditions:
The maximum streams setting is exceeded on a HTTP/2 connection.
Impact:
BIG-IP sends a GOAWAY frame, and the browser shows a half-rendered page.
Workaround:
None.
Fix:
BIG-IP now sends a RST_STREAM if the maximum streams setting is exceeded.
Fixed Versions:
14.1.4, 15.1.4, 16.0.1.1
944513-1 : Apache configuration file hardening
Links to More Info: BT944513
Component: TMOS
Symptoms:
Apache configuration file did not follow security best practice.
Conditions:
Normal system operation with httpd enabled.
Impact:
Apache configuration file did not follow security best practice.
Workaround:
None
Fix:
Apache configuration file has been hardened to follow security best practice.
Fixed Versions:
14.1.4.6, 15.1.4
944441-3 : BD_XML logs memory usage at TS_DEBUG level
Links to More Info: BT944441
Component: Application Security Manager
Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)
Conditions:
These messages can occur when XML/JSON profiles are configured.
Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.
Workaround:
None
Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
944121-3 : Missing SNI information when using non-default domain https monitor running in TMM mode.
Links to More Info: BT944121
Component: In-tmm monitors
Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.
In-TMM monitors do not send any packet when TLS1.3 monitor is used.
Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.
-- Separately, the issue also occurs when a TLS 1.3 monitor is used.
Impact:
The TLS connection might fail in case of SNI
No SYN packet is sent in case of TLS1.3 monitor
Workaround:
N/A
Fix:
N/A
Fixed Versions:
14.1.4.6
943913-4 : ASM attack signature does not match
Links to More Info: K30150004, BT943913
Component: Application Security Manager
Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.
Conditions:
- ASM enabled
- Undisclosed attack signature variation
Impact:
ASM attack signature does not match or trigger further processing.
Workaround:
N/A
Fix:
ASM now processes traffic as expected.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2
943889-1 : Reopening the publisher after a failed publishing attempt
Links to More Info: BT943889
Component: Fraud Protection Services
Symptoms:
TMM crashes repeatedly on SIGSEGV.
Conditions:
This can occur after a HSL disconnect and re-connect.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system publishes data to HSL publisher on a second attempt successfully (after a reconnect).
Fixed Versions:
13.1.3.5, 14.1.4
943793 : Neurond continuously restarting.
Links to More Info: BT943793
Component: TMOS
Symptoms:
Neurond continuously restarts.
Conditions:
-- BIG-IP iSeries hardware platform
-- issuing the command "service --status-all"
Impact:
Neuron communications will be impacted.
Workaround:
N/A
Fix:
Fix for handling neurond.init script treating unknown arg as "start": Added code for default case to handle all unknown args.
Fixed Versions:
14.1.4
943577-3 : Full sync failure for traffic-matching-criteria with port list under certain conditions
Links to More Info: BT943577
Component: TMOS
Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:
err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..
Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
- a traffic-matching-criteria is attached to a virtual server
- the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
- the same traffic-matching-criteria is attached to the same virtual server
- the original port-list is modified (e.g. a description is changed)
- the TMC is changed to reference a _different_ port-list
Impact:
Unable to sync configurations.
Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.
If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.
1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:
tmsh save sys config
(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
cat /config{/partitions/*,}/bigip{_base,}.conf |
awk '
BEGIN { p=0 }
/^(ltm traffic-matching-criteria|net port-list) / { p=1 }
/^}/ { if (p) { p=0; print } }
{ if (p) print; }
' ) > /var/tmp/portlists-and-tmcs.txt
2. Copy /var/tmp/portlists-and-tmcs.txt to the target system
3. On the target system, load that file:
tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt
3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
tmsh save sys config
clsh touch /service/mcpd/forceload
clsh reboot
4. On the source system, force a full-load sync to the device-group:
tmsh run cm config-sync force-full-load-push to-group <name of sync-group>
Fixed Versions:
14.1.4.6
943101 : Tmm crash in cipher group delete.
Links to More Info: BT943101
Component: Local Traffic Manager
Symptoms:
Deleting a cipher group associated with multiple profiles could cause tmm crash.
Conditions:
Deleting a cipher group associated with multiple profiles.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed an issue with cipher group delete.
Fixed Versions:
14.1.3, 15.1.4
942965-1 : Local users database can sometimes take more than 5 minutes to sync to the standby device
Links to More Info: BT942965
Component: Access Policy Manager
Symptoms:
Local db sync to standby devices takes more than 5 minutes.
Conditions:
High availability (HA) setup
- add a local db user in the active device
- Wait for it to get synced to the standby device
- Sometimes the sync may not happen in 5 minutes.
Impact:
Sync of the changes to the local user db may take several minutes to sync to the standby devices.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.5
942549-3 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
Links to More Info: BT942549
Component: TMOS
Symptoms:
During boot of an i15xxx system you see the message:
Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
Conditions:
This issue can occur on any i15xxx device, although some devices exhibit the failure consistently and others never exhibit the issue.
Impact:
When this failure occurs in a system, the system is inoperable.
Workaround:
To work around this issue, the system must be updated to install a script that is capable of resetting the hardware device during the HSB load process.
If it's not possible to install an EHF with the updated script or a version of BIG-IP with the fix, then it can be installed manually by providing the fw_update_post.init file and replacing it in /etc/init.d/fw_update_post. It is recommended that the existing fw_update_post is backed-up and this is only done in cases where the EHF or a fixed version of BIG-IP cannot be installed.
Fix:
A 'Dataplane INOPERABLE - Only 7 HSBs found. Expected 8' condition caused by a PCIE linking failure is resolved by an updated HSB load script which correctly resets BIG-IP i15xxx system hardware during boot.
Persistent 'Dataplane INOPERABLE' messages, after this fix is installed, indicate an unrelated failure.
Fixed Versions:
14.1.4.4, 15.1.4.1
941929-1 : Google Analytics shows incorrect stats, when Google link is redirected.
Links to More Info: BT941929
Component: Application Security Manager
Symptoms:
When the server responds with a redirect, the ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.
Conditions:
-- Google link is responded to (by the server) with a redirect.
-- Bot defense profile or DoS Application profile attached to a virtual server with challenge mitigation enabled.
Impact:
Incorrect data is displayed in the Google Analytics dashboard.
Workaround:
None
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
941853-2 : Logging Profiles do not disassociate from virtual server when multiple changes are made
Links to More Info: BT941853
Component: Application Security Manager
Symptoms:
When multiple Logging Profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.
Conditions:
Multiple Logging Profile changes are made in a single update.
Impact:
The previous Logging Profiles are not disassociated from the virtual server.
Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
941621-3 : Brute Force breaks server's Post-Redirect-Get flow
Links to More Info: K91414704, BT941621
Component: Application Security Manager
Symptoms:
Brute Force breaks server's Post-Redirect-Get flow
Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.
Impact:
Brute Force breaks server's Post-Redirect-Get flow
Workaround:
None
Fix:
Support PRG mechanism in brute force mitigations.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.1
941481-3 : iRules LX - nodejs processes consuming excessive memory
Links to More Info: BT941481
Component: Local Traffic Manager
Symptoms:
iRule LX nodejs processes can leak memory. The iRule LX plugin nodejs processes memory usage climbs over time and does not return to prior levels.
You can check the iRule LX plugin's memory usage by running 'tmsh show ilx plugin <PLUGIN_NAME>' and looking under 'Memory (bytes)':
Memory (bytes)
Total Virtual Size 946.8M
Resident Set Size 14.5K
Conditions:
-- iRulesLX in use.
Impact:
iRule LX nodejs processes memory usage keeps growing.
The unbounded memory growth can eventually impact other Linux host daemons.
Workaround:
Restart the iRule LX plugin that is leaking memory:
tmsh restart ilx plugin <PLUGIN_NAME>
Fixed Versions:
14.1.4.4, 15.1.4
941393 : Memory leak in SWG
Links to More Info: BT941393
Component: Access Policy Manager
Symptoms:
A memory leak was observed in TMM during internal stress testing.
Conditions:
SWG provisioned. Real-world conditions are unknown.
Impact:
System can run out of memory resource.
Workaround:
No workaround
Fix:
Release execution context when done.
Fixed Versions:
14.1.4.5
941257-2 : Occasional Nitrox3 ZIP engine hang
Links to More Info: BT941257
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.
You can check if your platform has the nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable http compression
Fixed Versions:
14.1.4.4, 15.1.4
941249-4 : Improvement to getcrc tool to print cookie names when cookie attributes are involved
Links to More Info: BT941249
Component: Application Security Manager
Symptoms:
The getcrc tool reports an incorrect ASM cookie name when the cookie attributes path and/or domain are present in the response from the server.
Conditions:
This is applicable when domain and path cookie attributes are present in response from server
Impact:
ASM cookie name which is displayed is incorrect
Workaround:
None
Fix:
More options need to be added to getcrc tool such that it caters for path/domain cookie attribute/s
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
941169-1 : Subscriber Management is not working properly with IPv6 prefix flows.
Links to More Info: BT941169
Component: Policy Enforcement Manager
Symptoms:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted.
Conditions:
When IPv6 prefix flows are configured on PEM (i.e., sys db variable tmm.pem.session.ipv6.prefix.len is configured with a value other than 128).
Impact:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted. Resources are not released from the system.
Workaround:
None.
Fixed Versions:
14.1.4, 15.1.2.1
941089 : TMM core when using Multipath TCP
Links to More Info: BT941089
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
940897-2 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached
Links to More Info: BT940897
Component: Application Security Manager
Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".
Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.
Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.
Workaround:
N/A
Fix:
No false positives detected.
Fixed Versions:
12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
940885-3 : Add embedded SR-IOV support for Mellanox CX5 Ex adapter
Links to More Info: BT940885
Component: TMOS
Symptoms:
The Mellanox CX5 Ex adapter is not supported by the BIG-IP with a tmm embedded SR-IOV network driver.
Conditions:
A BIG-IP Virtual Edition system configured to use one or more Mellanox CX5 Ex adapters in SR-IOV mode.
Impact:
Systems using a CX5 Ex adapter will have to use the sock driver rather than the Mellanox driver.
Fix:
Added the CX5 Ex device ID to the BIG-IP's Mellanox SR-IOV driver so that it can be used with that adapter.
Fixed Versions:
14.1.4.4, 15.1.4.1
940401-3 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'
Links to More Info: BT940401
Component: Fraud Protection Services
Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.
Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.
Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.
Workaround:
None.
Fix:
Section now reads 'Rooting Detection'.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
940261-2 : Support IPS package downloads via HTTP proxy.
Component: Protocol Inspection
Symptoms:
IPS package download via HTTP proxy does not work.
2021-08-31 16:59:59,793 WARNING Download file failed. Retrying.
--
The error repeats continuously.
Conditions:
-- The global db key 'sys management-proxy-config' is configured
-- An IPS download is triggered
Impact:
The IPS IM package fails to download.
Workaround:
No workaround.
Fix:
IPS package downloads can now be successfully performed through an HTTP proxy.
Fixed Versions:
14.1.4.6
940249-3 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached
Links to More Info: BT940249
Component: Application Security Manager
Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive data after the last allowed element is not masked.
Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.
Impact:
Data after last allowed element is not masked.
Fix:
Now the values are masked.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
940209-1 : Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout.
Links to More Info: BT940209
Component: Local Traffic Manager
Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, the BIG-IP system may not properly close established server-side connections causing subsequent HTTP/2 requests to stall.
Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.
Impact:
HTTP/2 requests intermittently stall due to the existing server-side TCP connection remaining open.
Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.
Fix:
HTTP/2 requests no longer stall, as the server side TCP connection is properly closed.
Fixed Versions:
14.1.4, 15.1.2
940021-2 : Syslog-ng hang may lead to unexpected reboot
Links to More Info: BT940021
Component: TMOS
Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.
The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng gets hung up.
Logs via syslog-ng are no longer written, though logging not via syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.
At this time syslog-ng typically spins, using near 100% CPU (just one core equivalent, not all CPU capacity on system).
Typically things appear fine on rest of system - there will usually be adequate CPU and memory.
Hours or days later graphs will have a gap of usually tens of minutes to hours before an unexpected reboot.
Post reboot logs (in /var/log/sel for iSeries or ltm log otherwise) show this is a host watchdog reboot.
After reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.
Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.
A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to the stream of log messages by breaking the connection, e.g., by sending ICMP port unreachable to the BIG-IP.
Syslog-ng logs the connection attempt and its break, usually in the same second, and does so again every 60 seconds when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
The final log will be of a broken connection only, usually one minute after the last established/broken pair.
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.
Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.
Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.
This fix is not a complete fix. You will still need to remove unused syslog-ng servers from the BIG-IP configuration.
ID 1040277 tracks the remaining issue.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
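The log signature described for ID 940021 can be checked for mechanically. The following is an added example, not F5 code: it scans /var/log/messages-style text for repeated established/broken pairs in the same second (an unreachable remote destination) and for a 'Syslog connection broken' line with no matching 'established' line (the pattern the entry associates with the hang). The function names and the 192.0.2.10 destination are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on the log lines quoted in ID 940021.
# 192.0.2.10 is a constructed healthy destination for contrast.
SAMPLE_LOG = "\n".join([
    "Nov 25 03:12:40 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='15', server='AF_INET(192.0.2.10:514)', local='AF_INET(0.0.0.0:0)'",
    "Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'",
    "Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'",
    "Nov 25 03:13:30 localhost.localdomain notice mcpd[6489]: constructed unrelated line",
    "Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'",
    "Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'",
    "Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'",
])

# timestamp, host, level, then the syslog-ng connection event and its server field
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+\w+\s+syslog-ng\[(?P<pid>\d+)\]:\s+"
    r"Syslog connection (?P<state>established|broken);.*?server='(?P<server>[^']+)'"
)


@dataclass
class DestinationReport:
    flap_pairs: int = 0                                 # established+broken in the same second
    orphan_broken: list = field(default_factory=list)   # broken with no matching established


def parse_events(text):
    """Yield (timestamp, pid, state, server) for each syslog-ng connection event."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts = " ".join(m.group("ts").split())  # normalise padded day numbers
            yield ts, m.group("pid"), m.group("state"), m.group("server")


def analyze(text):
    """Return {server: DestinationReport} for every remote destination seen."""
    reports = {}
    last = {}  # (pid, server) -> (state, timestamp) of the previous event
    for ts, pid, state, server in parse_events(text):
        report = reports.setdefault(server, DestinationReport())
        key = (pid, server)
        if state == "broken":
            if last.get(key) == ("established", ts):
                report.flap_pairs += 1           # normal retry cycle against a bad server
            else:
                report.orphan_broken.append(ts)  # signature described in the entry
        last[key] = (state, ts)
    return reports


def hang_suspects(text):
    """Servers with at least one 'broken' event lacking a same-second 'established'."""
    return sorted(s for s, r in analyze(text).items() if r.orphan_broken)


if __name__ == "__main__":
    for server, rep in analyze(SAMPLE_LOG).items():
        print(server, "flap pairs:", rep.flap_pairs, "orphan broken:", rep.orphan_broken)
```

A destination with a high flap-pair count is a candidate for removal from the configuration, as the Fix text advises; an orphan 'broken' event is the point after which the entry says syslog-ng logging stops.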
939877-2 : OAuth refresh token not found
Links to More Info: BT939877
Component: Access Policy Manager
Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:
err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or failover to standby thus losing refresh-token value from primarydb
Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.
Workaround:
Clear/reset the Authorization code column value manually:
As the root user, run the following in the BIG-IP shell (tmsh):
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }
Copy the value corresponding to <db_name>.
Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)
mysql> use <db_name>;
mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';
(Substitute affected_refresh_token_id in the previous command with the affected refresh token ID.)
Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.2
939541-3 : TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE
Links to More Info: BT939541
Component: TMOS
Symptoms:
TMM may prematurely shut down (during its initialization) when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more than 20 in most cases) and several interfaces (approximately 8 or more).
Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.
Workaround:
None.
Fix:
TMM no longer shuts down prematurely during initialization.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
939529-3 : Branch parameter not parsed properly when topmost via header received with comma separated values
Links to More Info: BT939529
Component: Service Provider
Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.
Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.
Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:
SIP/2.0 481 Call/Transaction Does Not Exist.
Workaround:
Use iRules to remove the topmost Via header and add a new Via header that uses the same branch for INVITE and CANCEL when sending messages to SIP clients.
Fix:
The BIG-IP system now ensures the branch field inserted in the Via header is the same for INVITE and CANCEL messages.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
939421-4 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow
939209-3 : FIPS 140-2 SP800-56Arev3 compliance
Links to More Info: BT939209
Component: Local Traffic Manager
Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.
Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.
Impact:
BIG-IP will comply with the older standard.
Fix:
Updated cryptographic algorithms and self-tests according to the SP800-56Arev3 standard.
Fixed Versions:
14.1.3
939085-1 : /config/ssl/ssl.csr directory disappears after creating certificate archive
Links to More Info: BT939085
Component: Local Traffic Manager
Symptoms:
Creating a certificate archive removes the /config/ssl/ssl.csr directory.
Conditions:
This occurs while creating a certificate archive.
Impact:
Missing /config/ssl/ssl.csr directory is causing Integrity Check to fail on an intermittent basis.
Workaround:
Recreate /config/ssl/ssl.csr directory and set correct file permissions:
mkdir /config/ssl/ssl.csr
chmod 755 /config/ssl/ssl.csr/
chcon -R --reference=/config/ssl/ssl.crt/ /config/ssl/ssl.csr
Fix:
The ssl.csr directory is no longer deleted on archive creation.
Fixed Versions:
14.1.4.6
938233-3 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
Links to More Info: K93231374
938165-2 : TMM Core after attempted update of IP geolocation database file
Links to More Info: BT938165
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.
Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Revert to using the previously working version of the IP-geolocation file.
For more information, see K11176: Downloading and installing updates to the IP geolocation database :: https://support.f5.com/csp/article/K11176#restore.
Fix:
The BIG-IP system now validates the region/country strings returned by the geolocation database for IP addresses used in the traffic.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
938149-3 : Port Block Update log message is missing the "Start time" field
Links to More Info: BT938149
Component: Advanced Firewall Manager
Symptoms:
Port Block Update log message is missing the "Start time" field.
Conditions:
-- Configure PBA mode in AFMNAT/CGNAT with subscriber awareness.
-- Trigger PBA Update log messages with a change in subscriber name for the same client IP address.
Impact:
NAT Log information is not usable for accounting purposes.
Fix:
Set the "start time" and "duration" log fields for all types of PBA log messages.
Fixed Versions:
14.1.2.1, 15.1.2, 16.0.1.1
936773-1 : Improve logging for "double flow removal" TMM Oops
Links to More Info: BT936773
Component: Local Traffic Manager
Symptoms:
/var/log/tmm contains this entry:
notice Oops @ 0x286feeb:1127: double flow removal
Conditions:
The conditions under which this message is logged are unknown or may vary. This item is for logging the flow tuple and virtual server name to aid in diagnosing the cause.
Impact:
None
Fixed Versions:
14.1.4.4, 15.1.4.1
936557-3 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.
Links to More Info: BT936557
Component: Local Traffic Manager
Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.
Conditions:
This issue occurs when the following conditions are true:
-- Standard TCP virtual server.
-- TCP profile with Verified Accept enabled.
-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.
Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.
Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.
Fix:
SYN segment retransmissions now correctly use 0 as the acknowledgement number.
Fixed Versions:
14.1.4.5, 15.1.4.1
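To confirm from a server-side capture whether retransmitted SYNs carry a non-zero acknowledgement number, the TCP headers can be inspected directly. The following is an added example, not F5 code: it parses raw IPv4/TCP packets, tracks SYNs per flow, and reports any SYN (ACK flag clear) whose acknowledgement number is not 0. The packets, addresses and ports are constructed for illustration, and treating "ACK flag clear" as the definition of an initial SYN is an assumption of this example.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10

def build_packet(src, dst, sport, dport, seq, ack, flags):
    """Build a minimal IPv4+TCP packet (checksums left at 0) for the constructed sample."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def parse_packet(pkt):
    """Return the TCP fields of an IPv4/TCP packet, or None if it is something else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20:
        return None
    sport, dport, seq, ack, _offset, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
    }

def find_bad_syns(packets):
    """Report SYN segments (ACK flag clear) whose acknowledgement number is non-zero."""
    seen = set()
    findings = []
    for index, pkt in enumerate(packets):
        seg = parse_packet(pkt)
        if seg is None or not seg["flags"] & SYN or seg["flags"] & ACK:
            continue  # not an initial SYN (SYN-ACKs from the server are skipped)
        key = (seg["src"], seg["sport"], seg["dst"], seg["dport"], seg["seq"])
        retransmission = key in seen  # same flow and same ISN seen before
        seen.add(key)
        if seg["ack"] != 0:
            findings.append({
                "index": index,
                "flow": "%s:%d -> %s:%d" % (seg["src"], seg["sport"],
                                             seg["dst"], seg["dport"]),
                "ack": seg["ack"],
                "retransmission": retransmission,
            })
    return findings

# Constructed capture: 10.0.0.1 stands in for the proxy's server-side address.
SAMPLE = [
    build_packet("10.0.0.1", "10.0.0.50", 40000, 80, 1000, 0, SYN),           # first SYN
    build_packet("10.0.0.1", "10.0.0.50", 40000, 80, 1000, 0x12345678, SYN),  # retransmit
    build_packet("10.0.0.50", "10.0.0.1", 80, 40000, 9000, 1001, SYN | ACK),  # SYN-ACK
    build_packet("10.0.0.1", "10.0.0.50", 40001, 80, 2000, 0, SYN),           # other flow
]

if __name__ == "__main__":
    for finding in find_bad_syns(SAMPLE):
        print(finding)
```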
935801-3 : HSB diagnostics are not provided under certain types of failures
Links to More Info: BT935801
Component: TMOS
Symptoms:
In rare cases where the HSB detects an error and triggers a high-availability (HA) failover, HSB-specific diagnostic data is not provided.
An example is XLMAC errors, which can be seen in the TMM logs:
<13> Jul 25 18:49:41 notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
<13> Jul 25 18:49:41 notice high availability (HA) failover action is triggered due to XLMAC/FCS erros on HSB1 on bus 3.
Conditions:
The HSB detects an internal error.
Impact:
There is less HSB data for analysis when an internal HSB error occurs.
Workaround:
None.
Fix:
Dump HSB registers on all HSB-initiated high-availability (HA) failovers.
Fixed Versions:
14.1.4.5, 15.1.2
935593-3 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
Links to More Info: BT935593
Component: Local Traffic Manager
Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled do not handle retransmitted SYNs correctly.
Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.
Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.
Workaround:
Do not use TCP timestamp rewrite.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
935293-3 : 'Detected Violation' Field for event logs not showing
Links to More Info: BT935293
Component: Application Security Manager
Symptoms:
The violation is missing, or its details are not populated, on the event log page when a POST request with a large number of parameters is sent to the BIG-IP system.
Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.
Impact:
You cannot see the violation details.
Workaround:
Disabling parameter learning helps.
Note: This happens only with a large number of parameters. Usually it works as expected.
Fix:
The event log now reserves space for violations.
Fixed Versions:
13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
934941-3 : Platform FIPS power-up self test failures not logged to console
Links to More Info: BT934941
Component: TMOS
Symptoms:
The BIG-IP system does not log FIPS power-up self-test failures to the console.
Conditions:
A FIPS failure occurs during the power-up self test.
Impact:
Platform FIPS failures are made more difficult to identify and diagnose, because the system console fails to include anything at all that indicates a failure.
Workaround:
None.
Fixed Versions:
14.1.3.1, 15.1.3
934461 : Connection error with server with TLS1.3 single-dh-use.
Links to More Info: BT934461
Component: Local Traffic Manager
Symptoms:
Connection failure with TLS1.3 and single-dh-use configured.
Conditions:
14.1 with TLS1.3 single-dh-use.
Impact:
Connection failure in 14.1 versions.
Workaround:
Disable single-dh-use, or disable tls1.3.
Fix:
14.1 now supports TLS1.3 single-dh-use and hello retry on serverside.
Fixed Versions:
14.1.3, 15.1.4
934393 : APM authentication fails due to delay in sessionDB readiness
Links to More Info: BT934393
Component: Access Policy Manager
Symptoms:
APM Authentication fails, and apmd cores when trying to connect to sessionDB.
Conditions:
-- APM configured.
-- SAML SP configured.
Impact:
It takes a long time to create the configuration snapshot. Authentication fails and apmd cores.
Workaround:
Restart all services by entering the following command:
tmsh restart /sys service all
Note: Restarting all services causes temporary traffic disruption.
Fix:
The sessionDB readiness has been corrected so that authentication succeeds.
Fixed Versions:
14.1.3, 15.1.4
933777-2 : Context use and syntax changes clarification
Links to More Info: BT933777
Component: Application Visibility and Reporting
Symptoms:
There are two context and syntax-related issues:
-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.
-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.
Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.
Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.
Workaround:
None
Fix:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).
-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.
Behavior Change:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).
-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.
Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
933461-3 : BGP multi-path candidate selection does not work properly in all cases.
Links to More Info: BT933461
Component: TMOS
Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.
Conditions:
An inbound route-map exists that modifies a route's path selection attribute.
Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.
Workaround:
None.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
933409-4 : Tomcat upgrade via Engineering Hotfix causes live-update files removal★
Links to More Info: BT933409
Component: TMOS
Symptoms:
After applying an Engineering Hotfix ISO that contains an updated tomcat package, live-update files are inadvertently removed and live update no longer works properly.
Conditions:
Occurs after installing an Engineering Hotfix that contains the tomcat package.
Impact:
Live-update functionality does not work properly.
Workaround:
Although there is no workaround, you can install an updated Engineering Hotfix that uses a fixed version of the live-install package.
Fix:
Fixed an issue with inadvertently removing live-update files while applying an Engineering Hotfix.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
933405-3 : Zonerunner GUI hangs when attempting to list Resource Records
Links to More Info: K34257075, BT933405
Component: Global Traffic Manager (DNS)
Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.
Conditions:
Attempt to list Resource Records in Zonerunner GUI.
Impact:
Zonerunner hangs.
Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.
Fixed Versions:
14.1.4, 15.1.4.1, 16.0.1.1
932937-3 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.
Links to More Info: BT932937
Component: Local Traffic Manager
Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.
Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.
Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.
Workaround:
Use an iRule to prevent connections from hanging:
when HTTP_REJECT {
    after 1
}
Fix:
HTTP Explicit Proxy configurations no longer result in connections hanging until idle timeout.
Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1
932737-1 : DNS & BADOS high-speed logger messages are mixed
Links to More Info: BT932737
Component: Anomaly Detection Services
Symptoms:
Both DNS and BADOS messages use the same family ID, and the reported messages are categorized together.
Conditions:
BADOS & DNS are run together and application is under attack (BADOS). At this point, BIG-IP will generate BADOS messages using an ID that conflicts with DNS messages.
Impact:
Reporting will be confusing.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
932497-1 : Autoscale groups require multiple syncs of datasync-global-dg
Links to More Info: BT932497
Component: TMOS
Symptoms:
Datasync-global-dg is in 'sync pending' status and is not automatically synced as expected.
Conditions:
Browser Challenges update image is automatically downloaded.
Impact:
Peers are not synced.
Workaround:
Manually sync the datasync-global-dg group.
Fix:
Perform full sync for each change when having multiple live update changes in a row.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
932485-2 : Incorrect sum(hits_count) value in aggregate tables
Links to More Info: BT932485
Component: Application Visibility and Reporting
Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.
Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) into one of the AVR tables.
-- Review the value of the sum(hits_count) column.
Impact:
The system reports incorrect values in AVR tables when dealing with large numbers.
Workaround:
None.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
932437-4 : Loading SCF file does not restore files from tar file★
Links to More Info: BT932437
Component: TMOS
Symptoms:
Loading an SCF configuration file does not restore file objects from the SCF's associated tar file.
Restoring the SCF fails with an error similar to this if the running configuration does not already contain the file:
01070712:3: Failed: name (/Common/test-crt) Cache path (/config/filestore/files_d/Common_d/certificate_d/:Common:test-crt) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.
Conditions:
Restore an SCF archive that references file objects, e.g.:
-- SSL certificates
-- SSL keys
-- iFiles
Impact:
Restoring SCF does not restore contents of file objects.
Workaround:
None.
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
932213-1 : Local user db not synced to standby device when it comes online after forced offline state
Links to More Info: BT932213
Component: Access Policy Manager
Symptoms:
Local user db is not synced to the standby device when it comes online after being forced offline.
Conditions:
Valid high availability (HA) configuration.
-- Make the standby device forced offline.
-- Create a new local db user in the online device.
-- Bring the standby device back online.
Impact:
The newly created user is not synced to the standby device unless localdbmgr is restarted on the standby.
Workaround:
None
Fix:
Fixed the issue by handling the forced offline scenario.
Fixed Versions:
14.1.4.5, 15.1.4.1
932137-4 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
Links to More Info: BT932137
Component: Application Visibility and Reporting
Symptoms:
After upgrade, AFM statistics show non-relevant data.
Conditions:
-- BIG-IP system upgrade.
-- Leftover files remain in the /shared/avr_afm partition from other versions.
Impact:
Non-relevant data are shown in AFM statistics.
Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
932133-3 : Payloads with large number of elements in XML take a lot of time to process
Links to More Info: BT932133
Component: Application Security Manager
Symptoms:
ASM experiences high CPU usage and latency while processing a large XML request.
Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.
Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.
Workaround:
None
Fix:
This fix includes performance improvements for large XML payloads.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
932033-1 : Chunked response may have DATA frame with END_STREAM prematurely
Links to More Info: BT932033
Component: Local Traffic Manager
Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, BIG-IP systems may send the END_STREAM flag before transmitting a whole payload.
Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.
Impact:
A browser may not receive the whole payload, or it may not recognize that the payload has been delivered fully (partially prior to the DATA frame with END_STREAM flag, partially after the frame).
Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.
Fix:
BIG-IP systems no longer send a DATA frame with END_STREAM flag prematurely when a connection to a client is congested.
Fixed Versions:
14.1.4, 15.1.2
931677-4 : IPv6 hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, handling of IPv6 traffic to BIG-IP owned addresses (e.g. self-IPs) does not follow current best practices.
Conditions:
-- IPv6 strict compliance is enabled (tmsh modify sys db ipv6.strictcompliance value true)
-- IPv6 traffic to BIG-IP owned addresses
Impact:
Handling of IPv6 traffic does not follow current best practices.
Workaround:
Disable IPv6 strict compliance with the command:
tmsh modify sys db ipv6.strictcompliance value false
Fix:
BIG-IP now handles IPv6 traffic in compliance with current best practices.
Fixed Versions:
14.1.4.6
930905-1 : Management route lost after reboot.
Links to More Info: BT930905
Component: TMOS
Symptoms:
Management route lost after reboot, leading to no access to BIG-IP systems via management address.
Conditions:
-- 2NIC BIG-IP Virtual Edition template deployed in GCP (see https://github.com/F5Networks/f5-google-gdm-templates/tree/v3.0.3/supported/standalone/2nic/existing-stack/byol).
-- The instance is rebooted.
Impact:
After rebooting, the default route via the management interface no longer exists in the routing table. BIG-IP administrators are unable to connect to BIG-IP Virtual Edition via the management address.
Workaround:
Use either of the following workarounds:
-- Delete the route completely and reinstall the route.
-- Restart mcpd:
bigstart restart mcpd
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
930741-1 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
Links to More Info: BT930741
Component: TMOS
Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.
One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.
Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.
Impact:
Traffic disruption caused by the reboot.
Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
930633-1 : Delay in using new route updates by existing connections on BIG-IP.
Links to More Info: BT930633
Component: TMOS
Symptoms:
If routes are updated in BIG-IP by static or dynamic methods, the existing connections will not use the new routes until ~1-8 seconds later.
Conditions:
Routes for existing connections on the BIG-IP are updated.
Impact:
Performance might be degraded when routes are updated for existing connections on BIG-IP.
Fix:
Added DB variable "tmm.inline_route_update". When enabled, packets are checked for new routes before being sent out. It is disabled by default.
Behavior Change:
A new db variable has been added, called tmm.inline_route_update. It is disabled by default. When enabled, packets are checked for new routes before sending out.
Fixed Versions:
14.1.4.5
930385 : SSL filter does not re-initialize when an OCSP object is modified
Links to More Info: BT930385
Component: Local Traffic Manager
Symptoms:
Create an OCSP object using DNS resolver ns1, associate the OCSP object to SSL profile and a virtual.
Then, modify the OCSP object to DNS resolver ns2.
After the modification, wait for cache-timeout and cache-error-timeout and then connect to virtual again. The nameserver contacted is still ns1.
Conditions:
An OCSP object is configured and modified.
Impact:
The wrong nameserver is used after modification to the OCSP object.
Fix:
After the fix, the correct nameserver will be contacted after the OCSP object is modified.
Fixed Versions:
14.1.3, 15.1.4
929213-3 : iAppLX packages not rolled forward after BIG-IP upgrade★
Links to More Info: BT929213
Component: Device Management
Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
-> Performing an upgrade
-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX
Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and accessing them from the GUI results in a 404 error.
Workaround:
The package needs to be uninstalled and installed again for use.
Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again
Fix:
All installed Package Management LX packages, such as AS3, DO, telemetry, failover extension, and service discovery, are available after upgrade.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
929077-1 : Bot Defense allow list does not apply when using default Route Domain and XFF header
Links to More Info: BT929077
Component: Application Security Manager
Symptoms:
When an IP address allow list is configured in a Bot Defense Profile, the default Route Domain is in use, and a request arrives with an X-Forwarded-For header, the request might not be recognized as being on the allow list.
Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.
Impact:
Request from an IP address that is on the allow list is blocked.
Workaround:
Allow the IP address using an iRule.
Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
929001-4 : ASM form handling improvements
Links to More Info: K48321015, BT929001
Component: Application Security Manager
Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.
Conditions:
- Brute force protection is configured
Impact:
Enforcement not triggered as expected.
Workaround:
N/A
Fix:
ASM now processes forms as expected.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
928857-3 : Use of OCSP responder may leak X509 store instances
Links to More Info: BT928857
Component: Local Traffic Manager
Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fixed Versions:
14.1.4, 15.1.3
928805-3 : Use of OCSP responder may cause memory leakage
Links to More Info: BT928805
Component: Local Traffic Manager
Symptoms:
Use of OCSP responder may cause small amounts of SSL memory to be leaked, eventually leading to memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM SSL memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fixed Versions:
14.1.4, 15.1.3
928789-3 : Use of OCSP responder may leak SSL handshake instances
Links to More Info: BT928789
Component: Local Traffic Manager
Symptoms:
Use of OCSP responder may cause SSL handshake instances to be leaked eventually leading to memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM ssl_hs memory usage grows over time, eventually causing memory pressure, and potentially a traffic disruption due to TMM restart.
Workaround:
No workaround.
Fixed Versions:
14.1.4, 15.1.3
928717-1 : [ASM - AWS] - ASU fails to sync
Links to More Info: BT928717
Component: Application Security Manager
Symptoms:
Live Update configuration is not updated.
Conditions:
-- The BIG-IP device being removed from the device group is also the last commit originator. (You might encounter this on AWS as a result of auto-scale.)
-- A new device is added to the device group.
-- Initial sync is pushed to the new device.
Impact:
Automatic signature updates (ASU) fail to sync.
Workaround:
Make a spurious change to Live Update from another device in the group and sync it to the group, for example:
1. Set the 'Installation of Automatically Downloaded Updates' to Scheduled and save.
2. Then return the setting to its previous state, and save again.
Fixed Versions:
14.1.4.4, 15.1.4
928685-3 : ASM Brute Force mitigation not triggered as expected
Links to More Info: K49549213, BT928685
Component: Application Security Manager
Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.
Conditions:
- ASM enabled
- Brute Force mitigation enabled
Impact:
Brute Force mitigation is not triggered as expected.
Workaround:
The following iRule looks for an issue with the authorization header and raises a custom violation when this happens:
when ASM_REQUEST_DONE {
    if { [catch { HTTP::username }] } {
        log local0. "ERROR: bad username"
        ASM::raise bad_auth_header_custom_violation
    }
}
Fix:
Brute Force mitigation is now triggered as expected.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
928553-1 : LSN64 with hairpinning can lead to a tmm core in rare circumstances
Links to More Info: BT928553
Component: Carrier-Grade NAT
Symptoms:
LSN64 with hairpinning configured can lead to a tmm core in rare circumstances.
Conditions:
- LSN64 virtual server.
- Hairpinning enabled.
- FLOW_INIT iRule.
- Full proxy config.
Impact:
Tmm cores. Traffic disrupted while tmm restarts.
Workaround:
Disable full proxy config of hairpinning.
Fix:
Tmm does not crash anymore.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
928029 : Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis
Links to More Info: BT928029
Component: TMOS
Symptoms:
Wrong popup message for switchboot popup "This will restart the chassis. Continue?".
Conditions:
Run "switchboot" command
Impact:
A confusing popup message is displayed.
Workaround:
NA
Fix:
Updated the switchboot popup message to "This will restart BIG-IP tenant. Continue?"
Fixed Versions:
14.1.3, 15.1.4
927993-4 : Built-in SSL Orchestrator RPM installation failure
Links to More Info: K97501254, BT927993
Component: SSL Orchestrator
Symptoms:
Attempting to install the built-in SSL Orchestrator RPM results in the following error:
Failed to load IApp artifacts from f5-iappslx-ssl-orchestrator: java.lang.IllegalStateException: Failed to post templates to block collection.
Conditions:
In the BIG-IP TMUI, the BIG-IP administrator navigates to the SSL Orchestrator Configuration page. This would automatically invoke the installation of the built-in SSL Orchestrator RPM, resulting in the failure.
Impact:
The built-in SSL Orchestrator RPM is not installed and SSL Orchestrator management is not possible.
Workaround:
Step 1. Run the following commands in the BIG-IP command line:
# Get ID for f5-ssl-orchestrator-dg-data:
id1=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-data") | .id')
# Get ID for f5-ssl-orchestrator-dg-template:
id2=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-template") | .id')
# Temporarily unlink the "f5-ssl-orchestrator-dg-data" (id1) dependency on "f5-ssl-orchestrator-dg-template" (id2).
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id1
# Remove all SSL Orchestrator block templates.
restcurl shared/iapp/blocks | jq -r '.items[] | select(.state == "TEMPLATE") | select(.name | startswith("f5-ssl-orchestrator")) | .id' | for x in $(cat) ; do restcurl -X DELETE shared/iapp/blocks/$x; done
# Remove the SSL Orchestrator RPM installation references (if any).
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
---
Step 2. Use the BIG-IP TMUI:
Log in to the TMUI and navigate to SSL Orchestrator > Configuration. This would refresh the related page and install the SSL Orchestrator RPM. Wait for the SSL Orchestrator configuration page to complete loading.
---
Step 3. Run the following commands in the BIG-IP command line:
# Restore the "f5-ssl-orchestrator-dg-data" dependency on "f5-ssl-orchestrator-dg-template".
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id2
---
Step 4. Use the BIG-IP TMUI:
Refresh the SSL Orchestrator > Configuration page.
Fix:
Built-in SSL Orchestrator RPM installation failure
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1
927941-3 : IPv6 static route BFD does not come up after OAMD restart
Links to More Info: BT927941
Component: TMOS
Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"
Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.
Impact:
BFD session is not shown in 'show bfd session'.
Workaround:
Restart tmrouted:
bigstart restart tmrouted
Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
927617-3 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value
Links to More Info: BT927617
Component: Application Security Manager
Symptoms:
A valid request that should be passed to the backend server is blocked.
Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.
-- The cookie header that contains the valid cookie value is encoded to base64.
Impact:
A request is blocked that should not be.
Workaround:
Disable 'Base64 Decoding' for the desired cookie.
Fix:
Requests with valid base64 encoding cookies are now correctly passed by the enforcer.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
927033-1 : Installer fails to calculate disk size of destination volume★
Links to More Info: BT927033
Component: TMOS
Symptoms:
Installation fails with a 'Disk full (volume group)' error in /var/log/liveinstall.log:
error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.
Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:
[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map
Impact:
Unable to successfully upgrade.
Workaround:
Create the expected symlink manually:
cd /dev/md
ln -s ../md127 _none_\:0
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
926929-2 : RFC Compliance Enforcement lacks configuration availability
Links to More Info: BT926929
Component: Local Traffic Manager
Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.
Conditions:
The configuration has a virtual server with an HTTP profile.
Impact:
Some applications that require certain constructions after a header name may not function.
Workaround:
None
Fix:
A configuration item has been introduced to manage RFC-compliance options.
In releases 13.1.4, 14.1.4, 15.1.2.1 and 16.0.1.2 and in subsequent releases in those families, a global flag is used to control the enforcement:
sys db tmm.http.rfc.allowwsheadername
The possible values are "enabled" and "disabled"; the default is "enabled".
In release 16.1.0 and subsequent releases, there are two per-profile options; these have been added to the Configuration Utility's configuration page for HTTP profiles, in the 'Enforcement' section:
-- Enforce RFC Compliance
-- Allow Space Header Name
The following sample output shows how the RFC-compliance and whitespace-enforcement settings might appear in tmsh, if enabled:
(tmos)# list ltm profile http http-wsheader
ltm profile http http-wsheader {
app-service none
defaults-from http
enforcement {
allow-ws-header-name enabled
rfc-compliance enabled
}
proxy-type reverse
}
Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2
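A pre-change check for the enforcement setting described in 926929, as an added example that is not F5 code: it scans a captured HTTP header block for field lines that have whitespace between the field name and the colon, which RFC 7230 section 3.2.4 disallows. It assumes this is the construction the allowwsheadername option governs; the function name and the sample request are constructed for illustration.

```python
from __future__ import annotations

import re

# Characters allowed in a header field name (the "token" rule, RFC 7230 section 3.2.6).
_TCHAR = rb"!#$%&'*+\-.^_`|~0-9A-Za-z"

# A field name followed by one or more spaces or tabs before the colon.
_WS_BEFORE_COLON = re.compile(rb"^([" + _TCHAR + rb"]+)[ \t]+:")


def find_ws_header_names(raw_message: bytes) -> list[tuple[int, str]]:
    """Return (line_number, field_name) for every header line that has
    whitespace between the field name and the colon.

    Only the header block is inspected; the body is ignored. Line numbers
    are 1-based and count the request or status line as line 1.
    """
    # Keep everything before the first blank line (accepts CRLF or bare LF).
    head = re.split(rb"\r?\n\r?\n", raw_message, maxsplit=1)[0]
    lines = re.split(rb"\r?\n", head)

    findings = []
    for number, line in enumerate(lines[1:], start=2):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            # obs-fold: a continuation of the previous field value,
            # so a " : " inside it is not a field-name problem.
            continue
        match = _WS_BEFORE_COLON.match(line)
        if match:
            findings.append((number, match.group(1).decode("ascii")))
    return findings


# Constructed sample capture (not taken from any real system).
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"X-Legacy-Client : 1.0\r\n"        # space before the colon
    b"X-Trace:\tabc\r\n"                # whitespace after the colon is allowed
    b"X-Note: first part\r\n"
    b"  continued : still a value\r\n"  # folded value, not a field name
    b"Accept\t: */*\r\n"                # tab before the colon
    b"\r\n"
    b"Body : text"
)

# Constructed sample with only compliant field lines.
COMPLIANT_REQUEST = (
    b"GET / HTTP/1.1\n"
    b"Host: app.example.test\n"
    b"Accept: */*\n"
    b"\n"
)


if __name__ == "__main__":
    for line_number, name in find_ws_header_names(SAMPLE_REQUEST):
        print(f"line {line_number}: whitespace after field name {name!r}")
```

Running it over captures from the applications behind a virtual server shows which of them depend on the non-compliant form before the enforcement setting is changed.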
926845-4 : Inactive ASM policies are deleted upon upgrade
Links to More Info: BT926845
Component: Application Security Manager
Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.
Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy
Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.
Workaround:
None.
Fixed Versions:
14.1.4.6
926593-3 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'
Links to More Info: BT926593
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.
Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.
Impact:
IPv6 virtual servers are marked down unexpectedly.
Workaround:
Use a different gtm monitor type than gateway_icmp for IPv6 targets.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
926425 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
Links to More Info: BT926425
Component: Advanced Firewall Manager
Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.
Conditions:
SYN Cookie activated on Neuron-capable platforms:
+ VIPRION B4450N blade
+ BIG-IP iSeries devices (ix800) except the i850, ix2800, and ix4800:
-- BIG-IP i5800 Series
-- BIG-IP i7800 Series
-- BIG-IP i11800 Series
-- BIG-IP i15800 Series
Impact:
A SYN attack can cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.
Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.
Workaround:
You can use any of the following to clear the HSB issue:
-- Restart neurond.
-- Restart TMM.
-- Reboot the device.
Fix:
Now, BIG-IP systems differentiate virtual servers regardless of whether they are using the same destination in the same or a different route domain.
Fixed Versions:
14.1.4.4
925573-3 : SIGSEGV: receiving a sessiondb callback response after the flow is aborted
Links to More Info: BT925573
Component: Access Policy Manager
Symptoms:
A SIGSEGV error occurs after a connection is ended. This is an intermittent issue that inconsistently recurs.
Conditions:
APM Per-Request is processing a flow that has already been reset (RST) by another filter, such as HTTP or HTTP/2.
Impact:
Connections might reset. You might experience a tmm crash. This is an intermittent issue. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
14.1.4, 15.1.3
924929-1 : Logging improvements for VDI plugin
Links to More Info: BT924929
Component: Access Policy Manager
Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.
Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts
Impact:
Event names are not displayed in the APM log.
Workaround:
None.
Fix:
Event names along with the exceptions are also seen in the APM log file.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
924857-4 : Logout URL with parameters resets TCP connection
Links to More Info: BT924857
Component: Access Policy Manager
Symptoms:
The TCP connection is reset when 'Logout URI Include' is configured.
Conditions:
-- Access Policy with a valid 'Logout URI Include' string, e.g.:
/logoff.html
-- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.:
/logoff.html?a=b
Impact:
TCP connection resets, reporting BIG-IP APM error messages.
'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error:
-- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type.
Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages:
-- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.
Workaround:
None
Fix:
The system now ignores unsupported query parameters.
Fixed Versions:
14.1.4.5, 15.1.2, 16.0.1.2
924521-1 : OneConnect does not work when WEBSSO is enabled/configured.
Links to More Info: BT924521
Component: Access Policy Manager
Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and does not reuse pooled connections.
Conditions:
Virtual server configured with both a WEBSSO and a OneConnect profile.
Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to buildup of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.
Workaround:
None.
Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server-side connections.
Fixed Versions:
14.1.4.3, 15.1.4
924493-4 : VMware EULA has been updated
Links to More Info: BT924493
Component: TMOS
Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.
Conditions:
The EULA is presented to the user when deploying an OVF template.
Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).
Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.
Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.
Fix:
The EULA presented in VMware was out of date and has been updated.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
924429-3 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values
Links to More Info: BT924429
Component: TMOS
Symptoms:
While restoring a UCS archive, you get an error similar to the following example:
/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.
As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.
The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.
This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.
Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.
Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.
Workaround:
None.
Fix:
The UCS installation script now reports the correct free disk space for the /var/tmp directory, allowing UCS archive installations to complete.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
924349-1 : DIAMETER MRF is not compliant with RFC 6733 for Host-ip-Address AVP over SCTP
Component: Service Provider
Symptoms:
Current Diameter CER/CEA messages do not advertise all HostIPAddresses.
Conditions:
-- Exchange Diameter messages CER/CEA between peers, configure a SNAT pool and an alternate address in the SCTP profile.
-- The CER from BIG-IP contains snatpool IP addresses
-- The CEA from BIG-IP contains alternate addresses
Impact:
Unable to see multiple HostIPAddress values in CER/CEA.
Fix:
Able to validate HostIpAddress as per RFC6733 on Diameter over SCTP.
Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1
923301-1 : ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group
Links to More Info: BT923301
Component: Application Security Manager
Symptoms:
From 14.1.0.2 onward, for ASMs in a device group, only the active device updates and installs the attack signature update (ASU); the ASU is then synchronized and installed on the other peer ASMs in the device group during a config sync.
Conditions:
Automatic installation of ASU on manual sync setup.
Impact:
- Since the standby ASM does not download/install the ASU during scheduled update, on a manual sync setup this would cause a difference in signature between the Active and Standby devices until a config sync takes place.
- When a failover occurs, the newly active device does not have the latest signature.
Workaround:
Manually sync the device group.
Fix:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.
Behavior Change:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
923125-1 : Huge amount of admd processes caused oom
Links to More Info: BT923125
Component: Anomaly Detection Services
Symptoms:
The top command shows that a large number of admd processes are running.
Conditions:
-- Configuration with Sync-Failover device groups and BADOS.
-- Some stressful (unknown) condition occurs.
Impact:
Memory is exhausted.
Workaround:
Restart admd:
bigstart restart admd
Fix:
This issue no longer occurs.
Fixed Versions:
14.1.3.1, 15.1.2
922785-4 : Live Update scheduled installation is not installing on set schedule
Links to More Info: BT922785
Component: Application Security Manager
Symptoms:
A scheduled live update does not occur at the scheduled time.
Conditions:
A scheduled installation is set for only a single day, between 00:00-00:14.
Impact:
Automated installation does not initiate.
Workaround:
There are two options:
1. Install the update manually.
2. Set two consecutive days, where the second day is the day with the schedule set between 00:00-00:14.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
922665-1 : The admd process is terminated by watchdog on some heavy load configuration process
Links to More Info: BT922665
Component: Anomaly Detection Services
Symptoms:
The watchdog process in the BIG-IP ASM monitors and terminates the admd process.
Conditions:
During some heavy-load configuration processes, such as a version upgrade.
Impact:
Restart of admd daemon. The restarts may be continuous. No stress-based anomaly detection or behavioral statistics aggregation until admd restarts.
Workaround:
For the case of continuous restarts, a partial solution is to disable admd during busy periods such as upgrades. To do so, issue the following two commands, in sequence, after the upgrade is complete:
bigstart stop admd
bigstart start admd
Fixed Versions:
14.1.4.5, 15.1.5
922597-1 : BADOS default sensitivity of 50 creates false positive attack on some sites
Links to More Info: BT922597
Component: Anomaly Detection Services
Symptoms:
False DoS attack detected. Behavioral DoS (ASM) might block legitimate traffic.
Conditions:
This can occur for some requests that have high latency and low TPS.
Impact:
False DoS attack detected. Behavioral DoS (ASM) can block legitimate traffic.
Workaround:
Modify the default sensitivity value from 50 to 500:
tmsh modify sys db adm.health.sensitivity value 500
For some sites with server latency issues, you might also have to increase the health.sensitivity value; 1000 is a reasonable number.
The result is that the attack is declared later than with the default value, but it is declared and the site is protected.
Fix:
The default sensitivity value of 500 now eliminates false positive DoS attack declarations.
Fixed Versions:
14.1.4, 15.1.3
922297-3 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs
Links to More Info: BT922297
Component: TMOS
Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.
You see the following log entries in /var/log/tmm:
-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...
In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:
-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...
Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.
Impact:
TMM does not start.
Workaround:
Configure fewer network interfaces or vCPUs.
Fix:
Fixed an issue where TMM startup became stuck in a dead loop (when there are more than 10 interfaces and tmms/vCPUs).
Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
922261-4 : WebSocket server messages are logged even when it is not configured
Links to More Info: BT922261
Component: Application Security Manager
Symptoms:
BIG-IP systems send unexpected WebSocket server messages to the remote logging server.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- More than one remote logging profile is attached to a virtual server.
-- One of the remote loggers has response-logging=all.
Impact:
Remote logging server overloaded with unexpected WebSocket messages.
Workaround:
Set response-logging=illegal in all remote logging profiles.
Fix:
BIG-IP sends WebSocket server messages to a remote logger only when it is enabled in the logging profile.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
922185-4 : LDAP referrals not supported for 'cert-ldap system-auth'★
Links to More Info: BT922185
Component: TMOS
Symptoms:
Admin users are unable to log in.
Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.
Impact:
The cert-ldap authentication does not work, so login fails.
Workaround:
Manually edit /etc/nslcd.conf and set referrals to no.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
922105-4 : Avrd core when connection to BIG-IQ data collection device is not available
Links to More Info: BT922105
Component: Application Visibility and Reporting
Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.
Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.
Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.
Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:
tmsh modify analytics global-settings use-offbox disabled
Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
921881-4 : Use of IPFIX log destination can result in increased CPU utilization
Links to More Info: BT921881
Component: Local Traffic Manager
Symptoms:
-- Increased baseline CPU.
-- The memory_usage_stats table shows a continuous increase in mds_* rows.
Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.
Impact:
Increased baseline CPU may result in exhaustion of CPU resources.
Workaround:
Limiting changes to associated configuration can slow the effects of this issue.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
921721-2 : FIPS 140-2 SP800-56Arev3 compliance
Links to More Info: BT921721
Component: Local Traffic Manager
Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.
Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.
Impact:
BIG-IP will comply with the older standard.
Workaround:
Updated cryptographic key assurances and pair-wise consistency checks according to the SP800-56Arev3 standard.
Fixed Versions:
14.1.3, 15.1.3
921697-4 : Attack signature updates fail to install with Installation Error.★
Links to More Info: BT921697
Component: Application Security Manager
Symptoms:
Installing a new Attack Signature Update (ASU) file on an ASM/AWAF device that has a large number of active policies can result in a failure due to memory exceptions. The following errors can be observed:
/var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000)
/var/log/asm:
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781
Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but it appears to be between 50 and 90 where this becomes a risk.
2. Installing a new ASU file.
Impact:
The attack signature update fails.
Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window.
Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB:
1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg
2. Add the following to the end of file /etc/ts/tools/asm_config_server.cfg:
# AsyncMaxMemorySize=314572800
3. Restart ASM.
# bigstart restart asm
Fixed Versions:
14.1.4.6, 16.1.2.1
921677-4 : Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.
Links to More Info: BT921677
Component: Application Security Manager
Symptoms:
When deleting (via tmsh) bot-related ordered list items like bot white-lists, bot-microservices, and bot-microservices URLs, an error occurs when adding and saving new items via GUI:
Bot defense profile <profile full name> error: match-order should be unique.
Conditions:
1. Create three items with consecutive match-order values via tmsh, for example: three bot allow list items, the first with match-order 1, the second with match-order 2, and the third with match-order 3.
2. Delete item with the value: match-order 2 (in tmsh), and save.
3. Switch to the GUI, add new allow list item, and save.
Impact:
The system reports an error, and the bot configuration cannot be saved via GUI. However, dragging between items (and then dragging back) overcomes this error.
Workaround:
Drag between two items, and then drag back.
Fix:
Deletion of bot-related ordered items via tmsh no longer causes errors when adding new items via GUI.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
921625-4 : The certs extend function does not work for GTM/DNS sync group
Links to More Info: BT921625
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged an SSL cert.
As part of normal functionality, when one GTM/DNS system tries to connect to a BIG-IP server and receives an 'unknown ca' SSL error, if its peer GTM/DNS system has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.
The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.
You might see messages similar to the following:
-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....
Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device, which results in that file being larger than 4000 bytes.
-- Configuration is as follows:
1. GTMDNS1 and GTMDNS2 are in the same GTM/DNS sync group.
2. GTMDNS1 has a self-authorized CA cert.
3. You add a BIG-IP server that is reachable but with which GTMDNS1 has not exchanged SSL certs.
Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.
Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
921421-1 : iRule support to get/set UDP's Maximum Buffer Packets
Links to More Info: BT921421
Component: Local Traffic Manager
Symptoms:
UDP profiles have a setting to set the Maximum Buffer Packets for UDP connections. This value cannot be modified with an iRule.
Conditions:
-- UDP profile is used.
-- You need to dynamically change the max buffer packets setting in an iRule.
Impact:
Unable to dynamically change the max buffer packets setting in an iRule.
Workaround:
None
Fix:
You can now dynamically change the max buffer packets setting in an iRule. The setting is UDP::max_buf_pkts.
Behavior Change:
A new iRule command has been added, UDP::max_buf_pkts. This allows you to dynamically override the maximum number of packets setting in the UDP profile.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
920961-3 : Devices incorrectly report 'In Sync' after an incremental sync
Links to More Info: BT920961
Component: Application Security Manager
Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.
Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).
Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.
Workaround:
Modify the underlying LTM policy to be 'legacy':
# tmsh modify ltm policy <LTM Policy Name> legacy
Fix:
An internal config parameter is now available to work around this issue. In order to use the workaround, you must enable a db variable.
To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1
Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------
NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.
Behavior Change:
There is now an internal config parameter that enables a workaround for this issue. In order to use the workaround, you must enable a db variable.
To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1
Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------
NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
920481 : REST GET on /mgmt/tm/sys/file/ssl-key returns bad/wrong passphrase
Links to More Info: BT920481
Component: TMOS
Symptoms:
GET request on REST endpoint /mgmt/tm/sys/file/ssl-key returns the incorrect value for passphrase.
Conditions:
-- This occurs when getting the ssl-key information, and the key contains a passphrase.
-- Using BIG-IP v14.1.2.5 or v14.1.2.6 to deploy Amazon Machine Image (AMI).
Impact:
Passphrase value is incorrect. Autoscale AWS deployments fail when trying to deploy a BIG-IP v14.1.2.5 or v14.1.2.6 AMI. This is the result of a change in how ssl-key passphrases are being returned in REST calls.
Workaround:
None.
Fix:
Can now deploy from BIG-IP v14.1.2.5 or v14.1.2.6 AMI when using passphrase from a GET request on REST endpoint /mgmt/tm/sys/file/ssl-key.
Fixed Versions:
14.1.2.8
920361-4 : Standby device name sent in Traffic Statistics syslog/Splunk messages
Links to More Info: BT920361
Component: Advanced Firewall Manager
Symptoms:
'Traffic Statistics' syslog/Splunk messages are sent with the hostname of the standby device.
Conditions:
When a virtual server is configured with a security logging profile enabled for DoS Protection logging.
Impact:
'Traffic Statistics' syslog/Splunk messages show the wrong hostname. It should show the active device hostname.
Workaround:
None.
Fix:
Corrected Traffic Statistics syslog/Splunk messages to show the hostname of the active instead of the standby device in logging messages.
Fixed Versions:
14.1.3.1, 15.1.1
920301-2 : Unnecessarily high number of JavaScript Obfuscator instances when device is busy
Links to More Info: BT920301
Component: TMOS
Symptoms:
When the device has high CPU or I/O rate, it can cause the JavaScript Obfuscator to run multiple times simultaneously, causing even higher CPU usage.
Conditions:
-- ASM/DoS/FPS are provisioned.
-- BIG-IP device is experiencing a high CPU or I/O rate.
Impact:
High CPU Usage.
Workaround:
None.
Fix:
The system now avoids creating multiple JavaScript Obfuscator processes.
Fixed Versions:
14.1.3.1, 15.1.2
920197-2 : Brute force mitigation can stop mitigating without a notification
Links to More Info: BT920197
Component: Application Security Manager
Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.
Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).
Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
920149-2 : Live Update default factory file for Server Technologies cannot be reinstalled
Links to More Info: BT920149
Component: Application Security Manager
Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.
Conditions:
This occurs:
-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.
Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.1
919745-4 : CSV files downloaded from the Dashboard have the first row with all 'NaN'
Links to More Info: BT919745
Component: TMOS
Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'.
Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.
Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.
Workaround:
None.
Fix:
Fixed an issue with 'NaN' being reported in the first line of the downloaded dashboard .csv files.
Fixed Versions:
14.1.2.8, 15.1.0.5, 16.0.1
919553-3 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
Links to More Info: BT919553
Component: Global Traffic Manager (DNS)
Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.
Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
919317-3 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes
Links to More Info: BT919317
Component: TMOS
Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.
Conditions:
ECMP routes reachable via recursive nexthops.
Impact:
NSM is stuck at 100% CPU usage.
Workaround:
Avoid using ECMP routes reachable via recursive nexthops.
Fixed Versions:
14.1.4.6
919301-4 : GTP::ie count does not work with -message option
Links to More Info: BT919301
Component: Service Provider
Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:
wrong # args: should be "-type <ie-path>"
Conditions:
Issue the 'GTP::ie count' command with the -message option, for example:
GTP::ie count -message $m -type apn
Impact:
The iRule fails, which can cause the connection to be aborted.
Workaround:
Swap the order of the arguments by moving -message to the end, for example:
GTP::ie count -type apn -message $m
There is a warning message due to iRules validation, but the command works at runtime.
Fix:
The 'GTP::ie count' command now works with the -message option.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
919249-3 : NETHSM installation script hardening
Component: Local Traffic Manager
Symptoms:
The nethsm-safenet-install.sh script does not follow current best practices when installing the Safenet NETHSM.
Conditions:
- Installation of the Safenet NETHSM
Impact:
The nethsm-safenet-install.sh script does not follow current best practices.
Workaround:
N/A
Fix:
The nethsm-safenet-install.sh script now follows current best practices when installing the Safenet NETHSM.
Fixed Versions:
14.1.4.6
919001-1 : Live Update: Update Available notification is shown twice in rare conditions
Links to More Info: BT919001
Component: Application Security Manager
Symptoms:
When entering the Live Update page, the Update Available notification is sometimes shown twice.
Conditions:
This can be encountered on the first load of the Live Update page.
Impact:
Notification is shown twice.
Workaround:
None.
Fix:
Notification is shown only once in all cases.
Fixed Versions:
14.1.2.8, 15.1.2, 16.0.1.1
918933-3 : The BIG-IP ASM system may not properly perform signature checks on cookies
Links to More Info: K88162221, BT918933
Component: Application Security Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1
918597-4 : Under certain conditions, deleting a topology record can result in a crash.
Links to More Info: BT918597
Component: Global Traffic Manager (DNS)
Symptoms:
During a topology load balancing decision, TMM can crash.
Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
918409-4 : BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures
Links to More Info: BT918409
Component: TMOS
Symptoms:
If a BIG-IP device has more than 24 tmm instances and one of the tmm processes above the 24th cpu loops (e.g., in response to an internal issue), it loops indefinitely.
Conditions:
-- BIG-IP i15600 / i15800 platforms.
-- Another issue occurs that causes a tmm process greater than the 24th tmm process to loop.
Impact:
Traffic disrupted on the tmm process that is looping indefinitely.
Workaround:
1. Manually change /defaults/daemon.conf to include the appropriate tmm number and respective heartbeat action if the supported tmm is not listed.
Note: The change does not persist across software installs.
a. mount -o remount,rw /usr
b. Edit /defaults/daemon.conf and put these contents at the top of the file:
sys daemon-ha tmm24 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm25 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm26 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm27 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
c. mount -o remount,ro /usr
2. After performing the edit, load the changes into the running configuration via 'tmsh load sys config partitions all'.
3. Verify that sod is now correctly monitoring tmm instances above tmm24 using a command such as:
tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm
Fixed Versions:
14.1.4.6
918317-3 : SSL Orchestrator resets subsequent requests when HTTP services are being used.
Links to More Info: BT918317
Component: SSL Orchestrator
Symptoms:
When connections are reused for subsequent requests, the subsequent requests might get aborted with reset cause 'connector service reconnected'.
Conditions:
SSL Orchestrator with HTTP services and multiple requests in a connection.
Impact:
Subsequent requests might get aborted with reset cause 'connector service reconnected'.
Workaround:
None
Fix:
SSL Orchestrator no longer aborts subsequent requests in the same connection.
Fixed Versions:
14.1.4.4, 15.1.4
918209-1 : GUI Network Map icons color scheme is not section 508 compliant
Links to More Info: BT918209
Component: TMOS
Symptoms:
Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green appear nearly as one color.
Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.
Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.
Workaround:
None.
Fix:
Modified the color codes. Now the Network Map icons color scheme is section 508 compliant.
Fixed Versions:
14.1.2.8, 15.1.0.5, 16.0.1
918169-2 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
Links to More Info: BT918169
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in an HTTP response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when all of the following conditions are true:
-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).
-- The server's HTTP response does not terminate with a newline.
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by performing any one of the following actions:
-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.
-- Ensure the server's HTTP response ends with a newline.
Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.
Fixed Versions:
13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1
918097-1 : Cookies set in the URI on Safari
Links to More Info: BT918097
Component: Application Security Manager
Symptoms:
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.
Conditions:
-- Bot Defense profile is attached to virtual server.
-- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'.
-- 'Cross Domain Requests' set to 'Validate Upon Request'.
-- Surfing on Safari browser to a related domain.
Impact:
A cookie is set on the URL.
Workaround:
None.
Fix:
A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.
Behavior Change:
BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL.
This is done by a new BigDB variable:
tmsh modify sys db botdefense.safari_redirect_no_cookie_mode value disable
Default value is the original behavior (enable), which sets the cookie in the URL.
NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
917005-4 : ISC BIND Vulnerability: CVE-2020-8619
Links to More Info: K19807532
916969-2 : Support of Microsoft Identity 2.0 platform
Links to More Info: BT916969
Component: Access Policy Manager
Symptoms:
BIG-IP does not support Template for Microsoft Identity Platform 2.0.
Conditions:
This is encountered if you want to use Template for Microsoft Identity Platform 2.0 as an identity provider.
Impact:
Unable to configure Microsoft Identity Platform 2.0 on BIG-IP.
Workaround:
OAuth provider has a custom template which provides the ability to configure and discover using new endpoints.
Fixed Versions:
14.1.4, 15.1.3
915981-2 : BIG-IP in Appliance Mode does not follow best practices
Component: TMOS
Symptoms:
While in FIPS/CC mode, not all filesystem protections follow current best practices.
Conditions:
- FIPS/CC mode active
- Authenticated root administrator
- Filesystem access
Impact:
FIPS/CC mode does not follow current best practices for filesystem protection.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
14.1.4.6
915957 : The wocplugin may get into a restart loop when AAM is provisioned
Links to More Info: BT915957
Component: Local Traffic Manager
Symptoms:
When AAM is provisioned the wocplugin resource allocation may fail, which could result in a restart loop of the plugin. This renders the AAM module nonfunctional.
Conditions:
Application Acceleration Manager (AAM) is provisioned
Impact:
AAM is not functional
Workaround:
None
Fix:
The wocplugin is now correctly provisioned and runs without restarts.
Fixed Versions:
14.1.3, 15.1.2
915825-4 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
Links to More Info: BT915825
Component: TMOS
Symptoms:
A configuration error occurs during upgrade because a Drafts folder associated with a custom partition still exists in the configuration file after the custom partition has been deleted.
Configuration error: Can't associate folder (/User/Drafts) folder does not exist.
Conditions:
This occurs in the following scenario:
1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.
Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.
Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1
915773 : Restart of TMM after stale interface reference
Links to More Info: BT915773
Component: Local Traffic Manager
Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
915689-4 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
Links to More Info: BT915689
Component: Local Traffic Manager
Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.
Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.
Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.
Workaround:
None.
Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
915605-1 : Image install fails if iRulesLX is provisioned and /usr mounted read-write★
Links to More Info: K56251674, BT915605
Component: Local Traffic Manager
Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.
tmsh show software status will report the status for the target volume as one of the following:
-- Could not access configuration source.
-- Unable to get hosting system product info.
Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.
Impact:
Unable to upgrade or more generally install an image on a new or existing volume.
Workaround:
Re-mount /usr as read-only:
mount -o remount,ro /usr
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
915509-3 : RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true
Links to More Info: BT915509
Component: Access Policy Manager
Symptoms:
After enabling 'show-extended-error' on the RADIUS Auth agent, instead of seeing the expected message: 'The username or password is not correct. Please try again.', the system reports the message: (error: Access-Reject).
Conditions:
RADIUS Auth with 'show-extended-error' enabled.
Impact:
The content of the Reply Message is not reported. The actual reported error message is confusing and provides no assistance in resolving the condition causing the access error: username, password, passcode, or tokencode.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.4.1
915497-3 : New Traffic Class Page shows multiple question marks.
Links to More Info: BT915497
Component: TMOS
Symptoms:
When you navigate to the traffic class creation page by clicking the Create button in the Traffic Class list page, Chinese characters are displayed as multiple question marks.
Conditions:
This is encountered when creating a new Traffic Class.
Impact:
Multi-byte characters are displayed incorrectly.
Workaround:
None.
Fix:
Fixed an issue with rendering multi-byte characters on the Traffic Class screen.
Fixed Versions:
14.1.3.1, 15.1.0.5, 16.0.1.1
915489-1 : LTM Virtual Server Health is not affected by iRule Requests dropped
Links to More Info: BT915489
Component: Anomaly Detection Services
Symptoms:
Virtual Server Health should not take into account deliberate drop requests.
Conditions:
-- DoS profile is attached to Virtual Server.
-- iRule that drops requests on some condition is also attached to the virtual server.
Impact:
Server Health reflects its overloading status more precisely.
Workaround:
Do not use iRules to drop requests when Behavioral DoS is configured.
Fix:
Virtual Server Health is no longer affected while dropping requests using iRules.
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
915305-3 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
Links to More Info: BT915305
Component: TMOS
Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries, causing tunneled traffic to be dropped/discarded.
Conditions:
Path to a remote tunnel endpoint is provided by dynamic routing.
Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.
Workaround:
Use static routing to provide a path to the remote tunnel endpoint.
Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
915281-1 : Do not rearm TCP Keep Alive timer under certain conditions
Links to More Info: BT915281
Component: Local Traffic Manager
Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.
Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.
Impact:
Continuous rearming results in consuming CPU resources unnecessarily.
Workaround:
None.
Fix:
Rearming of TCP Keep Alive timer is improved.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
914761-1 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.
Links to More Info: BT914761
Component: TMOS
Symptoms:
Using crontab to automatically back up the UCS file by scheduling cronjobs fails due to SELinux permissions. The failure produces the following error:
Unexpected Error: UCS saving process failed.
Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.
Impact:
UCS file is not successfully saved and backup fails.
Workaround:
None.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1.1
914649-2 : Support USB redirection through VVC (VMware virtual channel) with BlastX
Links to More Info: BT914649
Component: Access Policy Manager
Symptoms:
USB is unavailable after opening VMware View Desktop.
Conditions:
1. Secure Tunnel disabled on VCS
2. Launch view virtual desktop via native view client from an APM webtop or from the View client
Impact:
USB is unavailable after opening VMware View Desktop
Workaround:
None.
Fix:
USB is now available after opening VMware View Desktop
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
914293-1 : TMM SIGSEGV and crash
Links to More Info: BT914293
Component: Anomaly Detection Services
Symptoms:
TMM crashes when using an iRule to reject connections when Behavioral DoS is enabled.
Conditions:
This can occur due to an interaction between a Behavioral DoS policy and an iRule designed to potentially drop some of the connections.
Impact:
With heavy traffic, the tmm process might crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use iRules to reject connections that are bound to a virtual server with a Behavioral DoS policy attached.
Fix:
Fixed a tmm crash related to iRules and Behavioral DoS policies.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
914277-4 : [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU
Links to More Info: BT914277
Component: Application Security Manager
Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, Live Update configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.
Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
-- New ASU is automatically downloaded by Live Update at the new host.
Impact:
Live Update configuration of all devices in the Auto Scale group is overwritten.
Workaround:
Disable ASM Live Update Automatic Download.
This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.
For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping
-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable
In order to still have automatic updates for the group, the db variable can be enabled for the master device. Then this setting will be applied on every new host after joining the group and receiving the initial sync from the master.
Fix:
Automatic downloads are quietly synced and do not have an impact on the device group sync status.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.0.1.2
914245-1 : Reboot after tmsh load sys config changes sys FPGA firmware-config value
Links to More Info: BT914245
Component: TMOS
Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.
Chmand reports errors:
chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]
Conditions:
Running either of the following commands:
tmsh load sys config
/etc/init.d/fw_update_post reload
Impact:
Firmware update fails.
Workaround:
Use this procedure:
1. Mount /usr:
mount -o rw,remount /usr
2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload
3. Reload systemctl:
systemctl daemon-reload
4. Reload the file:
/etc/init.d/fw_update_post reload
Fix:
Added the reload option in fw_update_post service file.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
914081-3 : Engineering Hotfixes missing bug titles
Links to More Info: BT914081
Component: TMOS
Symptoms:
BIG-IP Engineering Hotfixes may not show the summary titles for fixed bugs (as appear for the affected bugs published via Bug Tracker).
-- The 'tmsh show sys version' command displays the bug numbers for fixes included in Engineering Hotfixes.
-- If a given bug has been published via Bug Tracker, the summary title of the bug is expected to be displayed as well.
-- Running BIG-IP Engineering Hotfixes built on or after March 18, 2019.
Conditions:
For affected BIG-IP Engineering Hotfixes, titles are not displayed for any bugs fixed in the Engineering Hotfix.
Impact:
Cannot see the summaries of the bugs fixed by running the 'tmsh show sys version' command.
Workaround:
For bugs that are published via Bug Tracker, you can query for the affected bug in Bug Tracker (https://support.f5.com/csp/bug-tracker).
Note: Not all bugs fixed in BIG-IP Engineering Hotfixes are published to Bug Tracker.
For information on such bugs, consult F5 support, or the original Service Request submitted to F5 in which the affected Engineering Hotfix was requested.
Fix:
BIG-IP Engineering Hotfixes now include the summary titles for fixed bugs that have been published via Bug Tracker.
Fixed Versions:
14.1.4, 15.1.3
913849 : Syslog-ng periodically logs nothing for 20 seconds
Links to More Info: BT913849
Component: TMOS
Symptoms:
Once per minute, syslog-ng logs nothing for 20 seconds.
Conditions:
-- A remote syslog server is specified by hostname, forcing syslog-ng to resolve it.
-- The DNS resolution times out (for example, if the DNS server is unreachable).
Impact:
When using DNS names to specify remote syslog destinations and DNS is unreachable, syslog-ng re-attempts to resolve the name every 60 seconds. This resolution has a 20-second timeout, and blocks the syslog process from writing logs to disk during that time.
Note that the logs are buffered, not lost, and will still be written to disk (with the correct timestamps) once the DNS query times out.
Workaround:
None.
Fix:
F5 patched syslog-ng to use a lower 1-second, 0-retries timeout back in 13.0.0, but this patch was made ineffective by the upgrade to CentOS 7 in 14.1.0. This fixes the patch so that it works again.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
913829-3 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
Links to More Info: BT913829
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.
For example, some client devices always use even source port numbers for ephemeral connections they initiate. This means the 'stride' of the ports selected is '2': a sorted list of the ports looks like 2, 4, 6, 8... 32002, 32004, so the sequence is 'striding' over the odd ports, giving a port stride of 2.
Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However, the loads on the CPU cores will still appear imbalanced.
Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.
Behavior Change:
This release introduces a new variable to mitigate this issue:
dagv2.pu.table.size.multiplier.
You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then all guests to mitigate the issue. dag2.pu.table.size.multiplier.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
913453-3 : URL Categorization: wr_urldbd cores while processing urlcat-query
Links to More Info: BT913453
Component: Traffic Classification Engine
Symptoms:
The webroot daemon (wr_urldbd) cores.
Conditions:
This can occur while passing traffic when webroot is enabled.
Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.
Workaround:
None.
Fix:
Fixed a core with wr_urldbd.
Fixed Versions:
14.1.4.4, 15.1.4
913433-1 : On blade failure, some trunked egress traffic is dropped.
Links to More Info: BT913433
Component: TMOS
Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.
Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default).
Workaround:
None.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
913413-4 : 'GTP::header extension count' iRule command returns 0
Links to More Info: BT913413
Component: Service Provider
Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).
Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.
Impact:
The command returns false information.
Workaround:
None
Fix:
The 'GTP::header extension count' command now correctly returns the number of header extensions.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
913409-4 : GTP::header extension command may abort connection due to unreasonable TCL error
Links to More Info: BT913409
Component: Service Provider
Symptoms:
When running the "GTP::header extension" iRule command under some conditions, it may cause a TCL error and abort the connection.
Conditions:
The "GTP::header extension" iRule command is used with some specific arguments and/or under specific conditions of the GTP message.
Impact:
A TCL error is logged and the connection is aborted.
Workaround:
None
Fix:
The GTP::header extension command no longer aborts the connection due to an unreasonable TCL error.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
913393-4 : Tmsh help page for GTP iRule contains incorrect and missing information
Links to More Info: BT913393
Component: Service Provider
Symptoms:
The tmsh help page for the GTP iRule command contains incorrect and missing information for the GTP::header and GTP::respond commands.
Conditions:
When running "tmsh help ltm rule command GTP::header", information regarding the GTP::header and GTP::respond iRule commands may be incorrect or missing.
Impact:
Users may not be able to use the related iRule commands properly.
Workaround:
None
Fix:
The tmsh help page for the GTP iRule is updated.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
913373-3 : No connection error after failover with MRF, and no connection mirroring
Links to More Info: BT913373
Component: Service Provider
Symptoms:
-- Unable to establish MRF connection after failover.
-- Error reports 'no connection'.
Conditions:
-- MRF configured.
-- Using iRule for routing.
-- Failover occurs.
Impact:
Unable to establish new connection until existing sessions time out. No message is reported explaining the circumstances.
Workaround:
Any of the following:
-- Enable connection mirroring on the virtual server.
-- Disable session mirroring.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
913249-4 : Restore missing UDP statistics
Links to More Info: BT913249
Component: Local Traffic Manager
Symptoms:
The following UDP statistics are missing:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes
Conditions:
Viewing UDP statistics.
Impact:
Unable to view these UDP statistics.
Workaround:
None.
Fix:
The following UDP statistics are now restored:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
913085-4 : Avrd core when avrd process is stopped or restarted
Links to More Info: BT913085
Component: Application Visibility and Reporting
Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.
Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.
Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.
Workaround:
None.
Fix:
Avrd no longer cores when avrd process is stopped or restarted.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
912945-4 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed
Links to More Info: BT912945
Component: Local Traffic Manager
Symptoms:
On a virtual server configured with multiple client SSL profiles, the profile with the ECDSA-signed cert is not selected even though its CN/SAN matches the SNI extension of the ClientHello.
Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of the ClientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches the SNI extension of the ClientHello.
-- That profile is not selected.
Impact:
The incorrect client SSL profile is selected.
Workaround:
Configure the 'Server Name' option in the client SSL profile.
Fix:
Fixed an issue with client SSL profile selection.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
912517-4 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
Links to More Info: BT912517
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool member is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.
Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
Fix:
Database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.
Fixed Versions:
14.1.4.6
912425-1 : Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash
Links to More Info: BT912425
Component: In-tmm monitors
Symptoms:
Modification of in-TMM monitors may result in TMM crashing, or the changes to the monitor configuration not taking effect, or only taking effect for some monitor instances.
Conditions:
TMM may crash under some of the following conditions:
-- Performing configuration sync
-- Deleting and recreating monitor and SSL profile configurations.
Changes to monitor configuration may not take effect under the following conditions:
-- Modifying the SSL profile assigned to a monitor.
-- A monitor instance is currently in progress.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Disable in-TMM monitors.
Fix:
This issue is now fixed.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
912289-3 : Cannot roll back after upgrading on certain platforms★
Links to More Info: BT912289
Component: Local Traffic Manager
Symptoms:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.
- BIG-IP v12.1.6 or later in the v12.x branch of code
- BIG-IP v13.1.4 or later in the v13.x branch of code
- BIG-IP v14.1.4 or later in the v14.x branch of code
- BIG-IP v15.1.1 or later in the v15.x branch of code
- BIG-IP v16.0.0 or later
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
-- Upgrade the software to one of the following software versions:
+ BIG-IP v12.1.6 or later in the v12.x branch of code
+ BIG-IP v13.1.4 or later in the v13.x branch of code
+ BIG-IP v14.1.4 or later in the v14.x branch of code
+ BIG-IP v15.1.1 or later in the v15.x branch of code
+ BIG-IP v16.0.0 or later
-- Attempt to roll back to a previous version.
Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.
Workaround:
None.
Fix:
Contact F5 Support for the reversion process if this is required.
Behavior Change:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.
The particular platforms are:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
The particular software versions are:
+ BIG-IP v12.1.6 or later in the v12.x branch of code
+ BIG-IP v13.1.4 or later in the v13.x branch of code
+ BIG-IP v14.1.4 or later in the v14.x branch of code
+ BIG-IP v15.1.1 or later in the v15.x branch of code
+ BIG-IP v16.0.0 or later
Fixed Versions:
12.1.6, 13.1.4, 14.1.4, 15.1.1
912149-4 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'
Links to More Info: BT912149
Component: Application Security Manager
Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:
/var/log/:
asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.
ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0
Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.
Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.
Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.
-- Security log profile changes are not propagated to other devices.
-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.
-- Policies with learning enabled do not generate learning suggestions.
Workaround:
Restart asm_config_server on the units in the device group.
# pkill -f asm_config_server
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
912089-3 : Some roles are missing necessary permission to perform Live Update
Links to More Info: BT912089
Component: Application Security Manager
Symptoms:
Certain roles, such as Resource Administrator and Application Security Operations Administrator, do not have sufficient permission levels to perform Live Update.
Conditions:
-- User with Resource Administrator or Application Security Operations Administrator role assigned.
-- Attempt to perform Live Update.
Impact:
Users with Resource Administrator and Application Security Operations Administrator role cannot perform Live Update.
Workaround:
None.
Fix:
The following roles can now perform live-update:
- Administrator
- Web Application Security Administrator
- Resource Administrator
- Application Security Operations Administrator
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
912001-4 : TMM cores on secondary blades of the Chassis system.
Links to More Info: BT912001
Component: Global Traffic Manager (DNS)
Symptoms:
When using DNS Cache on chassis systems with a forward zone pointing at a self IP for communication with local BIND, the following assert triggers:
tmm_panic (... "../net/loop.c:572: %sIDX set on listener%s") at ../lib/stdio.c:1307
Conditions:
-- Chassis system is used.
-- Secondary TMMs core dump.
-- Primary works as expected.
Impact:
TMMs on secondary blades core dump. Traffic disrupted while tmm restarts.
Workaround:
1) Create another virtual server with a DNS profile, configured to use the local BIND server.
2) Set the forward zones to point to that virtual server instead of the self IP as name servers.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
911809-1 : TMM might crash when sending out oversize packets.
Links to More Info: BT911809
Component: TMOS
Symptoms:
TMM crashes with an assert; Drop assertion similar to the following:
notice panic: ../dev/ndal/ndal.c:758: Assertion "pkt length cannot be greater than MAX_PKT_LEN" failed.
Conditions:
-- Xnet driver is used in BIG-IP Virtual Edition (VE).
-- TMM tries to send oversize packets.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
14.1.3.1, 15.1.2
911729-1 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value
Links to More Info: BT911729
Component: Application Security Manager
Symptoms:
Policy Builder issues a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length configured.
Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.
Impact:
Redundant learning suggestion is issued.
Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.
Fix:
Learning suggestion is no longer issued with already configured maximum parameter length value.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
911629 : Manual upload of LiveUpdate image file results in NULL response
Links to More Info: BT911629
Component: Application Security Manager
Symptoms:
When uploading a LiveUpdate image file from the GUI, the upload fails.
In /var/log/restjavad.0.log you see the following error:
[SEVERE][768][25 May 2020 05:38:20 UTC][com.f5.rest.workers.liveupdate.LiveUpdateFileTransferWorker] null
Conditions:
LiveUpdate images are uploaded manually.
Impact:
LiveUpdate images fail to upload.
Workaround:
1. Upload the file to the LiveUpdate files directory '/var/lib/hsqldb/live-update/update-files' on the host.
2. Send a POST request with the filename to insert the file into the LiveUpdate database:
* url : https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/update-files
* payload - json:
{ "filename": "<FILE_NAME>",
"fileLocationReference": {"link": "<FILE_NAME>"}}
3. Get the file link reference:
https://{{big_ip1}}/mgmt/tm/live-update/asm-attack-signatures/update-files?$filter=filename eq '<FILE_NAME>'
4. From the response, copy the "selfLink" value:
"selfLink": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"
5. Create a POST request with the value above for creating a new installation record:
* url : https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations
* payload - json:
{ "updateFileReference": {
"link": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"}
}
6. The file is now available to install from the GUI.
7. Alternatively, install it with a PATCH request, using the installation_id from the response received at step 5:
* url: https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations/<INSTALLATION_ID>
* payload: { "status" : "install" }
Fixed Versions:
14.1.2.8, 15.0.1.4
911141-4 : GTP v1 APN is not decoded/encoded properly
Links to More Info: BT911141
Component: Service Provider
Symptoms:
The GTP v1 APN element was decoded/encoded as an octetstring; only the GTP v2 APN element was decoded/encoded using DNS encoding.
Conditions:
- GTP version 1.
- APN element.
Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.
Workaround:
Use iRules to convert between octetstring and dotted style domain name values.
Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.
Behavior Change:
GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
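The conversion that the workaround for 911141-4 describes, written out in Python as an added example (it is not an iRule and not F5's code). It assumes the DNS-like layout is one length octet per label followed by that label's ASCII bytes; `apn_decode`, `apn_encode`, `ApnError`, the 100-octet bound and the sample APN are constructed for illustration.

```python
"""Convert a GTP APN between length-prefixed labels and dotted form.

Added example. Assumed layout: each label is one length octet followed
by that many ASCII octets, with no DNS compression pointers.
"""

MAX_LABEL = 63   # DNS label limit; larger length octets are rejected
MAX_APN = 100    # assumed upper bound for the encoded APN, in octets

# Bytes permitted inside a label. A '.' inside a label is rejected because a
# naive octetstring-to-dotted conversion would silently change label boundaries.
_ALLOWED = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-"
)


class ApnError(ValueError):
    """Raised when an APN value is malformed."""


def _check_label(label: bytes) -> None:
    if not label or len(label) > MAX_LABEL:
        raise ApnError("bad label length")
    if any(b not in _ALLOWED for b in label):
        raise ApnError("label contains a byte outside [A-Za-z0-9-]")


def apn_decode(raw: bytes) -> str:
    """Length-prefixed labels -> dotted name."""
    if not raw or len(raw) > MAX_APN:
        raise ApnError("APN length out of range")
    labels = []
    pos = 0
    while pos < len(raw):
        length = raw[pos]
        pos += 1
        if length == 0:
            # Tolerate one trailing root label; reject empty labels elsewhere.
            if pos == len(raw) and labels:
                break
            raise ApnError("empty label")
        if length > MAX_LABEL:
            raise ApnError("label length octet too large")
        if pos + length > len(raw):
            raise ApnError("label runs past end of value")
        label = raw[pos:pos + length]
        pos += length
        _check_label(label)
        labels.append(label.decode("ascii"))
    return ".".join(labels)


def apn_encode(name: str) -> bytes:
    """Dotted name -> length-prefixed labels."""
    try:
        raw_name = name.encode("ascii")
    except UnicodeEncodeError as exc:
        raise ApnError("APN must be ASCII") from exc
    out = bytearray()
    for label in raw_name.split(b"."):
        _check_label(label)
        out.append(len(label))
        out += label
    if len(out) > MAX_APN:
        raise ApnError("encoded APN too long")
    return bytes(out)


# Constructed sample value (test PLMN 001/001), not taken from the page.
SAMPLE_DOTTED = "internet.mnc001.mcc001.gprs"
SAMPLE_WIRE = b"\x08internet\x06mnc001\x06mcc001\x04gprs"

if __name__ == "__main__":
    print(apn_encode(SAMPLE_DOTTED).hex())
    print(apn_decode(SAMPLE_WIRE))
```
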
911041-2 : Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash
Links to More Info: BT911041
Component: Local Traffic Manager
Symptoms:
An iRule executing on the FLOW_INIT event can suspend. If it does so while connecting to a virtual-to-virtual flow, it can cause a TCP crash, which results in a tmm restart.
Conditions:
An iRule executing on the FLOW_INIT event suspends while connecting to a virtual-to-virtual flow.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
Do not include any iRules that suspend processing in FLOW_INIT.
Fix:
Suspending the iRule FLOW_INIT on a virtual-to-virtual flow no longer leads to a crash.
Fixed Versions:
14.1.3.1, 15.1.2.1, 16.0.1.2
910905-2 : TMM crash when processing virtual server traffic with TLS/SSL session cache enabled
Links to More Info: BT910905
Component: Local Traffic Manager
Symptoms:
A tmm core occurs unexpectedly and causes a failover event.
Conditions:
This can occur while tmm is in normal operation. An internal error occurs when deleting an old SSL session during SSL handshake.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed incorrect internal deletion of expired SSL sessions.
Fixed Versions:
14.1.4.4
910653-3 : iRule parking in clientside/serverside command may cause tmm restart
Links to More Info: BT910653
Component: Local Traffic Manager
Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.
Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.
For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.
Fix:
iRule parking in clientside/serverside command no longer causes tmm to restart.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
910417-3 : TMM core may be seen when reattaching a vector to a DoS profile
Links to More Info: BT910417
Component: Advanced Firewall Manager
Symptoms:
TMM core resulting in potential loss of service.
Conditions:
Attaching and deleting the vector to a DoS profile multiple times while the traffic is ongoing.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now validates the tracker on deletion to ensure that it deletes the same tracker that was created, so the error no longer occurs.
Fixed Versions:
14.1.4, 15.1.2, 16.0.1.2
910213-4 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status
Links to More Info: BT910213
Component: Local Traffic Manager
Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.
Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.
As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.
Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit".
Conditions:
Using the LB::down command in an iRule.
Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.
If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.
Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.
Workaround:
- Delete and recreate affected pool members
(or) Restart tmm
(or) Restart the BIG-IP.
There is no direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.
Fixed Versions:
14.1.4.6
910201-1 : OSPF - SPF/IA calculation scheduling might get stuck infinitely
Links to More Info: BT910201
Component: TMOS
Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.
Conditions:
SPF/IA calculation gets suspended.
This occurs for various reasons; BIG-IP end users have no influence on it occurring.
Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.
Workaround:
Restart the routing daemons:
# bigstart restart tmrouted
Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.
If, due to the topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
910097-3 : Changing per-request policy while tmm is under traffic load may drop heartbeats
Links to More Info: BT910097
Component: Access Policy Manager
Symptoms:
Cluster failover, tmm restart, tmm killed due to missed heartbeats, and tmm crash.
Conditions:
TMM is under load due to heavy traffic while MCP attempts to configure per-request policy. This can be caused by a modification to the policy or one of its agents, or by a restart of the TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
When making changes to per-request policies, use a scheduled maintenance window so that impact to traffic is minimized.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
909237-4 : CVE-2020-8617: BIND Vulnerability
Links to More Info: K05544642
909197-5 : The mcpd process may become unresponsive
Links to More Info: BT909197
Component: TMOS
Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- There is an mcpd core file that contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.
Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.
Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.
Workaround:
None.
Fix:
Fixed handling of malformed messages by mcpd, so the problem should no longer occur.
Fixed Versions:
14.1.4, 15.1.4.1, 16.0.1.1
909161-4 : A core file is generated upon avrd process restart or stop
Links to More Info: BT909161
Component: Application Visibility and Reporting
Symptoms:
Sometimes, when the avrd process is stopped or restarted, a core file is generated.
Conditions:
Avrd process is stopped or restarted.
Impact:
Avrd creates a core file but there is no other negative impact to the system.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
908621-3 : Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core
Links to More Info: BT908621
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached to it.
-- Certain scenarios where the proxy goes into passthrough mode.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now correctly manages proxy handling of passthrough mode in specific scenarios, so the tmm crash no longer occurs.
Fixed Versions:
14.1.4.1, 15.1.2
908601-4 : System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option
Links to More Info: BT908601
Component: TMOS
Symptoms:
When the BIG-IP system boots, mcpd continually restarts.
Conditions:
This may occur after you issue the 'diskinit' command with the '--style=volumes' option in the MOS (Maintenance Operating System) shell, install BIG-IP into the new volume, then boot into the new installation of the BIG-IP system.
Impact:
The BIG-IP system is unable to complete the boot process and become active.
Workaround:
In the MOS shell, do not issue the 'diskinit' command with the '--style=volumes' option.
Instead, on BIG-IP v14.1.2.1 and later, you may use the 'image2disk' utility with the '-format' option to recreate the desired volume.
You also can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.
If the system is already in the defective state, use this shell command, and then reboot:
touch /.tmos.platform.init
The problem should be resolved.
Fix:
Running 'diskinit' from MOS with the '--style=volumes' option no longer causes continuous mcpd restarts.
Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2
908517-1 : LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'
Links to More Info: BT908517
Component: TMOS
Symptoms:
LDAP authentication fails with an error message:
err nslcd[2867]: accept() failed: Too many open files
Conditions:
This problem occurs when user-template is used instead of Bind DN.
Impact:
You cannot log on to the system using LDAP authentication.
Workaround:
None.
Fix:
LDAP authentication now succeeds when user-template is used.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
908065-4 : Logrotation for /var/log/avr blocked by files with .1 suffix
Links to More Info: BT908065
Component: Application Visibility and Reporting
Symptoms:
AVR logrotate reports errors in /var/log/avr:
error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged
Conditions:
Files ending with .1 exist in the log directory.
Impact:
Logrotate does not work. This might fill the disk with logs over time.
Workaround:
Remove or rename all of the .1 log files.
Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
908021-2 : Management and VLAN MAC addresses are identical
Links to More Info: BT908021
Component: TMOS
Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.
Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.
Impact:
The management MAC address is the same as the VLAN MAC address, resulting in issues relating to the inability to differentiate traffic to the management port or to traffic ports.
Workaround:
None.
Fix:
The issue has been fixed for hardware platforms. That is, MAC addresses in the MAC address pool have been reserved for the management port. Due to the small MAC pool size for a few platforms (see K14513: MAC address assignment for interfaces, trunks, and VLANs :: https://support.f5.com/csp/article/K14513#vlans), entries cannot be reserved for VCMP guest management interfaces.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.3
907337-4 : BD crash on specific scenario
Links to More Info: BT907337
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
A specific scenario that results in memory corruption.
Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.
Workaround:
None.
Fix:
This BD crash no longer occurs.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
907025-1 : Live update error: 'Try to reload page'
Links to More Info: BT907025
Component: Application Security Manager
Symptoms:
When trying to update Attack Signatures, the following error message is shown:
Could not communicate with system. Try to reload page.
Conditions:
Insufficient disk space to update the Attack Signature.
Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.
Workaround:
The following procedure restores the database to its default, initial state:
1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.
2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script
3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.
4. Add the following lines to create the live update database schema and set the SA user as expected:
CREATE SCHEMA PUBLIC AUTHORIZATION DBA
CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
CREATE USER SA PASSWORD ""
GRANT DBA TO SA
SET WRITE_DELAY 20
SET SCHEMA PUBLIC
5. Restart the tomcat process:
bigstart restart tomcat
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
906889-1 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Links to More Info: BT906889
Component: TMOS
Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:
Packets In 2 shows as 016 in the GUI
Packets Out 0 shows as 8 in the GUI
Workaround:
View statistics in tmsh.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1
906885 : Spelling mistake on AFM GUI Flow Inspector screen
Links to More Info: BT906885
Component: Advanced Firewall Manager
Symptoms:
On the AFM GUI Flow Inspector screen, there is a spelling mistake 'Additinal Info'. It should read 'Additional Info'.
Conditions:
You can locate the spelling error by following these steps:
1. Navigate to Security :: Debug :: Flow Inspector :: Get Flows (should be blank).
2. Select New Flows and then Get Flows.
3. Select the flow (i.e., click anywhere on the result except the hyperlink).
Impact:
There is a spelling mistake on the word 'Additional'. There is no functional impact to the system; this is a cosmetic issue only.
Workaround:
None.
Fixed Versions:
14.1.2.8, 15.1.2.1
905849 : FastL4 UDP flows might not get offloaded to hardware
Links to More Info: BT905849
Component: TMOS
Symptoms:
In some cases one side - client or server - of a fastL4 UDP flow might not get offloaded to hardware.
Conditions:
FastL4 UDP virtual server
Impact:
One side of the UDP flow is not accelerated by hardware.
Workaround:
None
Fix:
Both sides of the fastL4 UDP flow are now offloaded correctly.
Fixed Versions:
14.1.3
905557-6 : Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure
Links to More Info: BT905557
Component: Global Traffic Manager (DNS)
Symptoms:
A TMM daemon logs a SIGSEGV error, halts, and is then restarted.
Conditions:
-- A BIG-IP system configured to perform DNS/GTM Global Server Load Balancing.
-- High Speed Logging (HSL) is configured.
-- Multiple HSL destinations are configured.
-- The enabled HSL settings include 'replication'.
-- At least one HSL destination is up.
-- At least one HSL destination is down.
-- A pool resource changes state from up to down.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure HSL with only a single log destination.
Fixed Versions:
14.1.4, 15.1.2
904845-3 : VMware guest OS customization works only partially in a dual stack environment.
Links to More Info: BT904845
Component: TMOS
Symptoms:
The result of guest OS customization depends on the DHCP state on the management (mgmt) interface and the applied customization profile (i.e., IPv4 only, IPv4 and IPv6, or IPv6 with IPv4 prompt).
By default, DHCP is enabled on the management interface.
During configuration, you can customize only one IPv4 or one IPv6 address in a dual stack environment.
Conditions:
Applying a customization profile to VMware VM in a dual stack environment.
Impact:
You can only partially customize the mgmt interface IP profiles for VMware VMs in a dual stack environment.
Workaround:
Configure the mgmt interface addresses using the config script.
Fix:
VMware customization works only partially in a dual stack environment. To avoid misconfiguration, set the desired mgmt interface addresses using the config script.
Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1
904785-3 : Remotely authenticated users may experience difficulty logging in over the serial console
Links to More Info: BT904785
Component: TMOS
Symptoms:
-- When a remotely authenticated user attempts login over the serial console, the username and password are accepted, but the session closes immediately thereafter.
-- Login over SSH is successful for the same user
Conditions:
-- Remote authentication (e.g., RADIUS, TACACS, LDAP) and role mapping configured on the BIG-IP system.
-- Attempted login over the serial console for a remotely authenticated user who has been assigned a role.
Impact:
Remotely authenticated users cannot log in over the serial console.
Workaround:
Use either of the following workarounds:
-- Log in over SSH instead
-- If acceptable (taking into account security considerations), enable terminal access for all remote users regardless of assigned role, using 'tmsh modify auth remote-user remote-console-access tmsh' or within the GUI.
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
904705-3 : Cannot clone Azure marketplace instances.
Links to More Info: BT904705
Component: TMOS
Symptoms:
Cannot clone Azure marketplace instances because cloned instances do not properly retrieve publisher and product code from the metadata service.
Conditions:
Applies to any Azure marketplace instance.
Impact:
Cannot clone Azure marketplace instances.
Workaround:
None.
Fix:
Updated the version of the API used to get data from the metadata service. Cloned instances now properly retrieve the publisher and product code from the metadata service.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1
904593-2 : Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled
Links to More Info: BT904593
Component: Application Security Manager
Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, the configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the primary device, before the primary has a chance to sync the configuration to the new device, causing the configuration in the primary device to be overwritten.
Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
Impact:
Configuration of all devices in the Auto Scale group is overwritten.
Workaround:
Disable ASM Live Update Automatic Download.
This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.
For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping
-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable
Fixed Versions:
14.1.2.7, 15.1.0.5
904373-1 : MRF GenericMessage: Implement limit to message queues size
Links to More Info: BT904373
Component: Service Provider
Symptoms:
The GenericMessage filter does not have a configurable limit to the number of messages that can be received.
Conditions:
If a message is waiting for an asynchronous iRule operation during a GENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages are placed in either the ingress or egress queue. As the number of messages increases, more memory is required.
Impact:
If too many messages are queued, the system may exceed an internal count which could lead to a core.
Workaround:
None.
Fix:
The existing max_pending_messages attribute of the message router profile is used to limit the size of the queues.
Fixed Versions:
14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1
904133-2 : Creating a user-defined signature via iControl REST occasionally fails with a 400 response code
Links to More Info: BT904133
Component: Application Security Manager
Symptoms:
Creating a user-defined signature via iControl REST occasionally fails with a 400 response code.
Conditions:
You create a user-defined signature via iControl REST using this endpoint:
POST https://<BIG-IP>/mgmt/tm/asm/signatures
Impact:
Signature creation fails with 400 response code:
{
"code": 400,
"message": "remoteSender:10.10.10.10, method:POST ",
"originalRequestBody": "{...}",
"referer": "10.10.10.10",
"restOperationId": 6716673,
"kind": ":resterrorresponse"
}
Fix:
Creating user-defined signatures via REST works correctly.
Fixed Versions:
14.1.4.4, 15.1.4.1
904053-4 : Unable to set ASM Main Cookie/Domain Cookie hashing to Never
Links to More Info: BT904053
Component: Application Security Manager
Symptoms:
Disabling ASM Main Cookie/Domain Cookie hashing in a Policy's Learning and Blocking Setting with 'Never (wildcard only)' does not stop the ASM Main Cookie from continuing to hash server-provided cookies.
Conditions:
-- ASM enabled.
-- Learning mode enabled for Policy.
-- Learn New Cookies set to 'Never (wildcard only)' instead of default 'Selective'.
Impact:
A sufficient number of ASM Main Cookies and/or a sufficiently large number of cookies for each ASM Main cookie to hash can result in the HTTP header becoming prohibitively large, causing traffic to be refused by the server.
Workaround:
Disabling Learning mode for the Policy disables Cookie hashing.
Note: This affects all learning, not just Cookie hashing.
Fix:
Cookie hashing can now be disabled at the policy level in the Cookie subsection of an ASM Policy's Learning and Blocking Settings by setting Learn New Cookies to "Never (wildcard only)".
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
904041-4 : Ephemeral pool members may be incorrect when modified via various actions
Links to More Info: BT904041
Component: Local Traffic Manager
Symptoms:
Ephemeral pool members may not be in the expected state if the corresponding FQDN template pool member is modified by one of several actions.
For example:
A. Ephemeral pool members may be missing from a pool in a partition other than Common, after reloading the configuration of that partition.
B. Ephemeral pool members may not inherit the 'session' state from the corresponding FQDN template pool member if the FQDN template pool member is disabled (session == user-disabled), the config is synced between high availability (HA) members, and BIG-IP is restarted.
Conditions:
Scenario A may occur when reloading the configuration of non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"
Scenario B may occur when an FQDN template pool member is disabled (session == user-disabled), the config is synced between HA members, and BIG-IP is restarted.
Impact:
Impacts may include:
- Missing ephemeral pool members, inability to pass traffic as expected.
- Ephemeral pool members becoming enabled and receiving traffic when expected to be disabled.
Workaround:
For scenario A, reload the entire configuration instead of just the individual partition.
For scenario B, it may be possible to work around this issue by checking the status of ephemeral pool members after BIG-IP restart, and toggling the 'session' value between user-enabled and user-disabled.
Fix:
FQDN ephemeral pool members now better reflect expected states after the corresponding FQDN template pool member is modified by one of several actions such as config load, config sync and BIG-IP restart.
Fixed Versions:
14.1.4.5, 15.1.4.1
903561-2 : Autodosd returns small bad destination detection value when the actual traffic is high
Links to More Info: BT903561
Component: Advanced Firewall Manager
Symptoms:
Bad destination detection threshold cannot accurately reflect the actual traffic pattern.
Conditions:
-- Enable bad destination and fully automatic mode.
-- Actual traffic is high.
Impact:
A small bad destination detection value is returned.
Workaround:
None.
Fix:
Fixed the threshold update algorithm.
Fixed Versions:
14.1.4, 15.1.3
903357-3 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers
Links to More Info: BT903357
Component: Application Security Manager
Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.
Conditions:
At least one Bot profile is attached to hundreds of virtual servers. With 750 or more virtual servers attached, the slow loading is significant.
Impact:
Bot Defense list page loading time can take more than 30 seconds.
Workaround:
None.
Fixed Versions:
14.1.2.7, 15.1.1, 16.0.1.1
902485-2 : Incorrect pool member concurrent connection value
Links to More Info: BT902485
Component: Application Visibility and Reporting
Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.
Conditions:
This is encountered when viewing the pool-traffic report.
Impact:
Incorrect stats are reported in the pool-traffic report table.
Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:
From this:
formula=round(sum(server_concurrent_conns),2)
Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)
Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
902417-4 : Configuration error caused by Drafts folder in a deleted custom partition★
Links to More Info: BT902417
Component: TMOS
Symptoms:
An error occurs during config load because the Drafts folder associated with a custom partition still exists after the partition is deleted:
01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.
Conditions:
Create a draft policy under a custom partition.
Impact:
Impacts the software upgrade.
Workaround:
After removing the partition, remove the Draft folder config from bigip_base.conf, or use the command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config".
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1
902401-3 : OSPFd SIGSEGV core when 'ospf clear' is done on remote device
Links to More Info: BT902401
Component: TMOS
Symptoms:
The ospfd process generates a core.
Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.
Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.
Workaround:
None.
Fix:
OSPF no longer cores when running 'clear ip ospf' on remote.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
901929-4 : GARPs not sent on virtual server creation
Links to More Info: BT901929
Component: Local Traffic Manager
Symptoms:
When a virtual server is created, GARPs are not sent out.
Conditions:
-- Creating a new virtual server.
Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.
Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.
Fix:
GARPs are now sent when a virtual server is created.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
901669-2 : Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.
Links to More Info: BT901669
Component: TMOS
Symptoms:
-- The 'tmsh show cm failover-status' command shows a status of 'Error' when the command is run on a peer of a device that underwent a management IP address change.
-- Should the sod_tg_conn_stat or sod_tg_msg_stat tmstat tables be inspected using the tmctl command, the tables show stale information in the entry_key column.
Note: Additionally, in certain cases, it is possible for failover functionality to be broken after the management IP address change, meaning devices remain stuck in an improper Active/Active or Standby/Standby state. This further aspect of the issue is tracked under ID999125. This ID tracks only the cosmetic defect.
Conditions:
-- Two or more devices in a sync-failover device-group.
-- The management IP address is changed on one of the devices.
The error appears under either of these conditions:
-- The 'tmsh show cm failover-status' is run on a peer of the device that underwent the management IP address change.
-- The sod_tg_conn_stat or sod_tg_msg_stat tmstat tables are inspected using the tmctl command.
Impact:
The 'tmsh show cm failover-status' command indicates an error.
Workaround:
You can work around this issue by running the following command on the peers of the device which underwent a management IP address change:
tmsh restart sys service sod
Fixed Versions:
14.1.4.6
901061-4 : Safari browser might be blocked when using Bot Defense profile and related domains.
Links to More Info: BT901061
Component: Application Security Manager
Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.
Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.
Impact:
Some requests might be blocked.
Workaround:
None.
Fix:
Set the cookie so all requests in the target domain will contain it.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1
900933-2 : IPsec interoperability problem with ECP PFS
Links to More Info: BT900933
Component: TMOS
Symptoms:
IPsec tunnels fail to remain established after initially working.
On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer.
This may also immediately present as a problem when trying to establish a second tunnel to the same peer.
Conditions:
- IPsec IKEv2 tunnel.
- A remote peer that is not another BIG-IP system.
- Elliptic curve groups (ECP) are used for Perfect Forward Secrecy (PFS).
Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.
Workaround:
Do not use ECP for PFS.
Fix:
The ECP PFS state is now correctly maintained and will interoperate with other vendor IPsec products.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.0.1.2
900797-4 : Brute Force Protection (BFP) hash table entry cleanup
Links to More Info: BT900797
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.
Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum combined size of all the hash tables, which is then divided among the virtual servers that have traffic and BFP enabled.
In the latter case, with too many virtual servers, a hash table may reach its maximum capacity.
Impact:
Mitigated entries that keep getting removed from the hash table by new entries may result in attacks not getting mitigated.
Workaround:
N/A
Fix:
Mitigated entries are kept in the hash table.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900793-2 : APM Brute Force Protection resources do not scale automatically
Links to More Info: K32055534, BT900793
Component: Application Security Manager
Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.
Conditions:
-- Many virtual servers (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.
Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.
Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.
Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900789-4 : Alert before Brute Force Protection (BFP) hash are fully utilized
Links to More Info: BT900789
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.
Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.
Impact:
No alert is sent when entries are evicted.
Workaround:
None.
Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
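The eviction behavior described in 900797 and the warning described in 900789, modeled as an added Python example (not F5 code). The class and function names, the treatment of external_entity_hash_size as an entry count, the 90% warning ratio, and the addresses and sizes are all constructed assumptions.

```python
"""Constructed model of a per-virtual-server failed-login table (not F5 code)."""
from collections import OrderedDict


def per_table_capacity(total_size, active_virtual_servers):
    # Assumption: a non-zero external_entity_hash_size is a total entry budget
    # split evenly among virtual servers that have traffic and BFP enabled.
    return max(1, total_size // active_virtual_servers)


class FailedLoginTable:
    def __init__(self, capacity, threshold, keep_mitigated, warn_ratio=0.9):
        if capacity < 1:
            raise ValueError("capacity must be at least 1")
        self.capacity = capacity
        self.threshold = threshold            # failures before a key is mitigated
        self.keep_mitigated = keep_mitigated  # False: plain LRU; True: fixed behavior
        self.warn_ratio = warn_ratio          # hypothetical alerting threshold
        self.entries = OrderedDict()          # key -> failure count, oldest first
        self.warnings = []
        self._warned = False

    def is_mitigated(self, key):
        return self.entries.get(key, 0) >= self.threshold

    def _evict_one(self):
        victim = None
        if self.keep_mitigated:
            # Oldest entry that is not currently mitigated.
            victim = next(
                (k for k, n in self.entries.items() if n < self.threshold), None
            )
        if victim is None:
            # Plain LRU, or every entry is mitigated (assumed fallback).
            victim = next(iter(self.entries))
        del self.entries[victim]
        return victim

    def _check_utilization(self):
        used = len(self.entries) / self.capacity
        if used >= self.warn_ratio and not self._warned:
            self._warned = True
            self.warnings.append(
                f"table {used:.0%} full ({len(self.entries)}/{self.capacity})"
            )
        elif used < self.warn_ratio:
            self._warned = False

    def record_failure(self, key):
        """Count one failed login for key; return True if key is now mitigated."""
        if key in self.entries:
            self.entries[key] += 1
            self.entries.move_to_end(key)
        else:
            if len(self.entries) >= self.capacity:
                self._evict_one()
            self.entries[key] = 1
        self._check_utilization()
        return self.is_mitigated(key)


def simulate(keep_mitigated, total_size=1200, virtual_servers=300,
             threshold=3, other_sources=50):
    """One source reaches the threshold, then many other sources fail once each."""
    table = FailedLoginTable(
        per_table_capacity(total_size, virtual_servers), threshold, keep_mitigated
    )
    tracked = "203.0.113.7"                   # constructed documentation address
    for _ in range(threshold):
        table.record_failure(tracked)
    for i in range(other_sources):
        table.record_failure(f"198.51.100.{i}")
    return table.is_mitigated(tracked), table.warnings


if __name__ == "__main__":
    for mode in (False, True):
        still_mitigated, warnings = simulate(mode)
        print(f"keep_mitigated={mode}: still mitigated={still_mitigated}, "
              f"warnings={warnings}")
```

With many virtual servers sharing a fixed budget, each table holds only a few entries, so plain LRU drops the mitigated source almost immediately, while the pinned variant keeps it and the warning list records when the table filled.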
898997-4 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
Links to More Info: BT898997
Component: Service Provider
Symptoms:
GTP message parsing fails, and log messages similar to the following may be observed:
GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).
Conditions:
- A GTP profile is applied to a virtual server, or the GTP::parse command is used.
- A GTP message contains an IE (information element) that is larger than 2048 bytes.
Impact:
- Message parsing fails; traffic may be interrupted.
Fix:
GTP profile and GTP::parse iRules now support IEs larger than 2048 bytes.
Fixed Versions:
14.1.2.7, 15.1.1, 16.0.1
898929-2 : Tmm might crash when ASM, AVR, and pool connection queuing are in use
Links to More Info: BT898929
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates a core file.
Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.
Impact:
Tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Disable connection queuing on the pool.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
898825-4 : Attack signatures are enforced on excluded headers under some conditions
Links to More Info: BT898825
Component: Application Security Manager
Symptoms:
Attack signatures are marked as detected when they should be marked as excluded (i.e., a false positive).
Conditions:
-- A 100-continue transaction occurs in HTTP.
-- The internal parameter answer_100_continue is set to a non-default value of 0.
Impact:
False positive enforcement for header signature.
Workaround:
Set the answer_100_continue to 1 (default) on versions later than 15.0.0.
Fixed Versions:
14.1.2.7
898741-4 : Missing critical files causes FIPS-140 system to halt upon boot
Links to More Info: BT898741
Component: Application Security Manager
Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.
Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing
Impact:
System halts during boot because of sys-eicheck.py failure.
Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.
If the missing files are due to missing signature update files:
- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.
Fixed Versions:
14.1.2.7, 15.1.1
898705-3 : IPv6 static BFD configuration is truncated or missing
Links to More Info: BT898705
Component: TMOS
Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.
-- IPv6 static BFD configuration entries go missing during a daemon restart.
Conditions:
IPv6 static BFD configuration.
Impact:
The IPv6 static BFD configuration does not persist during reloads.
-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
898461-4 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
Links to More Info: BT898461
Component: TMOS
Symptoms:
The following SCTP iRule commands:
-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port
Are unavailable in the following MRF iRule events:
-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS
Attempts to use these commands in these events result in errors similar to:
01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].
Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.
Impact:
Unable to use these iRule commands within these iRule events.
Workaround:
None.
Fix:
These iRule commands are now available within these iRule events.
Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1.1
898441-4 : Enable logging of IKE keys
Links to More Info: BT898441
Component: TMOS
Symptoms:
IPsec debug level logging does not provide encryption and authentication key information for IKEv1 IKE negotiation. This information is commonly logged by IPsec vendors in order to allow network administrators the ability to decrypt failing ISAKMP exchanges.
Conditions:
-- The BIG-IP system has an IPsec IKEv2 tunnel configured.
-- debug level logging is enabled.
Impact:
Without the encryption and authentication key information, an ISAKMP negotiation cannot be inspected when troubleshooting tunnel negotiation.
Workaround:
None, although the remote peer may log this information.
Fix:
Added sys db variable 'ipsec.debug.logsk' to enable logging of IKE SA keys.
Fixed Versions:
14.1.4.4, 15.1.4
897229 : TLS session ticket resumption SNI check
Links to More Info: BT897229
Component: Local Traffic Manager
Symptoms:
A TLS session ticket might be used for session resumption if the SNI does not match the original session ticket.
Conditions:
-- TLS 1.2 or 1.3.
-- Session ticket resumption.
-- SNI does not match the original session ticket.
Impact:
Session resumption might occur when the current session ticket extension SNI does not match session ticket SNI.
Workaround:
None.
Fix:
A session is now resumed with a session ticket only when the SNI matches the original session ticket.
Fixed Versions:
14.1.2.6
896817-4 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
Links to More Info: BT896817
Component: TMOS
Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:
01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.
Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.
Impact:
Unable to replace configuration using TMSH's 'replace' verb.
Workaround:
None.
Fix:
When merging a configuration that modifies the list of iRules a virtual server uses using the TMSH 'replace' verb, no error is encountered.
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
896709-2 : Add support for Restart Desktop for webtop in VMware VDI
Links to More Info: BT896709
Component: Access Policy Manager
Symptoms:
VMware has a restart desktop option to reboot the Horizon Agents, but APM does not support this feature on the webtop.
Conditions:
You wish to use the VMware Restart desktop feature for the Horizon Agents that are managed by the vCenter Server.
Impact:
Cannot restart the desktop (Horizon Agent) from the webtop by clicking the restart icon.
Workaround:
None.
Fix:
APM now supports restart desktop option on webtop for VMware VDI.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
896553-2 : On blade failure, some trunked egress traffic is dropped.
Links to More Info: BT896553
Component: TMOS
Symptoms:
When a blade fails (but is not administratively disabled), other blades take 10 seconds (configured with db variable clusterd.peermembertimeout) to detect its absence. Until the blade failure is detected, egress traffic which used the failed blade's interfaces is dropped.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- Some blades do not have directly attached interfaces.
-- A blade which does have directly attached interfaces fails.
Impact:
Some traffic is dropped until the failed blade is detected (10 seconds by default.)
Workaround:
Attach interfaces to all blades.
Fix:
Failed blades are detected within a second.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3
896285-4 : No parent entity in suggestion to add predefined-filetype as allowed filetype
Links to More Info: BT896285
Component: Application Security Manager
Symptoms:
No parent entity appears in an ASM Policy Builder suggestion to add to the policy a predefined-filetype to the allowed filetypes list.
Conditions:
The issue is encountered when filetypes are configured with learning mode which allows new filetypes to be added to the policy. Relevant learning modes to this issue are: Always, Selective and Compact.
Impact:
No parent entity appears in the suggestion.
Workaround:
None.
Fix:
Suggestions to add filetypes to the allowed-filetypes list in the policy now contain parent entity.
Fixed Versions:
14.1.2.7, 15.1.2, 16.0.1.1
896217-4 : BIG-IP GUI unresponsive
Links to More Info: BT896217
Component: TMOS
Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.
Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.
Impact:
GUI becomes unresponsive.
Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
895837-1 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified
Links to More Info: BT895837
Component: TMOS
Symptoms:
Virtual server configured with:
-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0
-- The configuration uses a destination port list.
Conditions:
Modify the virtual server's port-list to a different one.
Impact:
Mcpd generates a core, and causes services to restart and failover.
Workaround:
None.
Fix:
Mcpd no longer crashes when modifying a traffic-matching-criteria's destination port list.
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
895557-1 : NTLM profile logs error when used with profiles that do redirect
Links to More Info: BT895557
Component: Local Traffic Manager
Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry return errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).
When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.
Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for example, HTTP::collect, HTTP::close, HTTP::cookie, etc.).
Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.
For example:
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2
895313 : Enable manage config setting may fail after upgrade of AGC to version 7.0 on BIG-IP 14.1.0 or 14.1.2
Links to More Info: BT895313
Component: Access Policy Manager
Symptoms:
Clicking to change the Enable Manage Config setting may fail after upgrade, and reports an error message:
transaction failed:01020036:3: The requested AAA OAuth Provider (/Common/test.app/test_oauthProvider_test) was not found.
Conditions:
This issue occurs in the following scenario:
-- Run BIG-IP software 14.1.0 or 14.1.2.
-- Upgrade AGC to version 7.0.
-- A configuration such as SAML SP is created and deployed.
-- Click the Disable Manage Config lock icon to set it to Enable Manage Config; This enables editing the configuration using the GUI or tmsh.
-- Use the GUI or tmsh to edit a configuration option related to that SAML SP instance.
-- Navigate to the AGC-created instance of the configuration, and click the Enable Manage Config lock icon.
Impact:
Attempting to Enable Manage Config fails. The changes you made using the GUI or tmsh are lost. The associated instance becomes unusable from AGC.
Note: You can still use the instance outside of AGC.
Workaround:
To prevent the issue from happening, do not edit AGC-created configurations using the GUI or tmsh; only modify the configuration using AGC.
Fix:
Clicking Enable Manage Config in AGC now retains changes made outside the AGC use case.
Fixed Versions:
14.1.2.7
895153-2 : HTTP::has_responded returns incorrect values when using HTTP/2
Links to More Info: BT895153
Component: Local Traffic Manager
Symptoms:
HTTP::has_responded is not detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded always returns the value 'false'.
Conditions:
-- HTTP/2 profile.
-- iRule containing the command HTTP::has_responded.
Impact:
Calls to HTTP::respond or HTTP::redirect are not correctly identified by HTTP::has_responded when using HTTP/2.
Workaround:
None.
Fix:
HTTP::has_responded is now properly detected in iRules where HTTP/2 is used.
Fixed Versions:
14.1.3.1, 15.1.2
895141 : HTTP::has_responded returns incorrect values when using HTTP/2
Links to More Info: BT895141
Component: Local Traffic Manager
Symptoms:
HTTP::has_responded is not detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded always returns the value 'false'.
Conditions:
-- HTTP/2 profile.
-- iRule containing the command HTTP::has_responded.
Impact:
Calls to HTTP::respond or HTTP::redirect are not correctly identified by HTTP::has_responded when using HTTP/2.
Workaround:
None.
Fix:
HTTP::has_responded is properly detected in iRules where HTTP/2 is used.
Fixed Versions:
14.1.3.1
894885 : [SAML] SSO crash while processing client SSL request
Links to More Info: BT894885
Component: Access Policy Manager
Symptoms:
-- Tmm crashes while processing a client SSO request.
-- Graphs show a high SWAP consumption and there are also some OOM events, although the process being terminated is avrd.
Log messages:
-- notice sod[4759]: 01140045:5: HA reports tmm NOT ready.
-- notice sod[4759]: 010c0050:5: Sod requests links down.
Conditions:
SAML SSO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a crash that occurred while handling SSL Orchestrator traffic.
Fixed Versions:
14.1.4.2, 15.1.4
894565-2 : Autodosd.default crash with SIGFPE
Links to More Info: BT894565
Component: Access Policy Manager
Symptoms:
The autodosd process crashes occasionally due to a division by zero.
Conditions:
It happens when the autodosd process receives a zero value from tmm.
Impact:
Autodosd is rebooted.
Fix:
The autodosd process does not crash with SIGFPE.
Fixed Versions:
14.1.4, 15.1.3
893949 : Support TCP directional offload for hardware-accelerated connections
Links to More Info: BT893949
Component: TMOS
Symptoms:
TCP connections are hardware accelerated for both client- and server-side traffic, but there is no way to specify the TCP hardware acceleration for only client-side or only server-side traffic.
Conditions:
The BIG-IP device has TCP hardware accelerated flows.
Impact:
This change allows you to specify TCP hardware acceleration for only client-side traffic, only server-side traffic, or both. Both is the default behavior.
Note that setting TCP directional offload based on this change is global. There is no per-Fast L4 profile setting.
For more information, see K03799525: Overview of the ePVA offload priority features, available at https://support.f5.com/csp/article/K03799525.
Workaround:
None.
Fixed Versions:
14.1.4
893885 : The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation
Links to More Info: BT893885
Component: TMOS
Symptoms:
The tpm-status command incorrectly reports system integrity status as 'Invalid' even when system software is not modified.
Conditions:
-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on Trusted Platform Module (TPM)-supported BIG-IP platforms.
Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.
Workaround:
None.
Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status.
Fixed Versions:
14.1.4, 15.1.3
893721-1 : PEM-provisioned systems may suffer random tmm crashes after upgrading★
Links to More Info: BT893721
Component: Traffic Classification Engine
Symptoms:
TMM crashes with SIGSEGV and a core file is written to /var/core/
Conditions:
This affects systems where PEM is provisioned and where the classification engine is running.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
None
Fixed Versions:
14.1.4.2, 15.1.4
893281-1 : Possible ssl stall on closed client handshake
Links to More Info: BT893281
Component: Local Traffic Manager
Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.
Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.
Impact:
Some SSL client connections remain until the idle timeout.
Fix:
Allow transmit of any pending crypto during ssl shutdown.
Fixed Versions:
14.1.2.7, 15.1.0.5
893061-1 : Out of memory for restjavad
Links to More Info: BT893061
Component: Application Security Manager
Symptoms:
REST framework not available due to Out of memory error
Conditions:
Long list of Live Update installations
Impact:
Live Update GUI is not responding.
Workaround:
1) Increase memory assigned to the Linux host: (value dependent on platform)
# tmsh modify sys db provision.extramb value 1000
2) Allow restjavad to access the extra memory:
# tmsh modify sys db restjavad.useextramb value true
3) Save the config:
# tmsh save sys config
4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.
5) Increase the restjavad maxMessageBodySize property:
# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
"maxMessageBodySize": 134217728,
"localhostRestnodedConnectionLimit": 8,
"defaultEventHandlerTimeoutInSeconds": 60,
"minEventHandlerTimeoutInSeconds": 15,
"maxEventHandlerTimeoutInSeconds": 60,
"maxActiveLoginTokensPerUser": 100,
"generation": 6,
"lastUpdateMicros": 1558012004824502,
"kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
"selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}
Ensure the command returns output showing the limit has been increased (as shown above).
6) Reboot the unit.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
892941-4 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
Links to More Info: K20105555, BT892941
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fixed Versions:
14.1.4, 15.1.2, 16.0.1.1
892937-4 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
Links to More Info: K20105555, BT892937
Component: Access Policy Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fixed Versions:
14.1.4, 15.1.1, 16.0.1
892677-4 : Loading config file with imish adds the newline character
Links to More Info: BT892677
Component: TMOS
Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.
In particular, this affects the bigip_imish_config Ansible module.
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Regex expressions are not created properly.
Workaround:
You can use either of the following workarounds:
-- Delete and re-add the offending commands using the imish interactive shell.
-- Restart tmrouted:
bigstart restart tmrouted
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
892653-2 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
Links to More Info: BT892653
Component: Application Security Manager
Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.
Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI
Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.
Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html
Fix:
Maximum Query String Size and Maximum Request Size fields will be shown in the GUI in case the Splunk Logging Format is selected.
Fixed Versions:
14.1.2.7, 15.1.0.5, 16.0.1
892621-2 : Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software
Links to More Info: BT892621
Component: Advanced Firewall Manager
Symptoms:
BDoS Signature mitigated in software.
Conditions:
IP packets size metric in BDoS signature.
Impact:
BDoS Signature with IP packet size metric mitigated only in software for IPv6 packets.
Workaround:
None.
Fix:
IP packets size metric bin calculation algorithm for IPv6 packets in software now matches hardware version.
Fixed Versions:
14.1.3, 15.1.0.4
892485-1 : A wrong OCSP status cache may be looked up and re-used during SSL handshake.
Links to More Info: BT892485
Component: Local Traffic Manager
Symptoms:
A wrong OCSP status entry in SessionDB is returned during a cache lookup because a wrong input parameter (the certificate serial number) is used. As a result, the wrong OCSP status is used in the SSL handshake.
Conditions:
An OCSP object is configured in a clientSSL or serverSSL profile.
Impact:
A wrong OCSP status may be reported in the SSL handshake.
Fix:
After the fix, the correct OCSP status entry is returned and SSL handshake continues with the correct OCSP status.
Fixed Versions:
14.1.4.6
892385-2 : HTTP does not process WebSocket payload when received with server HTTP response
Links to More Info: BT892385
Component: Local Traffic Manager
Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.
Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload are received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.
Impact:
-- WebSocket connection hangs.
Workaround:
None.
Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
892073-1 : TLS1.3 LTM policy rule based on SSL SNI is not triggered
Links to More Info: BT892073
Component: Local Traffic Manager
Symptoms:
A policy rule based on SSL SNI at SSL client hello is not triggered for a TLS1.3 connection.
Conditions:
-- LTM policy rule specifying SSL client hello SNI.
-- TLS1.3 connection.
Impact:
Policy rule not triggered for TLS1.3.
Workaround:
None.
Fix:
LTM policy rules at client hello SNI are now triggered for TLS1.3.
Fixed Versions:
14.1.4.6
891849-2 : Running iRule commands while suspending iRule commands that are running can lead to a crash
Links to More Info: BT891849
Component: Local Traffic Manager
Symptoms:
Running iRule commands while suspending iRule commands that are running can lead to a crash.
Conditions:
-- Running iRule commands.
-- iRule commands that suspend iRules are running.
For more information on the conditions that trigger iRule suspend, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Running iRule commands while suspending iRule commands are running no longer results in a tmm crash.
Fixed Versions:
14.1.3.1, 15.1.2
891729-4 : Errors in datasyncd.log★
Links to More Info: BT891729
Component: Fraud Protection Services
Symptoms:
An error exists in datasyncd.log:
DATASYNCD|ERR |Mar 13 12:47:54.079|16301| datasyncd_main.c:1955|tbl_gen_state_machine: cannot start the generator for table CS_FPM
Conditions:
Upgrades from version 13.x to 14.0.0 or higher.
Impact:
FPS has a maximum of ~990 rows instead of 1001, and there are errors in datasyncd.log. However, the upgrade completes normally, and the system operates as expected.
Workaround:
These are benign error messages that you can safely ignore. Upgrade completes successfully, and the system operates as expected.
If you prefer, however, you can perform a clean install instead of upgrading. This has an impact on your configuration, as that information will be lost when you do a clean install.
Fix:
Now the max rows number is 1001 when upgrading from any version prior to 14.0.0.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1
891721-1 : Anti-Fraud Profile URLs with query strings do not load successfully
Links to More Info: BT891721
Component: TMOS
Symptoms:
When a URL containing a query string is added to an anti-fraud profile, the BIG-IP config load fails:
010719d8:3: Anti-Fraud URL '/url\?query=string' is invalid. Every protected URL should be a valid non-empty relative path specified in lower case in the case insensitive Anti-Fraud profile '/Common/antifraud'.
Unexpected Error: Loading configuration process failed.
Conditions:
Adding a query string to a URL for an anti-fraud profile.
Impact:
After a BIG-IP config save, loading of new bigip.conf fails.
Workaround:
Follow this procedure:
1. Remove the escaping characters \ (backslash) for ? (question mark) in the bigip.conf file.
2. Load the configuration.
Fix:
The issue has been fixed: Now Anti-fraud profile URLs support query strings such as /uri?query=data, and they can be successfully loaded.
Fixed Versions:
14.1.2.7, 15.0.1.4, 15.1.0.5
891505-1 : TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.
Links to More Info: BT891505
Component: Access Policy Manager
Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.
Conditions:
OAuth agent is used in APM per-request policy subroutine and authentication fails.
Impact:
Over a period of time, TMM crashes, as it is unable to allocate any more memory. Traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
When fixed, TMM works as expected and no longer leaks memory.
Fixed Versions:
14.1.2.8, 15.1.4
891477 : No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server
Links to More Info: BT891477
Component: TMOS
Symptoms:
When a bandwidth control policy is applied on a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.
Both static bandwidth control policies and dynamic bandwidth control policies can cause the problem.
Conditions:
This issue occurs when both of the following conditions are met:
-- Virtual server configured with a bandwidth control policy.
-- Standard type of virtual server.
Impact:
The BIG-IP system does not retransmit unacknowledged data segments.
Workaround:
None.
Fixed Versions:
14.1.2.7, 15.0.1.4, 15.1.0.5
891385-4 : Add support for URI protocol type "urn" in MRF SIP load balancing
Links to More Info: BT891385
Component: Service Provider
Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.
Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.
Impact:
SIP messages with urn URIs are rejected.
Fix:
Added support for the urn URI protocol type.
Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1
891337-3 : 'save_master_key(master): Not ready to save yet' errors in the logs
Links to More Info: BT891337
Component: TMOS
Symptoms:
During config sync, you see error messages in the logs:
save_master_key(master): Not ready to save yet.
Conditions:
UCS load or configuration synchronization that includes encrypted objects.
Impact:
Many errors seen in the logs.
Workaround:
None.
Fix:
Fixed an issue causing 'save_master_key(master): Not ready to save yet' errors.
Fixed Versions:
14.1.4, 15.1.3
891093-3 : iqsyncer does not handle stale pidfile
Links to More Info: BT891093
Component: Global Traffic Manager (DNS)
Symptoms:
Stale /var/run/iqsyncer.pid file is causing a new iqsyncer application to exit immediately after start.
Conditions:
The iqsyncer application is killed by the Linux kernel, or exits for any other reason that leaves a stale iqsyncer pid file.
Impact:
GTM config changes and gtm_add operations are blocked.
Workaround:
Remove the iqsyncer pid file manually, or reboot.
Fix:
The iqsyncer application now handles a stale iqsyncer pid file.
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
890881-3 : ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address
Links to More Info: BT890881
Component: Local Traffic Manager
Symptoms:
Traffic drop occurs.
Conditions:
Source MAC in the ARP header and the Ethernet header do not match.
Impact:
The BIG-IP system drops these packets.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.4.1
890277-2 : Full config sync to a device group operation takes a long time when there are a large number of partitions.
Links to More Info: BT890277
Component: TMOS
Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such as tmsh and the GUI, as it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.
Conditions:
Full config sync on device with large number of partitions.
Impact:
The operation takes a long time to complete: minutes on BIG-IP Virtual Edition (VE) configurations, varying by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.
Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.
Workaround:
Enable Manual Incremental Sync.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
890229-3 : Source port preserve setting is not honored
Links to More Info: BT890229
Component: Local Traffic Manager
Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.
Conditions:
This issue occurs when both of the following conditions are met:
-- The virtual server is configured with source-port preserve (the default).
-- The system uses one of the following hash configurations including IP addresses.
- Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
- Configuring a VLAN's 'CMP Hash' setting to a non-default value.
- Using a special variable such as non-default udp.hash or tcp.hash.
Impact:
Applications relying on a specific, fixed source port might not work as expected.
Workaround:
Set source-port to preserve-strict.
Fix:
Now source-port preserve setting does best effort to preserve the source port.
Behavior Change:
Beginning with v16.0.0, the TM.PortFind.Src_Preserve BigDB variable introduced in v15.1.0 is no longer supported.
The source-port preserve setting now does best effort to preserve the source port.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1
889813-1 : Show net bwc policy prints bytes-per-second instead of bits-per-second
Links to More Info: BT889813
Component: TMOS
Symptoms:
The 'tmsh show net bwc policy' is printing out bits-per-second in the value field, but the name field says 'bytesPerSec'.
Conditions:
Running the tmsh command:
tmsh show net bwc policy
Impact:
The stats are in bits-per-second, but the label says bytesPerSec. Although there is no functional impact, the incorrect label could cause confusion.
Workaround:
None.
Fixed Versions:
14.1.4.5
889601-1 : OCSP revocation not properly checked
Links to More Info: K14903688, BT889601
Component: Local Traffic Manager
Symptoms:
The revocation status of untrusted intermediate CA certificates is not checked when an OCSP object is configured.
Conditions:
OCSP object revocation checking is configured in client and server SSL profiles.
Impact:
The SSL handshake continues even if a certificate is revoked.
Fix:
OCSP revocation checking now works properly.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
889209-1 : Sflow receiver configuration may lead to egress traffic dropped after TMM starts.
Links to More Info: BT889209
Component: Local Traffic Manager
Symptoms:
Active Sflow receiver configuration may lead to all egress traffic getting dropped after TMM starts.
Conditions:
Enabled sflow receiver is configured.
Impact:
Egress traffic is dropped.
Workaround:
Disable Sflow receiver, save configuration, reboot. (You should not re-enable the sflow receiver in versions where this bug is present)
Fixed Versions:
14.1.4, 15.1.1
889165-1 : "http_process_state_cx_wait" errors in log and connection reset
Links to More Info: BT889165
Component: Local Traffic Manager
Symptoms:
Large POST requests are getting occasionally reset and you see the following in /var/log/ltm:
err tmm[19279]: 011f0007:3: http_process_state_cx_wait - Invalid action:0x100011 clientside
Conditions:
-- An HTTP iRule is configured on a virtual server
-- A large POST request arrives on the virtual server
Impact:
Possible connection failure.
Fix:
Fixed incorrect early release of HUDEVT_ACCEPTED during ssl handshake irules.
Fixed Versions:
14.1.4, 15.1.3
889041-1 : Failover scripts fail to access resolv.conf due to permission issues
Links to More Info: BT889041
Component: TMOS
Symptoms:
When a failover is triggered, the floating IP addresses do not migrate to the newly active device. In /var/log/auditd/audit.log, you see the following errors:
/var/log/auditd/audit.log:type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file
Conditions:
-- A failover event occurs.
-- oci-curl will be called when failover happens, which may be unable to read /etc/resolv.conf.
Impact:
Failover does not complete. Floating IP addresses do not move to the active device.
Workaround:
Run two commands:
tmsh modify sys db failover.selinuxallowscripts enable
setenforce 0
Impact of workaround: these commands disable SELinux policy enforcement.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
889029-4 : Unable to login if LDAP user does not have search permissions
Links to More Info: BT889029
Component: TMOS
Symptoms:
A user is unable to log in using remote LDAP.
Conditions:
-- BIG-IP systems are configured to use LDAP authentication.
-- Remote user has no search permissions on directory
Impact:
Authentication does not work.
Workaround:
Grant search permissions to the user in LDAP.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
888625-2 : CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks
Links to More Info: BT888625
Component: Carrier-Grade NAT
Symptoms:
There is a difference in active port block counter between statistics collected in TMM and actual allocations in 'lsndb list pba'.
Conditions:
The issue happens when the port block allocation process fails after incrementing the active port blocks counter.
Impact:
No functional impact. But the stats counters will be incorrect.
Fix:
Update the active port block counter correctly when port block allocation fails.
Fixed Versions:
14.1.2.7, 15.1.0.3
888517-3 : Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.★
Links to More Info: BT888517
Component: Local Traffic Manager
Symptoms:
Tmm is running at 100% CPU even under light network load. The 'tmctl tmm/ndal_tx_stats' command shows a high number of packet drops. The 'tmctl tmm/ndal_tx_stats' indicates a large number of queue full events.
Conditions:
-- BIG-IP Virtual Edition.
-- There are underlying network performance issues causing the transmit queue to be full (e.g., a non-SR-IOV virtual machine environment).
-- Upgrading from BIG-IP v12.x to BIG-IP v14.x.
Impact:
NDAL's busy polling runs the tmm CPU usage to 100%.
Workaround:
Correct the underlying networking/virtualization issue.
Fix:
NDAL needs to provide visible information, for example, a log entry, when busy polling over a period of time.
Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
888497-4 : Cacheable HTTP Response
Links to More Info: BT888497
Component: TMOS
Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.
Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.
Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.
Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.
Workaround:
Disable caching in browsers.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
888341-5 : HA Group failover may fail to complete Active/Standby state transition
Links to More Info: BT888341
Component: TMOS
Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:
-- 1 floating traffic group: 2485~ days.
-- 2 floating traffic groups: 1242~ days.
-- 4 floating traffic groups: 621~ days.
-- 8 floating traffic groups: 310~ days.
-- 9 floating traffic groups: 276~ days.
Note: You can confirm sod process uptime in tmsh:
# tmsh show /sys service sod
Conditions:
HA Group failover configured.
Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:
o VLAN failsafe failover.
o Gateway failsafe failover.
o Failover triggered by loss of network failover heartbeat packets.
o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).
Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.
Workaround:
There is no workaround.
The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
888289-3 : Add option to skip percent characters during normalization
Links to More Info: BT888289
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.
Impact:
An attack goes undetected.
Workaround:
Turn on the bad unescape violation or the metacharacter violation.
Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
888285-3 : Sensitive positional parameter not masked in 'Referer' header value
Links to More Info: K18304067, BT888285
Component: Application Security Manager
Symptoms:
When the URI and 'Referer' header share the same positional parameter, the 'Referer' positional parameter is not masked in logs.
Conditions:
Sending a request with positional parameter in URI and 'Referer' header.
Impact:
'Referer' header positional parameter value is not masked in logs.
Workaround:
None.
Fix:
'Referer' positional parameter value is masked as expected.
Fixed Versions:
14.1.2.8, 15.1.1
887089-3 : Upgrade can fail when filenames contain spaces
Links to More Info: BT887089
Component: TMOS
Symptoms:
Filenames with spaces in the /config directory can cause an upgrade or UCS load to fail, because the im upgrade script that backs up the config splits each line of a file spec on white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.
The file's content is also significant because that determines the md5sum value.
Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:
Not enough free disk space to install!
Conditions:
Filenames with spaces in /config directory.
Impact:
Upgrade or loading of UCS fails.
Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
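A pre-upgrade check for the condition in this entry, as an added example (not F5 code): it walks a directory tree and reports every file or directory whose name contains white space, with a space-free replacement name and whether that name already exists. The function names, the underscore replacement and the sample tree are assumptions; the script only reports and renames nothing.

```python
import os
import re
import sys
import tempfile

_WHITESPACE = re.compile(r"\s+")


def find_whitespace_names(root):
    """Return a sorted list of (path, proposed_path, collides) tuples.

    One tuple is produced for every file or directory under `root` whose
    own name contains white space. `proposed_path` replaces each run of
    white space with an underscore (an assumed convention), and `collides`
    is True when an entry with the proposed name already exists in the
    same directory, so a blind rename would overwrite or fail.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        existing = set(dirnames) | set(filenames)
        for name in existing:
            if not _WHITESPACE.search(name):
                continue
            proposed = _WHITESPACE.sub("_", name)
            findings.append((
                os.path.join(dirpath, name),
                os.path.join(dirpath, proposed),
                proposed in existing,
            ))
    return sorted(findings)


def build_sample_tree(base):
    """Create a small constructed tree that stands in for /config."""
    os.makedirs(os.path.join(base, "ssl keys"))
    sample_files = (
        "bigip.conf",
        "my notes.txt",                       # name with a space
        "my_notes.txt",                       # would collide with the fix
        os.path.join("ssl keys", "site.key"),  # parent directory has a space
    )
    for rel in sample_files:
        with open(os.path.join(base, rel), "w") as handle:
            handle.write("constructed sample\n")
    return base


if __name__ == "__main__":
    # Pass the directory to audit (for example /config); with no argument
    # the constructed sample tree is used so the script runs anywhere.
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = build_sample_tree(tempfile.mkdtemp())
    results = find_whitespace_names(target)
    for path, proposed, collides in results:
        status = "COLLISION" if collides else "ok to rename"
        print("%r -> %r [%s]" % (path, proposed, status))
    # A non-zero exit code lets a pre-upgrade runbook stop on findings.
    sys.exit(1 if results else 0)
```

A directory with a space in its name is reported once; every file beneath it is affected through its path, so fixing the directory name covers them.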
887017-2 : The dwbld daemon consumes a large amount of memory
Links to More Info: BT887017
Component: Advanced Firewall Manager
Symptoms:
The dwbld daemon shows very large memory consumption after adding addresses to the shun-list.
Conditions:
-- Adding a large number of IP addresses to the shun-list (millions of IP addresses).
-- Viewing dwbl memory usage using:
config # top -p $(pidof dwbld)
Impact:
Excessive memory consumption. If memory is exhausted, enforcement does not occur.
Workaround:
None.
Fix:
Improvements to dwbld memory handling have been implemented.
Fixed Versions:
14.1.4, 15.1.3
886865-2 : P3P header is added for all browsers, but required only for Internet Explorer
Links to More Info: BT886865
Component: Application Security Manager
Symptoms:
The Bot Defense profile adds P3P headers to every response when a cookie is set, even if the client browser is something other than Microsoft Internet Explorer.
Conditions:
Bot Defense Profile is attached to a virtual server.
Impact:
Deprecated P3P header is inserted in all responses, even though it is only required for Internet Explorer.
Workaround:
The value of the P3P header is globally configurable in the DB variable dosl7.p3p_header.
It is also possible to set the value to '<null>' and thus prevent the P3P header from appearing, but this may cause legitimate Internet Explorer browsers to be blocked from accessing the web application.
Fix:
The profile now adds the P3P header only to Internet Explorer browsers. There is still the option to add the header to all browsers (i.e., keep the old behavior, in case there is another browser that requires this) by setting a db variable:
tmsh modify sys db botdefense.always_add_p3p_header value enable
Fixed Versions:
14.1.4.5, 15.1.5
886713-3 : Error log seen in case of SSL Orchestrator configured with http service during connection close.
Links to More Info: BT886713
Component: SSL Orchestrator
Symptoms:
An error is logged:
tmm2[24575]: 01c50003:3: Service : encountered error: ERR_UNKNOWN File: ../modules/hudfilter/service/service.c Function: hud_service_handler, Line: 778
Conditions:
SSL Orchestrator is configured with a http service and a connection closes.
Impact:
An error is logged, but it can be safely ignored.
Workaround:
N/A
Fix:
Error log is no longer seen in case of SSL Orchestrator configured with http service.
Fixed Versions:
14.1.2.5, 15.1.0.5
886693-2 : System might become unresponsive after upgrading.★
Links to More Info: BT886693
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory assigned to 'host' category.
Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it, see: https://cdn.f5.com/product/bugtracker/ID688629.html
Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.
For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.
Fix:
The system should now remain responsive if the configuration fails to load during an upgrade on the following platforms:
-- BIG-IP 2000s / 2200s
-- BIG-IP 4000s / 4200v
-- BIG-IP i850 / i2600 / i2800
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
886689-4 : Generic Message profile cannot be used in SCTP virtual
Links to More Info: BT886689
Component: TMOS
Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:
01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)
Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.
Impact:
You are unable to combine the Generic Message profile with the SCTP profile.
Fix:
Generic Message profile can be used in SCTP virtual
Fixed Versions:
14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
885869-4 : Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime
Links to More Info: BT885869
Component: Global Traffic Manager (DNS)
Symptoms:
iQuery incorrectly interprets iQuery SSL certificate times when they are using GenericTime instead of UTCTime.
Conditions:
An iQuery certificate using GenericTime instead of UTCTime.
Note that this would only occur with a date beyond the year 2049.
Impact:
Internal years are interpreted to be much later than they should be.
Workaround:
Use SSL certificates with UTCTime instead of GenericTime.
Fix:
Fixed an issue in iQuery SSL where GenericTime-formatted years were interpreted incorrectly.
Fixed Versions:
14.1.4
885765-4 : ASMConfig Handler undergoes frequent restarts
Links to More Info: BT885765
Component: Application Security Manager
Symptoms:
Under some settings and load, the RPC handler for the tsconfd process restarts frequently.
Conditions:
When processing a large number of configuration updates.
Impact:
The RPC handler for the tsconfd process restarts frequently, causing unnecessary churn and noisy logs.
Workaround:
None
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
885201-3 : BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session' messages appearing in gtm log
Links to More Info: BT885201
Component: Global Traffic Manager (DNS)
Symptoms:
Err (error) level messages appear in the /var/log/gtm log when DNS (GTM) SSL monitors such as https are used and are unable to connect to the monitored target IP address:
err big3d[4658]: 01330014:3: CSSLSocket:: Unable to get the session.
These messages do not indicate the IP address or port of the target that failed to connect, and this ambiguity may cause concern.
Conditions:
-- SSL-based DNS (GTM) monitor assigned to a target, for example https
-- TCP fails to connect due to a layer 2-4 issue, for example:
- No route to host.
- Received a TCP RST.
- TCP handshake timeout.
Impact:
The system reports unnecessary messages; the fact that the monitor failed is already detailed by the pool/virtual status change message, and the target changing to a red/down status.
These messages can be safely ignored.
Workaround:
If you want to suppress these messages, you can configure a syslog filter.
For more information, see K16932: Configuring the BIG-IP system to suppress sending SSL access and request messages to remote syslog servers :: https://support.f5.com/csp/article/K16932.
Fix:
Added debug messages for SSL probing with attached DB variable
Fixed Versions:
14.1.4.1, 15.1.3
884797-2 : Portal Access: in some cases data is not delivered via WebSocket connection
Links to More Info: BT884797
Component: Access Policy Manager
Symptoms:
If a client browser opens a WebSocket connection, Portal Access may not send data to the client if the first message in the new connection comes from the server.
Conditions:
- Web application with WebSocket connection
- First data in WebSocket connection is sent from server to client
Impact:
Data is not delivered to the client browser via the WebSocket connection.
Fix:
Now Portal Access can deliver data to the client browser via the WebSocket connection when the first data is sent from the server.
Fixed Versions:
14.1.2.5, 15.1.0.5
884425-1 : Creation of new allowed HTTP URL is not possible
Component: Application Security Manager
Symptoms:
When pressing the 'Create' button on the Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs page, the requested page is not loaded.
Conditions:
A policy with about 5000 or more parameters causes a long loading time, which results in a loading failure.
Impact:
The requested page (New Allowed HTTP URL...) is not loaded.
Workaround:
Use fewer parameters (less than 5000) per policy.
Fixed Versions:
14.1.3.1, 15.1.3
884165-2 : Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG
Links to More Info: BT884165
Component: TMOS
Symptoms:
Frequent config syncs and spamming of logs are occurring on BIG-IP devices in a high availability (HA) configuration.
Conditions:
Datasync CAPTCHA table is re-generated while CAPTCHA is being consumed by users.
Impact:
Syncs to the datasync groups cause the sync status of the devices to fluctuate.
Fixed Versions:
14.1.4.4, 15.1.4.1
883889-1 : Tmm might crash when under memory pressure
Links to More Info: BT883889
Component: Access Policy Manager
Symptoms:
Tmm might crash and restart when under memory pressure
Conditions:
SSL Orchestrator with service chaining (Security policy uses services).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
A condition where high tmm memory utilization results in memory corruption has been resolved.
Fixed Versions:
14.1.4.5, 15.1.5
883853-1 : Bot Defense Profile with staged signatures prevents signature update★
Links to More Info: BT883853
Component: Application Security Manager
Symptoms:
When trying to install a new bot defense signature, the installation fails with the following log message:
com.f5.liveupdate.update.dosbotsignatures.file.Update.applyChanges.pl|INFO|Feb 10 13:22:12.924|7347|F5::Dos::BotSignatures::load_from_xml,,Cannot send updated objects to mcp: 01070265:3: The Bot Defense Signature (/Common/Headless Chromium, Chrome) cannot be deleted because it is in use by a Bot Defense Profile Signature Staging.
Conditions:
-- A Bot Defense Profile has a staged signature.
-- The staged signature points to something that does not exist in the update file.
Impact:
The new file cannot be installed.
Workaround:
Enforce the staged signature.
Fix:
Before deleting the signature, the installation process checks to see whether the signature is staged, and if it is, the process unstages it.
Fixed Versions:
14.1.4.2, 15.1.4
883673-1 : BotDefense JavaScript browser verification can cause low score when using Google Lighthouse tool
Component: Application Security Manager
Symptoms:
Browser Verification JavaScript (type=11) can cause a low score in the Google Lighthouse tool in some cases.
Type=11 appears as the suggestion for 'Reduce JavaScript execution time'.
Conditions:
-- Bot Defense profile is attached to a virtual server, with 'Verify After Access' Browser Verification.
-- Using specific backend server.
-- Using Google Lighthouse tool for performance test.
Impact:
Low performance score on Google Lighthouse tool.
Workaround:
None.
Fix:
Adding bigdb for running the script with 'async' or 'defer'.
Fixed Versions:
14.1.4.5
883577-2 : ACCESS::session irule command does not work in HTTP_RESPONSE event
Links to More Info: BT883577
Component: Access Policy Manager
Symptoms:
When the ACCESS::session iRule command is used in the HTTP_RESPONSE event, APM session creation fails with the following log in /var/log/ltm:
No HTTP data available - command unsupported in event (line XX)session creation failed - Operation not supported (line XX)
Conditions:
Using ACCESS::session create command under HTTP_RESPONSE.
Impact:
Cannot create APM session using the ACCESS::session irule command.
Workaround:
The same irule ACCESS::session can be used under HTTP_REQUEST to create the APM session.
Fixed Versions:
14.1.4.1, 15.1.3
882769-3 : Request Log: wrong filter applied when searching by Response contains or Response does not contain
Links to More Info: BT882769
Component: Application Security Manager
Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed.
Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter
Impact:
You are unable to search by response in the GUI
Workaround:
There is no way to search in GUI, but you can search using REST API
Fix:
Correct filter applied and displayed for Response contains or Response does not contain filters
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.2
882713-1 : BGP SNMP trap has the wrong sysUpTime value
Links to More Info: BT882713
Component: TMOS
Symptoms:
The timestamp value of sysUpTime in SNMP traps reported by BGP is incorrect.
Conditions:
BGP connection with a peer flaps, and sends traps for the following:
bgpSnmpNotifyEstablished
bgpSnmpNotifyBackwardTransition
Impact:
The sysUpTime in the trap generated by BGP is incorrect.
Workaround:
None.
Fix:
Fixed an incorrect calculation of sysUpTime.
Fixed Versions:
14.1.3.1, 15.1.2
882557-4 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
Links to More Info: BT882557
Component: TMOS
Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:
ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.
Impact:
TMM continually restarts.
Workaround:
Use the sock driver instead of virtio.
In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:
# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
Configure a socket driver:
echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl
Reboot the instance
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4
882549-3 : Sock driver does not use multiple queues in unsupported environments
Links to More Info: BT882549
Component: Local Traffic Manager
Symptoms:
In some unsupported environments, the underlying sock driver uses only 1 queue. You can confirm whether it does so by executing the tmctl command to check the rxq column (which shows 0):
tmctl -d blade -i tmm/ndal_rx_stats
You can verify this on the tx side as well.
Conditions:
This occurs in certain unsupported environments.
Note: When you run 'ethtool -l', you can see: 'command not supported'.
Impact:
When multi-q is present, the use of a single queue can impact performance when using the sock driver.
Workaround:
Use other available drivers.
You can check the available drivers by executing the tmctl command:
tmctl -d blade -i tmm/device_probed
Fix:
Fixed an issue with the sock driver.
Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2
882377-1 : ASM Application Security Editor Role User can update/install ASU
Links to More Info: BT882377
Component: Application Security Manager
Symptoms:
Live Update modifications are allowed for Application Security Editor Role.
Conditions:
Login as Application Security Editor user and try to install ASU.
Impact:
The Application Security Editor Role is permitted to update Attack Signatures when it shouldn't be.
Fixed Versions:
14.1.2.5, 15.1.4.1
882273 : MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow
Links to More Info: BT882273
Component: Service Provider
Symptoms:
Memory leak can cause tmm to crash and memory usage to grow.
Conditions:
-- Diameter transmission setting is enabled and action should be retrans.
-- auto-init should be enabled.
-- And server is down.
Impact:
Memory corruption leads to a tmm crash in the long run, and the memory leak makes memory usage grow linearly. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
When the server is down, the BIG-IP system keeps creating new connections to it. The memory leak that occurred in this case has been fixed.
Fixed Versions:
13.1.3.4, 14.1.2.5
882157-2 : One thread of pkcs11d consumes 100% without any traffic.
Links to More Info: BT882157
Component: Local Traffic Manager
Symptoms:
One thread of pkcs11d consumes 100% without any traffic.
Conditions:
-- The BIG-IP system is licensed with NetHSM, and service pkcs11d is running.
-- The MCDP service is restarted.
Impact:
NetHSM configurations and statistics updates are not updated.
Workaround:
Restart the pkcs11d service:
tmsh restart sys service pkcs11d
Fix:
The system now watches for errors and prevents this error from occurring.
Fixed Versions:
14.1.4, 15.1.3
881757-2 : Unnecessary HTML response parsing and response payload is not compressed
Links to More Info: BT881757
Component: Application Security Manager
Symptoms:
When either DoS Application Profile or Bot Defense profiles are used, or a complex LTM policy is used, the Accept-Encoding request header is removed by the BIG-IP system, which causes the backend server to respond with uncompressed payload.
A second effect is that the Bot Defense Profile and L7 DoS profile are always, not conditionally, considered internally as profiles that modify the body, which satisfies the HTTP profile chunking configuration 'sustain' (default mode) and triggers client-side chunking. As a result, a response that is unchunked on the server side is always chunked on the client side when the mode is set to 'sustain'.
Conditions:
One of these options:
-- Bot Defense Profile is associated with the Virtual Server.
-- DoS Profile is associated with the Virtual Server and has Application (L7) enabled.
-- Policy is associated with the Virtual Server and has complex LTM Policy: multiple Policies, or additional rules.
Impact:
-- Response payload sent by the backend server is uncompressed.
-- Performance impact caused by response parsing.
Workaround:
For version 15.1.0 and later, you can use the following workaround:
Disable the option for modification of Referer header:
tmsh modify sys db asm.inject_referrer_hook value false
Note: Using this brings back the impact of ID792341 (see https://cdn.f5.com/product/bugtracker/ID792341.html).
For versions earlier than 15.1.0, there is no workaround.
Fix:
The system no longer removes the Accept-Encoding header and no longer parses response payload if not needed based on configuration.
Fixed Versions:
14.1.4.2, 15.1.1, 16.0.1.2
881085-1 : Intermittent auth failures with remote LDAP auth for BIG-IP management
Links to More Info: BT881085
Component: TMOS
Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.
Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).
Impact:
There might be intermittent remote-auth failures.
Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
880789-1 : ASMConfig Handler undergoes frequent restarts
Links to More Info: BT880789
Component: Application Security Manager
Symptoms:
Under some settings and load, the RPC handler for the botd process restarts frequently, causing unnecessary churn and message-cluttered logs.
Conditions:
-- Bot protection is enabled.
-- A high volume of bot attacks are handled.
Impact:
The RPC handler for the botd process restarts frequently, causing unnecessary churn and noisy logs.
Workaround:
None.
Fix:
The botd handler is now restored to a more robust process lifecycle.
Fixed Versions:
14.1.2.7, 15.1.0.5
880753-1 : Possible issues when using DoSL7 and Bot Defense profile on the same virtual server
Links to More Info: K38157961, BT880753
Component: Application Security Manager
Symptoms:
When DoSL7 and Bot Defense profiles are configured together on the same Virtual Server, some requests might not be handled by the Bot Defense profile.
Conditions:
-- DoSL7 profile is attached to the virtual server (with Application).
-- Bot Defense profile is attached to the virtual server.
-- Another security module is attached to the virtual server (WebSafe, MobileSafe, ASM).
Impact:
Some requests might not be processed by the Bot Defense profile.
Workaround:
Disable dosl7.idle_fast_path:
tmsh modify sys db dosl7.idle_fast_path value disable
Fix:
The mechanism which caused this issue is now correctly enabled.
Fixed Versions:
14.1.2.7, 15.0.1.4, 15.1.1
880625-2 : Check-host-attr enabled in LDAP system-auth creates unusable config
Links to More Info: BT880625
Component: TMOS
Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.
Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.
Impact:
LDAP-based auth does not function.
Workaround:
None.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1
880165-1 : Auto classification signature update fails
Links to More Info: BT880165
Component: TMOS
Symptoms:
During classification update, you get an error:
"Error: Exception caught in script. Check logs (/var/log/hitless_upgrade.log) for details"
An additional diagnostic is that running the command "/usr/bin/crt_cache_path" reports "none".
Conditions:
This is encountered while updating the classification signatures or the protocol inspection updates.
It can occur when something goes wrong during license activation, but license activation ultimately succeeds.
Impact:
When this issue occurs, auto classification signature update will fail.
Workaround:
You may be able to recover by re-activating the BIG-IP license via tmsh.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1
879841-3 : Domain cookie same-site option is missing the "None" as value in GUI and rest
Links to More Info: BT879841
Component: Application Security Manager
Symptoms:
There is no option to add the attribute "SameSite=None" to a domain cookie. The value "None", which appears as an option, does not add the attribute at all when it is used.
Conditions:
You want to have SameSite=none attribute added to a domain cookie.
Impact:
You are unable to set SameSite=None.
Workaround:
Set the SameSite=None cookie value in the application. An iRule could also be added that inserts the cookie. For more information on the iRule, see the following DevCentral article: https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM
Fixed Versions:
14.1.4.5, 15.1.4.1
879829-3 : HA daemon sod cannot bind to ports numbered lower than 1024
Links to More Info: BT879829
Component: TMOS
Symptoms:
If the network high availability (HA) daemon sod is configured to use a port number that is lower than 1024, the binding fails with a permission-denied error. This affects binding to ports on both management and self IP addresses.
Example log messages:
/var/log/ltm
err sod[2922]: 010c003b:3: bind fails on recv_sock_fd addr 1.2.3.4 port 1023 error Permission denied.
notice sod[2992]: 010c0078:5: Not listening for unicast failover packets on address 1.2.3.4 port 1023.
/var/log/auditd/audit.log
type=AVC msg=audit(1578067041.047:17108): avc: denied { net_bind_service } for pid=2922 comm="sod" capability=10 scontext=system_u:system_r:f5sod_t:s0 tcontext=system_u:system_r:f5sod_t:s0 tclass=capability
Conditions:
-- high availability (HA) daemon sod is configured to use a port lower than 1024 for network high availability (HA) operations.
-- Version 13.1.0 or later.
Impact:
A network high availability (HA) connection configured to use a port number lower than 1024 on an affected version does not function.
Workaround:
Change the port number to 1024 or higher.
Note: UDP port 1026 is the default.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
879777 : Retrieve browser cookie from related domain instead of performing another Bot Defense browser verification challenge
Links to More Info: BT879777
Component: Application Security Manager
Symptoms:
After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.
Conditions:
-- Bot Defense profile is enabled
-- "Cross Domain Request":"validate upon request" option is enabled
-- A browser navigates to a qualified (HTML) page from a related domain.
Impact:
Browser receives another JS challenge, instead of retrieving the cookie from the related domain. This causes extra latency for the client.
Workaround:
Use "validate in a bulk" option.
Fix:
Retrieving the cookie from the related domain even if the page is qualified.
Fixed Versions:
14.1.2.8, 15.1.1
879745-1 : TMM may crash while processing Diameter traffic
Links to More Info: K82530456
879413-3 : Statsd fails to start if one or more of its *.info files becomes corrupted
Links to More Info: BT879413
Component: Local Traffic Manager
Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:
-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.
Conditions:
Corrupted *.info file in /var/rrd.
Impact:
Stats are no longer accurate.
Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename>.info is the actual name of the file (e.g., 'throughput.info'):
found=0;while [ $found != 1 ]; do filetype=`file <filename>.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done
Fix:
The system now detects corrupt *.info files and deletes and recreates them.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
879409-2 : TMM core with mirroring traffic due to unexpected interface name length
Links to More Info: BT879409
Component: Local Traffic Manager
Symptoms:
TMM cores.
Conditions:
-- Platform: B4400 Blade (BIG-IP VPR-B4450N).
-- High availability (HA) mirroring is set up.
-- Provisioned modules: LTM, AFM.
-- HA mirroring messages are received with unexpected interface name length.
Impact:
Processing of invalid length can cause memory corruption. The tmm process generates a core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now validates the length of the interface name before processing the HA message at the receiver side and ignores the HA message if the interface name length is wrong.
Fixed Versions:
14.1.3.1, 15.1.1
879401-3 : Memory corruption during APM SAML SSO
Links to More Info: K90423190, BT879401
Component: Access Policy Manager
Symptoms:
During processing of SAML SSO single logout (SLO) requests, a block of tmm memory may become corrupted. You might experience several types of unexpected actions, including a TMM restart and core-file generation.
Conditions:
-- BIG-IP system is configured as SAML SP.
-- External SAML IdP sends SLO request.
Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
BIG-IP systems configured as SAML SP no longer cause memory corruption when handling certain traffic.
Fixed Versions:
14.1.2.5, 15.1.3
879189-3 : Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section
Links to More Info: BT879189
Component: TMOS
Symptoms:
Network map shows error message: One or more profiles are inactive due to unprovisioned modules.
Conditions:
-- ASM provisioned.
-- A profile is attached to a virtual server, but the module supporting the profile is not provisioned.
Impact:
The Network Map shows an error message.
Workaround:
Provision the module that supports the profile.
Fix:
The button text has been modified to be more informative.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
878925-3 : SSL connection mirroring failover at end of TLS handshake
Links to More Info: BT878925
Component: Local Traffic Manager
Symptoms:
In some cases, HTTP requests may fail if system failover occurs immediately after the TLS handshake finishes.
Conditions:
-- System failover to standby device with SSL connection mirroring.
-- Failover occurs immediately after the TLS handshake completes but before the HTTP request.
Impact:
Connection might fail the HTTP request; in some cases, the server may reset HTTP 1.0 requests.
Workaround:
None.
Fix:
System now updates the high availability (HA) state at end of the TLS handshake to prevent this issue if failover occurs at end of the handshake but before client/server data.
Fixed Versions:
14.1.4.1, 15.1.2
877109-3 : Unspecified input can break intended functionality in iHealth proxy
Links to More Info: K04234247
876957-2 : Reboot after tmsh load sys config changes sys FPGA firmware-config value
Links to More Info: BT876957
Component: TMOS
Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.
Chmand reports errors:
chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]
Conditions:
Running either of the following commands:
tmsh load sys config
/etc/init.d/fw_update_post reload
Impact:
Firmware update fails.
Workaround:
Use this procedure:
1. Mount /usr:
mount -o rw,remount /usr
2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload
3. Reload systemctl:
systemctl daemon-reload
4. Reload the file:
/etc/init.d/fw_update_post reload
Fix:
Added the reload option in fw_update_post service file.
Fixed Versions:
14.1.4.1, 15.1.1
876937-1 : DNS Cache not functioning
Links to More Info: BT876937
Component: TMOS
Symptoms:
DNS queries are not being cached on the BIG-IP device.
Conditions:
-- DNS cache is enabled (System :: Configuration : Device : DNS Cache).
-- Device receives DNS queries.
Impact:
DNS queries are forwarded, but the BIG-IP system does not cache them.
Workaround:
None.
Fix:
DNS queries are now cached when DNS Cache is enabled.
Behavior Change:
Full DNS cache functionality has been restored. This results in performance degradation. You might notice it in OCSP performance, when compared to releases in which full DNS cache functionality is not present.
By default, DNS cache is disabled. To recapture performance, enable DNS cache.
Fixed Versions:
14.1.4.3, 15.1.4
876805-1 : Modifying address-list resets the route advertisement on virtual servers.
Links to More Info: BT876805
Component: TMOS
Symptoms:
If you modify an address list associated with a virtual server, any modifications done to virtual addresses are lost when the address list is modified.
This issue has also been shown to cause inconsistent ICMP response behavior when 'selective' mode is used.
Conditions:
This occurs in the following scenario:
-- Create an address list.
-- Assign it to a Virtual Server.
-- Modify some or all virtual addresses.
-- Modify the address list.
Impact:
-- Modifications made to virtual addresses are lost.
-- Possible ICMP response issues when 'selective' mode is used (e.g., responses when all pool members are disabled, or no responses when pool members are enabled).
Workaround:
None
Fix:
Virtual address properties are now preserved when an address list is modified.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
876801-3 : Tmm crash: invalid route type
Links to More Info: BT876801
Component: Local Traffic Manager
Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:
tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **
Conditions:
The issue is intermittent.
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround for this problem, but there is a safe way to add and delete routes without putting the BIG-IP system into a state where it could encounter this issue.
Safe way to add/delete a route:
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.
Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table, and this no longer causes a TMM crash.
Fixed Versions:
13.1.4, 14.1.4, 15.1.2
876581-4 : JavaScript engine file is empty if the original HTML page cached for too long
Links to More Info: BT876581
Component: Fraud Protection Services
Symptoms:
JavaScript engine file is empty.
Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.
Impact:
No FPS protection for that HTML page.
Workaround:
You can use either workaround:
-- Use an iRule to disable caching for protected HTML pages.
-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is 2 days).
Fix:
FPS now also removes ETag headers from protected HTML pages.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
876077-3 : MRF DIAMETER: stale pending retransmission entries may not be cleaned up
Links to More Info: BT876077
Component: Service Provider
Symptoms:
DIAMETER router messages queued for retransmission may not be deleted until the connection closes.
Conditions:
-- Diameter transmission setting is enabled and a DIAMETER message is queued for retransmission.
-- The retransmission for the message is not triggered
Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.
Workaround:
None.
Fix:
Stale pending retransmission entries are cleaned up properly.
Fixed Versions:
14.1.2.5, 15.0.1.4, 15.1.0.5
875401-3 : PEM subscriber lookup can fail for internet side new connections
Links to More Info: BT875401
Component: Policy Enforcement Manager
Symptoms:
PEM subscriber lookup can fail for internet side new connections, as PEM might use the remote address to look up the session, which is not the subscriber.
Conditions:
-- PEM enabled and configured
-- Subscriber session has multiple IPs
-- Each IP lands on a different tmm
Impact:
PEM subscriber lookup can fail on the internet side
Workaround:
No workaround.
Fix:
PEM subscriber lookup now always succeeds for internet side new connections.
Fixed Versions:
14.1.4, 15.1.2.1
874753-1 : Filtering by Bot Categories on Bot Requests Log shows 0 events
Component: Application Security Manager
Symptoms:
A log that has 'Browser Automation' as the 'Bot Category' exists.
When filtering for only Bot Category: Browser Automation, nothing shows up.
Conditions:
-- ASM provisioned.
-- Filtering by Bot Categories on Bot Requests Log
Impact:
Legitimate requests are being blocked, but you cannot filter on the category to narrow down the focus.
Workaround:
None.
Fix:
Filtering by Bot Categories on Bot Requests Log is now fixed on the GUI page.
Fixed Versions:
14.1.2.7, 15.1.0.5
874677 : Traffic Classification auto signature update fails from GUI★
Links to More Info: BT874677
Component: Traffic Classification Engine
Symptoms:
Beginning in BIG-IP software v14.1.0, Traffic Classification auto signature update fails when performed using the GUI.
The system reports an error:
Error: Exception caught in the script. Check logs (/var/log/hitless_upgrade.log) for details.
Conditions:
Performing Traffic Classification auto signature update using the GUI.
Impact:
Fails to update the classification signature automatically.
Workaround:
You can use either of the following:
-- Perform Traffic Classification auto signature update operations from the CLI.
-- Use the GUI to manually update Traffic Classification signatures.
Fix:
Fixed the hitless upgrade script to download the IM packages from the EDSM server for point releases.
Fixed Versions:
14.1.4.3, 15.1.3, 16.0.1.1
873877 : Kernel page allocation failure seen on VIPRION blades★
Links to More Info: BT873877
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file:
warning kernel: : [7673174.106142] swapper/6: page allocation failure: order:2, mode:0x104020
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase this as follows:
-- 64 MB (65536 KB) for B2250 blades.
-- 48 MB (49152 KB) for B4300 blades.
-- 128 MB (131072 KB) for B4450 blades.
You must do this on each blade installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
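The following is an added example, not F5 code: a read-only audit that reports which of the two persistence methods above is in place and whether the persisted value matches the running one, which helps when the workaround later has to be removed. The function names and the sample files in demo() are assumptions; on a blade the inputs would be /etc/sysctl.conf, /config/startup and the content of /proc/sys/vm/min_free_kbytes.

```shell
#!/bin/sh
# Added example (not F5 code): report how the ID 873877 workaround is persisted.
# Function names and the sample files in demo() are assumptions for illustration.

# Values recommended in the workaround text; no value is given for other blades.
recommended_kb() {
    case $1 in
        B2250) echo 65536 ;;
        B4300) echo 49152 ;;
        B4450) echo 131072 ;;
        *)     echo unknown ;;
    esac
}

# Print the last vm.min_free_kbytes value set in FILE, or "none".
# Matches both "vm.min_free_kbytes = N" (/etc/sysctl.conf) and
# "sysctl -w vm.min_free_kbytes=N" (/config/startup); comment lines are skipped.
persisted_kb() {
    [ -r "$1" ] || { echo none; return 0; }
    awk '
        /^[ \t]*#/ { next }
        match($0, /vm\.min_free_kbytes[ \t]*=[ \t]*[0-9]+/) {
            v = substr($0, RSTART, RLENGTH)
            sub(/^[^=]*=[ \t]*/, "", v)
        }
        END { print (v == "" ? "none" : v) }
    ' "$1"
}

# audit_workaround MODEL SYSCTL_CONF STARTUP_FILE RUNTIME_KB
# RUNTIME_KB is the content of /proc/sys/vm/min_free_kbytes on the blade.
audit_workaround() {
    want=$(recommended_kb "$1")
    in_sysctl=$(persisted_kb "$2")
    in_startup=$(persisted_kb "$3")
    runtime=$4

    if [ "$in_sysctl" = none ] && [ "$in_startup" = none ]; then
        status=not-applied
    elif [ "$in_sysctl" != none ] && [ "$in_startup" != none ]; then
        status=both-methods          # two places to clean up later
    else
        persisted=$in_sysctl
        if [ "$persisted" = none ]; then persisted=$in_startup; fi
        if [ "$persisted" != "$runtime" ]; then
            status=not-active        # persisted, but not the running value
        elif [ "$want" != unknown ] && [ "$persisted" != "$want" ]; then
            status=unexpected-value
        else
            status=ok
        fi
    fi
    echo "sysctl.conf=$in_sysctl startup=$in_startup runtime=$runtime status=$status"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed files, shaped like the result of the commands in the procedure.
    printf '%s\n' 'kernel.panic = 10' '' '# Workaround for ID753650' \
        'vm.min_free_kbytes = 131072' > "$d/sysctl.conf"
    : > "$d/startup"
    audit_workaround B4450 "$d/sysctl.conf" "$d/startup" 131072
    rm -rf "$d"
}
demo
```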
Fixed Versions:
14.1.2.5
873617-3 : DataSafe is not available with AWAF license after BIG-IP startup or MCP restart.
Links to More Info: BT873617
Component: Fraud Protection Services
Symptoms:
DataSafe is not available with an AWAF license.
Conditions:
-- AWAF license
-- BIG-IP startup or MCP restart
Impact:
DataSafe is not available.
Workaround:
Reset the license.antifraud.id db variable to its default value:
tmsh modify sys db license.antifraud.id reset-to-default
Fix:
Additional DataSafe license validation during MCP startup after license information is loaded.
Fixed Versions:
14.1.4.6
873545-1 : SSL Orchestrator Configuration GUI freezes after management IP change.
Links to More Info: BT873545
Component: SSL Orchestrator
Symptoms:
Changing the management IP address of the SSL Orchestrator BIG-IP device can result in an unresponsive SSL Orchestrator configuration interface in the TMUI. All other menus continue to work fine.
Conditions:
Change the management IP address of the SSL Orchestrator BIG-IP device.
Impact:
The SSL Orchestrator configuration interface in the TMUI becomes unresponsive and the BIG-IP SSL Orchestrator device administrator is not able to perform SSL Orchestrator management and configuration tasks.
Workaround:
After the SSL Orchestrator BIG-IP device management IP address change, use the following steps to get the SSL Orchestrator user interface to render correctly:
1. Wait for the management IP address change to become effective (that is, the BIG-IP admin/user can log in to the BIG-IP console using the new management IP address).
2. In the BIG-IP terminal run the following commands:
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
3. The SSL Orchestrator UI/topology should become available in approximately 30 - 60 seconds (subject to topology size, etc.)
Fix:
SSL Orchestrator Configuration GUI freezes after management IP change.
Fixed Versions:
14.1.4.5
873249-3 : Switching from fast_merge to slow_merge can result in incorrect tmm stats
Links to More Info: BT873249
Component: Local Traffic Manager
Symptoms:
TMM stats are reported incorrectly. For example, the system may report double the number of running TMMs or an incorrect amount of available memory.
Conditions:
Changing the DB key merged.method from fast_merge to slow_merge.
Impact:
Incorrect reporting for TMM stats.
Workaround:
Remove the file /var/tmstat/cluster/blade0-performance.
These files are roll-ups and will be re-created as necessary.
Fixed Versions:
14.1.4.6
872721-1 : SSL connection mirroring intermittent failure with TLS1.3
Links to More Info: BT872721
Component: Local Traffic Manager
Symptoms:
Intermittent failure of standby connection mirroring TLS1.3 handshake.
Conditions:
TLS1.3 and connection mirroring. More easily reproduces with an ECDSA signature.
Impact:
The standby device fails the TLS handshake while the active device succeeds, so the connection succeeds but is not mirrored.
Fix:
Standby device now uses correct signature size if it differs from active device.
Fixed Versions:
14.1.4.5
872645 : Protected Object Aggregate stats are causing elevated CPU usage
Links to More Info: BT872645
Component: Advanced Firewall Manager
Symptoms:
Due to a large number of tables containing 'Protected Object Aggregate stats', the merged daemon might cause elevated CPU usage on odd-numbered CPU cores.
Conditions:
AFM, ASM, or DoS features are provisioned.
Impact:
Elevated CPU usage on odd-numbered cores caused by merged daemon.
Workaround:
None.
Fix:
Protected Object Aggregate stats no longer cause elevated CPU usage.
Fixed Versions:
14.1.3.1, 15.1.1
871905-1 : Incorrect masking of parameters in event log
Links to More Info: K02705117, BT871905
Component: Application Security Manager
Symptoms:
When using CSRF protection, sensitive parameter values can be masked incorrectly in the event log.
Conditions:
The request contains a CSRF token and sensitive parameters.
Impact:
Sensitive parameter values can be masked incorrectly in the event log.
Workaround:
None.
Fix:
Sensitive parameter values are now correctly masked in the event log when the request contains a CSRF token.
Fixed Versions:
14.1.2.5, 15.0.1.4, 15.1.0.5
871881-1 : Apply Policy action is not synchronized after making bulk signature changes
Links to More Info: BT871881
Component: Application Security Manager
Symptoms:
After an action that affects thousands of objects, a subsequent Apply Policy may be missed by a peer.
Conditions:
-- Devices are in an auto-sync device group with ASM sync enabled.
-- A bulk action that affects thousands of objects is performed (e.g., enforcing or disabling all signatures).
-- An Apply Policy action is taken immediately afterwards.
Impact:
Peer devices that are still busy processing the large request miss the Apply Policy action, and it is never sent again.
Workaround:
Make a spurious change and reapply the policy.
Fixed Versions:
14.1.4.6
871761-4 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
Links to More Info: BT871761
Component: Access Policy Manager
Symptoms:
APM virtual server user's GUI (e.g., 'Logon page') cannot be rendered by browsers.
Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.
Impact:
APM end users are unable to get a logon page.
Workaround:
Disable the XML profile for the APM virtual server.
Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
871657-2 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
Links to More Info: BT871657
Component: TMOS
Symptoms:
Mcpd restarts and produces a core file.
Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.
Impact:
Mcpd crash and restart results in high availability (HA) failover.
Workaround:
Use a lowercase 'a' or 's' as the flag value.
Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
871561-3 : Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'★
Links to More Info: BT871561
Component: TMOS
Symptoms:
Software upgrades to an Engineering Hotfix on a vCMP guest might fail with one of the following messages:
failed (Software compatibility tests failed.)
failed (The requested product/version/build is not in the media.)
The failed installation is also indicated by log messages in /var/log/ltm similar to:
-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)
-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (The requested product/version/build is not in the media.)
Conditions:
This may occur when performing a software upgrade to an engineering hotfix on a vCMP guest running affected versions of BIG-IP software, when the software images are present on the vCMP host.
This can be accomplished by running the following command from the vCMP guest console:
tmsh install sys software block-device-hotfix <hotfix-image-name> volume <volume.name>
Impact:
Unable to perform software installations on vCMP guests using installation media located on the vCMP host.
Workaround:
Option 1:
===========
Make sure that the .iso files for both base image and engineering hotfix are copied to the vCMP guest (under /shared/images) before starting the installation. If installing the software from the command line, use syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 2:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. You can restart the vCMP guest and perform a hotfix installation on top of already installed base image, using syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 3:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is a copy of the engineering hotfix image locally within the vCMP Guest.
Then restart the lind service on the vCMP Guest:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
The hotfix installation should begin again, this time using the hotfix from within the /shared/images/ location on the vCMP Guest.
Option 4:
===========
Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind. On the vCMP Guest:
1. Confirm the wrong ISO image is still locked (inserted in the CD drive):
isoinfo -d -i /dev/cdrom
Note: Pay attention to the volume ID in the output from within the vCMP guest.
2. Unlock (eject) the image:
eject -r -F /dev/cdrom && vcmphc_tool -e
3. Verify the CD drive is now empty:
isoinfo -d -i /dev/cdrom
The output should report an error that includes:
<...> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…>
4. Restart lind:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all vCMP Guest slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
Fix:
Software upgrades on a vCMP guest complete successfully even when the software images are present on the vCMP hypervisor.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1
870957-1 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
Component: Application Visibility and Reporting
Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.
Conditions:
No special conditions other than viewing the TMM CPU stats in 'Security ›› Reporting : ASM Resources : CPU Utilization'. The stats are always shown in the wrong scale; when the TMM has ~1% CPU usage, it is presented as 100% CPU usage.
Impact:
The wrong scale is presented, which might cause the machine's state to be misinterpreted.
Workaround:
1. Back up the /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
$ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
Make sure that two lines are modified, and that the modification multiplies the denominator by 100 (i.e., effectively divides the TMM value by 100).
4. To make those changes take effect, run the following command:
$ bigstart restart monpd
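The sed expression in step 2 still matches a line that has already been changed, so running it a second time appends a second *100. The following added example (not F5 code) wraps steps 1 to 3 so the substitution is applied at most once and the number of changed lines is reported; the function names and the sample file content are assumptions, and the real monp_asm_cpu_info_measures.cfg differs.

```shell
#!/bin/sh
# Added example (not F5 code): apply the ID 870957 substitution at most once.
# Function names and the sample file content are assumptions for illustration.

EXPR='tmm_avg_cpu_util)/(count(distinct time_stamp)'

# Lines containing the expression without the *100 factor yet.
count_unpatched() {
    grep -F "$EXPR" "$1" | grep -vcF "${EXPR}*100" || true
}

# Lines where the factor was appended twice (unguarded sed run a second time).
count_double_patched() {
    grep -cF "${EXPR}*100*100" "$1" || true
}

# Back up FILE to FILE.bak, patch only unpatched lines, and print the number
# of changed lines. Prints 0 and touches nothing if there is nothing to patch.
apply_workaround() {
    cfg=$1
    if [ "$(count_unpatched "$cfg")" -eq 0 ]; then
        echo 0
        return 0
    fi
    cp -p "$cfg" "$cfg.bak" || return 1
    # The address skips lines that already carry *100; & is the matched text.
    sed '/tmm_avg_cpu_util)\/(count(distinct time_stamp)\*100/!s|tmm_avg_cpu_util)/(count(distinct time_stamp)|&*100|g' \
        "$cfg.bak" > "$cfg" || return 1
    diff "$cfg.bak" "$cfg" | grep -c '^>' || true
}

# Constructed stand-in for monp_asm_cpu_info_measures.cfg; the real file differs.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample
tmm_cpu=sum(tmm_avg_cpu_util)/(count(distinct time_stamp))
tmm_cpu_peak=max(tmm_avg_cpu_util)/(count(distinct time_stamp))
other_cpu=sum(other_avg_cpu_util)/(count(distinct time_stamp))
EOF
}

demo() {
    f=$(mktemp) || return 1
    make_sample "$f"
    echo "first run changed $(apply_workaround "$f") line(s)"
    echo "second run changed $(apply_workaround "$f") line(s)"
    echo "double-patched lines: $(count_double_patched "$f")"
    rm -f "$f" "$f.bak"
}
demo
```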
Fix:
The TMM value is now divided by 100 to fit the correct scale.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
870389-1 : Increase size of /var logical volume to 1.5 GiB for LTM-only VE images
Links to More Info: BT870389
Component: TMOS
Symptoms:
The /var logical volume size of 950 MiB for LTM-only BIG-IP Virtual Edition (VE) images may be too small for some deployments. This can result in loss of SSH access.
Conditions:
This applies to deployments that use declarative onboarding for configuration.
Impact:
Complex declarative onboarding configurations may fill the /var logical volume. You are locked out because of the too-small volume.
Workaround:
The workaround is to manually extend the /var logical volume.
For more information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952.
Fix:
The size of the /var logical volume was increased from 950 MiB to 1.5 GiB for LTM-only VE images.
Behavior Change:
The size of the /var logical volume was increased from 950MiB to 1.5GiB for LTM-only Virtual Edition images.
Fixed Versions:
14.1.2.5, 15.1.0.2
870385-3 : TMM may restart under very heavy traffic load
Links to More Info: BT870385
Component: Advanced Firewall Manager
Symptoms:
TMM occasionally restarts when running heavy workloads. The crash is a timing-related issue between different tmm threads, and thus happens only occasionally.
Conditions:
-- AFM is provisioned with DoS functionality.
-- The BIG-IP system is under heavy workload.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer restarts under these conditions.
Fixed Versions:
14.1.2.8, 15.1.2.1
869049-2 : Charts discrepancy in AVR reports
Links to More Info: BT869049
Component: Application Visibility and Reporting
Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.
Conditions:
-- Number of records in the database exceeds the maximum amount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).
Impact:
Stats in the DB become corrupted and incorrect.
Workaround:
None.
Fix:
The aggregation stored procedure is now fixed.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
868889 : BIG-IP may reset a stream with an empty DATA frame as END_STREAM
Links to More Info: BT868889
Component: Local Traffic Manager
Symptoms:
HTTP/2 defines the END_STREAM flag in a frame as the end of a stream. A peer can send an empty DATA frame (with no payload) to designate the last frame in a stream. When BIG-IP receives an empty DATA frame, it handles it incorrectly, sending RST_STREAM to the client.
Conditions:
-- The BIG-IP system has a virtual server configured with an HTTP/2 profile on the client side.
-- The client sends a request containing a payload over a stream, ending the stream with an empty DATA frame.
Impact:
The BIG-IP system may reset the stream.
Workaround:
A client should resend the request handling more data.
Fix:
When an empty DATA frame with the END_STREAM flag is handled by the BIG-IP system, it terminates the stream accordingly.
Fixed Versions:
14.1.2.5
868781-2 : TMM crashes while processing MRF traffic
Links to More Info: BT868781
Component: Service Provider
Symptoms:
A TMM panic occurs when processing overflows the MPI messages due to an incorrectly calculated master key length:
../dev/mpi/mpi_mem.c:1129: Assertion "tail not past head" failed.
Conditions:
-- Message Routing Framework (MRF) traffic of type Diameter and SIP.
-- Auto-initialization enabled on peer, but can happen without auto-initialization enabled, just at a less-predictable rate.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM crash no longer occurs under these conditions.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.1
868721-3 : Transactions are held for a long time on specific server related conditions
Links to More Info: BT868721
Component: Application Security Manager
Symptoms:
Long request buffers are kept around for a long time in bd.
Conditions:
-- The answer_100_continue internal parameter is turned off (non-default) or the version is earlier than 15.1.
-- The server closes the connection while request packets are accumulated.
Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.
Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.
Fix:
Add a check for this scenario so transactions will be released correctly.
Fixed Versions:
14.1.2.7, 15.1.0.5
868641-1 : Possible TMM crash when disabling bot profile for the entire connection
Links to More Info: BT868641
Component: Application Security Manager
Symptoms:
When an iRule is used to disable the bot profile, and the profile becomes disabled (for the entire connection) during a CAPTCHA challenge, TMM crashes.
Conditions:
-- Bot Defense profile is attached to the Virtual Server, with a CAPTCHA mitigation.
-- An iRule is attached to the virtual server, which disables bot profile.
-- Sending a request that is responded to with a CAPTCHA, then sending (in the same connection) a request that disables the bot profile, and then answering the CAPTCHA.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
When using an iRule to disable bot defense profile on certain conditions, add an "else" clause for re-enabling the profile, taking note that all ::disable iRule commands are effective for the entire connection, and not just the transaction.
Fix:
TMM no longer crashes when disabling bot defense profile for the entire connection.
Fixed Versions:
14.1.2.7, 15.1.1
868557-3 : Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity.
Component: Access Policy Manager
Symptoms:
If the management network is not directly connected to the internet, 'Download Now' action on 'Access ›› Secure Web Gateway : Database Settings : Database Download' fails the connectivity check and refuses to start database download.
Conditions:
-- Configure proxy in the same subnet and block BIG-IP management traffic on the gateway
-- Remove default routes from the Linux routing table and add a route to the proxy server if necessary.
Impact:
Database download fails and you see an error message:
"Database download server (download.websense.com) could not be reached. Please verify the correctness of the DNS lookup server configured on this BIG-IP system."
Workaround:
-- Run the following tmsh command:
tmsh modify sys url-db download-schedule urldb download-now true
-or-
-- Configure download settings and wait until the scheduled database download.
Fixed Versions:
14.1.4.6
868381-3 : MRF DIAMETER: Retransmission queue unable to delete stale entries
Links to More Info: BT868381
Component: Service Provider
Symptoms:
DIAMETER messages queued for retransmission that do not receive answer responses may be missed by the sweeper logic and not be deleted until the connection closes.
Conditions:
-- A DIAMETER message is queued for retransmission without a timeout to trigger retransmission.
-- No answer response is received.
Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.
Workaround:
None.
Fix:
The retransmission queue has been fixed so all stale messages are deleted as expected.
Fixed Versions:
14.1.2.5, 15.0.1.4, 15.1.0.5
868209-1 : Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection
Links to More Info: BT868209
Component: Local Traffic Manager
Symptoms:
When BIG-IP is configured with a transparent vlan-group, and traffic matches a standard or fastl4 virtual server but does not have a destination MAC address that belongs to BIG-IP, the traffic is L2 forwarded and pool member selection does not happen.
This defect will also cause active FTP data connections over vlan-group to fail.
Conditions:
All conditions must be met:
- Traffic over transparent vlan-group.
- Standard or fastl4 virtual-server.
- Traffic has a destination MAC address that does not belong to BIG-IP.
OR
- Standard virtual server with FTP profile is configured.
- Active FTP session is in use.
- Traffic flows over vlan-group.
Impact:
Server-side connections will fail.
Workaround:
Use opaque vlan-group instead.
OR
Disable the db variable connection.vgl2transparent (15.0+).
Fixed Versions:
14.1.4, 15.1.2.1
868053-1 : Live Update service indicates update available when the latest update was already installed
Links to More Info: BT868053
Component: Application Security Manager
Symptoms:
When downloading and installing the latest ASU file manually, the Live Update indicator located at the top left of the screen still indicates that there is a new update available.
Conditions:
-- The Live Update scheduler is not in auto mode (System :: Software Management :: Live Update :: Installation of Automatically Downloaded Updates = Disabled).
-- Upload and update the latest ASU file manually.
Impact:
The Live Update indicator continues to indicate that a new update is available even though the latest file was installed.
Workaround:
None.
Fix:
The Live Update service no longer displays a false message regarding updates available.
Fixed Versions:
14.1.3.1, 15.1.3
867825-2 : Export/Import on a parent policy leaves children in an inconsistent state
Links to More Info: BT867825
Component: Application Security Manager
Symptoms:
When overwriting a parent policy with import/replace, elements from the parent policy that were deleted remain in the child policies.
Conditions:
-- A parent policy exists with a child policy that inherits a section in which new configuration elements can be created in the parent policy (like IP address exceptions).
-- An element is deleted from the parent policy, and then the parent policy is exported.
-- The parent policy is then imported to replace a parent policy on a different device to perform the same changes on its children.
Impact:
The children on the different devices are left unexpectedly in different states.
Fix:
Import/Replace for a parent policy for sections that remain inherited will now delete elements that were removed from the parent policy instead of disinheriting them.
Fixed Versions:
14.1.4.4, 15.1.4
867793-3 : BIG-IP sending the wrong trap code for BGP peer state
Links to More Info: BT867793
Component: TMOS
Symptoms:
When a BGP peer is going down, the BIG-IP system sends the wrong 'bgpPeerState: 6(established)' with its SNMP trap.
Conditions:
-- The BIG-IP system is connected with a Cisco router to verify the traps.
-- BGP peer between the BIG-IP system and the Cisco router is going down.
-- Both devices release an SNMP trap.
Impact:
The BIG-IP system sends the wrong code with its SNMP trap. It should be 'bgpPeerState: idle(1)' when the peer is not connected.
Workaround:
None.
Fix:
BIG-IP now sends the correct trap code for BGP peer state.
Behavior Change:
The bgpPeerState for bgpBackwardTransNotification now reports the state after the state machine transition, i.e., the state into which the system is transitioning. In earlier releases, it reported the state prior to the state machine transition, which would always report idle because all backwards state transitions are into idle.
Fixed Versions:
14.1.4, 15.1.2.1
867413-2 : The allow-only-in-enterprise LAN feature on Mac OS not working after reboot
Links to More Info: BT867413
Component: Access Policy Manager
Symptoms:
The firewall feature on Mac devices does not work after reboot if the device connects to a hotspot network immediately after reboot.
Conditions:
-- End user client is using a Mac device.
-- Edge Client is in 'Always Connected' mode.
-- allow-only-in-enterprise LAN is enabled.
-- The Mac device is rebooted.
Impact:
The device is able to connect to the Internet after reboot, but not to the internal network.
Workaround:
None.
Fix:
The allow-only-in-enterprise LAN feature now works correctly on a Mac device after a reboot.
Fixed Versions:
14.1.2.4
867373-2 : Methods Missing From ASM Policy
Links to More Info: BT867373
Component: Application Security Manager
Symptoms:
If the ASM http-methods are missing from the MCP configuration, importing an XML ASM policy creates a policy that has no allowed methods and will block all traffic.
Conditions:
-- BIG-IP system configuration is loaded without the required asm_base.conf.
-- An XML ASM policy is loaded.
Impact:
All traffic is blocked for the policy.
Workaround:
Recreate the required methods (GET, POST, etc.) in the policy.
Fix:
Lack of defined ASM http-methods in MCP no longer affects policy loading.
Fixed Versions:
14.1.4, 15.1.3
867181-3 : ixlv: double tagging is not working
Links to More Info: BT867181
Component: TMOS
Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).
Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.
Impact:
The BIG-IP's VLAN tag is lost.
Fix:
Both VLAN tags are now present in packets.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
867013-1 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
Links to More Info: BT867013
Component: TMOS
Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.
Conditions:
This can be encountered when there are a large number of policies configured in ASM.
Impact:
Unable to associate new ASM policies to LTM policies, due to REST timeout.
Workaround:
None.
Fix:
Modified REST query to get only fullPath to display the list of policies, so the timeout no longer occurs.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.1
866925-3 : The TMM pages used and available can be viewed in the F5 system stats MIB
Links to More Info: BT866925
Component: TMOS
Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.
Conditions:
When system resource decisions are being made, the information about memory usage is important.
Impact:
It is not feasible to query each BIG-IP device separately.
Workaround:
None.
Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
866685-3 : Empty HSTS headers when HSTS mode for HTTP profile is disabled
Links to More Info: BT866685
Component: Access Policy Manager
Symptoms:
HTTP Strict-Transport-Security (HSTS) headers have an empty value for some APM Access Policy-generated responses.
Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS mode=disabled (which it is by default).
-- HTTP requests for APM renderer content, including CSS, JS, and image files from the webtop.
Impact:
Some audit scanners can consider the empty value of Strict-Transport-Security headers as a vulnerability. For browsers, the empty HSTS value equals no HSTS in response.
Workaround:
1. Enable HSTS mode for the HTTP profile.
2. Use an iRule to remove the empty HSTS header from responses:
when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header value "Strict-Transport-Security"] eq "" } {
        HTTP::header remove "Strict-Transport-Security"
    }
}
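To confirm whether APM renderer responses still carry the empty header before and after applying a workaround, the check the iRule performs can be reproduced against captured response headers. This is an added example, not F5 code; the function names and the sample responses in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not F5 code): classify the Strict-Transport-Security header of
# one HTTP response read from stdin. Names and samples are assumptions.
# Prints: absent | empty | present:<value>
classify_hsts() {
    awk '
        BEGIN { state = "absent" }
        { sub(/\r$/, "") }                    # tolerate CRLF line endings
        /^$/ { exit }                         # end of headers; ignore the body
        {
            i = index($0, ":")
            if (i == 0) next                  # status line or malformed line
            if (tolower(substr($0, 1, i - 1)) != "strict-transport-security") next
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)  # whitespace-only counts as empty
            if (val != "") state = "present:" val
            else if (state == "absent") state = "empty"
        }
        END { print state }
    '
}

# Print one line per captured response file; return 1 if any of them carries
# an empty HSTS header (the condition described in this issue).
audit_captures() {
    rc=0
    for f in "$@"; do
        s=$(classify_hsts < "$f")
        echo "$f: $s"
        if [ "$s" = empty ]; then rc=1; fi
    done
    return $rc
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed responses: a webtop CSS file with the empty header, and a
    # response with a populated header for comparison.
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nStrict-Transport-Security: \r\n\r\nbody{}' > "$d/webtop.css.hdr"
    printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=16070400\r\n\r\n' > "$d/hsts-enabled.hdr"
    audit_captures "$d/webtop.css.hdr" "$d/hsts-enabled.hdr" || echo "empty HSTS header found"
    rm -rf "$d"
}
demo
```

Against a live virtual server, the headers can be fed in from `curl -sk -D - -o /dev/null https://<virtual-server>/<resource> | classify_hsts`, where the host and resource are placeholders.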
Fix:
When the HTTP profile is configured with HSTS mode=disabled, responses from APM renderer content are now sent without an HSTS header.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
866613-1 : Missing MaxMemory Attribute
Links to More Info: BT866613
Component: Application Visibility and Reporting
Symptoms:
The MaxMemory Attribute is not reported in the System Monitor statistics report.
Conditions:
This is encountered when viewing the System Monitor report.
Impact:
No 'MaxMemory' value label appears in System Monitor statistics. Instead, there are duplicate AvgMemory fields, for example:
...(AvgMemory='3818',AvgMemory='3818').
Workaround:
Use the AvgMemory value that is the higher of the two to represent MaxMemory.
Note: Sometimes, the AvgMemory and MaxMemory values are the same. In that case, use the second value.
Fix:
The MaxMemory attribute is now reported in System Monitor statistics.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1
866161-3 : Client port reuse causes RST when the security service attempts server connection reuse.
Links to More Info: BT866161
Component: Access Policy Manager
Symptoms:
If the security service attempts server connection reuse, client port reuse causes RST on new connections.
Conditions:
-- Service profile is attached to virtual server.
or
-- SSL Orchestrator (SSLO) is licensed and provisioned and Service chain is added in the security policy.
-- Security service reuses server-side connection.
-- Client reuses the source port.
Impact:
The BIG-IP system or SSLO rejects new connection from clients when a client reuses the port.
Workaround:
None.
Fix:
The BIG-IP system or SSLO no longer rejects the client connection when the service tries to reuse the server connection and the client reuses the port.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
866109-1 : JWK keys frequency does not support fewer than 60 minutes
Links to More Info: BT866109
Component: Access Policy Manager
Symptoms:
When configuring the OAuth provider and trying to set the task frequency to fewer than 60 minutes, the BIG-IP reports an error:
01b70003:3: Discovery interval (10) for OAuth provider must be greater than (60) minutes.
Conditions:
This occurs when configuring the frequency interval of an OAuth provider to a value lower than 60 minutes.
Impact:
You are unable to create a provider with a frequency interval of fewer than 60 minutes.
Workaround:
Use a value of 60 minutes or higher.
Fix:
Auto discovery frequency now supports values lower than 60 minutes.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4
866073-1 : Add option to exclude stats collection in qkview to avoid very large data files
Links to More Info: BT866073
Component: TMOS
Symptoms:
Statistics collection may cause qkview files to be too large for the iHealth service to parse, or may cause memory allocation errors:
qkview: tmstat_map_file: mmap: Cannot allocate memory
qkview: tmstat_subscribe: /var/tmstat/blade/tmm5: Cannot allocate memory at 0xa08a938
Conditions:
Qkview is executed on an appliance or chassis that has a very large configuration.
Impact:
Qkview files may not be able to be parsed by the iHealth service.
Also, memory allocation error messages may be displayed when generating qkview.
Workaround:
None.
Fix:
Qkview now has a -x option that can be used to exclude statistics collection in the stat_module.xml file.
Behavior Change:
Qkview now has a -x option that can be used to exclude statistics collection.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
866021-3 : Diameter Mirror connection lost on the standby due to "process ingress error"
Links to More Info: BT866021
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.
Conditions:
This can happen when there is a large amount of mirror traffic. This includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization, such as persistence information, message state, etc.
Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.
Fix:
Diameter mirror connections are no longer lost due to "process ingress error" when there is high mirror traffic.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
865461-3 : BD crash on specific scenario
Links to More Info: BT865461
Component: Application Security Manager
Symptoms:
BD crashes in a specific scenario.
Conditions:
A brute force attack mitigation using captcha or client side challenge.
Impact:
BD crash, failover.
Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.
Fixed Versions:
14.1.2.7, 15.1.0.5
865241-3 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
Links to More Info: BT865241
Component: TMOS
Symptoms:
When BGP tries to print the address of the default route's peer and there is no matching IPv4 or IPv6 address, the system returns NULL, and attempting to print it results in a crash.
Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.
The conditions that cause this to occur are unknown.
Impact:
Bgpd crashes. Routing may be affected while bgpd restarts.
Workaround:
None.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
865177-2 : Cert-LDAP returning only first entry in the sequence that matches san-other oid
Links to More Info: BT865177
Component: TMOS
Symptoms:
Certificate-ldap only returns the first matching oid from the certificate file even though multiple matching san-other entries exist.
Conditions:
The Certificate-ldap attribute ssl-cname-field is set to san-other, and the certificate has multiple san-other oids.
Impact:
Only the first matching oid is returned.
Fixed Versions:
14.1.3.1, 15.1.2.1, 16.0.1.1
865053-1 : AVRD core due to an attempt to load vip lookup when AVRD is down
Links to More Info: BT865053
Component: Application Visibility and Reporting
Symptoms:
AVRD cores during startup.
Conditions:
Avrd receives a SIGTERM while it is starting.
Impact:
This can lead to an AVRD core.
Fix:
Added more checks while loading a new configuration. This is expected to reduce the frequency of these occurrences, although the issue can still happen on very rare occasions.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
864797-1 : Cached results for a record are sent following region modification
Links to More Info: BT864797
Component: Global Traffic Manager (DNS)
Symptoms:
Changing the contents of a topology region record may result in DNS queries temporarily being directed as if the change had not happened for queries from the IP address of the last end user client to use topology load balancing.
Conditions:
-- A client at a single IP address makes multiple queries that are load balanced using topology, both before and after a change to a topology region record, where that change also modifies the result the single client receives.
-- If a query from a different client IP address is received and load balanced using topology, then the issue is corrected until the next change to a topology region record.
Impact:
After changing the contents of a topology region record, the last end user client to send a query before the change may receive the wrong load balancing decision if the change affected that decision. Queries from other end user clients are load balanced correctly and cause the issue to go away until the next topology region record change.
Workaround:
This issue can be temporarily corrected by sending a DNS query that is load balanced using topology after making changes to region records.
Fix:
The system now handles region item changes as expected, so this issue no longer occurs.
Fixed Versions:
14.1.4.4, 15.1.4
864757-2 : Traps that were disabled are enabled after configuration save
Links to More Info: BT864757
Component: TMOS
Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.
Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.
Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
864677-3 : ASM causes high mcpd CPU usage
Links to More Info: BT864677
Component: Application Security Manager
Symptoms:
-- CPU utilization is high on the odd-numbered cores.
-- Messages appear at 60-second intervals in /var/log/ts/asm_start.log:
update_GTM_score
Conditions:
-- One or more virtual servers have FTP/SMTP/WEBSEC profiles attached.
-- ASM is configured.
Impact:
Elevated CPU usage.
Workaround:
-- On the BIG-IP system, edit the file /etc/ts/tools/nwd.cfg to change the value EnforcerCpuReportTimeInterval from 60 to a higher value, e.g., 3600 for once an hour, or even larger.
-- Restart ASM:
bigstart restart asm
Fix:
This issue has been resolved so that CPU usage is no longer elevated under these conditions.
Fixed Versions:
14.1.4, 15.1.3
864513-3 : ASM policies may not load after upgrading to 14.x or later from a previous major version★
Links to More Info: K48234609, BT864513
Component: TMOS
Symptoms:
ASM policies may not load immediately after upgrade due to SELinux policy issues relating to the upgrade process.
Conditions:
1. ASM is provisioned.
2. One or more ASM Security Policies is attached to one or more virtual servers.
3. Upgrade from v12.x or v13.x to v14.x or later.
Impact:
Traffic is not processed properly after upgrade due to failure to load ASM policies.
Workaround:
You can use either of the following workarounds.
-- Remove ASM Policies while upgrading:
1. Prior to upgrade, remove all ASM Security Policies from all virtual servers.
2. Upgrade.
3. Reassociate each ASM Security Policy with its original virtual server.
-- Restore the UCS on a new boot location after upgrade:
1. Prior to upgrade, create a UCS.
2. Upgrade or create a new instance of the software version at the target location.
3. Restore the UCS at the new location.
Fix:
ASM policies now load as expected after upgrading to 14.x or later from a previous major version.
Fixed Versions:
14.1.2.7, 15.1.1
864329-1 : Client port reuse causes RST when the backend server-side connection is open
Links to More Info: BT864329
Component: SSL Orchestrator
Symptoms:
The BIG-IP system or SSL Orchestrator does not close server-side connections when the security service closes the connection with the BIG-IP or SSL Orchestrator. So if the client reuses the port, SSL Orchestrator rejects new connections by sending RST.
Conditions:
-- Service profile is attached to virtual server.
or
-- SSL Orchestrator is licensed and provisioned and Service chain is added in the security policy.
-- Security service closes the server-side connection with SSL Orchestrator.
-- Client reuses the source port.
Impact:
The BIG-IP system or SSL Orchestrator rejects new connections from clients when a client reuses the port.
Workaround:
None.
Fix:
The BIG-IP system or SSL Orchestrator no longer rejects the client connection when the client reuses the port.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
863917-3 : The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.
Links to More Info: BT863917
Component: Global Traffic Manager (DNS)
Symptoms:
Messages similar to the following may be seen in the DNS (GTM) logs:
The list processing time (32 seconds) exceeded the interval value. There may be too many monitor instances configured with a 30 second interval.
This message was introduced in 15.0.0 as an aid to help identify overloaded DNS (GTM) systems, but it triggers too easily and can be logged when the device is not overloaded.
Conditions:
-- DNS (GTM) servers are present.
-- Virtual servers are configured on those DNS (GTM) servers.
-- A monitor is applied to the DNS (GTM) server.
Impact:
Messages are logged that imply the system is overloaded when it is not.
Workaround:
Create a log filter to suppress the messages:
sys log-config filter gtm-warn {
    level warn
    message-id 011ae116
    source gtmd
}
Fixed Versions:
13.1.4.1, 14.1.4.5, 15.1.3, 16.0.1.2
863609-2 : Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies
Links to More Info: BT863609
Component: Application Security Manager
Symptoms:
After changing a parent policy's learning mode or other learning attributes in policy-builder settings, deploying the policy will result in differences in the child policies.
Conditions:
On BIG-IP and BIG-IQ:
1. Parent policy has a policy-building section that is inherited.
2. Child policy has wildcard default (*) elements such as URLs.
On BIG-IQ:
3. Change parent learning mode from manual to disabled or vice versa.
4. Deploy changes.
Impact:
There are differences after deploy.
Workaround:
Discover and deploy again from BIG-IQ.
Fix:
Changes are deployed from BIG-IQ without causing unexpected changes.
Fixed Versions:
14.1.2.7, 15.1.0.5
863161-3 : Scheduled reports are sent via TLS even if configured as non encrypted
Links to More Info: BT863161
Component: Application Visibility and Reporting
Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.
Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.
Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.
Fix:
The automatic TLS connection was introduced via an update of the phpmailer module. The current fix disables the automatic behaviour so that encryption is used according to the BIG-IP configuration.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
863069-3 : Avrmail timeout is too small
Links to More Info: BT863069
Component: Application Visibility and Reporting
Symptoms:
AVR report mailer times out prematurely and reports errors:
AVRExpMail|ERROR|2019-11-26 21:01:08 ECT|avrmail.php:325| PHPMailer exception while trying to send the report: SMTP Error: data not accepted.
Conditions:
Reports are configured to be sent by e-mail.
Impact:
The SMTP server returns an error response, and the report is not sent.
Workaround:
Increase the timeout in avrmail.php via bash commands.
Fix:
The timeout was increased in avrmail.php
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
862937-2 : Running cpcfg after first boot can result in daemons stuck in restart loop★
Links to More Info: BT862937
Component: TMOS
Symptoms:
After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files.
Conditions:
Running cpcfg on a volume that has already been booted into.
Impact:
Services do not come up.
Workaround:
In the bash shell, force SELinux to relabel at boot time. Then reboot:
# touch /.autorelabel
# reboot
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
862885-1 : Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error
Links to More Info: BT862885
Component: Local Traffic Manager
Symptoms:
A configuration with a virtual server-to-virtual server flow established, for example by the 'virtual' iRule command, and using a TCP stack with 'Tail Loss Probe' enabled, might encounter a race between the delayed ACK and the tail loss probe, which can lead to a tmm_panic or an OOPs message:
no trailing data.
Conditions:
-- Virtual server-to-virtual server flow established.
-- TCP profile with 'Tail Loss Probe' enabled.
-- Certain timing related traffic scenario.
Impact:
TMM generates a core and reports an OOPs message:
no trailing data.
Workaround:
Do not use a TCP stack with 'Tail Loss Probe' enabled in conjunction with a virtual server-to-virtual server flow configuration.
Fix:
Virtual server-to-virtual server with 'Tail Loss Probe' enabled can now be used without error.
Fixed Versions:
14.1.4.5, 15.1.4.1
862597-5 : Improve MPTCP's SYN/ACK retransmission handling
Links to More Info: BT862597
Component: Local Traffic Manager
Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.
Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP option in the TCP profile.
Fix:
MPTCP's SYN/ACK retransmission handling is improved.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.0.2
860881-1 : TMM can crash when handling a compressed response from HTTP server
Links to More Info: BT860881
Component: Local Traffic Manager
Symptoms:
TMM crashes while handling an HTTP response.
Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable compression on the server.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
860617-2 : Radius server pool without attaching the load balancing algorithm will result in a core
Links to More Info: BT860617
Component: Access Policy Manager
Symptoms:
Tmm crashes after configuring a radius server pool.
Conditions:
-- Radius server pool exists
-- Radius server pool does not have a designated load balancing algorithm.
Impact:
TMM will core while radius accounting stops. Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
The pool selection counter is now incremented and the message is freed.
Fixed Versions:
14.1.4.5, 15.1.4.1
860517-3 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
Links to More Info: BT860517
Component: TMOS
Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.
As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms).
Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.
Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.
Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.
Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1
860349-1 : Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication
Links to More Info: BT860349
Component: TMOS
Symptoms:
After upgrading BIG-IP to 14.1, LDAP/AD remote authentication fails.
/var/log/secure shows:
/secure:
Dec 6 15:27:44 hostname err httpd[9402]: pam_ldap(httpd:auth): error opening connection to nslcd: No such file or directory
Dec 6 15:27:44 hostname notice httpd[9402]: pam_ldap(httpd:auth): auth server unavailable, trying fallback
Dec 6 15:27:44 hostname warning httpd[9402]: pam_unix(httpd:auth): check pass; user unknown
Dec 6 15:27:44 hostname notice httpd[9402]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.227.145
/var/log/daemon.log shows:
/daemon:
Dec 6 15:29:40 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:29:40 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:29:40 hostname warning systemd[1]: nslcd.service failed.
Dec 6 15:35:47 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:35:47 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:35:47 hostname warning systemd[1]: nslcd.service failed.
> Dec 06 15:35:47 hostname systemd[1]: Started Naming services LDAP client daemon..
> Dec 06 15:35:47 hostname systemd[1]: Starting Naming services LDAP client daemon....
> Dec 06 15:35:47 hostname nslcd[8050]: nslcd: /etc/nslcd.conf:15: usertemplate: too may arguments
> ===================== > This is the hint that user-template is at fault
Conditions:
LDAP/nslcd config, remote authentication, user-template used.
The values within user-template include white spaces:
example: uid=%s,CN=my home,OU=Generic Users,OU=good Users,OU=users,DC=users,DC=org
Impact:
LDAP/nslcd process failed with "error opening connection to nslcd" when user-template includes white spaces.
Workaround:
Replace the white-space character with underscore "_" in the user-template if possible, or remove the user-template and restart the nslcd daemon.
Fixed Versions:
14.1.2.8, 15.1.3
860317-1 : JavaScript Obfuscator can hang indefinitely
Links to More Info: BT860317
Component: TMOS
Symptoms:
High CPU usage by obfuscator for an extended period of time.
Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.
Impact:
High CPU Usage.
Workaround:
Kill the obfuscator process.
Fix:
Datasyncd daemon kills hanging obfuscator processes if they stop responding.
Fixed Versions:
14.1.3.1, 15.1.2
860005-3 : Ephemeral nodes/pool members may be created for wrong FQDN name
Links to More Info: BT860005
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.
Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.
The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.
Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.
Workaround:
It may be possible to mitigate this issue by one or more of the following actions:
-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.
-- Reducing the number of FQDN template nodes (FQDN names to be resolved).
-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.
Fixed Versions:
12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
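The TXID collision described in the Conditions for ID 860005 can be reproduced offline. The following Python is an added example, not F5 code and not a description of the F5 fix: it models a resolver that matches responses on TXID alone next to one that also checks the question name echoed in the response. The class names, FQDNs, and documentation-range addresses are constructed for illustration.

```python
import socket
import struct


def encode_name(fqdn):
    """Encode an FQDN as uncompressed DNS labels."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, fqdn, addrs):
    """Constructed DNS response: header, one question, A records."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    msg += encode_name(fqdn) + struct.pack("!HH", 1, 1)
    for addr in addrs:
        # 0xC00C is a compression pointer to the question name at offset 12.
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(addr)
    return msg


def read_name(msg, pos, depth=0):
    """Return (lower-cased name, next offset), following compression pointers."""
    if depth > 5:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            target = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
            suffix, _ = read_name(msg, target, depth + 1)
            if suffix:
                labels.append(suffix)
            return ".".join(labels).lower(), pos + 2
        pos += 1
        if length == 0:
            return ".".join(labels).lower(), pos
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def parse_response(msg):
    """Return (txid, question name, list of A-record addresses)."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, pos = read_name(msg, 12)
    pos += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, pos = read_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return txid, qname, addrs


class TxidOnlyMatcher:
    """Model of the reported behaviour: a response is matched on TXID alone."""

    def __init__(self):
        self.pending = []   # (server, txid, fqdn) in send order
        self.resolved = {}  # fqdn -> addresses accepted for it

    def sent(self, server, txid, fqdn):
        self.pending.append((server, txid, fqdn.lower()))

    def received(self, server, msg):
        txid, _qname, addrs = parse_response(msg)
        for entry in self.pending:
            if entry[0] == server and entry[1] == txid:
                self.pending.remove(entry)
                self.resolved[entry[2]] = addrs
                return entry[2]
        return None


class QuestionCheckingMatcher(TxidOnlyMatcher):
    """Hardened form: server, TXID and echoed question name must all match."""

    def received(self, server, msg):
        txid, qname, addrs = parse_response(msg)
        key = (server, txid, qname)
        if key not in self.pending:
            return None  # unsolicited or mismatched response is dropped
        self.pending.remove(key)
        self.resolved[qname] = addrs
        return qname


def replay(matcher):
    """Two queries share a TXID; the responses arrive in reverse order."""
    server = "192.0.2.53"
    matcher.sent(server, 0x1A2B, "app.example.test")
    matcher.sent(server, 0x1A2B, "db.example.test")
    matcher.received(server, build_response(0x1A2B, "db.example.test", ["198.51.100.20"]))
    matcher.received(server, build_response(0x1A2B, "app.example.test", ["198.51.100.10"]))
    return matcher.resolved


if __name__ == "__main__":
    print("TXID only:        ", replay(TxidOnlyMatcher()))
    print("TXID and question:", replay(QuestionCheckingMatcher()))
```

With TXID-only matching the two names end up with each other's addresses, which is the wrong-pool-member outcome the Impact text describes.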
859721-3 : Using GENERICMESSAGE create together with reject inside periodic after may cause core
Links to More Info: BT859721
Component: Service Provider
Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after the "reject" command inside "after -periodic", it may cause a core. Below is an example iRule.
when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}
This relates to ID 859113.
Conditions:
"GENERICMESSAGE::message create" is called after "reject" inside "after -periodic".
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There are 2 possible workarounds:
- Use the "return" command after "reject" to exit the "after" script immediately after the "reject" command is invoked.
- Add a routine to cancel the "after" in the CLIENT_CLOSED event.
Fix:
Using GENERICMESSAGE create together with reject inside periodic after no longer causes a core.
Fixed Versions:
14.1.2.5, 15.1.0.2
859717-3 : ICMP-limit-related warning messages in /var/log/ltm
Links to More Info: BT859717
Component: Local Traffic Manager
Symptoms:
'ICMP error limit reached' warning messages in /var/log/ltm:
warning tmm3[23425]: 01200015:4: Warning, ICMP error limit reached.
Conditions:
Viewing /var/log/ltm.
Impact:
Potentially numerous error messages, depending on the traffic and the BIG-IP configuration. No clear indication of how to remedy the situation.
Workaround:
None.
Fix:
The system better tracks what kind of traffic triggers the 'ICMP error limit reached' logs so the issue can be mitigated.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
859113-3 : Using "reject" iRules command inside "after" may cause core
Links to More Info: BT859113
Component: Local Traffic Manager
Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create", it may trigger a tmm core. Below is an example iRule.
when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}
This relates to ID 859721.
Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There are 2 possible workarounds:
- Use the "return" command after "reject" to exit the "after" script immediately after the "reject" command is invoked.
- Add a routine to cancel the "after" in the CLIENT_CLOSED event.
Fix:
Using the "reject" iRules command inside "after" no longer causes a core.
Fixed Versions:
14.1.2.5, 15.1.0.2
858973-3 : DNS request matches less specific WideIP when adding new wildcard wideips
Links to More Info: BT858973
Component: Global Traffic Manager (DNS)
Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.
Conditions:
New less specific Wildcard WideIPs are created.
Impact:
DNS request matches less specific WideIP.
Workaround:
# tmsh load sys config gtm-only
or
restart tmm
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
858701-3 : Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x★
Links to More Info: BT858701
Component: Local Traffic Manager
Symptoms:
When you upgrade an 11.x/12.x device with route advertisement enabled, you might discover a difference between the running configuration and the saved configuration post upgrade, which might result in route advertisement becoming disabled.
-- In the running configuration, the virtual-addresses route advertisement setting 'enabled' changes to 'selective'.
-- In bigip.conf, the virtual-addresses route advertisement setting is still set to 'enabled'.
-- After config load or after re-licensing, the virtual-addresses route advertisement reverts to disabled.
Conditions:
-- Upgrading an 11.x/12.x device with route advertisement enabled.
-- After saving the config, both the running-config and bigip.conf have the same value: i.e., 'selective'.
-- Loading the configuration (tmsh load sys config) results in route advertisement becoming disabled.
Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:
If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.
Workaround:
You can identify whether systems running v13.0.0 or higher are at risk of encountering this issue by checking a legacy internal setting, ROUTE_ADVERTISEMENT:
Procedure to identify virtual-addresses that are affected because they have an incorrect setting in the legacy ROUTE_ADVERTISEMENT artifact:
Virtual-addresses may be affected by this issue on v13.0.0 and higher if ROUTE_ADVERTISEMENT=true in mcpd.
You can check this value with the guishell command:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
Example:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
| /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
| /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
| /Common/10.32.101.47 | true | 0 | <<< MEDIUM RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
| /Common/10.32.101.49 | true | 1 | <<< HIGH RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled
Any virtual address that shows ROUTE_ADVERTISEMENT=true is at risk. If true but route-advertisement is not in use, there is no risk until route-advertisement is configured later.
------------------------------------------------------------------------------------------
Procedure to remove the legacy ROUTE_ADVERTISEMENT artifact from the config on systems found to be affected:
1. Review Standby system (if available) and ensure Route Advertisement in running configuration is configured and functioning as desired with "tmsh list ltm virtual-address route-advertisement". If not, manually correct Route Advertisement to desired configuration and confirm functionality.
2. Fail over Active system to Standby status:
tmsh run sys failover standby
3. Review former Active (now Standby) system and ensure Route Advertisement in running configuration is configured and functioning as desired. If not, manually correct Route Advertisement to desired configuration.
4. Save the config to disk:
tmsh save sys config
5. Load the config from disk. This may temporarily cause route-advertisement to revert to disabled on at risk virtual-addresses:
tmsh load sys config
6. Load the config a 2nd time. This removes the legacy artifact, re-enables route-advertisement as per the configuration, and leaves the system in a not-at-risk state:
tmsh load sys config
7. Verify it worked:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
Example of a fixed config:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
| /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
| /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
| /Common/10.32.101.47 | false | 0 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
| /Common/10.32.101.49 | false | 1 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled
------------------------------------------------------------------------------------------
If you encounter this issue and route-advertisement becomes disabled before cleaning the legacy ROUTE_ADVERTISEMENT artifact from the config, reload the configuration again using the following command to set the running config and saved config to 'selective':
tmsh load sys config
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
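The guishell check used in the identification procedure and again in step 7 for ID 858701 can be scripted against saved output. The following Python is an added example, not F5 code: it parses the table and applies the risk labels from the example above. Treating ROUTE_ADVERTISEMENT=true with RA_OPTION 2 as high risk is an assumption, since the example table shows no such row, and the function names are hypothetical.

```python
import sys

# RA_OPTION meanings as annotated in the example table in the workaround text.
RA_OPTION_NAMES = {0: "disabled", 1: "enabled", 2: "selective"}

# Constructed sample input: the "Example" output from the workaround text.
# Trailing "<<<" annotations are kept to show that the parser ignores them.
SAMPLE_OUTPUT = """\
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk
| /Common/10.32.101.42 | false | 2 | <<< no risk
| /Common/10.32.101.43 | false | 1 | <<< no risk
| /Common/10.32.101.47 | true | 0 | <<< MEDIUM RISK
| /Common/10.32.101.49 | true | 1 | <<< HIGH RISK
"""


def parse_rows(output):
    """Yield (name, legacy_flag, ra_option) for each data row of the table."""
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # rule lines, the echoed command, blank lines
        cells = [cell.strip() for cell in line.split("|")[1:4]]
        if len(cells) != 3:
            continue
        if cells[1] not in ("true", "false") or not cells[2].isdigit():
            continue  # header row or malformed line
        yield cells[0], cells[1] == "true", int(cells[2])


def classify(legacy_flag, ra_option):
    """Risk label for one virtual address, following the example table."""
    if not legacy_flag:
        return "no risk"
    if ra_option == 0:
        # Legacy artifact present, but route advertisement is not in use yet.
        return "medium risk"
    # Assumption: any non-zero RA_OPTION means route advertisement is in use.
    return "high risk"


def audit(output):
    """Return (name, legacy_flag, option_name, risk) for every virtual address."""
    findings = []
    for name, legacy, ra_option in parse_rows(output):
        option = RA_OPTION_NAMES.get(ra_option, "unknown(%d)" % ra_option)
        findings.append((name, legacy, option, classify(legacy, ra_option)))
    return findings


def at_risk(output):
    """Names of virtual addresses that still carry the legacy artifact."""
    return [name for name, _legacy, _opt, risk in audit(output) if risk != "no risk"]


if __name__ == "__main__":
    # Pipe saved guishell output on stdin, or run without input to use the sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for name, legacy, option, risk in audit(text):
        print("%-28s legacy=%-5s route-advertisement=%-10s %s"
              % (name, str(legacy).lower(), option, risk))
    sys.exit(1 if at_risk(text) else 0)
```

The script exits non-zero while any address is still at risk, so it can gate step 7 of the cleanup procedure.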
858429 : BIG-IP system sends ICMP packets on both virtual wire interfaces.
Links to More Info: BT858429
Component: Local Traffic Manager
Symptoms:
ICMP packets are forwarded to both virtual wire interfaces, which causes MAC-Flapping on the connected switches.
Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.
Impact:
Traffic is disrupted in the network.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
14.1.2.8, 15.0.1.4, 15.1.1
858301-3 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003, BT858301
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858297-3 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003, BT858297
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858289-3 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003, BT858289
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858285-3 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003, BT858285
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858229-3 : XML with sensitive data gets to the ICAP server
Links to More Info: K22493037, BT858229
Component: Application Security Manager
Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.
Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.
Impact:
Sensitive data will reach the ICAP server.
Workaround:
No immediate workaround except policy-related changes.
Fix:
An internal parameter, send_xml_sensitive_entities_to_icap, was added. Its default is 1, as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.
Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.
When this is changed to 0 (using this command):
/usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
858197-1 : Merged crash when memory exhausted
Links to More Info: BT858197
Component: TMOS
Symptoms:
Merged crashes when system memory is exhausted
Conditions:
System memory is at 0% available.
Impact:
Merged crashes, stopping stats updates
Workaround:
Reduce the configuration on the system
Fix:
Remove function call to drop row from table on error path where row was not successfully added.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.2, 16.0.1.1
858189-1 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.
Links to More Info: BT858189
Component: Device Management
Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad, restnoded, and/or icrd timeout errors.
Conditions:
Using iControl REST or an iApp to update a data-group that contains a large number of records, e.g., 75,000 or more.
Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.
Workaround:
N/A
Fix:
ICRD/restjavad/restnoded timeouts are now configurable through sys db variables.
Behavior Change:
New Sys DB variables have been added to allow you to modify the timeout settings of restjavad, restnoded, and icrd:
restnoded.timeout
restjavad.timeout
icrd.timeout
The default value is 60 seconds for each of these.
A restart of restjavad and restnoded is required for the change to take effect.
tmsh restart /sys service restjavad
tmsh restart /sys service restnoded
Fixed Versions:
12.1.5.2, 14.1.2.7, 15.1.1
857953-3 : Non-functional disable/enable buttons present in GTM wide IP members page
Links to More Info: BT857953
Component: Global Traffic Manager (DNS)
Symptoms:
Enable/disable buttons do not perform any action against the selected members when pressed.
Conditions:
-- GTM wide IP has members.
-- Navigate to the GTM wide IP members page.
-- Attempt to enable or disable a selected member.
Impact:
No action against the selected members occurs when the buttons are pressed.
Workaround:
None.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
857845-6 : TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule
Links to More Info: BT857845
Component: Local Traffic Manager
Symptoms:
Whenever the server or client side data have not been drained, 'server drained' or 'client drained' appear in /var/log/tmm as errors.
Conditions:
-- Using iRule configuration with LB::detach or LB::connect.
-- Server- or client-side data has not been drained before those statements are triggered.
Impact:
TMM crashes and can cause an outage on standalone system or failover in a DSC. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes and the 'server not drained' or 'client not drained' message is logged instead. If tmm.oops is set to 'log', the OOPS message is reported in /var/log/tmm.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
857725 : Anti-Fraud/DataSafe Logging Settings page not found
Links to More Info: BT857725
Component: Fraud Protection Services
Symptoms:
When navigating to Security :: Fraud Protection Service : Anti-Fraud Logging Settings, a 404 error is shown instead of the actual page.
Conditions:
- Provision Fraud Protection Service.
- License DataSafe or Fraud Protection Service.
- Enable the 'antifraud.riskengine.reportlogins' database variable.
Impact:
'Anti-Fraud Logging Settings' page is not found.
Workaround:
Configure logging setting using the Traffic Management Shell (tmsh) utility.
Fix:
'Anti-Fraud Logging Settings' page is shown correctly.
Fixed Versions:
14.1.2.5
857633-2 : Attack Type (SSRF) appears incorrectly in REST result
Links to More Info: BT857633
Component: Application Security Manager
Symptoms:
After ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, a mistaken value for Attack Type (SSRF) appears incorrectly in REST query results.
Conditions:
ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, even if another ASM Signature update is installed subsequently.
Impact:
A mistaken value for Attack Type (SSRF) appears incorrectly in REST query results. This impacts BIG-IQ usage and other REST clients.
Workaround:
1) Install a newer ASU to reassociate the affected signatures with the correct attack type
2) Run the following SQL on the affected BIG-IP devices:
DELETE FROM PLC.NEGSIG_ATTACK_TYPES WHERE attack_type_name = "Server-Side Request Forgery (SSRF)";
Fixed Versions:
14.1.4.5, 15.1.4.1
856953-2 : IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1
Links to More Info: BT856953
Component: TMOS
Symptoms:
In rare circumstances, TMM may core when changing the ike-peer configuration from IKEv2 to IKEv1.
Conditions:
- The BIG-IP system is attempting to establish an IKEv2 tunnel.
- The related ike-peer config is changed from IKEv2 to IKEv1.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not reconfigure the ike-peer configuration while the related IPsec tunnel is attempting to establish.
Fix:
TMM no longer cores.
Fixed Versions:
14.1.2.8, 15.1.4.1
856713-1 : IPsec crash during rekey
Links to More Info: BT856713
Component: TMOS
Symptoms:
IPsec-related tmm crash and generated core file during rekey.
Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.
Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
IPsec-related tmm crash has been fixed.
Fixed Versions:
14.1.2.8, 16.0.1.2
854493-3 : Kernel page allocation failures messages in kern.log
Links to More Info: BT854493
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)
Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase this as follows:
-- 64 MB (65536 KB) for 2250 blades
-- 48 MB (49152 KB) for B4300 blades
-- 128 MB (131072 KB) for 4450 blades
You must do this on each blade installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures.
Fixed Versions:
14.1.2.8, 15.1.0.2
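To gauge how often the page allocation failures described for ID 854493 occur and which processes hit them, the kern.log lines can be summarised per process and allocation order. The following is an added example, not F5 code: the function names are hypothetical, and the sample log lines (including the syslog prefix in front of the message format quoted above) are constructed.

```shell
#!/bin/sh
# Added example (not F5 code): summarise kernel page allocation failures
# of the form shown for ID 854493, e.g.
#   swapper/16: page allocation failure: order:2, mode:0x104020
#
# Real use on a blade:  summarise_page_alloc_failures < /var/log/kern.log

# Reads kern.log text on stdin and prints "count process order=N" per
# (process, order) pair, most frequent first.
summarise_page_alloc_failures() {
    awk '
        {
            # Only lines that carry the failure marker are of interest.
            idx = index($0, ": page allocation failure:")
            if (idx == 0) next
            if (!match($0, /order:[0-9]+/)) next
            order = substr($0, RSTART + 6, RLENGTH - 6)

            # The process name is the last token before the marker.
            head = substr($0, 1, idx - 1)
            n = split(head, parts, " ")
            proc = parts[n]
            # Fold per-CPU instances (swapper/16, swapper/3) into one name.
            sub(/\/[0-9]+$/, "", proc)

            count[proc " order=" order]++
        }
        END {
            for (k in count) print count[k], k
        }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample input; the timestamp/host/severity prefix is an assumption.
sample_kern_log() {
    cat <<'EOF'
Mar 20 21:54:44 slot1 warning kernel: swapper/16: page allocation failure: order:2, mode:0x104020
Mar 20 21:54:45 slot1 warning kernel: swapper/3: page allocation failure: order:2, mode:0x104020
Mar 20 21:55:02 slot1 warning kernel: sshd: page allocation failure: order:3, mode:0x104020
Mar 20 21:55:10 slot1 info kernel: unrelated message
Mar 20 21:56:30 slot2 warning kernel: swapper/0: page allocation failure: order:2, mode:0x104020
EOF
}

# Demo run on the constructed sample.
sample_kern_log | summarise_page_alloc_failures
```

A count that keeps growing after min_free_kbytes has been raised on every blade suggests the workaround value is not in effect; confirm it with the verification command given in the workaround.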
854177-3 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
Links to More Info: BT854177
Component: Application Security Manager
Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.
Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.
Impact:
Latency is introduced to ASM handling.
Workaround:
Set the fast changing nodes to static updates every hour.
Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.
Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.5, 15.1.0.5
854001-4 : TMM might crash in case of trusted bot signature and API protected url
Links to More Info: BT854001
Component: Application Security Manager
Symptoms:
When sending a request to a protected API URL with a trusted bot signature, tmm tries to perform reverse DNS to verify the signature. During this process, the URL qualification might change. In this case, tmm crashes.
Conditions:
-- Bot Defense profile attached.
-- 'API Access for Browsers and Mobile Applications' is enabled.
-- A DNS server is configured.
-- Request is sent to an API-qualified URL.
-- Request is sent with a trusted bot signature.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the 'API Access for Browsers and Mobile Applications' or remove the DNS server.
Fix:
An issue where tmm could crash when processing a request sent to a protected API URL with a trusted bot signature has been fixed.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
853613-2 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
Links to More Info: BT853613
Component: Local Traffic Manager
Symptoms:
A TCP connection hangs occasionally.
Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.
Impact:
TCP connections hang, and data transfer cannot be completed.
Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.
Fix:
This release provides improved interaction between TCP's Verified Accept and Timestamps options and the tm.tcpsendrandomtimestamp setting.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
853585-2 : REST Wide IP object presents an inconsistent lastResortPool value
Links to More Info: BT853585
Component: Global Traffic Manager (DNS)
Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:
...
"lastResortPool": "aaaa \"\""
...
Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:
tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>
Impact:
The lastResortValue in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST. BIG-IQ, for instance. BIG-IQ might not work as expected with these values.
Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.
Fix:
The tmsh interpreter now enforces the structure 'tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind> <pool_name>'.
Fixed Versions:
12.1.6, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
853545-3 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
Links to More Info: BT853545
Component: Service Provider
Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.
Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.
Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.
Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.
Fix:
Usage of GENERICMESSAGE::message drop iRule command no longer leaks memory.
Fixed Versions:
14.1.2.5, 15.1.0.2
853329-4 : HTTP explicit proxy can crash TMM when used with classification profile
Links to More Info: BT853329
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may serve HTTP traffic as forward proxy and use DNS resolver objects to provide a server to connect to for request processing. When a classification profile is attached to the virtual server, it may result in a TMM crash with regards to some HTTP requests.
Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile attached to the virtual server.
Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release prevents a condition causing this TMM crash.
Fixed Versions:
11.6.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3
853325-3 : TMM Crash while parsing form parameters by SSO.
Links to More Info: BT853325
Component: Access Policy Manager
Symptoms:
When a form is received in the response, TMM crashes when SSO identifies the form parameter, and logs the Form parameter value and type in SSOv2 form-based passthrough log.
Conditions:
-- When any of the form parameters that SSO receives in the response does not have a value.
-- Passthrough mode is enabled in SSO.
Impact:
TMM crash when Passthrough mode is enabled in SSO. Traffic disrupted while tmm restarts.
Workaround:
Do not use Passthrough mode with SSO.
Fix:
TMM does not crash when Passthrough mode is enabled in SSO, and SSO receives any valid form in a response.
Fixed Versions:
14.1.4.5, 15.0.1.3, 15.1.0.2
852873 : Proprietary Multicast PVST+ packets are forwarded instead of dropped
Links to More Info: BT852873
Component: Local Traffic Manager
Symptoms:
Because the BIG-IP system does not recognize proprietary multicast MAC addresses such as PVST+ (01:00:0c:cc:cc:cd) and STP (01:80:c2:00:00:00), when STP is disabled the system does not drop those frames. Instead the system treats those as L2 multicast frames and forwards between 2 interfaces.
Conditions:
-- STP disabled
-- All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850.
Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC is forwarded instead of discarded, even when STP is disabled.
Workaround:
None.
Fix:
When traffic with a destination MAC of PVST+ (01:00:0c:cc:cc:cd) or STP (01:80:c2:00:00:00) is sent to the BIG-IP system, it is dropped on egress when either or both of the following db variables are enabled, and vice versa:
bcm56xxd.rules.badpdu_drop
bcm56xxd.rules.lldp_drop
Fixed Versions:
14.1.2.7, 15.1.0.2
852613-1 : Connection Mirroring and ASM Policy not supported on the same virtual server
Component: Application Security Manager
Symptoms:
Connection Mirroring used together with ASM is not supported by the BIG-IP system, and a config validation prevents associating an ASM Policy with a virtual server that is configured with Connection Mirroring.
Conditions:
Virtual Server is attempted to be configured with Connection Mirroring and ASM Policy together.
Impact:
Connection Mirroring and ASM Policy cannot be configured on the same virtual server.
Workaround:
None.
Fix:
Connection Mirroring and ASM Policy can now be configured on the same virtual server. Only a subset of ASM features are supported. Please refer to the documentation for support and limitations when using Connection Mirroring with ASM.
Fixed Versions:
14.1.2.7
852557-1 : Tmm core while using service chaining for SSL Orchestrator
Links to More Info: BT852557
Component: SSL Orchestrator
Symptoms:
Tmm core found when using service chaining for SSL Orchestrator.
Conditions:
SSL Orchestrator with service chaining.
Impact:
Tmm crashes and generates a core file. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Tmm no longer crashes while using service chaining for SSL Orchestrator.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
852481-1 : Failure to check virtual-server context when closing server-side connection
Links to More Info: BT852481
Component: SSL Orchestrator
Symptoms:
The TMM process may fail with a segmentation fault (SIGSEGV) panic and deposit a core file.
Conditions:
-- SSL Orchestrator configuration.
-- Closing server-side connection.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer experiences panic when server-side connections are being closed.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
852477-1 : Tmm core when SSL Orchestrator is enabled
Links to More Info: BT852477
Component: SSL Orchestrator
Symptoms:
The tmm process may fail with a segmentation fault (SIGSEGV) panic and deposit a core file.
Conditions:
This can occur when SSL Orchestrator is enabled and is passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Tmm no longer experiences panic when draining data from server-side connections that are being closed.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
852437-1 : Overly aggressive file cleanup causes failed ASU installation
Links to More Info: K25037027, BT852437
Component: Application Security Manager
Symptoms:
Directory cleanup for failed Attack Signature Updates (ASU) is too aggressive and may delete needed files in the middle of installation itself, which causes the update to fail.
Conditions:
An ASU runs at the same time as the file cleanup task.
Impact:
The ASU fails to complete successfully.
Workaround:
The default clean interval is 300 seconds (5 minutes).
1. Run the following command to monitor the clean activity:
# tailf /var/log/ts/asmcrond.log | grep CleanFiles
2. Watch for the following message in the log:
asmcrond|INFO|Mar 20 21:54:44.389|24036|F5::PeriodicTask::Base::run,,Running Task: CleanFiles
3. Upgrade the ASU immediately.
If 5 minutes is not enough, you can increase the clean interval.
1. Adjust the interval in the /etc/ts/tools/asmcrond.cfg file:
From:
[CleanFiles]
Interval=300
To:
[CleanFiles]
Interval=3000
Important: Do not set Interval too high. 50 minutes (3000 seconds) should be enough.
2. Restart the asmcrond by killing the process. It respawns after several seconds.
ps -ef | grep asmcrond
kill <pid>
3. Monitor the asmcrond.log until you see another CleanFiles log message.
# tailf /var/log/ts/asmcrond.log | grep CleanFiles
4. Install the ASU; the temp files can stay in the folder for 50 minutes.
5. After the ASU is installed, change the interval back to 300 and restart asmcrond.
6. Make sure asmcrond has been started correctly.
# ps -ef | grep asmcrond
# tailf /var/log/ts/asmcrond.log
Fix:
The directory cleanup does not clean up files that are being actively used for an installation.
Fixed Versions:
14.1.2.5, 15.1.0.2
852373-2 : HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error
Links to More Info: BT852373
Component: Local Traffic Manager
Symptoms:
HTTP/2 connection breaks and Tcl error is logged in /var/log/ltm similar to the following:
TCL error: /Common/http2_disable <CLIENT_ACCEPTED> - Unknown error (line 1) (line 1) invoked from within "HTTP2::disable".
Conditions:
Any of the following Tcl commands are used in any iRule event: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside.
Impact:
HTTP/2 traffic is not passed to the serverside.
Workaround:
Do not use the following Tcl commands: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside
Fix:
When the previously mentioned Tcl commands are used in appropriate HTTP iRule events, such as CLIENT_ACCEPTED, HTTP/2 filter is put into passthrough mode and traffic is delivered to the server.
Fixed Versions:
14.1.2.5, 15.0.1.4, 15.1.1
852313-2 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
Links to More Info: BT852313
Component: Access Policy Manager
Symptoms:
VMware Horizon clients cannot connect to APM and /var/log/apm contains the following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431
Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.
Impact:
VMware Horizon client cannot connect to APM after some time.
Workaround:
None.
Fix:
Fixed an issue where the 'VMware View Logon Page' agent configured with 'Kerberos Authentication' does not process logon requests after some time.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
852289-2 : DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector
Links to More Info: K23278332, BT852289
Component: Advanced Firewall Manager
Symptoms:
DNS over TCP packet is not rate-limited accurately by DoS device sweep and flood vector.
Conditions:
-- Setting the correct DNS pkt type in the DoS device sweep or flood vector.
-- Sending DNS over TCP.
Impact:
A DNS over TCP DDoS attack is not mitigated correctly.
Workaround:
Use the DNS DoS vector to mitigate the attack.
Fix:
The attack mitigation by sweep and flood vector is accurate.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.1.1
852101-3 : Monitor fails.
Links to More Info: BT852101
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.
Conditions:
TLS SIP monitor on pool member requiring client auth.
Impact:
Big3d fails external monitor SIP_monitor.
Workaround:
The only workaround is to allow world reading of key files in the filestore; however, this is not ideal as it exposes potentially sensitive data.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
852001-3 : High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously
Links to More Info: BT852001
Component: TMOS
Symptoms:
When using more than 4 BIG-IP devices connected in a device cluster, and adding 2 more devices to the trust domain, the mcpd processes of each device may get into a sync loop. This causes mcpd to reach up to 90% CPU utilization during this time, and causes other control-plane functionality to halt. This state may last 10-20 minutes in some cases, or continuous in other cases.
Conditions:
-- More than 4 BIG-IP devices are configured in a trust domain configuration.
-- Adding at least 2 more devices to the trust domain, one after the other, without waiting for the full sync to complete.
-- ASM, FPS, or DHD (DOS) is provisioned.
Impact:
High CPU utilization, GUI, TMSH, and REST API not responding or slow-responding, other system processes halted.
Workaround:
When adding a BIG-IP device to the trust domain, before adding any other device, wait a few minutes until the sync is complete, and no more sync logs display in /var/log/ltm.
Fix:
MCPD no longer utilizes high CPU resources when adding simultaneously 4 or more devices to CMI.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
851857-3 : HTTP 100 Continue handling does not work when it arrives in multiple packets
Links to More Info: BT851857
Component: Local Traffic Manager
Symptoms:
If a 100 Continue response from a server arrives in multiple packets, HTTP parsing may not work as expected. The later server response payload may not be sent to the client.
Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.
Impact:
The response is not delivered to the client. Browsers may retry the request.
Workaround:
None.
Fix:
100 Continue responses are parsed correctly by the HTTP parser if they are broken into multiple packets.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1
851789-3 : SSL monitors flap with client certs with private key stored in FIPS
Links to More Info: BT851789
Component: Local Traffic Manager
Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.
Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.
Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.
Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.
Fix:
Optimized FIPS API calls to improve performance of SSL monitors.
Fixed Versions:
12.1.5.3, 14.1.2.5, 15.1.1
851745-1 : High cpu consumption due when enabling large number of virtual servers
Links to More Info: BT851745
Component: Advanced Firewall Manager
Symptoms:
Observed autodosd CPU burst
Conditions:
Enable autodosd and a large number of virtual servers
Impact:
High cpu utilization in autodosd
Workaround:
Disable autodosd
Fix:
Autodosd no longer excessively consumes CPU cycles.
Fixed Versions:
14.1.4.1, 15.1.2
851733-1 : Tcpdump messages (warning, error) are sent to stdout instead of stderr
Links to More Info: BT851733
Component: TMOS
Symptoms:
Tcpdump error and warning messages are sent to stdout. This causes issues when the packet capture is sent to a file, because standard programs such as Wireshark do not understand the error message strings and error out.
Conditions:
-- tcpdump used to capture packets.
-- tcpdump stdout redirected to a file.
-- The capture file is read by standard packet parse-and-display tools such as Wireshark.
Impact:
Captures cannot be analyzed from the capture file
Workaround:
None.
Fix:
Tcpdump messages are now sent to stderr. Packet dumps continue to be in stdout. A capture file contains only captured packets, and can be analyzed by any tool that understands pcap format (such as Wireshark, tshark, etc.).
Fixed Versions:
14.1.3.1
851581-1 : Server-side detach may crash TMM
Links to More Info: BT851581
Component: Local Traffic Manager
Symptoms:
TMM crash with 'server drained' panic string.
Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.
Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.
Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.
-- In cases in which the detach is triggered by LB::detach, make sure the command is not executed when a request may still be in progress by using it in response events, for example HTTP_RESPONSE, USER_RESPONSE, etc.
Fix:
TMM does not crash no matter when the server-side detach is triggered.
Fixed Versions:
14.1.2.8, 15.1.1
851477-3 : Memory allocation failures during proxy initialization are ignored leading to TMM cores
Links to More Info: BT851477
Component: Local Traffic Manager
Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.
Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.
Impact:
TMM cores when accessing uninitialized memory.
Workaround:
No workaround.
Fix:
Memory allocation failures are now detected and virtual server ends up in DENY state. No connections are accepted in this state.
Fixed Versions:
14.1.3.1, 15.1.1
851393-3 : Tmipsecd leaves a zombie rm process running after starting up
Links to More Info: BT851393
Component: TMOS
Symptoms:
After booting the system, you notice zombie 'rm' processes:
$ top -b | awk '$8=="Z"'
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
Restarting tmipsecd will kill the zombied process but will start a new one.
Conditions:
-- IPsec is enabled.
-- Booting up the system.
Impact:
A zombie 'rm' process exists. There should be no other impact.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.0.5
851345-2 : The TMM may crash in certain rare scenarios involving HTTP/2
Links to More Info: BT851345
Component: Local Traffic Manager
Symptoms:
The HTTP/2 Gateway configuration is used without the HTTP MRF Router.
The TMM may crash in rare scenarios when a stream is being torn down.
Conditions:
-- HTTP/2 is configured in the Gateway scenario.
-- The HTTP MRF Router is not used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM no longer crashes in rare scenarios when a stream is being torn down.
Fixed Versions:
14.1.3.1, 15.1.2
851045-3 : LTM database monitor may hang when monitored DB server goes down
Links to More Info: BT851045
Component: Local Traffic Manager
Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such as by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon), which interrupts monitoring of the other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.
Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).
Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads is processed to completion, and normal DB monitoring resumes.
Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.1
850873-1 : LTM global SNAT sets TTL to 255 on egress.
Links to More Info: BT850873
Component: Local Traffic Manager
Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.
Conditions:
Traffic is handled by global SNAT.
Impact:
TTL on egress is set to 255; Hop-Limit on egress is set to 64.
Workaround:
None.
Fixed Versions:
14.1.3.1, 15.1.2
850777-1 : BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config
Links to More Info: BT850777
Component: TMOS
Symptoms:
After rebooting BIG-IP Virtual Edition (VE) deployed on a cloud provider, the instance enters LICENSE INOPERATIVE state.
Errors similar to the one below are seen in the LTM log:
err chmand[4770]: Curl request to metadata service failed with error(7): 'Couldn't connect to server'.
Conditions:
- Static management IP address configuration.
- Instance is restarted.
Impact:
Instance is not operational after restart.
Workaround:
After instance is fully booted, reload the license with 'reloadlic'.
Fix:
In the case of 1 NIC with a static route, issuing "bigstart restart mcpd" is not enough to bring the system to the licensed state; issue "reboot" instead.
Fixed Versions:
14.1.3.1, 15.1.1
850677-2 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
Links to More Info: BT850677
Component: Application Security Manager
Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.
Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.
Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.
Workaround:
Use UTF-8.
Fix:
This release supports REST access in non-UTF-8 policies.
Fixed Versions:
14.1.2.7, 15.1.0.5
850673-3 : BD sends bad ACKs to the bd_agent for configuration
Links to More Info: BT850673
Component: Application Security Manager
Symptoms:
-- The bd_agent stops sending the configuration in the middle of startup or a configuration change.
-- The policy may be incomplete in the bd causing incorrect enforcement actions.
Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.
Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).
-- A partial policy may exist in bd causing improper enforcement.
Workaround:
-- Unassign and reassign the policy.
-- If unassign/reassign does not help, export and then reimport the policy.
Fix:
Fixed inconsistency scenario between bd and bd_agent.
Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
850509-3 : Zone Trusted Signature inadequately maintained, following change of master key
Links to More Info: BT850509
Component: Global Traffic Manager (DNS)
Symptoms:
During config load or system start-up, you may see the following error:
-- 01071769:3: Decryption of the field (privatekey) for object (13079) failed.
Unexpected Error: Loading configuration process failed.
In some instances, other errors resembling the following may appear:
-- Failed to sign zone transfer query for zone DNSZONE01 using TSIG key zone01key.pl.
-- Failed to transfer DNSZONE01 from 203.0.113.53, will attempt IXFR (Retry).
Conditions:
-- TSIG keys are present in the device configuration.
-- The device's master key is changed.
Impact:
Unable to view TSIG keys. Configuration cannot be loaded. Failures of DNS zone transfers may occur.
Workaround:
None.
Fix:
When master key changes, TSIG keys are now properly re-encrypted, so this problem no longer exists.
Fixed Versions:
14.1.4.4, 15.1.2
850277-3 : Memory leak when using OAuth
Links to More Info: BT850277
Component: Access Policy Manager
Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.
Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.
Impact:
Memory leak occurs in which tmm memory usage increases.
Workaround:
None.
Fixed Versions:
13.1.3.4, 14.1.4, 15.0.1.3, 15.1.0.2
850193-2 : Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues
Links to More Info: BT850193
Component: TMOS
Symptoms:
-- Uneven unic channel distribution and transmit errors (tx_errcnt) seen in /proc/unic.
-- Packet loss and increased retransmissions under load.
Conditions:
BIG-IP Virtual Edition (VE) in Hyper-V or Azure Cloud.
Impact:
-- Reduced throughput.
-- Packet loss and increased retransmissions under load.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4
850145-3 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
Links to More Info: BT850145
Component: Local Traffic Manager
Symptoms:
The first HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed and use the established connection to the server. However, the requests were queued in the proxy and not processed, resulting in a connection hang.
Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.
Impact:
Connection hangs and is eventually reset.
Workaround:
No workaround.
Fix:
If a connection to the server has been established, pipelined requests are now processed immediately and not queued.
Fixed Versions:
14.1.3.1, 15.1.2
849405-1 : LTM v14.1.2.1 does not log after upgrade★
Links to More Info: BT849405
Component: TMOS
Symptoms:
After upgrading to v14.1.2.1, logs are not generated and sysstat.service is not running.
Conditions:
-- Upgrade from BIG-IP v12.1.x (which uses CentOS 6) to BIG-IP v14.1.2.1 or later (which uses CentOS 7).
-- The issue is momentary and is not always reproducible.
Impact:
Logs are not generated and sysstat.service is not running.
Workaround:
Once the BIG-IP system starts up, check for failed services:
systemctl list-units --failed
If results show sysstat.service as FAILED, run the following command:
restorecon -Rv /var/log/sa6 && systemctl start sysstat
Fixed Versions:
14.1.2.5, 15.1.0.5
849085-3 : Lines with only asterisks filling message and user.log file
Links to More Info: BT849085
Component: TMOS
Symptoms:
/var/log/message and /var/log/user.log files have lines that only contain asterisks.
For example:
Nov 12 10:40:57 bigip1 **********************************************
Conditions:
An SNMP query is made for an OID handled by sflow, for example:
snmpwalk -v2c -c public localhost SNMPv2-SMI::enterprises.14706.1.1.1
Impact:
The impact is cosmetic only, however it could make reading the logs more difficult if the sflow snmp tables are constantly being queried.
Workaround:
You have two options:
-- Filter out all sflow_agent log messages
-- Filter out all messages that contain a newline '\n' or carriage return character '\r'.
Both workarounds are done by editing the syslog template. This means that if you upgrade, you must edit the template again to reinstate the workaround.
=============================================
Solution #1 - Filter out all sflow_agent logs:
1) Remount /usr as read+write:
mount -o rw,remount /usr
2) Make a backup copy of the template:
cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig
3) Add write permissions to the template:
chmod +w /usr/share/defaults/config/templates/syslog.tmpl
4) Add the filter to syslog.tmpl
4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl
4b) Add the new filter after the filter f_messages:
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};
For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};
4c) Add the filter to the log statement that sends all source local messages to the syslog pipe:
log {
source(local);
filter(f_not_sflow);
destination(d_syslog_pipe);
}
5) Save the changes and quit vi.
6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice
7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.
8) Remount /usr as read-only:
mount -o ro,remount /usr
=============================================
Solution #2 - Filter out all messages with \n or \r:
1) Remount /usr as read+write:
mount -o rw,remount /usr
2) Make a backup copy of the template:
cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig
3) Add write permissions to the template:
chmod +w /usr/share/defaults/config/templates/syslog.tmpl
4) Add the filter to syslog.tmpl:
4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl
4b) Add the new filter after the filter f_messages:
filter f_no_multi_line {
not (message('\n') or message('\r'));
};
For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};
filter f_no_multi_line {
not (message('\n') or message('\r'));
};
4c) Add the filter to the log statement that sends all source local messages to the syslog pipe:
log {
source(local);
filter(f_no_multi_line);
destination(d_syslog_pipe);
}
5) Save the changes and quit vi.
6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice
7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.
8) Remount /usr as read-only:
mount -o ro,remount /usr
Fix:
The sflow log message that was a multiline message has been changed so that it is no longer multiline.
Fixed Versions:
14.1.3.1, 15.1.1
849029-3 : No configurable setting for maximum entries in CRLDP cache
Links to More Info: BT849029
Component: Access Policy Manager
Symptoms:
There is no setting provided to configure the maximum entries in the CRLDP cache.
Conditions:
In a configuration with tens of thousands of CRLDP and hundreds of thousands or millions of certificates, certain operations might encounter an internal limit, resulting in a number of revoked certificates.
Impact:
No settings exist. Cannot set maximum entries in CRLDP cache.
Workaround:
None.
Fix:
There is now a setting for configuring maximum entries in CRLDP cache.
Fixed Versions:
14.1.4.4
848777-1 : Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.
Links to More Info: BT848777
Component: Local Traffic Manager
Symptoms:
Shared object address-list in non-default partition in non-default route-domain does not sync to peer node. The system reports the following exceptions when such an issue occurs:
-- err mcpd[4941]: 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).
-- err mcpd[4941]: 01071488:3: Remote transaction for device group /Common/DG1 to commit id 500 6754270728594498269 /Common/bigiptest1 0 failed with error 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).
Conditions:
-- Create custom partition.
-- Create custom route-domain.
-- Change custom partition.
-- Create address list in non-default route domain.
-- Create virtual server with previously created address list and any TCP port, or port list.
-- Now, try to Sync to high availability (HA) peer.
Impact:
Sync fails with error. Configuration does not sync to peer node.
On VIPRION systems this may cause mcpd on a secondary blade to crash and fail to come up.
Workaround:
None
Fix:
Configuration now syncs to peer node successfully.
Fixed Versions:
14.1.2.7, 15.1.0.4
848445-3 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★
Links to More Info: K86285055, BT848445
Component: Application Security Manager
Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.
Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.
Impact:
The parameter will not be masked in the 'Referer' header value in logs, although it is masked in the 'QS' string.
Workaround:
Define the parameters as global sensitive parameters.
Fix:
After the fix, such parameters are treated like global sensitive parameters and are also masked in the Referer.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
847325-1 : Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior.
Links to More Info: BT847325
Component: Local Traffic Manager
Symptoms:
-- High tmm CPU utilization.
-- Stalled connections.
-- Incorrect persistence decisions.
Conditions:
-- A OneConnect profile is combined with certain persist profiles on a virtual server.
-- The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.
-- The persistence types that are affected are:
- Source Address (but not hash-algorithm carp)
- Destination Address (but not hash-algorithm carp)
- Universal
- Cookie (only cookie hash)
- Host
- SSL session
- SIP
- Hash (but not hash-algorithm carp)
Impact:
-- High tmm CPU utilization.
-- Stalled connections.
-- Incorrect persistence decisions.
Workaround:
None.
Fix:
Changing a virtual server that uses a OneConnect profile no longer triggers incorrect persistence behavior.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
847105-3 : The bigip_gtm.conf is reverted to default after rebooting with license expired★
Links to More Info: BT847105
Component: Global Traffic Manager (DNS)
Symptoms:
The bigip_gtm.conf is reverted to default after rebooting (or upgrading to a newer BIG-IP software release).
Conditions:
-- The BIG-IP license is expired prior to the reboot or upgrade.
-- GTM is configured.
Impact:
The GTM configuration (in /config/bigip_gtm.conf) information is lost in the newly installed boot location.
Workaround:
Renew license before reboot. Always reboot with valid license.
If you have already rebooted or upgraded with an expired license, and your configuration has been lost, you can restore it using the following procedure.
1. Re-activate the BIG-IP license
2. Restore bigip_gtm.conf from the auto-created backup (.bak) file:
cp /config/bigip_gtm.conf.bak /config/bigip_gtm.conf
3. Load the replaced config:
tmsh load sys config gtm-only
If this is the result of a software upgrade, and the .bak file is not available or has been overwritten, you can boot back to the previous volume and re-copy the configuration from there (cpcfg or via the GUI) before rebooting back to the upgraded software release.
Fixed Versions:
14.1.4.4, 15.1.4.1
846601-3 : Traffic classification does not update when an inactive slot becomes active after upgrade★
Links to More Info: BT846601
Component: Traffic Classification Engine
Symptoms:
VIPRION platforms have an automated process of joining a newly inserted blade to a cluster. TMOS install, licensing, and configuration including iAppLX are synchronized from primary to the newly inserted blade automatically without manual intervention. Traffic classification update is not occurring as expected under these conditions.
Conditions:
-- Traffic classification configured.
-- Update installation.
-- VIPRION blade is inactive, and later comes online.
Impact:
Traffic policies/rules related to updated installation do not work on inactive slot when it returns to the online state.
Workaround:
To prevent this issue from occurring, ensure that all blades are online when installation begins.
If you insert a blade, run config sync manually from the active blade.
Fix:
Upgrade script now initiates install when the slot becomes active.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
846441-1 : Flow-control is reset to default for secondary blade's interface
Links to More Info: BT846441
Component: TMOS
Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface are reset to default.
Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.
Impact:
The flow-control setting is reset to default (tx-rx).
Workaround:
Reload the configuration on the primary blade.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2
846217-1 : Translucent vlan-groups set local bit in destination MAC address
Links to More Info: BT846217
Component: Local Traffic Manager
Symptoms:
Translucent vlan-groups may set the locally-unique bit in a destination MAC address when sending traffic to a pool member/client.
Conditions:
On versions earlier than 15.0.0:
-- Translucent vlan-group is in use.
On v15.0.0 and later:
-- Translucent vlan-group is in use.
-- The connection.vgl2transparent db variable is enabled.
Impact:
Traffic handled by translucent vlan-groups may not work properly.
Workaround:
-- On versions earlier than 15.0.0, there is no workaround.
-- On version 15.0.0 and later, you can disable the connection.vgl2transparent db variable to mitigate the problem:
tmsh modify sys db connection.vgl2transparent value disable
Note: connection.vgl2transparent is disabled by default.
Fixed Versions:
14.1.4.4, 15.1.2.1
846181-1 : Request samples for some of the learning suggestions are not visible
Links to More Info: BT846181
Component: Application Security Manager
Symptoms:
Learning suggestions created from a single request do not show the source 'request log' in the 'Suggestion' GUI section.
Conditions:
'Learning Suggestion' created from only one 'Request Log' record.
Impact:
Learning suggestions created from a single request do not show the source 'request log' in the 'Suggestion' GUI section.
Workaround:
None.
Fixed Versions:
14.1.4.2, 15.1.4
846137-3 : The icrd returns incorrect route names in some cases
Links to More Info: BT846137
Component: TMOS
Symptoms:
The icrd returns incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet and considers its name as a whole. Also, the subPath field is missing from the response route object. This happens only in the case of a curl request.
Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.
Impact:
Result information is not compatible with actual result.
Workaround:
None.
Fix:
The system now verifies whether or not the leaf name is a numeric value, so this issue no longer occurs.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2
846057-2 : UCS backup archive may include unnecessary files
Links to More Info: BT846057
Component: Application Security Manager
Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.
Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.
Impact:
Those files are included in the UCS archive, which results in unusually large UCS backup files.
Workaround:
Before running the UCS backup process, remove directories:
/var/tmp/ts_db.save_dir_*.cstmp/
Fixed Versions:
13.1.4, 14.1.4, 15.1.3
845333-3 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
Links to More Info: BT845333
Component: Local Traffic Manager
Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]
Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.
Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.
Workaround:
Make the datagroup a Tcl variable to bypass validation.
Fix:
Validation can recognize the datagroup on Transport Config objects.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
845313 : Tmm crash under heavy load
Links to More Info: BT845313
Component: Policy Enforcement Manager
Symptoms:
Tmm crashes.
Conditions:
-- BIG-IP PEM is licensed and configured.
-- Heavy traffic is received by PEM virtual server.
-- The traffic pattern goes through subscriber add/delete frequently.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash related to PEM subscriber IDs.
Fixed Versions:
14.1.4, 15.1.2.1
844781-1 : [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection
Links to More Info: BT844781
Component: Access Policy Manager
Symptoms:
SELinux policy does not allow the rewrite plugin to create a directory and write troubleshooting data into /var/tmp/WebAppTrace.
Conditions:
Collecting Portal Access web applications traces per K13384: Performing a web applications trace (11.x - 14.x) :: https://support.f5.com/csp/article/K13384
Impact:
Cannot collect Portal Access web applications troubleshooting data as described in that AskF5 article.
Workaround:
Connect via SSH using the root account and run this command:
restorecon -Rv /var/tmp/WebAppTrace/
Fix:
Fixed an issue with an SELinux policy blocking Portal Access from processing web applications traces.
Fixed Versions:
14.1.4.4, 15.0.1.3, 15.1.0.2
844689-3 : Possible temporary CPU usage increase with unusually large named.conf file
Links to More Info: BT844689
Component: Global Traffic Manager (DNS)
Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.
Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).
Impact:
When a zone file is updated, a downstream effect is that the ZoneRunner process parses the named.conf file again. Parsing an unusually large file may cause a temporary increase in CPU usage.
Workaround:
None.
Fix:
ZoneRunner does not issue a reload command when zones are checked for updates, so no CPU usage increases occur.
Fixed Versions:
14.1.3.1, 15.1.2
844281-1 : [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.
Links to More Info: BT844281
Component: Access Policy Manager
Symptoms:
Java applets are not patched when accessed through APM Portal Access.
/var/log/rewrite contains error messages similar to following:
-- notice rewrite - fm_patchers/java_patcher_engine/CryptoToolsManager.cpp:568 (0x1919ab0): CryptoToolsManager :: _ReadCA() - cannot open CA file.
/var/log/auditd/audit.log contains AVC denials for rewrite on attempt to read file under /config/filestore/.
Conditions:
Java patching is enabled via rewrite profile and Portal Access resource.
Impact:
Java applets cannot be patched by APM Portal Access rewriter.
Workaround:
None.
Fix:
Fixed an issue with SELinux policy blocking Portal Access code from reading Java Patcher certificates.
Fixed Versions:
14.1.4.4, 15.0.1.3, 15.1.0.2
844085-3 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
Links to More Info: BT844085
Component: TMOS
Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:
01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.
Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.
Impact:
Unable to change the source address of a virtual server to an address list.
Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:
tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any
Fixed Versions:
14.1.2.8, 15.1.0.5, 16.0.1
844045-2 : ASM Response event logging for "Illegal response" violations.
Component: Application Security Manager
Symptoms:
Response log is not available when the request is legal but returns an illegal response status code.
In ASM, logging profiles allow the logging of all blocked responses. The existing response logging allows either all requests or illegal requests only which does not contain response logging data.
Conditions:
-- Response logging is enabled
-- An illegal response occurs
Impact:
Response logging does not occur.
Workaround:
N/A
Fix:
When a response has ASM response violations and response logging is enabled only for when there was a violation, ASM includes the response in the log.
Added an internal variable:
disable_illegal_response_logging -- default value 0.
If the response logging is enabled in the GUI, only the response logs are captured.
If the variable disable_illegal_response_logging is set to 1, then response logging is disabled (even if enabled in the GUI).
Fixed Versions:
14.1.4.6
843801-1 : Like-named previous Signature Update installations block Live Update usage after upgrade★
Links to More Info: BT843801
Component: Application Security Manager
Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.
Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.
Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.
Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat
This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.
** Another workaround in case the above does not solve the issue:
1. Stop the tomcat server:
> bigstart stop tomcat
2. Clean the live update db:
> cd /var/lib/hsqldb/live-update
> rm -f liveupdatedb.*
3. Remove all *.im files that are not genesis files (factory-default files):
3.1 Get the list of genesis files:
> less /etc/live-update-genesis.yaml | grep genes | cut -d":" -f2
3.2 Go to the update file directory:
> cd /var/lib/hsqldb/live-update/update-files
3.3 Manually remove the *.im files that are not genesis files.
4. Restart the tomcat server:
> bigstart start tomcat
Fixed Versions:
14.1.2.7, 15.1.1
843597-3 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
Links to More Info: BT843597
Component: TMOS
Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes. This issue can present itself in a few different ways, depending on the underlying platform. One example would be the BIG-IP failing to initialize vmxnet interfaces with messages similar to the following logged in /var/log/tmm:
notice vmxnet3[1b:00.0]: MTU: 9198
notice vmxnet3[1b:00.0]: Error: Activation command failed: 1
If the BIG-IP does successfully initialize its vmxnet interfaces, there can be unpredictable behavior (possibly with the hypervisor).
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- If the BIG-IP is able to initialize the vmxnet interfaces: Passing packets larger than 9000 bytes.
Impact:
The BIG-IP system may not be able to initialize the vmxnet3 interfaces on startup. If it is able to do so, then packets may be dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.
Workaround:
Modify the tmm_init.tcl file, adding the following line:
ndal mtu 9000 15ad:07b0
Fix:
The software now ensures that the default setting for the vmxnet3 driver MTU is 9000, which prevents the issue from occurring.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
843105-1 : Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP)
Links to More Info: BT843105
Component: Local Traffic Manager
Symptoms:
The BIG-IP system can now be configured to collect multicast statistics for LACP, STP, and LLDP. It is controlled by a sys db variable:
l2.virtualwire.multicast.stats
It is enabled by default.
Conditions:
This is encountered when L2 wire transparent VLAN groups are configured.
Impact:
The ability to collect and read multicast statistics makes it easier to debug L2 wire setups.
Multicast statistics can be viewed in the following tmctl table:
tmctl -w250 tmm/l2_mcast_stat
Workaround:
None.
Fix:
New statistics are available, for example:
tmctl -w250 tmm/l2_mcast_stat
Fixed Versions:
14.1.2.5
842989-7 : PEM: tmm could core when running iRules on overloaded systems
Links to More Info: BT842989
Component: Policy Enforcement Manager
Symptoms:
When session usage iRules are called on an already overloaded system, it might crash.
Conditions:
Session iRule calls on heavily overloaded BIG-IP systems.
Impact:
Tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Reduce the load on tmm, or modify and optimize the iRule.
Fixed Versions:
14.1.4, 15.1.2
842937-4 : TMM crash due to failed assertion 'valid node'
Links to More Info: BT842937
Component: Local Traffic Manager
Symptoms:
Under an undetermined load pattern, TMM may crash with the message: Assertion 'valid node' fail.
Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Refraining from using ramcache may mitigate the problem.
Fix:
The Ramcache module stops handling messages after it is torn down, so it does not attempt to use data structures that have already been deinitialized.
Fixed Versions:
12.1.5.3, 14.1.2.7, 15.1.1
842865-1 : Add support for Auto MAC configuration (ixlv)
Links to More Info: BT842865
Component: TMOS
Symptoms:
MAC addresses are forced to be the same for ixlv trunks.
Conditions:
This happens when ixlv trunks are used.
Impact:
MAC addresses may not be as depicted on the device.
Workaround:
None.
Fix:
Unicast MAC filters are used for ixlv trunks.
Fixed Versions:
14.1.2.8, 15.0.1.4, 15.1.0.5
842625-3 : SIP message routing remembers a 'no connection' failure state forever
Links to More Info: BT842625
Component: Service Provider
Symptoms:
When SIP message routing fails to route to a pool member (triggering a MR_FAILED, MR::message status of 'no connection'), the BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.
Conditions:
The BIG-IP system fails to route messages to the peer (server) due to unavailability of a route or any other issue.
Impact:
The BIG-IP system is never able to establish a connection to the peer.
Workaround:
None.
Fix:
SIP message routing now recovers from a 'no connection' failure state.
Fixed Versions:
13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.2
842189-2 : Tunnels removed when going offline are not restored when going back online
Links to More Info: BT842189
Component: TMOS
Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.
Conditions:
-- Configuration includes tunnels.
-- BIG-IP instance goes offline and then comes back online.
Impact:
Failure of tunnel packet traffic.
Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.
Fix:
Tunnels removed when going offline are now restored when going back online.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.2.1
842125-4 : Unable to reconnect outgoing SCTP connections that have previously aborted
Links to More Info: BT842125
Component: TMOS
Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.
Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.
Impact:
New connections are unable to be created resulting in dropped messages.
Workaround:
None.
Fix:
SCTP connections can now be halted and recreated to the same endpoint.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.1.0.5
842013-4 : ASM Configuration is Lost on License Reactivation★
Links to More Info: BT842013
Component: Application Security Manager
Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.
Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail
2) There is a license reactivation or the configuration is reloaded
Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'
Workaround:
In the case of license re-activation/before upgrade:
Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.
In a case of booting the system into the new version:
Option 1:
1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config from loading.
2. Reload the config from the fixed UCS file using the command in K13132.
Option 2:
1. Roll back to the old version.
2. Fix the issue that was preventing the config from loading.
3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. See K64400324.
Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
841953-5 : A tunnel can be expired when going offline, causing tmm crash
Links to More Info: BT841953
Component: TMOS
Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.
If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.
Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.
Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The tmm process no longer crashes under these conditions.
Fixed Versions:
12.1.5.3, 14.1.2.8, 15.1.0.2
841649-2 : Hardware accelerated connection mismatch resulting in tmm core
Links to More Info: BT841649
Component: TMOS
Symptoms:
Tmm receives an update from the ePVA for a hardware accelerated connection that is matched to the wrong connection. This can result in a tmm core, which is reported as a segmentation fault in the tmm log files.
Conditions:
One or more of the following:
-- A FastL4 virtual server that has hardware acceleration enabled.
-- A NAT or SNAT object without a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable hardware acceleration.
Fixed Versions:
14.1.4.1, 15.1.2
841333-5 : TMM may crash when tunnel used after returning from offline
Links to More Info: BT841333
Component: TMOS
Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.
Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2
841277-5 : C4800 LCD fails to load after annunciator hot-swap
Links to More Info: BT841277
Component: TMOS
Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.
Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.
Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.
Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable
2. Wait 10 seconds.
3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable
This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.
Fix:
The LCD now automatically reloads once a functioning annunciator card is inserted into the left slot and the top bezel is replaced. It may take up to 10 seconds for the LCD to return to normal functionality.
Fixed Versions:
14.1.4.3, 15.1.4
840809-1 : If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged
Links to More Info: BT840809
Component: Advanced Firewall Manager
Symptoms:
When subscriber info changes, the log events for LSN_PB_UPDATE are not logged.
Conditions:
Subscriber info changes. For example, when a client sends a RADIUS message with IMSI A, LSN_PB_UPDATE logs are observed. When the IMSI is later changed to B and the client sends another RADIUS message, LSN_PB_UPDATE log events are not observed.
Impact:
LSN_PB_UPDATE events are not logged.
Fix:
LSN_PB_UPDATE events are now sent even when subscriber info changes.
Fixed Versions:
14.1.4, 15.1.2
839749-2 : Virtual server with specific address list might fail to create via GUI
Links to More Info: BT839749
Component: Local Traffic Manager
Symptoms:
When a user tries to create a virtual server with an address list, it might fail with the following error:
01b90011:3: Virtual Server /Common/VS1's Traffic Matching Criteria /Common/testvs1 illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/testvs2 destination address, source address, service port.
Conditions:
-- One or more virtual servers that were created via the GUI already exist on the BIG-IP system.
-- Attempt to use the GUI to create another virtual server with an address list.
Impact:
Cannot create the virtual server.
Fix:
You can now create virtual servers with address lists directly from the GUI.
Fixed Versions:
14.1.2.8, 15.0.1.1, 15.1.0.5
839597-4 : Restjavad fails to start if provision.extramb has a large value
Links to More Info: BT839597
Component: Device Management
Symptoms:
Rolling restarts of restjavad occur every few seconds and the following messages are seen in the daemon log:
daemon.log: emerg logger: Re-starting restjavad
The system reports a similar message at the command line.
No obvious cause is logged in rest logs.
Conditions:
-- System DB variable provision.extramb has an unusually high value*:
+ above ~2700-2800 MB for v12.1.0 and earlier.
+ above ~2900-3000 MB for v13.0.0 and later.
-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'.
*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely; within tens of MB below that point, restarts may be less frequent.
To check the values of these system DB variables, use:
tmsh list sys db provision.extramb
tmsh list sys db restjavad.useextramb
Impact:
This impacts the ability to use the REST API to manage the system.
Workaround:
If sys db restjavad.useextramb needs to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB works without issue).
To set that at the command line:
tmsh modify sys db provision.extramb value 2000
If continual restarts of restjavad are causing difficulties managing the unit on the command line:
1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad
2. Reduce the large value of provision.extramb if necessary.
3. Restart the restjavad service:
tmsh start sys service restjavad
Fix:
Restjavad memory is now capped at a sensible maximum.
If provision.extramb is set to a value higher than 2500 MB it will be considered to be 2500 MB for the purposes of restjavad, and the system logs a message similar to the following in /var/log/ltm, where XXXX is the value of provision.extramb:
notice restjavad: JVM heap limit exceeded. Using maximum supported value of 2500 instead of provision.extramb XXXX.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
839401-3 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
Links to More Info: BT839401
Component: Local Traffic Manager
Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).
Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.
Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.
Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.
Fix:
GARPs are sent out as expected.
Fixed Versions:
14.1.2.5, 15.0.1.4, 15.1.0.2
839245-1 : IPother profile with SNAT sets egress TTL to 255
Links to More Info: BT839245
Component: Local Traffic Manager
Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.
Conditions:
Virtual-server with ipother profile and SNAT configured.
Impact:
Traffic leaves with egress TTL set to 255.
Workaround:
None.
Fix:
TTL is now decremented by 1 on forwarded packets.
Fixed Versions:
14.1.2.5, 15.1.0.2
839121-1 : A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★
Links to More Info: K74221031, BT839121
Component: TMOS
Symptoms:
After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.
Conditions:
The upgrade failure is seen when all the following conditions are met:
-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
(1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers
(3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.
Impact:
Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.
Workaround:
There are two possible workarounds:
-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.
-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:
1. cp /config/bigip.conf /config/backup_bigip.conf
2. Run: sed -i "s/\(\!SSLv2:\|:\!SSLv2\)//g" /config/bigip.conf
3. tmsh load /sys config
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
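A pre-upgrade check for the condition described in 839121, as an added example that is not F5 tooling: it lists the stanzas of a bigip.conf-style file whose ciphers value contains the SSLv2, COMPAT, or RC2 keyword, including negated forms such as !SSLv2. The function names and the sample configuration are constructed for illustration, and the parser assumes one `ciphers <string>` line per stanza with no spaces inside the cipher string.

```shell
#!/bin/sh
# find_legacy_ciphers [FILE...]
# Reads bigip.conf-style text (from FILE or stdin) and prints
# "<stanza header>: <cipher string>" for every top-level stanza whose
# ciphers value contains SSLv2, COMPAT or RC2 as a colon-separated token,
# optionally prefixed with !, + or -.
find_legacy_ciphers() {
    awk '
        # Top-level stanza header: starts in column 1 and ends with "{"
        /^[a-z].*[{][ \t]*$/ {
            name = $0
            sub(/[ \t]*[{][ \t]*$/, "", name)
            next
        }
        # Closing brace in column 1 ends the current stanza
        /^[}]/ { name = "" }
        # Indented "ciphers <string>" line inside a stanza
        $1 == "ciphers" && name != "" {
            n = split($2, tok, ":")
            for (i = 1; i <= n; i++) {
                if (tok[i] ~ /^[!+-]?(SSLv2|COMPAT|RC2)$/) {
                    print name ": " $2
                    break
                }
            }
        }
    ' "$@"
}

# Constructed sample input (not taken from a real system).
sample_conf() {
    cat <<'EOF'
ltm profile client-ssl /Common/clientssl {
    ciphers DEFAULT:!SSLv2
}
ltm profile client-ssl /Common/app_modern {
    ciphers ECDHE+AES-GCM:!RC4
    defaults-from /Common/clientssl
}
ltm profile server-ssl /Common/serverssl {
    ciphers COMPAT:DEFAULT
}
EOF
}

# Demonstration on the constructed sample.
sample_conf | find_legacy_ciphers
```

On a BIG-IP system the function would be pointed at /config/bigip.conf before upgrading; any stanza it prints is a candidate for the workaround above.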
838901-2 : TMM receives invalid rx descriptor from HSB hardware
Links to More Info: BT838901
Component: TMOS
Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.
Conditions:
The exact conditions under which this occurs are unknown.
Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.
Workaround:
None.
Fixed Versions:
13.1.4, 14.1.4, 15.1.2
838861-2 : TMM might crash once after upgrading SSL Orchestrator★
Links to More Info: BT838861
Component: Access Policy Manager
Symptoms:
TMM might crash due to SIGABRT.
Conditions:
-- Session check agent is present in APM per-request policy.
-- APM Access Profile scope changes during SSL Orchestrator upgrade.
-- This issue can occur for SSL Orchestrator upgrades from 14.x to 15.x and above.
Impact:
TMM might crash once. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Session check agent now exits and terminates the flow.
Fixed Versions:
14.1.2.7, 15.1.1
838709-1 : Enabling DoS stats also enables page-load-time
Links to More Info: BT838709
Component: Application Visibility and Reporting
Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.
Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.
Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.
Workaround:
You can use iRules to control which pages should get the JavaScript injection.
For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.
Fix:
Changed the condition that inserts the JavaScript injection when "collect all dos stats" is enabled.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
838685-2 : DoS report exist in per-widget but not under individual virtual
Links to More Info: BT838685
Component: Application Visibility and Reporting
Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.
Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.
Impact:
GUI widgets report errors and cannot show stats.
Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:
1. Backup the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
$ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/
2. Change permissions to allow modifying it:
$ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
3. Change the file to include the fix:
$ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
$ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
4. Verify that the fix is as expected:
$ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php
(** You should see two lines modified:
1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip')
5. Revert permissions of the file:
$ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
6. Log out and log back into the GUI, so that the new version of the file loads.
Fix:
GUI configuration for the 'Virtual Server' filter is fixed with the correct dimension name.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.0.5
838353-3 : MQTT monitor is not working in route domain.
Links to More Info: BT838353
Component: Local Traffic Manager
Symptoms:
MQTT monitor fails when non-default route domains are used.
Conditions:
-- A non-default route domain is configured for a pool member.
-- MQTT monitor is in use.
Impact:
MQTT monitor does not work in route domain.
Fixed Versions:
14.1.4.6
838305-4 : BIG-IP may create multiple connections for packets that should belong to a single flow.
Links to More Info: BT838305
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.
Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both of the following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.
Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.
Fixed Versions:
14.1.4.6
838297-1 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
Links to More Info: BT838297
Component: TMOS
Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.
Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.
Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).
Impact:
Remote AD BIG-IP users are unable to log in to the BIG-IP system using remote LDAP authentication.
Workaround:
Clear the value of shadowLastChange within AD.
Fixed Versions:
14.1.2.8, 15.1.1
837637-2 : Orphaned bigip_gtm.conf can cause config load failure after upgrading★
Links to More Info: K02038650, BT837637
Component: Global Traffic Manager (DNS)
Symptoms:
Configuration fails to load after upgrade with a message:
01420006:3: Can't find specified cli schema data for x.x.x.x
Where x.x.x.x indicates an older version of BIG-IP software than is currently running.
Conditions:
-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.
-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.
Impact:
Configuration fails to load after upgrade.
Workaround:
Before upgrading:
If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:
mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
tmsh load sys config gtm-only
After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:
mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
tmsh restart sys service all
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
837617-3 : Tmm may crash while processing a compression context
Links to More Info: BT837617
Component: Local Traffic Manager
Symptoms:
Tmm crashes on segfault.
Conditions:
Conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
14.1.4.4, 15.1.0.2
837269 : Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic
Links to More Info: BT837269
Component: Carrier-Grade NAT
Symptoms:
When hosts send ICMP unreachable error messages and these are processed by the BIG-IP system, subsequent good UDP packets do not get the persistence LSN translation address.
Conditions:
-- Virtual server with FW NAT or CGNAT configuration to accept UDP traffic.
-- Client and/or server randomly sends ICMP unreachable messages.
Impact:
LSN persistence issues. UDP packets from the same client IP address may not get the same translation address every time, even though a persistence entry exists in the table.
Workaround:
None.
Fix:
Processing ICMP unreachable packets no longer causes FWNAT/CGNAT persistence issues with UDP traffic.
Fixed Versions:
14.1.2.8, 15.1.0
837233-1 : Application Security Administrator user role cannot use GUI to manage DoS profile
Links to More Info: BT837233
Component: Advanced Firewall Manager
Symptoms:
BIG-IP GUI users configured with the Application Security Administrator role are not allowed to manage the DoS profile page and settings.
Conditions:
This affects users logged in with the Application Security Administrator role.
Impact:
DoS profiles cannot be edited from the GUI.
Workaround:
You can use either workaround:
-- Change the user role to one that allows managing DoS profile.
-- Have the Application Security Administrator user edit profiles from tmsh.
Fix:
The roles Application Security Operations Administrator and Application Security Administrator can now manage DoS profiles in the GUI.
Fixed Versions:
14.1.4, 15.1.3
836661 : Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.
Links to More Info: BT836661
Component: Local Traffic Manager
Symptoms:
Packet with unexpected source MAC is seen on the adjacent node to the BIG-IP system.
Conditions:
-- The BIG-IP system is configured in an L2 transparent mode using virtual wires.
-- Traffic forwarded between client and server in an asymmetric manner across virtual wires.
Impact:
Incorrect source MAC is used. Possible impacts to services on nodes adjacent to the BIG-IP system if policy decisions on those nodes are made with the source MAC of the received packet as input.
Workaround:
None.
Fixed Versions:
14.1.2.3, 15.1.0.2
836357-3 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
Links to More Info: BT836357
Component: Service Provider
Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.
Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- A message is sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.
Impact:
This causes the BIG-IP system to abort the flow that originates the message.
Workaround:
None.
Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
835381-1 : HTTP custom analytics profile 'not found' when default profile is modified
Links to More Info: BT835381
Component: Application Visibility and Reporting
Symptoms:
Adding SMTP config to default HTTP analytics profile results in config parsing failures for child profiles that are assigned to virtual servers. Removing SMTP config resolves the issue. The 'tmsh load sys config' command fails with the following error:
-- 01020036:3: The requested profile (/Common/child-analytics) was not found.
-- Unexpected Error: Validating configuration process failed.
Conditions:
-- Child analytics profile applied to virtual server.
-- Parent analytics profile contains SMTP config.
Impact:
Loading configuration might fail.
Workaround:
None.
Fix:
The system now avoids setting SMTP field for child profiles on MCP validation when in load/merge phase.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
835209-1 : External monitors mark objects down
Links to More Info: BT835209
Component: Global Traffic Manager (DNS)
Symptoms:
Object to which the external monitor is attached is marked down.
Conditions:
External monitors are executed that try to access something without appropriate permissions.
Impact:
Object to which the external monitor is attached is marked down.
Workaround:
None.
Fix:
This issue no longer occurs.
Fixed Versions:
14.1.4.2, 15.1.3
834373-3 : Possible handshake failure with TLS 1.3 early data
Links to More Info: BT834373
Component: Local Traffic Manager
Symptoms:
During a TLS 1.3 early data handshake, a code alert and handshake failure may occur.
Conditions:
TLS 1.3 with early data resumption.
Impact:
Handshake failure.
Workaround:
Turn off early data.
Fix:
Fixes a possible TLS 1.3 early data handshake failure and code alert.
Fixed Versions:
14.1.2.3, 15.0.1.1
833685-3 : Idle async handlers can remain loaded for a long time doing nothing
Links to More Info: BT833685
Component: Application Security Manager
Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.
Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.
Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.
Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.5
833213-3 : Conditional requests are served incorrectly with AAM policy in webacceleration profile
Links to More Info: BT833213
Component: WebAccelerator
Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.
Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.
Impact:
Client does not receive an updated resource.
Workaround:
Use a webacceleration profile without an AAM policy for resources that require conditional checks, falling back to Ramcache.
Fix:
The BIG-IP system now respects If-Modified-Since or If-Unmodified-Since header and provides an appropriate response for the requested resource when compared to the date supplied in either header.
Fixed Versions:
13.1.3.4, 14.1.2.3, 15.0.1.3, 15.1.3
833113-3 : Avrd core when sending large messages via https
Links to More Info: BT833113
Component: Application Visibility and Reporting
Symptoms:
Sending large messages (>4KB) via HTTPS may cause avrd to core.
Conditions:
This typically happens when BIG-IP is managed by BIG-IQ and the configuration is large and complex or traffic capturing is enabled.
Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due to continuous avrd cores.
Workaround:
None.
Fix:
Fixed an avrd crash.
Fixed Versions:
13.1.3.4, 14.1.4.3, 15.0.1.3, 15.1.4
833049-2 : Category lookup tool in GUI may not match actual traffic categorization
Links to More Info: BT833049
Component: Access Policy Manager
Symptoms:
Category Lookup agent has changed to include the IP in the categorization query. The BIG-IP TMUI does not do the same (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup).
Conditions:
-- SWG or URLDB provisioned.
-- Run traffic with category lookup in the PRP and note the category produced.
-- Run the same URL through the GUI lookup tool or the command line tool.
Impact:
Some websites may be categorized differently depending on if the IP address is passed in or not.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.4, 15.1.2
832857 : Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log
Links to More Info: BT832857
Component: Application Security Manager
Symptoms:
The Support ID shown to the ASM end user does not appear in the logs.
Conditions:
-- ASM provisioned.
-- Bot Defense profile attached to a virtual server.
-- Single Page Application (SPA) is enabled in the Bot Defense profile.
-- AJAX request is blocked by bot defense, and CAPTCHA is shown to the ASM end user.
Impact:
ASM end user might complain about CAPTCHA and provide their Support ID to the BIG-IP administrator, but the BIG-IP administrator will not be able to find the Support ID in the logs.
Workaround:
None.
Fix:
Bot defense has been fixed so that the Support ID shown to the ASM end user matches the Support ID in the logs.
Fixed Versions:
14.1.2.3
832805-1 : AVR should make sure file permissions are correct (tmstat_tables.xml)
Links to More Info: BT832805
Component: Application Visibility and Reporting
Symptoms:
When the avrd RPM is built, a few cfg files get the wrong set of permissions (executable).
Conditions:
Any build of the avrd RPM.
Impact:
Not having the right set of permissions can apparently lead to a system halt.
Workaround:
Change permissions on file:
# chmod -x /etc/avr/tmstat_tables.xml
Fix:
AVR now builds the RPM cfg files with the right set of permissions: they are built in 644 mode instead of as executable files.
Fixed Versions:
14.1.4.5, 15.1.4.1
832569-2 : APM end-user connection reset
Links to More Info: BT832569
Component: Access Policy Manager
Symptoms:
When the URL being accessed exceeds a length of 8 KB, the BIG-IP resets the connection.
Conditions:
-- APM deployed with a per-request policy.
-- The per-request policy includes a category lookup.
Impact:
The APM end-user connection is reset, and the system posts an error message in /var/log/apm:
-- crit tmm[23363]: 01790601:2: [C] 10.62.118.27:65343 -> 65.5.55.254:443: Maximum URL size exceeded.
Workaround:
None.
Fix:
The URL length limit has been increased from 8 KB to 32 KB.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
832205 : ASU cannot be completed after Signature Systems database corruption following binary Policy import
Links to More Info: BT832205
Component: Application Security Manager
Symptoms:
Signatures cannot be updated after signature systems have become corrupted in the configuration database, after a binary policy containing a user-defined Signature Set using an unknown System was imported.
Conditions:
Signature systems are corrupted in configuration database, because a binary policy containing a user-defined Signature Set using an unknown System was imported.
Impact:
Signatures cannot be updated.
Workaround:
Delete signature systems with an ID greater than 38, and re-add them by performing a signature update. You can delete these signature systems by running the following command:
mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "DELETE FROM PLC.NEGSIG_SYSTEMS WHERE system_group = ''"
Fixed Versions:
12.1.5.1, 14.1.2.3
831821-3 : Corrupted DAG packets causes bcm56xxd core on VCMP host
Links to More Info: BT831821
Component: TMOS
Symptoms:
On a VCMP host, bcm56xxd crashes when it receives corrupted DAG packets.
Conditions:
Unknown.
Impact:
Device goes offline, traffic disruption.
Fixed Versions:
14.1.4.5, 15.1.4.1
831781-5 : AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode
Links to More Info: BT831781
Component: Access Policy Manager
Symptoms:
Both AD Query and LDAP Auth/Query fail.
Conditions:
-- AD Query Agent, LDAP Auth Agent, or LDAP Query Agent is configured in Per-Session or Per-Request Policy.
-- These agents are configured in Direct mode.
-- The AD and LDAP server address is configured as an IPv6 address.
Impact:
Users may not be able to log in to APM, and hence service is disrupted.
Workaround:
None.
Fix:
Users are now able to log in to APM.
Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2
831661-2 : ASMConfig Handler undergoes frequent restarts
Links to More Info: BT831661
Component: Application Security Manager
Symptoms:
Under some settings and load, the RPC handler for the Policy Builder process restarts frequently, causing unnecessary churn and slower learning performance.
Conditions:
Configure one or more policies with automatic policy building enabled and learn traffic with violations.
Impact:
Control Plane instability and poor learning performance on the device.
Fix:
The Policy Builder handler is now restored to a more robust process lifecycle.
Fixed Versions:
12.1.5.1, 14.1.2.3
831549-1 : Marketing name does not display properly for BIG-IP i10010 (C127)
Links to More Info: BT831549
Component: TMOS
Symptoms:
The /var/log/ltm log includes error messages about marketing names:
Invalid marketing name.
Conditions:
-- Running BIG-IP software version 13.1.3.1.
-- Using BIG-IP i10010 (C127) platform.
Impact:
This causes errors in the logs, and affects the tmsh and LCD displays. The LCD displays C127 for the Platform Name instead of the actual platform name. The TMSH command, tmsh show sys hw, displays C127 for the Platform Name instead of the actual platform name.
Workaround:
None.
Fix:
This is fixed in version 13.1.3.2.
Fixed Versions:
13.1.3.2, 14.1.4.4
831517-1 : TMM may crash when Network Access tunnel is used
Links to More Info: BT831517
Component: Access Policy Manager
Symptoms:
TMM may crash.
Conditions:
-- APM session is established.
-- Network Access tunnel is established and used.
Impact:
APM end users experience Network Access tunnel disconnected. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes a tmm crash.
Fixed Versions:
14.1.2.7, 15.1.3
831325-2 : HTTP PSM detects more issues with Transfer-Encoding headers
Links to More Info: K10701310, BT831325
Component: Local Traffic Manager
Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.
Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.
Impact:
Traffic is not alarmed/blocked as expected.
Workaround:
None.
Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.1
831293-3 : SNMP address-related GET requests slow to respond.
Links to More Info: BT831293
Component: TMOS
Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.
Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.
Impact:
Slow performance.
Workaround:
None.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.2
830833-2 : HTTP PSM blocking resets should have better log messages
Links to More Info: BT830833
Component: Local Traffic Manager
Symptoms:
When reset-cause logging is turned on, or when RST packet logging is used, the reset reason used when rejecting bad HTTP PSM traffic is not descriptive.
Conditions:
This occurs under either of these conditions:
-- HTTP PSM is used, and a request is blocked.
-- Reset cause or RST packet logging is enabled.
Impact:
The reset reason given is not descriptive, making troubleshooting difficult.
Workaround:
None.
Fix:
The reset reason used when rejecting HTTP PSM traffic is more descriptive.
Fixed Versions:
13.1.4.1, 14.1.2.5, 15.0.1.1
830797-2 : Standby high availability (HA) device passes traffic through virtual wire
Links to More Info: BT830797
Component: Local Traffic Manager
Symptoms:
Virtual wire is forwarding traffic on standby resulting in traffic loops and potential network outage.
Conditions:
-- High availability (HA) configured.
-- Virtual wire configured.
Impact:
Standby device is passing traffic, which may create traffic loops and bring down the network.
Workaround:
Do not configure virtual wire on standby devices.
Fix:
Although you can create this configuration, the standby no longer forwards any traffic, which prevents the traffic loop and potential network outage.
Fixed Versions:
14.1.2.3, 15.0.1.1, 15.1.1
830413-4 : Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure★
Links to More Info: BT830413
Component: TMOS
Symptoms:
Deployment of BIG-IP Virtual Edition may result in an error "Failed to generate ssh host key".
Conditions:
Azure only. Observed for instances with password-based authentication.
Impact:
A timing issue exists with host key generation. The Virtual Machine is likely to be deployed, but users and automation tools might be unable to communicate with the instance.
Workaround:
BIG-IP may still be accessible despite the error.
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
830361-4 : CVE-2012-6711 Bash Vulnerability
Links to More Info: K05122252
830341-1 : False positives Mismatched message key on ASM TS cookie
Links to More Info: BT830341
Component: Application Security Manager
Symptoms:
The ASM system triggers false positives for the ASM Cookie Hijacking violation with the reason "Mismatched message key".
Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact
Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation
Workaround:
1. Disable the "Learn Host Names" flag on all policies. If the policy builder is in manual mode, change it back to Auto mode, disable "Learn Host Names", then change to manual mode.
OR
2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legitimate endpoint.
Fix:
To activate the changed functionality, set the internal parameter ignore_cookies_msg_key to 1 and restart ASM by executing the following commands in the CLI:
/usr/share/ts/bin/add_del_internal add ignore_cookies_msg_key 1
bigstart restart asm
Once enabled, the ASM system does not trigger false positives.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1
830073-3 : AVRD may core when restarting due to data collection device connection timeout
Links to More Info: BT830073
Component: Application Visibility and Reporting
Symptoms:
Avrd crashes, and one or more avrd core files exist in /var/core.
Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel.
-- Avrd is restarted.
Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes.
Workaround:
None.
Fix:
The AVRD HTTPS module now stops any connection attempts when the shutdown sequence is in progress, so this issue no longer occurs.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
829821-3 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
Links to More Info: BT829821
Component: TMOS
Symptoms:
If a very large number of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.
Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).
Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).
Workaround:
None.
Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
829677-1 : .tmp files in /var/config/rest/ may cause /var directory exhaustion
Links to More Info: BT829677
Component: TMOS
Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open.
This issue occurs because a VIPRION process is unavailable due to a REST timeout.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Manually run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Fix:
Increased the REST socket timeout value and the shellexecutor timeout value to 6 minutes to fix the VIPRION worker timeout issue.
The fix also includes automatic removal of unused tmp files.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.2, 16.0.1.1
829317-6 : Memory leak in icrd_child due to concurrent REST usage
Links to More Info: BT829317
Component: TMOS
Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.
Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing the device via REST.
Impact:
Memory slowly leaks in icrd_child.
Workaround:
None.
Fix:
Fixed a memory leak in icrd_child.
Fixed Versions:
13.1.4, 14.1.3, 14.1.3.1, 15.1.0.2
829277-1 : A Large /config folder can cause memory exhaustion during live-install★
Links to More Info: BT829277
Component: TMOS
Symptoms:
-- Live install can fail at ~96% complete.
-- System memory might be exhausted, and the kernel terminates processes as a result.
Conditions:
-- During live-install.
-- Configuration roll-forward is enabled.
-- The uncompressed UCS size is larger than the available memory.
Impact:
The kernel terminates any number of processes; any/all critical applications might become nonfunctional.
Workaround:
You can use these two techniques to mitigate this situation:
-- Any file stored under /config is considered part of the configuration, so make sure there are no large, unnecessary files included in that directory.
-- If the configuration matches or is close to total system memory size, do not roll it forward as part of live install. Instead, save the UCS manually and restore it after rebooting to the new software.
To turn off config roll forward:
setdb liveinstall.saveconfig disable
For information about manually saving and restoring configurations, see K13132: Backing up and restoring BIG-IP configuration files with a UCS archive :: https://support.f5.com/csp/article/K13132.
Fixed Versions:
14.1.3.1, 15.1.2.1
829193-2 : REST system unavailable due to disk corruption
Links to More Info: BT829193
Component: TMOS
Symptoms:
-- The iControl REST commands respond with the following:
[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'
-- The GUI indicates that iAppLX sub-system is unresponsive.
-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.
Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.
Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.
Impact:
The iControl REST system is unavailable.
Workaround:
Run the following commands at the BIG-IP command prompt:
bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat
Then, reinstall any iAppLX packages that were installed.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.0.4
828937-3 : Some systems can experience periodic high IO wait due to AVR data aggregation
Links to More Info: K45725467, BT828937
Component: Application Visibility and Reporting
Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that is running on the local database. Note that large memory footprints, particularly for avrd, might be a symptom of this issue.
Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned (in that case, ASM, APM, PEM, AFM, or AAM must be provisioned).
Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.
Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 8 cores) or 2148 (on smaller systems).
Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.
Fix:
Set the default value of the avr.stats.internal.maxentitiespertable DB variable to 2148 on systems with 8 or fewer CPU cores.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.1.0.5
828789-3 : Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters
Links to More Info: BT828789
Component: TMOS
Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.
Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.
Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP configuration.
This does not impact the BIG-IP system's ability to select the proper Client SSL profile on a virtual server that uses SNI matching to provide distinct certificates.
Workaround:
Specify fewer than 1023 characters for the Certificate Subject Alternative Names.
Fixed Versions:
14.1.2.8, 15.1.1
828773-1 : Incomplete response to an internal request by Portal Access
Links to More Info: BT828773
Component: Access Policy Manager
Symptoms:
HTTP request to /private/fm/volatile.html may return a truncated response.
Conditions:
-- Portal Access is configured for some resource.
-- The resource uses cookies.
Impact:
The web application may not work correctly.
Fix:
Now Portal Access handles internal requests correctly.
Fixed Versions:
14.1.4.2
828761-3 : APM OAuth - Auth Server attached iRule works inconsistently
Links to More Info: BT828761
Component: Access Policy Manager
Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server.
Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server.
Impact:
The OAuth scope check agent fails with 'HTTP error 503' because the iRule attached to the RS virtual server is not triggered.
Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example by adding a log. This makes the iRule trigger when it is initially attached or loaded.
Fix:
The iRule is triggered when a request comes to the OAuth RS virtual server.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
828601-3 : IPv6 Management route is preferred over IPv6 tmm route
Links to More Info: BT828601
Component: Local Traffic Manager
Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.
Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.
-- Receive another default gateway from a configured peer using any of the dynamic routing protocols (BGP, OSPF, etc.).
Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.
Workaround:
None.
Fix:
IPv6 routes now prioritize TMM interfaces.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.0.3
827393-1 : In rare cases tmm crash is observed when using APM as RDG proxy.
Links to More Info: BT827393
Component: Access Policy Manager
Symptoms:
Tmm may crash when APM is configured as an RDG proxy to access Microsoft remote desktops and applications.
Conditions:
APM is used as an RDG proxy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Tmm does not crash when APM is configured as an RDG proxy.
Fixed Versions:
14.1.4.5, 16.1.2.1
827033-3 : Boot marker is being logged before shutdown logs
Links to More Info: BT827033
Component: TMOS
Symptoms:
When rebooting the BIG-IP, the boot marker appears before the shutdown logs:
localhost notice boot_marker : ---===[ HD1.1 - BIG-IP 14.1.2 Build 0.0.37 ]===---
localhost.localdomain err logger[29153]: shutting down for system shutdown on behalf of root
localhost.localdomain notice mcpd[4645]: 01070406:5: Removed publication with publisher id shell_publish
Conditions:
The issue is observed while rebooting the device.
Impact:
Creates confusion when trying to debug an issue using log files.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4
826905-1 : Host traffic via IPv6 route pool uses incorrect source address
Links to More Info: BT826905
Component: TMOS
Symptoms:
IPv6 route pool uses an incorrect source address rather than the self IP address. As a side symptom, if there are an even number of members in the pool, only half of the pool members are attempted during load balancing.
Conditions:
-- IPv6 route pool is configured.
Impact:
Failed connections from the BIG-IP host that uses an IPv6 pool route.
Workaround:
None.
Fix:
IPv6 route pool uses the correct self IP address.
Fixed Versions:
14.1.3.1, 15.1.2
826601-5 : Prevent receive window shrinkage for looped flows that use a SYN cookie
Links to More Info: BT826601
Component: Local Traffic Manager
Symptoms:
TMM cores.
Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
-- Set the initial receive window value of the VIP to 3.
Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.
Fixed Versions:
11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.3
826349-2 : VXLAN tunnel might fail due to misbehaving NIC checksum offload
Links to More Info: BT826349
Component: Local Traffic Manager
Symptoms:
Some NICs, e.g., on BIG-IP 2000/4000 platforms, perform checksum offloading for UDP, and erroneously mark a 0 (zero) checksum as a checksum failure, even though the UDP header includes an optional, 16-bit one's complement checksum that provides an integrity check.
If the computed checksum is 0, it is transmitted as all ones. In this case the NIC should accept the checksum, but it does not.
Conditions:
NIC offload checksum of 0.
Impact:
VXLAN tunnel fails.
Workaround:
None.
Fix:
The VXLAN tunnel now ignores invalid checksums if the checksum is 0.
Fixed Versions:
14.1.4.6
825805-1 : NTLM Auth may fail due to incorrect handling of EPM response★
Links to More Info: BT825805
Component: Access Policy Manager
Symptoms:
NTLM passthrough authentication may stop working after upgrade.
Conditions:
-- NTLM authentication configured.
-- Upgraded to a BIG-IP software version that contains the implementation for the Microsoft Internet Explorer feature, 'Enhanced protected mode' (EPM).
-- There are more than two protocol sequence towers included in the EPM response.
Impact:
APM end users cannot log in.
Workaround:
None.
Fix:
The system can now parse the EPM response as expected.
Fixed Versions:
14.1.2.3, 15.0.1.3
825689-3 : Enhance FIPS crypto-user storage
Component: Local Traffic Manager
Symptoms:
Existing TMOS releases use legacy storage and generation facilities that have been supplanted in newer TMOS releases.
Conditions:
Crypto-officer access to TMSH / fipsutil.
Impact:
Did not leverage Secure Vault facilities.
Workaround:
None.
Fix:
FIPS crypto-user storage now leverages Secure Vault facilities.
Fixed Versions:
12.1.6, 13.1.4, 14.1.4, 15.1.1
825501-1 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★
Links to More Info: BT825501
Component: Protocol Inspection
Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.
It also shows different versions of the Active IM package on different slots.
Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.
Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.
As a result, traffic being processed by different blades will be using different IPS libraries, which might cause inconsistency in the functionality.
Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
825245-2 : SSL::enable does not work for server side ssl
Links to More Info: BT825245
Component: Local Traffic Manager
Symptoms:
When SSL::enable is issued in an iRule, for example in the HTTP Request event, it will not enable the server side profile if the server side profile is disabled.
Conditions:
An HTTP profile is configured on a virtual, and the server-ssl profile on the same virtual is disabled.
Impact:
The connection will close instead of completing.
Workaround:
Do not use a disabled server-ssl profile in this situation.
Fix:
The SSL::enable iRule works as expected in the above scenario.
Fixed Versions:
14.1.4.6
825013-3 : GENERICMESSAGE::message's src and dst may get cleared in certain scenarios
Links to More Info: BT825013
Component: Service Provider
Symptoms:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands may not work properly if iRule processing changes to a different TMM. These commands may return an empty string rather than correct data.
Conditions:
-- Using "GENERICMESSAGE::message src" and/or "GENERICMESSAGE::message dst" iRule commands.
-- iRule processing moves from one TMM to another TMM.
Impact:
Incorrect data returned from "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands.
Fix:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands now return correct data.
Fixed Versions:
14.1.2.7, 15.0.1.1, 15.1.0.2
824881-2 : A rare TMM crash cause by the fix for ID 816625
Links to More Info: BT824881
Component: Local Traffic Manager
Symptoms:
In rare scenarios involving HTTP unchunking and plugins, the TMM may crash.
Conditions:
Software that contains the fix for ID 816625, which involves HTTP unchunking and some plugins, dynamically removing the unchunking logic when required.
Impact:
In addition, other plugin behavior may abort the unchunking logic in an unexpected way. This causes a double-abort, and triggers a TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM no longer crashes in a rare scenario involving HTTP unchunking and plugins.
Fixed Versions:
14.1.3.1, 15.0.1.1
824365-3 : Need informative messages for HTTP iRule runtime validation errors
Links to More Info: BT824365
Component: Local Traffic Manager
Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:
err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".
The system should post a more informative message, in this case:
err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"
Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.
Impact:
With no informative error messages, it is difficult to identify the validation error.
Workaround:
There is no workaround at this time.
Fix:
Informative messages are provided for HTTP iRule runtime validation errors.
Fixed Versions:
13.1.3.6, 14.1.2.3, 15.0.1.1, 15.1.0.2
824149-3 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
Links to More Info: BT824149
Component: Service Provider
Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.
Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
824101-1 : Request Log export file is not visible for requests including binary data
Links to More Info: BT824101
Component: Application Security Manager
Symptoms:
Request Log export file is not visible.
Conditions:
The Request Log export file contains a request with binary data.
Impact:
Cannot get data from Request Log export file.
Workaround:
None.
Fixed Versions:
14.1.2.3
824093-3 : Parameters payload parser issue
Links to More Info: BT824093
Component: Application Security Manager
Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.
Conditions:
-- ASM in use.
-- Request contains multipart headers.
Impact:
Incorrect policy enforcement.
Workaround:
None.
Fix:
This release fixes an issue related to multipart requests.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3
824037-2 : Bot Defense whitelists do not apply for IP 'Any' when using route domains
Links to More Info: BT824037
Component: Application Security Manager
Symptoms:
When defining whitelists in bot defense profiles, when the IP is set to 'Any' and route domains are in use, whitelists are not applied.
Conditions:
-- Bot Defense profile is enabled.
-- Whitelist is configured for IP 'Any' (for URL or GEO).
-- Sending a request that matches the whitelist using route domains.
Impact:
Request will be mitigated.
Workaround:
For URL whitelist only:
Add a microservice to the bot defense profile and configure it as follows:
1. Add required URL.
2. Specify service type 'Custom Microservice Protection'.
3. Set the 'Mitigation and Verification' setting as required (relevant for logging only).
4. In 'Automated Threat Detection', set 'Mitigation Action' to 'None'.
5. Set the microservice 'Enforcement Mode' to 'Transparent'.
This causes the associated URL to never be blocked (but no 'whitelist' will be seen in reporting).
Fix:
Enabling IP 'Any' on route domains now works as expected.
Fixed Versions:
14.1.2.3
823921-2 : FTP profile causes memory leak
Links to More Info: BT823921
Component: Local Traffic Manager
Symptoms:
When an FTP profile is added to a virtual server, TMM leaks memory and eventually the system has to terminate connections.
Conditions:
An FTP profile is installed on a virtual server and the inherit-parent-profile parameter is enabled or isession is also included on the FTP virtual.
Impact:
TMM leaks memory and eventually the system has to terminate connections.
Workaround:
Disable the inherit-parent-profile option if fastL4 data-channel is adequate.
Fix:
Fixed a bug in the internal memory cleanup function.
Fixed Versions:
14.1.3.1
822377-2 : CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability
Component: TMOS
Symptoms:
A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
Conditions:
This flaw is only exploitable if Proxy* directives are used in Apache httpd configuration. The following command can be used to search for possible vulnerable configurations:
grep -R '^\s*Proxy' /etc/httpd/
Impact:
An attacker could cause the link on the error page to be malformed and instead point to a page of their choice.
Workaround:
This flaw is only exploitable if Proxy* directives are used in the Apache httpd configuration. As a mitigation or workaround, exclude Proxy* directives from the Apache httpd configuration.
Fix:
Removed request data from many other in-built error messages.
Fixed Versions:
14.1.2.8, 15.1.1
822245-5 : Large number of in-TMM monitors results in some monitors being marked down
Links to More Info: BT822245
Component: In-tmm monitors
Symptoms:
Pool members are marked down from the in-TMM monitor.
Conditions:
Device has a large number of in-TMM monitors.
Impact:
Monitor target may appear down when it is actually up.
Workaround:
Disable in-tmm monitors:
tmsh modify sys db bigd.tmm value disable
Fixed Versions:
14.1.4.4, 15.1.4
822025-2 : HTTP response not forwarded to client during an early response
Links to More Info: BT822025
Component: Local Traffic Manager
Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.
Conditions:
-- A slow client.
-- Early server response with the HTTP::respond iRule.
Impact:
A client does not receive the redirect from the HTTP::respond iRule.
Workaround:
None.
Fix:
The client now receives the redirect from the HTTP::respond iRule.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.4, 15.1.0.2
821369 : Incomplete Action 'Deny' does not take effect for HTTP-Connect
Links to More Info: BT821369
Component: Access Policy Manager
Symptoms:
Per-request policy's incomplete-action 'Deny' does not take effect for HTTP-Connect request.
Conditions:
-- SSL Orchestrator (SSLO) or APM is licensed and provisioned.
-- Per-request policy is created and attached to a virtual server.
-- Incomplete Action value of per-request policy is set to 'Deny'.
Impact:
The BIG-IP system does not reject the HTTP-Connect request when incomplete-action is set to 'Deny'.
Workaround:
None.
Fix:
Incomplete Action 'Deny' now takes effect for HTTP-Connect request.
Fixed Versions:
14.1.2.1
821309-3 : After an initial boot, mcpd has a defunct child "systemctl" process
Links to More Info: BT821309
Component: TMOS
Symptoms:
Zombie "systemctl" process, as a child of mcpd.
Conditions:
Reboot of the BIG-IP.
Impact:
Minimal; a single zombie process is created.
Workaround:
To get rid of the process, you can restart mcpd.
Fixed Versions:
14.1.2.7, 15.1.0.5
821133-2 : Wrong wildcard URL matching when none of the configured URLS include QS
Links to More Info: BT821133
Component: Fraud Protection Services
Symptoms:
Wildcard URLs have a flag (include_query_string) that indicates whether matching should include the traffic URL's query string (QS).
For example, if the traffic URL is '/path?a=b' and the configured URL is '/path*b':
1. If include QS is enabled, the URL is matched.
2. Otherwise, there is no match (since matching is against '/path' only).
If there are no configured URLs with "Include Query String" enabled, matching may be wrong.
Conditions:
1. Wildcard URL configured in anti-fraud profile (URL name contains an asterisk)
2. None of the configured URLs has "Include Query String" enabled
3. Traffic URL contains a query-string
Impact:
URL is incorrectly matched (when it either shouldn't be matched at all or should match another configured URL). Features/signatures might not work as expected.
Workaround:
Configure at least one URL with "Include Query String" enabled.
Fix:
FPS now matches the query string correctly (according to configuration).
Fixed Versions:
14.0.1.1, 14.1.2.3, 15.0.1.1
820845-2 : Self-IP does not respond to (ARP / Neighbour Discovery) when EtherIP tunnels in use.
Links to More Info: BT820845
Component: TMOS
Symptoms:
BIG-IP systems might not respond to (ARP / Neighbour Discovery) requests received via EtherIP tunnels on a multi-blade system.
Conditions:
Decapsulated (ARP / Neighbour Discovery) requests for an address owned by the BIG-IP system are processed by a secondary blade.
Impact:
Some endpoints may not be able to resolve (ARP / Neighbour protocol) via EtherIP tunnel.
Workaround:
Create static ARP entries on affected endpoints.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
820333-3 : LACP working member state may be inconsistent when blade is forced offline
Links to More Info: BT820333
Component: Local Traffic Manager
Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.
Conditions:
LACP updates while blade is going offline.
Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.
Fixed Versions:
14.1.3.1, 15.1.2
820213-2 : 'Application Service List' empty after UCS restore
Links to More Info: BT820213
Component: TMOS
Symptoms:
The iApps :: Applications LX list does not display anything after restoring a UCS that was taken from a different device.
Conditions:
-- Restoring a UCS from a different device.
-- UCS includes the iAppLX package.
Impact:
Cannot see anything on 'Application Service List', and you are unable to configure the application.
Workaround:
Run the following command before restoring the UCS file:
clear-rest-storage
Fixed Versions:
14.1.2.8
819397-1 : TMM does not enforce RFC compliance when processing HTTP traffic
Links to More Info: K50375550, BT819397
Component: Local Traffic Manager
Symptoms:
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.
Conditions:
-- HTTP virtual server
-- Non-compliant HTTP request from client
Impact:
Pool members may be exposed to non-compliant HTTP requests.
Workaround:
None.
Fix:
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
Behavior Change:
A new BigDB variable has been added.
The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default.
If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
The checks performed are a subset of those described within the HTTP PSM module. If a blocking page is required, or more detailed control over which checks are performed, configure HTTP PSM or ASM on the virtual server.
If either HTTP PSM or ASM are configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.
Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1
819329-2 : Specific FIPS device errors will not trigger failover
Links to More Info: BT819329
Component: Local Traffic Manager
Symptoms:
When the FIPS device experiences a hardware failure during idle-time, the device may not fail over.
Conditions:
-- FIPS hardware failure occurs, but the device is idle
Impact:
The device may not fail over on FIPS hardware failure.
Fix:
Interpret rare FIPS card failure as failover event.
Fixed Versions:
14.1.3.1, 15.1.4, 16.0.1.2
819321-1 : DoS stats table shows drops count on tcp-half-open global vector for packets dropped by ltm syn cookie
Links to More Info: BT819321
Component: Advanced Firewall Manager
Symptoms:
The DoS stats table shows a drops count on the tcp-half-open global vector for packets dropped by LTM SYN cookie, even when the tcp-half-open vector mitigation threshold is not reached on the vector.
Conditions:
-- Device DoS tcp-half-open vector is in detect-only mode or mitigate with 64000 limit.
-- LTM SYN cookies are enabled.
Impact:
The DoS stats table shows inaccurate results.
Fix:
Packets dropped by LTM SYN cookie are no longer counted against the device DoS tcp-half-open vector.
Fixed Versions:
14.1.4
819053-2 : CVE-2019-13232 unzip: overlapping of files in ZIP container
Component: TMOS
Symptoms:
CVE-2019-13232 unzip: overlapping of files in ZIP container leads to denial of service
Conditions:
Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container
Impact:
UnZip overlapping will lead to denial of service.
Workaround:
N/A
Fix:
UnZip updated to resolve CVE-2019-13232
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
819009-3 : Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol.
Links to More Info: BT819009
Component: TMOS
Symptoms:
The multicast routing protocols are implemented by pimd and mribd daemons. mribd daemon crashes in a specific configuration when debug logging is enabled for this daemon.
Conditions:
1) Dynamic Routing bundle is enabled and PIM protocol is enabled on a route domain.
2) High availability (HA) group/pair with floating self IP address is configured.
3) PIM neighbors are configured for each peer in high availability (HA) group/pair.
4) One of the peers in high availability (HA) is configured to use floating self IP address as an IP address for PIM protocol.
This is done using the 'ip pim use-floating-address' command in the PIM configuration in imish:
# ip pim use-floating-address
5) Multicast routing is configured in imish:
# ip multicast-routing
6) Debug logging for mribd is enabled:
# debug ip mrib all
# debug ipv6 mrib all
---
Note: Although steps 3 and 4 are optional, a practical configuration makes no sense without them.
Impact:
Dynamic routing daemon mribd crashes. Advanced routing not available while mribd restarts.
Workaround:
None.
Fix:
Dynamic routing daemon mribd no longer crashes when mribd debug logging is enabled.
Fixed Versions:
14.1.2.5
818889-3 : False positive malformed json or xml violation.
Links to More Info: BT818889
Component: Application Security Manager
Symptoms:
A false positive malformed XML or JSON violation occurs.
Conditions:
-- A stream profile is attached (or the http profile is set to rechunk on the request side).
-- A JSON/XML profile is attached to the virtual server.
Impact:
A false positive violation.
Workaround:
Modify the http profile to work in preserve mode for request chunking (this workaround is not possible in 16.1).
Fix:
N/A
Fixed Versions:
14.1.4.6
818853-3 : Duplicate MAC entries in FDB
Links to More Info: BT818853
Component: Local Traffic Manager
Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.
Conditions:
-- Having multiple paths to a MAC in a given configuration.
Impact:
There are duplicate MAC address entries which come from multiple interfaces.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.0.2
818833-3 : TCP re-transmission during SYN Cookie activation results in high latency
Links to More Info: BT818833
Component: Local Traffic Manager
Symptoms:
Issue is reported at the following system setup:
client <-> BIG-IP <-> concentrator <-> proxy <-> BIG-IP nat gateway <-> Internet
-- SYN Cookie got activated on F5 nat gateway.
-- Latency from 'Internet' (public host) is observed at 'Proxy' device sitting before F5 nat gw.
-- During the latency issue, SYN Cookie was active and evicting connections.
-- When SYN Cookie is enabled, it switches to l7 delayed binding as expected but it is not sending ACK for HTTP request so the client sends it again and again.
Conditions:
Hardware SYN Cookie is enabled on the FastL4 profile.
Impact:
High latency is observed.
Workaround:
Disable the SYN Cookie on the FastL4 profile.
Fixed Versions:
14.1.4.4, 15.1.4
818465-2 : Unnecessary memory allocation in AVR module
Links to More Info: BT818465
Component: Anomaly Detection Services
Symptoms:
Internal Bados indicator is not updated correctly, creating unnecessary memory allocation in AVR module.
Conditions:
Using AVR.
Impact:
Unnecessary memory consumption
Workaround:
None.
Fixed Versions:
14.1.3.1
818253-1 : Generate signature files for logs
Links to More Info: BT818253
Component: TMOS
Symptoms:
To achieve DoDIN APL certification, the BIG-IP system must guarantee the integrity of log files using the standards' recommendation of encrypting those files on the local store. The BIG-IP system does not generate signature files for logs. As a result, the system stores the audit information (i.e., the log files stored in /var/log folder and other subfolders) without creating integrity files.
Conditions:
Viewing the audit information stored in /var/log and other locations.
Impact:
Audit log files are stored without integrity files on the local system.
Workaround:
Disable local logging for audit logs and send them to remote syslog, for example:
tmsh modify sys syslog include "filter f_audit { facility(local0) and not message(AUDIT); }; "
Fix:
There is now a LogIntegrity utility provided to generate signature files for logs.
-- To enable the feature:
tmsh modify sys db logintegrity.support value enable
-- To set the LogIntegrity loglevel:
tmsh modify sys db logintegrity.loglevel value debug
You must create a private key and store it in SecureVault before enabling this feature. To do so:
1. Generate a private key with the name logfile_integrity.key, for example:
tmsh create sys crypto key logfile_integrity.key key-type rsa-private key-size 2048 gen-certificate security-type password country US city Seattle state WA organization "Example, Inc." ou "Example-Creation Team" common-name www.example.com email-address admin@example.com lifetime 365
2. Generate RSA encrypted private SSL keys:
2a. Go to the filestore location on the BIG-IP system:
cd /config/filestore/files_d/Common_d/certificate_key_d/
ls | grep logfile_integrity
:Common:logfile_integrity.key_63031_2
openssl rsa -aes256 -in :Common:logfile_integrity.key_63031_2 -out logfile_integrity_secure.key
2b. Specify the PEM password/passphrase (e.g., root0101) to use to protect the SSL private key (in this example, logfile_integrity_secure.key is the password protected private key).
2c. Run the following command to list the generated files:
ls | grep logfile_integrity
:Common:logfile_integrity.key_63031_2
logfile_integrity_secure.key
3. Install the generated password protected SSL private key with the same password (e.g., root0101) used in step 2 to store in 'secure vault' on the BIG-IP system:
tmsh install sys crypto key logfile_integrity.key passphrase example root0101 from-local-file logfile_integrity_secure.key
Once the feature is enabled and the private key installed, the signature files are generated under /var/log/digest whenever log files get rotated.
If you want to verify signatures, follow these steps:
1. Go to the filestore location on the BIG-IP system:
cd /config/filestore/files_d/Common_d/certificate_d
2. Execute the following command to generate the public key:
openssl x509 -in :Common:logfile_integrity.key_63031_2 -noout -pubkey > certificatefile.pub.cer
3. Verify the signature file using the public key:
openssl dgst -sha256 -verify /config/filestore/files_d/Common_d/certificate_d/certificatefile.pub.cer -signature /var/log/digest/audit.1.sig /var/log/audit.1
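An added example, not part of the original release note or of F5's tooling: a shell function that runs the 'openssl dgst -sha256 -verify' check from step 3 over every signature in a digest directory and flags tampered, missing and unsigned logs. The key pair, log lines and temporary paths are constructed for the demonstration; the <name>.sig naming and the *.[0-9] pattern for rotated logs are assumptions based on the audit.1 / audit.1.sig pair above.

```shell
#!/bin/sh
# Added example: audit every signature in a digest directory against its log.
# Assumptions: <digest_dir>/<name>.sig signs <log_dir>/<name> (as with the page's
# audit.1 / audit.1.sig pair) and rotated logs match *.[0-9].

# verify_logs PUBKEY LOG_DIR DIGEST_DIR
# Prints one status line per file. Returns 0 only when every rotated log has a
# signature that verifies, 1 on any finding, 2 when no signatures exist at all.
verify_logs() {
    pubkey=$1
    log_dir=$2
    digest_dir=$3
    bad=0

    # Pass 1: every signature must verify against the log it names.
    for sig in "$digest_dir"/*.sig; do
        if [ ! -e "$sig" ]; then
            echo "NO-SIGNATURES $digest_dir"
            return 2
        fi
        name=$(basename "$sig" .sig)
        log="$log_dir/$name"
        if [ ! -f "$log" ]; then
            echo "MISSING-LOG $name"
            bad=$((bad + 1))
        elif openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$log" >/dev/null 2>&1; then
            echo "OK $name"
        else
            echo "TAMPERED $name"
            bad=$((bad + 1))
        fi
    done

    # Pass 2: a rotated log with no signature is a finding too, so deleting
    # the .sig does not make a modified log drop out of the report.
    for log in "$log_dir"/*.[0-9]; do
        [ -f "$log" ] || continue
        name=$(basename "$log")
        if [ ! -f "$digest_dir/$name.sig" ]; then
            echo "UNSIGNED $name"
            bad=$((bad + 1))
        fi
    done

    [ "$bad" -eq 0 ]
}

# demo: constructed key pair and log lines in a temporary directory.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/log/digest"

    # Throwaway RSA key; on the BIG-IP the public key comes from the
    # certificate via the 'openssl x509 ... -pubkey' step instead.
    openssl genrsa -out "$work/sign.key" 2048 2>/dev/null
    openssl rsa -in "$work/sign.key" -pubout -out "$work/pub.pem" 2>/dev/null

    printf '%s\n' 'constructed: AUDIT user admin logged in' > "$work/log/audit.1"
    printf '%s\n' 'constructed: pool member 10.0.0.5:80 up' > "$work/log/ltm.1"
    for f in audit.1 ltm.1; do
        openssl dgst -sha256 -sign "$work/sign.key" \
            -out "$work/log/digest/$f.sig" "$work/log/$f"
    done

    # First run: both logs are untouched and signed.
    if verify_logs "$work/pub.pem" "$work/log" "$work/log/digest"; then
        clean=0
    else
        clean=$?
    fi

    # Simulate tampering: edit one signed log, drop another log's signature.
    printf '%s\n' 'constructed: line appended after signing' >> "$work/log/audit.1"
    rm -f "$work/log/digest/ltm.1.sig"
    if verify_logs "$work/pub.pem" "$work/log" "$work/log/digest"; then
        tampered=0
    else
        tampered=$?
    fi

    rm -rf "$work"
    echo "clean=$clean tampered=$tampered"
}

demo
```

The check is only as trustworthy as the public key and the copy of the signatures it reads, so run it with a key obtained out of band rather than one stored beside the logs.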
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1.1
818169-3 : TMM may consume excessive resources when processing DNS profiles with DNS queuing enabled
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may consume excessive resources while processing traffic with a DNS profile.
Conditions:
A DNS listener is configured with DNS queuing enabled.
DNS queuing is enabled by default.
Impact:
Excessive resource consumption, potentially leading to a TMM crash and failover event.
Workaround:
Disable DNS queuing.
Fix:
Resource limits for DNS queuing are introduced with the help of DB variables.
modify /sys db dns.ingress.queue.high value <value>
modify /sys db dns.ingress.queue.low value <value>
This change also exposes the following variables to ensure that the paths to the DNSX database are resilient in the face of a temporarily unavailable DNSX database:
modify /sys db dns.action.queue.max value <value>
modify /sys db dns.actions.poll value <value>
modify /sys db dns.contexts.poll value <value>
Modify the value to default to reset any of the above variables.
Behavior Change:
Resource limits for DNS queuing are introduced with the help of DB variables.
modify /sys db dns.ingress.queue.high value <value>
modify /sys db dns.ingress.queue.low value <value>
This change also exposes the following variables to ensure that the paths to the DNSX database are resilient in the face of a temporarily unavailable DNSX database:
modify /sys db dns.action.queue.max value <value>
modify /sys db dns.actions.poll value <value>
modify /sys db dns.contexts.poll value <value>
Modify the value to default to reset any of the above variables.
Fixed Versions:
14.1.4.6, 15.1.0.2
818109-3 : Certain plaintext traffic may cause SSL Orchestrator to hang
Links to More Info: BT818109
Component: Local Traffic Manager
Symptoms:
After upgrading SSL Orchestrator to version 5.x, traffic gets reset, SSL Orchestrator hangs, and tcpdump analysis indicates that connections are being reset due to SSL handshake timeout exceeded.
Conditions:
-- SSL Orchestrator configured.
-- Initial plaintext traffic resembles SSLv2 hello message or has less-than-enough bytes for SSL to process.
Impact:
SSL Orchestrator hangs on that connection, unable to bypass traffic until the connection times out. Other connections handle traffic during this interval.
Workaround:
None.
Fix:
This release adds a db variable to enable/disable SSLv2 hello parsing. It is called tmm.ssl.v2compatibility and is disabled by default.
Fixed Versions:
14.1.4, 15.1.2.1
817709-2 : IPsec: TMM cored with SIGFPE in racoon2
Links to More Info: BT817709
Component: TMOS
Symptoms:
TMM asserted and cored in racoon2 with this panic message:
panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.
Conditions:
When IKEv2 Phase 2 SA has no peer proposal associated with it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This issue no longer occurs.
Fixed Versions:
14.1.2.8, 15.1.0.2
817649-2 : AVR statistics for NAT cannot be shown on multi-bladed machine
Links to More Info: BT817649
Component: Application Visibility and Reporting
Symptoms:
The system presents an error message when trying to get AVR statistics for NAT:
Data Input Error: Database is unavailable.
Conditions:
Using AVR reports for NAT on a multi-bladed BIG-IP device.
Impact:
Cannot view AVR statistics for NAT.
Workaround:
1. Back up the file /etc/avr/monpd/monp_tmstat_fw_nat_entities.cfg
2. Run the following command:
sed -i 's/measures=/measures=period,/' /etc/avr/monpd/monp_tmstat_fw_nat_entities.cfg
3. Verify that the only change made to /etc/avr/monpd/monp_tmstat_fw_nat_entities.cfg was adding 'period,' to the list of measures (this can be compared against the backup file).
4. Restart monpd (to pick up the changes):
bigstart restart monpd
Fix:
Fixed formula for statistics to allow using it on a multi-bladed BIG-IP device.
Fixed Versions:
14.1.2.5, 15.0.1.3
817417-1 : Blade software installation stalled at Waiting for product image★
Links to More Info: BT817417
Component: Local Traffic Manager
Symptoms:
On a chassis system where the active/primary blade is running version 14.1.0 or later and a new blade is inserted that has version 14.0.0 or lower, the secondary blades fail to receive the updated images and the installation stalls. The primary blade reports 'Waiting for product image' when running the tmsh show sys software status command.
Conditions:
The primary blade is running version 14.1.0 or above.
A secondary blade running an earlier version is inserted.
Impact:
Newly inserted blade does not synchronize volumes with the primary blade and cannot be used.
The tmsh show sys software status command reports that one or more blades are in 'waiting for product image' status indefinitely.
Workaround:
Ensure all blades are running the same version. This can be accomplished manually by running the following command at the command prompt (this example is for new blade inserted at slot #3):
scp /shared/images/* slot3:/shared/images
Fixed Versions:
14.1.2.3, 15.0.1.4
817085-4 : Multicast Flood Can Cause the Host TMM to Restart
Links to More Info: BT817085
Component: TMOS
Symptoms:
A vCMP host tmm is restarted.
Conditions:
The vCMP host is processing heavy multicast traffic.
Impact:
The host TMM restarts and traffic stops for the guests.
Workaround:
An adjustment to the scheduling can be made by this setting of the vCMP Host configuration:
# echo "realtime yield 90" > /config/tmm_init.tcl
# bigstart restart tmm
The bigstart restart tmm must be performed individually on all blades on the vCMP host. These changes also must be done on all vCMP hosts with guests in a high availability (HA) setup.
Fix:
The host TMM no longer restarts.
Fixed Versions:
12.1.5.3, 14.1.4
816881-1 : Serverside connection may use wrong VLAN when virtual wire is configured
Links to More Info: BT816881
Component: Local Traffic Manager
Symptoms:
The server SYN flows on the wrong VLAN when tmm tries to establish a server connection. The BIG-IP system sends RST packets with an unmatched VLAN/MAC combination.
Conditions:
-- Virtual wire is configured.
-- Clientside data and handshake come in on different VLANs.
Impact:
Some client connections fail to establish.
Workaround:
None.
Fixed Versions:
14.1.2.8, 15.1.1
816625-1 : The TMM may crash in a rare scenario involving HTTP unchunking, and plugins.
Links to More Info: BT816625
Component: Local Traffic Manager
Symptoms:
The TMM crashes while passing traffic.
Conditions:
This occurs rarely on a Virtual Server configured with an HTTP profile that has HTTP response chunking enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM no longer crashes in a rare scenario involving HTTP unchunking and plugins.
Fixed Versions:
14.1.2.3, 15.0.1.1
816529-2 : If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.
Links to More Info: BT816529
Component: Traffic Classification Engine
Symptoms:
URLCAT lookups to Custom DB return Unknown result.
Conditions:
-- URL is being looked up against Custom DB
-- wr_urldbd is restarted at the same time
Impact:
Queries will likely fail in highly loaded environments if wr_urldbd is restarted for any reason.
Workaround:
None.
Fix:
wr_urldbd now restores its connection to Custom DB after a restart.
Fixed Versions:
12.1.5.2, 14.1.2.5
816277-2 : Extremely long nameserver name causes GUI Error
Links to More Info: BT816277
Component: Global Traffic Manager (DNS)
Symptoms:
Extremely long nameserver and tsig key name gives an error in the GUI while viewing:
-- Bad Request. Your browser sent a request that this server could not understand.
-- Request-URI Too Long. The requested URL's length exceeds the capacity limit for this server.
Conditions:
When nameserver and tsig key name length exceeds 3300 characters.
Impact:
The GUI reports an error when you try to view them. You are unable to view nameserver and tsig keys having extremely long names.
Workaround:
Create nameserver and tsig keys with shorter names, preferably fewer than 255 characters.
Fix:
Nameserver and tsig key names are now validated, so this error no longer occurs.
Fixed Versions:
14.1.4.4
816273-2 : L7 Policies may execute CONTAINS operands incorrectly.
Links to More Info: BT816273
Component: Local Traffic Manager
Symptoms:
L7 Policies involving CONTAINS operands may execute incorrectly in some cases.
The policy compiler may incorrectly combine some internal states, 'forgetting' degrees of partial evaluation of a CONTAINS operation.
Conditions:
Multiple CONTAINS conditions are used on the same virtual server.
Impact:
The wrong policy actions may be triggered.
Workaround:
It may be possible to reorder the rules in a policy to restore correct operation. However, the more complex the policy, the less likely this is.
Fix:
L7 Policy CONTAINS operations are compiled correctly. Policies with CONTAINS operations no longer trigger the wrong rule actions.
Fixed Versions:
13.1.3.4, 14.1.2.3, 15.0.1.1
816233-3 : Session and authentication cookies should use larger character set
Links to More Info: BT816233
Component: TMOS
Symptoms:
The session and authentication cookies are created using a limited character set.
Conditions:
Creating session and authentication cookies.
Impact:
Cookies are created with a less broad character set than they could be.
Workaround:
None.
Fix:
JSESSIONIDs and AuthCookies are created using a wider character set.
Behavior Change:
This release changes the format of the BIGIPAuthCookie and JSESSIONID cookies to use a larger alphabet during encoding (case sensitive alphanumeric).
Fixed Versions:
14.1.2.7, 15.0.1.4, 15.1.0.5
815877-1 : Information Elements with zero-length value are rejected by the GTP parser
Links to More Info: BT815877
Component: Service Provider
Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.
Conditions:
Virtual server with GTP profile enabled processing GTP traffic.
Impact:
Well-formed GTP messages might get rejected.
Workaround:
Avoid sending GTP messages containing zero-length IEs.
Fix:
Zero-length IEs are now processed correctly.
Fixed Versions:
11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.0.1.4, 15.1.0.5
815689-3 : Azure walinuxagent has been updated to v2.2.42.
Links to More Info: BT815689
Component: TMOS
Symptoms:
Some onboarding features are not available in the current version of walinuxagent.
Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.
Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.
Workaround:
None.
Fix:
The Azure walinuxagent has been updated to v2.2.42.
Fixed Versions:
14.1.2.2
815649-1 : Named.config entry getting overwritten on SSL Orchestrator deployment
Links to More Info: BT815649
Component: Device Management
Symptoms:
When topology or general settings are re-deployed, named.config is modified, and entries which do not belong to SSL Orchestrator are overwritten.
Conditions:
This occurs when topology or system settings are re-deployed.
Impact:
Content of named.conf file is lost/overwritten.
Workaround:
Modify named.conf manually or using zoneRunner (DNS :: Zones : ZoneRunner : named Configuration) after SSL orchestrator deployment.
Fixed Versions:
14.1.2.5, 15.0.1.3
815529-2 : MRF outbound messages are dropped in per-peer mode
Links to More Info: BT815529
Component: Service Provider
Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.
Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.
Impact:
Outbound traffic with the same destination address may be dropped at random.
Workaround:
Change the peer connection mode to 'Per TMM'.
Fix:
Multiple outbound messages to the same destination address are no longer randomly dropped.
Fixed Versions:
13.1.3.4, 14.1.2.7
815449-2 : BIG-IP closes connection when an unsized response is served to a HEAD request
Links to More Info: BT815449
Component: Local Traffic Manager
Symptoms:
When an HTTP response has neither Content-Length nor Transfer-Encoding and has a body, BIG-IP closes the connection to designate the end of the response body. The HTTP protocol allows a client to send a HEAD request instead of a GET request to obtain the response headers only (without a body). BIG-IP erroneously closes the connection when a response to a HEAD request lacks both Content-Length and Transfer-Encoding.
Conditions:
BIG-IP has a virtual server configured to use an HTTP profile.
The server response does not include the Content-Length or Transfer-Encoding headers in response to a HEAD request, and both the client and server sides expect the communication to continue over the same connection.
Impact:
The connection closes and a client may not repeat the corresponding GET request on another connection.
Fix:
The connection is kept open when an unsized response is provided to a HEAD request.
Fixed Versions:
14.1.2.3, 15.0.1.1
815001-1 : TMM Crash with inbound traffic during high availability (HA) failover
Links to More Info: BT815001
Component: Carrier-Grade NAT
Symptoms:
New standby device's tmm crashes and generates a core after high availability (HA) failover.
Conditions:
1. Enable inbound mode Endpoint Independent Filtering (EIF) in the source translation object.
2. Outbound traffic hits the source translation creating inbound entries.
3. Inbound traffic matches the inbound entry, and this connection stays alive.
4. High availability (HA) failover occurs.
5. Inbound connection closes, and the connection free comes from the BIG-IP system.
Impact:
New standby device's tmm may crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes with inbound traffic during high availability (HA) failover.
Fixed Versions:
14.1.3.1
814761-2 : PostgreSQL monitor fails on second ping with count != 1
Links to More Info: BT814761
Component: Local Traffic Manager
Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.
When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:
Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
at java.lang.Thread.run(Thread.java:748)
Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 769309.
Impact:
Unable to monitor the health of postgresql server pool members accurately.
Workaround:
To work around this issue, configure a 'count' value of '1' in the postgresql monitor configuration.
Fix:
The DB monitor reports the health of a DB server pool member accurately in conjunction with the fix for ID 769309.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.2.3, 15.0.1.3
814585-3 : PPTP profile option not available when creating or modifying virtual servers in GUI
Links to More Info: BT814585
Component: TMOS
Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.
Conditions:
Creating or modifying a virtual server in the GUI.
Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.
Workaround:
Use TMSH to add a PPTP profile to the virtual server.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1
814097-2 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
Links to More Info: BT814097
Component: Service Provider
Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.
Conditions:
Converting the transport of SIP messages with the Generic Message router.
Impact:
Any code that waits for the SERVER_CONNECTED event will not run.
Fix:
SERVER_CONNECTED event is raised.
Fixed Versions:
11.6.5.2, 13.1.3.4, 14.1.2.7
814053-2 : Under heavy load, bcm56xxd can be killed by the watchdog
Links to More Info: BT814053
Component: TMOS
Symptoms:
bcm56xxd crashes, and the device fails over on heartbeat error:
warning sod[7244]: 01140029:4: HA daemon_heartbeat bcm56xxd fails action is restart.
notice sod[7244]: 010c006c:5: proc stat: [0] pid:12482 comm:(bcm56xxd) state:S utime:16612520 stime:879057 cutime:11 cstime:21 starttime:1601425044 vsize:2189299712 rss:527927 wchan:18446744073709551615 blkio_ticks:0 [-1] pid:12482 comm:(bcm56xxd) state:S
Conditions:
-- HA configured.
-- Programming the DAG while it is under heavy load (i.e., a large number of objects that have to be programmed into the switches).
Impact:
The bcm56xxd daemon may restart and produce a core file. It then continues trying to program the DAG.
This causes a system to go offline and stop processing traffic.
Workaround:
None.
Fix:
The bcm56xxd daemon no longer crashes while the DAG is being programmed.
Fixed Versions:
14.1.4
814037-4 : No virtual server name in Hardware Syncookie activation logs.
Links to More Info: BT814037
Component: Local Traffic Manager
Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:
notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.
Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.
Impact:
Difficult to determine which virtual server actually got the Syncookie activated.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1
813945-3 : PB core dump while processing many entities
Links to More Info: BT813945
Component: Application Security Manager
Symptoms:
PB core dump.
Conditions:
This may happen when the system is strained and PB is processing large policies (updating many entities may happen during periodic processing, response analysis).
This is a very rarely occurring scenario.
Impact:
PB core dump and restart.
Workaround:
None.
Fix:
PB core dump no longer occurs.
Fixed Versions:
13.1.3.2, 14.1.2.3
813701-3 : Proxy ARP failure
Links to More Info: BT813701
Component: Local Traffic Manager
Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.
Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.
Impact:
ARP replies are dropped, leading to connection failures.
Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.
Fixed Versions:
14.1.2.7, 15.1.0.5
813561-3 : MCPD crashes when assigning an iRule that uses a proc
Links to More Info: BT813561
Component: Local Traffic Manager
Symptoms:
MCPD crashes when assigning an iRule to a Virtual Server or loading a config with an iRule assigned.
Conditions:
The iRule must use a proc that contains three statements associated with different feature flags.
Impact:
MCPD crashes, and the desired iRule cannot be used.
Workaround:
None
Fix:
iRules using proc can be assigned to a Virtual Server without crashing MCPD.
Fixed Versions:
13.1.3.4, 14.1.2.8, 15.0.1.3
813409-1 : BD crash under certain circumstances
Links to More Info: BT813409
Component: Application Security Manager
Symptoms:
BD crashes with an error message:
01230140:3: RST sent from 10.0.1.101:83 to 10.0.1.1:464, [0x2911514:1148] Internal error (ASM requested abort (open error)).
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disruption / failover.
Workaround:
None.
Fix:
This release fixes a bd crash scenario.
Fixed Versions:
14.1.2.7
813389-1 : TMM Crashes upon failure in Bot Defense Client-Side code
Links to More Info: BT813389
Component: Application Security Manager
Symptoms:
In some cases, when Bot Defense Client-Side code is running in the browser, it causes TMM to crash.
Conditions:
-- Bot Defense is enabled with any JS browser verification (before or after access).
-- Surfing using a browser to an html page.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
A sanity test was added so that TMM does not crash.
Fixed Versions:
14.1.2.3
813301 : LSN_PB_UPDATE logs are not generated when subscriber info changes
Links to More Info: BT813301
Component: Advanced Firewall Manager
Symptoms:
LSN_PB_UPDATE logs are not generated when subscriber info changes.
Conditions:
Logging profile indicates that LSN_PB_UPDATE events should be logged.
Impact:
The expected logs are not generated.
Workaround:
None.
Fixed Versions:
14.1.3.1, 15.1.0
812981-4 : MCPD: memory leak on standby BIG-IP device
Links to More Info: BT812981
Component: TMOS
Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.
Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically
Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.
Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.
Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
812929-2 : mcpd may core when resetting a DSC connection
Links to More Info: BT812929
Component: TMOS
Symptoms:
In rare circumstances mcpd may core when resetting its DSC connection.
Conditions:
The exact conditions are not known for this to occur. The BIG-IP system must be in a Device Service Cluster, and must have configuration sync enabled. It might be related to when an Administrative BIG-IP user makes manual changes to the device trust group that would cause the trust to be broken (and optionally, re-established).
Impact:
mcpd cores and restarts. This results in a failover to the next active peer.
Workaround:
None.
Fix:
The system now prevents mcpd from coring when it resets its DSC connection.
Fixed Versions:
14.1.2.7, 15.0.1.4
812525-3 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003, BT812525
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
812341-2 : Patch or Delete commands take a long time to complete when modifying an ASM signature set.
Links to More Info: BT812341
Component: Application Security Manager
Symptoms:
When modifying an ASM signature set that is not attached to any security policy using iControl REST Patch or Delete commands, the command takes a long time to complete.
Conditions:
-- ASM provisioned.
-- Using REST API Patch or Delete command to modify an ASM signature set.
Impact:
Command takes longer (several seconds) to process on detached ASM signature sets than it takes to complete on attached signature sets.
Workaround:
None.
Fix:
Changes to signatures and signatures sets now only recompile policies that are affected by the change.
Fixed Versions:
13.1.3.2, 14.1.2.3
811973-2 : TMM may crash when shutting down
Links to More Info: BT811973
Component: TMOS
Symptoms:
When the TMM is shutting down, a driver may be in a partially initialized state. When a buffered packet is flushed, the driver may crash.
Conditions:
-- BIG-IP Virtual Edition.
-- The TMM is shutting down while traffic is being processed.
Impact:
A TMM restart may be delayed while the TMM writes a core file. Traffic disrupted while the tmm process restarts.
Workaround:
None
Fix:
The TMM shuts down properly without crashing.
Fixed Versions:
14.1.4
811745-2 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
Links to More Info: BT811745
Component: Service Provider
Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.
Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.
Impact:
Loss of mirroring between BIG-IP systems.
Workaround:
None.
Fix:
Mirror connections no longer disconnect during a failover.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.1
811701-1 : AWS instance using xnet driver not receiving packets on an interface.
Links to More Info: BT811701
Component: TMOS
Symptoms:
Packets are being sent to the AWS instance but no packets are seen on the interface.
Conditions:
-- AWS instance using xnet driver.
-- Occurs when the instance is idle and then suddenly passes traffic again.
-- Other, more specific conditions are unknown at this time.
Impact:
Packets are lost on the interface, which in turn causes data loss.
Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this would be the 'sock' driver.
Use the following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)
# echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl
# echo "ndal force_sw_tcs off 1d0f:ec20" >> /config/tmm_init.tcl
[check that the file's contents are correct]
# cat /config/tmm_init.tcl
[restart the BIG-IP system's TMM processes]
# bigstart restart tmm
[make certain that the 'driver_in_use' is 'sock']
# tmctl -dblade -i tmm/device_probed
Fixed Versions:
14.1.2.7, 15.0.1.4, 15.1.0.2
811333-2 : Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile★
Links to More Info: BT811333
Component: Local Traffic Manager
Symptoms:
After upgrade, configuration load fails and the following error is present in /var/log/ltm log:
01070312:3: Invalid keyword 'sslv2' in ciphers list for profile /Common/serverssl-insecure-compatible
Unexpected Error: Loading configuration process failed.
Conditions:
-- BIG-IP system with SSLv2 as ciphers option in SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
Impact:
The config is not loaded, and upgrade fails.
Workaround:
If you are encountering this after upgrading, run the following commands from the bash prompt:
1. Backup the configuration:
#cp /config/bigip.conf /config/bigip_backup.conf
2. List the occurrences of 'sslv2' in the bigip.conf:
#more bigip.conf | grep -i sslv2
3. Remove the SSLv2 references:
#sed -i "s/\!SSLv2://g" /config/bigip.conf
4. Check to ensure there are no 'sslv2' references:
#more bigip.conf | grep -i sslv2
5. Verify the configuration:
#tmsh load sys config verify
6. Try loading the configuration:
#tmsh load sys config
Fix:
SSLv2 validation is removed from the configuration and upgrade succeeds.
Fixed Versions:
14.1.2, 15.0.1
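For the 811333 workaround above, the following added example (not F5 code) reports which SSL profiles still carry an 'sslv2' keyword, so the check in steps 2 and 4 names the affected profile instead of only printing matching lines. It assumes the usual bigip.conf layout (a top-level 'ltm profile client-ssl|server-ssl <name> {' header, an indented 'ciphers' line, and a closing '}' in column 0); the function names and every sample profile other than the one named in the log message are constructed.

```shell
#!/usr/bin/env bash
# Added example, not F5 code. Works on a COPY of the config; never edits in place.

# find_sslv2_profiles FILE
# Prints "<profile name><TAB><ciphers value>" for every client-ssl/server-ssl
# profile whose ciphers list contains 'sslv2' in any letter case.
find_sslv2_profiles() {
    awk '
        # Stanza header (assumed layout): ltm profile server-ssl /Common/name {
        /^ltm profile (client-ssl|server-ssl) / { profile = $4; next }
        # A closing brace in column 0 ends the current top-level stanza.
        substr($0, 1, 1) == "}" { profile = "" }
        profile != "" && $1 == "ciphers" {
            value = $0
            sub(/^[ \t]*ciphers[ \t]+/, "", value)
            if (tolower(value) ~ /sslv2/)
                printf "%s\t%s\n", profile, value
        }
    ' "$1"
}

# strip_sslv2_copy SRC DST
# Applies the same substitution as step 3 of the workaround, but writes the
# result to DST so the original file and its backup stay untouched.
strip_sslv2_copy() {
    sed 's/!SSLv2://g' "$1" > "$2"
}

# write_sample_conf FILE
# Constructed sample input. Only the first profile name comes from the log
# message quoted in the release note; the rest is made up for the demo.
write_sample_conf() {
    cat > "$1" <<'EOF'
ltm profile server-ssl /Common/serverssl-insecure-compatible {
    app-service none
    ciphers !SSLv2:!EXPORT:!DHE+AES-GCM:ALL:!DH
    defaults-from /Common/serverssl
}
ltm profile client-ssl /Common/legacy-clientssl {
    ciphers DEFAULT:!sslv2
}
ltm profile client-ssl /Common/modern-clientssl {
    ciphers ECDHE+AES-GCM
}
EOF
}

# Stand-alone use: pass a path to a copy of bigip.conf to list affected profiles.
if [ $# -gt 0 ]; then
    find_sslv2_profiles "$1"
fi
```

In the sample, the second profile survives the substitution because its keyword is lower case and has no trailing colon, which is the kind of leftover the re-check in step 4 is there to catch before 'tmsh load sys config verify'.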
811161-1 : Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992
Links to More Info: BT811161
Component: Local Traffic Manager
Symptoms:
TMM cores when creating a virtual server.
Conditions:
ISO build that includes a fix for the following IDs:
-- ID 718790 :: Bug ID 718790: Traffic does not forward to fallback host when all pool members are marked down :: https://cdn.f5.com/product/bugtracker/ID718790.html.
-- ID 783617 :: Bug ID 783617: Virtual Server resets connections when all pool members are marked disabled :: https://cdn.f5.com/product/bugtracker/ID783617.html.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now handles the case in which the virtual address tags come in different orders.
Fixed Versions:
14.1.3.1
811157-2 : Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself
Links to More Info: BT811157
Component: Advanced Firewall Manager
Symptoms:
"Global Staged Default Action" message is logged into the firewall log for ICMP traffic targeted to Self-IP or Virtual Server destination address, even though this traffic can never be affected by Global Default Actions.
The "Global Staged Default Action" counter is also incremented.
Conditions:
Logging is enabled for Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "enabled" (this sys db has value "disabled" by default).
There are no special conditions for the "Global Staged Default Action" counter increment.
Impact:
Misleading messages are logged into the firewall log.
The "Global Staged Default Action" counter is incorrectly incremented.
The traffic itself is not affected and there are no other negative effects except the incorrect log message and counter update.
Workaround:
There is no workaround regarding the "Global Staged Default Action" counter increment.
To prevent the misleading log message, disable logging of Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "disabled".
Fix:
The "Global Staged Default Action" message is not logged and corresponding counter is not incremented for ICMP traffic targeted to Self-IP or Virtual Server destination address.
Fixed Versions:
14.1.2.8
811149-1 : Remote users are unable to authenticate via serial console.
Links to More Info: BT811149
Component: TMOS
Symptoms:
Attempts to log in to the serial console with remote user credentials (e.g., RADIUS, LDAP, TACACS remote auth) fail with one of the following error messages:
-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)
Conditions:
Configure system for remote authentication and attempt authentication via serial console.
Impact:
Remote authentication users are unable to log in via the serial console.
Workaround:
There are two workarounds:
-- Remote authentication users can log in using an SSH connection to the BIG-IP system's management IP address.
-- Use the credentials of a local user account to log in to the serial console.
Fixed Versions:
14.1.2.8, 15.0.1.4, 15.1.0.2
811145-2 : VMware View resources with SAML SSO are not working
Links to More Info: BT811145
Component: Access Policy Manager
Symptoms:
Connections to SAML-enabled VMware View resources fail with the following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.
Conditions:
VMware View resource is configured with SAML SSO method.
Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.
Workaround:
None.
Fix:
Can now successfully use VMware View resources with SAML SSO.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
811105-1 : MRF SIP-ALG drops SIP 183 and 200 OK messages
Links to More Info: BT811105
Component: Service Provider
Symptoms:
SIP 183 and 200 OK messages are dropped after an INVITE in MRF SIP-ALG when media info is present in the Session Description Protocol.
Conditions:
- MRF SIP-ALG default configuration
- INVITE sent with media info in SDP
- Media info contains an rtcp without an IP address
Impact:
SIP calls are unable to establish media connections.
Workaround:
Ensure all RTCP attributes in the SDP have IP addresses.
Example: Change "a=rtcp:29974\r\n" to "a=rtcp:29974 IN IP4 10.10.10.10\r\n"
Fix:
Calls are able to establish media connections in MRF SIP-ALG when media info contains an RTCP with no IP information.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.4
811053-2 : REBOOT REQUIRED prompt appears after failover and clsh reboot
Links to More Info: BT811053
Component: TMOS
Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.
Conditions:
This issue can be created by doing the following:
- using a VIPRION system with at least 2 blades running
- AAM is not provisioned
- reset the primary blade
- immediately following the blade reset, run 'clsh reboot' on a secondary blade.
Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #
Any blade with this prompt must be rebooted again.
Workaround:
None currently known.
Fixed Versions:
14.1.2.7, 15.1.2
811033-2 : MRF: BiDirectional persistence does not work in reverse direction if different transport protocols are used
Links to More Info: BT811033
Component: Service Provider
Symptoms:
If a message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP), messages traveling from the destination to the source of the persistence entry are incorrectly delivered to the destination.
Conditions:
-- A message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP).
-- Messages are traveling from the destination to the source of the persistence entry.
Impact:
Messages are forwarded to an incorrect endpoint.
Workaround:
None.
Fix:
For all bi-directional persistence records the transport protocol of the connection is not used in the key used to store the record.
Fixed Versions:
13.1.3.4, 14.1.2.5
810957-2 : Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
Links to More Info: BT810957
Component: TMOS
Symptoms:
When using dynamic routing, changing a virtual server's address from IPv6 to IPv4 can cause tmrouted to core.
Conditions:
-- Using dynamic routing.
-- Changing a virtual server's destination address from IPv6 to IPv4.
-- The virtual server's state changes.
Impact:
Tmrouted cores and restarts, which causes a temporary interruption of dynamic routing services.
Workaround:
Use TMSH to modify both the destination address and the netmask at the same time, e.g.:
tmsh modify ltm virtual <virtual server name> destination <destination address> mask <netmask>
Fix:
tmrouted no longer cores when a virtual server's address is changed from IPv6 to IPv4.
Fixed Versions:
12.1.5.3, 14.1.2.5, 15.0.1.4
810821-1 : Management interface flaps after rebooting the device.
Links to More Info: BT810821
Component: TMOS
Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.
Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.
This problem has been observed only on hardware platforms.
Impact:
Devices go active-active for a few seconds and then resume normal operation.
Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.
For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.
Alternatively, connecting a serial failover cable between the HA peers prevents the active-active condition from happening.
Fix:
The startup sequence has been changed to confirm that management port configuration is complete before proceeding with HA processing.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.2
810593-2 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★
Links to More Info: K10963690, BT810593
Component: TMOS
Symptoms:
The vCMP guests go to 'INOPERATIVE' after upgrade.
Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5.
Impact:
The vCMP guests go to the 'INOPERATIVE' state and do not pass traffic.
Workaround:
There is no workaround. You must upgrade the vCMP host to a fixed version, for example, 15.1.0.
Fixed Versions:
13.1.3.5, 14.1.2.7
810533-4 : SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
Links to More Info: BT810533
Component: Local Traffic Manager
Symptoms:
When the client attempts to connect, even when sending the proper SNI extension, the BIG-IP system resets the connection after the client hello.
Conditions:
-- SNI Required set to true.
-- No Server Name configured in the client SSL profile.
Impact:
SSL connections with valid SNI are closed, and the client cannot connect. With generic alerts enabled, you will see 'SSL alert number 40'. This is because the system does not read the server names from the SAN extension within the certificate.
Workaround:
Specify a valid server name in the server name field of the client SSL profile.
Fixed Versions:
14.1.2.7
810497-2 : Pabnagd cores during device group settings changes
Links to More Info: BT810497
Component: Application Security Manager
Symptoms:
Pabnagd crashes with a core.
Conditions:
This can occur intermittently when device group settings are changed.
Impact:
Due to pabnagd restart, up to 1 hour of policy builder learning progress is lost.
Workaround:
None
Fix:
Fixed a pabnagd crash.
Fixed Versions:
14.1.4.2
810445-2 : PEM: ftp-data not classified or reported
Links to More Info: BT810445
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured with an FTP profile, and also a PEM or classification profile, the traffic associated with the FTP data stream is not correctly classified or reported.
Conditions:
-- Virtual server is configured with an FTP profile.
-- There is also PEM or classification profile.
Impact:
Traffic associated with ftp-data (i.e., file transfers using FTP) may not be classified or reported.
Workaround:
None.
Fix:
Ftp-data is now correctly classified and reported. Note that the 'inherit-parent-profile' in the FTP profile must be enabled.
Fixed Versions:
13.1.3.5, 14.1.2.8
810381-4 : The SNMP max message size check is being incorrectly applied.
Links to More Info: BT810381
Component: TMOS
Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size, it then applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests to time out if they are too long or if their responses are too long, for example, large get bulk requests.
Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.
Impact:
Responses time out.
Workaround:
Do not send SNMPv3 requests to the BIG-IP system.
Fix:
SNMPv3 requests no longer impact SNMPv1 and SNMPv2c requests.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.0.4
809729-2 : When HTTP/2 stream is reset by a client, BIG-IP may not respond properly
Links to More Info: BT809729
Component: Local Traffic Manager
Symptoms:
When a client resets the HTTP/2 stream, the BIG-IP system may have several DATA frames ready to send. It drops these frames but does not credit their lengths back to the connection send window. This can reduce the window to a value at which no DATA frames are sent over this connection until the client updates the send window.
Conditions:
-- BIG-IP system has a virtual server.
-- HTTP/2 profile is assigned to it.
Impact:
For any subsequent request after the send window loses enough size, DATA frames with payload are not sent to the client over the affected HTTP/2 connection.
Workaround:
None.
Fix:
When dropping DATA frames, BIG-IP systems now correctly credit their lengths back to the connection send window.
Fixed Versions:
14.1.2.5, 15.0.1.1
809701-2 : Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist
Links to More Info: BT809701
Component: Local Traffic Manager
Symptoms:
In BIG-IP GUI iRule definitions, when hovering over HTTP::proxy, the help text mentions 'HTTP::proxy dest', which is an invalid command.
Conditions:
The system displays incorrect information when the iRule help text is visible.
Impact:
The help text mentions 'HTTP::proxy dest', which is an invalid command option.
Workaround:
Do not use the invalid 'HTTP::proxy dest' command.
Fix:
The help text now shows 'HTTP::proxy', which is correct.
Fixed Versions:
14.1.3.1, 15.0.1.3, 15.1.2
809657-2 : HA Group score not computed correctly for an unmonitored pool when mcpd starts
Links to More Info: BT809657
Component: TMOS
Symptoms:
When mcpd starts up, unmonitored pools in a high availability (HA) group do not contribute to the HA group's score.
Conditions:
-- HA group configured with at least one pool.
-- At least one of the pools assigned to the HA group is not using monitoring.
-- mcpd is starting up (due to bigstart restart, or a reboot, etc.).
Impact:
Incorrect HA Group score.
Workaround:
Remove the unmonitored pools from the HA group and re-add them.
Fixed Versions:
14.1.4.4, 15.1.4.1
809597-3 : Memory leak in icrd_child observed during REST usage
Links to More Info: BT809597
Component: Local Traffic Manager
Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.
Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.
Impact:
The memory leak is gradual. Eventually, the icrd_child process runs out of memory.
Workaround:
None.
Fix:
Fixed a memory leak in icrd_child.
Fixed Versions:
13.1.4, 14.1.3, 15.1.0.2
809553 : ONAP Licensing - Cipher negotiation fails
Links to More Info: BT809553
Component: TMOS
Symptoms:
Cipher negotiation fails between the BIG-IP and a third-party license server.
Conditions:
This occurs when BIG-IP is deployed in a custom ONAP environment that uses a third-party license server.
Impact:
TLS negotiation fails.
Workaround:
Change the order of ciphers.
Enable only ECDHE ciphers.
Fixed Versions:
14.1.3.1
809377-6 : AFM ConfigSync Hardening
Links to More Info: K05123525
809205 : CVE-2019-3855: libssh2 Vulnerability
Component: TMOS
Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.
Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.
Impact:
A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
Workaround:
None.
Fix:
libcurl updated
Fixed Versions:
12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1, 15.1.3, 16.0.1.2
809125-2 : CSRF false positive
Links to More Info: BT809125
Component: Application Security Manager
Symptoms:
A CSRF false-positive violation.
Conditions:
CSRF enforcing security policy.
This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.
Impact:
False-positive Blocking / Violation
Workaround:
If this happens, change the CSRF parameter and restart the asm daemon:
1. Change the CSRF token name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>
2. Restart the asm daemon:
restart asm
Fixed Versions:
12.1.5.1, 14.1.2.7, 15.1.0.5
808893-2 : DNS DoS profile vectors do not function correctly★
Links to More Info: BT808893
Component: Advanced Firewall Manager
Symptoms:
Clients report that DNS TXT queries are not working. In /var/log/ltm, you see the following error:
DOS attack start was detected for vector TXT query DOS.
Conditions:
This can occur when DNS profile DoS vectors are enabled. It can be encountered after upgrading.
Impact:
DNS DoS detection and mitigation is not functioning correctly.
Workaround:
None.
Fix:
DNS DoS profile vectors are now detected correctly.
Fixed Versions:
14.1.4.6
808889-2 : DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold
Links to More Info: BT808889
Component: Advanced Firewall Manager
Symptoms:
Incorrect hw_offload status for DoS vector or signature in tmctl dos_stat after the attack has stopped.
Conditions:
BIG-IP system with DoS-accelerated vectors support (SPVA support).
Impact:
DoS vector/signature stays hardware-accelerated.
Workaround:
After the attack, change the state of the DoS vector/signature to detect-only. Then return the vector state to mitigate.
Fix:
Hardware-acceleration status for the vector/signature is updated based on observed traffic.
Fixed Versions:
14.1.4.6
808409-3 : Unable to specify if giaddr will be modified in DHCP relay chain
Links to More Info: BT808409
Component: Local Traffic Manager
Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.
However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior is not configurable with a db key.
Conditions:
DHCP Relay deployments where the giaddr needs to be changed.
Impact:
You are unable to specify whether giaddr will be changed.
Workaround:
None.
Fix:
A new sys db, tmm.dhcp.relay.giaddr.overwrite, is introduced.
The default is:
sys db tmm.dhcp.relay.giaddr.overwrite {
value "enable"
}
On versions with a fix to 746077, the sys db DOES NOT exist and BIG-IP will always retain the source IP
On versions with both this fix and ID748333 fix, this fix overrides the fix for 746077. To change the default, set to "disable" to retain
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
808129-1 : Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.
Links to More Info: BT808129
Component: TMOS
Symptoms:
BIG-IP 14.1.0.3 on AWS license does not complete from BIG-IQ.
Conditions:
-- Using BIG-IQ.
-- Attempting to license BIG-IP 14.1.0.3 on AWS.
Impact:
Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.
Workaround:
Restart restjavad on the BIG-IP system.
Fix:
Can now use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.
Fixed Versions:
14.1.2, 15.0.1
807453-1 : IPsec works inefficiently with a second blade in one chassis
Links to More Info: BT807453
Component: TMOS
Symptoms:
Under high availability (HA) configurations, a secondary blade does not receive mirrored updates for security associations (SAs).
When a new ike-peer is created, if that peer's IP address is handled by a secondary blade, all IKE negotiation packets are dropped after forwarding between primary and secondary blades.
But an ike-peer that is present from the start is mistakenly assigned to a primary blade, and thus works correctly.
Conditions:
-- More than one blade: a secondary blade in addition to a primary blade.
-- Remote ike-peer IP addresses that happen to hash to a secondary blade by the BIG-IP system disaggregation (DAG) mechanism.
-- Configuration for Active-Standby, which works on Active but fails to mirror SAs to Standby, when the IP address would be handled by a secondary blade.
Impact:
After failover from Active to Standby, missing SAs that could not be mirrored are renegotiated, causing tunnel outage until new negotiation concludes.
After adding a new ike-peer that should negotiate on a secondary blade, all IKE packets vanish, so no tunnel is ever created for such an ike-peer.
In high availability (HA) configurations, tunnels re-establish after renegotiation, for tunnels that would be assigned to a secondary blade. This works, but undercuts the benefit of high availability (HA) for tunnels other than those on a primary blade.
Workaround:
For a new ike-peer assigned to a secondary blade, restart tmm or the blade, and when the system comes back up, this peer is handled on the primary blade.
Note: Although this peer can then create a tunnel, any secondary blade is unused by IPsec.
Fix:
Assignment of blade ownership is now correct after a restart, even when blades are slowly discovered incrementally, or added dynamically after a system has come up.
HA mirroring works, and SAs are present after failover.
Tunnels are negotiated on secondary blades, so ike-peer instances with IP addresses handled on a secondary blade function as well as those on a primary blade.
Fixed Versions:
14.1.2.8
807337-3 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
Links to More Info: BT807337
Component: TMOS
Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction attempts 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.
Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object (such as delete, create, modify).
Impact:
The GUI shows misleading info about the pool monitor. The monitor-related object may be unchanged, or monitoring may stop for that object.
Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').
Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1.1
807177-2 : HTTPS monitoring is not caching SSL sessions correctly
Links to More Info: BT807177
Component: Global Traffic Manager (DNS)
Symptoms:
In situations where a cached SSL session cannot be used, there are conditions where the information for old and new SSL sessions is not properly updated, and valid SSL sessions are not terminated in an orderly fashion.
Conditions:
When using GTM HTTPS monitoring.
Impact:
Information for old and new SSL sessions is not properly updated, and valid SSL sessions are not terminated in an orderly fashion.
Workaround:
Restart big3d by running the following command:
bigstart restart big3d
Fixed Versions:
13.1.3.4, 14.1.2.5
807005-1 : Save-on-auto-sync is not working as expected with large configuration objects
Links to More Info: BT807005
Component: TMOS
Symptoms:
The device group has 'save sys config' enabled for all auto-sync operations, set using the following command:
modify cm device-group name save-on-auto-sync true
Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.
Conditions:
-- The save-on-auto-sync option is enabled.
-- The device has a large configuration, such as 2,100 virtual servers and ~1100 partitions.
Impact:
Configuration is not saved, which leads to out-of-sync condition.
Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.
Fixed Versions:
11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
806985 : Engineering Hotfix installation may fail when Engineering Hotfix contains updated nash-initrd package★
Links to More Info: BT806985
Component: TMOS
Symptoms:
Installation of an Engineering Hotfix based on BIG-IP 14.1.0 or later may fail in some cases if the Engineering Hotfix contains an updated nash-initrd package.
When this issue occurs:
-- The system software status for the affected volume on the new blade shows a status of 'failed (RPM transaction failure.)'
-- The /var/log/liveinstall.log file on the new blade contains a message similar to the following:
info: RPM: error: %post(nash-initrd-5.1.19.6-68.el7.1.0.17.7.x86_64) scriptlet failed, exit status 1.
Conditions:
This issue may occur under some conditions when installing an Engineering Hotfix based on a BIG-IP version between 14.1.0 and 14.1.2.6 inclusive, which contains an updated nash-initrd package.
The specific conditions under which this issue may occur have not been confirmed, but are reported to include:
-- Using B4450, B2100, B2150 or B2250 blades in a VIPRION chassis.
-- Installing an affected Engineering Hotfix into a new software volume on all blades in the chassis.
-- Inserting a new blade into a VIPRION chassis where the primary blade is running an affected Engineering Hotfix but the new blade is currently running an older BIG-IP software version (such as v12.1.x).
There may be other conditions under which this problem may occur which have not yet been confirmed.
See Bug Tracker for updated information as details are confirmed.
Impact:
Unable to install a software image containing an affected Engineering Hotfix to one or more blades in VIPRION chassis.
Workaround:
Specific workarounds for specific reported conditions have not yet been confirmed, but may include:
-- In a VIPRION chassis, booting into a software volume that is not running an affected Engineering Hotfix; inserting the new blade and waiting for all software volumes to be successfully installed/updated; and then booting the blades into the software volume that is running the affected Engineering Hotfix.
-- In a VIPRION chassis, rebooting all blades into a common volume that has been successfully installed (such as v12.1.x); waiting for the failed software installation to be automatically retried; and then rebooting the blades into the software volume that is running the affected Engineering Hotfix.
-- Temporarily installing a new blade into a separate VIPRION chassis with no other blades; manually reinstalling the affected Engineering Hotfix into the affected volume; and then installing the new blade into the existing chassis.
-- In a VIPRION chassis, installing the Release image on which the desired Engineering Hotfix is based into a new volume; booting into the new volume; rebooting into the original volume; installing the Engineering Hotfix into the new volume; and then booting into the new volume.
There may be other workarounds which are effective in avoiding and/or resolving this issue under specific conditions but have not yet been confirmed.
See Bug Tracker for updated information as details are confirmed.
Fix:
A software image containing an Engineering Hotfix which includes an updated nash-initrd package may be successfully installed into blades in VIPRION chassis.
Fixed Versions:
14.1.2.7
806825 : Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool
Links to More Info: BT806825
Component: Carrier-Grade NAT
Symptoms:
Translate-address is disabled on a virtual server that has an LTM pool configured.
In the NAT44 case, the LTM pool is used as the next hop, and packets are L2 forwarded to LTM pool members without destination address translation.
In the NAT64 case, packets are dropped if there is no route available to reach the IPv4 destinations (derived from the original IPv6 destination). Packets are not L2 forwarded to LTM pool members.
Conditions:
-- Virtual server with LTM pool configured.
-- CGNAT LSN pool configured.
-- Translate-address disabled.
Impact:
If there is no route available to reach the destination, NAT64 packets are dropped.
Workaround:
Configure default gateways/routes to reach the IPv4 destination in NAT64 case.
Fix:
Aligned the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool.
Use LTM pool as next hop for L2 forwarding the NAT64 packets when translate-address is disabled.
Fixed Versions:
14.1.2.7
806093-1 : Unwanted LDAP referrals slow or prevent administrative login
Links to More Info: BT806093
Component: TMOS
Symptoms:
On a BIG-IP system configured with remote LDAP/Active Directory authentication, attempting to login to the Configuration Utility or to the command-line interface may proceed very slowly or fail.
Conditions:
-- LDAP/Active Directory 'system-auth' authentication configured.
-- The Active Directory enables LDAP referral chasing (the default).
-- There are a number of Active Directory servers in the enterprise, or the BIG-IP system does not have complete network connectivity to all Active Directory servers (caused by firewalls or special routes).
Impact:
The BIG-IP system may chase LDAP referrals that reference LDAP servers that are unreachable, resulting in authentication timeouts/failures.
Workaround:
Which workaround to use to temporarily disable referrals chasing depends on the version you have.
-- For BIG-IP 14.1.0 - 14.1.2.2, and 15.0.0 - 15.0.1.0
1. Edit the configuration file:
-- /etc/nslcd.conf
2. Add the following line to the end of the file:
referrals no
3. Restart nslcd service to apply change:
systemctl restart nslcd
Important: This change is not persistent, and will be lost whenever MCPD reloads the BIG-IP configuration (tmsh load sys config), or when other changes are made to system-auth configuration values.
-- For BIG-IP 14.1.2.3 (and later 14.1.x releases), and 15.0.1.1 (and later 15.0.x.x releases), a db key has been added to allow this setting to be controlled. After making the db key change, the BIG-IP configuration must be saved and then loaded again, in order to update nslcd.conf
tmsh modify sys db systemauth.referrals value no
tmsh save sys config
tmsh load sys config
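The manual edit described above for BIG-IP 14.1.0 - 14.1.2.2, written as an added shell example (not code from these release notes or from F5) that makes the change repeatable and lets you check whether it has been lost after a configuration reload. The function names, the '.bak' backup file and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the release notes): apply and verify the
# "referrals no" workaround in an nslcd.conf-style file.
# Function names and the ".bak" backup file are assumptions of this example.

# Print the value of the last active (uncommented) "referrals" directive,
# or "unset" when the file has none. Useful for spotting that the manual
# edit was lost after the configuration was reloaded.
referrals_setting() {
    awk '/^[ \t]*referrals[ \t]/ { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Make "referrals no" the only referrals directive and the last line of the
# file. Prints "changed" or "unchanged" so the caller restarts nslcd only
# when the file was actually modified.
ensure_referrals_no() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "error: $conf not found" >&2
        return 2
    fi
    tmp=$(mktemp "${conf}.XXXXXX") || return 2

    # Drop every active referrals directive (commented lines are kept).
    # awk re-emits each line with a newline, so a file whose last line lacks
    # one cannot end up with "referrals no" glued onto another directive.
    awk '!/^[ \t]*referrals([ \t]|$)/' "$conf" > "$tmp"
    printf 'referrals no\n' >> "$tmp"

    if cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"
        echo unchanged
    else
        cp -p "$conf" "${conf}.bak"     # keep the previous version
        cat "$tmp" > "$conf"            # overwrite in place: mode and owner stay
        rm -f "$tmp"
        echo changed
    fi
}

# Demonstration on a constructed file (not a real BIG-IP configuration).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'uri ldap://192.0.2.10/\nbase dc=example,dc=com\nreferrals yes\n' \
        > "$dir/nslcd.conf"
    echo "before: $(referrals_setting "$dir/nslcd.conf")"
    echo "first run: $(ensure_referrals_no "$dir/nslcd.conf")"
    echo "second run: $(ensure_referrals_no "$dir/nslcd.conf")"
    echo "after: $(referrals_setting "$dir/nslcd.conf")"
    rm -rf "$dir"
}
demo

# On the appliance itself the equivalent call would be:
#   [ "$(ensure_referrals_no /etc/nslcd.conf)" = changed ] && systemctl restart nslcd
```

Running referrals_setting against /etc/nslcd.conf after a 'tmsh load sys config' shows whether the non-persistent edit needs to be reapplied.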
Fix:
In BIG-IP v15.1.0 and later, you can configure the use of referrals using the 'referrals' property of the 'auth ldap system-auth' object.
In BIG-IP v14.1.2.3+ and BIG-IP v15.0.1.1+, you can configure the use of referrals using the 'systemauth.referrals' db key.
Fixed Versions:
14.1.2.3, 15.0.1.1
806085-2 : In-TMM MQTT monitor is not working as expected
Links to More Info: BT806085
Component: Local Traffic Manager
Symptoms:
Monitoring probes are not sent out to the network, regardless of the monitor config and sys db variable.
Conditions:
Configuring the in-TMM MQTT monitor.
Impact:
The state of pool members with an attached MQTT monitor is incorrectly shown as DOWN.
Workaround:
None.
Fix:
In-TMM MQTT monitor now works as expected.
Fixed Versions:
14.1.2.3, 15.0.1.1
806073-3 : MySQL monitor fails to connect to MySQL Server v8.0
Links to More Info: BT806073
Component: TMOS
Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.
Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.
Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.
Fixed Versions:
14.1.3.1, 15.1.2.1, 16.0.1.1
805821-4 : GTP log message contains no useful information
Links to More Info: BT805821
Component: Service Provider
Symptoms:
GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting.
Conditions:
A GTP profile or iRule fails to process a message.
Impact:
Users lack information for troubleshooting.
Workaround:
N/A
Fix:
GTP error log has been replaced with a more useful message. The new log message provides more intuitive information including the reason and, in some messages, location of data that causes the failure.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
805417-1 : Unable to enable LDAP system auth profile debug logging
Links to More Info: BT805417
Component: TMOS
Symptoms:
Beginning in version 14.1.0, LDAP debugging must be performed on nslcd logs and not pam_ldap logs; however, it is not possible to enable debug logging on nslcd via the configuration file.
Conditions:
This would be encountered only if you (or F5 Support) wanted to do troubleshooting of LDAP connections by enabling debug logging.
Impact:
LDAP system authentication 'debug' parameter does not provide sufficient levels of debug logs, but there is no functional impact to normal system operation.
Workaround:
To enable debug logging and have the system post log messages to the SSH/console window, start the nslcd process with -d option, which causes nslcd to run in the foreground until you press control-c to stop it:
systemctl stop nslcd
nslcd -d
Note: The -d setting does not persist, so each time you want to log debug output, you must complete this procedure.
You can increase the amount of debug output by specifying additional -d options (up to 3), e.g., '-ddd' or '-d -d -d'.
When done, stop nslcd with control-c, and then restart it with the default options via the normal systemctl daemon:
systemctl start nslcd
Fix:
The nslcd logs are now visible in the /var/log/secure file.
Fixed Versions:
14.1.2.7, 15.1.1
805353-1 : ASM reporting for WebSocket frames has empty username field
Links to More Info: BT805353
Component: Application Security Manager
Symptoms:
When using ASM to inspect and report WebSocket frames, the username field is always reported as empty or absent.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- WebSocket profile attached to a virtual server.
-- ASM logging profile attached to a virtual server.
-- WebSocket traffic inspected by ASM and logged as event log message or remote logger message.
Impact:
Poor visibility of current logged-in user in the event log for WebSocket frames.
Workaround:
None.
Fix:
ASM now populates the username field for logged WebSocket frames.
Fixed Versions:
14.1.2.3
805017-2 : DB monitor marks pool member down if no send/recv strings are configured
Links to More Info: BT805017
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members are configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.
Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.3
804537-1 : Check SAs in context callbacks
Links to More Info: BT804537
Component: TMOS
Symptoms:
Crypto operations can crash.
Conditions:
Any crypto operation involving an ike-sa or a child-sa.
Impact:
Tunnel outage due to core, lasting until restart and renegotiation.
Workaround:
None.
Fix:
Fixed a crash related to crypto operations and SAs.
Fixed Versions:
14.1.2.8
804477-4 : Add HSB register logging when parts of the device becomes unresponsive
Links to More Info: BT804477
Component: TMOS
Symptoms:
Parts of the HSB can become unresponsive, with insufficient logging to diagnose the root cause. Additional data needs to be captured when the issue occurs.
Conditions:
This additional logging will trigger whenever parts of the HSB become unresponsive.
Impact:
The register logging will provide further insight into the HSB state when it becomes unresponsive.
Workaround:
None.
Fix:
Additional logging of HSB register states has been added whenever parts of the HSB become unresponsive.
Fixed Versions:
13.1.3.4, 14.1.4.3
804313-2 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
Links to More Info: BT804313
Component: Service Provider
Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.
Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.
Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.
Workaround:
None
Fix:
Message sweeper interval value now loads correctly.
Fixed Versions:
13.1.3.4, 14.1.2.1, 15.0.1.2
804309-2 : [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument
Links to More Info: BT804309
Component: TMOS
Symptoms:
Running the command 'tmsh list' on a pool or virtual server with the 'all-properties' argument generates a warning:
[api-status-warning] ltm/virtual, properties : deprecated : urldb-feed-policy
Conditions:
Including the 'all-properties' argument with the 'tmsh list' command.
Impact:
There is no impact to the system. The excessive [api-status-warning] messages at stderr and /var/log/ltm for tmsh list commands are spurious, benign, and can be ignored.
Workaround:
tmsh modify /mgmt shared settings api-status log resource-property deprecatedApiAllowed false
tmsh modify /mgmt shared settings api-status log resource deprecatedApiAllowed false
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.0.5
804185-2 : Some WebSafe request signatures may not work as expected
Links to More Info: BT804185
Component: Fraud Protection Services
Symptoms:
Request signatures are part of the WebSafe signature mechanism. The request signature is achieved by configuring an FPS-protected URL and a corresponding custom-alert. If the URL is a wildcard, a priority must be assigned to determine the order of matching. URL matching by priority is not working properly. As a result, the signatures do not work as expected.
Conditions:
There is at least one wildcard URL configured by the request signature update file.
Impact:
A portion of WebSafe request signatures do not work as expected:
-- An alert is sent, though it should not be (false-positive).
-- An alert was not sent, though it should be (false-negative).
Workaround:
Configure the same signature manually in the BIG-IP system's GUI/tmsh.
Fix:
FPS now correctly handles signature-based wildcard URL's priority.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
804157-1 : ICMP replies are forwarded with incorrect checksums causing them to be dropped
Links to More Info: BT804157
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server receives an ICMP response without first receiving an ICMP request, the checksum on the ICMP response that is egressed by tmm will not be calculated correctly.
Conditions:
An ICMP response without a corresponding ICMP request, such as in non-symmetric routing scenarios.
Impact:
ICMP replies are forwarded with the incorrect checksum and likely will be dropped by the recipient or other devices on the network.
Workaround:
Ensure symmetric routing. Configure L7 virtual servers for use with ipother profiles.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
803845-2 : When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown
Links to More Info: BT803845
Component: Local Traffic Manager
Symptoms:
Standby is passing traffic when a virtual wire is configured.
Conditions:
-- Virtual wire configured in high availability (HA).
Impact:
The Standby device is forwarding traffic when it should not, causing a loop and subsequent network shutdown.
Workaround:
None.
Fix:
The Standby device no longer passes traffic through virtual wire when it should not.
Fixed Versions:
14.1.2.1
803825-3 : WebSSO does not support large NTLM target info length
Links to More Info: BT803825
Component: Access Policy Manager
Symptoms:
WebSSO crashes.
Conditions:
When the optional field of the target info is about 1000 bytes or larger.
Impact:
WebSSO crashes, resulting in loss of service.
Workaround:
Configure NTLM not to have large target info (recommended: < 800).
Fixed Versions:
13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
803813-2 : TMM may experience high latency when processing WebSocket traffic
Links to More Info: BT803813
Component: Application Security Manager
Symptoms:
Under certain conditions, TMM may experience higher than usual latency when processing WebSocket traffic.
Conditions:
-- WebSocket traffic.
-- Very long connections or large amounts of traffic.
-- Platforms with many CPUs.
Impact:
Increased latency in WebSocket traffic.
Workaround:
None.
Fix:
Fixed an issue that could cause latency with WebSocket traffic.
Fixed Versions:
13.1.3.4, 14.1.2.7
803809-2 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
Links to More Info: BT803809
Component: Service Provider
Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.
Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.
Impact:
Calls from one or more clients are unable to be completed.
Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.
Fix:
Clients with previous connection failures are now able to connect when the port is no longer in use or the configuration has been changed.
Fixed Versions:
13.1.3.4, 14.1.2.7, 15.1.0.2
803645-3 : GTMD daemon crashes
Links to More Info: BT803645
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process crashes in response to a call triggered by its own timer event.
Conditions:
The conditions that cause this intermittent issue are difficult to reproduce, but it might occur when the system is under heavy load and gtmd is starved of CPU cycles.
Impact:
The gtmd process restarts and produces a core file.
Workaround:
None.
Fixed Versions:
13.1.3.3, 14.1.2.7
803629-2 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
Links to More Info: BT803629
Component: Local Traffic Manager
Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.
Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure
The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.
Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.
The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.
Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.
Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.0.1.1
803477-2 : BaDoS State file load failure when signature protection is off
Links to More Info: BT803477
Component: Anomaly Detection Services
Symptoms:
Behavioral DoS (BADoS) loses its learned thresholds.
Conditions:
Restart of admd when signature protection is off.
Impact:
The system must relearn the thresholds; BADoS protection is not available during the learning time.
Workaround:
Turn on signatures detection.
Fix:
BADoS State file successfully loads after admd restart, even without signatures detection.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.1
803445-3 : When adding several mitigation exceptions, the previously configured actions revert to the default action
Links to More Info: BT803445
Component: Application Security Manager
Symptoms:
After adding a new item to the mitigation exception list, you can also change its mitigation action. If you do not save the changes and then add more new exception items, the mitigation actions of the previously added items return to their default value actions.
Conditions:
-- Add mitigation exception to the Bot Configuration.
-- Change mitigation action on that new exception.
-- Add new items to exception list without first saving.
Impact:
Mitigation action exceptions might be saved with their default value actions instead of the actions you configured.
Workaround:
After adding a group of exception items and editing their actions, save the Bot Configuration properties before adding any new mitigation exception items.
Fix:
When adding several mitigation exceptions, the previously configured actions no longer revert to the default action.
Fixed Versions:
14.1.2.1, 15.0.1.1
803237-4 : PVA does not validate interface MTU when setting MSS
Links to More Info: BT803237
Component: TMOS
Symptoms:
An incorrect MSS value might be used when hardware (HW) syncookies are used, and the MTU is smaller than the MSS.
Conditions:
-- The BIG-IP system sends TCP segments, fragmented across multiple IP packets, that exceed the size of the local interface MTU.
-- This occurs when HW Syncookies are enabled.
Impact:
TCP segments larger than the local interface MTU are sent towards the client. These TCP segments are transmitted as IP fragments.
Workaround:
Increase MTU size.
Fixed Versions:
14.1.4, 15.1.3
803233-3 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
Links to More Info: BT803233
Component: Local Traffic Manager
Symptoms:
Intermittently (depending on the timing of operations that keep MCP busy):
1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:
-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.
2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:
-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.
Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.
Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.
Workaround:
None.
Fix:
FQDN ephemeral pool members are created in a more timely manner when FQDN resolution via DNS returns new address records.
Fixed Versions:
12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1
803149-1 : Flow Inspector cannot filter on IP address with non-default route_domain
Links to More Info: BT803149
Component: Advanced Firewall Manager
Symptoms:
Flow Inspector cannot filter on IP address with non-default route_domain.
Conditions:
-- In Flow Inspector.
-- Attempting to filter results.
-- Some results use IP addresses with non-default route domains.
Impact:
Filter does not return results as expected.
Workaround:
None.
Fix:
You can now filter on IP address with non-default route_domain in Flow Inspector.
Fixed Versions:
14.1.2.8
803109-2 : Certain configuration may result in zombie forwarding flows
Links to More Info: BT803109
Component: Local Traffic Manager
Symptoms:
OneConnect profile in conjunction with 'Source-port preserve-strict' or cmp-hash setting of 'dst-ip' or 'src-ip' on the server-side VLAN may result in zombie forwarding flows.
On the server-side the incoming traffic hits a different TMM from the one that handles the outgoing traffic.
Unexpected 'Inet port exhaustion' messages may be logged in the LTM log file.
Conditions:
-- OneConnect configured.
And one of the following:
-- Source-port is set to preserve-strict.
-- The cmp-hash setting on the server-side VLAN is set to 'dst-ip' or 'src-ip'.
Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops.
The current allocation can be checked with this command:
# tmctl memory_usage_stat name=connflow -s name,cur_allocs
Workaround:
You can use any of the following workarounds:
-- Remove the OneConnect profile from the Virtual Server.
-- Do not use 'source-port preserve-strict' setting on the Virtual Server.
-- Set the 'cmp-hash default' on the server-side VLAN if it is set to 'cmp-hash src-ip' or 'cmp-hash dst-ip'.
Note: After making this change, it may be necessary to run the command 'tmsh restart sys service tmm', which clears the old flows but also impacts traffic. Traffic is interrupted while tmm restarts.
Fixed Versions:
14.1.4.6
802977-2 : PEM iRule crashes when more than 10 policies are tried to be set for a subscriber
Links to More Info: BT802977
Component: Policy Enforcement Manager
Symptoms:
Tmm crashes.
Conditions:
Using an iRule to apply more than 10 referential policies for a subscriber.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The BIG-IP system validates the number of policies before setting them to a subscriber.
In this release, iRule behavior does not result in a tmm core dump, but the number of policies that can be simultaneously applied to a subscriber through an iRule is limited to 7.
Behavior Change:
In previous releases, the system did not prevent using an iRule to apply more than 10 referential policies for a subscriber. In those cases, however, tmm crashed and generated a core.
In this release, the BIG-IP system validates the number of policies before setting them to a subscriber. iRule behavior does not result in a tmm core dump, but the number of policies that can be simultaneously applied to a subscriber through an iRule is limited to 7.
Fixed Versions:
14.1.2.7
802961-2 : The 'any-available' prober selection is not as random as in earlier versions
Links to More Info: BT802961
Component: Global Traffic Manager (DNS)
Symptoms:
Some big3d instances can be periodically busier than other big3d instances.
Conditions:
-- When 'any-available' is selected for either the prober-preference or prober-fallback options.
-- A large number of monitors are defined.
Impact:
When the 'any-available' prober option is used, the selection of big3d probers may not be as random as in BIG-IP software versions prior to v13.0.0.
Workaround:
None.
Fixed Versions:
13.1.3.4, 14.1.2.5
802889 : Problems establishing HA connections on chassis platforms
Links to More Info: BT802889
Component: TMOS
Symptoms:
High availability (HA) mirroring does not work correctly. Some or all tmms may show up as closed when observing the show /sys ha-mirror stats.
The ha_stat table shows a non-zero amount in the 'mismatch' stat:
tmctl -d blade ha_stat -s ha_unit,tmid,active,mismatch
ha_unit tmid mismatch
------- ----- --------
0 [1.1] 0
1 [1.1] 132422
0 [1.0] 0
1 [1.0] 132411
Conditions:
-- VIPRION B4400 chassis platforms are commonly affected.
-- HA mirroring is enabled.
Impact:
The HA mirroring channel becomes disconnected and does not re-connect. In rare cases this might affect vCMP guests or other bladed platforms if HA packets are directed to the wrong blades, or during blade startup if the CMP state does not match between units.
Workaround:
None.
Fix:
HA connections on chassis platforms are correctly re-established after a peer mismatch.
Fixed Versions:
14.1.2.8, 14.1.3
802873-1 : Manual changes to policy imported as XML may introduce corruption for Login Pages
Links to More Info: BT802873
Component: Application Security Manager
Symptoms:
Manual changes to a policy imported as XML may introduce corruption for Response Pages. The following log appears:
ASM subsystem error (asm_config_server.pl ,F5::PrepareConf::Policy::prepare_alternate_response_file_tbl): failed to parse response headers - please check response page.
Conditions:
-- XML policy file is missing a response header.
-- Import the policy.
Impact:
The affected response page is not returned for traffic as expected, and an error is reported instead.
Workaround:
Mitigation:
Ensure that response_header exists in XML policy file before import.
Workaround:
Go to the affected policy's Response Pages: Login Page, click Save and then click Apply Policy.
Fix:
The system now gracefully ignores an empty header for the Login Page response page.
Fixed Versions:
14.1.2.7, 15.1.4
802865-1 : The iControl REST query request returning empty list for DoS Protected Objects
Links to More Info: BT802865
Component: Advanced Firewall Manager
Symptoms:
DoS Protection profiles are not displayed in the GUI, but they are visible when using the tmsh command:
tmsh list security dos profile | grep "security dos profile"
Conditions:
This is encountered in Security :: DoS Protection : Protection Profiles.
Impact:
DoS Protected Objects are not included in the REST endpoint /mgmt/tm/security/presentation/tmui/virtual-list, so the GUI cannot display the DoS Protected Objects.
Workaround:
Use tmsh.
Fix:
DoS Protected Objects are now visible in the GUI
Fixed Versions:
14.1.2.3
802685-3 : Unable to configure performance HTTP virtual server via GUI
Links to More Info: BT802685
Component: TMOS
Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.
Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).
Impact:
Failed to create a 'performance HTTP' virtual server.
Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
802421 : The /var partition may become 100% full requiring manual intervention to clear space
Links to More Info: BT802421
Component: Advanced Firewall Manager
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restarts of the restjavad and bigd daemons related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.
Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
Fixed Versions:
14.1.2.7, 15.1.0.5
802381-2 : Localdb authentication fails
Links to More Info: BT802381
Component: Access Policy Manager
Symptoms:
In Active / Standby setup, user authentication fails after failover occurs.
Conditions:
-- APM configured in Active / Standby setup.
-- Per-session policy configured with Localdb Auth.
-- Failover occurs.
Impact:
APM end users are unable to authenticate.
Workaround:
Restart localdbmgr on the new active device, using the following command:
# bigstart restart localdbmgr
Fix:
In Active / Standby setup, user authentication no longer fails after failover occurs, so APM end users are able to authenticate.
Fixed Versions:
14.1.4.5, 15.0.1.3
802281-1 : Gossip shows active even when devices are missing
Links to More Info: BT802281
Component: TMOS
Symptoms:
Gossip appears Active even when one or more devices go missing from device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.
Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.
Impact:
Gossip reports that it is working when it is not.
Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
Fixed Versions:
13.1.3.5, 14.1.2.5, 15.1.0.2
802245-1 : When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected.
Links to More Info: BT802245
Component: Local Traffic Manager
Symptoms:
The last provided cipher suite in the list is chosen if HTTP/2 is negotiated and not matched.
Conditions:
-- HTTP/2 negotiation is enabled.
-- The provided cipher suites are not matched.
Impact:
The least-secure cipher suite would be selected.
Workaround:
Put the most secure cipher suite at the end of the list.
Fix:
Now the most secure cipher suite is selected regardless of the order in the list.
Fixed Versions:
14.1.2.7
801705-4 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
Links to More Info: BT801705
Component: Local Traffic Manager
Symptoms:
The 'HTTP::cookie attribute' iRule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with the iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.
Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.
Impact:
There is no space preceding the attribute. RFC is violated.
Workaround:
When inserting a cookie attribute with iRule command, add a leading space to the name of attribute to be inserted.
Fixed Versions:
13.1.3.6, 14.1.3.1
801497-2 : Virtual wire with LACP pinning to one link in trunk.
Links to More Info: BT801497
Component: Local Traffic Manager
Symptoms:
A virtual-wire that uses interface trunks may use a single interface on egress.
Conditions:
Virtual-wire configured across multi-interface trunks.
Impact:
This may lead to unexpected link saturation.
Workaround:
None.
Fixed Versions:
14.1.2.1, 15.1.1
800453-3 : False positive virus violations
Links to More Info: K72252057, BT800453
Component: Application Security Manager
Symptoms:
False positive ASM virus violations.
Conditions:
Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM.
Impact:
ASM reports a virus when the antivirus reply times out. False positive blocking or violation reporting.
Workaround:
Configure the EnableASMByPass internal parameter so that ASM tolerates a missing reply from the antivirus server and does not issue a violation when that occurs:
/usr/share/ts/bin/add_del_internal add EnableASMByPass 1
bigstart restart asm
Note: When the internal parameter is enabled, ASM also bypasses huge HTTP requests (when they come on multiple connections) instead of resetting them.
Fix:
False positive ASM virus violations no longer occur under these conditions.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.3
800369-2 : The fix for ID 770797 may cause a TMM crash
Links to More Info: BT800369
Component: Local Traffic Manager
Symptoms:
In rare situations the TMM may crash after the original fix for ID 770797 is applied.
Conditions:
HTTP2 is used on the client-side of a virtual server without an MRF http_router profile.
The original fix for ID 770797 is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The fix for ID 770797 has been altered to prevent the TMM from crashing in rare situations.
Fixed Versions:
14.1.2.3, 15.0.1.1
800305-2 : VDI::cmp_redirect generates flow with random client port
Links to More Info: BT800305
Component: Local Traffic Manager
Symptoms:
The VDI::cmp_redirect iRule command generates a flow with a randomly-assigned client port.
Conditions:
-- VDI::cmp_redirect iRule command used
Impact:
Client port is not the same as the original client port.
Fix:
The VDI::cmp_redirect iRule command now uses the same port.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.1
800265-2 : Undefined subroutine in bigip_add_appliance_helper message
Links to More Info: BT800265
Component: Global Traffic Manager (DNS)
Symptoms:
When using the -a switch with bigip_add (which instructs bigip_add to use bigip_add_appliance_helper), the script terminates with an error:
Undefined subroutine &gtm_env::get_unique_certs called at /usr/local/bin/bigip_add_appliance_helper line 113.
Conditions:
Use the bigip_add script with the -a switch in appliance mode.
Impact:
bigip_add fails in appliance mode, reporting an error message.
Workaround:
None.
Fixed Versions:
14.1.2.8
800209-1 : The tmsh recursive list command includes DDoS GUI-specific data info
Links to More Info: BT800209
Component: Advanced Firewall Manager
Symptoms:
DDoS GUI-specific data is included when running the command: tmsh recursive list. This irrelevant information might cause confusion.
Conditions:
This occurs when the AFM module is enabled
Impact:
Extra, irrelevant data is provided in output, which can cause confusion.
Workaround:
This always happens as long as AFM is enabled. You can deprovision the AFM module to disable this command.
Fix:
DDoS GUI-specific data is now filtered out when running the command: tmsh recursive list.
Fixed Versions:
14.1.2.1
800185-4 : Saving a large encrypted UCS archive may fail and might trigger failover
Links to More Info: BT800185
Component: TMOS
Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:
# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package
-- If saving UCS is automated you may find related errors in /var/log/audit:
err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))
-- Other services might be restarted due to lack of memory, which might result in failover.
-- System management via config utility or command line may be sluggish while UCS saves.
Conditions:
-- Large encrypted UCS files and low free host memory.
-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.
Impact:
The operation uses an amount of RAM at least 1.3 times the UCS file size. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.
The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.
Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.
Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)
If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.)
Fix:
Saving a large UCS file no longer fails.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4
800101-1 : BIG-IP chassis system may send out duplicated UDP packets to the server side
Links to More Info: BT800101
Component: Local Traffic Manager
Symptoms:
On a BIG-IP chassis based system, a single UDP packet on the client side flow may be duplicated and sent out to the server side.
Conditions:
When the UDP flow has been idle for more than 10 minutes and L2 entries for the flow in the broadcom switch have aged out.
Impact:
Duplicated server side egress packets may cause server side processing error.
Fix:
BIG-IP no longer sends out duplicated UDP egress packets on the server side.
Fixed Versions:
14.1.2.8
799749-1 : Asm logrotate fails to rotate
Links to More Info: BT799749
Component: Application Security Manager
Symptoms:
ASM logrotate reports errors in /var/log/asm:
error: error creating output file /ts/log//bd.log.1: File exists
Conditions:
Files ending with .1 exist in the log directories.
Impact:
Logrotate does not work. May fill disk with logs over time.
Workaround:
Remove or rename all of the .1 logs.
Fixed Versions:
14.1.2.7, 15.1.0.5
799649-2 : TMM crash
Links to More Info: BT799649
Component: Local Traffic Manager
Symptoms:
TMM SIGSEGV crash due to memory corruption.
Conditions:
HTTP Security profile attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove the HTTP Security profile.
Fix:
HTTP Security profile does not cause TMM crash.
Fixed Versions:
14.1.2.5
799149-2 : Authentication fails with empty password
Links to More Info: BT799149
Component: Access Policy Manager
Symptoms:
Per-req policy authentication fails when an empty password is detected. The following errors are seen in the APM logs:
-- err apmd[13930]: 01490301:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Empty session variable value received from tmm.
-- err apmd[13930]: 01490302:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Failed to decrypt session variable 'subsession.logon.last.password' from tmm with error code: 3.
Conditions:
-- APM is licensed and provisioned.
-- Per-req policy is created with at least one Auth agent.
Impact:
APM end users cannot change a password/token or access backend resources.
Workaround:
None.
Fix:
Per-request policy auth no longer complains about empty password. If the backend server accepts an empty password, auth should work fine.
Fixed Versions:
13.1.3.2, 14.1.2.7
799001-3 : Sflow agent does not handle disconnect from SNMPD manager correctly
Links to More Info: BT799001
Component: TMOS
Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.
Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.
Impact:
Snmpd service restarts repeatedly
Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent which results in successful re-connection with snmpd.
Fix:
No Fix. Execute 'tmsh restart sys service sflow_agent'
Fixed Versions:
14.1.4, 15.1.3
798949-3 : Config-Sync fails when Config-Sync IP configured to management IP
Links to More Info: BT798949
Component: TMOS
Symptoms:
Device Group Sync Fails with error in the GUI: 01070712:3: Caught configuration exception (0), Failed to sync files.
Conditions:
Config-Sync IP configured to management IP:
sys db configsync.allowmanagement value enable
Impact:
Config-Sync of file objects such as SSL certificates fails.
Workaround:
None.
Fix:
Config-Sync has been updated to allow synchronization of file objects over the mgmt port.
Fixed Versions:
14.1.2, 15.0.1
798261-2 : APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
Links to More Info: BT798261
Component: Access Policy Manager
Symptoms:
The following logs appear in the APM log and the user session is terminated.
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_finish_set_pipeline()" line: 720 Msg: Error: Set pipeline: While receiving response to 0 cmd set /.*/tmm.session.6833364e.session.assigned.uuid 0 0 32 s
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_server_disconnect()" line: 2533 Msg: Error: bad memcache connection (tmm:1), (fd:205)
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
The SET command failed because it incorrectly attempted to create session variable in all traffic groups.
Conditions:
1. Virtual address for SWG transparent is 0.0.0.0
2. Spanning on the virtual address is enabled.
Impact:
User sessions will be terminated
Workaround:
Disable virtual address spanning.
Fix:
N/A
Fixed Versions:
13.1.3.2, 14.1.2.5, 15.0.1.3
798105-1 : Node Connection Limit Not Honored
Links to More Info: BT798105
Component: Local Traffic Manager
Symptoms:
Connection limits on nodes are not honored.
Conditions:
A node with connection limits set.
Impact:
More traffic will pass to the node than the limit is supposed to allow.
Workaround:
Modify the node's limit after the node is created and it will start honoring the limit.
Fix:
The node's limit is now honored.
Fixed Versions:
14.1.2.1, 15.0.1.4
797977-1 : Self-IP traffic does not preserve the TTL from the Linux host
Links to More Info: BT797977
Component: Local Traffic Manager
Symptoms:
Egress traffic from TMM has the IP TTL set to 255 instead of keeping the TTL from the Linux host.
Conditions:
IP/IPv6 TTL for host traffic.
Impact:
Tools like traceroute do not work because the Linux host rejects the packets.
Workaround:
Adjust TTL verification restrictions
Fix:
IP TTL is preserved.
Fixed Versions:
14.1.2.3, 15.0.1.4
797829-5 : The BIG-IP system may fail to deploy new or reconfigure existing iApps
Links to More Info: BT797829
Component: TMOS
Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:
script did not successfully complete: ('source-addr' unexpected argument while executing
The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.
The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.
Conditions:
This issue occurs when:
-- The BIG-IP system is configured with multiple users of varying roles.
-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.
-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.
Note: You can inspect the number of child processes already created by scriptd by running the following command:
pstree -a -p -l | grep scriptd | grep -v grep
However, it is not possible to determine their current 'security context'.
Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.
Workaround:
Restart scriptd. To restart scriptd, run:
bigstart restart scriptd
Running this command has no negative impact on the system.
The workaround is not permanent; the issue may occasionally recur depending on your system usage.
Fix:
The system now stops all scriptd child processes and creates new ones with the new user security-context when the user changes.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
797785-2 : AVR reports no ASM-Anomalies data.
Links to More Info: BT797785
Component: Application Visibility and Reporting
Symptoms:
AVR collects data for ASM-Anomalies, which include Brute-Force and Web-Scraping activities. When reported, all metrics and dimensions are hidden. AVR output looks like this:
errdefs_msgno=\"22282253\",Entity=\"ASM_ANOMALIES\
Conditions:
When gathering statistics reporting a Brute-Force or Web-Scraping attack.
Impact:
AVR reports no ASM-Anomalies data.
Workaround:
None.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.3
797541-1 : NTLM Auth may fail when user's information contains SIDS array
Links to More Info: BT797541
Component: Access Policy Manager
Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:
-- Users cannot log in through the BIG-IP APM system.
-- In the /var/log/apm file, the system logs warning messages similar to the following examples:
- warning eca[11256]: 01620002:4: [Common] 192.168.0.1:60294 Authentication with configuration (/Common/server1.example.com) result: user01@USER01 (WORKSTATION): Fail (UNEXP_006C0065)
- warning nlad[11261]: 01620000:4: <0x2b4d27397700> client[46]: DC[10.10.10.12]: schannel[0]: authentication failed for user 'user01', return code: 0x006c0065
Note: The reported return code may be a value other than 0x006c0065 or 0x00000007. However, the larger the size of the SIDS and Attributes array, the more likely the error value will be 0x00000007.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP APM system is configured to provide NTLM front-end authentication.
-- The authentication response contains a non-empty SID_AND_ATTRIBUTES array.
For example, this issue can occur when the user is a member of universal groups from a trusted domain.
Impact:
The authentication process fails and the user cannot log in.
Workaround:
None.
Fixed Versions:
14.1.2.1, 15.0.1.1
797277-2 : URL categorization fails when multiple segments present in URL path and belong to different categories.
Links to More Info: BT797277
Component: Traffic Classification Engine
Symptoms:
When a URL path contains multiple segments, where each segment belongs to a different URL category, the Webroot URL categorization engine does not store the results correctly and can return the wrong categories for these path segments.
Conditions:
-- URL path contains multiple segments (example: /abc/def/ghi)
-- Each segment belongs to a different URL category
+ abc: News
+ def: Search_Engine
-- URL categorization (Webroot) lookup results in cloud lookup (sending the query to Webroot remote server because of missing match in the local database).
Impact:
URL categorization does not categorize all of the segments in the path correctly when the query results in a cloud lookup to the Webroot BrightCloud server.
Workaround:
None.
Fix:
The system now stores the results of the BrightCloud server lookup correctly and returns the correct categories for each segment in the path.
Fixed Versions:
14.1.2.8
797221-1 : BCM daemon can be killed by watchdog timeout during blade-to-blade failover
Links to More Info: BT797221
Component: TMOS
Symptoms:
The BCM daemon deletes entries from tables during blade to blade failover. If tables are very large, the entry-by-entry deletion may take too long, such that the daemon is restarted by the watchdog timeout.
Conditions:
Very large L2 tables during blade-to-blade failover.
Impact:
There is a BCM core file on the primary blade after the failover.
Workaround:
None.
Fix:
The system now maintains the watchdog while deleting large tables, so this issue no longer occurs.
Fixed Versions:
14.1.4
796993-1 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
Links to More Info: BT796993
Component: Local Traffic Manager
Symptoms:
When a pool contains FQDN nodes as pool members, pool member state change messages are not logged in /var/log/ltm.
Conditions:
-- Create a pool with an FQDN node as its pool member
-- Apply monitor to it
-- Monitor marks the pool member up/down based on reachability
Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.3.1
796601-4 : Invalid parameter in errdefsd while processing hostname db_variable
Links to More Info: BT796601
Component: TMOS
Symptoms:
Errdefsd crashes, creates a core file, and restarts.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Possible loss of some logged messages.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2
795769-3 : Incorrect value of Systems in system-supplied signature sets
Links to More Info: BT795769
Component: Application Security Manager
Symptoms:
In properties of system-supplied Attack Signature Sets, the field "Systems" is always displayed with value All.
For example, for Generic Detection Signatures the "Systems" field should be: System Independent, General Database, Various systems
Instead, "Systems" is set to "All".
Conditions:
Only for system-supplied signature sets, while user-defined signature sets are displayed with correctly assigned Systems.
Impact:
Misleading value of Systems
Workaround:
N/A
Fix:
Correct value of "Systems" is displayed for system-supplied signature sets
Fixed Versions:
14.1.2.3, 15.0.1.1
795685-2 : Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer
Links to More Info: BT795685
Component: TMOS
Symptoms:
If the BIG-IP system receives a BGP notification for OUT_OF_RESOURCES from its BGP peer, then displaying the peer information on the BIG-IP system causes bgpd to crash (running show ip bgp neighbor).
Conditions:
-- Receive a BGP notification for OUT_OF_RESOURCES from the BGP peer.
-- Run the 'show ip bgp neighbor' command to display the BGP peer information.
Impact:
Bgpd crashes. Routing may be affected while bgpd restarts.
Workaround:
None.
Fix:
All supported BGP notifications now have a corresponding message to display in show commands.
Fixed Versions:
14.1.2.5
795649-3 : Loading UCS from one iSeries model to another causes FPGA to fail to load
Links to More Info: BT795649
Component: TMOS
Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.
The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:
-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.
Impact:
FPGA fails to load; the BIG-IP system becomes unusable.
Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:
-- For the i2800:
# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i7800:
# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i11400-ds:
# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
2. Reboot the system
Fixed Versions:
12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.0.3
795501-3 : Possible SSL crash during config sync
Links to More Info: BT795501
Component: Local Traffic Manager
Symptoms:
During config sync, it's possible that cipher group processing will crash.
Conditions:
-- SSL is configured.
-- Config sync is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Cipher group processing has been fixed to avoid this error.
Fixed Versions:
14.1.4
795329-2 : IM installation fails if 'auto-add-new-inspections' enabled on profile★
Links to More Info: BT795329
Component: Protocol Inspection
Symptoms:
IPS IM package installation fails. The IPS log /var/log/pi_hitless_upgrade shows the following message:
Error during switching: unsupported type for timedelta seconds component: tuple.
Conditions:
-- IM package should contain compliance check related to a specific service (e.g., HTTP).
-- At the time of IM package installation, there is an IPS profile with following parameters:
+ The 'auto-add-new-inspections' property set to 'on'.
+ Contains a service related to compliance checks, for example:
* Presence on the following services causes an issue with the BIG-IP v14.1.0 IM:
HTTP, SIP, IMAP
* Presence on the following services causes an issue with the BIG-IP v15.0.0 IM:
HTTP, SIP, IMAP, GTP, Diameter
Impact:
IPS IM package is not installed.
Workaround:
1. Before IM package installation, set the profile property 'auto-add-new-inspections' to 'off' (disable).
2. Install IM package.
3. Manually add compliance checks from the IM package to profile. Compliance checks names appear similar to the following:
-- pi_updates_14.0.0-20190607.2216.im
-- pi_updates_14.0.0-20190607.2216.im
Fix:
IM installation now succeeds when 'auto-add-new-inspections' is enabled on a profile.
Fixed Versions:
14.1.4.3, 15.0.1.1
795261-2 : LTM policy does not properly evaluate condition when an operand is missing
Links to More Info: BT795261
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides an LTM policies mechanism to process traffic based on a set of rules. A rule may include a number of conditions and a number of actions to execute when the conditions are satisfied. Conditions use operands to evaluate. When an operand is missing, the BIG-IP system may fail to properly evaluate the condition.
Conditions:
-- A virtual server is configured with an LTM policy.
-- The policy contains a rule with a condition which has an operand and a negative matching type like 'not equals' or 'not starts-with', etc. (e.g., http-referer host not contains { www.example.com }).
-- A processing entity (like HTTP request, etc.) is missing an operand or has an empty value (e.g., header 'Referer' is missing from the request).
Impact:
The policy is improperly evaluated on the processing entity and may produce incorrect results when load balancing a request and/or serving a response.
Workaround:
You can use either workaround:
-- Convert rules into a 'positive' form (lacking a negative matching type) whenever possible.
-- Use iRules instead of a policy (might impact performance).
Fix:
The BIG-IP system no longer incorrectly evaluates conditions in LTM policy rules when their operands are missing in a processing entity.
Fixed Versions:
14.1.2.5, 15.0.1.1
794581 : Transfer might stall for an object served from WAM cache
Links to More Info: BT794581
Component: Local Traffic Manager
Symptoms:
When an HTTP response is served from cache, the transfer stalls due to an incorrect value in the Content-Length header.
Conditions:
- Virtual server with HTTP profile that has standard chunking settings.
- Web acceleration profile is configured on the virtual server.
- HTTP response is served from AAM cache.
Impact:
Transfer stalls because the client is expecting more bytes from the peer (the Content-Length header advertises a value greater than the object's actual size).
Workaround:
For the HTTP profile used, set request-chunking to selective.
Fix:
Transfer completes for an object served from WAM cache.
Fixed Versions:
14.1.2.1
794501-2 : Duplicate if_indexes and OIDs between interfaces and tunnels
Links to More Info: BT794501
Component: TMOS
Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.
Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.
Impact:
SNMP OIDs relating to interfaces may yield incomplete results.
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:
# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
if-index 64 <-------------------------------
net interface mgmt {
if-index 32
net vlan external {
if-index 96
net vlan internal {
if-index 112
net vlan test {
if-index 128
net vlan tmm_bp {
if-index 48
net tunnels tunnel http-tunnel {
if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
if-index 80
# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm
-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289
Workaround:
No workaround currently known.
Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1
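A way to check saved output for the condition described in 794501, as an added example (not F5 code): it parses text in the shape of the tmsh | egrep listing above, reports any if-index shared by more than one object, and counts the 'Duplicate oid index found' warnings per source location. The function names and both sample inputs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the tmsh | egrep output quoted in this entry
# (an object header line followed by its if-index line). Not from a real system.
SAMPLE_TMSH = """\
net interface 0.10 {
    if-index 64 <-------------------------------
net interface mgmt {
    if-index 32
net vlan external {
    if-index 96
net vlan tmm_bp {
    if-index 48
net tunnels tunnel http-tunnel {
    if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
    if-index 80
"""

# Constructed /var/log/ltm lines in the format quoted in this entry.
SAMPLE_LTM_LOG = """\
notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289
"""

HEADER_RE = re.compile(r"^net\s+(\S.*?)\s*\{\s*$")
IF_INDEX_RE = re.compile(r"^if-index\s+(\d+)\b")
DUP_OID_RE = re.compile(
    r"snmpd\[\d+\]: 010e0999:\d+: Duplicate oid index found: (\S+)"
)


def parse_if_indexes(text):
    """Return [(object_name, if_index)] from filtered tmsh list output."""
    pairs = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        index = IF_INDEX_RE.match(line)
        # Ignore an if-index line that has no preceding object header.
        if index and current is not None:
            pairs.append((current, int(index.group(1))))
            current = None  # one if-index per object
    return pairs


def find_duplicate_if_indexes(pairs):
    """Map each if-index used by more than one object to the sorted object names."""
    owners = defaultdict(list)
    for name, index in pairs:
        owners[index].append(name)
    return {i: sorted(names) for i, names in owners.items() if len(names) > 1}


def count_duplicate_oid_warnings(log_text):
    """Count snmpd 'Duplicate oid index found' warnings per reported source location."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        match = DUP_OID_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    for index, names in find_duplicate_if_indexes(parse_if_indexes(SAMPLE_TMSH)).items():
        print("if-index %d is shared by: %s" % (index, ", ".join(names)))
    print(count_duplicate_oid_warnings(SAMPLE_LTM_LOG))
```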
794417-1 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not★
Links to More Info: BT794417
Component: Local Traffic Manager
Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.
Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:
1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
Impact:
The configuration does not load if saved, and reports an error:
01070734:3: Configuration error: In Virtual Server (/Common/http2vs) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/my_clientssl'; renegotiation must be disabled.
Workaround:
If enabling 'Enforce TLS Requirements' in an HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in all Client SSL profiles on that virtual server.
Fix:
Added a missing validation check for TLS Renegotiation and Enforce TLS Requirements.
Behavior Change:
BIG-IP validation now requires TLS Renegotiation of the SSL profile to be disabled when the TLS Enforcement requirement (RFC7540) is enabled in the HTTP/2 profile.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
794285 : BIG-IQ reading AFM configuration fails with status 400
Links to More Info: K36191493, BT794285
Component: Protocol Inspection
Symptoms:
When BIG-IQ tries to read the AFM configuration using REST, the operation fails with status 400 if AFM is provisioned but the Protocol Inspection module is not licensed.
Conditions:
-- AFM provisioned on BIG-IP system.
-- Protocol Inspection module is not licensed.
Impact:
The operation fails with status 400. BIG-IQ cannot read the AFM configuration if the Protocol Inspection module is not licensed.
Workaround:
License Protocol Inspection.
Fixed Versions:
14.1.2
793929-1 : In-TMM monitor agent might crash during TMM shutdown
Links to More Info: BT793929
Component: Local Traffic Manager
Symptoms:
A crash due to assertion in the in-TMM monitor agent occurs while TMM is shutting down.
Conditions:
In-TMM monitors are active and TMM shuts down, e.g., for BIG-IP reboot.
Impact:
There is no functional impact because TMM was shutting down anyway.
Workaround:
Turn off all in-TMM monitors before rebooting the BIG-IP system.
Fix:
TMM does not crash due to in-TMM monitor activities during shutdown.
Fixed Versions:
14.1.4.6
793669-1 : FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value.
Links to More Info: BT793669
Component: Local Traffic Manager
Symptoms:
On a high availability (HA) paired device group configuration where a pool has FQDN nodes as pool members, when the pool member is enabled or disabled on one device and the change is config-synced, the peer device is not fully updated. The template node gets updated with the new value, but the ephemeral pool member retains the old value.
Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (for example, Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Log in to tmsh on any of the systems.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover
Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.
Workaround:
Delete the fqdn node from the pool and add it back.
Fix:
FQDN ephemeral pool members are now in sync and disabled on the high availability (HA) peer.
Fixed Versions:
14.1.4.6
793149-3 : Adding the Strict-transport-Policy header to internal responses
Links to More Info: BT793149
Component: Application Security Manager
Symptoms:
Some applications require the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.
Conditions:
- ASM is provisioned with CAPTCHA/CSI challenge enabled
or
- DoS is provisioned with CAPTCHA/CSI enabled
or
- Bot Defense is provisioned with CAPTCHA mitigation/Browser JS verification/Device ID collection is enabled.
Impact:
Responses arrive at the browser without the Strict-transport-Policy header.
Workaround:
Create an iRule to add the header to the response.
Fix:
Added a BigDB parameter (asm.strict_transport_policy) that allows adding the header to all internal responses. The default is disabled.
Fixed Versions:
12.1.5.1, 14.1.2.7
793121-3 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
Links to More Info: BT793121
Component: TMOS
Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.
Conditions:
The TMUI redirect-http-to-https is enabled.
Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.
Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.
Fixed Versions:
13.1.3.2, 14.1.2.7, 15.0.1.3, 15.1.0.2
793045-2 : File descriptor leak in net-snmpd while reading /shared/db/cluster.conf
Links to More Info: BT793045
Component: TMOS
Symptoms:
Net-snmpd leaks file descriptors when SNMP traps are added or deleted via tmsh.
The number of file descriptors used by snmpd increases; observe this using 'ls -l /proc/$(pidof snmpd)/fd'.
The following error is logged in /var/log/daemon.log:
err snmpd[5160]: /proc/stat: Too many open files
Conditions:
Perform add/delete on SNMP traps via tmsh.
Impact:
Failure of snmpd operations on BIG-IP systems.
Workaround:
None.
Fix:
No longer leaks file descriptors in net-snmpd while reading /shared/db/cluster.conf.
Fixed Versions:
14.1.2.1, 15.0.1.1
793017-1 : Files left behind by failed Attack Signature updates are not cleaned
Links to More Info: BT793017
Component: Application Security Manager
Symptoms:
If an Attack Signature update encounters an error during installation, files that are meant to be temporary are left behind on disk and are not subject to periodic cleanup. This can eventually lead to disk space issues.
Conditions:
Attack Signature update encounters an error during installation.
Impact:
This can eventually lead to disk space issues.
Workaround:
Old sigfile.tmp.* directories under /var/ts/var/tmp can be safely removed.
Fix:
These directories are now included in the periodic file cleanup task.
Fixed Versions:
14.1.2.3, 15.1.0.2
793005-3 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect
Links to More Info: BT793005
Component: Service Provider
Symptoms:
In an MRF/Diameter deployment, the LTM pool 'Current Sessions' statistic may show an unusually large number, such as 18446744073709551606.
Conditions:
A Diameter answer does not match a pending request. The answer message is dropped, but the BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it can underflow.
Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.
Workaround:
None.
Fix:
The 'Current Sessions' statistic of an MRF/Diameter pool now reports correctly.
Fixed Versions:
13.1.3.4, 14.1.2.7, 15.1.0.5
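The underflow described in 793005, modelled as an added example (not F5 code): a pool statistic that is decremented for every answer, matched or not, next to a variant that decrements only when the answer matches a pending request. The class and function names are hypothetical, the trace is constructed, the 64-bit unsigned width is an assumption inferred from the value quoted above, and answers are matched to requests by Hop-by-Hop Identifier as in the Diameter base protocol.

```python
U64_MASK = (1 << 64) - 1  # assumption: the statistic is an unsigned 64-bit counter


class DiameterPoolStats:
    """Toy model of a pool's 'Current Sessions' counter and its pending-request table."""

    def __init__(self, decrement_only_on_match):
        self.decrement_only_on_match = decrement_only_on_match
        self.pending = set()        # Hop-by-Hop ids of requests awaiting an answer
        self.current_sessions = 0   # wraps modulo 2**64, like an unsigned counter
        self.dropped_answers = 0

    def on_request(self, hop_by_hop_id):
        self.pending.add(hop_by_hop_id)
        self.current_sessions = (self.current_sessions + 1) & U64_MASK

    def on_answer(self, hop_by_hop_id):
        """Process an answer; return True if it matched a pending request."""
        matched = hop_by_hop_id in self.pending
        if matched:
            self.pending.remove(hop_by_hop_id)
        else:
            self.dropped_answers += 1
            if self.decrement_only_on_match:
                return False  # dropped answer leaves the counter untouched
        # Behaviour described in the entry: the counter is decremented even
        # when the answer was dropped, so it can pass below zero and wrap.
        self.current_sessions = (self.current_sessions - 1) & U64_MASK
        return matched

    def is_consistent(self):
        """Invariant a correct implementation keeps: counter == pending requests."""
        return self.current_sessions == len(self.pending)


def replay(events, decrement_only_on_match):
    """Feed (kind, hop_by_hop_id) events through a fresh model and return it."""
    stats = DiameterPoolStats(decrement_only_on_match)
    for kind, hop_by_hop_id in events:
        if kind == "request":
            stats.on_request(hop_by_hop_id)
        elif kind == "answer":
            stats.on_answer(hop_by_hop_id)
        else:
            raise ValueError("unknown event kind: %r" % (kind,))
    return stats


# Constructed trace: two request/answer pairs, then ten answers whose
# Hop-by-Hop ids match no pending request.
TRACE = [("request", 1), ("request", 2), ("answer", 1), ("answer", 2)]
TRACE += [("answer", 1000 + i) for i in range(10)]

if __name__ == "__main__":
    for guarded in (False, True):
        stats = replay(TRACE, decrement_only_on_match=guarded)
        print(guarded, stats.current_sessions, stats.is_consistent())
```

Ten unmatched answers arriving while the counter is zero yield 2^64 - 10, which is exactly the 18446744073709551606 quoted in the Symptoms.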
792341-2 : Google Analytics shows incorrect stats.
Links to More Info: BT792341
Component: Application Security Manager
Symptoms:
ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.
Conditions:
Scenario 1:
-- ASM provisioned.
-- ASM policy attached to a virtual server with challenge mitigation enabled (as part of brute force protection, for example).
Scenario 2:
-- Bot defense profile attached to a virtual server with challenge mitigation enabled.
Scenario 3:
-- DoS Application profile attached to a virtual server with challenge mitigation enabled.
Impact:
Incorrect data is displayed in the Google Analytics dashboard.
Workaround:
Have an iRule that injects google-analytics.js into the challenge white page at the HTTP_RESPONSE_SENT time event.
Fix:
ASM now handles the backend's response to fix up document.referrer for tools that read this property.
Fixed Versions:
13.1.4.1, 14.1.4.2
792285-2 : TMM crashes if the queuing message to all HSL pool members fails
Links to More Info: BT792285
Component: TMOS
Symptoms:
When a system uses a High Speed Logging (HSL) configuration with an HSL pool, TMM crashes if queuing the message to all HSL pool members fails.
Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-plane logging is in use, for example (but not limited to) the iRule command HSL::send.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
13.1.3.4, 14.1.2.5
792265-3 : Traffic logs does not include the BIG-IQ tags
Links to More Info: BT792265
Component: Application Visibility and Reporting
Symptoms:
AVR collects traffic data. When that data is reported to BIG-IQ, it omits the BIG-IQ tags which are required by BIG-IQ.
Conditions:
AVR collects traffic data and sends it to BIG-IQ.
Impact:
There are no BIG-IQ tags in the traffic logs. BIG-IQ is unable to map traffic-capturing logs to applications.
Workaround:
None.
Fix:
Traffic logs now include the BIG-IQ tags.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.3
791669 : TMM might crash when Bot Defense is configured for multiple domains
Links to More Info: BT791669
Component: Application Security Manager
Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.
Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.
Impact:
TMM crash with core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.
Fixed Versions:
14.1.2.3, 15.1.4, 16.0.1.2
791337-1 : Traffic matching criteria fails when using shared port-list with virtual servers
Links to More Info: BT791337
Component: Local Traffic Manager
Symptoms:
The system reports an error:
01b90011:3: Virtual Server /Common/vs1's Traffic Matching Criteria /Common/vs1_tmc_obj illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs2 destination address, source address, service port.
Conditions:
-- Creating virtual servers with shared object port-list.
-- Using the same port in another virtual server with different protocol with overlapping sources and destination IP address.
Impact:
Config validation failure prevents configuration changes.
Workaround:
Use different IP addresses and ports.
Fixed Versions:
14.1.2.3
791057-1 : MCP may crash when traffic matching criteria is updated
Links to More Info: BT791057
Component: Local Traffic Manager
Symptoms:
MCP may crash when traffic matching criteria is updated, either directly or as the result of a configuration sync operation.
Conditions:
The specific root cause is unknown, although the crash is related to the update of traffic matching criteria.
Impact:
mcpd restarts. This results in a failover (when DSC is in use) or a halt to traffic processing (when DSC is not in use) while mcpd is restarting.
Workaround:
None.
Fixed Versions:
14.1.2.3, 15.0.1.3
790845-2 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
Links to More Info: BT790845
Component: Local Traffic Manager
Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to a non-default value.
Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to a non-default value.
Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.
Impact:
An In-TMM monitor is falsely marked as down.
Workaround:
Use default settings for a CMP-hash.
Fix:
An In-TMM monitor is not marked down when a non-default CMP-hash is in use.
Fixed Versions:
13.1.3.5, 14.1.4, 15.1.2
790349-2 : merged crash with a core file
Links to More Info: BT790349
Component: Application Security Manager
Symptoms:
merged crashes and restarts.
Conditions:
A tmstat sync operation is occurring in the background.
Impact:
Statistical data is not available for system utilities/graphs while merged restarts. There is no other impact besides the appearance of the core file.
Workaround:
None.
Fix:
The merged core scenario is fixed.
Fixed Versions:
14.1.2.3
790205-3 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
Links to More Info: BT790205
Component: Local Traffic Manager
Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.
Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.
Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when adding routes to child domains.
Fixed Versions:
12.1.5.3, 13.1.3, 14.0.1.1, 14.1.2.7, 15.0.1.1
789993-1 : Failure when upgrading to 15.0.0 with config move and static management-ip.
Links to More Info: BT789993
Component: TMOS
Symptoms:
Upgrade to 15.0.0 from earlier version fails.
Conditions:
This happens when upgrading to 15.0.0 from earlier versions with static management-ip (dhclient.mgmt set to disabled).
Impact:
As the config move fails, the Management IP address might not be correct on the newly installed 15.0.0 device.
Workaround:
Keep DHCP enabled before upgrading or reset the management-ip after upgrade.
Fix:
Failure when upgrading to 15.0.0 with config move and static management-ip.
Fixed Versions:
14.1.0.6, 15.0.1.4
789857-1 : "TCP half open' reports drops made by LTM syn-cookies mitigation.
Links to More Info: BT789857
Component: Advanced Firewall Manager
Symptoms:
'TCP half open' reports drops in logs/tmctl/AVR even though it is configured in detect-only mode.
Conditions:
-- 'TCP half open' attack is being actively detected.
-- LTM syn-cookie mitigation is enabled.
-- This is triggered when LTM syn-cookies mitigation begins.
Impact:
It will appear that 'TCP half open' is doing mitigation, but it is actually LTM syn-cookies dropping the connections.
Workaround:
If LTM syn-cookies are not needed, disable the option:
modify ltm global-settings connection default-vs-syn-challenge-threshold infinite global-syn-challenge-threshold infinite
Fixed Versions:
14.1.4, 15.1.1
789817-1 : In rare conditions info fly-out not shown
Links to More Info: BT789817
Component: Application Security Manager
Symptoms:
When the question mark icon ('?') is close to the right upper corner of the page, the info fly-out is not shown when the question mark icon is clicked.
Conditions:
This can occur under the following conditions:
-- On Security :: Application Security screens that display a question mark for a help icon.
-- The ? icon is close to the right upper corner of the page.
-- Clicking the question mark icon to open the fly-out menu.
Impact:
Info fly-out not shown.
Workaround:
Change page size so that the ? icon is not in the right upper corner.
Fix:
Fly-out is shown correctly in all cases.
Fixed Versions:
14.1.2.3, 15.0.1.4
789421-2 : Resource-administrator cannot create GTM server object through GUI
Links to More Info: BT789421
Component: Global Traffic Manager (DNS)
Symptoms:
Users logged in with a role of resource-administrator are unable to create a GTM server object via GUI. The warning banner reports 'No Access'.
Conditions:
A user with a role of resource-administrator attempts to create a GTM server object.
Impact:
Unable to create GTM server object via the GUI.
Workaround:
Use tmsh or iControl/REST.
Fixed Versions:
14.1.2.7, 15.1.0.5, 16.0.1
789365-1 : pkcs11d CPU usage increases after running nethsm self validation test
Links to More Info: BT789365
Component: Local Traffic Manager
Symptoms:
pkcs11d CPU usage rises from less than 5% to more than 80% after running 'tmsh run sys crypto nethsm-test' command.
Conditions:
pkcs11d is up when running nethsm self-validation test.
Impact:
pkcs11d CPU usage is higher than expected.
Workaround:
Restart pkcs11d to recover CPU usage.
Fix:
Do not subscribe to MCPD for the nethsm self-validation test. Instead, use a one-time MCPD message passing routine.
Fixed Versions:
14.1.2.3
789169-2 : Unable to create virtual servers with port-lists from the GUI★
Links to More Info: BT789169
Component: TMOS
Symptoms:
Using the GUI to create a virtual server with a port-list or address-list fails with the following error:
01070096:3: Virtual server <virtual server name> lists profiles incompatible with its protocol.
Conditions:
- The virtual server is created with an ip-protocol set to a value other than 'any'.
- A port-list or address-list is used.
Impact:
Virtual server creation fails.
Workaround:
Create the configuration in tmsh.
1. Create an LTM traffic-matching-criteria object to define the port-list and/or address list. The protocol on the traffic-matching-criteria must be set to the protocol that the virtual server will use.
2. Create the LTM virtual server, and set the traffic-matching-criteria to the name of the traffic-matching-criteria object.
Fix:
When creating a virtual server with a port-list from the GUI, a traffic-matching-criteria object is created internally and mapped to the virtual server. This ensures that the traffic-matching-criteria object uses the same ip-protocol as the virtual server.
Fixed Versions:
14.1.2.3, 15.0.1.4
789085-2 : When executing the ACCESS::session iRule command under a serverside event, tmm may crash
Links to More Info: BT789085
Component: Access Policy Manager
Symptoms:
Executing the ACCESS::session iRule command inside a serverside event, e.g., SERVER_CONNECTED, may cause tmm to crash.
Conditions:
ACCESS::session iRule command invoked under a serverside event, for example:
when SERVER_CONNECTED {
    log local0. "[ACCESS::session data get session.user.sessionid]"
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes during the execution of ACCESS::session iRule on a serverside event, e.g. SERVER_CONNECTED.
Fixed Versions:
14.1.4.4
788949-3 : MySQL Password Initialization Loses Already Written Password
Links to More Info: BT788949
Component: TMOS
Symptoms:
In some cases, the MySQL root password initialization is not complete. A re-attempt to restart MySQL fails.
Conditions:
-- MySQL startup script is interrupted.
-- Setting the root password fails.
Impact:
Processes may fail to connect to MySQL server.
Workaround:
None.
Fix:
Corrected MySQL startup script so it can recover if an earlier attempt to set the root password fails.
Fixed Versions:
14.1.2.7
788813-1 : TMM crash when deleting virtual-wire config
Links to More Info: BT788813
Component: Local Traffic Manager
Symptoms:
Tmm crashes.
Conditions:
This can occur when deleting a virtual-wire config.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The fix should prevent the crashes.
Fixed Versions:
14.1.4.5
788753-4 : GATEWAY_ICMP monitor marks node down with wrong error code
Links to More Info: BT788753
Component: Local Traffic Manager
Symptoms:
Pool state shows down when there is no route configured to node.
Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.
Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.
Workaround:
None.
Fixed Versions:
13.1.3.4, 14.1.2.8, 15.1.0.5
788741-2 : TMM cores in the MQTT proxy under rare conditions
Links to More Info: BT788741
Component: Local Traffic Manager
Symptoms:
TMM may core in the MQTT proxy under unknown conditions.
Conditions:
-- MQTT proxy in use.
-- It is not known what other conditions are required to cause this issue.
Impact:
TMM cores. Failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores in the MQTT proxy.
Fixed Versions:
14.1.2.5
788625-3 : A pool member is not marked up by the inband monitor even after successful connection to the pool member
Links to More Info: BT788625
Component: Service Provider
Symptoms:
1. Pool member is still shown as down even after BIG-IP has connected to it.
2. If a pool has only one pool member, continuous logs appear in /var/log/ltm at the frequency of the auto-init interval and the in-band timer interval, reporting the pool member as inactive and active, respectively.
Conditions:
-- Auto-init is enabled to continuously try connecting to the pool member.
-- An inband monitor is configured.
-- The inband monitor's retry interval is slightly less than the auto-init interval.
Impact:
The pool member is marked down, even though the pool member is up.
Workaround:
Configure the inband monitor's retry interval to be the lowest interval possible, which is 1 second.
Fix:
Pool member should be marked as up by the inband monitor, when the pool member comes up and connection to it is successful.
Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2
788593-2 : APM logs may contain additional data
Links to More Info: K43404365, BT788593
Component: Access Policy Manager
Symptoms:
Under certain conditions, APM logs may include more information than was requested.
Conditions:
-- APM licensed and enabled.
-- ACCESS::log iRule in use.
Impact:
Additional data recorded in the APM log, potentially disrupting log filters or logging unrequested data.
Workaround:
None.
Fix:
APM logs now contain the expected information.
Fixed Versions:
14.1.2.5, 15.0.1.3
788577-4 : BFD sessions may be reset after CMP state change
Links to More Info: BT788577
Component: TMOS
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might migrate from the old processing TMMs to the newly selected TMMs. This process is rapid and could lead to a contest between several TMMs over which should be the next BFD processing owner.
It might also lead to a situation where the BFD session is deleted and immediately recreated.
This problem occurs rarely and only on a chassis with more than one blade.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- A CMP state change has occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.
Impact:
When the BFD session is recreated, it marks the corresponding routing protocol DOWN, if one is configured. The protocol might be BGP, OSPF, or any other routing protocol that supports BFD.
This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions come from networks learnt by the affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It is the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
There are two workarounds, although the latter is probably impractical:
-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.
Fix:
BFD session is no longer reset during CMP state change.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
788557-5 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
Links to More Info: BT788557
Component: TMOS
Symptoms:
GRST - BGP graceful reset.
The problem occurs when the routing daemon bgpd restarts/starts (e.g., by terminating the bgpd daemon) its distribution of a process and is not supported. Another way we've found is to call the "bigstart restart" command on a primary blade on a chassis with more than one blade.
After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.
Conditions:
-- BGP and BFD are configured.
-- BGP router's 'graceful restart' option is configured, enabled (set to 120 by default).
-- The bgpd daemon is terminated.
Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.
Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions come from networks learnt by the affected routing protocol when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system; it is typically the routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
None.
Fix:
BGP and BFD peering is not recreated in GRST timeout anymore.
Fixed Versions:
11.6.5.2, 13.1.3.2, 14.1.2.1, 15.0.1.1
788513-2 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
Links to More Info: BT788513
Component: Service Provider
Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:
warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]
This appears to be benign, as the configuration loads successfully, and the script works as expected.
Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name
Instead of:
RADIUS::avp replace USER-NAME "static value"
Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.
Workaround:
This warning is benign, as the configuration loads successfully, and the script works as expected.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
788465-2 : DNS cache idx synced across HA group could cause tmm crash
Links to More Info: BT788465
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache idx conflicts and tmm crash.
Conditions:
-- High availability (HA) configuration.
-- DNS cache is configured and synced to the peer twice.
-- A second DNS cache is configured on the peer.
Impact:
The idx conflicts will be observed. If the second DNS cache is of another type and is added to a virtual server, accessing that virtual server might cause a tmm core. Traffic disrupted while tmm restarts.
Workaround:
On the BIG-IP system that has the DNS cache idx conflicts, restart tmm:
# bigstart restart tmm
Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1
788417-2 : Remote Desktop client on macOS may show resource auth token on credentials prompt
Links to More Info: BT788417
Component: Access Policy Manager
Symptoms:
APM uses the 'username' attribute to pass the auth token for SSO-enabled native RDP resources on macOS. If a Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the base64-encoded auth token in the username field.
This behavior is observed only with Remote Desktop Client v10.x for macOS.
Conditions:
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- Try to access the RDP resource from macOS using RDP client v10.x.
Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.
Impact:
The end user sees a credentials prompt that contains the auth token in the username field, which causes confusion for APM end users.
Workaround:
Apply the following iRule:
Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.
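when HTTP_RESPONSE_RELEASE {
    # catch suppresses any Tcl error raised inside the block
    catch {
        set locationUri [HTTP::header Location]
        # Only touch 302 redirects to an rdp:// URI that carry the APM token
        if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" &&
             $locationUri contains "username=s:f5_apm"} {
            # Replace the username=s:f5_apm prefix with gatewayaccesstoken=s:
            HTTP::header Location \
                [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
        }
    }
}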
Fix:
Remote Desktop client on macOS does not show resource auth token on credentials prompt.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.1
788325-2 : Header continuation rule is applied to request/response line
Links to More Info: K39794285, BT788325
Component: Local Traffic Manager
Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prepending continuation lines with leading whitespace symbols. This rule does not apply to the request or response line, so having leading whitespace in the first header line is invalid. The BIG-IP system parses such a line as a header with an empty value.
Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.
Impact:
The BIG-IP system can hide some important HTTP headers, either passing them to the pool member, failing to properly handle the request (or response), or failing to correctly load balance a connection (or a request, in the case of a OneConnect profile).
Workaround:
None.
Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in the first header line, it properly parses the header and handles it correctly.
Fixed Versions:
11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
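The folding rule described in 788325, as an added example that is not BIG-IP code: a strict header-block parser that unfolds continuation lines but rejects a whitespace-prefixed line directly after the request or response line (one of the two handling options RFC 7230 section 3 permits), next to a faulty variant that applies the continuation rule to the start line and so loses sight of the first header. All function names and the sample requests are constructed for illustration, and the faulty variant is an assumption about how such a defect can look, not a description of BIG-IP internals.

```python
"""Header-block parsing around line folding (constructed example, not BIG-IP code)."""

WS = (b" ", b"\t")

# Constructed sample: a legal continuation line on the second header.
FOLDED_OK = (b"GET /index.html HTTP/1.1\r\n"
             b"Host: app.example\r\n"
             b"X-Long: part-one\r\n"
             b"  part-two\r\n\r\n")

# Constructed sample: leading whitespace on the first header line (invalid).
LEADING_WS = (b"GET /index.html HTTP/1.1\r\n"
              b" Host: app.example\r\n"
              b"Accept: */*\r\n\r\n")


class MalformedMessage(ValueError):
    """Raised when the header block violates the framing rules checked here."""


def split_head(raw: bytes):
    """Return (start_line, header_lines) for everything before the blank line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    start_line, *lines = head.split(b"\r\n")
    return start_line, lines


def parse_field(line: bytes):
    """Split 'Name: value' and refuse whitespace around the field name."""
    name, sep, value = line.partition(b":")
    if not sep or not name or name != name.strip(b" \t"):
        raise MalformedMessage(f"bad header line: {line!r}")
    return name.lower(), value.strip(b" \t")


def parse_strict(raw: bytes):
    """Unfold continuation lines, but never onto the start line."""
    start_line, lines = split_head(raw)
    headers = []
    for line in lines:
        if line[:1] in WS:
            if not headers:
                # Whitespace between the start line and the first header field:
                # reject instead of guessing what the sender meant.
                raise MalformedMessage("whitespace before first header field")
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip(b" \t"))
        else:
            headers.append(parse_field(line))
    return start_line, headers


def parse_folding_start_line(raw: bytes):
    """Faulty variant (assumed): the continuation rule also hits the start line."""
    start_line, lines = split_head(raw)
    headers = []
    for line in lines:
        if line[:1] in WS:
            folded = line.strip(b" \t")
            if headers:
                name, value = headers[-1]
                headers[-1] = (name, value + b" " + folded)
            else:
                # The first header is absorbed into the request line and is
                # no longer visible as a header to anything downstream.
                start_line += b" " + folded
        else:
            headers.append(parse_field(line))
    return start_line, headers


if __name__ == "__main__":
    print(parse_strict(FOLDED_OK))
    print(parse_folding_start_line(LEADING_WS))
    try:
        parse_strict(LEADING_WS)
    except MalformedMessage as exc:
        print("rejected:", exc)
```

A proxy and an origin server that disagree on the second sample see different header sets, which is why rejecting the message is the safer of the two permitted behaviours.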
788301-5 : SNMPv3 Hardening
Links to More Info: K58243048, BT788301
Component: TMOS
Symptoms:
SNMPv3 agents do not follow current best practices.
Conditions:
SNMPv3 agents enabled.
Impact:
SNMPv3 agents do not follow current best practices.
Fix:
SNMPv3 features now follow current best practices.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
788269-3 : Adding toggle to disable AVR widgets on device-groups
Links to More Info: BT788269
Component: Application Visibility and Reporting
Symptoms:
Devices on device-group get into state of not-synced when AVR-related widgets are created or modified.
It occurs more frequently when manual config sync is enabled.
It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.
Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.
Impact:
Devices go into a non-synced state.
Workaround:
None.
Fix:
A DB-variable called avr.gui.widgets.sync has been added to disable widgets syncing. Possible values are 'disable' or 'enable'. It is enabled by default.
Behavior Change:
This release adds a DB-variable, avr.gui.widgets.sync, to disable widget syncing. Possible values are 'disable' or 'enable'. It is enabled by default.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3
788093 : MRF iRule command MR::restore with no argument causes tmm to crash
Links to More Info: BT788093
Component: Service Provider
Symptoms:
Executing MRF iRule command MR::restore with no arguments intended to restore all variables saved previously with MR::store causes tmm to crash.
Conditions:
Using iRule command MR::restore with no arguments intended to restore all variables saved previously with MR::store.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use MR::restore command with explicitly mentioned variables intended to be restored.
Fix:
MR::restore works as intended: when no variable is given, it brings back all variables saved previously with MR::store.
Fixed Versions:
14.1.2.5
788005-2 : Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP)
Links to More Info: BT788005
Component: Service Provider
Symptoms:
The SIP RFC states that if converting a message from a reliable transport to an unreliable transport, the proxy must guarantee delivery.
Conditions:
An administrator required conversion of SIP messages from TCP to UDP and was willing to forgo the delivery requirement.
Impact:
A system db variable was added to disable the TCP to UDP protection.
Workaround:
None
Fix:
A DB variable, Tmm.Sp.Sip.AllowTcpUdpConversion, has been added. Possible values are enable|disable; the default value is disable. Enabling the DB variable enables the protection blocking TCP to UDP conversion for SIP messages.
Fixed Versions:
14.1.2.5
787965-1 : URLCAT by URI does not work if it contains port number
Links to More Info: BT787965
Component: Traffic Classification Engine
Symptoms:
If an absolute URI contains a port number, URLCAT returns the result: Uncategorized.
Conditions:
Create new connection using CONNECT <absolute_uri> method.
Impact:
AFM rules configured with use of categorization do not work as intended.
Workaround:
Add URI with port number to custom Feed List.
Fix:
URLCAT works if request URI contains port number.
Fixed Versions:
14.1.2.7
787885-1 : The device status is falsely showing as forced offline on the network map while actual device status is not.
Links to More Info: BT787885
Component: TMOS
Symptoms:
Network Map in GUI shows incorrect [Forced Offline] status.
Conditions:
-- Multi-blade system:
The device status in the network map is falsely shown as [Forced Offline] when the actual device status is anything other than [Forced Offline]. In other words, it is always shown as [Forced Offline].
-- Non multi-blade system:
The device status in the network map is falsely shown as [Forced Offline] when the actual device status is anything other than [Active] or [Forced Offline]. In other words, it displays correctly only for [Active] and [Forced Offline].
Impact:
The device status in the network map is not reliable.
Workaround:
None.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
787881-2 : TMSH displays TSIG keys
Links to More Info: BT787881
Component: TMOS
Symptoms:
TSIG key is displayed when related configuration is listed in TMSH.
Conditions:
-- Authenticated administrative user.
-- Listing TSIG keys using TMSH.
Impact:
TSIG keys are listed when they should not be.
Workaround:
None.
Fix:
TMSH no longer displays TSIG keys when listing configuration.
Fixed Versions:
14.1.4.4
787853-2 : BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps.
Links to More Info: BT787853
Component: Local Traffic Manager
Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.
The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.
Conditions:
1. Create two virtual servers with multiple nodes. Set ICMP echo as all or selective/all.
2. Ping from client to virtual address.
3. Bring down nodes.
4. Ping fails from client to virtual address, as expected.
5. Bring up nodes and make sure all virtual servers are online.
6. Start ping from client to virtual address.
Impact:
The BIG-IP system might respond incorrectly to ICMP echo requests sent to a virtual-address.
-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP system may not respond correctly after a virtual-address availability change.
-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.
The BIG-IP system might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.
Workaround:
Update virtual address ICMP setting to any or selective/any.
Fix:
This issue has been fixed.
Fixed Versions:
14.1.3.1
787845 : Tmsh command 'show running-config' fails when Protocol Inspection is not licensed.
Links to More Info: BT787845
Component: Protocol Inspection
Symptoms:
If the Protocol Inspection feature is not licensed then tmsh command 'show running-config' fails with 'Protocol Inspection feature not licensed.' message.
Conditions:
- AFM Protocol Inspection feature is not licensed.
Impact:
'tmsh show running-config' command returns an error: 'Protocol Inspection feature not licensed.'
Workaround:
None.
Fix:
'tmsh show running-config' command works as expected.
Fixed Versions:
14.1.2.3
787825-2 : Database monitors debug logs have plaintext password printed in the log file
Links to More Info: K58243048, BT787825
Component: Local Traffic Manager
Symptoms:
When "debug" logging is enabled on a monitor instance for certain monitor types, the resulting monitor instance logs may contain sensitive details such as the password.
Conditions:
Debug mode is enabled for the following monitor types:
1. mssql
2. mysql
3. oracle
4. postgresql
Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.
Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types.
2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
Fix:
The password field for the monitor is now redacted by external monitors when monitor debugging is enabled.
Fixed Versions:
11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
787677-3 : AVRD stays at 100% CPU constantly on some systems
Links to More Info: BT787677
Component: Application Visibility and Reporting
Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.
Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.
Impact:
System performance degrades.
Workaround:
Restart TMM:
bigstart restart tmm
Fix:
Added processing that prevents AVRD from entering endless loops.
Fixed Versions:
14.1.4.5, 15.1.4.1
787477-2 : Export fails from partitions with '-' as second character
Links to More Info: BT787477
Component: Access Policy Manager
Symptoms:
Attempting to export a profile/policy from a partition that has the hyphen/dash (-) as the second character of its name results in the error message:
'Incorrect arguments: <partition> is not specified'
Conditions:
Partition with '-' as second character in the name.
Impact:
Unable to export policy from given partition
Workaround:
Rename partition without '-' as the second character.
Fix:
Export is working as expected in this scenario.
Fixed Versions:
13.1.3.2, 14.1.2.1
787433-3 : SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed
Links to More Info: BT787433
Component: Local Traffic Manager
Symptoms:
When stapling the OCSP response (and hence the OCSP certificate) to the SSL client, the issuer that appears on the OCSP certificate does not match the forward proxy CA cert configured in the client SSL profile.
Conditions:
The issue is seen when all the below conditions are met.
-- The BIG-IP system is using SSLO or SSL forward proxy.
-- The client hello sent from the SSL client includes the status request extension. This means that it requests BIG-IP system to staple the OCSP response.
-- The forward proxy CA cert in the client SSL profile is modified.
Impact:
In SSLO or SSL forward proxy mode, the server cert and the OCSP response that the BIG-IP system sends to the SSL client should both be signed (issued) by the forward proxy CA cert configured in the client SSL profile. If they are signed by different issuers, they may fail some of the validation checks performed by the SSL client, which might lead to the SSL client terminating the SSL handshake.
Workaround:
To update and regenerate the OCSP signer information after modifying the forward proxy CA cert, run the command:
bigstart restart tmm
Fix:
The issuer appearing on the OCSP response always matches the forward proxy CA cert configured at the client SSL profile.
Fixed Versions:
14.1.2.1
787285 : Configuration fails to load after install of v14.1.0 or v14.1.2 on BIG-IP 800★
Links to More Info: BT787285
Component: TMOS
Symptoms:
When performing an installation of v14.1.0 or v14.1.2 on the BIG-IP 800 platform, the configuration fails to load after booting and reports an error:
01070920:3: Application error for confpp: iptables-restore v1.4.21: Couldn't load target `ha_multicast':No such file or directory.
Conditions:
-- Install or upgrade to v14.1.0 or v14.1.2.
-- BIG-IP 800 platform.
Note: The BIG-IP 800 platform does not support BIG-IP software version 14.1.3 or later.
Impact:
Unable to load configuration.
Workaround:
None
Fixed Versions:
14.1.3.1
786981-3 : Pending GTP iRule operation may be aborted when connection is expired
Links to More Info: BT786981
Component: Service Provider
Symptoms:
When there is a suspended iRule operation (such as the table or after command) in a GTP iRule event, the operation may be intermittently aborted when the connection expires.
Conditions:
This occurs when a connection times out while there is still a pending iRule operation. For example, in one use case, there is a table command in GTP_SIGNALLING_INGRESS event, and the immediate idle timeout is configured in the UDP profile.
Impact:
GTP iRule may not be completely executed.
Workaround:
For the specific use case when immediate idle timeout is used, change idle timeout to some positive value. Then use the iRule to expire the connection after the GTP iRule event is done, for example, by setting 'IP::idle_timeout 0' in SERVER_CONNECTED event.
Fix:
When connection is expired, pending iRule operations in GTP iRule events are now completed.
Fixed Versions:
13.1.3.4, 14.1.2.7
786913-2 : Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7
Links to More Info: BT786913
Component: Application Security Manager
Symptoms:
Upgrade fails when upgrading from 13.0.x or earlier if the config includes an LTM Policy (CPM) that modifies a DoS Application Profile.
Conditions:
-- LTM Policy is configured to specify a DoSL7 profile name.
-- Upgrade is from version 13.0.x or earlier.
Impact:
Upgrade failure.
Workaround:
1. Manually edit the /config/bigip.conf file, and place all of the 'security dos profile' objects before any 'ltm policy' objects.
2. Load the config.
Fix:
Upgrade no longer fails when using an LTM Policy which specifies a DoSL7 profile name.
Fixed Versions:
14.1.2.3
786565-2 : MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded
Links to More Info: BT786565
Component: Service Provider
Symptoms:
When a message is created using the GENERICMESSAGE::message create iRule command during the CLIENT_DATA event, if the TCP payload buffer is not cleared before the event completes, the data in the payload buffer is forwarded to the generic message filter, disrupting its state machine.
Conditions:
-- A message is created using GENERICMESSAGE::message create iRule command during CLIENT_DATA event.
-- TCP payload buffer is not cleared before the event completes.
Impact:
The data in the payload buffer is forwarded to the generic message filter, disrupting its state machine. Subsequent messages are not forwarded.
Workaround:
To fix the problem, add the following to CLIENT_DATA:
TCP::payload replace 0 [TCP::payload length] ""
Fix:
Data left in the TCP payload buffer is now ignored and does not negatively impact the filter.
Fixed Versions:
14.1.2.1, 15.0.1.1
786517-3 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
Links to More Info: BT786517
Component: Local Traffic Manager
Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.
- Running the command 'tmsh load /sys config' reports an error:
01070038:3: Monitor /Common/a-tcp address type requires a port.
Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.
Impact:
Monitors are sent to an incorrect IP address.
tmsh load /sys config will fail to load the configuration.
Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.
-- Fix the monitor definition using tmsh.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.0.5
786173-1 : UI becomes unresponsive when accessing Access active session information
Links to More Info: BT786173
Component: Access Policy Manager
Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.
Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Impact:
Some session variables may be lost, which results in the GUI becoming unresponsive. The Access :: Overview :: Active Sessions page in the Admin UI becomes unusable.
Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Fix:
The solution for the reported issue is handled by the fix provided for ID 783817. ID 786173 fixes a null pointer exception that might occur in the specific case of a certain missing session variable, which is relevant only in BIG-IP releases 14.1.0 or later.
Fixed Versions:
14.1.2.1, 15.0.1.1
785877-2 : VLAN groups do not bridge non-link-local multicast traffic.
Links to More Info: BT785877
Component: Local Traffic Manager
Symptoms:
VLAN groups do not bridge non-link-local multicast traffic.
Conditions:
-- VLAN groups configured.
-- Using non-link-local multicast traffic.
Impact:
Non-link-local multicast traffic does not get forwarded.
Workaround:
None.
Fix:
VLAN groups now bridge non-link-local multicast traffic.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
785873-2 : ASM should treat 'Authorization: Negotiate TlR' as NTLM
Links to More Info: BT785873
Component: Application Security Manager
Symptoms:
When an authentication request with Authorization: Negotiate arrives at ASM, ASM does not count it as a login attempt. As a result, brute force protection is not applied.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Login URL configured in ASM policy.
-- Brute force protection enabled in ASM policy.
Impact:
Brute force attack checking can be skipped if the backend server authorization type is NTLM but the client sends 'Authorization: Negotiate TlR'.
Workaround:
Use an iRule that changes 'Authorization: Negotiate TlR' to NTLM on the client side (before ASM) and sets it back to the original value on the server side (after ASM).
Fix:
After the fix, ASM treats 'Authorization: Negotiate TlR' as NTLM, since 'TlR' is a sign of NTLM usage.
Fixed Versions:
14.1.4.5
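Why 'TlR' marks NTLM in 785873, as an added example that is not ASM code: every NTLM message starts with the signature NTLMSSP followed by a NUL byte, whose base64 form begins with TlRMTVNTUAA, so classifying by decoded token content catches NTLM sent under the Negotiate scheme where a check on the scheme word alone does not. The function names and sample headers are constructed, and counting NTLM AUTHENTICATE (type 3) messages as login attempts is an assumption of this example, not documented ASM behaviour.

```python
"""Classify Authorization header values by token content (constructed example)."""
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def sample_ntlm_token(msg_type: int) -> str:
    """Build a constructed NTLM-shaped token: signature, type, zero padding."""
    blob = NTLMSSP_SIGNATURE + msg_type.to_bytes(4, "little") + bytes(20)
    return base64.b64encode(blob).decode("ascii")


def classify_authorization(value: str):
    """Return (mechanism, ntlm_message_type) for one Authorization value."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("ntlm", "negotiate"):
        return ("other", None)
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return ("invalid", None)
    if blob.startswith(NTLMSSP_SIGNATURE):
        if len(blob) < 12:
            # Signature present but no room for the 4-byte message type.
            return ("invalid", None)
        msg_type = int.from_bytes(blob[8:12], "little")
        return ("ntlm", NTLM_MESSAGE_TYPES.get(msg_type))
    if scheme == "negotiate" and blob:
        # Any other Negotiate token (for example Kerberos); not parsed further.
        return ("negotiate-other", None)
    return ("invalid", None)


def count_ntlm_authenticate(values, scheme_only=False):
    """Count NTLM AUTHENTICATE messages among Authorization header values.

    scheme_only=True models a check that looks only at the scheme word and
    therefore skips NTLM carried under 'Negotiate'.
    """
    count = 0
    for value in values:
        if scheme_only and not value.lower().startswith("ntlm "):
            continue
        if classify_authorization(value) == ("ntlm", "AUTHENTICATE"):
            count += 1
    return count


# Constructed sample headers; none of these values come from real traffic.
SAMPLE_HEADERS = [
    "NTLM " + sample_ntlm_token(3),
    "Negotiate " + sample_ntlm_token(1),
    "Negotiate " + sample_ntlm_token(3),
    "Negotiate " + base64.b64encode(b"\x60constructed-non-ntlm").decode("ascii"),
    "Basic dXNlcjpwdw==",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header[:28], "->", classify_authorization(header))
    print("content-based count:", count_ntlm_authenticate(SAMPLE_HEADERS))
    print("scheme-only count:  ", count_ntlm_authenticate(SAMPLE_HEADERS, True))
```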
785741-1 : Unable to login using LDAP with 'user-template' configuration
Links to More Info: K19131357, BT785741
Component: TMOS
Symptoms:
Unable to login as remote-user.
Conditions:
When the following are true:
-- LDAP remote-auth configured with user-template.
-- Remote-user configured to permit login.
Impact:
Unable to login with remote-user.
Workaround:
Use bind-dn for authentication.
Fixed Versions:
14.1.2.3, 15.0.1.4, 15.1.0.5
785701-1 : Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile
Links to More Info: BT785701
Component: Local Traffic Manager
Symptoms:
Changing parameters in a Web Acceleration profile does not change the behavior of virtual servers already using the profile.
Conditions:
This issue is encountered after changing the settings of a Web Acceleration profile already in use by one or more virtual servers.
Impact:
The changes are saved correctly and are visible in the Web UI and tmsh; however, virtual servers already using the profile are not affected by the changes. This may result in some confusion and in the BIG-IP Administrator being unable to apply their desired changes.
Workaround:
After modifying the profile, remove the profile from all virtual servers and then re-add it.
Fixed Versions:
14.1.2.8
785605-2 : Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group
Links to More Info: BT785605
Component: Traffic Classification Engine
Symptoms:
If a Feed List is created on a Standby unit, it is not synchronized to other units in the Traffic Group and becomes unusable.
Conditions:
-- Create Feed List on a Standby unit.
-- Attempt to use URLCAT with Custom DB.
Impact:
URL Categorization based on Custom DB does not work.
Workaround:
Create Feed List on the Active unit and synchronize to Standby.
Fix:
Feed Lists can now be used if created on a Standby unit.
Fixed Versions:
14.1.4.4
785529-1 : ASM unable to handle ICAP responses whose length is greater than 10K
Links to More Info: BT785529
Component: Application Security Manager
Symptoms:
ASM drops ICAP and HTTP connections when a multipart request arrives at the ASM enforcer and is then forwarded to the ICAP server for virus inspection, and the ICAP server replies with a large (greater than 10 KB) response.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Antivirus service IP and port defined in the BIG-IP GUI under Options :: Integrated Services.
-- Antivirus protection enabled in the ASM policy.
Impact:
ASM drops ICAP and HTTP connections.
Workaround:
Configure the ICAP server to send back responses smaller than 10 KB.
Fix:
A new ASM internal parameter has been introduced to make the ICAP response buffer size configurable within the ASM enforcer. The maximum response buffer size is 250 KB. To set the variable, issue the following commands, in sequence:
-- /usr/share/ts/bin/add_del_internal add icap_response_buff_size 250000
-- bigstart restart asm
Fixed Versions:
11.6.5.2, 14.1.2.7
785481-2 : A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
Links to More Info: BT785481
Component: Local Traffic Manager
Symptoms:
Setting the DB variable tm.rejectunmatched to 'false' causes the BIG-IP system to not send RSTs when there is a match but the connection is rejected due to connection limits.
Conditions:
- tm.rejectunmatched is set to 'false'.
- A packet is matching a BIG-IP object.
- The packet is to be rejected because of connection limits.
Impact:
Reset packets are not sent back to clients when they should be.
Workaround:
None.
Fix:
Packets that match a BIG-IP object but fail due to connection limits will now be rejected with an RST.
Fixed Versions:
12.1.5.3, 14.1.2.8, 15.0.1.1
785017-1 : Secondary blades go offline after new primary is elected
Links to More Info: BT785017
Component: TMOS
Symptoms:
Secondary active blades go offline.
Conditions:
-- Cluster with three or more active blades.
-- Primary blade is rebooted.
For example, on a 4-bladed system, after slot 1 (primary blade) was rebooted and slot 2 (secondary blade) takes over as primary, slots 3 and 4 both go offline due to high availability (HA) table, with the logs showing reason as 'waiting for configuration load'.
Impact:
Cluster reduced to a single blade, which may impact performance.
Workaround:
None.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3
784989-2 : TMM may crash with panic message: Assertion 'cookie name exists' failed
Links to More Info: BT784989
Component: Access Policy Manager
Symptoms:
TMM crashes with SIGFPE panic
panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.
Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.
Fix:
Fixed TMM crash, which occurred when remotedesktop/VDI profile was used together with custom iRule and Debug level logging.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
784713-3 : When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct
Links to More Info: BT784713
Component: Local Traffic Manager
Symptoms:
When SSL forward proxy is configured, or for SSLO, if OCSP or CRL is set on the serverside, the certificate that signs the OCSP response on the clientside does not have the correct Authority Key Identifier (AKID).
Conditions:
Configure SSL forward proxy or enable SSLO and enable OCSP or CRL on serverside/server SSL profiles.
Impact:
Incorrect AKID X509 extension for the OCSP signer certificate on the clientside. Depending on the browser or client, this may prevent it from using the stapled OCSP response.
Workaround:
None.
Fix:
After the fix, the OCSP signer certificate has the correct AKID X509 extension.
Fixed Versions:
14.1.2.1
783849-2 : DNSSEC Key Generations are not imported to secondary FIPS card
Links to More Info: BT783849
Component: Global Traffic Manager (DNS)
Symptoms:
When new DNSSEC Key Generations are generated by FIPS card, the Generation is not imported to secondary FIPS card.
Conditions:
BIG-IP has a GTM sync group with FIPS cards in sync. New DNSSEC Key Generation is created.
Impact:
New DNSSEC Key Generation is not imported to secondary FIPS card, but the generation is synced within GTM sync group.
Workaround:
N/A
Fix:
DNSSEC Key Generation is not imported to secondary FIPS card over creation
Fixed Versions:
14.1.2.1
783817-2 : UI becomes unresponsive when accessing Access active session information
Links to More Info: BT783817
Component: Access Policy Manager
Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.
The following error messages appear in the TMM log:
-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588
Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Impact:
Some session variables may be lost, which results in UI hang. Admin UI becomes unusable.
Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
783753-1 : Increase vCPU amount guests can use on i11800-DS platforms.
Links to More Info: BT783753
Component: TMOS
Symptoms:
Users are unable to configure guests with 12 or 16 CPUs on the i11800-DS platforms.
Conditions:
i11800-DS platforms in vCMP mode.
Impact:
Cannot assign 12 or 16 CPUs to guests on i11800-DS platforms.
Workaround:
None
Fix:
12 or 16 CPUs can now be assigned to guests on i11800-DS platforms.
Fixed Versions:
14.1.2.8
783617-1 : Virtual server resets connections when all pool members are marked disabled
Links to More Info: BT783617
Component: Local Traffic Manager
Symptoms:
The BIG-IP system immediately responds with an RST against a SYN when all pool members are marked disabled by a monitor.
Conditions:
All of the pool members are marked disabled by a monitor or administratively.
Impact:
Cannot use iRules to respond with an HTTP 503 error to incoming traffic.
Cannot use LTM policies to select multiple pools if all pool members are disabled in a default pool assigned to a virtual server.
Workaround:
Use Forced offline instead of disabled to prevent this issue.
Fix:
Virtual server no longer resets connections when all pool members are marked disabled.
Fixed Versions:
13.1.3.5, 14.1.3.1
783565-2 : Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP
Links to More Info: BT783565
Component: Fraud Protection Services
Symptoms:
Upgrade support for the DB variable that attaches the AJAX payload to the vToken cookie sets the 'send in alerts' flag configured on parameters without checking whether automatic transaction detection is turned on for the URL.
Conditions:
-- BIG-IP version 13.1.x or 14.0.x
-- A protected URL is configured with automatic transaction detection turned off.
-- A parameter on that URL is configured with all flags turned off.
-- The DB variable antifraud.internalconfig.flag1 is set to 'enabled' value.
-- Upgrade to 13.1.x or later (with load config) started.
Impact:
After upgrade, the configuration fails to load due to an error during schema change validation.
Workaround:
-- Set the DB variable antifraud.internalconfig.flag1 value to 'disabled' before the upgrade.
-- Configure 'send in alerts' flag on the parameters manually.
Fix:
Now upgrade support takes into consideration the automatic transaction detection flag on URL and sets 'send in alerts' flag on URL parameters only for URLs with automatic transaction detection turned on.
Fixed Versions:
14.1.2.1, 15.0.1.1
783513-2 : ASU is very slow on device with hundreds of policies due to logging profile handling
Links to More Info: BT783513
Component: Application Security Manager
Symptoms:
Signature Update (ASU) is very slow on devices with hundreds of policies due to logging profile handling.
Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- The BIG-IP is configured for logging profile handling.
Impact:
The ASU process takes hours to complete.
Workaround:
None.
Fixed Versions:
13.1.3.2, 14.1.2.3
783289-1 : PEM actions not applied in VE bigTCP.
Links to More Info: BT783289
Component: Policy Enforcement Manager
Symptoms:
If PEM virtual server is configured using bigTCP, the return traffic from the server may not return to the same TMM. PEM policies do not get applied.
Conditions:
-- BIG-IP Virtual Edition.
-- bigTCP is configured (FastL4 with PEM/GPA hudfilters).
-- Virtual server uses Source-NAT.
Impact:
PEM policies do not get applied.
Workaround:
To work around this, do the following:
-- Configure bigTCP virtual server not to use source-NAT.
-- Configure destination-IP for hashing in server-vlan (the external VLAN that has the virtual server).
Fixed Versions:
13.1.3.5, 14.1.3.1
783233-2 : OAuth puts quotation marks around claim values that are not string type
Links to More Info: BT783233
Component: Access Policy Manager
Symptoms:
When you define a claim to use with OAuth, and the claim-type setting is set to something other than String, the claim value is treated as a string anyway and encapsulated in quotation marks.
Conditions:
-- OAuth is configured.
-- The OAuth claim value being used is not of type string (i.e., array, boolean, or number).
Impact:
The claim value is encapsulated in quotation marks and processed as a string.
Workaround:
None.
Fix:
OAuth no longer puts quotation marks around claim values that are not string type.
Fixed Versions:
14.1.4.2
783217-1 : Negative numbers of received packets in DoS-sampled log messages for bad actor and attacked destination attacks
Links to More Info: BT783217
Component: Advanced Firewall Manager
Symptoms:
There are negative values for the number of received packets in DoS-sampled log messages for bad actor and attacked destination attacks.
Conditions:
Running the reset-stats command.
Impact:
Incorrect log messages.
Workaround:
Restart tmm. Traffic disrupted while tmm restarts.
Do not run the reset-stats command.
Fix:
Internal counter is now initialized properly after running the reset-stats command.
Fixed Versions:
14.1.4.2
783165-3 : Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile
Links to More Info: BT783165
Component: Application Security Manager
Symptoms:
After you create a whitelist in the Bot Defense profile with url "Any" and then modify the Bot Defense log profile, the whitelist no longer applies.
Conditions:
-- Bot Defense profile is attached to the Virtual Server
-- Adding a whitelist to the Bot Defense profile with url "Any"
-- Modifying the Bot Defense profile afterwards.
Impact:
Whitelist does not apply - users from the defined IP/GEO location might be blocked.
Workaround:
Delete and add the whitelist after modifying the profile.
Fix:
The whitelist is now kept as is when the bot profile is updated.
Fixed Versions:
14.1.2.7, 15.1.0.5
783125-2 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
Links to More Info: BT783125
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.
Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that requires coordinating data with another TMM on the system, such as the 'table' command.
Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.
Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.
Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.
See the respective reference pages for DNS::drop and UDP::drop for the Valid Events in which each iRule command is available:
https://clouddocs.f5.com/api/irules/DNS__drop.html
https://clouddocs.f5.com/api/irules/UDP__drop.html
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
783113-4 : BGP sessions remain down upon new primary slot election
Links to More Info: BT783113
Component: TMOS
Symptoms:
BGP flapping after new primary slot election.
Conditions:
-- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)
-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.
-- The BFD session creation should happen approximately in 30 seconds after the reset/reboot.
Impact:
BGP goes down. BGP flaps cause route-dampening to kick in on the BGP neighbors.
Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
bigstart restart tmrouted
Fix:
BFD no longer remains DOWN after a blade reset/reboot. There is a convergence period caused by blade changes (blade reset/reboot, new blade installed, blade comes up), which may take a few moments, but after that BFD sessions show correct status.
Fixed Versions:
11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.1
782569-1 : SWG limited session limits on SSLO deployments
Links to More Info: BT782569
Component: Access Policy Manager
Symptoms:
SWG limited session limits are enforced on SSLO deployments that enable Explicit proxy authentication.
Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections that use custom category lookup (beyond the SWG limited session limit).
Impact:
SSLO fails to connect when the SWG limited session limit is reached.
Workaround:
None.
Fix:
If there is an SSLO profile paired with either an APM or SSLO per-request policy on a virtual server, and the operation has done a custom category only lookup, an SWG limited license is no longer consumed. This answers the case where there is auth (APM) on one virtual server, and the transparent virtual server is SSLO with custom category lookup only.
Fixed Versions:
14.1.2.1, 15.0.1.1
782353-6 : SIP MRF via header shows TCP Transport when TLS is enabled
Links to More Info: BT782353
Component: Service Provider
Symptoms:
When an SSL Client Profile (TLS) is enabled on a SIP Message-Routing Virtual Server, the via header shows an incorrect transport protocol when SIP messages are sent out the client side of MRF. For example, the via header contains 'SIP/2.0/TCP' or 'SIP/2.0/UDP', when it should read 'SIP/2.0/TLS'.
Conditions:
Sending SIP messages from the client side of the SIP MRF when an SSL client profile is enabled on the SIP Message-Routing virtual server.
Impact:
The via header is not correct and violates the SIP RFC.
Workaround:
Create an iRule that replaces the incorrect via header with a correct one, for example:
when SIP_REQUEST_SEND {
    if { [clientside] } {
        SIP::header replace Via [string map [list "SIP/2.0/TCP " "SIP/2.0/TLS " "SIP/2.0/UDP " "SIP/2.0/TLS "] [SIP::header Via 0]] 0
    }
}
Fix:
The via headers show the correct text (e.g., SIP/2.0/TLS) when an SSL Client Profile is enabled on a SIP Message-Routing virtual server.
Fixed Versions:
13.1.3.4, 14.1.2.7
781829-1 : GTM TCP monitor does not check the RECV string if server response string not ending with \n
Links to More Info: BT781829
Component: Global Traffic Manager (DNS)
Symptoms:
GTM TCP monitor marks resource down.
Conditions:
The TCP server response string does not end with '\n'.
Impact:
Available resources are marked down.
Workaround:
If the TCP server is sending a text response, reconfigure the server to make sure it terminates the output with '\n'.
If the TCP server cannot be changed (for example, if it produces binary output), it may be possible to create an external gtm monitor instead.
Fixed Versions:
13.1.3.5, 14.1.3.1
781753-3 : WebSocket traffic is transmitted with unknown opcodes
Links to More Info: BT781753
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not preserve WebSocket frames. Frame headers and payload may be reordered such that a header for a second frame may be sent out in the middle of a first frame's payload. Frame boundaries get skewed and payload gets interpreted as headers.
Conditions:
A request logging profile is configured on a WebSocket virtual server.
Impact:
WebSocket frames are not preserved such that traffic appears to be garbage.
-- If request logging is enabled, client frames may not be preserved.
-- If response logging is enabled, server frames may not be preserved.
Workaround:
Remove the request logging profile.
Fixed Versions:
13.1.3.2, 14.1.2.8
781725-2 : BIG-IP systems might not complete a short ICAP request with a body beyond the preview
Links to More Info: BT781725
Component: Service Provider
Symptoms:
An ICAP request (REQMOD or RESPMOD) body goes out to the ICAP server as far as a preview. If the server responds 100-continue, only a single chunk of the remaining payload might be sent to the server. Eventually the connection times out.
Conditions:
-- An ICAP profile is configured with a preview.
-- The HTTP request or response to be modified has a body that is more than one chunk longer than the preview length, yet short enough to be completely buffered in BIG-IP system before the preview is sent to the ICAP server.
-- The ICAP server responds with 100-continue.
Impact:
Only the first chunk of payload is sent after the preview, and eventually the connection times out.
Workaround:
None.
Fix:
The BIG-IP system now sends the complete ICAP request to the server, and the transaction completes normally.
Fixed Versions:
14.1.2.5
781637-2 : ASM brute force counts unnecessary failed logins for NTLM
Links to More Info: BT781637
Component: Application Security Manager
Symptoms:
A false positive brute force violation is raised and the login request is blocked.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM Brute force protection enabled for NTLM login type.
Impact:
The login request is blocked by the ASM policy.
Workaround:
Define higher thresholds in the brute force protection settings.
Fix:
The ASM code has been fixed and no longer counts unnecessary failed logins for NTLM.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
781605-3 : Fix RFC issue with the multipart parser
Links to More Info: BT781605
Component: Application Security Manager
Symptoms:
False positive or false negative attack signature match on multipart payload.
Conditions:
Very specific parsing issue.
Impact:
A parameter specific excluded signature may be matched or un-matched.
Workaround:
N/A
Fix:
The multipart parser issue was fixed.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3, 14.1.2.1, 15.0.1.1
781581-3 : Monpd uses excessive memory on requests for network_log data
Links to More Info: BT781581
Component: Application Visibility and Reporting
Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:
err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child
Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.
Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.
Workaround:
None.
Fix:
A db variable has been added: avr.eventlogsreportrownumber, which controls the number of logs displayed. The db variable default is 10000, and supports a range from 100 through 1000000.
Note: Using the maximum value may trigger the behavior described here. The system behavior depends on the specific machine hardware.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.3
781445-1 : Named or dnscached cannot bind to IPv6 address
Links to More Info: BT781445
Component: Access Policy Manager
Symptoms:
In some scenarios, the named process cannot bind to IPv6 addresses. This occurs because the dnscached process listens to the wildcard IPv6 address port 53 (i.e., :::53) so it cannot respond to queries sent to IPv6 addresses.
The following message is reported in the ltm log:
err named[16593]: binding TCP socket: address in use.
Conditions:
-- The named and dnscached processes are not running.
-- The dnscached process is started first.
-- The named process is started later.
Impact:
The named process does not respond to the queries that are sent to IPv6 addresses at port 53.
Workaround:
1) Stop both the named and dnscached processes.
2) Edit the startup script for dnscached to start in IPv4-only mode.
2a) On BIG-IP system, open the file /etc/bigstart/startup/dnscached.
2b) Add "-4" to the command line options of dnscached. This is done in "/etc/bigstart/scripts/dnscached": add "-4" so that this line:
exec /usr/sbin/dnscached -f -t $chroot_home -u named -c /config/named.conf -n 1
Now reads like this:
exec /usr/sbin/dnscached -4 -f -t $chroot_home -u named -c /config/named.conf -n 1
3) Restart the processes:
bigstart restart named dnscached
Fix:
The dnscached startup script has been modified to start in IPv4-only mode, so it does not listen on any IPv6 address.
Fixed Versions:
14.1.2.1
781425 : Firewall rule list configuration causes config load failure
Links to More Info: BT781425
Component: Advanced Firewall Manager
Symptoms:
'tmsh load sys config' has a syntax error.
The syntax error is reported on 'security firewall rule-list rule' configuration.
Conditions:
This occurs only if any of the rule-list rule ip-protocol contains one of the following protocols:
-- BBN-RCC-MON
-- NVP-II
-- DCN-MEAS
-- OSPFIGP
-- CRUDP
Impact:
The system fails to load the configuration.
Workaround:
Manually edit the configuration file: /config/bigip_base.conf
1. Replace the ip-protocol name from rule-list configuration:
-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.
2. Save the file.
3. Issue the command:
tmsh load sys config
The configuration now loads without syntax errors.
Fixed Versions:
14.1.3.1
781313-1 : AVR dashboard displays incorrect client/server bytes-in/bytes-out stats
Links to More Info: BT781313
Component: SSL Orchestrator
Symptoms:
AVR dashboard for SSL Orchestrator shows incorrect bytes-in and bytes-out stats for both client and server.
Conditions:
-- SSL Orchestrator licensed and provisioned.
-- Application Visibility and Reporting (AVR) is licensed and provisioned.
Impact:
AVR does not report correct stats.
Workaround:
None.
Fix:
AVR dashboard for SSL Orchestrator now shows correct bytes-in and bytes-out stats for both client and server.
Fixed Versions:
14.1.2.1, 15.0.1.3
781225-2 : HTTP profile Response Size stats incorrect for keep-alive connections
Links to More Info: BT781225
Component: Local Traffic Manager
Symptoms:
The HTTP profile Response Size statistic is incorrectly updated per-response using the cumulative number of response bytes seen for the lifetime of the connection, rather than the bytes seen per-response.
Conditions:
-- HTTP profile configured
-- HTTP connection reused for multiple requests/responses
Impact:
The HTTP profile Response Size statistics may be incorrectly reported and do not correlate to actual traffic seen.
Workaround:
None.
Fix:
The HTTP Response Size statistics are correctly updated using per-response values.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1
781069-2 : Bot Defense challenge blocks requests with long Referer headers
Links to More Info: BT781069
Component: Application Security Manager
Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
This client may get blocked by TCP RST, or suffer from a challenge loop.
Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense are configured
-- Request has a Referer header that is between ~1400 and 3072 characters long
Impact:
Legitimate browsers may get blocked or suffer from a challenge loop
Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.
Fix:
Challenges with long Referer headers no longer block legitimate clients.
Fixed Versions:
13.1.3, 14.1.2.1, 15.0.1.1
781041-1 : SIP monitor in non default route domain is not working.
Links to More Info: BT781041
Component: Local Traffic Manager
Symptoms:
SIP pool members in a non-default route domain are being marked as unavailable even though they are available. This may be intermittent depending on which device is assigned to do the monitoring.
Conditions:
- SIP pool members in a non-default route domain.
- Probing device attempts to probe from anything other than route domain 0.
Impact:
SIP service unavailable.
Fixed Versions:
14.1.2.7
781021-2 : ASM modifies cookie header causing it to be non-compliant with RFC6265
Links to More Info: BT781021
Component: Application Security Manager
Symptoms:
When ASM strips the ASM cookies from the cookie header, it leaves the cookie header in a form that is not compliant with RFC6265 in two respects:
-- No space after the semicolon
-- A cookie with no value is sent without the equals sign
Conditions:
-- ASM Security Policy is used.
-- Request includes an ASM cookie.
Impact:
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.
Workaround:
Disable the cookie stripping by modifying the DB variable as follows:
tmsh modify sys db asm.strip_asm_cookies value false
Fix:
ASM now strips the ASM cookies from the request in a way that is compliant with RFC6265.
Fixed Versions:
14.1.2.3
780837-1 : Firewall rule list configuration causes config load failure
Links to More Info: BT780837
Component: Advanced Firewall Manager
Symptoms:
'tmsh load sys config' reports a syntax error.
The syntax error is reported on 'security firewall rule-list rule' configuration.
Conditions:
This occurs only if any of the rule-list rule ip-protocol contains one of the following protocols:
Note: You can see the mismatched protocol names in the /etc/protocols listing file (column 1 and column 3 differ):
bbn-rcc 10 BBN-RCC-MON # BBN RCC Monitoring
nvp 11 NVP-II # Network Voice Protocol
dcn 19 DCN-MEAS # DCN Measurement Subsystems
ospf 89 OSPFIGP # Open Shortest Path First IGP
crdup 127 CRUDP # Combat Radio User Datagram
Impact:
The system fails to load the configuration.
Workaround:
Manually edit the configuration file: /config/bigip_base.conf
1. Replace the ip-protocol name from rule-list configuration:
-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.
2. Save the file.
3. Issue the command:
tmsh load sys config
The configuration now loads without syntax errors.
Fixed Versions:
14.1.2.1, 15.0.1.4
780817-5 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
Links to More Info: BT780817
Component: TMOS
Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:
notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.
Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.
+ VIPRION B4300, B4340, and B44xx blades.
+ BIG-IP iSeries i15x00 platforms
-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.
Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.
Guests part of a redundant pair may fail over.
Workaround:
None.
Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
779857-1 : Misleading GUI error when installing a new version in another partition★
Links to More Info: BT779857
Component: TMOS
Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:
'Install Status':Failed Troubleshooting
Conditions:
Install a new version in another partition.
Impact:
The GUI error is misleading. It shows the install status as 'Failed Troubleshooting' even though the installation is proceeding normally; only the error is incorrect, and it does not indicate a problem with the installation.
Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
778869-3 : ACLs and other AFM features (e.g., IPI) may not function as designed
Links to More Info: K72423000, BT778869
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, ACLs, IPI and other AFM features may not function as designed.
Conditions:
AFM provisioned and configured.
TCP mitigations active.
Impact:
AFM features do not function as designed.
Workaround:
None.
Fix:
ACLs and other AFM features (e.g., IPI) now function as designed.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.5
778841-2 : Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother
Links to More Info: BT778841
Component: Local Traffic Manager
Symptoms:
Traffic is not passing in virtual wire when virtual server type is configured as standard, protocol set to "All Protocols" and the IP profile is ipother.
Conditions:
-- Virtual wire is configured
-- Virtual server type is standard
-- IP profile is ipother
Impact:
Virtual wire traffic matching the virtual server is dropped.
Fixed Versions:
14.1.4.4
778681-2 : Factory-included Bot Signature update file cannot be installed without subscription★
Links to More Info: BT778681
Component: Application Security Manager
Symptoms:
After upgrade, the factory-included Bot Signature update file cannot be installed without subscription, even if it is already installed.
Conditions:
The device is upgraded to 14.1.0 from a previous version, and does not have a Bot Signatures subscription.
Impact:
The factory-included Bot Signature update file cannot be installed.
Fixed Versions:
14.1.2.3, 15.0.1.1
778517-1 : Large number of in-TMM monitors results in delayed processing
Links to More Info: K91052217, BT778517
Component: Local Traffic Manager
Symptoms:
A monitor may continue to probe for a while after it has been removed from pool / member / node. Duplicate monitor instances may get created after associating a monitor to a server.
Conditions:
Device has a large number of in-TMM monitors.
Impact:
-- Monitor target may appear down when responding correctly.
-- Monitor may continue to run after removed from pool / member / node.
-- Increased monitoring load on server.
Workaround:
Disable in-tmm monitors:
tmsh modify sys db bigd.tmm value disable
Fix:
Large numbers of in-TMM monitors are processed in a timely fashion.
Fixed Versions:
13.1.3.4, 14.1.2.7
778365-2 : dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
Links to More Info: BT778365
Component: Global Traffic Manager (DNS)
Symptoms:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS. If there is a DNS service running on the LDNS, RTT metrics should be collected successfully, as expected. However, if there is no DNS service on the LDNS, no RTT metrics should be collected. The BIG-IP system nevertheless populates the RTT values, giving users "false positive" results.
Conditions:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS and there is no DNS service running on the LDNS.
Impact:
RTT metrics are collected even though no response from the DNS service is present, giving users the wrong impression that there is one.
Fix:
RTT metrics are collected only when the DNS service is present; otherwise, zero RTT values are returned.
Fixed Versions:
13.1.3.4, 14.1.2.7
778125-1 : LDAP remote authentication passwords are limited to fewer than 64 bytes
Links to More Info: BT778125
Component: TMOS
Symptoms:
The LDAP remote authentication password is limited to fewer than 64 bytes.
Conditions:
Configured for remote authentication with a password that is longer than or equal to 64 bytes.
Impact:
Unable to log in as remote-user with a long password.
Workaround:
Set a password that is shorter than 64 bytes.
Fixed Versions:
14.1.2.3, 15.0.1.4
777993-2 : Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
Links to More Info: BT777993
Component: TMOS
Symptoms:
Egress TCP/UDP traffic with same L4 source port and destination port to an external trunk is pinned to one link only.
Conditions:
This happens on BIG-IP hardware platforms with a Broadcom switch chip, so BIG-IP 2000/4000 and i2000/i4000 series are not impacted.
Impact:
Performance degradation as only a portion of the trunk bandwidth is utilized.
Workaround:
None.
Fix:
Egress TCP/UDP traffic with same L4 source port and destination port is now evenly distributed among trunk ports.
Fixed Versions:
14.1.2.5
777937-3 : AWS ENA: packet drops due to bad checksum
Links to More Info: BT777937
Component: Performance
Symptoms:
-- Lower throughput and tps.
-- High availability (HA) heartbeat is getting dropped, resulting in an active-active configuration.
Conditions:
AWS Elastic Network Adapter (ENA) NIC is in use.
Impact:
Performance degradation and invalid HA configuration.
Workaround:
On the BIG-IP system, turn off checksum offloading on TX as follows:
modify sys db tm.tcpudptxchecksum value Software-only
Important: This workaround negatively affects NICs other than ENA. Therefore, the workaround is recommended exclusively when ENA NICs are the only dataplane NICs in use in the BIG-IP system.
Fix:
AWS ENA: no packet drops due to bad checksum.
Fixed Versions:
14.1.0.6, 15.0.1
777269-1 : Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup
Links to More Info: BT777269
Component: Local Traffic Manager
Symptoms:
The Address Resolution Protocol is used to allow IP endpoints to advertise their L2 (Ethernet MAC) addresses, and to query their network peers to request needed associations. Typically, TMM will immediately broadcast an ARP announcing its IP-MAC association (sometimes called a "gratuitous" ARP), so that switches can begin directing traffic to the self-ip immediately.
When BIGIP-VE starts with interfaces provided by some hypervisors, it may not immediately know the MAC address assigned to the interface until several milliseconds after the interface is created. In these cases, the gratuitous ARP will contain the MAC address 00:98:76:54:32:10, which is a valid but incorrect MAC address.
Normally, this is harmless, because the correct MAC address is immediately announced once it is known. However, it may be possible for a L2 switch upstream from multiple BIGIP-VE instances to believe a L2 loop has developed, and block one or both ports through which it saw the gratuitous ARPs.
Conditions:
BIG-IP VE, version 13.0.0 or later, running with the virtio driver on an OpenStack-compatible hypervisor.
Impact:
If an upstream switch sees gratuitous ARPs from multiple downstream BIG-IP instances on the same L2 LAN, it might block connectivity to one or more ports through which the gratuitous ARPs are seen. The self IP may appear to have connectivity for some time after it comes up, before connectivity is blocked at the upstream switch.
Fix:
Gratuitous ARPs sent with an incorrect MAC address are no longer broadcast.
Fixed Versions:
14.1.2.5
777261-4 : When SNMP cannot locate a file it logs messages repeatedly
Links to More Info: BT777261
Component: TMOS
Symptoms:
When the SNMP daemon encounters an error while attempting to statfs a file, it logs an error message. If the file is not present, this error is logged repeatedly and can fill up the log file.
Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.
Impact:
This can fill up the log with errors.
Fix:
The SNMP daemon has been fixed to log this error once.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
777241-2 : smtps partial_conncount issues and unexpected resets
Links to More Info: BT777241
Component: SSL Orchestrator
Symptoms:
In certain scenarios, an SMTPS-related counter may underflow, which may cause some SMTPS connections to be reset by the BIG-IP system.
Conditions:
The specific conditions under which this occurs are unknown.
Impact:
Some SMTPS connections could get terminated with a reset. This can be observed by looking at the tmstat table smtps_parse_stat.
Workaround:
None.
Fix:
Intermittent SMTPS connection failures no longer occur under these conditions.
Fixed Versions:
14.1.2.3
777237-1 : IPsec high availability (HA) for failover confused by runtime changes in blade count
Component: TMOS
Symptoms:
Security Associations (SAs) for IPsec could fail to mirror to standby correctly when multiple blades are involved, because tmm ownership of SAs on active could be assigned both before and after the blade count stabilized. (Initialization of peer descriptions started before the blade count finished stabilizing, which made them stale with respect to mirroring, after blade count change.) Missing SAs on standby would then be renegotiated after failover.
Conditions:
An IPsec config running under high availability where multiple blades are present in the chassis.
Impact:
Failure to properly mirror some SAs to standby caused them to be renegotiated after failover, which delays tunnel service until a new SA can be established.
Workaround:
No workaround is known.
Fix:
When blade count changes dynamically at runtime (which happens because IPsec init starts before blade count stabilizes), all previously initialized peers are visited to update their idea of tmm ownership to reflect the new blade count.
Fixed Versions:
14.1.2.8
777229-1 : IPsec improvements to internal pfkey messaging between TMMs on multi-blade
Links to More Info: BT777229
Component: TMOS
Symptoms:
There is no known performance degradation. This work eliminates unnecessary duplication of internal messages.
Conditions:
- IPsec tunnel configured.
- Multi-blade system.
Impact:
Extra logging in the TMM log due to duplicated internal messaging.
Workaround:
For vCMP systems, provision the Guest on one blade only. There is no workaround for bare-metal systems.
Fix:
Duplication of inter-tmm messaging has been eliminated.
Fixed Versions:
14.1.2.8
777173-2 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
Links to More Info: BT777173
Component: Access Policy Manager
Symptoms:
When an administrator runs the Citrix vdi iApp in an APM standalone deployment (LTM is not licensed), the iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed
This is the result of a license check added for HTTP header transformation.
Conditions:
- APM is licensed as standalone (no LTM license).
- The administrator tries to run the Citrix vdi iApp.
Impact:
The administrator is not able to use the iApp to configure Citrix vdi access.
Workaround:
Adding an LTM module license resolves the error.
Fix:
Citrix vdi iApp now can be used to configure Citrix vdi access in an APM standalone deployment.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
776393-2 : Restjavad restarts frequently due to insufficient memory with relatively large configurations
Links to More Info: BT776393
Component: TMOS
Symptoms:
Restjavad restarts frequently (approximately every 5 minutes) due to the JVM heap running out of memory.
Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.
Impact:
REST API intermittently unavailable.
Workaround:
Give restjavad extra memory, using the following commands. The example below allocates 2 GB of extra memory to restjavad:
tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.extramb value 2000
bigstart restart restjavad
To persist the change above across system reboots, save the configuration with:
tmsh save sys config
Fix:
The default restjavad heap memory has been increased to 384MB.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
776229-2 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero
Links to More Info: BT776229
Component: Local Traffic Manager
Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:
err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"
Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.
Impact:
The iRule rejects traffic when the pool member's port number is 0.
Workaround:
Configure any iRule using the 'pool' command to go to a pool member using a non-0 port in the CLIENT_ACCEPTED event.
Fix:
No longer blocking access to pool members that use port number 0 (zero) from iRule 'pool' commands.
Fixed Versions:
13.1.3.4, 14.1.3.1
776133-1 : RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices
Links to More Info: BT776133
Component: Performance
Symptoms:
RSS hash is not used on BIG-IP Virtual Edition (VE).
You can run the following command to see the 'n' (no) for RSS results:
tmctl -d blade -i tmm/ndal_dev_status
Example:
iface device pci if_up link_up rcso lro sw_lro lro_no_md rvho rss tcso tso
1.1 vmxnet3 11:0.0 n n y:n y:n n y y:n n y:y y
Conditions:
This is encountered on BIG-IP VE.
Impact:
Performance degradation on non-SR-IOV devices.
Workaround:
None.
Fixed Versions:
14.1.2.3
776073-1 : OOM killer killing tmm in system low memory condition as process OOM score is high
Links to More Info: BT776073
Component: TMOS
Symptoms:
When the BIG-IP system is running low on memory, the Out-Of-Memory (OOM) killer is more likely to select tmm to kill in order to release resources.
Conditions:
BIG-IP version 13.0.x or later installed and system running with low memory.
Having AFM provisioned makes the tmm process more likely to be selected by the OOM killer.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Adjust OOM score of "tmm" process through oom_score_adj proc setting.
echo "-500" > /proc/<pid_of_tmm>/oom_score_adj
Fix:
OOM score for "tmm" process is adjusted such that OOM killer will not prioritize "tmm" during system low memory condition.
Fixed Versions:
14.1.2.1, 15.0.1.1
775897-1 : High Availability failover restarts tmipsecd when tmm connections are closed
Links to More Info: BT775897
Component: TMOS
Symptoms:
All security associations (SAs) can be deleted when tmipsecd restarts as a result of closing tmm connections during failover from active to standby.
Conditions:
When failover happens for high availability (HA), tmipsecd aims to close tmm connections when on standby, because tmm must connect instead to the daemon running in the active system. But as a side effect, this restarts tmipsecd, resulting in deletion of all SAs when tmipsecd comes back up.
Impact:
tmipsecd restarts. All IPsec tunnels experience an interruption of service until new SAs are negotiated.
Workaround:
None.
Fix:
Now tmipsecd no longer restarts when the tmm connections are closed in response to failover from active to standby.
Fixed Versions:
14.1.2.5
775621-2 : urldb memory grows past the expected ~3.5GB
Links to More Info: BT775621
Component: Access Policy Manager
Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).
Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.
Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.
Workaround:
None.
Fix:
The system no longer preloads the database into memory, so memory no longer grows past what is expected.
Fixed Versions:
13.1.3, 14.1.2.1, 15.0.1.3
775013-2 : TIME EXCEEDED alert has insufficient data for analysis
Links to More Info: BT775013
Component: Fraud Protection Services
Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.
Conditions:
Viewing alert logs for time-exceeded messages.
Impact:
Makes troubleshooting and/or analysis difficult.
Workaround:
None.
Fix:
All encryption failure alerts now provide additional details to assist in troubleshooting the process.
Fixed Versions:
13.1.3, 14.1.2.1, 15.0.1.1
774941-1 : GUI misspelling in Bot Defense logging profile
Links to More Info: BT774941
Component: Application Security Manager
Symptoms:
There is a misspelling in the logging profile for Bot Defense: Log Requests by Classificaiton.
Conditions:
Go to Security :: Event Logs : Logging Profiles :: Logging Profile :: Bot Defense :: Request Log.
Impact:
GUI shows misspelled word. There is no functional impact to this issue.
Workaround:
None needed. This is a cosmetic issue only.
Fix:
The text has been corrected: Log Requests by Classification.
Fixed Versions:
14.1.0.6
774913-1 : IP-based bypass can fail if SSL ClientHello is not accepted
Links to More Info: BT774913
Component: Local Traffic Manager
Symptoms:
IP-based bypass can fail for an SSL stream if the client sends a ClientHello that is not accepted by the BIG-IP system.
Conditions:
Client's SSL ClientHello message is not accepted by the BIG-IP system.
Impact:
Connection drop.
Workaround:
None.
Fix:
Check SSL bypass policy before parsing ClientHello message.
Fixed Versions:
14.1.2.1, 15.0.1.3
774881 : Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed.
Links to More Info: BT774881
Component: Protocol Inspection
Symptoms:
Protocol Inspection profiles can be added to a virtual server but are not applied to traffic.
Adding a Protocol Inspection profile now requires an AFM standalone license or an add-on AFM license that includes the Protocol Inspection module. Otherwise, an error message is shown.
Conditions:
-- AFM is licensed as an add-on module without Protocol Inspection feature.
-- Protocol Inspection profile is configured and added to a virtual server or referenced in a firewall rule.
Impact:
It might appear that the configured Protocol Inspection profile attached to a virtual server or referenced in a firewall rule should work, but in fact, it is not applied to the actual traffic.
Workaround:
None.
Fix:
An error message is shown when trying to apply a Protocol Inspection profile to a virtual server or to a firewall rule having no Protocol Inspection license.
Fixed Versions:
14.1.0.5
774633-2 : Memory leak in tmm when session db variables are not cleaned up
Links to More Info: BT774633
Component: Access Policy Manager
Symptoms:
There are some session db variables created as part of the split session proxy that have an indefinite timeout. If there is an error path or a failure with an inline service, the delete never gets called and these session keys build up over time, causing memory to leak in tmm.
Conditions:
SSLO setup with a service connector that fails.
Impact:
tmm eventually runs out of memory and generates a core file.
Workaround:
None.
Fix:
Variables have been set with a timeout so that they don't leak memory if the inline service fails.
Fixed Versions:
14.1.0.6, 15.0.1.1
774617-1 : SNMP daemon reports integer truncation error for values greater than 32 bits
Links to More Info: BT774617
Component: TMOS
Symptoms:
Some values sent to SNMP can grow too large over time, causing an integer truncation error.
Conditions:
Values greater than 32 bits sent to SNMP.
Impact:
SNMP values are truncated. An error message is logged in /var/log/daemon.log:
err snmpd[20680]: truncating integer value > 32 bits
Workaround:
No current workaround.
Fixed Versions:
14.1.4, 15.1.0.4
774481-2 : DNS Virtual Server creation problem with Dependency List
Links to More Info: BT774481
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use the GUI to create virtual servers with a dependent virtual server.
Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.
Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.
Workaround:
You can use either of the following workarounds:
-- Use tmsh;
-- Create the virtual server through the GUI without a dependent virtual server first, and then edit the virtual server to add the dependency.
Fixed Versions:
13.1.3.4, 14.1.2.7
774445-1 : BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2
Links to More Info: K74921042, BT774445
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).
Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor.
-- VMXNET 3 NICs.
Impact:
Traffic does not pass through non-mgmt interfaces.
Workaround:
You can use the following workarounds:
-- Until this issue is fixed in a Point-Release for your software branch, you can contact F5 Networks Technical Support to obtain an Engineering Hotfix to address the issue. This workaround allows TMM to continue to use the VMXNET3 driver, which is preferable.
-- On BIG-IP version 14.1.0, you can switch to the 'sock' driver.
-- On BIG-IP versions earlier than 14.1.0, you can switch to the 'unic' driver.
Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.
IMPORTANT: The driver must be configured the same way on all devices in a sync-failover device group.
To switch driver:
1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). For example:
echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl
2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):
bigstart restart tmm
3. After tmm restarts, confirm the driver in use by examining the output of:
tmctl -d blade tmm/device_probed
Fix:
BIG-IP VE now passes traffic on ESXi 6.7 Update 2.
Fixed Versions:
13.1.3, 14.0.0.5, 14.1.0.6
774361-2 : IPsec High Availability sync during multiple failover via RFC6311 messages
Links to More Info: BT774361
Component: TMOS
Symptoms:
After multiple failover events, BIG-IP can fail to coordinate with a remote peer via RFC6311 protocol messages, whose content can present the wrong message IDs, which are also marshalled in host byte order instead of network byte order.
Conditions:
When active and standby systems fail over multiple times, and a newly active system must sync IDs with the newly standby system before exchanging messages with a remote peer to synchronize expected ID sequences.
Impact:
IPsec tunnels experience a temporary outage until new security associations are negotiated.
Workaround:
No workaround is known at this time.
Fix:
The following changes have been applied to RFC6311 messages:
-- Values are now passed in big-endian network byte order.
-- BIG-IP is willing to send messages after multiple failovers.
-- Active always syncs with standby before putting IDs into messages.
Fixed Versions:
14.1.2.8
774301-4 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
Links to More Info: BT774301
Component: Access Policy Manager
Symptoms:
When the BIG-IP system, configured as SAML IdP or SAML SP, processes SAML Requests/Responses, the verification of the digital signature fails in certain cases:
err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response
Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.
-- SAML sends the "ArtifactResponse" message with both "ArtifactResponse" and "Assertion" signed.
-- This is also applicable to any SAML requests/responses that are signed:
a) SAML Authentication Request
b) SAML Assertion
c) SAML Artifact Response
e) SAML SLO Request/Response
Impact:
Output does not match the 'Canonicalized element without Signature' calculated by APM. BIG-IP SAML IdP or SAML SP fails to process SAML Requests/Responses, resulting in errors. Cannot deploy APM as SAML SP with Assertion Artifact binding.
Workaround:
None.
Fix:
Output now matches the 'Canonicalized element without Signature' calculated by APM, so deployment occurs without error.
Fixed Versions:
12.1.5, 14.1.4, 15.0.1.3
774257-2 : tmsh show gtm pool and tmsh show gtm wideip print duplicate object types
Links to More Info: BT774257
Component: Global Traffic Manager (DNS)
Symptoms:
Tmsh show gtm pool and show gtm wideip commands with field-fmt will display the object type twice in the output. For example:
tmsh> show gtm pool a field-fmt
gtm pool pool emptypool:A
tmsh> show gtm wideip a field-fmt
gtm wideip wideip testwip.f5.com:A
Conditions:
This occurs when running the following tmsh commands:
tmsh show gtm pool <poolname> field-fmt
tmsh show gtm wideip <wideipname> field-fmt
Impact:
The output type is printed twice
Workaround:
None.
Fix:
The output becomes like this after fix:
gtm pool a emptypool
gtm wideip a testwip.f5.com
Fixed Versions:
14.1.2.7, 15.1.0.5
774213-1 : SWG session limits on SSLO deployments
Links to More Info: BT774213
Component: Access Policy Manager
Symptoms:
SWG session limits are enforced on SSLO deployments that enable Explicit proxy authentication.
Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections (beyond the SWG session limit).
Impact:
SSLO fails to connect when the SWG session limit is reached.
Workaround:
None.
Fix:
If there is an SSLO profile paired with either an APM or SSLO per-request policy on a virtual server, and the operation has done a hostname only lookup, an SWG license is no longer consumed. This answers the case where there is auth (APM) on one virtual server, and the transparent virtual server is SSLO with hostname Category Lookup only.
Fixed Versions:
14.1.0.6, 15.0.1.1
773925-2 : Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files
Links to More Info: BT773925
Component: Application Visibility and Reporting
Symptoms:
For unknown reasons, sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB table files. MySQL starts reporting error 24 in its error log:
190228 8:21:17 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_FW_NAT_TRANS_DEST_H.frm' (errno: 24)
190228 8:45:36 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_ASM_NETWORK_T.frm' (errno: 24)
190228 9:12:22 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_ASM_NETWORK_T.frm' (errno: 24)
Conditions:
-- Statistics are collected locally on the BIG-IP system (that is, the BIG-IP system is not associated with a BIG-IQ device).
-- There is a considerable amount of traffic.
Impact:
Statistic reports stop working. In some cases DB becomes corrupted.
Workaround:
In /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter from 2500 to 5000.
2. Add the following parameter (right after 'open_files_limit'):
table_open_cache=2000
3. Restart MySQL:
bigstart restart mysql
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
Fix:
Embed MariaDB configuration change into the standard BIG-IP versions.
Fixed Versions:
14.1.2.1
773821-1 : Certain plaintext traffic may cause SSLO to hang
Links to More Info: BT773821
Component: Local Traffic Manager
Symptoms:
SSLO relies on SSL hudfilter to detect non-SSL traffic; but certain plaintext can be mistaken as SSL traffic, which can cause a hang.
Conditions:
Initial plaintext traffic resembles SSLv2 hello message or has less than enough bytes for SSL to process.
Impact:
SSLO hangs, unable to bypass traffic.
Workaround:
None.
Fix:
Improve SSL hello parser.
Fixed Versions:
14.1.2.1, 15.0.1.3
773773-2 : DoS auto-threshold detection values are not reloaded correctly after a reboot.
Links to More Info: BT773773
Component: Advanced Firewall Manager
Symptoms:
After a reboot, DoS statistics show DoS thresholds as floor thresholds as opposed to learned thresholds.
Conditions:
Enable autodosd
Impact:
Historic thresholds are not considered as part of DoS detection, which can lead to incorrect DoS detection.
Workaround:
None
Fix:
The system now reads historic data as expected.
Fixed Versions:
14.1.4
773677-1 : BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase★
Links to More Info: K72255850, BT773677
Component: TMOS
Symptoms:
The system-journald process writes to temporary storage /run/log/journal when storage mode is set to 'auto'. The persistent directory /var/log/journal that controls where the log goes (temporary or persistent memory) is usually created during BIG-IP system reboot. In some cases, /var/log/journal is not created. In the absence of this, system-journald writes to temporary storage /run/log/journal.
Conditions:
BIG-IP upgraded from versions prior to v14.1.0 to version 14.1.0 or later.
Impact:
As it writes to temporary memory, system SWAP memory usage increases, impacting overall system performance and may result in the kernel out-of-memory killer running and killing system processes.
Workaround:
Perform these steps while running the upgraded 14.1.x system.
1. Create system-journald persistent log directory manually:
mkdir /var/log/journal
chown root:systemd-journal /var/log/journal
chmod 2755 /var/log/journal
chcon system_u:object_r:var_log_t:s0 /var/log/journal
2. Reboot the system.
Fix:
The system-journald persistent directory is always created during reboot or when the system-journald storage option is set to 'persistent'.
Fixed Versions:
14.1.0.6
773553-2 : ASM JSON parser false positive.
Links to More Info: BT773553
Component: Application Security Manager
Symptoms:
False positive JSON malformed violation.
Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.
Impact:
HTTP request is blocked or an alarm is raised.
Workaround:
There is no workaround other than disabling the JSON profile.
Fix:
JSON parser has been fixed as per RFC8259.
Fixed Versions:
12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
773421-1 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
Links to More Info: BT773421
Component: Local Traffic Manager
Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.
Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).
-- OneConnect is applied.
-- proxy-mss is enabled (the default value starting in v12.0.0).
Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.
Workaround:
Disable proxy-mss in the configured TCP profile.
Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.
Fixed Versions:
12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1
773253-3 : The BIG-IP may send VLAN failsafe probes from a disabled blade
Links to More Info: BT773253
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core
Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- The VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.
Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.
Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.
Impact of workaround: Traffic disrupted while tmm restarts.
Fixed Versions:
13.1.4, 14.1.4.2, 15.1.2.1
772545-3 : Tmm core in SSLO environment
Links to More Info: BT772545
Component: Local Traffic Manager
Symptoms:
Unexpected SSL events can occur in SSLO configuration, possibly resulting in tmm core.
Conditions:
SSLO environment which can cause serverside ssl to become enabled during clientside handshake causing unexpected events.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enable the SSL forward proxy verified-handshake setting, available in 14.0.
Fixed Versions:
13.1.3.6, 14.1.2.3, 15.0.1.1
772473-3 : Request reconstruct issue after challenge
Links to More Info: BT772473
Component: Application Security Manager
Symptoms:
False positive on Content-Type header in GET request.
Conditions:
After challenge is completed, the server responds to the reconstructed request with a 302-redirect.
Impact:
The BIG-IP adds to the next request (GET request) a Content-Type header.
Workaround:
There is no workaround at this time.
Fix:
The BIG-IP no longer reconstructs the next request after a redirect.
Fixed Versions:
14.0.1.1, 14.1.2.1, 15.0.1.1
772297-2 : LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
Links to More Info: BT772297
Component: Local Traffic Manager
Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface are reset to default.
Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.
Impact:
LLDP-related options under 'tmsh net interface' for that secondary blade are reset to default.
Workaround:
Run 'tmsh load sys config' on the primary blade, and the LLDP-settings will reapply to the interfaces.
Fixed Versions:
14.1.4
772233-4 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
Links to More Info: BT772233
Component: Global Traffic Manager (DNS)
Symptoms:
When probing a DNS Path, the round trip time (RTT) metric is not set correctly if the collection protocol used is DNS_DOT or DNS_REV.
The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.
Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.
Impact:
RTT metric is not set at all.
Workaround:
Use the ICMP collection protocol instead.
Fix:
The problem no longer occurs for either collection protocol (DNS_DOT or DNS_REV), and the RTT is set correctly.
Fixed Versions:
13.1.3.2, 14.1.2.5, 15.0.1.3
772165-1 : Sync Failed due to Bot Defense profile not found.
Links to More Info: BT772165
Component: Application Security Manager
Symptoms:
A sync failure might happen in a sync-failover device group after manually editing the /config/bigip.conf file and removing the Bot Defense profiles, and then performing a config sync.
The system reports a sync error message similar to this:
FODG (Sync Failed): A validation error occurred while syncing to a remote device.
- Sync error on device-b: Load failed from /Common/device-a 01020036:3: The requested profile (/Common/bot-defense-device-id-generate-before-access) was not found.
- Recommended action: Review the error message and determine corrective action on the device.
Conditions:
Manually editing the /config/bigip.conf file and removing the Bot Defense profile, then loading the config, and performing a config sync.
This sync failure may happen even without ASM provisioned, and in rare cases may happen even if you have not modified the base Bot Defense profile.
Impact:
Sync failure.
Workaround:
Reload the config from the receiving device, and then perform a force sync in the opposite direction, overriding the previous changes. This should bring the system back to in sync.
Fix:
Sync failures no longer happen when removing Bot Defense profiles from the config file and loading config.
Fixed Versions:
14.1.2.7
772117-3 : Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card
Links to More Info: BT772117
Component: TMOS
Symptoms:
A key being overwritten is not removed from the FIPS card, so it becomes an abandoned key in the FIPS card, which cannot be used and properly tracked by the BIG-IP system.
An abandoned key appears similar to the following:
[root@big8:Active:Standalone] config # tmsh show sys crypto fips
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (1)
ID MOD.LEN(bits)
d3d8ecc5a489c64b8dfd731945d59950 2048 <==== properly tracked and configured key in BIG-IP
/Common/fffff.key
e35e900af8b269d2f10b20c47e517fd1 2048 <==== no name, abandoned
Conditions:
The issue is seen when all the following conditions are met:
1. High availability (HA) setup formed by multiple BIG-IP systems with FIPS cards.
2. An Administrator of one of the BIG-IP systems deletes its FIPS key, and creates another FIPS key using the same name.
3. A high availability (HA) sync occurs from another BIG-IP system (with the older config) back to the first BIG-IP system (i.e., the operation overwrites the newly created FIPS key with the old FIPS key).
Impact:
It leads to orphan keys on the FIPS card, meaning that the keys are not present in the BIG-IP configuration as a configured key, so the key cannot be used by the BIG-IP system.
Workaround:
Manually delete the abandoned key from the FIPS card using the following command.
tmsh delete sys crypto fips key <key-id>
For example, for the abandoned key specified earlier, use the following command:
tmsh delete sys crypto fips key "e35e900af8b269d2f10b20c47e517fd1"
Fix:
Now, the overwritten key is successfully removed, so there is no longer an abandoned key present on the FIPS card.
Fixed Versions:
14.1.2.5
771961-1 : While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core
Links to More Info: BT771961
Component: Access Policy Manager
Symptoms:
If the SSL Orchestrator configuration is deleted while the device is active and passing traffic, tmm can core.
Conditions:
SSL Orchestrator device is active and passing traffic while being deleted.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm core related to deleting SSL Orchestrator.
Fixed Versions:
14.1.3.1, 15.1.1
771905-2 : JWT token rejected due to unknown JOSE header parameters
Links to More Info: BT771905
Component: Access Policy Manager
Symptoms:
JWT token rejected and OAuth Scope Agent fails.
Conditions:
When JWT access token contains unregistered JSON Object Signing and Encryption (JOSE) header parameters (e.g., nonce).
Impact:
Unregistered JOSE header parameters cause the JWT access token to be rejected. OAuth Scope Agent fails.
Workaround:
None.
Fix:
If an unregistered parameter in the JOSE header is present in the JWT token, the system ignores the parameter instead of rejecting the token.
Fixed Versions:
14.1.2.5
771705-1 : You may not be able to log into BIG-IP Cloud Edition if FSCK fails
Links to More Info: BT771705
Component: TMOS
Symptoms:
During BIG-IP Cloud Edition bootup, if FSCK fails and requires manual intervention to recover, you may not be able to proceed. This occurs because login requires the password for root, which is not typically set.
Conditions:
-- BIG-IP Cloud Edition.
-- FSCK failure on bootup requires manual intervention to recover.
Impact:
Cannot log in to BIG-IP Cloud Edition.
Important: There is no way to recover if the FSCK failure has already occurred. You must begin the BIG-IP Cloud Edition configuration again. You should implement the Workaround to prevent the issue from occurring.
Workaround:
To prevent the issue from occurring, run the following command for every filesystem:
tune2fs -i 0 <file system>
Following is a list of file systems (replace '1' with the relevant slot number if the active slot is not 1):
/dev/vg-db-vda/set.1.root
/dev/mapper/vg--db--vda-set.1._var
/dev/mapper/vg--db--vda-set.1._usr
/dev/mapper/vg--db--vda-set.1._config
/dev/mapper/vg--db--vda-dat.share
/dev/mapper/vg--db--vda-dat.log
/dev/mapper/vg--db--vda-dat.appdata
Fix:
FSCK is disabled in BIG-IP Virtual Edition (VE) for both cloud and hypervisor configurations, so this issue no longer occurs.
Note: Disabling FSCK in virtual machines is considered standard operating procedure. In BIG-IP VE, FSCK is disabled upon the image creation and during live install of the full ISO. It is disabled for all file systems on all slots (boot locations). Although it is not recommended, you can manually reenable FSCK in Linux, in particular, using tune2fs to set the FSCK schedule, and updating /etc/fstab to allow it.
Behavior Change:
FSCK is now disabled in BIG-IP Virtual Edition (VE) for both cloud and hypervisor, preventing failure during bootup. FSCK disablement also persists during a downgrade. F5 Networks does not recommend reenabling FSCK. However, you can reenable it in Linux by updating /etc/fstab, so you can use tune2fs to set the FSCK schedule.
Fixed Versions:
14.1.2
771173-3 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★
Links to More Info: BT771173
Component: Advanced Firewall Manager
Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.
Conditions:
This happens when upgrading from 12.x to 13.x and beyond.
Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.
FastL4 profiles with default values for "hardware-syn-cookie" (enabled) and "software-syn-cookie" (disabled) prior to upgrading will have "syn-cookie-enable" set to "disabled" on first boot after upgrading.
Workaround:
You can fix the configuration by modifying it manually after upgrading.
In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>
Fix:
N/A
Fixed Versions:
13.1.3, 14.1.2.5, 15.0.1.3
771025-3 : AVR send domain names as an aggregate
Links to More Info: BT771025
Component: Application Visibility and Reporting
Symptoms:
AVR sends domain name as an aggregate of a number of domain names.
Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain name, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it starts to aggregate all the new domain names.
Impact:
Cannot see the correct domain name.
Workaround:
None.
Fix:
AVR now removes old domain names, so it can add new ones and send the actual domain names it collected.
Fixed Versions:
13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.3
770989 : Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.★
Links to More Info: BT770989
Component: TMOS
Symptoms:
F5optics installation can fail with RPM database corruption on B4450 blades and iSeries platforms when installing 14.1.x.
Conditions:
-- Using B4450 blades or iSeries platforms.
-- Clean install (i.e., a completely new installation) of 14.1.0 from either an external drive or PXE without taking over license:
image2disk --format=volumes --nosaveconfig --nosavelicense BIGIP-14.1.0-0.0.116.iso
Impact:
-- After 14.1.0 boots up, when you check /shared/lib/rpm RPM database (by running the command: /opt/bin/rpm --dbpath /shared/lib/rpm -qa), you see errors if the RPM database has already been corrupted.
+ rpmdb: /shared/lib/rpm/Name: unexpected file type or format.
+ error: cannot open Name index using db3 - Invalid argument (22).
-- No default f5optics package is reported when running the command: tmsh show net f5optics. No f5optics packages are present in the /shared/f5optics/images/ directory (even the /shared/f5optics/images/ directory is not created).
Due to corruption of '/shared/lib/rpm' RPM database, additional component 'f5optics' installation can fail with RPM error. Other components such as geoip or epsec might also be affected due to corrupted '/shared/lib/rpm' RPM database.
Other symptoms may be that the Link Controller linkcost library (Non-US patch) may be unable to install, showing the error message:
DB_VERSION_MISMATCH: Database environment version mismatch.
Workaround:
Remove the RPM database and manually install the f5_optics RPM package.
Steps
=====
1. Remove corrupted RPM database:
# rm -rf /shared/lib/rpm/
2. Initialize rpm database and update:
# /opt/bin/rpm --root /shared --dbpath /lib/rpm --initdb
# /opt/bin/rpm --dbpath /shared/lib/rpm -qa
3. For iSeries platform:
# /usr/bin/f5optics_install
For VIPRION platform:
# tmsh install net f5optics slot all
Fixed Versions:
13.1.3.5, 14.1.3.1
770953 : 'smbclient' executable does not work
Links to More Info: BT770953
Component: TMOS
Symptoms:
Service Message Block (SMB) monitor is not functional.
Conditions:
This occurs under all conditions.
Impact:
SMB monitors fail. This occurs because the 'smbclient' executable is not functional.
Workaround:
None.
Fix:
'smbclient' executable is runnable and SMB monitoring is working.
Fixed Versions:
14.1.2.1
770797-1 : HTTP2 streams may get stuck in rare situations
Links to More Info: BT770797
Component: Local Traffic Manager
Symptoms:
If HTTP2 is used in a 'gateway' configuration on a virtual server, without the use of an MRF http_router profile, HTTP connections are used to connect to the back-end servers.
The HTTP connections are pooled, and may be reused between streams. In rare situations, an HTTP connection is reused whilst it is in the process of shutting down. This may cause the corresponding HTTP2 stream to get into an unexpected state, and get 'stuck'.
The stuck streams persist until the client closes the HTTP2 connection. If a client keeps opening new streams on the affected connection, it may eventually run out of the total allowed streams limited by the HTTP2 profile. The client may then deadlock, waiting for streams to close.
Conditions:
An HTTP2 profile is used on a virtual server without an MRF http_router profile.
Impact:
The impact depends on client behavior. Some clients will open new connections for stuck streams, so the impact will be minimal. Others will show loss of performance or hang waiting for resources that will never be delivered.
Workaround:
None.
Fix:
HTTP2 streams no longer get stuck in rare situations.
Fixed Versions:
14.1.2.3
770557-3 : Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one
Links to More Info: BT770557
Component: Access Policy Manager
Symptoms:
The per-Session RADIUS Acct STOP message is forged based on the pool route domain, but is sent through the default one.
Conditions:
1. Deploy the BIG-IP system with two route domains
2. Under each route domain, you have a path to the RADIUS server.
3. Create Access Policy with a Logon Page, RADIUS Acct agent fallback-to-Deny ending.
4. Attach it to the virtual server.
5. Run tcpdump -i any port 1813 -ne on the BIG-IP system.
6. Navigate to the virtual server.
7. Wait 20 seconds till STOP packets arrive.
Impact:
The BIG-IP system sends the STOP packets according to the default routing table instead of the configured route domain RADIUS server.
Workaround:
None.
Fix:
The BIG-IP system now sends the STOP packets according to the configured route domain RADIUS server.
Fixed Versions:
14.0.0.5, 14.1.0.6
770477-2 : SSL aborted when client_hello includes both renegotiation info extension and SCSV
Links to More Info: BT770477
Component: Local Traffic Manager
Symptoms:
Client SSL reports an error and terminates handshake.
Conditions:
The initial client_hello message includes both signaling mechanisms for secure renegotiation: an empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
Impact:
Unable to connect with SSL.
Workaround:
None.
Fix:
Both signaling mechanisms are now allowed in client_hello.
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.5
769997-1 : ASM removes double quotation characters on cookies
Links to More Info: BT769997
Component: Application Security Manager
Symptoms:
ASM removes the double quotation characters on the cookie.
Conditions:
Cookie sent that contains double quotation marks.
Impact:
The server returns an error because the cookie is changed by ASM.
Workaround:
Set asm.strip_asm_cookies to false using the following command:
tmsh modify sys db asm.strip_asm_cookies value false
Fix:
ASM no longer removes the double quotation characters on the cookie.
Fixed Versions:
14.1.2.1, 15.0.1.1
769981-2 : bd crashes in a specific scenario
Links to More Info: BT769981
Component: Application Security Manager
Symptoms:
bd crash with a core file.
Conditions:
-- XML profile with schema validation is attached to a security policy.
-- The bd.log shows out-of-memory messages relating to XML.
Impact:
Failover; traffic disruption.
Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803
Fixed Versions:
13.1.3, 14.1.2.1, 15.0.1.1
769853-2 : Access Profile option to restrict connections from a single client IP is not honored for native RDP resources
Links to More Info: K24241590, BT769853
Component: Access Policy Manager
Symptoms:
When launching a native RDP resource (desktop/application) from APM Webtop, APM provides an RDP file to the browser and the browser invokes the native RDP client to launch the resource with the parameters specified in the RDP file.
When the Access Profile option 'Restrict to Single Client IP' is enabled, the user should only be allowed to launch the resource from the client that initiated the request.
Conditions:
-- APM Webtop is configured with native RDP resource.
-- 'Restrict to Single Client IP' option is enabled in Access Profile.
Impact:
RDP file provided by APM can be used for launching the RDP resource on a client machine that did not initiate the APM session.
Workaround:
None.
Fix:
When Access Profile option 'Restrict to Single Client IP' is enabled, APM restricts native RDP resource launch from the client that initiated the APM session.
Fixed Versions:
14.0.1.1, 14.1.2.1, 15.0.1.1
769817-3 : BFD fails to propagate sessions state change during blade restart
Links to More Info: BT769817
Component: TMOS
Symptoms:
BFD fails to propagate sessions state change during blade restart.
Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.
Impact:
The BFD session remains in the BFD sessions table until the BGP session is timed out by the hold timer (90 seconds, by default). Dynamic routes, which are learnt via the affected BGP session, remain in the routing table until the hold time is reached.
Workaround:
Change the BGP hold time to a reasonably lower value.
Fix:
The affected BFD session is removed from the BFD table after blade reset during the period configured for this BFD session.
Fixed Versions:
11.6.5.1, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4
769809-4 : The vCMP guests 'INOPERATIVE' after upgrade
Links to More Info: BT769809
Component: TMOS
Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests reports INOPERATIVE.
Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.
Impact:
The vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.
Workaround:
Important: If you upgrade vCMP hosts from an affected version to a version unaffected by this issue (ID 769809), ensure that the upgrade version contains the fix for Bug ID 810593: Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade :: https://cdn.f5.com/product/bugtracker/ID810593.html.
Upon encountering this issue, it may be best to roll back to the previously used, unaffected version on the vCMP host, and then install a version unaffected by this issue (i.e., versions later than 12.1.4.1 or later than 13.1.1.5).
Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade.
Fixed Versions:
12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6
769801-1 : Internal tmm UDP filter does not set checksum
Links to More Info: BT769801
Component: Local Traffic Manager
Symptoms:
An internal tmm UDP filter does not set checksum for outgoing UDP packets.
Conditions:
-- An internal tmm UDP filter is in use.
Impact:
Even though a UDP packet with no checksum is permitted, it could cause some problems with some firewalls/servers.
Workaround:
For internal tmm udp filters, add the following to the UDP profile in use:
no_cksum 0
Fix:
Internal tmm UDP filters set checksum for outgoing UDP packets.
Fixed Versions:
14.1.2.1, 15.0.1.1, 15.0.1.3
769581-1 : Timeout when sending many large iControl Rest requests
Links to More Info: BT769581
Component: TMOS
Symptoms:
After sending hundreds of REST requests, REST requests eventually begin to time out. This is the case for applications such as AS3, with requests containing 700 services.
Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the BIG-IP system.
2. Deploy config with AS3:
curl -X POST \
https://<$IP_address>/mgmt/shared/appsvcs/declare \
-H 'Content-Type: application/json' \
-d //This should be the data from an AS3 body
3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
https://<$IP_address>/mgmt/shared/appsvcs/task \
-H 'Content-Type: application/json'
4. Delete configuration:
curl -X DELETE \
https://<$IP_address>/mgmt/shared/appsvcs/declare
It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:
-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'
Impact:
Saving new configuration data does not work. Any new transaction tasks fail.
Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.
Fix:
The system now properly handles creation of the new iControl Rest transaction process when the existing process was killed by a timeout operation.
Fixed Versions:
13.1.3.5, 14.0.0.5, 14.1.2.7
769385-1 : GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message
Links to More Info: BT769385
Component: Global Traffic Manager (DNS)
Symptoms:
GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message:
err mcpd[7649]: error: crypto codec New token is smaller with added values.
Conditions:
Two or more GTM devices with internal FIPS modules are configured with DNSSEC keys with 'use-fips internal' set, and GTM config sync between the devices is configured and enabled.
Impact:
DNSSEC keys are not imported into the FIPS cards of devices that receive the key via a synchronization from another device.
Workaround:
None.
Fixed Versions:
14.0.0.5, 14.1.2.7
769357-1 : IPsec debug logging needs more organization and is missing HA-related logging
Component: TMOS
Symptoms:
After a failover between active and standby systems, the internal mechanisms that support high availability (HA) cannot be examined and diagnosed using logs generated with log-level set to debug or better.
Conditions:
-- log-level set to debug or better.
-- Failover between active and standby systems.
-- Viewing logs.
Impact:
Any problems involving HA cannot be diagnosed from logs after failover. What logging does appear tends to be verbose, unclear, and often difficult to correlate with specific security associations.
Workaround:
None.
Fix:
IPsec logging has been partially restructured, with some logging under control of bitflags that can be enabled or disabled via commands added to the description string of any ipsec-policy instance.
Logging for HA now appears when log-level is debug, provided lowercase bitflags for 'h' and 'a' are also enabled. For example, this would do so:
tmsh create net ipsec ipsec-policy dummy description " env { cmd='flag +ha' }"
Fixed Versions:
14.1.2.8
769309-2 : DB monitor reconnects to server on every probe when count = 0
Links to More Info: BT769309
Component: Local Traffic Manager
Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.
Conditions:
This occurs when one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).
Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.
Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.
Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1
769281-1 : Per-request Access Policy may show user interface pages incorrectly in languages other than English
Links to More Info: BT769281
Component: Access Policy Manager
Symptoms:
If per-request Access Policy contains a user interface page (logon page, message box, etc.), this page may not be shown correctly in the browser if English is not the preferred language.
Conditions:
-- Browser with preferred language other than English.
-- Per-request Access Policy with support of this language.
-- Access Policy Agent with user interface included in the policy (logon page, message box, decision box, various forms of Rejected Ending Agent).
Impact:
The browser shows incorrect items on the response page presented to the APM end user (e.g., the page displays incorrect language strings).
Workaround:
None.
Fix:
Now, user interface pages in non-English languages are shown correctly by per-request Access Policy Agents.
Fixed Versions:
14.0.0.5, 14.1.0.6
769193-5 : Added support for faster congestion window increase in slow-start for stretch ACKs
Links to More Info: BT769193
Component: Local Traffic Manager
Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.
Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledge more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.
Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.
Workaround:
There is no workaround at this time.
Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.
Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
Fixed Versions:
12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3
769169-3 : BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
Links to More Info: BT769169
Component: TMOS
Symptoms:
BIG-IQ sends a lot of requests to the BIG-IP system to collect stats, which makes the BIG-IP system slow, and eventually the GUI becomes unresponsive.
Conditions:
-- BIG-IQ monitoring a large BIG-IP configuration.
-- With a very large number of requests, and with resource-expensive requests.
Impact:
ICRD requests wait longer in the ICRD queue, which can make the BIG-IP system become unresponsive. Policy Creation, Device Overview, and stats pages take more time to respond, and eventually, the GUI becomes unresponsive on these three pages.
Many process terminated/re-created messages appear in the restjavad logs.
Workaround:
Remove the BIG-IP device from the BIG-IQ and restart mcpd.
Fix:
The system now handles the queue so that there is time for BIG-IP system to recover and become responsive.
Fixed Versions:
13.1.3.6, 14.0.0.5, 14.1.2.5
769061-2 : Improved details for learning suggestions to enable violation/sub-violation
Links to More Info: BT769061
Component: Application Security Manager
Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.
Conditions:
There are learning suggestions to enable violations/sub-violation in the policy
Impact:
Misleading suggestion details.
Workaround:
None.
Fix:
The misleading word 'Matched' was removed from the title.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.1
768761-2 : Improved accept action description for suggestions to disable signature/enable metacharacter in policy
Links to More Info: BT768761
Component: Application Security Manager
Symptoms:
It is difficult to understand the description for suggestions to disable signature or enable metacharacter on parameter/URL alternative action (accept for all entities).
Conditions:
There are suggestions to disable signature or enable metacharacter on parameter/URL.
Impact:
Action description can be difficult to understand.
Workaround:
None.
Fix:
'Accept for Any Entity' action has been renamed to 'Accept Globally'. The 'Charset' type is now mentioned in the action description for better understanding of the applied action.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
768085-3 : Error in python script /usr/libexec/iAppsLX_save_pre line 79
Links to More Info: BT768085
Component: iApp Technology
Symptoms:
While creating a UCS file, you see a confusing error message, and the UCS file is not created:
Failed task: %s: %s"%(taskUri, taskResult['message']))"
Conditions:
This can be encountered while trying to create a UCS file.
Impact:
Certain failure messages are not interpreted correctly by the script, resulting in the actual error message not being displayed.
Workaround:
None.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
768025-4 : SAML requests/responses fail with "failed to find certificate"
Links to More Info: BT768025
Component: Access Policy Manager
Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.
Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.
Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.
-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.
-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.
Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, change it back to the original certificate, and then apply the policy.
-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.
Fix:
BIG-IP as SP and BIG-IP as IdP work as expected while generating signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.
Fixed Versions:
13.1.3.2, 14.1.2.5, 15.0.1.3
767941-1 : Gracefully handle policy builder errors
Links to More Info: BT767941
Component: Application Security Manager
Symptoms:
Policy Builder (pabnagd) restarts when it encounters an error, and logs errors to /var/log/asm:
crit perl[24868]: 01310027:2: ASM subsystem error (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: pabnagd, Failure: Insufficient number of threads (required: 2, found: 0).
Conditions:
This occurs when policy builder encounters an error.
Impact:
Temporary loss of connectivity with ASM and Policy Builder.
Workaround:
None.
Fix:
The system now handles Policy Builder errors gracefully and reduces Policy Builder down time upon connectivity loss with ASM.
Fixed Versions:
13.1.3.6, 14.1.4
767877-3 : TMM core with Bandwidth Control on flows egressing on a VLAN group
Links to More Info: BT767877
Component: TMOS
Symptoms:
TMM cores during operation.
Conditions:
Known condition:
1. BWC attached to serverside connflow
2. Serverside traffic traversing/egressing VLAN group
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
14.1.2.1, 15.0.1.1
767737-2 : Timing issues during startup may make an HA peer stay in the inoperative state
Links to More Info: BT767737
Component: TMOS
Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.
Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.
Impact:
An HA peer does not become ACTIVE when it should.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2.1
767689-1 : F5optics_install using different versions of RPM★
Links to More Info: BT767689
Component: TMOS
Symptoms:
Symptoms have been observed only in one case: a bare metal install to BIG-IP 14.1.0. In this case, a message indicates that the RPM database under /shared is corrupted.
Conditions:
Bare metal installation via PXE boot or USB install.
Impact:
The /shared/lib/rpm database must be recreated and f5optics manually installed.
Workaround:
1. Back up the current Packages file:
cp /shared/lib/rpm/Packages /shared/tmp/
2. Remove all the files from the database directory:
rm -f /shared/lib/rpm/*
3. Initiate the database by using the old version RPM:
/opt/bin/rpm --dbpath /shared/lib/rpm --initdb
4. Restore the Packages file (Press 'y' when prompted by 'cp: overwrite'):
cp /shared/tmp/Packages /shared/lib/rpm/Packages
Now you should be able to install the package.
Fix:
With these changes, the corruption of the /shared/lib/rpm database is no longer observed.
Fixed Versions:
14.1.2.5
767613-2 : Restjavad can keep partially downloaded files open indefinitely
Links to More Info: BT767613
Component: Device Management
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client does not complete the download. Since these files remain open, the total number of available file handles for the process decreases, and the disk space for the files cannot be recovered. Symptoms may include errors like 'Too many open files', low disk space even after deleting the associated files, and items listed with '(deleted)' in lsof output.
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Various errors ('Too many open files.'), low disk space, items listed with '(deleted)' when listed using lsof.
Workaround:
To free the file handles, restart restjavad:
tmsh restart sys service restjavad
Files that were deleted now have their space reclaimed.
Fix:
The restjavad process now internally clears the file handles of such partially downloaded files if they remain untouched for two hours.
Fixed Versions:
13.1.3.5, 14.1.3.1
767341-3 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
Links to More Info: BT767341
Component: Local Traffic Manager
Symptoms:
TMM repeatedly crashes with SIGBUS, with a memory copy operation at the top of the stack trace.
Conditions:
TMM loads a filestore file whose size is smaller than the size reported by mcp, or the ifile store is not present at all.
This condition is possible due to:
- filesystem errors/corruption or
- BIG-IP user intervention.
Filesystem error might be due to power loss, full disk or other reasons.
Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.
Workaround:
Manually copy the "good" ifile store and forceload on the previously bad unit. This is usually trivial, but error prone.
Another workaround is a clean install, if possible/acceptable.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
767269-2 : Linux kernel vulnerability: CVE-2018-16884
Component: TMOS
Symptoms:
Linux kernel NFS41+ subsystem use-after-free vulnerability when a node has NFSv41+ mounts inside several net namespaces.
Conditions:
NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic.
Impact:
BIG-IP is not exposed to this vulnerability. The use-after-free causes a system panic and subsequent system reset.
Workaround:
None.
Fix:
Updated kernel to include patches for CVE-2018-16884.
Fixed Versions:
14.1.2.8, 15.1.0.5
767077-1 : Loading truncated Live Update file (ASU) completes incorrectly or fails with odd error
Links to More Info: BT767077
Component: Application Security Manager
Symptoms:
Loading Live Update file (ASM Signature Update (ASU)) which has been truncated may complete incorrectly or fail with an unusual error when using REST:
Failed loading /ts/var/tmp/sigfile.tmp.18625/botsigs/200099916/13.1.0.xml (a HASH reference"
Conditions:
Loading an ASU that has been truncated.
Impact:
ASU loading may complete incorrectly or fail with an unexpected error.
Workaround:
Download the appropriate Live Update file from downloads.f5.com and manually load it on the device.
For more information, see K82512024: Managing BIG-IP ASM Live Updates (14.1.x) available at https://support.f5.com/csp/article/K82512024.
Fixed Versions:
14.1.4.1
767057-2 : In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server
Links to More Info: BT767057
Component: Application Security Manager
Symptoms:
An ASM policy is suddenly detached from a virtual server and deactivated.
Conditions:
-- sync-only device group.
-- ASM sync enabled.
-- A policy is used on device ASM-A (attached to virtual server/device group).
-- The same policy is not used on device ASM-B (not attached to virtual server/device group).
Impact:
Inactive policy is synced to the peer, resulting in ASM being unassigned from the Virtual Server.
Workaround:
To prevent Policy Sweeper from deactivating any ASM policy, create a non-functioning device group and attach the unused ASM policies to that device group.
Fixed Versions:
14.1.4.4
767045-2 : TMM cores while applying policy
Links to More Info: BT767045
Component: Anomaly Detection Services
Symptoms:
TMM core and possible cores of other daemons.
Conditions:
The exact conditions are unknown.
Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
13.1.3.2, 14.1.2.3
767013-3 : Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
Links to More Info: BT767013
Component: TMOS
Symptoms:
In a rare scenario, the HSB sends a large number of continuous pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.
Conditions:
This happens when there is heavy traffic load on VIPRION B2150, B2250, and B4450 blades. This has also been seen on F5 Appliances, such as iSeries platforms. The root cause is still under investigation. It happens extremely rarely.
Impact:
Reboot the BIG-IP system.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when it detects that the HSB is in this state.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.4.4
766921-1 : Localdbmgr process crashes and generates a core
Links to More Info: BT766921
Component: Access Policy Manager
Symptoms:
Rarely, the localdbmgr process crashes when starting up.
Also the ldbutil utility can crash when launched.
Conditions:
-- APM is configured on the BIG-IP device.
Impact:
Ldbutil operation fails.
Workaround:
None.
Fix:
Localdbmgr process no longer crashes and generates a core.
Fixed Versions:
14.1.4.4
766873 : Omission of lower-layer types from sFlow packet samples
Links to More Info: BT766873
Component: TMOS
Symptoms:
The packet samples transmitted from BIG-IP to an sFlow receiver may contain only 'http' samples, with no 'vlan' or 'interface' FLOW samples appearing. sFlow will continue to transmit CNTR (counter) telemetry packets.
Conditions:
When the BIG-IP system is configured with one or more sFlow receivers, with non-zero sampling-rate configured for 'vlan' or 'interface' types.
Impact:
External network-monitoring or management systems, which may depend on sFlow packet samples from BIG-IP systems and from other equipment, are unable to properly characterize the flow of data throughout the network.
Workaround:
None.
Fix:
This issue no longer occurs.
Fixed Versions:
14.1.2.1
766761-2 : Ant-server does not log requests that are excluded from scanning
Links to More Info: BT766761
Component: Access Policy Manager
Symptoms:
Based on Request/Response Analytics agent 'Exclude Types' settings, the requests that are excluded from scanning should log a message that states, 'Response content is in excluded content list'.
Conditions:
Response or Request Analytics agent in the Per-Request Policy.
Impact:
These particular logs are not available.
Workaround:
None.
Fix:
Appropriate messages now get logged.
Fixed Versions:
14.1.0.6
766577-2 : APMD fails to send response to client and it already closed connection.
Links to More Info: BT766577
Component: Access Policy Manager
Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer
APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.
Conditions:
Backend server is slow, causing longer-than-usual response times.
Impact:
This causes the client to close the connection. APMD fails to respond to the client.
The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.
Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.
Fixed Versions:
12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1
766509-1 : Strict internal checking might cause tmm crash
Links to More Info: BT766509
Component: Local Traffic Manager
Symptoms:
Overly strict internal validation can cause TMM to raise an OOPS when it does not need to.
Conditions:
Device instability.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Set 'tmm.oops' to a value other than 'panic':
tmsh modify sys db tmm.oops value silent
tmsh modify sys db tmm.oops value log
Fix:
Loosened internal validation so OOPS does not occur.
Fixed Versions:
14.1.3.1
766405-2 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device
Links to More Info: BT766405
Component: Service Provider
Symptoms:
The next active device may crash with a core when attempting to create media flows.
Conditions:
The names for the LSN pool and router profile are longer than expected.
Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts. If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.
Workaround:
None.
Fix:
Device no longer cores.
Fixed Versions:
13.1.3.4, 14.1.0.6
766365-1 : Some trunks created on VE platform stay down even when the trunk's interfaces are up
Links to More Info: BT766365
Component: TMOS
Symptoms:
Trunk configured on BIG-IP Virtual Edition (VE) does not pass traffic because it is in 'down' state.
Conditions:
Trunk is created on VADC for NICs that use XNet drivers.
Note: In this release, XNet drivers are used by Mellanox and AWS ENA NICs on the VE platform only
Impact:
Trunk marked 'down'; traffic does not pass through the trunk.
Workaround:
None.
Fix:
Drivers that suffered from this problem now set speed correctly for the interface.
Fixed Versions:
14.1.0.6
766357-1 : Two simultaneously manual installations can cause live-update inconsistency
Links to More Info: BT766357
Component: Application Security Manager
Symptoms:
When running two manual installations of the same update type simultaneously from different browser instances, live-update may encounter inconsistencies, and one of the installations gets stuck in the 'installing' state.
Conditions:
-- Two different installations of the same update type exist.
-- Both manual installations occur at the same time from different browser instances.
Impact:
-- One of the installations stays in the 'installing' state.
-- Cannot install other installations (.im files).
Workaround:
Run the following command:
bigstart restart tomcat
Live-update changes the status of the installation from 'installing' to 'error' and allows subsequent installation operations.
Fix:
Live-update now queues all manual installations, so they start one after another. After all installations end, only one installation has the 'installed' status.
Fixed Versions:
14.1.0.6
766329-2 : SCTP connections do not reflect some SCTP profile settings
Links to More Info: BT766329
Component: TMOS
Symptoms:
The effective receive-chunks, transmit-chunks, in-streams, and out-streams parameters in SCTP traffic do not match the settings from the configured SCTP profile:
-- The in-streams setting alters both the in-streams parameter and the tx-chunks parameter.
-- The out-streams setting alters both the out-streams parameter and the rx-chunks parameter.
-- The tx-chunks setting has no effect.
-- The rx-chunks setting has no effect.
Conditions:
An SCTP virtual server is configured.
Impact:
Unexpected SCTP parameters are negotiated on SCTP connections.
Workaround:
None.
Fix:
The SCTP profile settings are now used during SCTP connection negotiation.
Fixed Versions:
14.1.0.6, 15.0.1.3
766293-1 : Monitor logging fails on v14.1.0.x releases
Links to More Info: BT766293
Component: Local Traffic Manager
Symptoms:
With a fresh install of v14.1.0.x, when you attempt to enable monitor logging for a node or pool member, an error message appears in /var/log/ltm, and the log file is not created.
This behavior is due to SELinux changes. /var/log/auditd/audit.log shows the SELinux violation logs.
System reports messages similar to the following in /var/log/ltm:
-- info bigd[12457]: Couldn't open logging file /var/log/monitors/Common_Splunk_HTTP_monitor-Common_node1-8088.log for monitor /Common/Splunk_HTTP_monitor on node /Common/node1.
Conditions:
-- Clean installation of v14.1.0.x software.
-- Enable monitor logging for a node or pool member.
Impact:
Monitor logging fails. Error messages logged.
Workaround:
None.
Fix:
Updated bigd SELinux rules to allow the monitor log file creations.
Fixed Versions:
14.1.0.6
766169-2 : Replacing all VLAN interfaces resets VLAN MTU to a default value
Links to More Info: BT766169
Component: Local Traffic Manager
Symptoms:
When the last physical interface is removed from a VLAN, the VLAN's MTU is reset to the default value of 1500. However, replacing all interfaces belonging to a VLAN with new ones (e.g., with the command 'tmsh modify net vlan [name] interfaces replace-all-with {...}') does not look like removing all interfaces, but it is actually done by removing all interfaces and then immediately adding the new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for the newly added interfaces. Because this is done automatically inside TMM, it is not reflected in the configuration. TMSH and the Configuration Utility continue to report the original value.
Conditions:
Issue is visible only when removing or replacing all interfaces in a VLAN which has MTU value different than default 1500. Added interfaces must also have MTU values larger than 1500.
Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.
Workaround:
There are two workarounds:
-- Reset desired MTU value after each operation of replacing all interfaces in a VLAN.
-- Avoid replace-all-with operation by adding new interfaces before removing unneeded ones.
Fix:
VLAN MTU value is left unchanged after the last interface is removed. It is recalculated upon adding a new interface anyway, so there is no risk it will be too large.
Fixed Versions:
12.1.5.2, 13.1.3.5, 14.1.2.8
766017-1 : [APM][LocalDB] Local user database instance name length check inconsistencies★
Links to More Info: BT766017
Component: Access Policy Manager
Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.
The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.
Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.
Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.
Workaround:
Delete instance from tmsh and re-create it with a shorter name.
Fix:
Tmsh now enforces the length limit for localdb instance names.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.4.2, 15.1.2, 16.0.1.1
765801 : WCCP service info field corrupted in upgrade to 14.1.0 final★
Links to More Info: BT765801
Component: TMOS
Symptoms:
WCCP 'Here I am' packets from BIG-IP to routers have corrupted service info. No 'I see you' response received from routers due to mismatched service flags information.
Conditions:
No specific condition other than WCCP configuration on BIG-IP 14.1.0.x version.
Impact:
Unable to deploy WCCP on BIG-IP in version 14.1.0.x.
Workaround:
None.
Fix:
Corrected WCCP service flags during initialization.
Fixed Versions:
14.1.0.6
765785-3 : Monpd core upon "bigstart stop monpd" while Real Time reporting is running
Links to More Info: BT765785
Component: Application Visibility and Reporting
Symptoms:
Monpd cores upon "bigstart stop monpd" while Real Time reporting is running
Conditions:
Real Time UI view is active.
Impact:
None.
Workaround:
None.
Fix:
Fixed a monpd core.
Fixed Versions:
14.1.2.1
765533-2 : Sensitive information logged when DEBUG logging enabled
Links to More Info: K58243048, BT765533
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
Fixed Versions:
11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.1
765517-1 : Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN
Links to More Info: BT765517
Component: Local Traffic Manager
Symptoms:
When two virtual servers are created and they have same address list but different incoming VLANs, Traffic Match Criteria validation fails.
Conditions:
Create 2 virtual servers and they have same address list but different incoming VLANs.
Impact:
System validation fails.
Workaround:
Use non-overlapping address lists.
Fixed Versions:
14.1.2.3, 15.0.1.4
765449-1 : Update availability status may be inaccurate
Component: Application Security Manager
Symptoms:
Under certain conditions, the UI may indicate that attack signature updates are available.
Conditions:
ASM provisioned.
Impact:
Attack signature updates are listed as available when the latest signatures are already installed.
Workaround:
An accurate status for availability of updates is available in System::Software Management::Live Update.
Fix:
The UI now displays an accurate availability status for attack signatures.
Fixed Versions:
14.1.0.6
765413-1 : ASM cluster syncs caused by PB ignored suggestions updates
Links to More Info: BT765413
Component: Application Security Manager
Symptoms:
Frequent syncs occurring within an ASM device group.
Conditions:
Several (updating) suggestions are marked 'ignored'.
Impact:
Syncs appear in the logs (no actual performance degradation).
Workaround:
-- Remove the Ignored Suggestions. (Note: These might be re-added and you must refrain from clicking the Ignore button).
-- Remove the Ignored Suggestions and uncheck the Learn flag for the violation that causes it. (Note: The impact is that the system does not learn this violation anymore, so any future suggestions to amend the policy for that violation will not be created.)
Fix:
Policy Builder (PB) no longer updates Ignored Suggestions, so unnecessary sync operations no longer occur.
Fixed Versions:
14.0.0.5, 14.1.0.6, 15.0.1.1
765033 : Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions★
Links to More Info: BT765033
Component: TMOS
Symptoms:
Some versions of BIG-IP software have removed the ability to access bash from users that have resource-admin roles. Upgrades to one of these versions may fail to load the configuration on the upgraded volume with a message in /var/log/ltm similar to:
err mcpd[14994]: 01070825:3: Access denied - Administrators only: Custom shells only available to administrators, not testuser.
Conditions:
-- Users with the resource-admin role also have bash access.
-- Upgrading to an affected version from certain versions.
Impact:
The upgraded volume's configuration does not load.
Workaround:
You can use either of the following workarounds:
-- Ensure that all users with the resource-admin role do not have bash access prior to upgrading.
-- Hand-edit the bigip_user.conf to remove bash from any users with the resource-admin role and reload the configuration using the following command:
tmsh load sys config
Fix:
Upgrades no longer fail under these conditions.
Fixed Versions:
11.6.5.1, 14.1.0.6
764873-2 : An accelerated flow may transmit packets to an unavailable pool member.
Links to More Info: BT764873
Component: TMOS
Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the unavailable pool member rather than the updated one.
Conditions:
-- Using virtual servers configured for ePVA hardware acceleration.
-- A flow changes the pool member it should go to, while the flow is accelerated.
Impact:
The flow's traffic continues to be targeted to a pool member that has become unavailable, resulting in a failure of service.
Workaround:
You can use either of the following workarounds:
-- Disable HW acceleration.
-- On BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flows to be handled correctly by software:
tmsh modify sys conn flow-accel-type software-only
Fixed Versions:
13.1.3.2, 14.1.4.2, 15.0.1.3
764665-2 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
Links to More Info: BT764665
Component: Application Visibility and Reporting
Symptoms:
When BIG-IP is registered on a BIG-IQ system, avrd sometimes crashes with a core.
Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.
Impact:
Avrd cores and restarts. Functionality is not impacted; stats data are sent to BIG-IQ.
Workaround:
None.
Fix:
Corrected issue in setting value for internal flag.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
764373-3 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths
Links to More Info: BT764373
Component: Application Security Manager
Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.
Conditions:
Server sends enforced cookies with the same name but with different paths.
Impact:
A valid request might be rejected.
Workaround:
None.
Fix:
The system now checks all enforced cookies correctly, so this issue no longer occurs.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
763349-3 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
Links to More Info: BT763349
Component: Application Visibility and Reporting
Symptoms:
avrd application on BIG-IP crashes; core is generated.
Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.
-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.
Impact:
avrd crashes, and a core is generated.
Workaround:
None.
Fix:
avrd now reconnects to BIG-IQ DCD in a different sequence so this issue no longer occurs.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
763157-2 : MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped
Links to More Info: BT763157
Component: Service Provider
Symptoms:
Processing the response to an outbound request at the same time as an inbound request message on the same connection could cause the generated internal state to be confused and the inbound request to be dropped.
Conditions:
Processing the response to an outbound request at the same time as an inbound request message on the same connection.
Impact:
The inbound request will be dropped.
Workaround:
None.
Fix:
The internal state generated is no longer confused so the inbound request is no longer dropped.
Fixed Versions:
14.0.1.1, 14.1.0.6, 15.0.1.4
763121-3 : Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
Links to More Info: BT763121
Component: Advanced Firewall Manager
Symptoms:
TMM crashes and produces a core file. The crash is a SIGFPE accompanied by the following panic string:
Assertion "packet must already have an ethernet header" failed.
Conditions:
This issue occurs when all of the following conditions are met:
- The system is provisioned for AFM.
- A TCP Half Open attack to the system is underway.
- A BIG-IP Administrator attempts to use the AFM Packet Tester tool, and simulates sending a TCP segment with the SYN flag set.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the AFM Packet Tester tool while a TCP Half Open attack is underway.
Fix:
TMM no longer crashes when utilizing the AFM Packet Tester tool.
Fixed Versions:
13.1.3, 14.1.2.8
763005-3 : Aggregated Domain Names in DNS statistics are shown as random domain name
Links to More Info: BT763005
Component: Application Visibility and Reporting
Symptoms:
When many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates the data, it shows aggregated names using a random name taken from the first lookup table record.
Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.
Impact:
There is one random domain name with a high counter value; other domains are shown with counter 1.
Workaround:
None.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
763001-1 : Web-socket enforcement might lead to a false negative
Links to More Info: K70312000, BT763001
Component: Application Security Manager
Symptoms:
A request that should be blocked will be passed to server.
Conditions:
-- Parse parameters flag in JSON profile is enabled.
-- Requests are sent in JSON websocket.
Impact:
Bad requests may be passed to the server.
Workaround:
Disable parse parameters flag in JSON profile.
Fix:
Web-socket enforcement now filters requests as expected.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
762385 : Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later★
Links to More Info: BT762385
Component: TMOS
Symptoms:
When multiple attributes in a list match multiple roles, the wrong role may be assigned. Alternatively, authentication may fail when check-roles-group is disabled.
Conditions:
LDAP server replies with a list of attributes (e.g., list of memberOf) where more than one matches an existing role.
Impact:
BIG-IP assigns the user to the last attribute in the list that matches a role, potentially yielding a more restrictive set of permissions.
Authentication may fail when check-roles-group is disabled.
Workaround:
None.
Fix:
The correct remote-role is now assigned using LDAP authentication.
Fixed Versions:
14.1.2.3
762205-2 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
Links to More Info: BT762205
Component: TMOS
Symptoms:
Rekey with non BIG-IP systems can fail when a response contains a VENDOR_ID payload.
Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
[I] [PROTO_ERR]: unexpected critical payload (type 43)
Note: This message may be correctly present under other conditions, with different type constants not equal to 43.
Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.
Workaround:
No workaround is known at this time.
Fix:
Handling of payload types during rekey will now ignore VENDOR_ID when it appears, the same way we ignore VENDOR_ID in other messages during IKE negotiation.
Fixed Versions:
13.1.3.4, 14.1.2.3, 15.0.1.4
762073-2 : Continuous TMM restarts when HSB drops off the PCI bus
Links to More Info: BT762073
Component: TMOS
Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.
Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.
Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.
Workaround:
Manually reboot the BIG-IP system.
Fix:
TMM no longer gets stuck in a restart loop, as a reboot is now automatic in this scenario.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4
761993-2 : The nsm process may crash if it detects a nexthop mismatch
Links to More Info: BT761993
Component: TMOS
Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.
Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.
Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.
Workaround:
None.
Fix:
Prevented nsm crashing when there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.1
761941-1 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server
Links to More Info: BT761941
Component: Application Security Manager
Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.
Impact:
Backend app gets CSRT parameter, which might impact its business logic.
Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.
Fix:
The system now removes the csrt query parameter before forwarding a request to the backend server.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
761933-1 : Reboot with 'tmsh reboot' does not log message in /var/log/audit
Links to More Info: BT761933
Component: TMOS
Symptoms:
The tmsh reboot command is missing from /var/log/audit.
Conditions:
-- Reboot a system using the command 'tmsh reboot'.
-- View the /var/log/audit log.
Impact:
The system does not log the tmsh reboot operation in the /var/log/audit log. A message similar to the following should be reported:
notice tmsh[19115]: 01420002:5: AUDIT - pid=19115 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=reboot.
Workaround:
None.
Fixed Versions:
14.1.2.1
761921-1 : avrd high CPU utilization due to perpetual connection attempts
Links to More Info: BT761921
Component: Application Security Manager
Symptoms:
avrd shows high CPU utilization. Repeated retries on auth token client failed connection attempts.
Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.
Impact:
avrd consumes a large amount of CPU.
Workaround:
Correct BIG-IQ availability and restart avrd.
Fix:
avrd now waits between connection retries, so this issue does not occur.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
761753-2 : BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs
Links to More Info: BT761753
Component: TMOS
Symptoms:
When UDP checksum is 0 (zero), a BIG-IP device with an x520 NIC causes the packets to be marked as 'checksum failed'.
Conditions:
-- Using BIG-IP Virtual Edition (VE).
-- VE is using x520 VF.
Impact:
UDP Packets with 0 checksum are dropped.
Workaround:
None.
Fix:
UDP checksum failed packets are marked by the ixvf driver as 'not checksummed by hardware'. This makes software re-verify checksum instead of relying on hardware-indicated checksum pass/fail.
Fixed Versions:
14.1.2.8
761749-2 : Security pages unavailable after switching RT mode on off few times
Links to More Info: BT761749
Component: Application Visibility and Reporting
Symptoms:
Security dashboard and analytics pages display "Unable to load application" and no statistics available.
Conditions:
A BIG-IP configured to collect statistics from security modules and new statistics are generated periodically.
The problem may appear when a user switches real-time mode on off few times.
Impact:
Security dashboard and analytics pages unavailable for at least few hours and some real-time statistics are lost.
Fix:
Added timeout for fetching data from statistics module.
Fixed Versions:
14.1.2.1
761685-3 : Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set
Links to More Info: BT761685
Component: Service Provider
Symptoms:
Systems desiring to create a unique connection per connection client may silently end up with clients sharing an outgoing connection if routing uses a virtual server as the outgoing connection transport definition, and the virtual server has the source-port attribute set to preserve-strict.
Conditions:
-- Routing using a virtual server as the transport definition for the outgoing connection.
-- The virtual server has the source-port attribute set to preserve-strict.
Impact:
Systems desiring to create a unique connection per connection client may silently end up sharing an outgoing connection.
Workaround:
None.
Fix:
Per-client mode is now maintained when routing to a virtual server, even when preserve-strict is selected.
Fixed Versions:
14.0.1.1, 14.1.2.1, 15.0.1.4
761553-2 : Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic
Links to More Info: BT761553
Component: Application Security Manager
Symptoms:
Text for analyzed requests might be misleading for suggestions that are created as result of an absence of violations in traffic:
X requests triggered this suggestion from date:time until date:time.
Actually:
-- 'X requests' did not trigger a violation, and no sampled requests are provided.
-- The format of the time in 'from date:time until date:time' is difficult to parse.
Conditions:
There are suggestions that were created as result of an absence of violations in traffic in the policy.
Impact:
Text might be misleading.
Workaround:
None.
Fix:
Improved text for analyzed requests for suggestions that were created as result of absence of violations in traffic.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
761549-2 : Traffic Learning: Accept and Stage action is shown only in case entity is not in staging
Links to More Info: BT761549
Component: Application Security Manager
Symptoms:
Accept and Stage action is available, even for entities that are in staging already.
Conditions:
Create suggestion for the entity (e.g., Attack signature on parameter) that is in staging.
Impact:
Action that is not relevant is shown.
Workaround:
None.
Fix:
Accept and Stage action is available only for suggestions on entities that are not in staging.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
761517-1 : nat64 and ltm pool conflict
Links to More Info: BT761517
Component: Carrier-Grade NAT
Symptoms:
When a pool is assigned to a virtual server with nat64, the destination address is changed to that of the pool, regardless of whether address translation is enabled.
Conditions:
Virtual server with nat64 and a pool configured.
Impact:
nat64 does not happen, even if the translate-address option is set to disable.
Workaround:
None.
Fix:
When a nat64 virtual server has a pool and translate-address is disabled, the pool is utilized but nat64 is performed.
Fixed Versions:
14.1.2.7
761477-7 : Client authentication performance when large CRL is used
Links to More Info: BT761477
Component: Local Traffic Manager
Symptoms:
The search for a revoked certificate is done serially on the BIG-IP system. This causes a performance impact when a large CRL (e.g., one with ~60K entries) is used.
Conditions:
-- Client authentication configured with a CRL containing a large number of entries (~60K).
-- Associated with virtual server.
-- Client connection requests arrive to be authenticated.
Impact:
CRL checking spikes up TMM CPU usage. Performance may be impacted.
Workaround:
None.
Fixed Versions:
14.1.4.5
761385-1 : Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire.
Links to More Info: BT761385
Component: Local Traffic Manager
Symptoms:
Responses from a server are not received by the client.
Conditions:
-- BIG-IP system deployed in L2 transparent mode using virtual wire.
-- No virtual server is configured.
Impact:
Responses from server to client are dropped. Loss of service.
Workaround:
None.
Fix:
Set the L2 transparent flag for the server-side flow if the client-side flow has this flag set.
Fixed Versions:
14.1.2.1
761381-1 : Incorrect MAC Address observed in L2 asymmetric virtual wire
Links to More Info: BT761381
Component: Local Traffic Manager
Symptoms:
Incorrect MAC Address observed in L2 asymmetric virtual wire for ICMP unreachable on UDP traffic.
Conditions:
L2 asymmetric virtual wire is configured.
Impact:
Incorrect MAC Address in the packet when the BIG-IP system sends ICMP unreachable on UDP traffic.
Workaround:
None.
Fix:
The correct MAC address is seen in the packet that is flowing from the BIG-IP system.
Fixed Versions:
14.1.2.1
761345-3 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
Links to More Info: BT761345
Component: Advanced Firewall Manager
Symptoms:
When manual config-sync mode is enabled for an HA setup, additional config-sync may be required after firewall blob compilation.
Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.
Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.
Workaround:
Enable auto config-sync instead of manual config-sync.
Fix:
Additional config-sync is not required in these conditions.
Fixed Versions:
13.1.3.2, 14.1.2.3
761314-2 : OSPF Hello does not work for L2 wire
Links to More Info: BT761314
Component: SSL Orchestrator
Symptoms:
OSPF Hello does not work for L2 wire.
Conditions:
This always occurs for L2 wire configurations.
Impact:
OSPF does not perform connection.
Workaround:
Set the vlangroup.forwarding.override flag to enable:
tmsh modify sys db vlangroup.forwarding.override value enable
Fix:
The problem is fixed by propagating some flags from parent to dynamic VLAN groups.
Fixed Versions:
14.1.4.5
761273-2 : wr_urldbd creates sparse log files by writing from the previous position after logrotate.
Links to More Info: BT761273
Component: Traffic Classification Engine
Symptoms:
After log rotation, the wr_urldbd daemon continues to write at the pre-rotate offset into the file, so the next message is written at offset N, making the file sparse, with all characters prior to that position being read as nulls.
Conditions:
System rotates log files.
Impact:
Some automated systems might not be able to read log file.
Workaround:
None.
Fix:
Log file preserves text file type after log rotation.
Fixed Versions:
13.1.1.5, 14.1.2.8
761234-2 : Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached
Links to More Info: BT761234
Component: Advanced Firewall Manager
Symptoms:
If you create a virtual server with a single address ('Host' in the GUI) for both its source and destination, then configure the virtual server's security policy with a logging profile, and then (after creating the virtual server) modify the source or destination to use a traffic matching condition, the system reports no error when updating the configuration.
Conditions:
Attempting to use a virtual server with a security policy attached that uses a logging profile with an address list as the virtual server's source or destination.
Impact:
An invalid configuration is not caught. When later loading the configuration, the system reports a validation error, and the configuration does not load.
Workaround:
None.
Fix:
An error is now generated under these conditions.
Fixed Versions:
14.1.2.1, 15.0.1.1
761231-2 : Bot Defense Search Engines getting blocked after configuring DNS correctly
Links to More Info: K79240502, BT761231
Component: Application Security Manager
Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.
A cache is stored for legal / illegal requests to prevent querying the DNS again.
This cache never expires, so if there was an initial misconfiguration, the Search Engines may still be blocked after the DNS configuration, routing, or networking issue is fixed, until TMM is restarted.
Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.
Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.
Workaround:
Restart TMM by running the following command:
bigstart restart tmm
Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.
Fixed Versions:
12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
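The difference between the old and fixed cache behaviour in 761231, as an added example (not F5 code): a reverse-DNS verdict cache that either never expires or expires after the five minutes named in the Fix. The class, the resolver stub, the IP address and the hostname suffix are constructed for the illustration.

```python
import time

FIVE_MINUTES = 300.0                 # expiry stated in the Fix text
IP = "192.0.2.10"                    # constructed client address (documentation range)
SUFFIX = ".search.example"           # constructed search-engine domain


class VerdictCache:
    """Caches 'is this client really the search engine it claims to be'."""

    def __init__(self, resolver, ttl=None, clock=time.monotonic):
        self._resolver = resolver    # callable: ip -> hostname, raises OSError on failure
        self._ttl = ttl              # None reproduces the never-expiring cache
        self._clock = clock
        self._entries = {}           # ip -> (verdict, time stored)
        self.lookups = 0             # number of real DNS queries issued

    def is_verified(self, ip, expected_suffix):
        now = self._clock()
        entry = self._entries.get(ip)
        if entry is not None:
            verdict, stored = entry
            if self._ttl is None or now - stored < self._ttl:
                return verdict       # cached answer, good or bad
        self.lookups += 1
        try:
            # A production resolver could be socket.gethostbyaddr(ip)[0].
            name = self._resolver(ip)
        except OSError:
            name = None              # DNS unreachable: cached as a failure
        # The leading dot in the suffix stops 'evilsearch.example' from matching.
        verdict = (name is not None
                   and name.rstrip(".").lower().endswith(expected_suffix))
        self._entries[ip] = (verdict, now)
        return verdict


def simulate(ttl):
    """DNS is broken at t=0, repaired immediately after, then re-checked."""
    state = {"now": 0.0, "dns_fixed": False}

    def resolver(ip):
        if not state["dns_fixed"]:
            raise OSError("resolver unreachable")   # the initial misconfiguration
        return "crawl-192-0-2-10.search.example."

    cache = VerdictCache(resolver, ttl=ttl, clock=lambda: state["now"])
    verdicts = [cache.is_verified(IP, SUFFIX)]      # t=0: failure gets cached
    state["dns_fixed"] = True                       # administrator corrects DNS
    for t in (299.0, 300.0):
        state["now"] = t
        verdicts.append(cache.is_verified(IP, SUFFIX))
    return verdicts, cache.lookups


if __name__ == "__main__":
    print("no expiry :", simulate(None))
    print("5 min TTL :", simulate(FIVE_MINUTES))
```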
761199-1 : Wr_urldbd might crash while system is in a restarting loop.
Links to More Info: BT761199
Component: Traffic Classification Engine
Symptoms:
Webroot daemon (wr_urldbd) crashes if it gets back-to-back SIGTERM signals. The subsequent SIGTERM is handled by the default signal handler instead of the registered one.
As a result wr_urldbd's threads are not prevented from starting if wr_urldbd is in the process of shutting down.
Conditions:
-- System configuration is changing
-- wr_urldbd is restarting continuously at the same time
Impact:
Wr_urldbd crashes during restart and generates a core file.
Workaround:
None.
Fix:
Wr_urldbd handles all signals with the registered handler and does not crash.
Fixed Versions:
14.1.2.5
761194-2 : param data type violation on an Integer parameter, if an integer value is sent via websocket JSON
Links to More Info: BT761194
Component: Application Security Manager
Symptoms:
A false positive occurs with 'Illegal parameter data type' violation on an integer parameter, on websocket messages
Conditions:
An explicit parameter with type integer is configured.
Impact:
A false positive can occur, 'Illegal parameter data type' is reported.
Workaround:
N/A
Fix:
Fixed a false positive with integer values
Fixed Versions:
14.1.0.6
761185-2 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
Links to More Info: K50375550, BT761185
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550
Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550
Impact:
For more information please see: https://support.f5.com/csp/article/K50375550
Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550
Fix:
For more information please see: https://support.f5.com/csp/article/K50375550
Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1
761173-1 : tmm crash after extended whitelist modification
Links to More Info: BT761173
Component: Advanced Firewall Manager
Symptoms:
tmm might crash and restart.
Conditions:
Modifying the whitelist extended entry in tmsh.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The tmm process no longer crashes when modifying the whitelist extended entry in tmsh.
Fixed Versions:
14.1.0.5
761160-2 : OpenSSL vulnerability: CVE-2019-1559
Component: TMOS
Symptoms:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).
Conditions:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).
Impact:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).
Workaround:
None.
Fix:
Update OpenSSL to 1.0.2s.
Fixed Versions:
14.1.2.1, 15.0.1.1
761088-1 : Remove policy editing restriction in the GUI while auto-detect language is set
Links to More Info: BT761088
Component: Application Security Manager
Symptoms:
While policy language was set to auto-detect, the policy editing was not allowed.
Conditions:
Create a new policy and set the language to auto-detect.
Impact:
While policy language was set to auto-detect, the policy editing was not allowed.
Workaround:
The policy language must be set to something other than auto-detect to allow the user to edit the policy from the GUI. However, policy editing is possible using the REST API.
Fix:
The GUI restriction was removed. The user can modify the policy while the language is set to auto-detect.
Fixed Versions:
14.1.2.1, 15.0.1.1
761032-2 : TMSH displays TSIG keys
Links to More Info: K36328238, BT761032
Component: Global Traffic Manager (DNS)
Symptoms:
TSIG key is displayed when related configuration is listed in TMSH.
Conditions:
Authenticated administrative user.
Listing TSIG keys using TMSH.
Impact:
Displaying TSIG keys is a security exposure.
Workaround:
None.
Fix:
TMSH no longer displays TSIG keys when listing configuration.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.3
761030-2 : tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route
Links to More Info: BT761030
Component: Local Traffic Manager
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not shown using the show net route lookup command.
Conditions:
-- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
-- Dynamic Routing protocols such as OSPFv3 configured.
Impact:
Cannot see any dynamic routes added while IPv4-mapped IPv6 addresses are configured.
Workaround:
None.
Fix:
The query for IPv4-mapped IPv6 addresses now shows dynamic routes added while IPv4-mapped IPv6 is configured.
Fixed Versions:
13.1.3.2, 14.1.2.5
760998-1 : F5.ip_forwarding iAPP fails to deploy
Links to More Info: BT760998
Component: TMOS
Symptoms:
F5.ip_forwarding iApp fails to deploy due to a syntax error in the tmsh command for syn-cookie-enable.
Conditions:
Deployment of the f5.ip_forwarding iApp fails unless you specify an existing FastL4 profile.
Impact:
Cannot deploy the f5.ip_forwarding iApp template.
Workaround:
To deploy the f5.ip_forwarding iApp, select 'Advanced' configuration mode and choose an existing FastL4 profile for the question 'What Fast L4 profile do you want to use?'
Fix:
The f5.ip_forwarding iApp template deploys the recommended FastL4 profile without error.
Fixed Versions:
14.1.2.1
760961-3 : TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts
Links to More Info: BT760961
Component: Traffic Classification Engine
Symptoms:
Webroot daemon (wr_urldbd) crashes because of a socket handler issue that occurs when sending the URI categorization request to the BrightCloud server.
Wr_urldbd daemon restarts, and during startup, it loads the downloaded database to the shared memory channel. This shared memory channel is being used by the TMM, which has no information about the wr_urldbd restart, so tmm restarts.
Conditions:
-- Wr_urldbd restarts (which occurs due to an issue in socket handler when sending URL categorization requests to the BrightCloud server).
-- During wr_urldbd startup, the daemon starts loading the downloaded webroot database to the shared memory channel set up between the wr_urldbd and TMM.
-- TMM accesses this shared memory channel to perform a URL category lookup (due to traffic).
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
Fixed Versions:
13.1.1.5, 14.1.4.4
760950-4 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
Links to More Info: BT760950
Component: TMOS
Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.
Note: A previous bug had this same symptom, but was due to a different root cause.
Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.
Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.
Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.
Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system.
Fixed Versions:
12.1.5.3, 14.1.2.7
760930-2 : MRF SIP ALG with SNAT: Added additional details to log events
Links to More Info: BT760930
Component: Service Provider
Symptoms:
Subscriber name is not included in debug log events for temporary subscriber registration creation and deletion.
Conditions:
Debug log events for temporary subscriber registration creation and deletion.
Impact:
No functional impact, but the associated MRF SIP ALG with SNAT issue might be difficult to debug.
Workaround:
None.
Fix:
Subscriber ID is now included in the log events.
Fixed Versions:
14.0.1.1, 14.1.0.6, 15.0.1.4
760878-3 : Incorrect enforcement of explicit global parameters
Links to More Info: BT760878
Component: Application Security Manager
Symptoms:
A false positive or false negative enforcement of explicit global parameter.
Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.
Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.
Workaround:
Make the explicit parameters a wildcard parameter.
Fix:
Explicit parameters are enforced correctly on all parameters.
Fixed Versions:
12.1.5, 13.1.1.5, 14.1.0.6
760771-1 : FastL4-steered traffic might cause SSL resume handshake delay
Links to More Info: BT760771
Component: Local Traffic Manager
Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.
Additionally, it has been observed that if fallback persistence is configured, the BIG-IP system might fail to start the connection serverside.
Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.
Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.
Workaround:
To work around this issue:
-- Disable FastL4.
-- Enable OneConnect.
Fix:
FastL4-steered traffic no longer causes SSL resume handshake delay.
Fixed Versions:
13.1.3, 14.1.2.3
760683-1 : RST from non-floating self-ip may use floating self-ip source mac-address
Links to More Info: BT760683
Component: Local Traffic Manager
Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.
Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.
Impact:
An L2 switch may update the fwd table incorrectly.
Workaround:
None.
Fix:
The system now uses the correct source mac-address under these conditions.
Fixed Versions:
13.1.3.2, 14.1.2.5
760680-1 : TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed.
Links to More Info: K36350541, BT760680
Component: TMOS
Symptoms:
TMSH does not correctly handle absence of input stream after closing an interactive SSH session and remains active in an infinite loop using 100% CPU.
Conditions:
If TMSH is a process group leader, it is not killed when the parent shell is terminated upon SSH session close.
This is a rare case, as TMSH must be deliberately promoted to a process group leader, e.g., with the 'setsid' command.
Usually the shell process is a group leader and, when it is terminated upon SSH session close, it kills its child processes, including TMSH.
Impact:
The equivalent of one CPU core is utilized to 100% by the TMSH process. It may be mostly scheduled on one core or spread over multiple control plane cores.
Workaround:
TMSH should not be intentionally promoted to a process group leader.
You can kill all TMSH processes using the command:
killall -9 tmsh
Warning: This command kills both abandoned and in-use TMSH processes. The latter can include other users' TMSH shells, and even system-level processes invoking the TMSH utility internally. Killing all TMSH processes can lead to various unexpected failures. You can use the 'top' command to see which TMSH process is using high CPU (e.g., 90% or more), and kill just those, as those are the likely zombie processes. pstree may also show the problem TMSH processes with no sshd ancestor.
You can kill specific TMSH processes using the command:
kill -9 <pid>
Where <pid> is the process ID of the TMSH instance to kill.
Possible mitigation
===================
Set a CLI idle timeout to a value lower than the sshd idle timeout (which is not set by default):
tmsh modify cli global-settings idle-timeout <timeout in minutes>
Fix:
I/O error handling in TMSH has been corrected, so it no longer ignores absence of input stream, which led to infinite loop.
Fixed Versions:
14.1.2.1, 15.0.1.1
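A way to pick out only the abandoned TMSH processes that the 760680 workaround describes (high CPU, no sshd ancestor) instead of using killall, as an added example (not F5 code). It parses the output of ps -eo pid,ppid,pcpu,comm; the sample process table is constructed and the function names are assumptions.

```python
# Constructed sample of `ps -eo pid,ppid,pcpu,comm` output.
SAMPLE_PS = """\
  PID  PPID %CPU COMMAND
    1     0  0.0 systemd
 2100     1  0.0 sshd
 2150  2100  0.0 sshd
 2151  2150  0.0 bash
 2200  2151  0.3 tmsh
 3300     1 99.7 tmsh
 3400     1  0.1 tmsh
 4100  2151 95.0 tmsh
"""


def parse_ps(ps_output):
    """Return {pid: (ppid, cpu_percent, command)} from the ps listing."""
    procs = {}
    for line in ps_output.strip().splitlines()[1:]:   # skip the header row
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        try:
            pid, ppid, cpu = int(parts[0]), int(parts[1]), float(parts[2])
        except ValueError:
            continue                                   # ignore malformed rows
        procs[pid] = (ppid, cpu, parts[3].strip())
    return procs


def has_ancestor(procs, pid, name):
    """Walk the parent chain of pid and report whether `name` appears in it."""
    seen = set()
    ppid = procs[pid][0]
    while ppid in procs and ppid not in seen:          # stop at init or on a loop
        seen.add(ppid)
        if procs[ppid][2] == name:
            return True
        ppid = procs[ppid][0]
    return False


def find_runaway_tmsh(ps_output, cpu_threshold=90.0):
    """List PIDs of tmsh processes at or above the CPU threshold with no sshd ancestor.

    Both conditions must hold: a busy tmsh under a live SSH session is in use,
    and an idle tmsh without sshd may be one the system invoked internally.
    """
    procs = parse_ps(ps_output)
    return sorted(
        pid for pid, (_ppid, cpu, comm) in procs.items()
        if comm == "tmsh"
        and cpu >= cpu_threshold
        and not has_ancestor(procs, pid, "sshd")
    )


if __name__ == "__main__":
    # On a live system, feed in the real listing instead of SAMPLE_PS, e.g.
    # subprocess.run(["ps", "-eo", "pid,ppid,pcpu,comm"], capture_output=True,
    #                text=True).stdout
    # Note: ps reports %CPU averaged over the process lifetime, so confirm a
    # candidate with top before running kill -9 <pid> on it.
    print(find_runaway_tmsh(SAMPLE_PS))
```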
760629-3 : Remove Obsolete APM keys in BigDB
Links to More Info: BT760629
Component: Access Policy Manager
Symptoms:
Several APM/Access BigDB keys are obsolete.
Conditions:
This is encountered on BIG-IP software installations.
Impact:
The db keys are obsolete and can be safely ignored.
Workaround:
None
Fix:
The following db keys have been removed from the system:
Log.AccessControl.Level
Log.ApmAcl.Level
Log.SSO.Level
Log.swg.Level
Log.AccessPerRequest.Level
Log.access.syslog
Log.access.db
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
760622-3 : Allow Device Certificate renewal from BIG-IP Configuration Utility
Links to More Info: BT760622
Component: TMOS
Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.
Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.
Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.
Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:
openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt
For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:
openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt
Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.
Fixed Versions:
15.1.0.5
760597-1 : System integrity messages not logged
Links to More Info: BT760597
Component: TMOS
Symptoms:
On TPM-equipped platforms, log messages indicating recovery from a very rarely triggered condition, where the TPM chip needs to be cleared, are not being recorded in the logs on boot.
Conditions:
-- TPM-equipped platforms.
-- Rarely triggered condition in which the TPM chip needs to be cleared.
Impact:
No message indicating the need to clear the TPM.
Note: The need to clear the TPM does not affect the subsequent operation of system integrity checks.
Workaround:
None. The TPM is automatically cleared on boot. Once cleared, it operates normally.
Using remote attestation by submitting a QKview file to iHealth and checking the System Integrity status in the resulting report will reliably indicate any tampering in the BIOS or system startup files.
Fix:
TPM needing to be cleared message is now logged.
Fixed Versions:
14.1.0.6
760594 : On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.
Links to More Info: BT760594
Component: TMOS
Symptoms:
Executing 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.
Conditions:
BIG-IP Virtual Edition
Impact:
The snmpwalk command shows the details of all partitions on previous versions. It now shows only the '/appdata' details.
Workaround:
No workaround exists for this issue currently.
Fixed Versions:
14.1.0.6
760574 : Updating BIG-IP 14.1.x Linux kernel to RHEL7.5
Links to More Info: BT760574
Component: TMOS
Symptoms:
The BIG-IP 14.1.x Linux kernel needs updating to RHEL7.5.
Conditions:
Using the most current version of the BIG-IP software.
Impact:
The Linux kernel update is a typical function of ongoing BIG-IP software development.
Workaround:
None.
Fix:
Below are the advantages of kernel update:
-- Ease of maintenance.
-- Security fixes part of RHEL 7.5.
-- New / Enhanced feature support.
Fixed Versions:
14.1.2.2
760573-1 : TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0★
Links to More Info: K00730586, BT760573
Component: TMOS
Symptoms:
The Trusted Platform Module (TPM) system integrity check may return an invalid status.
As a result of this issue, you may encounter one or more of the following symptoms:
-- While the system boots to BIG-IP 14.1.0, you observe an error message that appears similar to the following example:
tpm-status-check[5025]: System Integrity Status: Invalid
-- After rebooting the system to different volumes, you continue to observe the previous error message.
Conditions:
This issue occurs when the following condition is met:
You reboot a system running either BIG-IP 13.1.x or 14.0.0 (including their point releases) to BIG-IP 14.1.0.
Impact:
The BIG-IP system reports an invalid TPM status and TPM is non-functional.
Workaround:
To recover from this issue, you must delete the grub configuration file and reboot the system twice for an automatic repair to occur. To do so, perform the following procedure:
Impact of workaround: The system will not be available while performing multiple reboots. F5 recommends that you perform this procedure during an appropriate maintenance window.
1. Log in to the command line of the affected system.
2. Mount the boot partition by typing the following command:
mkdir -p /mnt/boot; mount /dev/mapper/$(ls /dev/mapper | grep boot) /mnt/boot
3. Delete the grub.multiboot.cfg file by typing the following command:
rm -f /mnt/boot/grub2/grub.multiboot.cfg
4. Reboot the system by typing the following command:
reboot
Note: The system software fixes the grub.multiboot.cfg file automatically upon booting.
5. When the system has completed booting, log in to the command line and reboot the system again by typing the following command:
reboot
This final step properly boots the system with TPM enabled.
Fix:
Rebooting a system no longer returns the TPM error.
Fixed Versions:
14.1.0.6
760550-5 : Retransmitted TCP packet has FIN bit set
Links to More Info: BT760550
Component: Local Traffic Manager
Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.
Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.
Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.
Workaround:
Set Nagle to disabled in the TCP profile.
Fix:
The incorrect FIN bit is removed.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
760508-1 : On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist★
Links to More Info: K91444000, BT760508
Component: TMOS
Symptoms:
The system security state reported by the shell utility 'tpm-state' may report 'Invalid'.
Conditions:
-- The system contains a volume running BIG-IP software version that does not support Trusted Platform Module (TPM).
-- You install a version that does support TPM.
-- The system is rebooted, from the old (non-TPM-capable) BIG-IP version to the new, TPM-capable version.
Impact:
The BIG-IP system reports an invalid TPM status upon the first boot of the upgraded BIG-IP 14.1.0 slot.
Workaround:
Rebooting the system again into 14.1.0 after initially booting into 14.1.0 resolves the issue.
Fixed Versions:
14.1.0.6
760497-1 : Invalid configuration parameters are visible when Dos Vector is in "Auto Detection/Multiplier Based Mitigation"
Links to More Info: BT760497
Component: Advanced Firewall Manager
Symptoms:
Configure Dos Vector to use "Threshold Mode" -> "Auto Detection/Multiplier Based Mitigation":
1. Enable "Bad Actor Detection".
-- Parameters Per Source IP Detection/Mitigation Threshold EPS are visible.
2. Enable "Attacked Destination Detection".
-- Parameters Per Destination IP Detection/Mitigation Threshold EPS are visible.
Conditions:
Dos Profile Vector "Threshold Mode" -> "Auto Detection/Multiplier Based Mitigation"
Impact:
Some parameters are visible that should not be. There is no negative system behavior.
Fix:
The system now checks Threshold Mode before enabling or disabling fields.
Fixed Versions:
14.1.4
760475-1 : Apache spawns more processes than the configured limit, causing system low memory condition
Links to More Info: BT760475
Component: TMOS
Symptoms:
Apache (httpd) process count MaxClients on BIG-IP systems is set to '10' in the configuration. When more requests are received, Apache spawns more processes than 10, consuming more memory.
Conditions:
Numerous clients trying to connect simultaneously to the BIG-IP GUI.
Impact:
System low memory condition can severely impact application/system performance, and sometimes triggers Out-Of-Memory (OOM) Killer, so critical applications might be terminated.
Workaround:
Complete the following procedure:
1. Modify /etc/httpd/conf/httpd.conf to have the following configuration outside of the prefork module (global):
MaxClients 10
2. Run the following command:
bigstart restart httpd
Fixed Versions:
14.1.2.1
760471-3 : GTM iQuery connections may be reset during SSL key renegotiation.
Links to More Info: BT760471
Component: Global Traffic Manager (DNS)
Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.
Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once every 24 hours, per connection, by default (but can be controlled by the db key big3d.renegotiation.interval).
Impact:
The affected iQuery connection is briefly marked down before it is immediately re-established.
Workaround:
There is no workaround.
Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.
Fixed Versions:
12.1.5.2, 13.1.3.5, 14.1.2.3, 15.0.1.4, 15.1.0.2
760468 : Route domains cause diskmonitor errors in logs
Links to More Info: BT760468
Component: TMOS
Symptoms:
Configuring a non-default route-domain results in frequent diskmonitor error in the LTM log file:
warning diskmonitor[14972]: 011d0002:4: Skipping net:[4026532306]. Stat returned message: /usr/bin/stat: cannot read file system information for net:[4026532306]: No such file or directory.
Conditions:
-- BIG-IP system running v14.1.x.
-- Non-default route-domain configured.
Impact:
There is no functional impact. The message logged does not indicate functional issues. However, the issue might occur frequently, which can be erroneously concerning.
Workaround:
This issue can be worked around with two methods.
The first is by creating a syslog-ng filter.
1. Log in to the TMOS shell (tmsh) by typing the following command:
-----
tmsh
-----
2. To edit syslog, type the following command:
-----
edit /sys syslog
-----
3. When syslog configuration opens in the vi text editor, copy and paste the entire entries below:
============ CUT BELOW ==============
modify syslog {
include "
# Workaround for ID760468 to remove diskmonitor messages
filter f_no_audit {
not message(\"AUDIT|diskmonitor.*Skipping net:\");
};"
}
============ CUT ABOVE ==============
4. Exit the text editor by typing the following key sequence:
-----
:wq!
-----
5a. At the following prompt, type y to save the changes to the file:
Save changes? (y/n/e)
The tmsh utility prompt returns.
5b. If the syslog filter contains syntax errors, the tmsh utility returns the following prompt:
There were errors. Continue editing (y) or discard changes (n) (y/n)
Correct the errors until there are no more errors flagged.
6. Save the configuration by typing the following command:
-----
save /sys config
-----
The second is by modifying the diskmonitor script as follows.
Note: This change does not replicate between blades, does not ConfigSync, is not preserved as part of a UCS archive, and is not preserved across software installs on a system.
1. Mount /usr as rw (read-write).
2. Open /usr/bin/diskmonitor in an editor, locate the line that references '/shared/em', and add this immediately above it:
|| substr($mountline[1], 0, 4) eq 'net:'
3. Mount /usr as ro (read-only).
Here is a one-line command string you can use:
mount /usr -o remount,rw && if [ ! -f /usr/bin/diskmonitor.id760468 ]; then /bin/cp /usr/bin/diskmonitor{,.id760468}; fi && sed -ie "/^.*shared\/em.*\$/i\ || substr(\$mountline[1], 0, 4) eq 'net:'" /usr/bin/diskmonitor && (perl -c /usr/bin/diskmonitor || echo "WARNING: DISKMONITOR SCRIPT IS NO LONGER VALID PERL") && mount /usr -o remount,ro
Fix:
Configuring a non-default route-domain no longer results in diskmonitor errors in the LTM log.
Fixed Versions:
14.1.2.2
760462-1 : Live update notification is shown only for provisioned/licensed modules
Links to More Info: BT760462
Component: Application Security Manager
Symptoms:
Live update notification in the top left corner of the screen was shown even when you cannot install updates, e.g., no permissions or no license/provisioning.
Conditions:
-- There is an update for a non-provisioned/licensed module.
-- Attempt to install the update.
Impact:
A notification appears and it cannot be removed.
Workaround:
None.
Fix:
Live update notification is now shown only for provisioned/licensed modules.
Fixed Versions:
14.1.2.3
760439-4 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
Links to More Info: BT760439
Component: TMOS
Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).
Conditions:
Installing a UCS that was taken in forced-offline state on a clean-installed unit.
Impact:
Unit may become active/standby before intended (e.g., during maintenance).
Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
760438-3 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
Links to More Info: BT760438
Component: Policy Enforcement Manager
Symptoms:
tmm coredump
Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.
Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The BIG-IP system now validates session presence before applying the policy.
Fixed Versions:
13.1.3, 14.1.2.1
760410-1 : Connection reset is seen when Category lookup agent is used in per-req policy
Links to More Info: BT760410
Component: Access Policy Manager
Symptoms:
The BIG-IP system sends reset to client when Category Lookup agent is used in per-req policy.
Conditions:
-- APM or SSLO is licensed and provisioned.
-- URLDB and SWG are not provisioned.
-- Category Lookup agent is used in the policy to process custom categories.
Impact:
Connection reset is seen on client from APM/SSLO box.
Workaround:
Modify Category Lookup agent 'lookup-type' property to 'custom-only' via TMSH, for example, by using a command similar to the following:
modify apm policy agent category-lookup example_prp_act_category_lookup_ag lookup-type custom-only
Fix:
Category lookup agent in per-req policy now successfully processes custom categories, so the reset no longer occurs.
Fixed Versions:
14.1.0.6
760408-3 : System Integrity Status: Invalid after BIOS update★
Links to More Info: BT760408
Component: TMOS
Symptoms:
When BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.
This issue causes the System Integrity Status to return a value of 'Invalid'.
Conditions:
-- One of the following BIG-IP platforms, which have a Trusted Platform Module (TPM), that was manufactured using an earlier BIOS version:
- i850, i2600, i2800, i4600, i4800
- i5600, i5800, i7600, i7800, i10600, i10800
- i12600, i12800, i15600, i15800
- B4400 series blades
-- Updating to a newer BIOS version.
Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.
Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.
Fix:
The System Integrity Status check now returns 'Valid' for systems that have not been compromised.
Fixed Versions:
13.1.3, 14.0.0.5, 14.1.0.6
760406-3 : HA connection might stall on Active device when the SSL session cache becomes out-of-sync.
Links to More Info: BT760406
Component: Local Traffic Manager
Symptoms:
A BIG-IP system in a high availability (HA) configuration might exhibit slow performance in handling TLS/SSL traffic and experience 'SSL handshake timeout' errors.
Messages such as the following can appear in the "ltm" log:
01260009:4: Connection error: hud_ssl_handler:1554: codec alert (20)
Conditions:
This might occur in either of the following scenarios:
Scenario 1
-- Manual sync operations are performed while traffic is being passed.
-- SSL Connection mirroring is enabled.
Scenario 2
-- Saving configuration on a high availability (HA) Standby node while traffic is being passed.
-- SSL Connection mirroring is enabled.
Impact:
-- In Scenario 1, the sync operation causes the session cache to be out-of-sync between active and standby nodes.
-- In Scenario 2, the save operation clears the session cache on the standby node. As a result, the session cache might be out-of-sync between active and standby nodes.
In either Scenario:
-- SSL Connection mirroring fails and posts the timeout message.
-- The high availability (HA) system performance becomes degraded due to SSL connection timeout.
Workaround:
-- Disable SSL session caching by setting 'Cache Size' in the client SSL profile option to 0.
-- Set device management sync type to Automatic with incremental sync.
Fix:
N/A
Fixed Versions:
14.1.4.1
760393 : GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes
Links to More Info: BT760393
Component: Advanced Firewall Manager
Symptoms:
After failover, there is no GARP from the newly active device for FW NAT policy rule's dest prefixes.
Conditions:
Configure FW NAT policy rules with proxy arp enabled for destination prefixes. After failover, no GARP is sent for those destination prefixes.
Impact:
After failover traffic can fail/degrade.
Workaround:
No workaround other than forcing the initial active HA device to be active again.
Fix:
The system now sets the high availability (HA) unit correctly for FW NAT policy.
Fixed Versions:
14.1.0.5
760370-2 : MRF SIP ALG with SNAT: Next active ingress queue filling
Links to More Info: BT760370
Component: Service Provider
Symptoms:
When running MRF SIP ALG with SNAT, the ingress queue may fill, causing messages to be dropped on the next-active device.
Conditions:
-- The active device determines that an operation can be skipped because the details were already discovered while processing a previous message.
-- The next-active device has not yet processed the previous message and is not able to skip the operation.
Impact:
Mirroring state is lost for the connection.
Workaround:
None.
Fix:
When the connection is mirrored, the processing operation is not skipped on either the active or next-active device.
Fixed Versions:
14.0.1.1, 14.1.0.6, 15.0.1.4
760363-1 : Update Alias Address field with default placeholder text
Links to More Info: BT760363
Component: TMOS
Symptoms:
Unable to update Alias Address field with the default value under Local Traffic :: Monitors :: [MonitorName] after removing everything from the input field and updating again with the placeholder text.
Conditions:
-- Using a system running software in which the GUI supports Chinese characters.
-- Remove content from the Alias Address field under Local Traffic :: Monitors :: [MonitorName].
-- Enter the default placeholder text.
Impact:
Unable to update the Alias Address input field with default placeholder text after replacing the said field with blank text or a valid value.
Workaround:
Pass empty value or ::
Fix:
Allow monitors to update with default placeholder text for Alias Address
Fixed Versions:
13.1.3.2
760356-2 : Users with Application Security Administrator role cannot delete Scheduled Reports
Links to More Info: BT760356
Component: Application Visibility and Reporting
Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.
Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.
Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.
Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.
Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1
760355 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★
Links to More Info: BT760355
Component: Advanced Firewall Manager
Symptoms:
If firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.
Conditions:
-- Firewall is configured on the management port.
-- Firewall is configured with an ICMP rule to block.
Impact:
ICMP packets cannot be blocked with a firewall rule to drop on management port. ICMP packets are allowed from the management port.
Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.
# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP
Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.
Fixed Versions:
14.1.2.1, 15.0.1.1
760278 : F5 SSL Orchestrator may fail to install an RPM software package on BIG-IP systems running point release versions★
Links to More Info: BT760278
Component: SSL Orchestrator
Symptoms:
A user running a BIG-IP point release is not able to upgrade the SSL Orchestrator RPM from the SSL Orchestrator landing page.
Conditions:
This issue occurs when all of the following conditions are met:
* The user is running a BIG-IP 14.1.0.x point release.
* From the SSL Orchestrator landing page, the user clicks the Upgrade SSL Orchestrator link to install the SSL Orchestrator RPM.
Impact:
The user is not able to upgrade to a newer version of the SSL Orchestrator RPM.
Workaround:
a) Log in to the BIG-IP using management IP
b) Navigate to iApps > Package Management LX.
c) Click Import.
d) Click Choose File and select the RPM software package
f) Click Upload.
Fixed Versions:
14.1.0.5
760259-3 : Qkview silently fails to capture qkviews from other blades
Links to More Info: BT760259
Component: TMOS
Symptoms:
When capturing a qkview on a chassis, there are no warnings provided if the qkview utility is run to gather a qkview from other blades.
Conditions:
-- On a chassis system, rename/move the qkview binary from a given blade.
-- Execute qkview on another blade, verify that no warnings or errors are produced.
Impact:
There is no warning that the qkview failed for a given blade.
Workaround:
There is no workaround other than running the qkview on the actual blade.
Fixed Versions:
14.1.2.3
760250 : 'Unsupported SSO Method' error when requests sharing the same TCP session
Links to More Info: BT760250
Component: Access Policy Manager
Symptoms:
In API Protection configurations, an 'Unsupported SSO Method' error occurs when requests share the same TCP session and some branch selects Single-Sign On (SSO).
Conditions:
-- On the virtual server, the OneConnect profile is selected.
-- Requests sharing the same TCP session.
Impact:
Some requests are rejected.
Workaround:
Remove the OneConnect profile from the virtual server.
Fix:
Reset the SSO selection for each request, regardless of whether requests share the same TCP connection.
Fixed Versions:
14.1.0.6
760234-1 : Configuring Advanced shell for Resource Administrator User has no effect
Links to More Info: BT760234
Component: TMOS
Symptoms:
Advanced shell is present in the Terminal Access dropdown list when creating a Resource Administrator User, but the functionality is not available.
Conditions:
Configuring Advanced shell for Resource Administrator User.
Impact:
There is no warning message, but the setting has no effect. Gives the false impression that you can configure a Resource Administrator User to have Advanced shell access when the role does not support it.
Workaround:
None.
Fix:
The Advanced shell option is no longer present in the Resource Administrator User Terminal Access dropdown list.
Behavior Change:
Resource Administrator User can no longer select Advanced shell. The option has been removed from the dropdown list in the GUI for the Resource Administrator User.
Fixed Versions:
12.1.5.3, 14.1.2.3, 15.0.1.4
760222 : SCP fails unexpected when FIPS mode is enabled
Links to More Info: BT760222
Component: TMOS
Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.
Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.
Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.
Workaround:
None.
Fix:
This scp issue no longer occurs when FIPS cards are installed.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.3
760164-1 : BIG-IP VE Compression Offload HA action requires modification of db variable
Links to More Info: BT760164
Component: TMOS
Symptoms:
When TMM detects a compression offload device hang it does not invoke the configured high availability (HA) action.
Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes compression operations.
Impact:
The configured HA action does not occur when a compression offload device hangs. Client compression requests eventually time out.
Workaround:
Disable the pfmand by running the following commands:
tmsh modify sys db pfmand.healthstatus value disable
tmsh save sys config
The configured HA action will now occur when a compression offload device hangs.
Note: The pfmand daemon is not needed for BIG-IP VE, so disabling the db variable has no impact for BIG-IP VE configurations.
Fixed Versions:
14.1.0.6, 15.0.1.1
760130-3 : [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
Links to More Info: BT760130
Component: Access Policy Manager
Symptoms:
-- Increased overall TMM memory usage, which eventually forces TMM to start closing connections to reduce memory usage.
-- connflow memory usage keeps increasing. Memory usage can be observed with this command:
# tmctl -f /var/tmstat/blade/tmm0 memory_usage_stat -w200
Conditions:
1. Using PingAccess.
2. Errors are being logged in /var/log/paa.
Impact:
-- Memory leak.
-- Eventually TMM starts closing connections randomly.
Workaround:
None.
Fix:
When PingAccess encounters an error after sending traffic data to PingAccess SDK, TMM no longer leaks memory.
Fixed Versions:
13.1.3, 14.1.3.1
760078-1 : Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet.
Links to More Info: BT760078
Component: Local Traffic Manager
Symptoms:
Packet with unexpected source MAC seen on the adjacent node to the BIG-IP.
Conditions:
- BIG-IP configured in an L2 transparent mode using virtual wires
- Traffic forwarded between client and server in an asymmetric manner across virtual wires.
Impact:
Possible impacts to services on nodes adjacent to the BIG-IP if policy decisions on those nodes are made with the source MAC of the received packet as input.
Fixed Versions:
14.1.2.1
760050-2 : "cwnd too low" warning message seen in logs
Links to More Info: BT760050
Component: Local Traffic Manager
Symptoms:
The following benign message appears in the log: "cwnd too low."
The message can be seen in both tmm logs (where it shows as 'notice' severity) and also in the ltm log (where it shows as 'crit' (critical) severity).
Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.
Impact:
None. TCP resets the congestion window to 1 MSS.
Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.
Fixed Versions:
13.1.4.1, 14.1.2.7, 15.1.4
759968-3 : Distinct vCMP guests are able to cluster with each other.
Links to More Info: BT759968
Component: Local Traffic Manager
Symptoms:
-- Distinct vCMP guests are able to cluster with each other.
-- Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using the following command:
clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac
Check the 'rebroad_mac' field for duplicate mac addresses.
vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------
Conditions:
-- It is not yet clear under what circumstances the issue occurs.
-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.
Impact:
Only the vCMP guest acting as primary will be operative.
Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:
modify sys db clusterd.communicateovertmmbp value false
To disable the db variable on the affected guest, log in to the TMOS Shell (tmsh) by entering the following command:
tmsh
Then run the following commands, in sequence:
stop sys service clusterd
modify sys db clusterd.communicateovertmmbp value false
start sys service clusterd
save sys config
Afterwards, the affected guest might still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask and then changing it back.
With the above steps, the duplicated rebroadcaster MAC still shows, but the vguests are in stable states. To fix the duplicated MAC problem, apply the workaround (on all blades) documented in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
Important: Applying the procedure described in K13030 interrupts traffic.
Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.
Fixed Versions:
12.1.5, 13.1.3, 14.1.2.1, 15.0.1.1
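The duplicate 'rebroad_mac' check from ID 759968, as an added shell example that is not part of the F5 release notes: it reads the tmctl table on standard input and reports every non-null MAC claimed by more than one guest. The function names and the sample table are constructed for illustration, and identifying a guest by its vcmp_name column is an assumption.

```shell
#!/bin/sh
# Added example, not F5 code. Assumes the three-column layout produced by
#   tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac

# Constructed sample shaped like the table in the entry above. The last row
# repeats vcmp10 (as a second slot would) to show it is not double counted.
sample_vcmp_table() {
    cat <<'EOF'
vcmp_name tmid rebroad_mac
--------- ---- -----------------
default   0    02:01:23:45:01:00
vcmp1     0    00:00:00:00:00:00
vcmp9     0    02:01:23:45:01:08
vcmp10    0    02:01:23:45:01:0A <--------------
vcmp11    0    02:01:23:45:01:0A <--------------
vcmp10    1    02:01:23:45:01:0A
EOF
}

# Prints "<mac> <guest>,<guest>..." for each non-null rebroad_mac shared by
# two or more distinct guests.
# Exit status: 0 = no duplicates, 1 = at least one duplicate found.
find_dup_rebroad_mac() {
    awk '
        # True when s is six colon-separated hex byte pairs.
        function is_mac(s,    p, n, i) {
            n = split(s, p, ":")
            if (n != 6) return 0
            for (i = 1; i <= 6; i++)
                if (p[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) return 0
            return 1
        }
        # Data rows only: header, separator and banner lines have no MAC
        # in the third field and are skipped.
        NF >= 3 && is_mac($3) {
            mac = toupper($3)
            # The entry flags only non-null duplicates.
            if (mac == "00:00:00:00:00:00") next
            # Count each guest once per MAC, however many rows list it.
            if (!((mac, $1) in seen)) {
                seen[mac, $1] = 1
                count[mac]++
                guests[mac] = (count[mac] > 1) ? guests[mac] "," $1 : $1
            }
        }
        END {
            for (mac in count)
                if (count[mac] > 1) { print mac, guests[mac]; dup = 1 }
            exit (dup ? 1 : 0)
        }
    '
}
```

On a chassis, pipe the command from the entry into the function: `clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac | find_dup_rebroad_mac`.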
759868-1 : TMM crash observed while rendering internal pages (like blocked page) for per-request policy
Links to More Info: BT759868
Component: Access Policy Manager
Symptoms:
TMM crashes.
Conditions:
-- SSLO/SWG configured.
-- Rendering internal pages (like a blocked page).
-- Per-request policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores while rendering internal pages (like blocked page) for per-request policy.
Fixed Versions:
14.1.0.6
759814-1 : Unable to view iApp component view★
Links to More Info: BT759814
Component: TMOS
Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.
Conditions:
-- Upgrade to v14.1.x.
-- Create a new iApp with an SSL, ASM, or Traffic policy profile.
-- Or, attempt to view an iApp containing ASM information
Impact:
Unable to access the iApp Component view. Cannot reconfigure the iApp directly (iApp : Application Services : application : any app).
Workaround:
To reconfigure the iApp, do the following:
1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List.
2. Click the Application Link :: Reconfigure.
Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.
Fixed Versions:
14.1.2.1
759735-2 : OSPF ASE route calculation for new external-LSA delayed
Links to More Info: BT759735
Component: TMOS
Symptoms:
External link-state advertisement (LSA) update does not trigger OSPF ASE route calculation, resulting in delay for route state changes from external LSA.
Conditions:
-- OSPF enabled.
-- More than 20 updated external LSA.
-- No updated router and network LSA.
Impact:
Delay of route update from external LSA.
Workaround:
Manually clear ip ospf process.
Fix:
OSPF ASE route calculation from external LSA now happens as normal.
Fixed Versions:
13.1.3.2, 14.1.2.5
759723-1 : Abnormally terminated connections on server side may cause client side streams to stall
Links to More Info: BT759723
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides HTTP/2 Gateway configuration when an HTTP/2 client is served by HTTP/1.x pool members. When a server-side connection terminates abnormally, TMM may crash.
Conditions:
-- A virtual server with HTTP/2 Gateway configuration is configured on the BIG-IP system.
-- Traffic on the server side has some abnormalities, resulting in aborted or unclosed connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash when a virtual server is configured as a HTTP/2 gateway.
Fixed Versions:
14.1.0.6
759721-2 : DNS GUI does not follow best practices
Links to More Info: K03332436, BT759721
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS WebUI does not follow best security practices.
Conditions:
DNS services provisioned, enabled, and configured
Impact:
The DNS WebUI does not follow best security practices.
Workaround:
None.
Fix:
The DNS WebUI now follows best security practices.
Fixed Versions:
13.1.3, 14.0.0.5, 14.1.0.6
759654-1 : LDAP remote authentication with remote roles and user-template failing
Links to More Info: BT759654
Component: TMOS
Symptoms:
The directory server that performs authentication requests refuses a query for authorization (user attributes), which prevents the BIG-IP user from logging on with remote authentication.
BAD_NAME errors are usually present in LDAP communication.
Conditions:
-- Configure LDAP remote authentication with remote roles and a user template.
-- As a remote user, attempt to logon.
Impact:
The query request sent to the directory server is refused because the password is not included in the request, and the server does not accept an anonymous bind request. The refused request prevents a lookup of the user account attributes on the directory server. As a result, the BIG-IP user cannot logon.
Workaround:
Remove user-template. bind-dn must be used to authenticate against LDAP server.
Fixed Versions:
14.1.2.3, 15.0.1.4
759596-2 : Tcl errors in iRules 'table' command
Links to More Info: BT759596
Component: TMOS
Symptoms:
The iRules 'table delete' command causes Tcl errors due to improperly handling the return code from SessionDB.
Conditions:
-- iRules 'table delete' command is used.
-- Does not occur consistently, but is more prone to occur when the system is processing more traffic.
Impact:
The 'table delete' command randomly fails and causes disruptions in traffic.
Workaround:
Do not use 'table delete' command
Fix:
Fixed 'table delete' to properly interpret the return code from SessionDB.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.4
759579-1 : Full Webtop: 'URL Entry' field is available again
Links to More Info: BT759579
Component: Access Policy Manager
Symptoms:
'URL Entry' field is no longer visible from full webtop.
Conditions:
Using Portal Access full webtop screen.
Impact:
It is not possible to open Portal Access session with arbitrary URL from full webtop screen.
Workaround:
None.
Fix:
Now 'URL Entry' field can be enabled and used on full webtop.
Fixed Versions:
14.1.2.1
759564-4 : GUI not available after upgrade
Links to More Info: BT759564
Component: TMOS
Symptoms:
After installing over the top of a previous version, the Management GUI is inaccessible while SSH access works. You may see one or more of the following conditions:
Shell prompt may show logger[1234]: Re-starting named
bigstart restart httpd fails
bigstart start httpd fails
Conditions:
Installation over a previously used Boot Volume
Impact:
Corrupt install
Workaround:
Boot back to previous boot volume and then delete the boot volume containing the failed install.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1
759499-2 : Upgrade from version 12.1.x to version 13.1.x and later failing with error★
Links to More Info: BT759499
Component: TMOS
Symptoms:
Upgrade from version 12.1.x to version 13.1.x or later fails. Running 'tmsh show sys software' shows the following message:
failed (Could not access configuration source; sda,n)
Conditions:
1. Install BIG-IP version 12.1.x in new volume.
2. From 12.1.x, try to install 13.1.x or later version in new volume.
Impact:
Upgrade fails.
Workaround:
To work around this issue, delete the new installed volume and try the installation again.
The second installation succeeds in this scenario.
Fixed Versions:
14.1.2.3, 15.0.1.1
759483-1 : Message about HTTP status code which are set by default disappeared from the UI
Links to More Info: BT759483
Component: Application Security Manager
Symptoms:
When creating a new policy using the policy-creation page, there are status codes (200-399) that are enabled by default. The message about HTTP status codes that are set by default does not appear in the GUI.
Conditions:
Open Create a New Policy page.
Impact:
The message is not shown on Create Policy page
Workaround:
None.
Fix:
The message has been added and is always shown next to the Allowed Response Status Codes input.
Fixed Versions:
14.0.0.5, 14.1.0.6
759480-3 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
Links to More Info: BT759480
Component: Local Traffic Manager
Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.
Conditions:
When all of the following conditions are met:
-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.
-- A command in an LB_FAILED event (does not have to be in the same iRule as the previous point, but must be attached to the same virtual server), that parks the iRule (e.g., table, session, persist, after, HSL).
-- A CLIENT_CLOSED event is present.
-- The pool member fails in some manner, triggering LB_FAILED
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Add a reject command to the LB_FAILED event to force the server side of the connection closed before the response is sent to the client.
Fixed Versions:
12.1.5, 13.1.3.4, 14.1.3.1
759462-1 : Site names and vulnerabilities cannot be retrieved from WhiteHat server
Links to More Info: BT759462
Component: Application Security Manager
Symptoms:
Site names and/or vulnerabilities cannot be retrieved from WhiteHat's server, and you get this error:
Failed to get site names
500 Can't connect to 63.128.163.17:443
Additionally, if configured, the HTTP/HTTPS proxy is not used.
Conditions:
You attempt to retrieve site names and/or vulnerabilities from WhiteHat's server.
Impact:
The site names and/or vulnerabilities cannot be retrieved.
Workaround:
You can manually enter site name in the field 'WhiteHat Site Name' on the Security :: Application Security :: Vulnerability Assessments :: Settings page, and vulnerabilities can be downloaded from the WhiteHat server and uploaded to ASM.
Fix:
Site names and vulnerabilities can now be retrieved directly from WhiteHat's server.
Fixed Versions:
14.1.0.6
759449-1 : Unable to modify the application language with 'Copy ASM Policy'
Links to More Info: BT759449
Component: Application Security Manager
Symptoms:
When using the 'Copy policy' feature, if you select another application language, it copies the actual policy without taking into account the modification made in the GUI, and it remains UTF-8 if it originally was UTF-8.
Conditions:
1. Go to Security :: Application Security :: Security Policies :: Policies List.
2. Select an ASM Policy.
3. Click 'Copy policy'.
4. Modify application language to anything else.
5. Click Save.
Impact:
Newly copied policy carries the application language setting that was active before the change, so the copy does not match the original.
Workaround:
None.
Fix:
In this release, if the encoding is different from the source policy encoding, copy now handles the operation so that the resulting policy has the correct application language.
Fixed Versions:
14.1.2.7
759439-1 : Unable to attach default SSL and FTP profiles to virtual server
Links to More Info: BT759439
Component: SSL Orchestrator
Symptoms:
Configuring a virtual server with default SSL and FTP profiles fails with the following error message:
01b40014:3: Virtual server (/Common/testvs) requires clientssl profile (/Common/clientssl) to enable SSL forward proxy when FTP profile (/Common/ftp) is present.
Conditions:
-- SSL Forward Proxy is disabled in the client SSL profile, and
-- FTPS Mode is set to 'Disallow' in the FTP profile.
Impact:
The virtual server cannot be configured successfully.
Workaround:
None.
Fix:
Configuring a virtual server with default SSL and FTP profiles now succeeds.
Fixed Versions:
14.0.1.1, 14.1.2.1, 15.0.1.1
759360-2 : Apply Policy fails due to policy corruption from previously enforced signature
Links to More Info: BT759360
Component: Application Security Manager
Symptoms:
Apply Policy fails due to policy corruption in PLC database from a previously enforced signature.
Conditions:
1. Export a policy containing a signature with an enforced rule.
2. Update ASM Signatures (ASU).
3. Import that previously exported policy.
4. Apply the newly imported policy.
Impact:
Apply policy fails.
Workaround:
As a workaround, run the following SQL, and then apply the policy:
----------------------------------------------------------------------
UPDATE PLC.PL_POLICY_NEGSIG_SIGNATURES SET previous_enforced_rule_md5 = '' WHERE previous_enforced_rule = '' and previous_enforced_rule_md5 != ''
----------------------------------------------------------------------
Fixed Versions:
13.1.1.5, 14.1.0.6
759356-2 : Access session data cache might leak if there are multiple TMMs
Links to More Info: BT759356
Component: Access Policy Manager
Symptoms:
Due to asynchronicity in the TMM subsystem, it is possible that the session data cache might be created after the session is terminated. As a result, that session data cache never gets released.
Conditions:
-- Transparent SWG.
-- The BIG-IP system has more than one TMM.
Impact:
TMM memory might be exhausted eventually.
Workaround:
None.
Fixed Versions:
14.1.3.1
759192-3 : TMM core during display of PEM session under some specific conditions
Links to More Info: BT759192
Component: Policy Enforcement Manager
Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.
Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.
Fix:
TMM core during display of PEM session no longer occurs.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.1
759191-1 : While using explicit or transparent http type service on SSL Orchestrator, TMM cores.
Links to More Info: BT759191
Component: SSL Orchestrator
Symptoms:
TMM can core while using http type service (explicit or transparent) on SSL Orchestrator.
Conditions:
SSL Orchestrator configured while using explicit or transparent http type service.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
TMM no longer cores using explicit or transparent http type service on SSL Orchestrator.
Fixed Versions:
14.1.2.5
759172-1 : Read Access Denied: user (gu, guest) type (Certificate Order Manager)
Links to More Info: BT759172
Component: TMOS
Symptoms:
GUI guest user is supposed to see Key properties (which includes cert order manager association details) and Certificate Order Manager object itself, but reports an error:
-- General database error retrieving information.
-- err mcpd[6586]: 01070823:3: Read Access Denied: user (gu) type (Certificate Order Manager)
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Guest user attempts to view Key properties (including cert order manager association details) and Certificate Order Manager object information.
Impact:
Certificate Manager role does not allow users to create certificates. They can upload and delete certificates, but when trying to create one, the GUI stays blank and the logs show a Read Access Denied error.
Workaround:
None.
Fixed Versions:
14.1.2.5
759135-2 : AVR report limits are locked at 1000 transactions
Links to More Info: BT759135
Component: Application Visibility and Reporting
Symptoms:
AVR reports are limited to 1000 transactions. This is due to a hard-coded limit.
Conditions:
Using AVR reports for more than 1000 transactions.
Impact:
Unable to create reports with more than 1000 rows.
Workaround:
None.
Fix:
A db variable, avr.stats.reportrownumberlimit, has been added and can be controlled via TMSH. The variable controls the number of rows in a report, within the range of 1 to 100000.
For example, for a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:
tmsh modify sys db avr.stats.reportrownumberlimit value 10000
Behavior Change:
There is a new db variable avr.stats.reportrownumberlimit available in TMSH, which controls the number of rows in an AVR report. Valid values are from 1 to 100000.
For example, to create a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:
tmsh modify sys db avr.stats.reportrownumberlimit value 10000
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.1
759077-2 : MRF SIP filter queue sizes not configurable
Links to More Info: BT759077
Component: Service Provider
Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.
Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes is exceeded, the filter enables its flow control logic.
Impact:
Messages may be dropped.
Workaround:
None.
Fix:
The max-pending-messages and max-pending-bytes values in the SIP router profile will be used as the limits for the SIP filter's queues. If the configured value is less than the existing hard-coded limits (512 bytes or 65535 bytes), the hard-coded limits will be used.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.4
759056-2 : stpd memory leak on secondary blades in a multi-blade system
Links to More Info: BT759056
Component: Local Traffic Manager
Symptoms:
On secondary blades in a multi-blade system, stpd shows continued increased memory usage.
Conditions:
A non passthru STP mode (STP, RSTP or MSTP) is enabled on the system.
Impact:
System performance is degraded due to needless memory usage by stpd.
Workaround:
None.
Fix:
Stpd no longer leaks memory.
Fixed Versions:
13.1.3.6, 14.1.3.1
759004-2 : Autodosd history files not loaded correctly after software upgrade★
Links to More Info: BT759004
Component: Advanced Firewall Manager
Symptoms:
DoS statistics do not reflect historic detection thresholds.
Conditions:
-- Enable autodosd.
-- Upgrade the system.
Impact:
Incorrect DoS detection thresholds.
Workaround:
None.
Fix:
The system now correctly loads autodosd history files after a software upgrade.
Fixed Versions:
14.1.4
758992-2 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
Links to More Info: BT758992
Component: Local Traffic Manager
Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.
Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.
Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.
Impact:
Incorrect MAC address used for traffic associated with the traffic-group.
Workaround:
None.
Fix:
tmm uses the proper MAC address when there is a traffic-group MAC address defined and 'tm.macmasqaddr_per_vlan' is set to true.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.3
758879 : BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot
Links to More Info: BT758879
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) with ixlv devices (Intel X710/XL710/XXV710 family) might not reliably pass traffic after a hard boot of the host on which it runs.
The tmm log contains messages similar to the following:
ixlv[0:8.0]: Error: AQ returned error -1 to request 10!
ixlv[0:8.0]: Error: Error -1 waiting for PF to complete operation 4
ixlv[0:8.0]: Error: WARNING: Error adding VF mac filter!
ixlv[0:8.0]: Error: WARNING: Device may not receive traffic!
The host's kernel log might contain messages similar to the following:
i40e 0000:06:00.0: VF is not trusted, switch the VF to trusted to add more functionality
Conditions:
-- BIG-IP VE with one or more virtual functions that utilize the ixlv driver within tmm.
-- Hard reboot the host and observe traffic.
Note: This issue might be dependent upon the version of the PF driver in the host, and has been observed with at least 2.1.4 and 2.4.10, but this list is incomplete.
Impact:
IPv6 and other network traffic may be handled unreliably.
Workaround:
Reboot the guest. This problem has been observed only on the very first boot after a hard boot of the host.
Fixed Versions:
14.1.0.6
758872-3 : TMM memory leak
Links to More Info: BT758872
Component: Local Traffic Manager
Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.
Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.
Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.
Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to an out-of-memory crash.
Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.
Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.
Fixed Versions:
12.1.5, 13.1.3.4, 14.1.2.3
758818-2 : While using explicit or transparent http type service on SSL Orchestrator, TMM cores.
Links to More Info: BT758818
Component: SSL Orchestrator
Symptoms:
TMM can core while using http type service (explicit or transparent) on SSL Orchestrator.
Conditions:
SSL Orchestrator configured while using explicit or transparent http type service.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None.
Fix:
TMM no longer cores using explicit or transparent http type service on SSL Orchestrator.
Fixed Versions:
14.0.1.1, 14.1.0.6
758781-3 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
Links to More Info: BT758781
Component: TMOS
Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()
Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.
Impact:
Slowness might cause timeouts in applications that are calling these functions.
Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.1
758772-3 : DNS Cache RRSET Evictions Stat not increasing
Links to More Info: BT758772
Component: Global Traffic Manager (DNS)
Symptoms:
In the DNS Cache stats, the 'Resource Record Cache' statistic of 'Evictions' does not increase.
Conditions:
This occurs when the cache is full enough for records to be evicted.
Impact:
The 'Evictions' statistics do not increase when those records are evicted. Incorrect statistics accounting.
Workaround:
None.
Fix:
Fixed an issue preventing the DNS Cache's 'Resource Record Cache' statistic from counting 'Evictions'.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
758764-2 : APMD Core when CRLDP Auth fails to download revoked certificate
Links to More Info: BT758764
Component: Access Policy Manager
Symptoms:
CRLDP Auth fails to download revoked certificates, so the list of revoked certificates remains empty (NULL). APMD cores while accessing this empty (NULL) list.
Conditions:
Empty revoked-certificate list handling.
Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.
Workaround:
None.
Fix:
The system now checks for an empty (NULL) revoked-certificate list and lets validation succeed in that case (because there is nothing to validate against).
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
758714-1 : Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports.
Links to More Info: BT758714
Component: Local Traffic Manager
Symptoms:
Traffic does not pass through the BIG-IP system.
Conditions:
- Configure two trunk/LAG ports on a BIG-IP system.
- Create a virtual wire across it.
Impact:
Loss of service across the virtual wire.
Workaround:
None.
Fix:
Corrected the faulty validation checks during configuration that were a result of collateral damage.
Fixed Versions:
14.1.2.1
758701-1 : APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install
Links to More Info: BT758701
Component: Access Policy Manager
Symptoms:
Remote Desktop (RD) Gateway connections from standalone RDP clients on Mac/iOS/Android fail against a fresh APM installation.
The following error is logged in /var/log/ltm:
... 01220001:3: TCL error: /Common/_sys_APM_Citrix_SmartAccess <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::path"
Conditions:
- Fresh APM installation.
- Standalone Mac/iOS/Android RDP client uses APM as RD Gateway.
Impact:
Connection can't be established.
Workaround:
Disable "tmm.http.tcl.validation" variable:
# tmsh modify sys db tmm.http.tcl.validation value disable
Fix:
Remote Desktop (RD) Gateway connections from standalone RDP clients on Mac/iOS/Android no longer fail against a fresh APM installation.
Fixed Versions:
14.1.0.6
758667-1 : BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs
Links to More Info: BT758667
Component: TMOS
Symptoms:
When TMM detects a crypto or compression offload device hang it does not invoke the configured high availability (HA) action.
Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes crypto or compression operations.
Impact:
Client requests eventually time out.
Workaround:
None.
Fixed Versions:
14.1.0.3
758655-1 : TMC does not allow inline addresses with non-zero Route-domain.
Links to More Info: BT758655
Component: Local Traffic Manager
Symptoms:
When trying to create a traffic-matching-criteria with inline addresses with non-zero Route-domain, receive an error:
TMC(/Common/tmc333) and addresses within the address list have different route domain.
Conditions:
Attempting to create a traffic-matching-criteria with inline address (source or destination) and non-zero route-domain, e.g.:
create ltm traffic-matching-criteria tmc333 destination-address-inline 111.111.111.194 source-address-inline 0.0.0.0 route-domain 100
Impact:
Cannot create the traffic-matching-criteria.
Workaround:
None.
Fix:
You can now create a traffic-matching-criteria with inline addresses with non-zero Route-domain.
Fixed Versions:
14.1.2.3
758631-4 : ec_point_formats extension might be included in the server hello even if not specified in the client hello
Links to More Info: BT758631
Component: Local Traffic Manager
Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.
Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.
Impact:
Some clients abort the connection in this case.
Workaround:
There is no workaround other than not configuring any EC cipher suites.
Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.
Fixed Versions:
12.1.5, 13.1.3.5, 14.0.1.1, 14.1.2.5
758604-2 : Deleting a port from a single-port trunk does not work.
Links to More Info: BT758604
Component: TMOS
Symptoms:
Deleting a port from a single-port trunk does not work.
Conditions:
1. Disable all ports for a trunk, for example by disabling them on a directly connected switch. The last port is not deleted correctly.
2. Re-enable some other ports. The trunk now also uses the disabled port.
Impact:
No user connectivity depending on which port is used.
Workaround:
None.
Fix:
Fixed deleting a port from a single-port trunk.
Fixed Versions:
14.1.2.7
758599-1 : IPv6 Management route is preferred over IPv6 tmm route
Links to More Info: BT758599
Component: Local Traffic Manager
Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.
Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.
Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.
Workaround:
None.
Fix:
The IPv4 and IPv6 management routes now have a metric value of 4096. The default values for static routes are 1 for IPv4 and 1024 for IPv6. This makes static routes (TMM routes) preferred over management routes, which is correct behavior.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.3
758536 : Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x
Links to More Info: BT758536
Component: Traffic Classification Engine
Symptoms:
Traffic Intelligence IM pkg for v14.1.0 fails to install on base build version v14.1.0.1 through v14.1.0.4. This is due to strict version check in upgrade scripts.
Conditions:
When hitless upgrade for traffic intelligence with version 14.1.0 is used on base build v14.1.0.1 through v14.1.0.4.
Impact:
The process fails to load/install. The system does not receive the latest traffic intelligence signatures.
Workaround:
There is no workaround other than requesting a purpose-built traffic intelligence IM for that particular build.
Fix:
You can now install 14.1.0 IM on any other 14.1.0.x with minor version update.
Fixed Versions:
14.1.0.5
758527-2 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
Links to More Info: K39604784, BT758527
Component: TMOS
Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.
Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.
Impact:
Frames not delivered as expected.
Workaround:
Disable global STP.
Fix:
Frames now delivered as expected.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3.2, 14.0.0.5, 14.1.2.3, 15.0.1.3
758517-1 : Callback for Diffie Hellman crypto is missing defensive coding
Links to More Info: BT758517
Component: TMOS
Symptoms:
Destruction of objects during Diffie Hellman crypto callback does not first check for object validity.
Conditions:
Async callback for Diffie Hellman crypto call when objects no longer look valid.
Impact:
IPsec tunnels down during tmm core in rare cases.
Workaround:
No workaround is known at this time.
Fix:
Add defensive coding to forestall action when objects look invalid.
Fixed Versions:
14.1.2.8
758516-1 : IKEv2 auth encryption is missing defensive coding that checks object validity
Links to More Info: BT758516
Component: TMOS
Symptoms:
Auth signature crypto callback does not check objects for validity before encryption.
Conditions:
Encryption during auth signature callback processing for IKE_AUTH.
Impact:
IPsec tunnels go down when tmm cores in rare situations.
Workaround:
No workaround is known at this time.
Fix:
Add defensive coding that checks object validity during auth encryption.
Fixed Versions:
14.1.2.8
758465-1 : TMM may crash or iRule processing might be incorrect
Links to More Info: BT758465
Component: Local Traffic Manager
Symptoms:
After modifying an iRule:
- The iRules on one or more virtual servers might fire in the wrong order.
- The iRules on one or more virtual servers might not fire at all.
- TMM might crash if the iRule event is modified again.
- TMM might crash if a virtual server is modified.
Conditions:
This occurs when all of the following conditions are met:
- An iRule is in use on more than one virtual server.
- The iRule occupies a different position in the iRule list on various virtual servers, and one or more of the other iRules define the same event.
- The iRule event is modified.
Impact:
Traffic interruption while TMM restarts.
Incorrect iRule processing.
Workaround:
None.
Fixed Versions:
14.1.0.6
758459-1 : Cross-origin AJAX requests are blocked by Cross-Origin Resource Sharing (CORS) protection
Links to More Info: BT758459
Component: Application Security Manager
Symptoms:
When the Single Page Application (SPA) option is enabled in ASM, cross-origin AJAX requests result in the following error in the browser console, and the site application might not work:
Access to XMLHttpRequest at 'https://x.com' from origin 'https://www.y.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
Conditions:
-- ASM with SPA enabled
-- App is sending cross-origin requests
Impact:
App does not work as expected.
Workaround:
Using an iRule, add the following headers to the response:
-- Access-Control-Allow-Origin with originating domain.
-- Access-Control-Allow-Credentials: true.
Fix:
This release adds the relevant CORS fields to responses.
Fixed Versions:
14.1.2.3
758437-6 : SYN w/ data disrupts stat collection in Fast L4
Links to More Info: BT758437
Component: Local Traffic Manager
Symptoms:
Fast L4 analytics reports very large integers for goodput.
Conditions:
BIG-IP receives SYNs with attached data.
Impact:
Goodput data is unreliable.
Workaround:
None.
Fix:
Data coupled with the SYN breaks the check for a Fast L4 state change. The connection can still function normally, but statistics collection is reliant on the state change to initialize things properly. The system now ensures the correct state under these conditions, so statistics are measured correctly.
Fixed Versions:
13.1.3.5, 14.1.2.8
758436-4 : Optimistic ACKs degrade Fast L4 statistics
Links to More Info: BT758436
Component: Local Traffic Manager
Symptoms:
Fast L4 Analytics reports very large integers for goodput.
Conditions:
Endpoints send ACKs for data that has not been sent.
Impact:
Goodput statistics are not usable in certain data sets.
Workaround:
None.
Fix:
Additional checks prevent analytics from trusting optimistic ACKs.
Fixed Versions:
13.1.3.5, 14.1.2.8
758387-2 : BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it
Links to More Info: BT758387
Component: TMOS
Symptoms:
In STP 'passthru' mode, any packet sent to the BIG-IP system with a destination MAC of 01-80-c2-00-00-00 is treated as an STP bridge protocol data unit (BPDU), and is flooded to the VLAN.
Conditions:
-- The BIG-IP system is configured for STP 'passthru' mode
-- The BIG-IP system receives a packet with MAC 01-80-c2-00-00-00.
Impact:
A packet that is not an STP BPDU, but is sent to the same destination MAC address may be flooded as if it was a BPDU.
Workaround:
None.
Fix:
Added an STP drop rule for certain LLDP-type packets sent to STP destination MAC:
# list sys db bcm56xxd.rules.lldp_drop
sys db bcm56xxd.rules.lldp_drop {
value "disable"
}
It is disabled by default. You must manually set it to cause the LLDP frames to be dropped in STP passthrough mode.
Fixed Versions:
14.0.0.5, 14.1.2.5, 15.0.1.3
758336-3 : Incorrect recommendation in Online Help of Proactive Bot Defense
Links to More Info: BT758336
Component: Application Security Manager
Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:
Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.
Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.
The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Conditions:
Application has multiple cross-domain resources.
Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.
Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.
Fixed Versions:
12.1.5, 13.1.1.5, 14.1.4, 15.1.2.1
758311-1 : Policy Compilation may cause MCPD to crash
Links to More Info: BT758311
Component: Local Traffic Manager
Symptoms:
If a policy has rules involving IPv6 addresses, and the addresses differ only on 32-bit boundaries, then the compilation of that policy may cause MCPD to crash.
Conditions:
-- A policy is attached to a virtual server.
-- That policy contains conditions that involve IPv6 addresses.
-- The addresses in different rules differ only on 32-bit boundaries.
Impact:
MCPD cores, and then restarts. The policy is not usable.
Workaround:
You can try either of the following:
-- It may be possible to create multiple rules from a given rule by altering the netmask.
-- Another possibility is to add a placeholder rule with no action that matches IP addresses differently.
Fix:
Policies involving matching IP addresses now compile correctly.
Fixed Versions:
14.1.0.6
758119-6 : qkview may contain sensitive information
Links to More Info: K58243048, BT758119
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
758099-1 : TMM may crash in busy environment when handling HTTP responses
Links to More Info: BT758099
Component: Local Traffic Manager
Symptoms:
When load balancing HTTP requests, the BIG-IP system matches client-side and server-side connections. When connections are shutting down, a race condition may occur on a busy system and peer connection reference can be lost.
Conditions:
-- The BIG-IP system has a standard virtual with HTTP profile and HTTP router.
-- The BIG-IP system has high CPU utilization.
Impact:
TMM crashes causing failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The race condition has been corrected, so TMM no longer crashes in a busy environment when handling HTTP responses.
Fixed Versions:
14.1.4
758085-1 : CAPTCHA Custom Response fails when using certain characters
Links to More Info: BT758085
Component: Application Security Manager
Symptoms:
When setting the CAPTCHA Custom Response in the Bot Defense GUI, saving the profile fails when using certain characters.
For example, using the following response will return the error: 'black' unknown property
This question is for testing whether you are a human visitor and to prevent automated spam submission.
<p style="color: black; padding-right:20px">
<br>
%BOTDEFENSE.captcha.image% %BOTDEFENSE.captcha.change%
<br>
<b>What code is in the image\?</b>
%BOTDEFENSE.captcha.solution%
<br>
%BOTDEFENSE.captcha.submit%
<br>
<br>
Your support ID is: %BOTDEFENSE.captcha.support_id%.
Conditions:
Attempting to configure custom CAPTCHA response in the Bot Defense profile GUI.
Impact:
Cannot configure custom CAPTCHA response in the Bot Defense Profile GUI.
Workaround:
Use TMSH or REST API to configure the CAPTCHA Custom Response.
Fix:
Configuring custom CAPTCHA response page in the Bot Defense Profile no longer fails when using certain characters.
Fixed Versions:
14.1.0.6
758041-3 : LTM Pool Members may not be updated accurately when multiple identical database monitors are configured.
Links to More Info: BT758041
Component: Local Traffic Manager
Symptoms:
When two or more LTM database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different LTM pools (with at least one pool member in each), the monitor status of some LTM pool members may not be updated accurately.
Other parameters of the affected LTM monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while LTM pool members using another affected monitor may be marked DOWN.
As a result of this issue, LTM pool members that should be marked UP or DOWN by the configured LTM monitor may instead be marked according to another affected monitor's configuration, resulting in the affected LTM pool members being intermittently marked with an incorrect state.
After the next monitor ping interval, affected LTM pool members may be marked with the correct state.
Conditions:
This may occur when multiple LTM database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different LTM pools/members which share the same IP address and Port values.
For example:
ltm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
recv none
send "select version();"
...
}
Impact:
Monitored LTM pool members using an LTM database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.
Workaround:
To avoid this issue, configure each LTM database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.
For example:
ltm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
recv 5.7
send "select version();"
...
}
Fix:
The system now correctly updates LTM pool members when multiple identical LTM database monitors are configured.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.4.1
757992-3 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
Links to More Info: BT757992
Component: Access Policy Manager
Symptoms:
RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.
Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.
Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.
Fix:
RADIUS Acct STOP message is now sent as expected.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
757985-1 : TMM memory leak
Links to More Info: K79562045, BT757985
Component: Local Traffic Manager
Symptoms:
-- TMM memory utilization baseline is slowly increasing.
-- The 'allocated' column of the 'tcl' row in the memory_usage_stat tmctl table is high and is close to the 'max_allocated' value.
Conditions:
-- The header-insert option in a custom HTTP profile is configured.
-- The profile is attached to a virtual server.
Impact:
Degraded performance, and eventual out-of-memory condition that may trigger a TMM crash. Traffic disrupted while tmm restarts.
Workaround:
Instead of the profile header-insert, use HTTP::header iRule commands.
Fix:
The header-insert option can now be configured in HTTP profiles without causing a TMM memory leak.
Fixed Versions:
14.1.0.6
757862-1 : IKEv2 debug logging an uninitialized variable leading to core
Links to More Info: BT757862
Component: TMOS
Symptoms:
Logging an internal error might result in core.
Conditions:
When ike_sa variable is uninitialized.
Impact:
Loss of tunnels due to core.
Workaround:
None.
Fix:
Ike_sa is now initialized to hold a valid value before logging takes place.
Fixed Versions:
14.1.2.8
757827-1 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
Links to More Info: BT757827
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.
-- The BIG-IP version in use contains the fix for ID 726319 :: Bug ID 726319: 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses :: https://cdn.f5.com/product/bugtracker/ID726319.html.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected. As a result, some pools may not have any active pool members, and do not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes ('##' is the desired number of seconds between successive DNS queries to resolve the configured FQDN name):
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Fix:
When using FQDN nodes and pool members, ephemeral pool members are now created as expected following a configuration-load or BIG-IP reboot operation.
However, messages similar to the following may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name:
-- err mcpd[20479]: 01020066:3: The requested Node (****) already exists in partition ****.
-- err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
These are benign messages that do not affect BIG-IP functionality.
Fixed Versions:
13.1.3.2, 14.1.2.5, 15.0.1.3
757782-1 : OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default
Links to More Info: BT757782
Component: Access Policy Manager
Symptoms:
Invalid 'sub' claim in JWT access token that is generated by OAuth Authorization Server.
Conditions:
-- OAuth Authorization Server is configured to return JWT access token.
-- Subject field is configured to be a session variable other than the default '%{session.assigned.uuid}'.
Impact:
Invalid value in 'sub' claim in JWT access token. If OAuth resource server depends on the value of 'sub' claim, then that functionality does not work.
Workaround:
Add a Variable Assign agent after the OAuth Authorization agent, and assign session.assigned.oauth.authz.token.subject with the session variable name such as the following:
session.logon.last.logonname.
Fix:
OAuth Authorization Server sends valid value in 'sub' claim in the generated JWT token when subject is configured to use a session variable.
Fixed Versions:
14.0.1.1, 14.1.2.3
757781-3 : Portal Access: cookie exchange may be broken sometimes
Links to More Info: BT757781
Component: Access Policy Manager
Symptoms:
Portal Access uses special HTTP request with URL '/private/fm/volatile.html' to exchange cookie data between client and BIG-IP. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.
Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.
Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.
Workaround:
None.
Fix:
Portal Access now sends correct HTTP responses with backend cookie data to the client.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.4.2, 15.0.1.1
757777-3 : bigtcp does not issue a RST in all circumstances
Links to More Info: BT757777
Component: Local Traffic Manager
Symptoms:
bigtcp does not issue a TCP reset, for example, when using the iRule reject command on CLIENT_ACCEPTED.
Conditions:
-- bigtcp is in use.
-- A TCP connection is ungracefully shut down via a 'reject' command in an iRule.
Impact:
TCP RST is not sent, and the SYN is silently dropped.
Workaround:
None.
Fix:
bigtcp virtuals now send a TCP RST if needed.
Fixed Versions:
14.1.2.5
757722-2 : Unknown notify message types unsupported in IKEv2
Links to More Info: BT757722
Component: TMOS
Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.
Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.
Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.
Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.
Fix:
All unknown notify types are now logged and then ignored.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
757698-1 : TMM crashes in certain situations in which iRule execution interleaves client-side and server-side flows
Links to More Info: BT757698
Component: Local Traffic Manager
Symptoms:
TMM crashes in certain situations in which iRule execution interleaves client-side and server-side flows.
Conditions:
The exact conditions that cause this issue are unknown, although it appears to happen in at least one configuration: OneConnect with an iRule whose execution causes the client-side and server-side flow operations to interleave inside TMM.
Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
iRule clears the right side data after execution.
Fixed Versions:
14.1.0.6
757578-2 : RAM cache is not compatible with verify-accept
Links to More Info: BT757578
Component: Local Traffic Manager
Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature.
Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with Web Acceleration via RAM cache.
Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.
Workaround:
Do not use TCP's verify-accept option together with RAM cache.
Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.1
757555-2 : Network DoS Logging Profile does not work with other logging profiles together
Links to More Info: BT757555
Component: Advanced Firewall Manager
Symptoms:
When the network DoS logging profile is configured with other logging profiles, such as AFM ACL logging profile, on the same virtual server, DoS logging does not occur.
Conditions:
Configure DoS logging profile on a virtual server with other logging profiles, such as AFM ACL logging profile.
Impact:
When a DoS attack happens, the attack is not logged.
Workaround:
Configure one general log profile for all DoS and AFM logging.
Fix:
Both logging profiles now work together.
Fixed Versions:
14.1.2.8
757524 : Data operation attempt on object that has not been loaded
Links to More Info: BT757524
Component: Advanced Firewall Manager
Symptoms:
While assigning VLANs to Traffic Matching Criteria, you get an error:
01070712:3: Data operation attempt on object that has not been loaded.
Conditions:
This occurs while trying to add or modify VLANs on a Traffic Matching Criteria.
Impact:
Error is reported; unable to add or modify VLAN assignment to Traffic Matching Criteria.
Workaround:
None.
Fix:
Fixed the issue to allow configuration of VLANs to Traffic Matching Criteria object.
Fixed Versions:
14.1.0.6
757519-1 : Unable to logon using LDAP authentication with a user-template
Links to More Info: K92525101, BT757519
Component: TMOS
Symptoms:
Cannot log on using remote LDAP authentication. This occurs because LDAP with user-template configured uses the user-template value as the distinguished name (DN) for the LDAP search, instead of a properly formed X.500 name, for example:
cn=xxx,ou=xxx,dc=example,dc=org
Conditions:
-- LDAP authentication configuration includes the user-template value as the DN.
-- Attempt to log on.
Impact:
Remote LDAP authentication users are unable to log in.
Note: The user-template value is not a valid DN.
Workaround:
You can use either of the following workarounds:
-- Create a specific user for bind by configuring bind-dn and bind-pw, and remove user-template.
-- Switch to local authentication.
Fixed Versions:
14.1.2.3, 15.0.1.4
757464-1 : DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record
Links to More Info: BT757464
Component: Global Traffic Manager (DNS)
Symptoms:
Attempt to delete a DNS Validating Resolver cache record from the 'Key' cache does not remove the record. Also displays a negative TTL for that record.
tmm crash
Conditions:
-- Populate the DNS Validating Resolver Cache.
-- Attempt to delete a record from the 'Key' cache.
Impact:
Undesired behavior due to records not being deleted as instructed. Also negative TTL.
Workaround:
The only workaround is to restart tmm to generate a completely empty DNS cache. Traffic disrupted while tmm restarts.
Fix:
Fixed an issue preventing records from a DNS Validating Resolver's 'Key' sub-cache from being deleted when utilizing the TMSH command:
delete ltm dns cache records key cache
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
757446-2 : Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses.
Links to More Info: BT757446
Component: Local Traffic Manager
Symptoms:
The BIG-IP system stalls a connection instead of sending the intended HTTP response, or sends a malformed response.
Conditions:
This issue occurs when all of the following conditions are met:
-- The virtual server uses the http2 profile.
-- The virtual server uses an iRule that invokes the HTTP::respond command under the HTTP_REQUEST or HTTP_RESPONSE event.
Impact:
Clients do not get the expected responses, leading to application failures.
Workaround:
None.
Fix:
The HTTP::respond iRule command works as expected under these conditions.
Fixed Versions:
14.1.2.7
757442-2 : A missed SYN cookie check causes crash at the standby TMM in HA mirroring system
Links to More Info: BT757442
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) mirroring configuration, an L7 packet SYN cookie check may be skipped on the standby unit and eventually causes TMM to crash.
Conditions:
-- L7 traffic being passed to an HA configuration that is configured for mirroring traffic.
-- Failover occurs.
Impact:
TMM crashes on the standby device. No connections shown on the standby unit even when mirroring is enabled.
Workaround:
Do not use HA mirroring.
Fix:
The system now provides SYN cookie checks for L7 mirrored packets on the standby system.
Fixed Versions:
13.1.3, 14.1.4
757441-4 : Specific sequence of packets causes Fast Open to be effectively disabled
Links to More Info: BT757441
Component: Local Traffic Manager
Symptoms:
You see this warning in the logs:
warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.
Conditions:
-- TCP Fast Open and ECN are both enabled.
-- There are multiple RST segments from the receive window received in SYN_RECEIVED state.
Impact:
TCP Fast Open is disabled, as the pre_established_connections becomes very large (greater than a threshold).
Workaround:
TCP ECN option can be disabled.
Fix:
TCP Fast Open is prevented from being disabled when some conditions are met.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.1
757407-1 : Error reading RRD file may induce processes to mutually wait for each other forever
Links to More Info: BT757407
Component: Local Traffic Manager
Symptoms:
If an error occurs while statsd is reading a file that contains performance data, certain control-plane processes may wait for each other indefinitely.
In some instances, error messages about files in the /var/rrd directory may appear in /var/log/ltm.
Conditions:
Errors occur when performance-monitoring processes attempt to read files in the BIG-IP's internal Round-Robin Database.
Impact:
Attempts to issue commands using "tmsh" may hang up.
No "qkview" datasets can be successfully generated.
Workaround:
If damaged data files in /var/rrd can be identified, delete them and run "bigstart restart statsd".
Fixed Versions:
14.1.4.6
757391-2 : Datagroup iRule command class can lead to memory corruption
Links to More Info: BT757391
Component: Local Traffic Manager
Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.
Conditions:
A [class] command used within a foreach loop.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround aside from removing that iRule.
Fix:
tmm no longer crashes under these conditions.
Fixed Versions:
12.1.5, 13.1.3, 14.1.2.5
757360-1 : Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO
Links to More Info: BT757360
Component: Access Policy Manager
Symptoms:
Category lookup returns the wrong category on subsequent traffic following initial HTTP CONNECT traffic through F5 SSL Orchestrator (SSLO).
Conditions:
-- Outbound deployment configured in SSLO, where SSLO behaves as a transparent proxy.
-- A policy has a branch to look up the category using HTTP Connect.
-- An HTTPS client generates HTTPS traffic via an explicit proxy on the local network with a private address through SSLO as the gateway.
Impact:
Category Match is not performed on subsequent requests, resulting in the fallback branch being taken.
Workaround:
None.
Fix:
Category lookup now works correctly in this scenario.
Fixed Versions:
14.1.0.6
757359-1 : pccd crashes when deleting a nested Address List
Links to More Info: BT757359
Component: Advanced Firewall Manager
Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.
Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.
-- A high availability (HA) setup with config-sync enabled and there are intermittent problems with HA-connections, or out-of-memory system state, might intermittently result in this crash.
Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.
Workaround:
-- If the crash occurs as a result of incorrect tmsh commands in a transaction, reorder the commands so that the parent list is modified or deleted before the nested list is deleted.
-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.
Fix:
pccd no longer crashes under these conditions, and correctly compiles the new configuration.
Fixed Versions:
13.1.3, 14.1.0.6
757306-3 : SNMP MIBS for AFM NAT do not yet exist
Links to More Info: BT757306
Component: Advanced Firewall Manager
Symptoms:
SNMP MIBS for AFM NAT do not yet exist.
Conditions:
This occurs in normal operation.
Impact:
Unable to read values that do not exist in SNMP, meaning that you cannot access information that you need.
Workaround:
None.
Fixed Versions:
13.1.3, 14.1.2, 15.0.1
757279-1 : LDAP authenticated Firewall Manager role cannot edit firewall policies
Links to More Info: BT757279
Component: Advanced Firewall Manager
Symptoms:
The system posts the following message when the LDAP authenticated Firewall Manager role creates/modifies a firewall policy with rules or upgrades an existing firewall policy:
User does not have modify access to object (fw_uuid_config).
Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.
Impact:
Firewall modification operations fail with access to object (fw_uuid_config) error.
Workaround:
None.
Fix:
Firewall manager can now edit firewall policies.
Fixed Versions:
13.1.1.5, 14.1.2.8, 15.1.0.5
757088-1 : TMM clock advances and cluster failover happens during webroot db nightly updates
Links to More Info: BT757088
Component: Traffic Classification Engine
Symptoms:
Webroot database mapping and unmapping takes a very long amount of time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in clustered environment.
Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.
Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.
Workaround:
You can avoid this issue by disabling BrightCloud updates; however, your environment will miss the latest updates as a result.
#vi /etc/wr_urldbd/bcsdk.cfg
DoBcap=true
DoRtu=false
DownloadDatabase=false
Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover does not happen.
Fixed Versions:
12.1.5, 13.1.1.5, 14.1.0.5
757084-2 : Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled
756877-1 : Virtual server created with Guided Configuration is not visible in Grafana
Links to More Info: BT756877
Component: Anomaly Detection Services
Symptoms:
The traffic of a virtual server created with the Guided Configuration is not visible with the Grafana monitoring tool.
Statistics of this virtual server are not included in the admdb part of qkview.
Conditions:
-- Create virtual server using Guided Configuration.
-- Use the Grafana monitoring tool to view virtual server statistics.
-- Create a qkview.
Impact:
Cannot view virtual server using the Grafana monitoring tool. The resulting qkview contains no statistics for this virtual server. Lack of information for debugging and troubleshooting.
Workaround:
Configure the virtual server manually, without the Guided Configuration.
Fix:
Virtual server created with Guided Configuration is visible in Grafana and its statistics present in qkview.
Fixed Versions:
14.0.0.5, 14.1.0.6
756817-1 : ZebOS addresses blocks do not reflect RFC5735 changes to reserved address blocks.
Links to More Info: BT756817
Component: Local Traffic Manager
Symptoms:
Special IP address handling as per RFC6890 is done correctly in the routing protocols. There is a possibility of martian addresses getting announced or allowed addresses restricted (e.g., 128.0.0.0/16 and 191.255.0.0/16).
This impacts all components using dynamic routing.
Conditions:
-- Network advertisements in BGP, etc., allow martian addresses and restrict allowed network-space as per RFC6890, for example, 128.0.0.0/16 and 191.255.0.0/16, 223.255.255.0/24 are blocked.
-- In IPv6, loopback addresses are allowed, so ::/128 (unspec) and ::1/128 (loopback) addresses are allowed.
-- Some DSlite address ranges are not handled correctly.
Impact:
Martian addresses are allowed. Non-martian addresses are blocked.
Workaround:
None.
Fix:
Ensure that martian addresses like IPv6 (::/128 - unspec, ::1/128 - loopback) are not used.
Note: Although 128.0.0.0/16, 191.255.0.0/16, 223.255.255.0/24 are no longer martian addresses, they still cannot be used.
Fixed Versions:
14.1.4.1, 15.0.1.4
756812-2 : Nitrox 3 instruction/request logger may fail due to SELinux permission error
Links to More Info: BT756812
Component: Local Traffic Manager
Symptoms:
When the tmm Nitrox 3 queue stuck problem is encountered, the Nitrox 3 code tries to log the instruction/request, but it may fail due to SELinux permissions error.
The system posts messages in /var/log/ltm similar to the following:
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 00:09.7, discarded 54).
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Failed to open instruction log file '/shared/nitroxdiag/instrlog/tmm01_00:09.7_inst.log' err=2.
Conditions:
-- tmm Nitrox 3 queue stuck problem is encountered.
-- The Nitrox 3 code tries to log the instruction/request.
Impact:
Error messages occur, and the tmm Nitrox 3 code cannot log the instruction/request.
Workaround:
None.
Fix:
Nitrox 3 queue stuck occurrences are now logged as expected.
Fixed Versions:
14.1.4.1, 15.1.3
756777-1 : VDI plugin might crash on process shutdown during RDG connections handling
Links to More Info: BT756777
Component: Access Policy Manager
Symptoms:
VDI plugin might crash on process shutdown if it is stopped during handling of RDG connections.
Conditions:
VDI plugin process is stopped while new RDG connection is established via APM.
Impact:
The process will be shut down, but the generated core file might cause unnecessary confusion.
Workaround:
None.
Fix:
Fixed VDI plugin crash on process shutdown during RDG connections handling.
Fixed Versions:
14.1.2.1
756595-1 : Traffic redirection to an internal virtual server may fail.
Links to More Info: BT756595
Component: Policy Enforcement Manager
Symptoms:
Traffic sent by a first virtual server to a second internal virtual server may fail.
Traffic is silently dropped.
Conditions:
One of the following configurations:
- A virtual server configured with a pem policy rule that targets an internal radius virtual server that sends traffic statistics to a radius server.
- A virtual server configured with an iRule that opens a sideband connection to a second internal virtual server using the iRule command "connect".
- A virtual server configured with an iRule that forwards traffic to a second internal virtual server using the iRule command "virtual", where the second virtual server performs source address translation with an LSN pool or with AFM NAT.
Impact:
The traffic sent to the internal virtual server is silently dropped.
Workaround:
Avoid using a PEM policy rule that targets an internal radius virtual server.
Avoid traffic forwarding to an internal virtual server with the iRule commands "connect" or "virtual".
Fix:
The traffic is now successfully sent or redirected to the internal virtual server without any drops.
Fixed Versions:
14.1.4.6
756538-4 : Failure to open data channel for active FTP connections mirrored across a high availability (HA) pair.
756494-3 : For in-tmm monitoring: multiple instances of the same agent are running on the Standby device
Links to More Info: BT756494
Component: Local Traffic Manager
Symptoms:
The standby device is sending monitor requests at a more frequent interval than what is configured.
Conditions:
-- In-tmm monitoring configured.
-- High availability (HA) configured.
There is no explicit way to reproduce this and it does not occur every time.
Impact:
Multiple instances of in-tmm monitoring may be created and the BIG-IP device may be sending monitoring traffic more frequently than what is configured.
Workaround:
Reboot the BIG-IP system.
Fix:
Fixed an issue causing multiple monitoring instances to be created.
Fixed Versions:
13.1.3.4, 14.1.2.7
756477-2 : Drop Redirect tab incorrectly named as 'Redirect Drop'
Links to More Info: BT756477
Component: Advanced Firewall Manager
Symptoms:
Incorrect naming on navigation tabs Security :: Debug :: Drop Redirect.
Conditions:
Navigating to Security :: Debug :: Drop Redirect.
Impact:
The page name is Drop Redirect instead of Redirect Drop.
Workaround:
None.
Fix:
Drop Redirect tab is now correctly named as 'Drop Redirect'.
Fixed Versions:
14.1.0.6
756470-5 : Additional logging added to detect when monitoring operations in the configuration exceeds capabilities.
Links to More Info: BT756470
Component: Global Traffic Manager (DNS)
Symptoms:
GTM logs 'no reply from big3d: timed out' messages when the configuration results in more runtime monitoring operations than can be supported in a given environment, but the same message also appears in the log for other reasons.
Conditions:
The GTM configuration results in more runtime monitoring operations than can be supported in a given environment.
Impact:
It is not possible to detect when there are more runtime monitoring operations than can be supported in a given environment without enabling debug logging and performing a complex analysis of the resulting log files.
Workaround:
Enable debug logging and conduct a detailed analysis to determine if monitor requests are scheduled at the configured intervals.
Fix:
There is now a warning message that provides a much clearer indication of the condition:
The list processing time (14 seconds) exceeded the interval value. There may be too many monitor instances configured with a 7 second interval.
Fixed Versions:
13.1.3.4, 14.1.4.5
756457-2 : tmsh command 'show security' returning a parsing error
Links to More Info: BT756457
Component: Advanced Firewall Manager
Symptoms:
Running the tmsh command 'tmsh -m show security' returns a parsing error similar to the following:
Unexpected Error: Chunked data did not start with start_message.
Conditions:
-- AFM is provisioned.
-- Running the command: 'tmsh -m show security'.
Impact:
-- The 'show security' commands return a parsing error.
-- Some show commands might not work.
Workaround:
None.
Fix:
Ensured that the system handles the 'tmsh -m show security' command without a parsing error.
Fixed Versions:
14.1.4.6
756450-1 : Traffic using route entry that's more specific than existing blackhole route can cause core
Links to More Info: BT756450
Component: TMOS
Symptoms:
TMM asserts with 'Attempting to free loopback interface' message.
Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use /32 blackhole routes.
Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3, 14.1.2.3
756418-1 : Live Update does not authenticate remote users
Links to More Info: BT756418
Component: Application Security Manager
Symptoms:
Remote users with Administrator or Application Security Administrator roles cannot run Live Update.
Conditions:
-- Remote user (LDAP/RADIUS).
-- Remote user logged in.
-- New installation is available.
Impact:
-- Remote users cannot manually check for updates.
-- Remote users cannot manually upload new files.
-- Remote users cannot install new update files.
Workaround:
Log in with a local user like admin, application security editor, or application security administrator.
Fix:
Authentication is directly done from MCP. Remote users are not treated like local users, so only the role of the user determines the ability to perform operations such as Live Update.
Fixed Versions:
14.1.0.6
756402-2 : Re-transmitted IPsec packets can have garbled contents
Links to More Info: BT756402
Component: TMOS
Symptoms:
Before re-transmitting a packet, it is discovered to be garbled, mainly in the form of having physical length that no longer matches the logical length recorded inside the packet.
Conditions:
Possibly rare condition that might cause packet freeing while still in use.
Impact:
Likely tunnel outage until re-established.
Workaround:
No workaround is known at this time.
Fix:
This release adds checksums to verify IPsec packets are not altered between first creation and later re-transmission.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
756363-1 : SSLO or SWG connections using proxy chaining to Explicit Proxy can get reset
Links to More Info: BT756363
Component: Access Policy Manager
Symptoms:
Connections get reset with reset cause "repick failed".
Conditions:
SSLO with proxy chaining to Explicit Proxy or SWG per-request policy using proxy select agent with No URI rewrite.
Impact:
Connections get reset with reset cause "repick failed".
Workaround:
None.
Fix:
Connections no longer get reset.
Fixed Versions:
14.1.2.3
756356-2 : External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long
Links to More Info: BT756356
Component: Local Traffic Manager
Symptoms:
iRules using the command 'class match' with the 'equals' operator on long entries fail to return a positive match, even if they are in the datagroup, for example:
my_datagroup:
"abcdefghijklmnopqrstuvwxyz0123456" := "value1"
class match "abcdefghijklmnopqrstuvwxyz0123456" equals my_datagroup
Conditions:
This is encountered when all of the following conditions are met:
- Using an external datagroup of type string with keys longer than 32 characters.
- Using an iRule with the 'class match' command and the 'equals' operator on the external datagroup.
- Trying to match keys that are longer than 32 characters.
Impact:
iRules will act incorrectly.
Workaround:
If none of the keys in the datagroup are prefixes of each other, the 'equals' operator can be changed to 'starts_with' or 'ends_with' (if none are suffixes of each other).
Fix:
iRules using the command 'class match' with the 'equals' operator on long entries now correctly match external datagroup string entries that are longer than 32 characters.
Fixed Versions:
14.1.0.6
756311-4 : High CPU during erroneous deletion
Links to More Info: BT756311
Component: Policy Enforcement Manager
Symptoms:
The utilization of some CPU cores increases and remains high for a long time. Rebooting just one blade can cause the high CPU usage to move to another blade in the chassis.
There might be messages similar to the following in tmm logs:
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557
Conditions:
The exact conditions under which this occurs are not fully understood, but one way it can be triggered is when a single TMM is crashing on a chassis system.
Impact:
The CPU usage is coming from an erroneous cleanup function, which is only running on a TMM when it's not busy; traffic is not expected to have a significant impact. However, recovering may result in a cluster-wide TMM restart, if the CPU usage does not subside. Traffic disrupted while tmm restarts.
Workaround:
Delete all subscribers from the CLI.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.1
756270-4 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
Links to More Info: BT756270
Component: Local Traffic Manager
Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for the CRL issuer.
Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.
Impact:
Handshake failure.
Workaround:
None.
Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.
Fixed Versions:
11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.1.0.6
756205-1 : TMSTAT offbox statistics are not continuous
Links to More Info: BT756205
Component: Application Visibility and Reporting
Symptoms:
When BIG-IP systems are managed by BIG-IQ, the device health statistics have gaps (missing samples).
Conditions:
BIG-IP systems managed by BIG-IQ.
Impact:
Missing data on device health, such as CPU load and memory occupancy.
Workaround:
None.
Fix:
Functionality restored - BIG-IP systems send all the data as expected.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
756167-1 : No URL category data on SSL Orchestrator dashboard and on SSL Orchestrator statistics page after upgrade★
Links to More Info: BT756167
Component: SSL Orchestrator
Symptoms:
After upgrade, the "Top 10 URL Category" tab on SSL Orchestrator dashboard shows "No data". URL data are also missing on "SSL Orchestrator orchestrator-> Analytics->General Statistics" page. The data collected before upgrade disappears.
Conditions:
Upgrade any version of BIG-IP when SSL Orchestrator is provisioned.
Impact:
Some analytics data for SSL Orchestrator is missing.
Workaround:
None.
Fix:
Fixed SELinux issues on backup of url category data.
Fixed Versions:
14.1.0.6
756153-3 : Add diskmonitor support for MySQL /var/lib/mysql
Links to More Info: BT756153
Component: TMOS
Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.
Conditions:
The disk partition /var/lib/mysql is filled to 100%.
Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.
Workaround:
None.
Fixed Versions:
12.1.4.1, 13.1.3, 14.1.2.7
756139-1 : Inconsistent logging of hostname files when hostname contains periods
Links to More Info: BT756139
Component: TMOS
Symptoms:
When the hostname contains periods (such as an FQDN), log files record it inconsistently. For example, the /var/log/user.log and /var/log/messages files log just the hostname portion:
-- user.log:Aug 5 17:05:01 bigip1 ).
-- messages:Aug 5 16:57:32 bigip1 notice syslog-ng[2502]: Configuration reload request received, reloading configuration.
Whereas other log files write the full name:
-- daemon.log:Aug 5 16:58:34 bigip1.example.com info systemd[1]: Reloaded System Logger Daemon.
-- maillog:Aug 5 16:55:01 bigip1.example.com err sSMTP[12924]: Unable to connect to "localhost" port 25.
-- secure:Aug 5 17:02:54 bigip1.example.com info sshd(pam_audit)[2147]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.14.13.20 attempts=1 start="Mon Aug 5 17:02:30 2019" end="Mon Aug 5 17:02:54 2019".
-- ltm:Aug 5 17:02:42 bigip1.example.com warning tmsh[2200]: 01420013:4: Per-invocation log rate exceeded; throttling.
Conditions:
BIG-IP hostname contains periods or an FQDN:
[root@bigip1:Active:Standalone] log # tmsh list sys global-settings hostname
sys global-settings {
hostname bigip1.example.com
}
Impact:
Hostname is logged inconsistently. Some logs write the full hostname (FQDN), while other log files write only the hostname portion. This can make searching on hostname more complicated.
Workaround:
None.
Fix:
Hostnames are now written consistently for all log files in /var/log directory.
Behavior Change:
Syslog-ng was using truncated hostname (without FQDN) while logging. This release adds fqdn use_fqdn(yes) in the syslog-ng template, so the system now logs the full hostname (FQDN).
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
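The search problem described in the entry above, as an added example (not F5 code): a host filter that accepts both the short name and the FQDN, compared with a plain substring search. The first three sample lines are the ones quoted in the entry; the rest are constructed, and the function names are this example's own.

```python
import re

# Optional "file:" prefix (as in grep output), syslog timestamp, host, rest.
LINE = re.compile(
    r"^(?:(?P<file>[\w.\-]+):)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<rest>.*)$"
)

SAMPLE_LINES = [
    # Quoted in the entry above.
    "messages:Aug 5 16:57:32 bigip1 notice syslog-ng[2502]: "
    "Configuration reload request received, reloading configuration.",
    "daemon.log:Aug 5 16:58:34 bigip1.example.com info systemd[1]: "
    "Reloaded System Logger Daemon.",
    "ltm:Aug 5 17:02:42 bigip1.example.com warning tmsh[2200]: "
    "01420013:4: Per-invocation log rate exceeded; throttling.",
    # Constructed for this example.
    "messages:Aug 5 17:03:10 bigip10 notice constructed[1]: other device.",
    "ltm:Aug 5 17:03:11 bigip1.other.org notice constructed[1]: other domain.",
    "not a syslog line",
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    match = LINE.match(line)
    return match.groupdict() if match else None


def host_matches(logged_host, fqdn):
    """True if the logged host is the FQDN or exactly its first label.

    Hostnames compare case-insensitively. A short-name match is ambiguous when
    two devices in different domains share a first label; this example accepts
    it because a pre-fix log carries no more than the short name.
    """
    logged = logged_host.lower().rstrip(".")
    full = fqdn.lower().rstrip(".")
    return logged == full or logged == full.split(".", 1)[0]


def lines_for_host(lines, fqdn):
    """Parsed records whose host field refers to fqdn in either written form."""
    records = []
    for line in lines:
        fields = parse_line(line)
        if fields and host_matches(fields["host"], fqdn):
            records.append(fields)
    return records


def naive_substring_hits(lines, needle):
    """Plain substring search, for comparison with lines_for_host()."""
    return [line for line in lines if needle in line]


if __name__ == "__main__":
    fqdn = "bigip1.example.com"
    for rec in lines_for_host(SAMPLE_LINES, fqdn):
        print(rec["file"], rec["ts"], rec["host"])
    # Searching for the FQDN misses short-name lines; searching for the short
    # name also hits bigip10 and bigip1.other.org.
    print(len(naive_substring_hits(SAMPLE_LINES, fqdn)),
          len(naive_substring_hits(SAMPLE_LINES, "bigip1")))
```
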
756108-1 : BD crash on specific cases
Links to More Info: BT756108
Component: Application Security Manager
Symptoms:
BD crash on specific cases.
Conditions:
Have a feature that requires Captcha/ Client side Integrity in ASM.
Impact:
No traffic to app.
Workaround:
None.
Fix:
This release fixes the specific crash scenario.
Fixed Versions:
14.1.2.3
756102-2 : TMM can crash with core on ABORT signal due to non-responsive AVR code
Links to More Info: BT756102
Component: Application Visibility and Reporting
Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.
Conditions:
Non-responsive AVR code. No other special conditions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
13.1.3.2, 14.1.0.6, 15.0.1.1
756094-2 : DNS express in restart loop, 'Error writing scratch database' in ltm log
Links to More Info: BT756094
Component: Global Traffic Manager (DNS)
Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd
Conditions:
An update to an SOA record (and only an SOA) is received through an incremental zone transfer update (IXFR).
Impact:
Zone updates from the DNS master servers are not processed.
Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:
bigstart stop zxfrd
rm /shared/zxfrd/*
bigstart start zxfrd
Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.
Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.1.0.2
756071-3 : MCPD crash
Links to More Info: BT756071
Component: TMOS
Symptoms:
mcpd crashes on out of memory.
Conditions:
MCPD experiences a memory leak under one of the following conditions:
- A tmsh command such as the following is run:
tmsh reset-stats ltm virtual
- The ASM or AVR module is provisioned.
In both circumstances, the 'cur_allocs' for one of MCPD's internal memory allocation types generally increases and becomes very high (e.g., millions):
tmctl -I --select cur_allocs memory_stat program=mcpd name=umem_alloc_40
Impact:
MCPD can run out of memory and crash. Traffic disrupted while mcpd restarts.
Workaround:
None.
Fix:
A memory leak that occurred in the MCPD process has been fixed.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
756019-1 : OAuth JWT Issuer claim requires URI format
Links to More Info: BT756019
Component: Access Policy Manager
Symptoms:
APM currently expects the OAuth JSON web tokens (JWT) Issuer claim to be in the URI format:
-- JWT-Config does not allow Issuer setting unless it is in the URI format.
-- The issuer value in the incoming token is expected to be in the URI format and should match with the Issuer setting in the JWT-Config.
Conditions:
OAuth JWT Issuer claim in the URI format for JWT access token and ID token.
Impact:
Per RFC 7519, the 'iss' claim value is a case-sensitive string containing a StringOrURI value. To comply with RFC 7519, which allows essentially any string value in the Issuer claim, APM should relax this validation.
Workaround:
None.
Fix:
JWT-Config issuer validation has been removed to allow a string or URI value for the JWT issuer.
Fixed Versions:
14.1.2.1
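The RFC 7519 rule referenced in 756019, as an added Python example (not F5 code): a StringOrURI may be any string, must be a URI only if it contains ':', and is compared case-sensitively with no canonicalization. The function names are hypothetical, the URI test is a syntactic simplification of RFC 3986, and the claims are assumed to come from a token whose signature was already verified.

```python
import re

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*")
# Characters RFC 3986 permits in a URI (unreserved, reserved, and '%').
_URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")


def is_string_or_uri(value):
    """RFC 7519 StringOrURI: any string; one containing ':' must be a URI.

    Empty strings are rejected here as an assumption of this example,
    because an empty issuer cannot identify anyone.
    """
    if not isinstance(value, str) or not value:
        return False
    if ":" not in value:
        return True  # arbitrary string values are allowed
    scheme = value.partition(":")[0]
    return bool(_SCHEME.fullmatch(scheme)) and bool(_URI_CHARS.fullmatch(value))


def is_uri_only(value):
    """Illustrative URI-only rule (stricter than the RFC): rejects plain strings."""
    return isinstance(value, str) and ":" in value and is_string_or_uri(value)


def check_issuer(claims, configured_issuer):
    """Validate the 'iss' claim of already signature-verified claims.

    Returns (ok, reason). Comparison is exact: no case folding, no
    trailing-slash or other URI normalization.
    """
    if not is_string_or_uri(configured_issuer):
        return False, "configured issuer is not a StringOrURI"
    iss = claims.get("iss")
    if iss is None:
        return False, "token has no iss claim"
    if not is_string_or_uri(iss):
        return False, "iss is not a StringOrURI"
    if iss != configured_issuer:
        return False, "iss does not match configured issuer"
    return True, "ok"


# Constructed sample cases: (configured issuer, claims from the token).
SAMPLES = [
    ("https://idp.example.com", {"iss": "https://idp.example.com"}),
    ("corp-idp", {"iss": "corp-idp"}),           # plain string issuer
    ("corp-idp", {"iss": "Corp-IdP"}),           # differs only in case
    ("https://idp.example.com", {"iss": "https://idp.example.com/"}),
    ("corp-idp", {"iss": "bad scheme:x"}),       # has ':' but is not a URI
    ("corp-idp", {"sub": "alice"}),              # iss missing
]


def run_samples():
    """Return the check result for each constructed sample, in order."""
    return [check_issuer(claims, cfg) for cfg, claims in SAMPLES]


if __name__ == "__main__":
    for (cfg, claims), (ok, reason) in zip(SAMPLES, run_samples()):
        print(f"configured={cfg!r} iss={claims.get('iss')!r} -> {ok} ({reason})")
    print("URI-only rule accepts 'corp-idp':", is_uri_only("corp-idp"))
```

The plain-string issuer 'corp-idp' passes the RFC rule but fails a URI-only rule, which is the gap the fix closes; the case and trailing-slash samples show that exact matching still applies afterwards.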
755997-2 : Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
Links to More Info: BT755997
Component: Local Traffic Manager
Symptoms:
When IPsec traffic is processed by a FastL4 profile, which is not related to an IPsec listener, and is sent out via a gateway pool or a dynamic route, the source address of this traffic can be erroneously changed to 127.0.0.x.
Conditions:
-- IPsec traffic is processed by a FastL4 profile, which is not related to an IPsec listener.
-- The traffic is sent out via a gateway pool or a dynamic route.
Impact:
The incorrect source address is used.
Workaround:
None.
Fix:
The IPsec traffic now uses the correct IP source address.
Fixed Versions:
12.1.5.3, 14.1.2.5
755976-3 : ZebOS might miss kernel routes after mcpd daemon restart
Links to More Info: BT755976
Component: TMOS
Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some kernel routes (virtual addresses).
One of the most common scenarios is a device reboot.
Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.
Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.
Workaround:
There are several workarounds; here are two:
-- Restart the tmrouted daemon:
bigstart restart tmrouted
-- Recreate the affected virtual address.
Fix:
The kernel route is now present in the ZebOS routing table after mcpd daemon restart.
Fixed Versions:
14.1.4.6
755817 : v14.1.0.5 includes Guided Configuration 4.1
Links to More Info: BT755817
Component: Access Policy Manager
Symptoms:
Guided Configuration is not upgraded automatically with each release; it must be manually upgraded between versions. It should be bundled into the release.
Version 14.1.0.5 includes Guided Configuration 4.1.
Conditions:
Upgrading Guided Configuration.
Impact:
Have to manually upgrade Guided Configuration.
Workaround:
Manually upgrade Guided Configuration.
Fix:
Guided Configuration v4.1 is bundled into BIG-IP software v14.1.0.5 and no longer requires manual upgrade.
Behavior Change:
Guided Configuration v4.1 is bundled into BIG-IP software v14.1.0.5. For versions earlier than 14.1.0.5 (e.g., 14.1.0.0), you had to upgrade Guided Configuration manually. That is no longer necessary.
Fixed Versions:
14.1.0.5
755727-2 : Ephemeral pool members not created after DNS flap and address record changes
Links to More Info: BT755727
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.
Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.
Conditions:
This issue may occur under rare timing conditions when the following factors are present:
-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.
Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.
Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:
1. Restart the dynconfd daemon:
bigstart restart dynconfd
2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }
To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.
Fixed Versions:
12.1.5.2, 13.1.3.2, 14.1.2.5, 15.0.1.3
755721-1 : A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper
Links to More Info: BT755721
Component: Advanced Firewall Manager
Symptoms:
A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper. In the worst case, this incorrect signature match might drop the packet.
Conditions:
AFM is enabled and it receives multiple (back-to-back-to-back) UDP DNS packets, which (due to ingress shaper) might cause queueing for some of the packets in the same data path thread.
Impact:
In this case, when the queued packet is later picked up for further processing, it may incorrectly match a BDoS signature (that would not have otherwise matched if this packet was not queued). A UDP DNS packet may match an incorrect signature and thus might be incorrectly dropped by the BIG-IP system.
Workaround:
None.
Fix:
UDP DNS packets never match an incorrect BDoS signature, even if such packets are queued due to ingress shaper.
Fixed Versions:
14.1.2.7
755716-1 : IPsec connection can fail if connflow expiration happens before IKE encryption
Links to More Info: BT755716
Component: TMOS
Symptoms:
IKEv2 negotiation fails, and tmm log shows the following error:
notice [INTERNAL_ERR]: ikev2....: Invalid BIG-IP flow context
Conditions:
Unusual timing that results in connflow expiration immediately preceding Diffie Hellman generation.
Impact:
IKE Negotiation fails, so an SA cannot be established.
Workaround:
None.
Fix:
Missing connection context is now replaced, so IKE negotiation can continue.
Fixed Versions:
14.1.2.8
755641-1 : Unstable asm_config_server after upgrade, 'Event dispatcher aborted'
Links to More Info: BT755641
Component: Application Security Manager
Symptoms:
Ignored suggestions for Multiple decoding or HTTP Protocol Settings present after upgrading a unit to 14.1.0 can cause the asm_config_server and pabnagd processes to enter restart loops.
Conditions:
1) On a 13.1.x system send traffic that will generate suggestions for Max Decoding Passes, Maximum Headers, and/or Maximum Parameters.
2) Set those Suggestions to be Ignored.
3) Upgrade to 14.1.0.
Impact:
-- Multiple asm_config_server restarts.
-- System instability, including inability to manage ASM settings or use traffic learning.
-- No local logging.
Workaround:
You can use either of the following workarounds:
A) Delete any such ignored suggestions using the following SQL command:
> DELETE FROM PL_SUGGESTIONS WHERE element_type IN (7,193,75);
B) Delete any such ignored suggestions before upgrade using the GUI/REST/SQL.
Fix:
The system now handles removed Entity types during upgrade for Ignored Suggestions: Ignored suggestions for Multiple decoding or HTTP Protocol Settings are removed during upgrade. You must reconfigure the Ignore settings after upgrade.
Behavior Change:
Refactoring in 14.1.0 modified the functionality of the following Entity types: Max Decoding Passes, Maximum Headers, and/or Maximum Parameters. Ignored suggestions for Multiple decoding or HTTP Protocol Settings are removed during upgrade, so you must reconfigure the Ignore settings after upgrade.
Fixed Versions:
14.1.0.2
755630-1 : MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes
Links to More Info: BT755630
Component: Service Provider
Symptoms:
The media flows get terminated after the UDP idle timeout expires on a Standby device.
Conditions:
-- High availability (HA) configuration.
-- SIP media calls on a SIP-ALG with SNAT feature enabled.
Impact:
SIP calls fail to deliver media when high availability (HA) failover occurs.
Workaround:
Partial mitigation is to set the UDP idle timeout to a higher value.
Fix:
SIP ALG media pinhole connection flags are now set properly so that the flows do not time out due to inactivity on the next active device.
Fixed Versions:
14.0.1.1, 14.1.0.6
755585-1 : mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction
Links to More Info: BT755585
Component: Local Traffic Manager
Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.
Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
* Creates a policy with 'Drafts/' as part of the policy name.
* Publishes that policy.
* Attaches that policy to a virtual server, either in the same transaction or a later transaction.
Impact:
mcpd restarts on all secondary blades of a cluster.
Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.
Fixed Versions:
13.1.3, 14.1.2.1
755575-1 : In MOS, the 'image2disk' utility with the '-format' option does not function properly
Links to More Info: BT755575
Component: TMOS
Symptoms:
When the BIG-IP system boots, mcpd continually restarts.
Conditions:
This occurs if you issue the 'image2disk' command with the '-format' option in the MOS (Maintenance Operating System) shell.
Impact:
When the system boots, it cannot become active.
Workaround:
In the MOS shell, do not issue the 'image2disk' utility with the '-format' option. You can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.
If the system is already in the defective state, use this shell command, and then reboot:
touch /.tmos.platform.init
The problem should be resolved.
Fix:
In MOS, running 'image2disk' with the '-format' option no longer causes continuous mcpd restarts.
Fixed Versions:
14.1.2.1
755475-1 : Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync
Links to More Info: BT755475
Component: Access Policy Manager
Symptoms:
After making changes to the logon page agent field and performing a config sync to another device, opening the logon agent in VPE on the sync target device results in an error. Although this problem is described for the logon page agent, it applies to any agent that is tied to a customization group.
Conditions:
1. Form a failover device group with two devices.
2. On one device, create an access policy with logon page agent. Initiate config sync to sync the policy to other devices. Verify everything is correct on target device (specifically: open VPE for the policy, Logon Page is in the policy, click on the agent, and edit box appears without issue).
3. On source device, launch VPE for the policy, click on Logon Page agent, make changes to Agent (e.g., choose 'password' type for field3). Save the change and perform a config sync again.
4. Go to target device, open VPE for the policy, and click on Logon Page in the policy.
Impact:
Config is not synced properly to another device in the device group.
Workaround:
- Workaround 1:
Step 1. On Standby (where the problem happens): delete the policy in question.
Step 2. On Active: modify the access policy and Sync it.
* Problem with this workaround: sometimes, you cannot properly delete the access policy in question on the standby (as customization is corrupted, some related config deletion fails).
- Workaround 2:
Step 1. On Standby (where the problem happens): try to open up access policy item using VPE. Error will show the exact location of the file that is missing, for example:
"An error 'customization::getMessages: Unable to get xml dom from /config/filestore/files_d/Common_d/customization_group_d/:Common:MyAccessPolicy_act_logon_page_ag_5678_4' has occured on server... Dialogue loading has failed."
Step 2. On Standby: copy the exact file from active unit to standby unit, change the permission (ownership/group, permission flags) of the file so that it looks similar to active.
Fix:
After a config sync, the target device now receives the same configuration as the source device when a user updates a logon page field in the logon agent editing dialog.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
755447-1 : SSLO does not deliver content generated/originated from inline device
Links to More Info: BT755447
Component: Access Policy Manager
Symptoms:
If any inline service acting as a proxy generates content for the client while resetting the server side connection, then the client might not see the content, and will instead see a reset.
Conditions:
-- F5 SSL Orchestrator (SSLO) with inline services intercepting requests and replying without letting the content go to back-end server.
-- Inline services resetting the back-end connection
Impact:
Client receives a reset instead of a redirect or error page.
Workaround:
None.
Fix:
Clients now receive the content that the inline device generates.
Fixed Versions:
14.1.0.6
755378-1 : HTTPS connection error from Chrome when BADOS TLS signatures configured
Links to More Info: BT755378
Component: Anomaly Detection Services
Symptoms:
HTTPS connection error occurs. The system posts the following ltm.log warnings:
-- warning tmm1[25112]: 01260009:4: Connection error: ssl_basic_crypto_cb:694: Decryption error (20)
-- warning tmm1[25112]: 01260009:4: Connection error: hud_ssl_handler:1941: codec alert (20)
Conditions:
-- BADOS TLS signatures configured.
-- DoS profile is attached to a virtual server.
-- Using Google Chrome browser.
Impact:
HTTPS virtual server is not responsive.
Workaround:
Turn off TLS signatures flag.
Fix:
HTTPS connection error no longer occurs when connecting from Chrome to virtual server with TLS signature BADOS protection.
Fixed Versions:
14.1.0.2
755317-1 : /var/log logical volume may run out of space due to agetty error message in /var/log/secure
Links to More Info: BT755317
Component: TMOS
Symptoms:
An agetty error message is output to the /var/log/secure log file every 10 seconds while the instance remains on:
agetty[<process_id>]: /dev/tty0 ttyS0: No such file or directory.
Conditions:
This agetty error message is an issue on all BIG-IP Virtual Edition and Cloud instances. It is not configuration-dependent.
Impact:
This may fill the /var/log/secure log file. When /var/log is full, certain system services may degrade or become unresponsive (e.g., DNS).
Workaround:
Manually extend the /var/log logical volume.
For more information, see Increase disk space for BIG-IP VE :: https://clouddocs.f5.com/cloud/public/v1/shared/disk_space.html.
Fix:
The issue causing the agetty error message in /var/log/secure has been resolved.
Fixed Versions:
14.1.2.5, 15.1.0.2
755254-1 : Remote auth: PAM_LDAP buffer too small errors★
Links to More Info: K54339562, BT755254
Component: TMOS
Symptoms:
You are unable to log into the BIG-IP system using an LDAP account.
The system might log the following message in /var/log/secure:
-- crit httpd[28010]: pam_ldap(httpd:account): buffer 'buffer_size' too small.
Note: This message might not be logged for all occurrences of this issue.
Conditions:
This occurs when the following conditions are met:
-- Remote-LDAP authentication is configured.
-- There is a user account with attributes longer than 255 characters in length.
-- That user attempts a logon to the BIG-IP system.
Impact:
LDAP authentication not working properly.
Workaround:
Configure user accounts with attributes shorter than 255 characters.
Fix:
LDAP authentication and authorization now succeeds for users under these conditions.
Fixed Versions:
14.1.0.6
755213-1 : TMM cores in certain scenarios with HTTP/2 virtual server
Links to More Info: BT755213
Component: Local Traffic Manager
Symptoms:
TMM cores when attempting to reset a stream. The parent connection may be resetting and going away, and race conditions may lead to a TMM core in the HTTP MR proxy.
Conditions:
Virtual server with HTTP/2, HTTP, TCP, SSL and httprouter profiles. Race conditions when resetting connections.
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
14.1.2.5
755197-3 : UCS creation might fail during frequent config save transactions
Links to More Info: BT755197
Component: TMOS
Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.
Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tries to create a UCS that contains that to-be-deleted file.
Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.
Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.
This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.
Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.
Fix:
The race condition is now avoided, and 'save sys ucs <file>' succeeds even when files are removed by 'save sys config'.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2
755134-1 : HTTP/2 connections may leak memory if server-side connection not established
Links to More Info: BT755134
Component: Local Traffic Manager
Symptoms:
Xhead and xdata memory caches grow over time when HTTP/2 traffic is present. Eventual performance degradation and potential traffic outage due to memory exhaustion.
Conditions:
-- HTTP/2 configured with HTTP Router profile.
-- Configuration or network issues which prevent server-side connection from being established.
Impact:
Memory leakage over time may result in performance degradation and eventual traffic outage if TMM restarts due to memory exhaustion.
Workaround:
None.
Fix:
HTTP/2 connections no longer leak memory when server-side connection establishment fails.
Fixed Versions:
14.1.2.5
755047-1 : Category lookup returns wrong category on CONNECT traffic through SSLO
Links to More Info: BT755047
Component: Access Policy Manager
Symptoms:
Category lookup returns wrong category on CONNECT traffic through F5 SSL Orchestrator (SSLO).
Conditions:
-- Outbound deployment configured in SSLO, where SSLO behaves as a transparent proxy.
-- A policy has a branch to look up the category using HTTP Connect.
-- An HTTPS client generates HTTPS traffic via an explicit proxy on local network with private address through SSLO as the gateway.
Impact:
Category Match is not performed, so the fallback branch is taken.
Workaround:
None.
Fix:
Category lookup now works correctly in this scenario.
Fixed Versions:
14.1.0.6
755027-1 : Timer processing taking too long
Links to More Info: BT755027
Component: TMOS
Symptoms:
The SFP status process takes too long, causing the timer to fire too infrequently.
Conditions:
On i15xxx platforms the timer interval is too long due to processing inside the timer.
Impact:
It will take the system longer to notice changes to SFP status.
Fix:
The timer processing has been fixed so the timer interval is now correct.
Fixed Versions:
14.1.4.4
755018-2 : Egress traffic processing may be stopped on one or more VE trunk interfaces
Links to More Info: BT755018
Component: TMOS
Symptoms:
Trunk interface members might be missing from tmm on BIG-IP Virtual Edition (VE).
Conditions:
-- Using trunks on VE.
-- May happen after a TMM restart, or after interface link states change.
Impact:
No egress traffic processing on one or more interfaces of a VE trunk.
Workaround:
Modify an attribute of the trunk and then return it to its previous value, for example:
# tmsh modify net trunk <trunk name> link-select-policy maximum-bandwidth
# tmsh modify net trunk <trunk name> link-select-policy auto
Fix:
Traffic is processed on all trunk interfaces.
Fixed Versions:
13.1.3.2, 14.1.2.7, 15.0.1.1
755005-1 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
Links to More Info: BT755005
Component: Application Security Manager
Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.
Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.
Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.
Workaround:
None.
Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.
Fixed Versions:
12.1.5.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
754985-1 : Standby mirrored server SSL connections fail, and tmm may crash while processing mirrored TLS traffic
Links to More Info: BT754985
Component: Local Traffic Manager
Symptoms:
Server SSL mirrored connections fail, showing any6.any - any6.any as the server connection.
Under certain conditions, the standby TMM may crash while processing mirrored TLS traffic.
Conditions:
-- Virtual server with server-side SSL.
-- Connection mirroring enabled.
Impact:
High availability (HA) connection mirroring fails. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM now processes TLS traffic as expected.
Fixed Versions:
14.1.0.6
754971-2 : OSPF inter-process redistribution might break OSPF route redistribution of various types.
Links to More Info: BT754971
Component: TMOS
Symptoms:
Enabling inter-process OSPF route redistribution might cause overall problems with OSPF route redistribution.
Conditions:
OSPF is configured with inter-process OSPF route redistribution, for example:
router ospf
network 0.0.0.0/0 area 0
redistribute kernel
redistribute ospf 1234 <--- !
Impact:
Routes might not be redistributed and will not be present in the OSPF database. This affects all redistribution types (kernel, static, etc.).
Workaround:
Do not use inter-process OSPF route redistribution.
Fix:
Inter-process OSPF route redistribution is working properly.
Fixed Versions:
13.1.3.5, 14.1.3.1
754901-1 : Frequent zone update notifications may cause TMM to restart
Links to More Info: BT754901
Component: Global Traffic Manager (DNS)
Symptoms:
When there are frequent zone update notifications, the watchdog for TMM may trip and TMM crashes and restarts. There may also be 'clock advanced' messages in /var/log/ltm.
Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.
Impact:
TMM restart potentially resulting in failing or impacting services. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Frequent zone update notifications no longer cause TMM to restart.
Fixed Versions:
13.1.3, 14.1.2.5
754875-1 : Enable FIPS 140-2 Level 1 Compliant Mode in PAYG VE images on first boot
Links to More Info: BT754875
Component: Local Traffic Manager
Symptoms:
On first boot, BIG-IP Virtual Edition (VE) public cloud images with the pay-as-you-go (PAYG) Best license and the FIPS 140-2 Level 1 Compliant Mode option display a prompt indicating REBOOT REQUIRED.
Conditions:
-- BIG-IP VE on public cloud
-- Using PAYG Best license
-- FIPS 140-2 Level 1 Compliant Mode option
Impact:
FIPS 140-2 Level 1 Compliant Mode is not fully enabled yet on first boot.
Workaround:
Reboot the BIG-IP VE instance to finish enabling FIPS compliance mode.
Fix:
This release fully enables FIPS compliance mode in certain PAYG public cloud images on first boot.
Behavior Change:
BIG-IP VE Best public cloud PAYG images now fully enable FIPS 140-2 Level 1 Compliant Mode on first boot.
Fixed Versions:
14.1.2
754841-1 : Policy updates stall and never complete
Links to More Info: BT754841
Component: Application Security Manager
Symptoms:
When applying new or updated ASM policies, the update process stalls and never returns.
This error is logged in /var/log/asm:
crit perl[7333]: 01310027:2: ASM subsystem error (bd_agent,F5::BdAgent::start): No ack received from BD after 600 seconds -- aborting.
Conditions:
This can occur intermittently when making policy updates.
Impact:
The policy update is not applied, and you are unable to make configuration changes.
Workaround:
Restart ASM:
bigstart restart asm
Fix:
The system now handles the application of new or updated ASM policies so that the issue no longer occurs.
Fixed Versions:
14.1.2.3
754805 : Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured
Links to More Info: K97981358, BT754805
Component: Advanced Firewall Manager
Symptoms:
tmm might crash and restart.
Conditions:
When AFM DoS badactor or attacked dst is configured on a vector, there is a race condition which can cause tmm to crash. The same race condition is present when single endpoint vectors are configured.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The race condition is now fixed.
Fixed Versions:
14.1.0.6
754691-1 : During failover, an OSPF routing daemon may crash.
Links to More Info: BT754691
Component: TMOS
Symptoms:
With a specific OSPF configuration, during a failover, a peer which is changed from standby to active may experience an ospfd daemon crash.
Conditions:
High availability configuration with a routing configuration:
1) access-list with 0.0.0.0/0 filtering:
access-list 199 remark test
access-list 199 deny ip host 0.0.0.0 host 0.0.0.0
access-list 199 permit ip any any
2) OSPF router with this access-list:
router ospf 1
ospf router-id 10.14.0.11
bfd all-interfaces
network 10.14.0.0/16 area 0.0.0.1
distribute-list 199 in
!
-- The device with this configuration is in the standby state.
-- A failover occurs.
Impact:
An OSPF daemon crashes, losing routing information and OSPF dynamic routes for a moment while ospfd daemon restarts.
Workaround:
None.
Fix:
An ospfd daemon no longer crashes during a failover.
Fixed Versions:
14.1.2.3, 15.0.1.4
754658-2 : Improved matching of response messages uses end-to-end ID
Links to More Info: BT754658
Component: Service Provider
Symptoms:
Some responses incorrectly match requests when their hop-by-hop IDs match. This causes the response to be dropped.
Conditions:
Matching hop-by-hop ID.
Impact:
Responses rarely match the wrong request, but when they do, they will be dropped.
Workaround:
None.
Fix:
Responses are now matched to requests using end-to-end ID as well as hop-by-hop ID. There should be no more incorrect matches.
Fixed Versions:
13.1.3.4, 14.1.2.7
754617-2 : iRule 'DIAMETER::avp read' command does not work with 'source' option
Links to More Info: BT754617
Component: Service Provider
Symptoms:
Configuring a 'source' option with the iRule 'DIAMETER::avp read' command does not work.
The operation posts a TCL error in /var/log/ltm logs:
err tmm3[11998]: 01220001:3: TCL error: /Common/part1 <MR_INGRESS> - Illegal value (line 1) error Illegal value invoked from within "DIAMETER::avp read 444 source [DIAMETER::avp data get 443 grouped]".
Conditions:
Using the 'DIAMETER::avp read' iRule command with a 'source' option.
Impact:
'DIAMETER::avp read' does not work with the 'source' option.
Workaround:
Use 'DIAMETER::avp get data' with the 'source' option, and re-create the header part when needed.
Fixed Versions:
13.1.3.4, 14.1.2.7
754615-2 : Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup.
Links to More Info: BT754615
Component: Service Provider
Symptoms:
tmm crashes.
Conditions:
-- SIP calls under load.
-- MRF-SIP-ALG setup.
-- Most of the calls re-use the conn flow.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
If connections reach a threshold value of 64500, the connection is dropped, drop stats are updated, and a log message is reported: Message handling threshold reached on flow.
Fixed Versions:
14.0.1.1, 14.1.0.6
754542-2 : TMM may crash when using RADIUS Accounting agent
Links to More Info: BT754542
Component: Access Policy Manager
Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.
Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when RADIUS Accounting agent is used in the access policy.
Fixed Versions:
13.1.3, 14.1.0.6
754541-2 : Reconfiguring an iApp that uses a client SSL profile fails
Links to More Info: BT754541
Component: TMOS
Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:
-- A virtual server is created but no client SSL profile is applied.
-- In the /var/log/ltm file, the system logs messages similar to the following example:
err mcpd[6434]: 01b4002b:3: Client SSL profile (/Common/Example.app/Example_client-ssl): the profile has no RSA cert/key pair that can be modified. To add RSA cert/key, please use [cert-key-chain add]
Conditions:
This issue occurs when the following conditions are met:
-- Attempting to reconfigure an iApp.
-- The iApp contains a client SSL profile.
Impact:
The system fails to create and apply the client SSL profile to the virtual server.
Workaround:
To work around this issue, you can temporarily disable SSL in the iApp, and then enable it again.
Impact of workaround:
Reconfiguring your iApp reconfigures all BIG-IP objects associated with the iApp. This might cause service disruptions to the application the iApp has been deployed for.
1. Navigate to the impacted iApp in GUI:
iApps :: Application Services : Applications :: Example.
2. Find the setting associated with the client SSL profile, often titled "How should the BIG-IP system handle SSL traffic?"
3. Change the associated setting to one that does not imply the use of SSL, for example: 'Plain text to and from both clients and servers.'
4. Press the Reconfigure button.
5. Return to the same question and change the field back to its original setting.
6. Press the Reconfigure button once more.
Fix:
Reconfiguring an iApp that uses a client SSL profile now succeeds as expected.
This issue is resolved in the following release candidates:
f5.microsoft_exchange_2016.v1.0.3rc5.tmpl
f5.microsoft_exchange_2016.v1.0.3rc6.tmpl
f5.citrix_vdi.v2.4.6.tmpl
f5.vmware_view.v1.5.6.tmpl
You can download these iApp templates on the F5 Downloads site :: https://downloads.f5.com
Issues resolved:
- Corrected an issue that caused Tcl iApps using client SSL profiles to stop working when the iApp was reconfigured.
- This issue affected iApps running on BIG-IP 14.1, citrix_vdi, and vmware_view.
Fixed Versions:
14.1.0.3
754525-1 : Disabled virtual server accepts and serves traffic after restart
Links to More Info: BT754525
Component: Local Traffic Manager
Symptoms:
Disabled virtual servers accept traffic after being upgraded to an affected version, or after restarting.
Conditions:
1. A virtual server is configured on pre-v14.1.0.
2. Disable the virtual server.
3. Either upgrade to an affected version, or restart the system.
Impact:
The virtual server remains 'Disabled', but it accepts and processes traffic.
Workaround:
To correct the behavior, manually enable/disable the virtual server.
Fix:
Disabled virtual servers no longer process traffic after a restart.
Fixed Versions:
14.1.2.1, 15.0.1.1
754500-2 : GUI LTM Policy options disappearing
Links to More Info: BT754500
Component: TMOS
Symptoms:
Listed policies disappear under 'Do the following when traffic is matched' in Local Traffic :: Policies : Policy List :: {Rule Name} when pressing Cancel or Save and opening the list again.
Conditions:
Click the Cancel or Save button on the Local Traffic :: Policies : Policy List :: /Common/policy1:rule1 properties page.
Here are some specific steps to reproduce this issue (this procedure assumes you have at least one policy with at least one rule defined):
1. Navigate to Local Traffic :: Policies : Policy List :: /Common/policy1:rule1 to open the rule1 properties page.
2. In the section 'Do the following when the traffic is matched', click to open the first dropdown menu.
- The system lists all of the items.
3. Click Cancel.
4. Click to reopen the properties page, and click the first dropdown menu.
- The system lists fewer of the options.
5. Repeat steps 3 and 4.
Impact:
Options disappear from the list each time you click Cancel or Save. Cannot select options because they are no longer visible in the list.
Workaround:
To return all options to the list, use the refresh button in the browser.
You can also use the following tmsh command:
modify ltm policy Drafts/<policy name> modify { <rule name> { actions add { ...
Fix:
Policies no longer disappear under these conditions.
Fixed Versions:
14.1.0.6
754425-1 : Exported requests cannot be opened in Internet Explorer or Edge browser
Links to More Info: BT754425
Component: Application Security Manager
Symptoms:
Any exported report (requests/correlation/learning) cannot be opened in Microsoft Internet Explorer (IE) or the Edge browser due to a JavaScript error.
Conditions:
Viewing an exported report using IE or Edge.
Impact:
Unable to view the exported report.
Workaround:
Use a different browser.
Fix:
Exported files are now visible in all officially supported browsers.
Fixed Versions:
14.1.2.3
754420-1 : Missing policy name in exported ASM request details
Links to More Info: BT754420
Component: Application Security Manager
Symptoms:
No Policy name in exported ASM Request details.
Conditions:
This is encountered when viewing the Security Events Report.
Impact:
Missing policy name in request details.
Workaround:
None.
Fix:
Policy name is now displayed in exported ASM request details.
Fixed Versions:
14.0.0.5, 14.1.0.2
754365-5 : Updated flags for countries that changed their flags since 2010
Links to More Info: BT754365
Component: Application Security Manager
Symptoms:
Old flags for countries that changed their flags since 2010.
Conditions:
Requests from one of the following countries:
-- Myanmar
-- Iraq
-- Libya
Impact:
Old flag is shown.
Workaround:
None.
Fix:
The three flags are now updated in ASM.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
754346-2 : Access policy was not found while creating configuration snapshot.
Links to More Info: BT754346
Component: Access Policy Manager
Symptoms:
APMD fails to create configuration snapshot with the following error:
-- err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!
If you attempt to modify the policy in question, the system reports a second error:
-- err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy
Conditions:
TMM restarts and a new access policy is added before TMM is fully up and running.
Impact:
Configuration snapshot is not created, and users cannot log on.
Workaround:
Recreate the access profile when TMM is stable.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
754335-1 : Install ISO does not boot on BIG-IP VE★
Links to More Info: BT754335
Component: TMOS
Symptoms:
The install ISO does not boot on BIG-IP Virtual Edition (VE).
Conditions:
Attempting to boot a BIG-IP VE from a virtual DVD-ROM drive loaded with an affected ISO file.
Impact:
The system does not fully boot and hangs, preventing you from performing an installation or using the live environment for other recovery purposes.
Workaround:
To work around this issue, boot the BIG-IP VE from an ISO file earlier than 14.1.0. If necessary, install that version, and then upgrade to 14.1.0 using the live installer.
Fix:
Fixed an issue with ISO images not booting.
Behavior Change:
The fix introduces a behavioral change in the serial console prompt when compared to the legacy console. During DVD, USB, PXE installations, MOS reboots on hardware platforms:
The login prompt will read 'localhost login:' before changing to the 'switch_root' prompt.
After logging in as root, the prompt changes to 'switch_root'.
Fixed Versions:
14.1.4.4, 15.1.4.1
754257-2 : URL lookup queries not working
Links to More Info: BT754257
Component: Traffic Classification Engine
Symptoms:
Occasionally, there is no response to a url-categorization query.
Conditions:
This might occur under the following conditions:
-- When there are duplicate requests using tmsh.
-- When the connection is partially closed by the server.
Impact:
URL does not get classified. Cannot take any actions against those URLs.
Workaround:
None.
Fix:
URL lookup queries now work as expected.
Fixed Versions:
12.1.5, 14.1.2.7
754143-1 : TCP connection may hang after FIN
Links to More Info: K45456231, BT754143
Component: Local Traffic Manager
Symptoms:
TCP connections hang. Memory usage increases. TMM restarts.
Numerous hanging connections reported similar to the following:
-- config # tmsh show sys conn protocol tcp
Sys::Connections
10.0.0.1:5854 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5847 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5890 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5855 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5891 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
Conditions:
Pool member fails to respond with an ACK to BIG-IP system serverside FIN (or sends a RST in response to the BIG-IP system's FIN).
Impact:
The BIG-IP system serverside connection eventually times out, and the clientside connection is orphaned.
Those clientside connections hang indefinitely (even past the idle timeout). BIG-IP system memory increases, eventually leading to a possible TMM out-of-memory condition, requiring a TMM restart. Traffic disrupted while tmm restarts.
Workaround:
To delete the orphaned connections, you must restart the Traffic Management Microkernel (TMM) or restart the BIG-IP system. To restart the BIG-IP system, you can use either of the following procedures:
Impact of either workaround: Service will be interrupted. If configured for high availability (HA), the BIG-IP system fails over to another device in the device group.
Rebooting the BIG-IP system
===========================
1. Log in to the Advanced Shell (bash).
2. To restart the system, type the following command:
reboot
Restarting all blades on a VIPRION system
=========================================
1. Log in to bash.
2. To restart all the blades on the VIPRION system, type the following command:
clsh shutdown -r now
Fix:
TCP connections no longer hang under these conditions.
Fixed Versions:
13.1.4.1, 14.1.0.2
754132-2 : A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command
Links to More Info: BT754132
Component: TMOS
Symptoms:
A default route is not propagated in Network Layer Reachability Information (NLRI) by a routing framework on a command: 'clear ip bgp <neighbor router-id> soft out'.
-- Enter the imi (Integrated Management Interface) shell.
[root@hostname:Active:Standalone] config # imish
hostname[0]>
-- Issue a command inside imish. 10.0.0.4 is neighbor BGP router-id.
hostname[0]>clear ip bgp 10.0.0.4 soft out
Conditions:
-- There is a BIG-IP system with the following routing configuration:
imish output:
hostname[0]#sh run
!
no service password-encryption
!
interface lo
!
... <skip other default information, like interfaces.>
!
router bgp 1
bgp router-id 10.17.0.3
bgp graceful-restart restart-time 120
neighbor 10.17.0.4 remote-as 1
!
-- There is a default route, which is advertised by this BGP configuration. Here is one way to check it:
hostname[0]:sh ip ospf database
... <skip less important info>
AS External Link States
Link ID ADV Router Age Seq# CkSum Route Tag
0.0.0.0 10.17.0.3 273 0x80000002 0x5c4e E2 0.0.0.0/0 0
The 'clear ip bgp 10.17.0.4 soft out' command is issued, and there is no NLRI with a default route generated. You can confirm that by running tcpdump and reading what is in the generated Link-state advertisement (LSA) messages, or by watching OSPF debug logs.
Note: The source from which you gather the default route and advertise it to the neighbors does not matter. It might be the usual BGP route learned from another router, a locally created route, or it might be configured by 'neighbor <neighbor router-id> default-originate'.
Impact:
A default-route is not propagated in NLRI by 'soft out' request, even with default-originate configured.
Workaround:
There is no specific workaround for 'clear ip bgp <neighbor router-id> soft out' command, but if you want to make routing protocol propagate a NLRI with a default route, you can do either of the following:
-- Remove the default route from advertised routes. This workaround is configuration-specific, so there are no common steps.
+ If you have default-originate configured for your neighbor, then delete that part of the configuration and re-add it.
+ If you create a default route as a static route, recreate it.
+ And so on.
The idea is to remove a root of default route generation and then add it back.
-- Run a 'soft in' command from your neighbor. If the neighbor to which you want to propagate an NLRI is a BIG-IP device, or is capable of running this type of command, you can issue an imish command on the neighbor:
# neighbor-hostname[0]: clear ip bgp <neighbor router-id> soft in
Note: This time, the 'soft in' command requests the NLRIs.
Fix:
A NLRI with default route information is successfully propagated on 'clear ip bgp <neighbor router-id> soft out' command.
Fixed Versions:
13.1.3.6, 14.1.4
754109-1 : ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive
Links to More Info: BT754109
Component: Application Security Manager
Symptoms:
When the backend server sends a content-security-policy header where source-src and default-src directives are missing, ASM will modify the header when it does its own JavaScript injection, which might cause a csp policy violation for inline JavaScript code.
Conditions:
-- ASM provisioned.
-- ASM or Bot-Defense/DoS attached on a virtual server.
-- ASM or Bot/DoS does inline injections, like CSRF/CSHUI.
Impact:
Inline JavaScript does not run. The Browser reports a content-security-policy violation.
Workaround:
You can use either of the following workarounds:
-- Disable csp in ASM by running the following commands:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm
-- Disable csp in Bot/DoS using an iRule:
when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}
Fix:
ASM/Bot/DoSL7 no longer modifies the csp header when both source-src and default-src directives are missing.
Fixed Versions:
13.1.3.4, 14.1.2.3
754066-1 : Newly added Systems are not added as part of installing a Server Technologies update file
Links to More Info: BT754066
Component: Application Security Manager
Symptoms:
Newly added Systems are not added as part of installing a Server Technologies update file, which prevents acceptance of Server Technology suggestion.
Conditions:
A Server Technology update file containing newly added Systems is installed.
Impact:
A suggestion to add a Server Technology using a newly added System cannot be accepted.
Workaround:
The corresponding ASM Signature update file must be loaded first.
Fix:
Newly added Systems are added correctly after installing Server Technology update file.
Fixed Versions:
14.1.0.2
754003-3 : Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate
Links to More Info: K73202036, BT754003
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K73202036
Conditions:
For more information please see: https://support.f5.com/csp/article/K73202036
Impact:
For more information please see: https://support.f5.com/csp/article/K73202036
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K73202036
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.3
753925-1 : CLIENTSSL_CLIENTCERT iRule event may not be triggered on TLSv1.3 connections
Links to More Info: BT753925
Component: Local Traffic Manager
Symptoms:
The CLIENTSSL_CLIENTCERT iRule event may not be triggered on TLSv1.3 connections.
Conditions:
-- TLSv1.3 connection.
-- Client SSL profile is configured with client certificate authentication (either 'request' or 'require').
-- An iRule depends upon the CLIENTSSL_CLIENTCERT event.
Impact:
The CLIENTSSL_CLIENTCERT iRule event may not be triggered on TLSv1.3 connections.
Workaround:
None.
Fix:
The system now sends the CLIENTSSL_CLIENTCERT iRule event when client certificate authentication is configured on client SSL profiles with TLS 1.3.
Fixed Versions:
14.1.4.4
753912-4 : UDP flows may not be swept
Links to More Info: K44385170, BT753912
Component: Local Traffic Manager
Symptoms:
Some UDP connection flows do not show in the connection table but do show up in stats. This might occur when datagram_lb mode is enabled on the UDP profile under heavy load.
Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.
Impact:
Increased memory utilization of TMM.
Workaround:
None.
Fix:
The system now correctly manages all expired flows.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
753860-3 : Virtual server config changes causing incorrect route injection.
Links to More Info: BT753860
Component: TMOS
Symptoms:
Updating the virtual server to use a different virtual address (VADDR) does not work as expected. The system should remove the old VADDR route and inject the new route for the new virtual address. Instead, it injects incorrect routes into the routing protocols.
Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.
Impact:
Incorrect routes are injected into routing protocols.
Workaround:
None.
Fixed Versions:
13.1.3.4, 14.1.2.7
753821-3 : Log messages 'TCP RST from remote system' messages logged if GTM/DNS is licensed but not provisioned
Links to More Info: BT753821
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM/DNS is licensed but not provisioned, there are potentially numerous reset messages every 10 secs in the gtm/logs:
err tmm[29412]: 01230140:3: RST sent from <IP-address:port> to <IP-address:port>, [n] TCP RST from remote system
Conditions:
GTM/DNS is licensed but not provisioned.
Impact:
A message is logged in gtm/logs. This is an informational message, and can be safely ignored.
Workaround:
None.
Fix:
The tmm process no longer attempts to connect to gtmd if GTM/DNS is not provisioned, so this message no longer occurs.
Fixed Versions:
14.1.4.6
753805-3 : BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
Links to More Info: BT753805
Component: Local Traffic Manager
Symptoms:
After failover, it takes longer than expected for the virtual server to become available.
Conditions:
-- There is a configuration difference in the pool members before and after the configuration synchronization.
-- Probe status is also different.
Impact:
Virtual server takes longer than expected to become available.
Workaround:
Run full sync (force-full-load-push) from the active BIG-IP system to solve this issue.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.3.1
753796-1 : SNMP does not follow best security practices
Links to More Info: K40443301
753715-1 : False positive JSON max array length violation
Links to More Info: BT753715
Component: Application Security Manager
Symptoms:
False-positive JSON max array length violation is reported.
Conditions:
-- JSON profile is used.
-- The violation is reported for a non-array under certain conditions.
Impact:
The system reports a false-positive violation.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4.1
753711-1 : Copied policy does not retain signature staging
Links to More Info: BT753711
Component: Application Security Manager
Symptoms:
When copying a modified policy or a policy that has never been applied, all signatures are set to staging enabled.
Conditions:
Copying a modified policy or policy that has never been applied.
Impact:
All signatures in the copied policy are set to staging enabled.
Workaround:
Export the policy (either as binary or XML) and re-import.
Fix:
Signature staging settings are retained correctly after the policy is copied.
Fixed Versions:
14.1.2.1
753650-2 : The BIG-IP system reports frequent kernel page allocation failures.
Links to More Info: BT753650
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)
Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase this as follows:
-- 64 MB (65536 KB) for 2250 blades
-- 48 MB (49152 KB) for B4300 blades
-- 128 MB (131072 KB) for 4450 blades
-- 96 MB (98304 KB) for 4340N blades
You must do this on each blade installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures on the following blades:
- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
Important: This fix does not eliminate the issue on B4450 (A114) blades. ID950849 tracks the issue on that blade :: https://cdn.f5.com/product/bugtracker/ID950849.html.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
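For ID753650 above, the following added example (not F5 code) counts page allocation failures per process and allocation order from kern.log-style input, and checks whether the min_free_kbytes workaround value is in effect. The syslog prefix, the process name 'exampled' and the function names are assumptions; only the 'page allocation failure' message format and the /proc path come from the entry.

```shell
#!/bin/sh
# Added example, not F5 code: triage helper for ID753650.

# Constructed sample input. Only the part
#   "<process>: page allocation failure: order:<n>, mode:<hex>"
# follows the release note; the syslog prefix and the process name
# "exampled" are assumptions made for illustration.
sample_kern_log() {
    cat <<'EOF'
Mar  8 10:03:04 slot1/bigip1 warning kernel: swapper/16: page allocation failure: order:2, mode:0x104020
Mar  8 10:03:09 slot1/bigip1 warning kernel: swapper/16: page allocation failure: order:2, mode:0x104020
Mar  8 10:04:11 slot2/bigip1 warning kernel: exampled: page allocation failure: order:3, mode:0x104020
Mar  8 10:04:12 slot2/bigip1 info kernel: unrelated message
EOF
}

# Reads log text on stdin and prints "<count> <process> order:<n>",
# most frequent first. Lines without the failure message are ignored.
summarize_page_alloc_failures() {
    awk '
        {
            if (match($0, /[^ ]+: page allocation failure: order:[0-9]+/)) {
                hit = substr($0, RSTART, RLENGTH)
                proc = hit
                sub(/: page allocation failure.*/, "", proc)
                order = hit
                sub(/.*order:/, "", order)
                count[proc " order:" order]++
            }
        }
        END {
            for (k in count) print count[k], k
        }
    ' | sort -k1,1nr -k2,2
}

# Succeeds when the value in the given file (default: the live kernel
# setting) is at least the desired amount in KB.
#   $1 = desired KB, $2 = optional file to read instead of /proc
min_free_kbytes_at_least() {
    want=$1
    src=${2:-/proc/sys/vm/min_free_kbytes}
    read -r current < "$src" || return 2
    [ "$current" -ge "$want" ]
}

# Stand-alone run: summarize the constructed sample.
sample_kern_log | summarize_page_alloc_failures
```

On a multi-blade system the log summary applies per blade, so feed it each blade's /var/log/kern.log in turn.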
753642-1 : iHealth may report false positive for Critical Malware
Links to More Info: BT753642
Component: TMOS
Symptoms:
A minor change in the way qkview reports executable filenames may cause iHealth to interpret the presence of malware.
Conditions:
qkview files produced by 14.1.0 when uploaded to ihealth.f5.com.
Impact:
iHealth may report a false positive for malware.
Workaround:
Ignore critical errors for malware reported by iHealth for version 14.1.0 only.
Fix:
This is fixed in 14.1.0.1.
Fixed Versions:
14.1.0.2
753594-2 : In-TMM monitors may have duplicate instances or stop monitoring
Links to More Info: BT753594
Component: Local Traffic Manager
Symptoms:
Most monitored resources (such as pools) report messages similar to the following:
Availability : unknown
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet.
A fraction of the monitored resources report the correct status based on the state of the resource.
Enabling bigdlog may show instances of messaging containing 'tmm_mid=x:0' (where x can be values like 0, 1, 2 etc.), for example, it is tmm_mid=1:0 in the following example:
[0][11288] 2019-03-08 10:03:04.608: ID 10859 :(_do_ping): post ping, status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=1:0 addr=::ffff:1.2.37.44:443 mon=/Common/https fd=-1 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1552068189.684126][2019-03-08 10:03:09] last_ping=[1552068184.684909][2019-03-08 10:03:04] deadline=[1552067610.048558][2019-03-08 09:53:30] on_service_list=True snd_cnt=119 rcv_cnt=0 ]
The following error might appear in /var/log/ltm:
-- failed to handle TMA_MSG_DELETE message: MID 0, error TMA_ERR_INVALID_MID(Monitor ID is invalid or unused)
Conditions:
-- Configure In-TMM monitoring with a sufficiently large number of monitored objects.
-- Modify monitors while pool members are in an offline state or perform rapid modification of In-TMM monitors.
Impact:
Some monitors may be executed multiple times per configured interval on a resource, and some monitors may not be executed at all against resources.
Workaround:
Switch to traditional bigd monitoring instead of In-TMM:
tmsh modify sys db bigd.tmm value disable
Fix:
Rapid modification of in-TMM monitors no longer leaves old monitor instances behind.
Fixed Versions:
13.1.3, 14.1.3.1
753564-1 : Attempt to change password using /bin/passwd fails
Links to More Info: BT753564
Component: TMOS
Symptoms:
When you run /bin/passwd as root you get an error:
passwd.bin: unable to start pam: Critical error - immediate abort
Failed to change user's password. Exiting.
If you then run /bin/ausearch -m avc -ts recent, you see a lot of selinux denials for passwd.bin.
Conditions:
No special conditions needed
Impact:
Root/admin user cannot change password using the standard /bin/passwd executable.
Workaround:
The workaround would be to disable selinux, change the password and re-enable selinux:
# setenforce Permissive
# passwd
# setenforce Enforcing
Alternatively, you can use the tmsh commands to change the passwords: tmsh modify auth password root
Lastly, if you want to modify the selinux policy, this is the standard way of doing it:
# ausearch -c passwd.bin --raw | audit2allow -M mypasswd
# semodule -i mypasswd.pp
Fix:
With the fix, BIG-IP has no issues with /bin/passwd.bin being denied by selinux, and /bin/passwd works as expected.
Fixed Versions:
14.1.0.2
753514-3 : Large configurations containing LTM Policies load slowly
Links to More Info: BT753514
Component: Local Traffic Manager
Symptoms:
Very slow performance when loading a configuration, for example, at system start up. During this time, the tmsh process shows high CPU usage.
Conditions:
BIG-IP 13.1.x, 14.x. Large configuration (1 MB or larger) and at least one, but more likely tens or hundreds of LTM policies defined in the configuration.
Impact:
Slow configuration loading, or in cases with very large configurations, full config load may fail after a long wait. Slowness increases with overall configuration size and number of LTM policies defined.
Workaround:
None.
Fix:
Large configurations containing LTM Policies load normally.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.3
753485-1 : AVR global settings are being overridden by high availability (HA) peers
Links to More Info: K50285521, BT753485
Component: Application Visibility and Reporting
Symptoms:
Configuration of AVR global settings is being overridden by high availability (HA) peers, and the systems thus report incorrectly to BIG-IQ Data Collection Devices (DCDs).
Conditions:
Configuring HA for systems connected to BIG-IQ.
Impact:
Configuration of BIG-IP systems in HA configuration can override each other. This might result in the following behavior:
-- A common symptom is that the 'Stats Last Collection Date' shows up as Dec 31, 1969 or Jan 01, 1970, depending on the time zone configuration of the device.
-- The 'Stats Last Collection Date' shows up as '--'.
-- The BIG-IP systems incorrectly identify themselves to BIG-IQ.
-- The BIG-IP systems report to the wrong DCD.
-- The BIG-IP systems report to DCD, even if they are not configured to report at all.
-- The BIG-IP systems do not report at all, even if they are configured to report.
Note: This bug is tightly related to BIG-IQ Bug ID 757423.
Workaround:
Refer to the procedure in K50285521: BIG-IQ system may cause out-of-sync condition between the managed BIG-IP HA pair
:: https://support.f5.com/csp/article/K50285521.
Fix:
Synchronization of relevant fields on AVR global settings is disabled, so this issue no longer occurs.
Fixed Versions:
13.1.3, 14.1.2, 15.0.1
753446-2 : avrd process crash during shutdown if connected to BIG-IQ
Links to More Info: BT753446
Component: Application Visibility and Reporting
Symptoms:
During shutdown of BIG-IP, if it is connected to BIG-IQ, then avrd might crash.
Conditions:
BIG-IP is set to shut down and configured to send statistics to BIG-IQ.
Impact:
No serious impact, since the BIG-IP is already instructed to shut down, so the process crash is not causing any damage.
Workaround:
N/A
Fix:
The avrd process no longer crashes during shutdown.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.2
753383-4 : Deadlock While Attaching NDAL Devices
Links to More Info: BT753383
Component: Local Traffic Manager
Symptoms:
A potential deadlock may occur while Network Device Abstraction Layer (NDAL) Interfaces are being attached.
Conditions:
-- Using BIG-IP Virtual Edition.
-- Attaching NDAL devices.
-- The tmm has not yet established a connection with mcpd.
Impact:
TMM is unable to connect to mcpd. The tmm process cannot reconnect to mcpd in retries, if a connection is not established on tmm startup.
Workaround:
None
Fix:
Deadlock no longer occurs while NDAL devices are being attached.
Fixed Versions:
14.1.4
753370-3 : RADIUS auth might not be working as configured when there is change in RADIUS auth config name.
Links to More Info: BT753370
Component: Access Policy Manager
Symptoms:
RADIUS auth might not be working as configured when there is a change in the RADIUS auth config name. You might also see an error:
err apmd[14182]: 01490108:3: /Common/:Common:cc55b9e2: RADIUS module: authentication with 'testuser@example' failed: no response from server (0).
Conditions:
In an LTM pool that uses APM AAA RADIUS to authenticate, change (modify/delete) the name of the RADIUS authentication server in the config file.
Impact:
When using tmm.default version, intermittently MCP error messages in tmm logs indicate that the RADIUS server cannot be found, and RADIUS authentication does not work as expected.
Workaround:
None.
Fixed Versions:
13.1.3, 14.0.0.5, 14.1.0.6
753295-1 : ASM REST: All signatures being returned for policy Signatures regardless of signature sets
Links to More Info: BT753295
Component: Application Security Manager
Symptoms:
By default, only signatures that are included in the Security Policy enforcement via the Policy's Signature Sets are included in the response to /tm/asm/policies/<ID>/signatures.
Additionally, there should be the capability to $filter for either signatures that are in the policy or not in the policy.
These filters are not working.
Conditions:
ASM REST/GUI is used to determine the number of signatures enabled on a Security Policy.
Impact:
More data than expected will be returned to REST clients, which may cause confusion.
Learning statistics/graphs may have confusing/incorrect numbers.
Workaround:
None
Fix:
inPolicy $filter works again, and the default behavior only returns the signatures that are in the policy.
Fixed Versions:
14.1.0.2
753163-4 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
Links to More Info: BT753163
Component: Policy Enforcement Manager
Symptoms:
No connection request with PCRF/OCS if high availability (HA) failover occurs after 26 days. tmm crash
Conditions:
-- Using PEM.
-- high availability (HA) failover occurs after 26 days.
Impact:
PEM does send the reconnect request within the configured reconnect, so there is no connection initiated with PCRF/OCS.
Workaround:
To restart the connection, restart tmm using the following command:
tmm restart
Note: Traffic disrupted while tmm restarts.
Fix:
PEM now initiates the connection with PCRF/OCS under these conditions.
Fixed Versions:
13.1.3, 14.1.2.1
753141-2 : Hardware returning incorrect type of entry when notifying software might cause tmm crash
Links to More Info: BT753141
Component: Advanced Firewall Manager
Symptoms:
Potential tmm crash when hardware returns incorrect type of entry when notifying software.
Conditions:
-- sPVA is not programmed with blacklist or greylist entries.
-- Hardware returns an incorrect blacklist or greylist entry to the software.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release provides a defensive check in software to not crash, and to dump the hardware registers when this happens. This will help to debug the hardware better in the future.
Fixed Versions:
14.1.4
753028-2 : AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
Links to More Info: BT753028
Component: Advanced Firewall Manager
Symptoms:
When Proxy ARP is enabled for destination addresses in an FW NAT rule performing destination NAT (static-nat/static-pat), forwarding ICMP traffic matching that rule is incorrectly dropped by AFM instead of being forwarded through the BIG-IP system.
Conditions:
-- Proxy ARP is enabled for destination addresses in an FW NAT rule.
-- The BIG-IP system (AFM) receives forwarding ICMP traffic for these (untranslated) destination addresses.
Impact:
Forwarding ICMP traffic is dropped by the BIG-IP system.
Workaround:
You can disable Proxy ARP functionality for FW NAT rules to cause the BIG-IP system (AFM) to handle forwarding ICMP traffic correctly and pass it through the system to the backend.
However, this causes the BIG-IP system to not respond to ARP requests anymore for destination addresses in such rules. As a further mitigation action, you can configure static ARP entries to handle this.
Fix:
The BIG-IP system (AFM) now correctly forwards ICMP traffic through to the backend when Proxy ARP is enabled on destination addresses in the matching FW NAT rule.
Fixed Versions:
13.1.1.4, 14.1.0.6
753014-4 : PEM iRule action with RULE_INIT event fails to attach to PEM policy
Links to More Info: BT753014
Component: Policy Enforcement Manager
Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.
Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.
Impact:
PEM fails to update the new iRule action.
Workaround:
Force mcpd to reload the BIG-IP configuration.
To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
Fix:
The system now continues processing PEM iRule actions if RULE_INIT event is present, so this issue no longer occurs.
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.7
752942-1 : Live Update cannot be used by Administrator users other than 'admin' and 'root'
Links to More Info: BT752942
Component: Application Security Manager
Symptoms:
When users configured with the Administrator role log into the system, they are not allowed to install security update files on the new live-update page:
System :: Software Management : Live Update
Conditions:
Logged in BIG-IP user is not 'admin' (the built-in Administrator account for the TMUI) or 'root' (the built-in Administrator account for the TMSH).
Impact:
Cannot apply security updates.
Workaround:
To install the security updates, log in as 'admin' or a BIG-IP user configured as a web-application-security-administrator or web-application-security-editor (role must be configured on all partitions or at least on the Common partition).
Fix:
Any BIG-IP user configured as Administrator can now apply security updates.
Fixed Versions:
14.1.0.2
752930-3 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
Links to More Info: BT752930
Component: Local Traffic Manager
Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.
Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.
Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop or mcpd process restarting loop.
Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.
2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:
# ssh slot2 bigstart stop
# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109
# save sys config
# clsh rm -f /var/db/mcpdb.bin
# ssh slot2 bigstart start
Note: This recovery method might have to be executed multiple times to restore a working setup.
Fixed Versions:
12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6
752875-2 : tmm core while using service chaining for SSLO
Links to More Info: BT752875
Component: Access Policy Manager
Symptoms:
tmm cores when using security services (service connect agent in per-request policies) for SSLO deployment.
Conditions:
-- Service connect agent in per-request policy.
-- SSLO deployment.
Impact:
tmm cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer cores when using security services (service connect agent in per-request policies) for SSLO deployment.
Fixed Versions:
14.0.1.1, 14.1.0.6
752835-2 : Mitigate mcpd out of memory error with auto-sync enabled.
Links to More Info: K46971044, BT752835
Component: TMOS
Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.
Conditions:
-- Auto-sync enabled in a high availability (HA) pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.
Impact:
Mcpd crashes.
Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.
Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.
Fixed Versions:
11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
752822-1 : SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
Links to More Info: BT752822
Component: Service Provider
Symptoms:
SIP ALG calls that fail translation during ingress are not cleaned up by the system, which might result in memory being leaked inside the TMM processes.
Conditions:
SIP ALG calls that fail translation during ingress.
Impact:
TMM leaks memory, which can slow down performance and eventually cause TMM to run out of memory and restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now cleans up SIP ALG calls that fail translation during ingress, so this issue no longer occurs.
Fixed Versions:
13.1.1.5, 14.0.1.1, 14.1.0.6
752803-1 : CLASSIFICATION_DETECTED running reject can lead to a tmm core
Links to More Info: BT752803
Component: Traffic Classification Engine
Symptoms:
When the CLASSIFICATION_DETECTED event is run on a serverside flow, and then an iRule command (e.g., to reject a flow) is run, tmm crashes.
Conditions:
-- CLASSIFICATION_DETECTED event runs on a serverside flow.
-- An iRule command runs (e.g., reject a flow).
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes under these conditions.
Fixed Versions:
13.1.3, 14.1.0.6
752782-1 : 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'
Links to More Info: BT752782
Component: Fraud Protection Services
Symptoms:
The 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.
Conditions:
FPS Provisioning and a DataSafe license.
Impact:
The menu name has changed in this release.
Workaround:
None.
Fix:
'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.2
752592-1 : VMware Horizon PCoIP clients may fail to connect shortly after logout
Links to More Info: BT752592
Component: Access Policy Manager
Symptoms:
Sometimes, if a user closes an open PCoIP desktop, logs out, and then logs in again, the user cannot launch the same desktop anymore.
Conditions:
PCoIP UDP VS has "vdi" profile assigned.
Impact:
The user cannot open the PCoIP remote desktop for a short time period (1 minute).
Workaround:
Remove "vdi" profile and assign "remotedesktop" profile to the PCoIP UDP VS:
# tmsh modify ltm virtual <PCoIP UDP VS> profiles delete { vdi }
# tmsh modify ltm virtual <PCoIP UDP VS> profiles add { remotedesktop }
In the admin UI, the assignment of the "remotedesktop" profile can be controlled via the "Application Tunnels (Java & Per-App VPN)" checkbox (right under the "VDI Profile" dropdown).
Fix:
Assignment of "vdi" profile to PCoIP UDP VS does not cause intermittent connection problems anymore.
Fixed Versions:
13.1.1.5, 14.1.0.2
752542-4 : Automatic eviction of PEM URLCAT cloud cache
Links to More Info: BT752542
Component: Traffic Classification Engine
Symptoms:
PEM URLCAT looks up the URL in the local webroot database of 20 million entries.
If an entry is not found in the webroot local DB, a message is sent to webroot website.
The results from the web lookup are stored in a per tmm local cache, which can hold 128K entries (by default).
If the local cache fills up, the cloud query no longer happens.
It is required to clear up some space in the cloud cache to accommodate the new entries.
Conditions:
If the local cache fills up, the cloud query no longer happens.
Impact:
Cloud query no longer happens for new requests.
Workaround:
None
Fix:
10% of the per tmm local cache will be cleared and new entries will be added in this space only.
The last 10% of memory will always be cleared if the local cache is full.
Behavior Change:
The entries in the cloud cache will be evicted, if the cache becomes full. Prior to this change, the cloud lookup would stop altogether once the cache was full.
Fixed Versions:
14.1.4.4
752530-1 : TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
Links to More Info: BT752530
Component: Local Traffic Manager
Symptoms:
Fast L4 TCP Analytics reports incorrect goodput when server sequence number and the TMM generated sequence number are different.
Conditions:
This occurs when either of the following conditions is met:
-- tcp-generate-isn is set in the Fast L4 profile.
-- SYN cookie is active.
Impact:
The GUI page Statistics :: Analytics :: TCP :: Goodput displays incorrect goodput values.
Workaround:
None.
Fix:
Fast L4 TCP Analytics now shows correct goodput values when server sequence number and the TMM generated sequence number are different.
Fixed Versions:
13.1.4.1, 14.1.2.7
752363-2 : Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
Links to More Info: BT752363
Component: Advanced Firewall Manager
Symptoms:
Client request fails, due to being dropped on the BIG-IP system.
Conditions:
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.
Impact:
Client request gets dropped due to BIG-IP AFM dropping the flow.
Workaround:
Disable BDoS feature. The feature can be disabled using the following commands:
-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}
-- To disable BDoS per-profile, run the following commands:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }
Fix:
The system now handles the looped flows properly, so the BDoS module does not incorrectly cause the packet to be dropped.
Fixed Versions:
13.1.3, 14.1.0.2
752334-1 : Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
Links to More Info: BT752334
Component: Local Traffic Manager
Symptoms:
When Fast L4 receives out-of-order TCP packets, TCP analytics may compute the wrong goodput value.
Conditions:
Fast L4 receives out-of-order packets.
Impact:
Fast L4 reports an incorrect goodput value for the connection.
Workaround:
None.
Fix:
Out-of-order packet arrival no longer causes incorrect Fast L4 goodput calculation.
Fixed Versions:
13.1.4.1, 14.1.2.7
752078-2 : Header Field Value String Corruption
Links to More Info: BT752078
Component: Local Traffic Manager
Symptoms:
This is specific to HTTP/2.
In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP system.
Conditions:
-- The header field value string is exceptionally long, and has embedded whitespace characters.
-- HTTP/2 is used.
Impact:
A header such as:
x-info: very_long_string that has whitespace characters
may be sent to the client as:
x-info: ery_long_string that has whitespace characters
Workaround:
None.
Fix:
The BIG-IP system no longer removes the prefix characters from very long HTTP/2 header field value strings containing embedded whitespace characters.
Fixed Versions:
13.1.1.4, 14.1.0.6
752047-1 : iRule running reject in CLASSIFICATION_DETECTED event can cause core
Links to More Info: BT752047
Component: Traffic Classification Engine
Symptoms:
The CLASSIFICATION_DETECTED iRule event can run very early when classification happens in the classification database (srdb). If the iRule then issues a reject command, tmm cores.
Conditions:
CLASSIFICATION_DETECTED on L4 executing reject command.
Impact:
tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
iRule running reject in CLASSIFICATION_DETECTED event no longer causes tmm core.
Fixed Versions:
13.1.1.5, 14.1.0.6
751991-1 : BIOS update fails with "flashrom not safe for BIOS updates yet" log message
Links to More Info: BT751991
Component: TMOS
Symptoms:
Upon installing a version of BIG-IP that contains an updated version of the system BIOS onto an F5 hardware platform, the BIOS update may fail.
Messages similar to the following may be seen at the console:
Updating BIOS to /usr/firmware/<filename>.bin
Using layout file /usr/firmware/<filename>.layout to update bios region
Updating BIOS... DO NOT POWER DOWN
Updating BIOS... DO NOT POWER DOWN (elapsed seconds:1)
...
Updating BIOS... DO NOT POWER DOWN (elapsed seconds:##)
BIOS update failed. Check /var/log/ltm for errors
Broadcast message from systemd-journald@localhost (<date & time string>):
chmand[####]: 012a0000:0: BIOS update failed. Check /var/log/ltm for errors
A message similar to the following will be seen in the /var/log/ltm file:
info chmand[####]: 012a0006:6: /bin/bios_update: flashrom not safe for BIOS updates yet.
Conditions:
This may occur on F5 hardware platforms running affected versions of BIG-IP based on RHEL 7.x, when booting into an affected version that includes a newer BIOS image than the system is currently using.
The "tmsh show sys hardware" command can be used to see the currently-used BIOS version.
The /var/log/ltm file contains messages from chmand when BIOS (and other firmware) updates are attempted, which display the version found currently installed and the newer version for which the update was attempted.
Impact:
Affected F5 hardware platforms may continue to run a non-current version of system BIOS, which may compromise system stability and/or performance.
Workaround:
It is possible to work around this issue by installing a later, non-affected version of BIG-IP into a different volume, booting into that version to perform firmware updates, then booting back into the affected BIG-IP version.
Fix:
BIOS updates are now successfully performed on versions of BIG-IP based on RHEL 7.x.
Fixed Versions:
14.1.4
751869-2 : Possible tmm crash when using manual mode mitigation in DoS Profile
Links to More Info: BT751869
Component: Advanced Firewall Manager
Symptoms:
tmm crash and restart is possible when using manual mode mitigation in DoS Profile.
Conditions:
When manual mode mitigation is used for any vector that is enabled in the DoS Profile that is attached to a Protected Object.
Impact:
tmm crash and restart is possible. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm crash and restart no longer occurs when using manual mode mitigation in DoS Profile.
Fixed Versions:
13.1.1.5, 14.1.0.5
751824-1 : Restore old 'merge' functionality with new tmsh verb 'replace'
Links to More Info: BT751824
Component: TMOS
Symptoms:
Prior to v12.1.3.4, the 'merge' command merged a specified config with the existing config, replacing certain conflicting values. In this release, the merge command operates differently, so there is a new command, 'replace', to now perform the operation previously accomplished with 'merge'.
Conditions:
Running the following command:
tmsh load /sys config file <scf-filename> merge
Impact:
Operation does not work like it did in previous releases.
Workaround:
None.
Fix:
This release restores the merge functionality from v12.x and earlier with a new tmsh verb: replace. The new TMSH command is as follows:
tmsh load sys config file <filepath> replace
Behavior Change:
This release restores the merge functionality from v12.x and earlier with a new tmsh verb: replace. The new TMSH command is as follows:
tmsh load sys config file <filepath> replace
The merge command now operates as follows:
-- Previously: if a top-level object (virtual server) existed in the config and also in the merge file, the top-level object was replaced.
-- Now: if a top-level object (virtual server) exists in both, the top-level object is recursively merged. (Pool members are merged together. LTM virtual server profiles are merged together (appended vs. replace-all-with)).
Fixed Versions:
14.1.0.5
751807-1 : SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel
Links to More Info: BT751807
Component: Access Policy Manager
Symptoms:
Decrypted traffic is not forwarded to services even though a matching rule action in security policy selects a service chain.
Conditions:
-- Matching rule action in security policy selects a service chain.
-- Traffic is an HTTP tunnel (CONNECT method) that is accepted by an outbound transparent proxy created by SSL Orchestrator.
Impact:
No visibility to decrypted traffic if it is an HTTP tunnel through SSL Orchestrator.
Workaround:
None.
Fix:
Decrypted traffic is forwarded as expected to services, when matching rule action in security policy selects a service chain, for HTTP tunnel traffic sent through SSL Orchestrator.
Fixed Versions:
14.1.0.6
751710-4 : False positive cookie hijacking violation
Links to More Info: BT751710
Component: Application Security Manager
Symptoms:
A false positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the one configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
N/A
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.2.1
751636-1 : Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership★
Links to More Info: BT751636
Component: TMOS
Symptoms:
After downgrading from BIG-IP version 14.1.0 to an earlier version, the group IDs of /var/lock and /var/spool/mail are incorrect. This can be encountered after you boot into the earlier-versioned software image. /var/log/liveinstall.log contains the following messages:
-- info: RPM: filesystem-2.4.30-3.el6.0.0.10.i686
-- info: RPM: warning: group lock does not exist - using root
-- info: RPM: warning: group mail does not exist - using root
When running the following command:
config # rpm -V filesystem
......G.. /var/lock
......G.. /var/spool/mail
The expected results are as follows:
config # rpm -V filesystem
config # stat -c %G /var/lock
lock
config # stat -c %G /var/spool/mail
mail
In this version, the results are as follows:
config # rpm -V filesystem
config # stat -c %G /var/lock
root
config # stat -c %G /var/spool/mail
root
Conditions:
-- BIG-IP version 14.1.0 is running.
-- An earlier software version is installed.
-- The system is then booted into that earlier version.
Impact:
There is no known impact to the system if this occurs; however, running rpm -V will report these two discrepancies.
This occurs because rpm versions 4.8 and earlier have built-in recognition of exactly three group names: 'root', 'mail', and 'lock'. In v4.8, these special names appear in <src>/lib/misc.c:gnameToGid. To use the group names 'mail' and 'lock' as intended, all BIG-IP releases earlier than BIG-IP v14.1.0 rely on this special feature of rpm.
BIG-IP v14.1.0 moved to rpm version 4.11, in which the function no longer exists.
Workaround:
From a shell, correct the group ID of the two directories using the following two commands:
config # chgrp lock /var/lock
config # chgrp mail /var/spool/mail
Fixed Versions:
14.1.0.2
751589-1 : In BIG-IP VE, some IP rules may not be created during the first boot up.
Links to More Info: BT751589
Component: Local Traffic Manager
Symptoms:
The BIG-IP Virtual Edition (VE) system might not be able to install some IP rules in the host during the first boot up. As a result, some types of traffic (e.g., ssh) destined for the BIG-IP system via the data path (not via the management interface) might not be able to respond back to a sender. This issue exists only during the first boot into a new BIG-IP partition after installation.
Conditions:
This issue exists if the following conditions are met:
-- The BIG-IP system is VE.
-- Before installing a new BIG-IP image, the sys db variables 'liveinstall.saveconfig' and 'liveinstall.moveconfig' are both set to 'disable'. By default, both variables are set to 'enable'.
-- First boot into a new BIG-IP partition after installation.
Impact:
Some types of traffic (e.g., ssh) destined for the BIG-IP system via the data path (not via the management interface) might not be able to respond back to a sender.
Workaround:
You can use either of the following workarounds:
-- Restart mcpd using the following command:
bigstart restart mcpd
-- After the first boot into a new BIG-IP partition, you can simply reboot the BIG-IP system again, and then the necessary IP rules are created correctly.
Fix:
The necessary IP rules are created correctly in the first boot into a new BIG-IP partition after installation.
Fixed Versions:
14.1.2.7
751586 : Http2 virtual does not honour translate-address disabled
Links to More Info: BT751586
Component: Local Traffic Manager
Symptoms:
Translate-address disabled on an HTTP/2 virtual server is ignored.
Conditions:
-- HTTP/2 virtual server configured.
-- Translate-address disabled.
Impact:
The traffic is still translated to the destination address of the pool member.
Workaround:
None.
Fix:
Translate-address disabled is working correctly now.
Fixed Versions:
12.1.4.1, 13.1.3.4, 14.1.2.1, 15.1.4
751584-1 : Custom MIB actions can be blocked by SELINUX permissions
Links to More Info: BT751584
Component: TMOS
Symptoms:
When creating custom MIBs you can execute commands, but you may run into SELINUX permissions issues that prevent the tmctl command from executing.
Conditions:
Executing tmctl calls inside custom MIB procedures.
Impact:
Statistics are not collected for the MIB objects.
Workaround:
None.
Fix:
The SNMPD LINUX permissions have been expanded to cover this case.
Fixed Versions:
14.1.3.1
751573-1 : Updates to HSL pool members may not take effect
Links to More Info: BT751573
Component: TMOS
Symptoms:
High Speed Logging (HSL) does not respect the configured pool's changes and continues to send logs to the previous state of the pool.
For example, consider the following configuration:
-- HSL configured to send logs to pool (pool-HSL) where pool-HSL has 2 members: pm-1, and pm-2.
-- There is a manual update to pool-HSL to remove pm-2, or a monitor marks pm-2 down.
-- That change is not honored, and HSL continues to send logs to pm-2.
Conditions:
-- High Speed Logging configured to log to a pool of multiple members.
-- Pool members change manually or due to a monitoring probe.
-- Running one of the known affected TMOS versions.
Impact:
HSL logs continue being forwarded according to the previous state of the configured pool. The new state is not reflected.
Workaround:
None.
Fix:
Updates to pool members used as HSL destination are correctly reflected in HSL log forwarding.
Fixed Versions:
14.1.2.5
751448-1 : TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart
Links to More Info: BT751448
Component: TMOS
Symptoms:
There are three major routing participants on a BIG-IP system: TMM, ZebOS, and Linux routing tables. Each of them replicates routes between the others. The 'bigstart restart tmm' command restarts tmm, and a part of the restart process is to mark VLAN interfaces DOWN and later UP. Another part of the same process is to restart the ZebOS daemons.
There is a race condition between these two events, so the following might happen:
1) tmm marks interface named vlan1 as DOWN, and a bit later marks it as UP, but not UP and RUNNING.
2) The ZebOS daemons are restarted and ready to update interface status. They request a current status and mark interface UP, not UP and RUNNING.
3) tmm is fully restarted and marks vlan1 UP and RUNNING.
4) The ZebOS daemons reject dynamic routes because interface vlan1 is UP, but not RUNNING.
Conditions:
- BIG-IP Virtual Edition (VE).
- Dynamic routing is configured and there is a decide with some dynamic routes.
- You run the 'bigstart restart tmm' command.
Impact:
Traffic that relies on dynamic routes is interrupted. Because this is a race condition, it depends on configuration and timing.
Workaround:
Restart tmrouted daemon using the following command:
bigstart restart tmrouted
Fix:
Dynamic routes are not rejected and are successfully inserted into routing tables.
Fixed Versions:
14.1.4
751430-1 : Unnecessary reporting of errors with complex denial-of-service policies
Links to More Info: BT751430
Component: Application Security Manager
Symptoms:
In the tmm log files, messages are reported:
016e0002:3: Execution of action 'l7dos enable from-profile=/dos-xyzzy' failed, error ERR_NOT_SUPPORTED
Conditions:
-- ASM provisioned.
-- At least one virtual server configured with a complex L7DoS policy.
Impact:
The BIG-IP system continually logs erroneous errors to /var/log/ltm.
Workaround:
Attach another 'bot' profile to the virtual server associated with the error.
Fix:
The system no longer prints unnecessary errors.
Fixed Versions:
14.1.2.7
751424-1 : HTTP Connect Category Lookup not working properly
Links to More Info: BT751424
Component: Access Policy Manager
Symptoms:
1. HTTP Connect Category Lookup does not return the correct category.
2. HTTP Connect Category Lookup cannot attach the service chain correctly.
Conditions:
-- Using SSLO iApp to configure a security policy.
-- Choose conditions 'Category Lookup (All)' and 'Category Lookup (HTTP Connect)'.
Impact:
Service chain is not correctly triggered based on the SSLO iApp policy selection when HTTP Connect traffic is passed.
Workaround:
There is no workaround at this time.
Fix:
1. The Access Per-request Policy HTTP Connect Category Lookup agent now returns the correct category ID.
2. Service connector is now inserted correctly, which ensures the correct behavior when dealing with HTTP Connect tunnel traffic.
Fixed Versions:
14.1.0.6
751292-1 : mcpd core after changing parent netflow to use version9
Links to More Info: BT751292
Component: Advanced Firewall Manager
Symptoms:
When making changes to netflow profile (changing between v9 and v5), mcpd CPU usage on one core goes high, and a core file is written.
The problem occurs only when modifying root netflow profile that is referenced by a child netflow. Modifying the root netflow profile works as expected when it is not being referred to by any child netflow. When the issue occurs, mcpd gets into a loop and hangs there for a long time.
Conditions:
The problem occurs only when modifying root netflow profile that is referenced by a child netflow.
Impact:
The config changes appear to have been made. However, mcpd processes the config and stops responding. While mcpd restarts, there is no traffic management functionality (e.g., cannot retrieve or update system status, cannot reconfigure system, other daemons are not functional).
Workaround:
No workaround.
Fixed Versions:
14.1.2.5
751179-1 : MRF: Race condition may create too many outgoing connections to a peer
Links to More Info: BT751179
Component: Service Provider
Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.
Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.
Impact:
More than one connection to a peer is created.
Workaround:
None.
Fix:
Only one connection is created under these conditions.
Fixed Versions:
11.6.5.2, 13.1.1.5, 14.1.0.6
751116-1 : DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring
Links to More Info: BT751116
Component: Advanced Firewall Manager
Symptoms:
The DoS visibility screens (Monitoring :: Security :: Reporting : DoS) may display DNS and Network protocol DoS attacks with the incorrect mitigation details.
Conditions:
An attacked object assigned to a DoS profile with either DNS or Network security protocols that are configured to have detect-only or learn-only states for DoS attacks.
Impact:
Network or DNS DoS attacks, detected by a DoS profile with detect-only or learn-only protection, display mitigation as Blocking instead of the configured Transparent protection. This does not affect the reported traffic data found in the DoS visibility dimensions and charts.
Workaround:
None.
Fixed Versions:
13.1.3.4, 14.1.4.2
751103-4 : TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop
Links to More Info: BT751103
Component: TMOS
Symptoms:
Issuing the command 'tmsh save sys config' results in a question when display threshold is set and when management routes are configured. There is no prompt when no management routes are configured. This question is posted only when management-routes are configured, and does not appear when other provisioning commands are issued and the config is saved.
Conditions:
1. Set the cli preference display-threshold to a smaller value than the default.
2. Create management routes.
3. Issue the following command:
tmsh save sys config
Impact:
When there are more items configured than the threshold, the system presents a question:
Display all <number> items? (y/n)
Scripts are stopped until the prompt is answered.
Workaround:
To prevent the question from popping up, set display threshold to 0 (zero).
In the case of this script, you can also delete the management route definitions to prevent the question from being asked.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1
751052-1 : HTTP iRule event HTTP_REJECT broken
Links to More Info: BT751052
Component: Local Traffic Manager
Symptoms:
When an action causes an HTTP_REJECT event to be triggered, the content isn't executed, and BIG-IP logs an error log message that the event aborted:
info tmm[16852]: 01220009:6: Pending rule (null) <HTTP_REJECT> aborted
Conditions:
Any actions that cause an HTTP_REJECT event to be triggered.
Impact:
iRule content is not executed and the iRule action is aborted.
Fix:
Fixed an issue with the HTTP_REJECT event.
Fixed Versions:
14.1.2.5
751036-1 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
751032-3 : TCP receive window may open too slowly after zero-window
Links to More Info: BT751032
Component: Local Traffic Manager
Symptoms:
After a zero-window, TCP reopens its receive window with init-rwnd * mss bytes if sys db tm.tcpinitwinafterxon is enabled, and grows it as data is received. For a TCP connection with a large receive window, reaching the receive window limit might take some RTTs because init-rwnd is limited to 64.
Conditions:
-- A TCP profile with large receive window size.
-- A zero-window is sent.
-- TCP receive window is reopened when data is drained.
Impact:
TCP does not have the functionality to reopen its receive window more aggressively if needed, which might result in longer transfer times.
Workaround:
None
Fix:
A new sys db (tm.tcpinitwinmultiplierafterxon) is introduced to provide TCP the functionality to reopen its receive window more aggressively after zero-window.
Behavior Change:
A new sys db (tm.tcpinitwinmultiplierafterxon) has been introduced to provide TCP the functionality to reopen its receive window more aggressively after zero-window. It has a default minimum value of 1 and can be increased to a maximum of 100.
Fixed Versions:
14.1.4.4, 15.1.4
751021-1 : One or more TMM instances may be left without dynamic routes.
Links to More Info: BT751021
Component: TMOS
Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.
However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.
An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.
Conditions:
This issue is known to occur when all of the following conditions are met:
- The system is a multi-blade VIPRION or vCMP cluster.
- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.
Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.
Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:
# clsh "bigstart restart tmrouted"
However, there is no strict guarantee this will resolve the issue, given the nature of the issue.
Alternatively, you could temporarily replace the dynamic routes with static routes.
Fix:
All TMM instances across all blades now properly learn dynamic routes.
Fixed Versions:
13.1.3.5, 14.1.4
751011-3 : ihealth.sh script and qkview locking mechanism not working
Links to More Info: BT751011
Component: TMOS
Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.
Conditions:
Running qkview on one terminal and then ihealth.sh in another.
Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.
Workaround:
Run either qkview or ihealth.sh, not both simultaneously.
Fix:
Starting a qkview and then running ihealth.sh halts immediately as the system detects that qkview is running.
Fixed Versions:
13.1.1.5, 14.1.0.2
751009-3 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
Links to More Info: BT751009
Component: TMOS
Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.
Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.
Impact:
The file /var/tmp/mcpd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.
The file being deleted causes challenges with trying to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because it now requires a service impact (restarting mcpd).
Additionally, this may cause challenges in managing disk space on the /shared filesystem, because mcpd keeps writing to a deleted file that cannot be truncated.
Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.
Edit the /usr/bin/ihealth.sh script to remove the corresponding line.
From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr
Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.
Fix:
The problem line has been removed from the script, so this mcpd debug file is left alone (not deleted) after running ihealth.sh. Note that the GUI version of running qkview uses ihealth.sh script.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.0.2
750973-1 : Import XML policy error
Links to More Info: BT750973
Component: Application Security Manager
Symptoms:
Import XML policy fails with errors:
--------
The security policy file does not conform to the schema and cannot be imported
element attack_type: Schemas validity error : Element
'attack_type': 'Web Scraping' is not a valid value
--------
Conditions:
-- A user-defined Signature Set having Attack Type 'Web Scraping' defined.
-- This Signature Set is included in an exported XML policy.
Impact:
Schema validation on XML policy import fails. Import XML policy fails with errors.
Workaround:
Use binary policy export/import.
Fix:
This release fixes the XML policy export/import process to not fail or produce Attack Type 'Web Scraping'-related errors.
Fixed Versions:
14.1.0.2
750922-1 : BD crash when content profile used for login page has no parse parameters set
Links to More Info: BT750922
Component: Application Security Manager
Symptoms:
Bd crashes. No traffic goes through ASM.
Conditions:
-- A JSON Login page is configured.
-- The content profile used for the login page does not have parse parameters set.
Impact:
No traffic goes through ASM. Bd crashes.
Workaround:
Set the parse parameters setting.
Fix:
BD no longer crashes when the content profile used for login page has no parse parameters set.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
750823-1 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
Links to More Info: BT750823
Component: Access Policy Manager
Symptoms:
Memory usage in TMM keeps going up.
Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:
TCL error: ... - Failed to forward request to apmd.
Impact:
Memory leaks in TMM, which cause a TMM crash eventually.
Workaround:
Limit the amount of data that will be forwarded to APMD.
Fixed Versions:
13.1.3, 14.1.2.1
750793-2 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
Links to More Info: BT750793
Component: Application Security Manager
Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.
Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.
Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.
Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.
Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.
Fixed Versions:
14.0.0.5, 14.1.0.2
750702-1 : TMM crashes while making changes to virtual wire configuration
Links to More Info: BT750702
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
This can occur when deleting a virtual-wire configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
14.1.4.5
750689-3 : Request Log: Accept Request button available when not needed
Links to More Info: BT750689
Component: Application Security Manager
Symptoms:
There are several violations that make requests unlearnable, but the Accept Request Button is still enabled.
Conditions:
This occurs in the following scenarios:
1. Request log has requests with following violations that make requests unlearnable:
- Threat Campaign detected.
- Null character found in WebSocket text message.
- Access from disallowed User/Session/IP/Device ID.
- Failed to convert character.
2. Subviolations of HTTP protocol compliance fails violation:
- Unparsable request content.
- Null in request.
- Bad HTTP version.
3. Only the following violations are detected:
- Access from malicious IP address.
- IP address is blacklisted.
- CSRF attack detected.
- Brute Force: Maximum login attempts are exceeded.
Impact:
Accept Request button is available, but pressing it does not change the policy.
Workaround:
None.
Fix:
The Accept Request button is now disabled when there is nothing to be learned from request.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
750686-1 : ASE user cannot create or modify a bot signature.
Links to More Info: BT750686
Component: Application Security Manager
Symptoms:
Application Security Editor user role gets a validation exception while trying to create or modify bot defense signature either via GUI, tmsh, or REST.
Conditions:
The logged on user account is configured with an Application Security Editor role.
Impact:
Application Security Editor unable to define user-defined signatures for bot defense module.
Workaround:
Change user role to Administrator or Web Application Security Administrator to create or modify bot defense signatures.
Fix:
User accounts configured for Application Security Editor can now create/modify bot defense signatures.
Fixed Versions:
14.1.0.2
750683-1 : REST Backwards Compatibility: Cannot modify enforcementMode of host-name
Links to More Info: BT750683
Component: Application Security Manager
Symptoms:
Modifying the enforcementMode value fails with the following message: Valid Host Name already exists in this policy.
In 14.1.0, the capability to treat specific domains as Transparent while the rest of the policy is in Blocking moved from Host Names to the new Microservices feature. The REST endpoint for Host Names (/mgmt/tm/asm/policies/<ID>/host-names) is meant to still support setting and modifying this attribute. However, this is not happening successfully.
Conditions:
-- Running version 14.1.0 software.
-- Using a pre-14.1.0 REST API to modify the enforcementMode of a host name (/mgmt/tm/asm/policies/<ID>/host-names).
Impact:
The value change fails.
Workaround:
You can use either workaround:
-- Change the value using the GUI.
-- Use the newer endpoint: (/mgmt/tm/asm/policies/<ID>/microservices).
Fix:
Using the backwards compatible REST to update the enforcementMode of a host name now succeeds.
Fixed Versions:
14.1.0.2
750679-1 : Tmm crash on standby device and Diameter stats issues
Links to More Info: BT750679
Component: Service Provider
Symptoms:
Tmm crashes on the standby device. Prior to the crash, Diameter stats are not updating on the standby device.
Conditions:
Diameter is configured in a high availability (HA) environment.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Stats on standby device are now updated properly, and tmm does not crash.
Fixed Versions:
14.1.4.1
750668-1 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
Links to More Info: BT750668
Component: Application Security Manager
Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.
Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.
Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.
Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.
Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.
Fixed Versions:
14.1.0.2
750666-1 : Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common'
Links to More Info: BT750666
Component: Application Security Manager
Symptoms:
For any partition other than 'Common' (i.e., a user-defined partition), you cannot create a new Bot Signature or Bot Category Signature via the GUI, because the form fields and buttons are disabled (grayed out).
Conditions:
-- Creating Bot Signature/Bot Category Signature.
-- The partition is set to a user-defined partition.
Impact:
No creation of Bot Signature/Bot Category Signature can be completed through GUI in a user-defined partition.
Workaround:
Create Bot Signature/Bot Category Signature in TMSH.
Fix:
Can now create Bot Signature/Bot Category Signature in user partition different from 'Common'.
Fixed Versions:
14.1.0.2
750661 : URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.
Links to More Info: BT750661
Component: TMOS
Symptoms:
A regression in configuration processing causes LTM Rewrite profile to ignore configured URI translation rules.
Conditions:
Using LTM Rewrite profiles to ignore configured URI translation rules.
Impact:
URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.
Workaround:
None.
Fix:
Restored functionality of LTM Rewrite URI translation rules.
Fixed Versions:
14.1.0.2
750631-2 : There may be a latency between session termination and deletion of its associated IP address mapping
Links to More Info: BT750631
Component: Access Policy Manager
Symptoms:
In SWG, if a new request from a client executes iRule command "ACCESS::session exists" when the session has expired previously, the command will return false. However, if command "ACCESS::session create" is executed following the exist command, the session ID of the previous session may be returned.
Conditions:
In SWG, if a new request from a client IP comes into the system right after its previous session has expired.
Impact:
The Access filter will determine that the session ID is stale and, therefore, will redirect the client to /my.policy
Fix:
N/A
Fixed Versions:
13.1.3, 14.1.2.7
750586-2 : HSL may incorrectly handle pending TCP connections with elongated handshake time.
Links to More Info: BT750586
Component: TMOS
Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion that exceed default handshake timeout.
Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.
Impact:
-- Service interruption while TMM restarts.
-- Failover event.
Workaround:
None.
Fix:
HSL handles unusually long pending TCP handshakes gracefully and does not cause outage.
Fixed Versions:
12.1.5, 13.1.1.5, 14.1.0.6
750580-1 : Installation using image2disk --format may fail after TMOS v14.1.0 is installed★
Links to More Info: BT750580
Component: TMOS
Symptoms:
When v14.1.0 is installed, subsequent installations of software performed using image2disk with the --format=volumes option from within a TMOS installation slot may fail.
The failure occurs after the disks have been formatted, but before the TMOS installation slot is bootable, and the system is left without a TMOS installation slot.
While performing the installation, the system posts messages similar to the following in the serial console:
-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : MySQL-shared/i686
...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package MySQL-shared (i686)
-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : openssl/x86_64
...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package openssl (x86_64)
-- info: capture: status 32512 returned by command: chroot /mnt/tm_install/1258.DHwcwN rpm --rebuilddb
...
-- info: chroot: failed to run command 'rpm': No such file or directory
Conditions:
This issue occurs when all of the following conditions are met:
-- Version 14.1.0 is installed on the system, even if the system never boots into the 14.1.0 installation slot.
-- Using image2disk with the --format=volumes option specified from TMOS.
-- Installing another version of the software.
In particular, this issue affects MOS version 2.12.0-140.0, which can be checked by running this command from a bash shell on the BIG-IP system:
grub_default -d | grep -A6 'TMOS maintenance' | grep 'TIC_STATIC_VERSION'
Impact:
The installation fails, and the system is left in a state where it is not accessible on the network and has no configuration. You must use the console to access the system.
Workaround:
You can use the following workarounds:
-- Use the Software Management screens in the GUI to perform installations
-- Use the tmsh 'sys software' commands to perform software installations.
-- Do not use the image2disk --format command to install software.
Fixed Versions:
14.1.0.2
750477-1 : LTM NAT does not forward ICMP traffic
Links to More Info: BT750477
Component: Advanced Firewall Manager
Symptoms:
ICMP traffic that matches an LTM NAT object on a BIG-IP system is not forwarded; instead, it is dropped on the BIG-IP system.
Conditions:
-- LTM NAT object is configured on the BIG-IP system.
-- The BIG-IP system receives ICMP traffic matching the LTM NAT object.
Impact:
Client ICMP traffic (matching LTM NAT) is not forwarded to the destination causing traffic disruption.
Workaround:
None.
Fix:
ICMP traffic matching an LTM NAT object is now forwarded to the destination as expected.
Fixed Versions:
14.1.0.5
750473-4 : VA status change while 'disabled' are not taken into account after being 'enabled' again
Links to More Info: BT750473
Component: Local Traffic Manager
Symptoms:
The virtual-address network is not advertised with route-advertisement enabled.
Conditions:
1. Using a virtual-address with route advertisement enabled.
2. Disable virtual-address while state is down.
3. Enable virtual-address after state comes up.
Impact:
No route-advertisement of the virtual-address.
Workaround:
Toggle the route-advertisement for virtual-address.
Fix:
The virtual-address now operates as expected when disabled.
Fixed Versions:
11.6.5.2, 12.1.5.3, 14.1.2.7
750447-3 : GUI VLAN list page loading slowly with 50 records per screen
Links to More Info: BT750447
Component: TMOS
Symptoms:
The GUI VLAN list page loads slowly when there are 3200+ VLANs and the Records Per Screen Preference is set to 50.
Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.
Impact:
Cannot use the page.
Workaround:
Use tmsh or guishell tool to see the VLANs.
You can also try using a smaller value for the Records Per Screen option in System :: Preferences.
Fix:
Improved data retrieval and rendering for the VLAN list page.
Fixed Versions:
13.1.1.5, 14.1.0.2
750431-1 : Persistence record is deleted in MRF SIP after updating timeout value with the iRule 'SIP::persist timeout'
Links to More Info: BT750431
Component: Service Provider
Symptoms:
MRF SIP persistence records are deleted after updating the timeout value with the iRule 'SIP::persist timeout'.
Conditions:
-- MRF SIP configured with a persistence mode enabled.
-- Persistence timeout value is modified with iRule 'SIP::persist timeout'.
Impact:
Connections are not persisted as expected, causing additional processing, load balancing, and potential for misrouted messages.
Workaround:
Do not use 'SIP::persist timeout' to update timeouts. Increase initial timeout values when using custom persistence mode or switch to a non-custom persistence mode that updates timeouts automatically without iRules.
Fix:
The iRule 'SIP::persist timeout' no longer causes the persistence record to be deleted when updating the timeout value.
Fixed Versions:
14.1.2.1
750356-2 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
Links to More Info: BT750356
Component: Application Security Manager
Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.
Conditions:
-- Create a new filter.
-- Remove the new filter.
Impact:
The system removes all user-defined filters.
Workaround:
Before you delete a newly created filter, reload the page.
Fix:
Filter removal now completes successfully for all scenarios.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
750318-3 : HTTPS monitor does not appear to be using cert from server-ssl profile
Links to More Info: BT750318
Component: TMOS
Symptoms:
An HTTPS monitor using a client certificate configured in the server-ssl profile fails to send the certificate during the SSL handshake.
A tcpdump shows a 0-byte certificate being sent.
Conditions:
-- In-tmm monitoring is disabled (default).
-- The server-ssl profile has been modified but without changing the configured certificate or key.
The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.
Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.
Workaround:
Restart bigd process by running the following command:
bigstart restart bigd
Fix:
mcpd now sends the full profile configuration to bigd upon modification.
Fixed Versions:
13.1.1.5, 14.1.2.3
750278-4 : A sub-second timeout for the SSL alert-timeout option may be desirable in certain cases
Links to More Info: K25165813, BT750278
Component: Local Traffic Manager
Symptoms:
For certain high-throughput applications running over SSL (for instance, video streaming), it may be desirable for the BIG-IP system to reset both flows as soon as possible once one side has sent a FIN but the peer side is continuing to send data.
This situation can be undesirable (as it wastes bandwidth) given that at this point the BIG-IP system is no longer proxying data but just dropping all remaining ingress packets (as SSL does not support half-closed TCP connections).
Conditions:
This issue occurs when the following conditions are met:
- A standard virtual server with the client SSL and server SSL profiles in use.
- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.
- The peer side ignores the FIN and continues to send data.
Impact:
Even if the SSL alert-timeout option was set to its lowest allowed value (1 second), given a large number of connections in this specific state, the wasted bandwidth can reach considerable levels.
Workaround:
None.
Fix:
The SSL alert-timeout option now supports the 'Immediate' value, which makes the BIG-IP system reset both flows after 1/1000 second.
Fixed Versions:
14.1.3.1, 15.0.1.3
750213-4 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
Links to More Info: K25351434, BT750213
Component: Global Traffic Manager (DNS)
Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.
Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.
Note: If the response is not in the hardware cache, then the query should be properly handled.
Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.
This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.
Workaround:
None.
Fixed Versions:
12.1.5, 13.1.3, 14.1.2.5
750200-3 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
Links to More Info: BT750200
Component: Local Traffic Manager
Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.
Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.
Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.
Workaround:
None.
Fixed Versions:
13.1.1.5, 14.0.1.1, 14.1.0.2
750194-4 : Moderate: net-snmp security update
Component: TMOS
Symptoms:
SNMP crashes due to a specially crafted UDP packet by an authenticated user, resulting in Denial of Service.
Conditions:
SNMP traffic enabled
Impact:
SNMP crashes resulting in a denial of service.
Fix:
Patched net-snmp to properly validate input data.
Fixed Versions:
13.1.3.5, 14.1.4
749912-1 : [BIG-IQ Integration] Deadlock occurs when adding multiple hostnames with transparent enforcement
Links to More Info: BT749912
Component: Application Security Manager
Symptoms:
Transparent enforcement by hostname has been moved from the Host Name configuration to the Microservice configuration.
REST API Clients that use the backwards-compatible, old endpoint, and send multiple requests in parallel may encounter a deadlock when configuring this element.
Conditions:
1) REST API Clients configure policy enforcement transparency by hostname.
2) They use the backwards-compatible, old endpoint to do so.
3) Multiple requests are sent in parallel.
Note: This is the case for BIG-IQ managing the BIG-IP system and configuring multiple domain names.
Impact:
Configuration calls fail due to internal DB deadlocks
Workaround:
Retry the API calls (or BIG-IQ deployment)
Fix:
Deadlocks during configuration calls are retried automatically and do not interrupt deployments.
Fixed Versions:
14.1.0.6
749785-2 : nsm can become unresponsive when processing recursive routes
Links to More Info: BT749785
Component: TMOS
Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consumes 100% CPU.
Conditions:
-- Dynamic routing enabled
-- Processing recursive routes from a BGP peer with different prefixlen values.
Impact:
Dynamic routing, and services using dynamic routes do not operate. nsm does not recover and must be restarted.
Workaround:
None.
Fix:
nsm now processes recursive routes without issues.
Fixed Versions:
12.1.5.3, 13.1.3, 14.1.2.5
749774-5 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
Links to More Info: BT749774
Component: Global Traffic Manager (DNS)
Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.
Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.
Impact:
Inconsistent behavior.
Workaround:
To allow consistent processing of any EDNS0 queries with ECS information, use a DNS profile where DNS caching is disabled by default, and selectively use the DNS cache only for non-EDNS0 queries.
Fix:
In this release, responses are now consistent when caching is enabled.
When DNS cache is enabled, EDNS0 EDNS Client Subnet (ECS) information is removed from the DNS query, as it is not supported.
Fixed Versions:
11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1
749704-2 : GTPv2 Serving-Network field with mixed MNC digits
Links to More Info: BT749704
Component: Service Provider
Symptoms:
iRules command 'GTP::ie get value' incorrectly decodes Serving-Network field, putting the least significant digit of mobile network codes (MNC) value before the other two.
Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).
Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.
Workaround:
None.
Fix:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.
Behavior Change:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
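The digit ordering behind 749704, as an added example (not F5 code). It assumes the standard 3GPP PLMN octet layout for the first three octets of the Serving Network value; the function names and sample octets are constructed for illustration.

```python
"""Decode the MCC/MNC octets of a GTPv2 Serving Network IE (type 83).

Assumed layout (3GPP PLMN coding), low nibble listed first:
  octet 1: MCC digit 1 | MCC digit 2
  octet 2: MCC digit 3 | MNC digit 3 (0xF filler when the MNC has two digits)
  octet 3: MNC digit 1 | MNC digit 2
"""

FILLER = 0xF


def split_nibbles(octet):
    """Return (low, high) 4-bit halves of one octet."""
    return octet & 0x0F, octet >> 4


def plmn_digits(value):
    """Pull the six BCD digits out of the first three octets."""
    if len(value) < 3:
        raise ValueError("Serving Network value needs at least 3 octets")
    mcc1, mcc2 = split_nibbles(value[0])
    mcc3, mnc3 = split_nibbles(value[1])
    mnc1, mnc2 = split_nibbles(value[2])
    for digit in (mcc1, mcc2, mcc3, mnc1, mnc2):
        if digit > 9:
            raise ValueError("non-decimal BCD digit in PLMN")
    if mnc3 > 9 and mnc3 != FILLER:
        raise ValueError("invalid third MNC digit")
    return (mcc1, mcc2, mcc3), (mnc1, mnc2, mnc3)


def decode_serving_network(value):
    """Return ((mcc, mnc), trailing_bytes), the shape the fix text describes.

    A two-digit MNC is returned as two digits here; how BIG-IP renders that
    case is not stated on the page.
    """
    mcc, (mnc1, mnc2, mnc3) = plmn_digits(value)
    mnc = [mnc1, mnc2] if mnc3 == FILLER else [mnc1, mnc2, mnc3]
    as_text = lambda digits: "".join(str(d) for d in digits)
    return (as_text(mcc), as_text(mnc)), bytes(value[3:])


def mnc_in_wire_order(value):
    """Reproduce the symptom: emit MNC digits in the order they sit on the
    wire (digit 3 lives in octet 2, so it comes out before digits 1 and 2)."""
    _, (mnc1, mnc2, mnc3) = plmn_digits(value)
    digits = [mnc1, mnc2] if mnc3 == FILLER else [mnc3, mnc1, mnc2]
    return "".join(str(d) for d in digits)


# Constructed samples: MCC 123 / MNC 456, and MCC 262 / MNC 01 with filler.
SAMPLE_3_DIGIT = bytes([0x21, 0x63, 0x54])
SAMPLE_2_DIGIT = bytes([0x62, 0xF2, 0x10])

if __name__ == "__main__":
    print(decode_serving_network(SAMPLE_3_DIGIT))
    print(mnc_in_wire_order(SAMPLE_3_DIGIT))
    print(decode_serving_network(SAMPLE_2_DIGIT))
```

Scripts or iRules that consumed the old value and re-ordered the digits themselves need revisiting after upgrading, because the Behavior Change above alters the returned format.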
749690-1 : MOS_Image2Disk_Installation- kjournald service error★
Links to More Info: BT749690
Component: TMOS
Symptoms:
Attempted local installation of BIG-IP software image via MOS. During installation, there is a procedure error:
tm_install::TMOS::TMOS_getenforce --
Command not found: /usr/sbin/getenforce.
Installation is successful, even with this error.
Conditions:
Attempted installation of a copied .iso image:
image2disk --nosaveconfig --instslot=MD1.2 BIGIP-15.0.0-0.0.1248.iso
Impact:
When the installation of packages starts, the system reports the message. Installation completes successfully. There is no functional impact on the system, so you can safely ignore this message.
Workaround:
None.
Fix:
The 'Command not found: /usr/sbin/getenforce' error no longer occurs.
Fixed Versions:
14.1.2.5
749689-2 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
Links to More Info: BT749689
Component: Local Traffic Manager
Symptoms:
HTTPS monitor sends a different number of cipher suites in the client hello during the SSL handshake, and sometimes the back-end server fails to find a desired cipher suite in the client hello. As a result, the SSL handshake sometimes fails and the monitor wrongly marks the pool member down.
Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.
Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.
Workaround:
Restart bigd using the following command:
bigstart restart bigd
Fix:
HTTPS monitor now sends a consistent number of cipher suites in the client hello message during the SSL handshake.
Fixed Versions:
13.1.1.5, 14.1.2.3
749675-5 : DNS cache resolver may return a malformed truncated response with multiple OPT records
Links to More Info: BT749675
Component: Global Traffic Manager (DNS)
Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.
Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).
Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.
Workaround:
A second query will return the cached record, which will only have one OPT record.
Fix:
DNS cache resolver now returns the correct response under these conditions.
Fixed Versions:
11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1
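A check for the malformed response described in 749675, as an added example (not F5 code): it walks a raw DNS message and counts OPT pseudo-records, so a capture or test client can flag responses carrying more than one. The helper names and the sample messages are constructed for illustration.

```python
"""Count OPT (type 41) records in a raw DNS message."""
import struct

TYPE_OPT = 41
FLAG_TC = 0x0200


def skip_name(msg, off):
    """Return the offset just past a domain name starting at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer, 2 octets, ends the name
            if off + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            return off + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + length


def inspect_message(msg):
    """Return {'truncated': bool, 'opt_count': int} for one DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                 # question: name + type + class
        off = skip_name(msg, off) + 4
        if off > len(msg):
            raise ValueError("truncated question")
    opt_count = 0
    for _ in range(an + ns + ar):       # resource records in all sections
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if off > len(msg):
            raise ValueError("truncated RDATA")
        if rtype == TYPE_OPT:
            opt_count += 1
    return {"truncated": bool(flags & FLAG_TC), "opt_count": opt_count}


def has_duplicate_opt(msg):
    """True when the message carries more than one OPT record."""
    return inspect_message(msg)["opt_count"] > 1


def build_truncated_response(opt_count):
    """Constructed sample: a TC=1 response for example.com A with no answers
    and opt_count empty OPT records in the additional section."""
    header = struct.pack("!6H", 0x1234, 0x8380, 1, 0, 0, opt_count)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + opt_rr * opt_count


if __name__ == "__main__":
    for n in (1, 2):
        msg = build_truncated_response(n)
        print(n, inspect_message(msg), has_duplicate_opt(msg))
```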
749608-2 : HTTP Persistence cookies erroneously sent when cookie persistence turned off
Links to More Info: BT749608
Component: Local Traffic Manager
Symptoms:
Traffic may appear to not be load balancing among a pool correctly.
Because clients are receiving persistence cookies when they should not be, a client can be routed back to the same pool member for subsequent requests when this is not necessary, instead of being assigned a pool member through load balancing.
Conditions:
This occurs when both of the following conditions are met:
1) Either of the following:
-- The always_send option is on with HTTP persistence cookies.
-- Cookies are configured with an expiry.
2) Later, persistence is changed to 'persist none' (by an iRule, for example).
Impact:
The system erroneously sends persistence cookies with responses. Undesired routing might occur, where a client is not load balanced, and instead is always directed back to the same pool member.
Workaround:
Turn off the always-send option, and disable the HTTP persistence cookie expiry.
If you need the expiry function, use an iRule to re-add it after the cookie has been inserted.
Fixed Versions:
14.1.4.4
749603-1 : MRF SIP ALG: Potential to end wrong call when BYE received
Links to More Info: BT749603
Component: Service Provider
Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.
Conditions:
The hash of one call's call-id (masked to 12 bits) matches the hash of another call's call-id.
Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.
Workaround:
None.
Fix:
Entire call-id checked before terminating media flows.
Fixed Versions:
13.1.1.5, 14.0.1.1, 14.1.0.2
749508-1 : LDNS and DNSSEC: Various OOM conditions need to be handled properly
Links to More Info: BT749508
Component: Global Traffic Manager (DNS)
Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.
Conditions:
LDNS and DNSSEC OOM conditions.
Impact:
Various traffic-processing issues, for example, TMM panic during processing of DNSSEC activity.
Workaround:
None.
Fix:
The system contains improvements for handling OOM conditions properly.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
749500-1 : Improved visibility for Accept on Microservice action in Traffic Learning
Links to More Info: BT749500
Component: Application Security Manager
Symptoms:
Low visibility for accepted on microservice action.
Conditions:
There are suggestions that can be accepted on microservice.
Impact:
The system does not show Accept on Microservice in a suggestion.
Workaround:
None.
Fix:
Improved visibility for Accept on Microservice action and microservice-related details of suggestions.
Fixed Versions:
14.1.0.2
749464-2 : Race condition while BIG-IQ updates common file
Links to More Info: BT749464
Component: Application Visibility and Reporting
Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.
Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.
Impact:
avrd might read incomplete data, and can even core in some rare cases.
Workaround:
None.
Fix:
This race condition no longer occurs.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
749461-2 : Race condition while modifying analytics global-settings
Links to More Info: BT749461
Component: Application Visibility and Reporting
Symptoms:
Updating the analytics global-settings might cause a core for avrd.
The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses
Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by internal process script.
Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.
Workaround:
None.
Fix:
This represents a partial fix. See bug 764665 for an additional fix.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
749414-4 : Invalid monitor rule instance identifier error
Links to More Info: BT749414
Component: Local Traffic Manager
Symptoms:
Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects.
Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading UCS/SCF file can trigger the issue also.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.
Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.
-- Pool members are incorrectly marked down.
Workaround:
You can use either of the following:
-- Failover or failback traffic to the affected device.
-- Run the following command: tmsh load sys config.
Fixed Versions:
11.6.5.2, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
749388-3 : 'table delete' iRule command can cause TMM to crash
Links to More Info: BT749388
Component: TMOS
Symptoms:
TMM SegFaults and restarts.
Conditions:
'table delete' gets called after another iRule command.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Call 'table lookup' on any key before performing a 'table delete'.
Whether or not the key was added into the database beforehand does not matter.
Fix:
Fixed code to prevent invalid use of internal data structure.
Fixed Versions:
12.1.5.2, 13.1.3.2, 14.1.2.5
749382-1 : Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater
Links to More Info: BT749382
Component: TMOS
Symptoms:
Running a bare-metal installation via image2disk (i.e., 'image2disk --format=volumes <ISO>') may fail due to a missing command in the maintenance OS.
Conditions:
The version of MOS installed on the system is from a v14.1.0 or newer ISO, and a user attempts a bare-metal installation via the 'image2disk' command.
Impact:
Unable to perform bare-metal installations/installations from MOS in affected versions.
Workaround:
The installed version of MOS can be removed with the command '/usr/lib/bpdiag -a mos'. After doing this, installing a version older than 14.1.0 will re-install an older version of MOS without this issue. You can then reboot to MOS and manually run the installation using 'image2disk' from there.
Fix:
Fix issues with bare-metal installations via 'image2disk' failing.
Fixed Versions:
14.1.0.2
749332-3 : Client-SSL Object's description can be updated using CLI and with REST PATCH operation
Links to More Info: BT749332
Component: TMOS
Symptoms:
REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error:
SSL forward proxy RSA CA key is missing.
Conditions:
Issue is seen only with REST PUT operation, and when proxy-ca-cert and proxy-ca-key are not configured.
Impact:
REST PUT operation cannot be used to update/modify the description.
Workaround:
You can use either of the following:
-- You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured.
-- You can also use the PATCH operation and send only the required fields that need modification.
Fixed Versions:
14.1.4.4, 15.1.5, 16.1.2.1
749331-3 : Global DNS DoS vector does not work in certain cases
Links to More Info: BT749331
Component: Advanced Firewall Manager
Symptoms:
Global DNS DoS vector stops working under certain conditions.
Conditions:
Packets are not made to go through its entirety.
Impact:
Global DNS data structures are overwritten by subsequent incoming packets. Global DNS DoS vector does not rate-limit the packets.
Workaround:
None.
Fix:
Global DNS DoS vector checks now prevent this issue, so rate-limiting works as expected.
Fixed Versions:
14.1.0.2
749294-4 : TMM cores when query session index is out of boundary
Links to More Info: BT749294
Component: Local Traffic Manager
Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by a memory corruption issue.
Conditions:
When session index equals the size of session caches.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.
Fixed Versions:
12.1.5, 13.1.3.2, 14.0.1.1, 14.1.0.2
749249-1 : IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP
Links to More Info: BT749249
Component: TMOS
Symptoms:
IPsec tunnels fail to establish and CPUs go to 100%.
Conditions:
- IPsec tunnels configured.
- System has multiple blades.
Impact:
The CPU exhaustion may cause system instability.
The tmm logs may contain large numbers of messages similar to the following:
-- notice SA is not in LARVAL state when receives PFKEY UPDATE: src=50.1.1.53 dst=40.1.1.50 spi=0xc9cd688 proto=0x32 dir=0x1:IN reqid=0.0:0:0x10c81 state=1
Workaround:
For vCMP systems, provision the Guest on one blade only. There is no workaround for bare-metal systems.
Fix:
An internal control-plane messaging loop has been fixed.
Fixed Versions:
14.1.2.8
749227-1 : MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE
Links to More Info: BT749227
Component: Service Provider
Symptoms:
Processing an INVITE message creates a temporary registration entry for an unregistered subscriber. This registration entry is not extended if a subsequent INVITE occurs. This could cause the registration to expire during a call, thus allowing the reserved translated addresses to be provided to a different subscriber.
Conditions:
An INVITE message is received when unregistered-subscriber-callout attribute in the siprouter-alg profile
Impact:
The system adds a temporary registration entry to the registration table. The lifetime for this entry is the max-session-timeout value from the siprouter-alg profile. Subsequent INVITES will not extend the lifetime.
This could cause the registration to expire during a call, allowing the reserved translated addresses to be provided to a different subscriber.
Workaround:
None.
Fix:
Subsequent INVITEs now extend the lifetime by another max-session-timeout value.
Fixed Versions:
14.0.1.1, 14.1.0.2
749222-1 : dname compression offset overflow causes bad compression pointer
Links to More Info: BT749222
Component: Global Traffic Manager (DNS)
Symptoms:
DNS requests receive error response:
-- Got bad packet: bad compression pointer.
-- Got bad packet: bad label type.
Conditions:
When the DNS response is large enough that dname redirects to an offset larger than 0x3fff.
Impact:
DNS response is malformed. Because the DNS record is corrupted, zone transfer fails.
Workaround:
None.
Fix:
dname compression offset overflow no longer causes bad compression pointer.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
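An added example (not F5 code) for the two DNS wire-format defects described above, ID 749675 (more than one OPT record) and ID 749222 (compression offset larger than 0x3fff): a Python checker that walks a response, validates every compression pointer, and counts OPT records. The sample messages are constructed, and the two ways an oversized offset ends up on the wire are assumptions, since the page does not say how BIG-IP encoded it.

```python
import struct

MAX_POINTER_OFFSET = 0x3FFF  # a compression pointer carries a 14-bit offset (RFC 1035, 4.1.4)
TYPE_OPT = 41                # EDNS(0) OPT pseudo-record (RFC 6891)
HEADER_LEN = 12


class MalformedDNS(ValueError):
    """Raised when a message breaks one of the wire-format rules checked here."""


def encode_name(name):
    """Encode a dotted name as uncompressed, length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_pointer(offset):
    """Build a compression pointer, refusing offsets that do not fit in 14 bits."""
    if not 0 <= offset <= MAX_POINTER_OFFSET:
        raise MalformedDNS("offset 0x%x does not fit a compression pointer" % offset)
    return struct.pack("!H", 0xC000 | offset)


def read_name(msg, pos):
    """Decode the name at pos; return (name, offset of the first byte after it)."""
    labels, after, jumps = [], None, 0
    while True:
        if pos >= len(msg):
            raise MalformedDNS("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer
            if pos + 2 > len(msg):
                raise MalformedDNS("truncated compression pointer")
            target = struct.unpack_from("!H", msg, pos)[0] & MAX_POINTER_OFFSET
            jumps += 1
            # Must refer to an earlier name: not the header, not forward, no loops.
            if target < HEADER_LEN or target >= pos or jumps > 64:
                raise MalformedDNS("bad compression pointer")
            if after is None:
                after = pos + 2
            pos = target
        elif length & 0xC0:  # 0x40 and 0x80 are not usable label types
            raise MalformedDNS("bad label type")
        elif length == 0:  # root label terminates the name
            return ".".join(labels) or ".", (pos + 1 if after is None else after)
        else:
            if pos + 1 + length > len(msg):
                raise MalformedDNS("label runs past end of message")
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
            pos += 1 + length


def audit_response(msg):
    """Return a list of findings for one DNS message; an empty list means it passed."""
    if len(msg) < HEADER_LEN:
        return ["message shorter than the DNS header"]
    _ident, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    findings, opt_count, pos = [], 0, HEADER_LEN
    try:
        for _ in range(qd):
            _name, pos = read_name(msg, pos)
            pos += 4  # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            _name, pos = read_name(msg, pos)
            if pos + 10 > len(msg):
                raise MalformedDNS("record header runs past end of message")
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
            pos += 10 + rdlen
            if pos > len(msg):
                raise MalformedDNS("record data runs past end of message")
            opt_count += rtype == TYPE_OPT
    except MalformedDNS as exc:
        findings.append(str(exc))
    if opt_count > 1:
        findings.append("%d OPT records (at most one is allowed)" % opt_count)
    return findings


def build(flags, answers, additional):
    """Constructed sample: one question for example.com plus the given records."""
    header = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, len(additional))
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    return header + question + b"".join(answers) + b"".join(additional)


# Constructed records: an OPT pseudo-record and the fixed part of an A record.
OPT_RR = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
A_TAIL = struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])

GOOD = build(0x8180, [encode_pointer(12) + A_TAIL], [OPT_RR])
DOUBLE_OPT = build(0x8380, [], [OPT_RR, OPT_RR])  # TC bit set, two OPT records
# Assumption: offset 0x4000 OR-ed into the flag bits wraps to a pointer at offset 0.
WRAPPED_POINTER = build(0x8180, [struct.pack("!H", 0xC000 | 0x4000) + A_TAIL], [])
# Assumption: offset 0x4000 written as a raw 16-bit value reads as label type 01.
RAW_OFFSET = build(0x8180, [struct.pack("!H", 0x4000) + A_TAIL], [])

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("double OPT", DOUBLE_OPT),
                          ("wrapped pointer", WRAPPED_POINTER), ("raw offset", RAW_OFFSET)]:
        print(label, audit_response(sample))
```
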
749184-2 : Added description of subviolation for the suggestions that enabled/disabled them
Links to More Info: BT749184
Component: Application Security Manager
Symptoms:
Missing description of subviolation for the suggestions that enabled/disabled them.
Conditions:
There are suggestions that enabled/disabled subviolations in the security policy.
Impact:
Cannot determine the subviolation for the suggestions that enabled/disabled them.
Workaround:
Open Description in an additional tab in Learning and Blocking settings screen.
Fix:
Added description of subviolation for the suggestions that enabled/disabled them.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.3
749161-2 : Problem sync policy contains non-ASCII characters
Component: Access Policy Manager
Symptoms:
When an access policy contains non-ASCII characters, policy sync either fails or the characters are not sync'ed properly on the target.
Conditions:
-- Using an access profile.
-- Access profile contains non-ASCII characters (code point greater than 0x7f), e.g., in VPE, add an 'Advanced Resource Assign' agent and specify an expression similar to the following in addition to the resource:
expr { [string tolower [mcget -decode {session.ad.last.attr.memberOf}]] contains [string tolower "CN=Suporte_Transmissão,"] || [string tolower [mcget -decode {session.ad.last.attr.memberOf}]] contains [string tolower "CN=suporte_tx,"]}
-- Start policy sync on the profile.
Impact:
Policy sync fails or does not complete properly for the non-ASCII characters.
Workaround:
None.
Fix:
Policy sync now works properly when the policy contains non-ASCII characters.
Fixed Versions:
13.1.3, 14.1.2.1
749136-1 : Disk partition /var/log is low on free disk space
Links to More Info: BT749136
Component: Application Security Manager
Symptoms:
Warning messages, such as these on system CLI:
--------------
Broadcast message from root@bigip1.test.net (Wed Nov 7 09:01:01 2018):
011d0004:3: Disk partition /var/log (slot 1) has only 0% free
--------------
Conditions:
ASM or DoS is provisioned.
Impact:
Disk partition /var/log is low on free disk space.
Workaround:
Manually delete nsyncd logs from /var/log.
Fix:
There is now stricter log rotation for nsyncd.
Fixed Versions:
14.1.0.2
749109-3 : CSRF situation on BIGIP-ASM GUI
Links to More Info: BT749109
Component: Application Security Manager
Symptoms:
CSRF situation on the BIG-IP ASM GUI that might potentially lead to resource exhaustion on the device for the moment it is being run.
Conditions:
The following URL accepts a wildcard in the parameter id, making it a heavy URL:
https://BIG-IP/dms/policy/pl_negsig.php?id=*
Impact:
Once multiple requests are sent to the target GUI, it is possible to see httpd process spiking even in core 0 (VMWare).
Workaround:
None.
Fix:
If the query string parameter has a string value the query is not executed.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.2
749057-1 : VMware Horizon idle timeout is ignored when connecting via APM
Links to More Info: BT749057
Component: Access Policy Manager
Symptoms:
VMware Horizon has an option to set idle timeout under "View Configuration\Global Settings\General\Client-dependent settings\For clients that support applications". When there is no keyboard or mouse activity for the given time, application sessions should be disconnected (desktop sessions are staying, though).
This setting has no effect when connecting via APM.
Conditions:
VMware Horizon idle timeout setting for applications is configured and remote application is launched via APM.
Impact:
VMware Horizon idle timeout setting for applications has no effect.
Workaround:
None.
Fix:
VMware Horizon idle timeout "For clients that support applications" is now honored when connecting via APM.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
749036-2 : Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM
Links to More Info: BT749036
Component: Access Policy Manager
Symptoms:
Some tmsh list commands may fail while SSLO is provisioned but no urldb or APM modules are provisioned with the following message: 'Password could not be retrieved'.
Conditions:
-- SSLO is provisioned.
-- Neither APM nor URLDB is provisioned.
-- Run the generic tmsh list command.
Impact:
tmsh command fails and posts the error: Unexpected Error: Password could not be retrieved.
Note: Some 'tmsh list' commands with arguments do run. For example, 'tmsh list net vlan' provides correct output, but 'tmsh list' does not.
Workaround:
There is no workaround other than provisioning APM or URLDB.
Note: You can provision APM or URLDB even if they are not licensed. Although the full feature set is not available without a license, provisioning loads the daemons needed to support the generic 'tmsh list' command.
Fix:
BIG-IP no longer requires SQL to be up with SSLO. Oauth is not needed under SSLO.
Fixed Versions:
14.1.2.5
749007-2 : South Sudan, Sint Maarten, and Curacao country missing in GTM region list
Links to More Info: BT749007
Component: TMOS
Symptoms:
South Sudan, Sint Maarten, and Curacao countries are missing from the region list.
Conditions:
-- Creating a GTM region record.
-- Create a GTM any region of Country South Sudan, Sint Maarten, or Curacao.
Impact:
Cannot select South Sudan country from GTM country list.
Workaround:
None
Fix:
South Sudan, Sint Maarten, and Curacao are now present in the GTM country list.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
748999-3 : invalid inactivity timeout suggestion for cookies
Links to More Info: BT748999
Component: Application Security Manager
Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.
Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed
Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.
Workaround:
Ignore the inactive entity suggestions for cookies
Fix:
Inactivity learning for cookies has been deprecated; the feature does not cover cookies anymore.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
748902-5 : Incorrect handling of memory allocations while processing DNSSEC queries
Links to More Info: BT748902
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes.
Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
748891-2 : Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system.
Links to More Info: BT748891
Component: Local Traffic Manager
Symptoms:
Potential MAC relearning at the switches the BIG-IP system is connected to.
Conditions:
-- DB variable connection.vlankeyed set to disabled.
-- Multiple virtual-wires configured on the BIG-IP system.
-- Client to server and server to client traffic using different virtual wires on the BIG-IP system.
Impact:
Packets reach their L3 destination using an unexpected L2 path.
Workaround:
None.
Fix:
Connflow next hop and previous hop updates are now done in the correct order for virtual wires.
Fixed Versions:
14.1.2.1
748848-2 : Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers
Links to More Info: BT748848
Component: Application Security Manager
Symptoms:
Multiple virtual servers are each using different cookie names for cookies 72, 74, and 76. This occurred because these cookie names are dependent on virtual server properties.
Conditions:
-- Multiple subdomains are configured to resolve to different virtual servers with different ASM policies.
-- Anti-Bot Mobile SDK attempts to connect to these virtual servers.
Impact:
Anti-Bot Mobile SDK is not able to connect to multiple virtual servers using the same cookie.
Workaround:
None.
Fix:
The relevant cookie names were changed.
The format TS00000000_7x (prefix/suffix may change according to configuration) is now used for cookies 72, 74, and 76, which results in identical cookie names for all configured virtual servers.
This will allow Anti-Bot Mobile SDK to connect to multiple virtual servers using the same cookie.
Fixed Versions:
14.0.0.5, 14.1.0.2
748813-3 : tmm cores under stress test on virtual server with DoS profile with admd enabled
Links to More Info: BT748813
Component: Anomaly Detection Services
Symptoms:
tmm cores
Conditions:
-- Systems under stress testing.
-- Virtual server with DoS profile with admd enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off Behavioral DOS.
Fix:
This tmm core no longer occurs under these conditions.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.2.3
748572-2 : Occasionally ramcache might crash when data is sent without the corresponding event.
Links to More Info: BT748572
Component: Access Policy Manager
Symptoms:
Ramcache filter causes crash when sending data without HUDCTL_RESPONSE while in CACHE_COLLECT event.
Conditions:
When the access_policy_trace db variable is enabled, failure in insertion of policy path cookie in the header while sending a redirect to the client might cause the ramcache filter to SIGSEGV.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off the access_policy_trace db variable.
Fix:
The system now handles this scenario, so there is no longer a ramcache crash.
Fixed Versions:
14.1.3.1
748561-1 : Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context
Links to More Info: BT748561
Component: Advanced Firewall Manager
Symptoms:
In Security :: Network Firewall :: Active Rules, when selecting any context (Global, Route Domain, Virtual Server, or SelfIP), the policy associated with the Virtual Server is listed, but not the rules within that policy.
Conditions:
Applies to any context policies.
Impact:
You cannot manage rules from the Active Rules page. This is GUI display issue and does not affect functionality.
Workaround:
In Security :: Options :: Network Firewall :: Firewall Options:
Disable Inline Rules.
This reverts to the legacy editor and displays the policy details.
Fix:
Network Firewall : Active Rules page now lists active rule entries for firewall policies associated with any context.
Fixed Versions:
14.1.4, 15.1.3
748443-1 : HiGig MAC recovery mechanism may fail continuously at runtime
Links to More Info: BT748443
Component: TMOS
Symptoms:
At runtime, the HiGig MAC recovery mechanism might be triggered due to FCS errors. Normally, the FCS recovery mechanism corrects the issue. However, if the blade does not recover, the mechanism runs continuously, preventing correct blade operation.
Conditions:
The issue might be related to the traffic pattern the blade is processing.
Impact:
The blade remains in the Inoperative state and cannot pass traffic.
Workaround:
Manually reboot the blade.
Fix:
The blade now reboots if FCS recovery is not able to fix the link. The reboot can be disabled using the db variable:
tmm.hsb.hgmfcsresetaction
Fixed Versions:
14.1.2.8
748409-2 : Illegal parameter violation when json parsing a parameter on a case-insensitive policy
Links to More Info: BT748409
Component: Application Security Manager
Symptoms:
An illegal parameter violation is raised although the parameter is configured
Conditions:
The policy is configured as case insensitive, and a parameter is configured with capital letters
Impact:
False positive illegal parameter violation
Workaround:
Configure violation as case sensitive
Fixed Versions:
14.0.0.5, 14.1.0.2
748333-4 : DHCP Relay does not retain client source IP address for chained relay mode
Links to More Info: BT748333
Component: Local Traffic Manager
Symptoms:
The second relay in a DHCP relay chain modifies the src-address. This is not correct.
Conditions:
Using DHCP chained relay mode.
Impact:
The src-address is changed when it should not be.
Workaround:
None.
Fix:
For chained relay mode there is now an option to preserve the src-ip, controllable by 'sys db tmm.dhcp.relay.change.src'.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
748321-1 : bd crash with specific scenario
Links to More Info: BT748321
Component: Application Security Manager
Symptoms:
BD crash
Conditions:
A specific scenario may cause bd crash.
Impact:
Failover, traffic disturbance.
Workaround:
N/A
Fixed Versions:
14.1.0.2
748253-1 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
Links to More Info: BT748253
Component: Service Provider
Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.
Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.
Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.
Workaround:
To mitigate this issue:
1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).
Fix:
Prevented the standby from sending DWR packets to the active device, so that it no longer expects DWA responses that never arrive.
Fixed Versions:
13.1.3, 14.1.2.1
748252-2 : Connection reset seen with SSL bypass on a L2 wire setup
Links to More Info: BT748252
Component: SSL Orchestrator
Symptoms:
A connection reset occurs when trying to bypass SSL forward proxy on a L2 Wire setup.
Conditions:
-- configure an SSL policy to bypass the SSL forward proxy in an L2 Wire setup.
-- Attempt to pass traffic that matches the policy.
Impact:
Traffic that matches the policy experiences a reset when attempting to do the bypass. Cannot bypass SSL forward proxy on a L2 wire setup
Workaround:
None.
Fix:
The system now recognizes that it is doing a bypass in a L2 Wire setup, and handles the bypass to avoid the reset.
Fixed Versions:
14.1.0.6
748206-1 : Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
Links to More Info: BT748206
Component: TMOS
Symptoms:
Browser becomes unresponsive.
Conditions:
Loading the network map with a virtual server that contains a forwarding rule policy in the second position.
Impact:
Browser becomes unresponsive and must be restarted.
Workaround:
Change the position of the forwarding rule policy.
Fix:
The browser now behaves as expected when loading the network map with a virtual server that contains a forwarding rule policy in the second position.
Fixed Versions:
13.1.1.4, 14.1.0.6
748205-3 : SSD bay identification incorrect for RAID drive replacement★
Links to More Info: BT748205
Component: TMOS
Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.
Conditions:
iSeries platform with dual SSDs.
Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot
Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.
The following steps will help to avoid inadvertently removing the wrong drive:
As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.
Here are some steps to follow to prevent this issue from occurring.
1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
• tmsh show sys raid
• tmsh show sys raid array
• array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show new drive at this stage.)
12. Logically add the new drive using the following command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.
Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working Array member, and you cannot add it to the array. That means the system responds and replicates as if 'HD already exists'.
Fixed Versions:
12.1.5, 13.1.3, 14.1.2.5
748187-4 : 'Transaction Not Found' Error on PATCH after Transaction has been Created
Links to More Info: BT748187
Component: TMOS
Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.
Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.
Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.
Workaround:
If transaction is not very large, configure icrd_child to only run single-threaded.
Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.
Fixed Versions:
12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.6
748177-1 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
Links to More Info: BT748177
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wildcards not matched to the most specific WideIP.
Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.
Impact:
DNS request gets wrong answer.
Workaround:
There is no workaround at this time.
Fix:
Multiple wildcards are now matched to the most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.1.0.6
748176-1 : BDoS Signature can wrongly match a DNS packet
Links to More Info: BT748176
Component: Advanced Firewall Manager
Symptoms:
When using BDoS feature for DNS protocol, and when there are auto-generated DNS Signatures or if Custom DNS signatures are configured manually, it is found that at times, a valid DNS request is dropped because it wrongly matches the configured/dynamically generated DNS Signature when the box is under load, and BDoS mitigation is ongoing.
Conditions:
Configured DNS Signature (Or) there exists a Dynamically generated DNS Signature.
Such a DNS signature is found to match a DNS packet wrongly, even though the signature match criteria is different from the matched DNS packet.
Impact:
When box is under load, the configured DNS signature gets into Attack Mitigation mode (which is normal), but may wrongly drop a DNS packet that does not match the signature.
Workaround:
Disable BDoS for protocol DNS. Also, do not use Manually configured DNS Signatures.
Fix:
The parsed DNS information is cached and re-used wrongly as a performance optimization, which is corrected.
Fixed Versions:
14.1.0.2
748121-3 : admd livelock under CPU starvation
Links to More Info: BT748121
Component: Anomaly Detection Services
Symptoms:
Due to resource starvation, the worker thread of admd does not get CPU for more than two minutes. At the same time, the configuration thread does get CPU.
The admd heartbeat failure occurs at 120 seconds. The SOD daemon kills admd.
The system posts messages similar to the following:
-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Publisher0 fails action is restart.
Conditions:
-- High CPU / memory utilization,
-- Very large configuration.
Note: There are no known special configuration requirements to have this occur.
Impact:
admd restarts.
Behavioral DoS does not work.
Workaround:
Reboot the BIG-IP system.
Fix:
admd livelock event no longer occurs in response to CPU starvation in very large configurations.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.6
748081-1 : Memory leak in Behavioral DoS module
Links to More Info: BT748081
Component: Advanced Firewall Manager
Symptoms:
TMM runs out of memory and restarts.
The memory usage as shown in "tmctl memory_usage_stat", under module line tag "session" is noticed to be high, and keeps growing.
Conditions:
The issue is seen when the BDoS feature is configured and custom or auto-generated BDoS signatures exist. When such signatures exist, the BDoS one-second timer callback leaks memory.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
1. Disable BDoS feature.
2. Disable all configured and auto generated BDoS signatures using TMSH command:
# cd dos-common
# modify security dos dos-signature all { state disabled }
Fixed Versions:
13.1.1.5, 14.1.0.2
748043-2 : MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
Links to More Info: BT748043
Component: Service Provider
Symptoms:
SIP Server sends SIP Request to the client.
The SIP Server inserts a different port, so that responses are received on a different port.
The Client sends the response on the new requested port.
BIG-IP drops the packet.
Conditions:
The SIP Server wants the SIP Response to arrive on a different port.
Impact:
The SIP Request will not receive the SIP Response.
Workaround:
There is no workaround.
Fix:
The BIG-IP system now processes the SIP Response and sends it to the SIP Server.
Fixed Versions:
13.1.1.5, 14.0.1.1, 14.1.0.2
747977-1 : File manually uploaded information is not synced correctly between blades
Links to More Info: BT747977
Component: Application Security Manager
Symptoms:
When you upload a file, the file is marked internally as manually uploaded. When the system downloads a file, it is marked as not being manually uploaded. This information is not passed and handled correctly on chassis.
Conditions:
-- Configuration is deployed on multiple blades
-- Fail over has occurred.
-- New update file is downloaded from ESDM on the primary blade.
Impact:
Security updates are not automatically installed on the new primary blade after failover.
Workaround:
Manually install security updates on new primary blade.
Fix:
Corrected the syncing and handling of information about whether files are manually uploaded or downloaded from ESDM.
Fixed Versions:
14.1.0.2
747968-3 : DNS64 stats not increasing when requests go through DNS cache resolver
Links to More Info: BT747968
Component: Local Traffic Manager
Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.
Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.
Impact:
DNS64 stats are not correct.
Workaround:
There is no workaround at this time.
Fixed Versions:
11.6.5.3, 12.1.4.1, 13.1.1.5, 14.1.0.6
747926-2 : Rare TMM restart due to NULL pointer access during AFM ACL logging
Links to More Info: BT747926
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while performing ACL match logging.
Conditions:
The problem can happen only with the following configuration:
1) AFM Logging for ACLs enabled.
2) Security Network Logging profile has the property "log-translation-fields enabled"
The problem happens under extremely rare circumstances.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Defensive error handling to avoid the scenario of NULL pointer access.
Fixed Versions:
13.1.1.4, 14.1.0.2
747922-3 : With AFM enabled, during bootup, there is a small possibility of a tmm crash
Links to More Info: BT747922
Component: Advanced Firewall Manager
Symptoms:
During bootup or re-provisioning, with AFM enabled, there is a small possibility of a tmm crash. The tmm process generates a core file and then automatically restarts.
Conditions:
-- AFM enabled.
-- sPVA-capable hardware platform.
-- Boot up or re-provision the system.
Impact:
Tmm crashes, coredumps, and then restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The race-condition has been fixed, so this issue no longer occurs.
Fixed Versions:
13.1.3.2, 14.1.0.2
747909-5 : GTPv2 MEI and Serving-Network fields decoded incorrectly
Links to More Info: BT747909
Component: Service Provider
Symptoms:
MEI and Serving-Network values obtained with the GTP::ie get iRule command contain digits swapped in pairs, with the first digit missing and a random digit added at the end.
Conditions:
Processing GTP traffic with iRules.
Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.
Workaround:
No workaround.
Fix:
Decoding of GTPv2 MEI and Serving-Network fields corrected.
Fixed Versions:
11.6.5.1, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6
747907-2 : Persistence records leak while the high availability (HA) mirror connection is down
Links to More Info: BT747907
Component: Local Traffic Manager
Symptoms:
Memory might leak on the active unit while the high availability (HA) mirror connection is down.
Conditions:
-- Persistence is configured that requires its state to be stored on the BIG-IP system.
-- Mirroring is configured on the persistence profile or the virtual server.
-- Mirror connection is down, for example, next active is down/offline/unavailable.
Impact:
Memory leak until the high availability (HA) mirror connection is up. Once mirror connection is up, the system releases the memory.
High CPU may also be observed, and may be more obvious than increased memory use.
Workaround:
-- Disable persistence while high availability (HA) mirror connection is down (e.g., performing maintenance).
-- Disable session mirroring for iRules.
-- Use persistence that does not require its state to be stored on the BIG-IP system.
-- Restore high availability (HA) connection.
Fix:
Persistence records no longer leak memory while the high availability (HA) mirror connection is down.
Fixed Versions:
13.1.3.2, 14.1.0.6
747858-2 : OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires
Links to More Info: BT747858
Component: Local Traffic Manager
Symptoms:
OSPF packets are duplicated while traversing a virtual wire.
Conditions:
BIG-IP configured in L2 transparent mode using a virtual wire.
Impact:
OSPF unreliability can impact the overall routing domain and in turn impact services dependent on it.
Workaround:
None.
Fix:
Handle multicast packets through a virtual wire correctly.
Fixed Versions:
14.1.2.1
747777-3 : Extractions are learned in manual learning mode
Links to More Info: BT747777
Component: Application Security Manager
Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Conditions:
Direct cause: Policy contains parameters with dynamic type
Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)
Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').
Fix:
Policy Builder does not set extractions for dynamic parameters in manual mode
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
747727-1 : HTTP Profile Request Header Insert Tcl error
Links to More Info: BT747727
Component: Local Traffic Manager
Symptoms:
A TMM crash.
Conditions:
When the HTTP profile Request Header Insert field contains a Tcl interpreted string, Tcl is executed to expand the string before the header is inserted into the request header block.
If a Tcl error occurs
Impact:
In some cases this can cause TMM to crash. Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following to mitigate this:
-- Verify that your Tcl executes correctly in all cases.
-- Use a static string.
Fix:
TMM no longer crashes under these conditions.
Fixed Versions:
14.1.0.6
747725-3 : Kerberos Auth agent may override settings that manually made to krb5.conf
Links to More Info: BT747725
Component: Access Policy Manager
Symptoms:
When apmd starts up, it can override settings in the krb5.conf file with those required for the Kerberos Auth agent.
Conditions:
- Kerberos Auth is configured in an Access Policy.
- The administrator made changes to krb5.conf manually, in the [realms] section of the configured realm.
Impact:
Kerberos Auth agent behavior is not what the administrator expects with the changes.
It may also affect the proper behavior of websso (Kerberos).
Workaround:
None
Fix:
After the fix, the configuration file changes are merged.
The Kerberos Auth agent adds the lines it requires and does not override existing settings.
Fixed Versions:
12.1.4.1, 13.1.3, 14.1.2.5
747628-1 : BIG-IP sends spurious ICMP PMTU message to server
Links to More Info: BT747628
Component: Local Traffic Manager
Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.
Conditions:
-- The server side allows timestamps and the client side does not negotiate them.
-- The client-side MTU is lower than the server-side MTU.
-- There is no ICMP message on the client-side connection.
Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).
Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.1
747624-2 : RADIUS Authentication over RSA SecureID is not working in challenge mode
Links to More Info: BT747624
Component: Access Policy Manager
Symptoms:
Cannot change/reset RSA PIN.
Conditions:
Using RADIUS Auth Agent to communicate with RSA SecurID server for user authentication.
Impact:
Users cannot change or reset RSA PIN.
Workaround:
None.
Fix:
RADIUS Authentication over RSA SecurID now works in challenge mode.
Fixed Versions:
14.1.2.5
747617-2 : TMM core when processing invalid timer
Links to More Info: BT747617
Component: Local Traffic Manager
Symptoms:
TMM crashes while processing an SSLO iRule that enables the SSL filter on an aborted flow.
Conditions:
SSLO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
Fix:
SSL filter will no longer be enabled after connection close.
Fixed Versions:
12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2
747592-1 : PHP vulnerability CVE-2018-17082
Component: TMOS
Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
Conditions:
This exploit does not need any authentication and can be exploited via a POST request. Because of the 'Transfer-Encoding: Chunked' header, PHP echoes the body as the response.
Impact:
F5 products are not affected by this vulnerability. The actual impact of this vulnerability is a possible XSS attack.
Workaround:
No known workaround.
Fix:
The brigade seems to end up in a messed up state if something fails in shutdown, so we clean it up.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1
747585-3 : TCP Analytics supports ANY protocol number
Links to More Info: BT747585
Component: Local Traffic Manager
Symptoms:
No TCP analytics data is collected for an ANY virtual server.
Conditions:
1. Provision AVR
2. Create a FastL4 server that accepts all protocols.
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.
Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.
Workaround:
There is no workaround at this time.
Fix:
TCP analytics now supports both ANY and TCP protocol numbers and collects analytics for TCP flows if the protocol number is ANY or TCP.
Fixed Versions:
12.1.5, 13.1.3.4, 14.1.2.1
747560-5 : ASM REST: Unable to download Whitehat vulnerabilities
Links to More Info: BT747560
Component: Application Security Manager
Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.
Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.
Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided, and it must be downloaded manually, or the GUI must be used.
Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.
Fix:
The REST endpoint for importing Scanner Vulnerabilities for the Whitehat Scanner now correctly downloads the vulnerability file automatically when no file is provided.
Fixed Versions:
12.1.5.1, 13.1.3, 14.1.0.6
747550-3 : Error 'This Logout URL already exists!' when updating logout page via GUI
Links to More Info: BT747550
Component: Application Security Manager
Symptoms:
When you try to update the Logout Page, you get an error about the URL existence: Error 'This Logout URL already exists!'
Conditions:
1. Create any Logout page.
2. Try to update it.
Impact:
The properties of the Logout Page cannot be updated.
Workaround:
Delete the logout page and create a new one.
Fix:
This release addresses the issue, so that no error is reported when updating the Logout Page.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
747239-1 : TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection
Links to More Info: BT747239
Component: Local Traffic Manager
Symptoms:
TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection.
Conditions:
This might occur rarely when the HTTP/2 gateway is configured on a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
TMM SIGABRT no longer occurs under these conditions.
Fixed Versions:
14.1.0.6
747234-5 : Macro policy does not find corresponding access-profile directly
Links to More Info: BT747234
Component: Access Policy Manager
Symptoms:
The discovery task runs but does not apply the 'Access Access Policy' for the access policy for which the Provider is configured.
Conditions:
-- Auto-discovery is enabled for a provider.
-- Discovery occurs.
Impact:
The Access Policy is not applied after successful auto-discovery. The policy must be applied manually.
Workaround:
Apply the Access Policy manually after auto-discovery.
Fix:
Fixed an issue with not automatically applying the access policy after discovery.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
747225-1 : PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart
Links to More Info: BT747225
Component: Advanced Firewall Manager
Symptoms:
When there are scheduled firewall rules and per-policy compilation optimization is enabled, PCCD may enter a crash loop after installing a new build. In very rare cases this can happen after a regular BIG-IP restart. Per-policy compilation optimization is enabled by default (the sys db variable pccd.perpolicycompilation is true).
Conditions:
-- AFM is licensed and provisioned.
-- There are scheduled firewall rules.
-- Per-policy compilation optimization enabled (sys db variable pccd.perpolicycompilation is true)
-- The BIG-IP system is upgraded or restarted
Impact:
After this failure, a rare problem is that PCCD crashes continuously. The new firewall config is not applied to data traffic. The pre-upgrade firewall config is still applied to data traffic.
Workaround:
Set sys db variable pccd.perpolicycompilation to false.
Fix:
PCCD works correctly in these conditions.
Fixed Versions:
14.1.3.1
747187-2 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response
Links to More Info: BT747187
Component: Service Provider
Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.
Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.
Impact:
Media does not flow on pinholes for which a collision was detected and reported.
Workaround:
None
Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.
Fixed Versions:
12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2
747104-1 : LibSSH: CVE-2018-10933
Links to More Info: K52868493, BT747104
Component: Advanced Firewall Manager
Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493
Conditions:
For more information see: https://support.f5.com/csp/article/K52868493
Impact:
For more information see: https://support.f5.com/csp/article/K52868493
Fix:
For more information see: https://support.f5.com/csp/article/K52868493
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.1.0.2
747020-1 : Requests that evaluate to same subsession can be processed concurrently
Links to More Info: BT747020
Component: Access Policy Manager
Symptoms:
Requests that evaluate to the same subsession can be processed concurrently in some cases
Conditions:
-- Per-Request policy with subroutines.
-- Duplicate requests are sent that match existing subsession gating criteria.
Impact:
The request gets aborted with error messages in /var/log/apm:
apmd_plugin.cpp func: "serialize_apmd_reply()" line: 495 Msg: AccessV2 agent execution error 4.
Workaround:
None.
Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1
747013-3 : Add OCSP server support to IKEv2 negotiation for IPsec peer authentication
Links to More Info: BT747013
Component: TMOS
Symptoms:
There is no support for OCSP in IPsec.
Conditions:
When an IPsec ike-peer uses certificates, the name of a locally defined OCSP cert-validator object can be specified in the new attribute ocsp-cert-validator, so that the OCSP server is contacted during IKE negotiation to authenticate the peer's certificate.
Impact:
If a peer is not using certificates, nothing happens.
But if certificates are used, the ike-peer's certificate is authenticated with the OCSP server, using an asynchronous HTTP request in the middle of the IKE_AUTH exchange in IKEv2.
Success permits new SA (security association) creation, while failure causes IKEv2 negotiation failure, denying an SA.
Workaround:
None, this is a code improvement.
Fix:
IKEv2 negotiation of SAs in IPsec now supports OCSP for certificate authentication. This requires the definition of an OCSP cert-validator in configuration, followed by adding the name of this object to the attribute ocsp-cert-validator in the ike-peer configuration definition.
Note: You can use this feature with IKEv2 but not IKEv1.
Behavior Change:
You can now add the name of an OCSP cert-validator to ike-peer in IPsec, to make a peer's certificate require authentication by OCSP before IKE negotiation succeeds and an SA (security association) is created.
For docs on the new ocsp-cert-validator attribute see this help info:
tmsh help net ipsec ike-peer
For docs on how to create an instance of the OCSP object, see this help info:
tmsh help sys crypto cert-validator ocsp
The name must include the partition prefix. For example, if you create an instance named 'my_ocsp_srv' in the Common partition, then set ocsp-cert-validator like this:
tmsh modify net ipsec ike-peer peer_ocsp ocsp-cert-validator /Common/my_ocsp_srv
This new attribute is only used when 1) the ike-peer also uses certificates, and 2) an instance of OCSP cert-validator with that name is found in configuration.
When creating the OCSP object instance, you likely want a shorter timeout in order to minimize the effect of caching responses from the OCSP server. For example:
tmsh create sys crypto cert-validator ocsp my_ocsp_srv dns-resolver my_dns timeout 4 cache-timeout 5 cache-error-timeout 5 responder-url http://10.100.145.64:8888 clock-skew 900
The cache-timeout and cache-error-timeout values cannot be smaller than timeout, so adding one second to the timeout value is suggested.
Note: If the responder-url has an explicit IP address, as shown above in the example, then a DNS resolver will not actually be used, so you can provide a dummy:
tmsh create net dns-resolver my_dns forward-zones add { net { nameservers add { 10.20.20.100:53 } } } route-domain 0
The IP address given for my_dns above does not matter, because it will not be used. So my_dns merely serves to satisfy OCSP cert-validator creation, which requires either a dns-resolver or a proxy-server-pool in the command line.
If an ike-peer uses certificates, and the attribute ocsp-cert-validator is the name of a configured OCSP cert-validator instance, then during IKEv2 negotiation the OCSP server is contacted to authenticate the remote peer's certificate during the IKE_AUTH exchange. This happens right after the AUTH signature payload is authenticated. If the OCSP server returns good status, negotiation succeeds and a new SA is created. Otherwise, for example if the OCSP server says the peer's certificate has been revoked, negotiation fails because the peer is not authenticated.
Note: IKEv1 is not supported in this behavior change.
Fixed Versions:
14.1.2.8
746941-2 : Memory leak in avrd when BIG-IQ fails to receive stats information
Links to More Info: BT746941
Component: Application Visibility and Reporting
Symptoms:
There is an avrd memory leak when it fails to send BIG-IP statistical information to BIG-IQ.
Error messages may appear in the avrd.log file in /var/log/avr:
EXTERNAL_MESSAGES|ERROR|Mar 07 10:10:10.10|10|lib/avrpublisher/infrastructure/avr_http_connection.cpp:0129| (skipped 16 msgs) Can't insert messages to queue - some external log will be lost!
Conditions:
-- BIG-IP is used by BIG-IQ version 6.0.0 or higher.
-- Stats collection is enabled.
-- There is a malfunction in BIG-IQ that prevents it from receiving statistical information that BIG-IP sends (e.g., all data collection devices (DCDs) are down, or there is no network connection between BIG-IP and BIG-IQ systems).
Impact:
The avrd process' memory usage increases over time, leading to avrd restart when usage is too large, and/or avrd usage may starve other control-plane processes of memory. The AVR-related functionality is unavailable while avrd restarts.
Workaround:
Correct connectivity issues between BIG-IP and BIG-IQ.
This correction should be made not only to prevent this memory leak, but for more important functionality, such as visibility and alerts features in BIG-IQ.
Fix:
The avrd process no longer leaks memory under these conditions.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
746922-6 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
Links to More Info: BT746922
Component: Local Traffic Manager
Symptoms:
When a routing entity belonging to the child route domain searches for an egress point for a traffic flow, it first searches for a routing entry in the child domain; if nothing is found, it searches the parent route domain and returns the best routing entry found.
If the best routing entry from the parent route domain is selected, then it is held by a routing entity and is used to forward a traffic flow. Later, a new route entry is added to the child route domain's routing table and this route entry might be better than the current, previously selected, routing entry. But the previously selected entry doesn't get invalidated, thus the routing entity that is holding this entry is forwarding traffic to a less-preferable egress point.
#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
Pool member searches for the best egress point and finds nothing in the routing table for route domain 1, and then later finds a routing entry, but from the parent route domain - 0.0.0.0/0%0.
Later, a new gw for RD1 is added, 0.0.0.0/0%1, which is preferable for the 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, as in this case with 0.0.0.0/0%1.
Conditions:
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. New routing entry for child route domain is added.
Impact:
If a new added route is preferable to an existing one in a different route domain, the new, preferable, route is not going to be used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.
Workaround:
Use either of these workarounds after a new route in the child domain is added.
-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.
-- Recreate a routing object.
- If a pool member is affected, recreate the pool member.
- If a SNAT pool list is affected, recreate it.
- And so on.
Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table.
Fixed Versions:
12.1.4.1, 13.1.3, 14.0.1.1, 14.1.2.7
746877-1 : Omitted check for success of memory allocation for DNSSEC resource record
Links to More Info: BT746877
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.
Conditions:
During memory stress while handling DNSSEC traffic.
Impact:
TMM panic and subsequent interruption of network traffic.
Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.
Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
746873-1 : Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing
Links to More Info: BT746873
Component: TMOS
Symptoms:
Any non-admin cannot use tmsh list commands. Running the command gives the following error:
Unexpected Error: Can't display all items, can't get object count from mcpd.
Conditions:
Run a tmsh list command when logged in as non-admin user.
Impact:
Error is posted. Non-admin users cannot use the tmsh list commands.
Workaround:
Log in as admin to execute the tmsh list command.
Fix:
Non-admin users can now run tmsh list commands, as appropriate for the Role associated with the type of user account.
Fixed Versions:
14.1.0.2
746861-1 : SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★
Links to More Info: BT746861
Component: TMOS
Symptoms:
The SFP interfaces do not come up, or they flap up and down repeatedly on BIG-IP 2000/4000 on boot up when both SFP interfaces are populated.
When an interface flaps, state changes such as those below are logged in the ltm log:
info pfmand[PID]: 01660009:6: Link: 2.1 is UP
info pfmand[PID]: 01660009:6: Link: 2.1 is DOWN
Conditions:
Both SFP interfaces, 2.1 and 2.2, on BIG-IP 2000/4000 are populated.
This is typically observed on boot up after an upgrade to an affected version. It may also occur during a normal reboot.
Impact:
Traffic cannot be sent/received from these interfaces.
Workaround:
Disconnect and reconnect the cable.
Fix:
The interfaces now come up successfully. Occasional link bounce may be seen on reboot.
Fixed Versions:
14.1.2.5, 15.1.4
746825-1 : MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls
Links to More Info: BT746825
Component: Service Provider
Symptoms:
When a temporary registration is created for an unsubscribed user making an outgoing call, an ephemeral listener to receive incoming messages is not created.
Conditions:
-- If nonregister-subscriber-callout attribute is enabled in the siprouter-alg profile.
-- An unregistered client device places an outgoing call. At this point, a temporary registration is created. This temporary registration lives for the life of the call.
-- During the lifetime of the temporary registration, if the connection from the client is closed, it is not possible for an external device to reach the client device.
Impact:
The callee of an outgoing call initiated by an unregistered SIP device cannot end the call.
Workaround:
There is no workaround at this time.
Fix:
When a temporary registration is created, an ephemeral listener is created to receive SIP commands to be forwarded to the client device.
Fixed Versions:
14.0.1.1, 14.1.0.6
746771-3 : APMD recreates config snapshots for all access profiles every minute
Links to More Info: BT746771
Component: Access Policy Manager
Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers APMD to recreate the config snapshots for all access profiles. The detect-recreate cycle repeats every minute, posting log messages:
-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...
-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
Conditions:
The conditions under which the access profile configurations in APMD and MCPD become out of sync are unknown.
Impact:
TMM memory usage increases due to excessive config snapshots being created.
Workaround:
Restart APMD to clear the APMD and MCPD out-of-sync condition.
Fix:
This issue has been fixed.
Fixed Versions:
13.1.1.4, 14.1.0.2
746768-4 : APMD leaks memory if access policy policy contains variable/resource assign policy items
Links to More Info: BT746768
Component: Access Policy Manager
Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.
Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.
Impact:
APMD's memory footprint will increase whenever the access policy is applied.
Workaround:
There is no workaround.
Fix:
Memory growth has been addressed.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.1.2.1
746750-1 : Search Engine get Device ID challenge when using the predefined profiles
Links to More Info: BT746750
Component: Application Security Manager
Symptoms:
When using one of the pre-defined profiles, "bot-defense-device-id-generate-after-access" or "bot-defense-device-id-generate-before-access", search engines might get Device ID challenges (and will most likely be blocked, since they cannot run JavaScript).
Conditions:
One of the pre-defined profiles ("bot-defense-device-id-generate-after-access" or "bot-defense-device-id-generate-before-access") is attached to a virtual server, and a valid search engine sends requests.
Impact:
Search Engines may be blocked.
Workaround:
Change mitigation of "Trusted Bot" in the attached profile to "Alarm":
1. Go to
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-after-access
or
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-before-access
2. Go to tab "Mitigation Settings"
3. For "Trusted Bot" choose "Alarm".
4. Save profile.
Fixed Versions:
14.1.0.2
746731-1 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
Links to More Info: BT746731
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}
Fix:
This release always clears the Mandatory bit for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.
Fixed Versions:
13.1.3.4, 14.1.2.7
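To confirm from a packet capture whether a peer is receiving the Mandatory bit described in 746731-1, the following added example (not F5 code) parses a Diameter message, reports whether a Capabilities Exchange Request carries Firmware-Revision (AVP 267) with the M bit set, and clears only that bit. The sample message, host name and identifiers are constructed; unlike the iRule above, which sets the AVP flags to 0, this sketch leaves the other flag bits untouched.

```python
import struct

CER_COMMAND = 257            # Capabilities-Exchange command code (matched by the iRule)
FIRMWARE_REVISION = 267      # Firmware-Revision AVP code (targeted by the iRule)
FLAG_R = 0x80                # Request bit in the message header flags
FLAG_V, FLAG_M = 0x80, 0x40  # Vendor-specific and Mandatory bits in the AVP flags


def build_avp(code, flags, data):
    """Encode an AVP without Vendor-Id: code(4) flags(1) length(3) data + padding."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_message(command, avps, request=True):
    """Encode a version 1 Diameter message with constructed identifiers."""
    body = b"".join(avps)
    header = (b"\x01" + (20 + len(body)).to_bytes(3, "big")
              + bytes([FLAG_R if request else 0]) + command.to_bytes(3, "big")
              + struct.pack("!III", 0, 0x1111, 0x2222))
    return header + body


def iter_avps(msg):
    """Yield (offset, code, flags, data) for each top-level AVP in msg."""
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    total = int.from_bytes(msg[1:4], "big")
    if total != len(msg):
        raise ValueError("message length field does not match buffer")
    off = 20
    while off < total:
        if total - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", msg, off)
        length = int.from_bytes(msg[off + 5:off + 8], "big")
        header_len = 12 if flags & FLAG_V else 8   # Vendor-Id adds 4 bytes
        if length < header_len or off + length > total:
            raise ValueError("bad AVP length")
        yield off, code, flags, msg[off + header_len:off + length]
        off += length + (-length % 4)              # AVPs are padded to 32 bits


def firmware_revision_is_mandatory(msg):
    """True if msg is a CER whose Firmware-Revision AVP has the M bit set."""
    is_request = bool(msg[4] & FLAG_R)
    command = int.from_bytes(msg[5:8], "big")
    if command != CER_COMMAND or not is_request:
        return False
    return any(code == FIRMWARE_REVISION and flags & FLAG_M
               for _, code, flags, _ in iter_avps(msg))


def clear_mandatory_bit(msg, avp_code):
    """Return a copy of msg with the M bit cleared on every AVP of avp_code."""
    out = bytearray(msg)
    for off, code, flags, _ in iter_avps(msg):
        if code == avp_code:
            out[off + 4] = flags & ~FLAG_M & 0xFF
    return bytes(out)


# Constructed sample: a CER with Origin-Host (264) and Firmware-Revision (267),
# both sent with the M bit set, as in the behavior described for 746731-1.
SAMPLE_CER = build_message(CER_COMMAND, [
    build_avp(264, FLAG_M, b"bigip.example.test"),
    build_avp(FIRMWARE_REVISION, FLAG_M, struct.pack("!I", 1)),
])

if __name__ == "__main__":
    print("M bit set on Firmware-Revision:", firmware_revision_is_mandatory(SAMPLE_CER))
    fixed = clear_mandatory_bit(SAMPLE_CER, FIRMWARE_REVISION)
    print("after clearing:", firmware_revision_is_mandatory(fixed))
```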
746719-1 : SERVFAIL when attempting to view or edit NS resource records in zonerunner
Links to More Info: BT746719
Component: Global Traffic Manager (DNS)
Symptoms:
While attempting to use ZoneRunner to edit NS resource records, the following error is returned:
01150b21:3: RCODE returned from query: 'SERVFAIL'.
Conditions:
- An NS resource record is selected using the zonerunner GUI
- The NS record points to a zone that bind is not authoritative for.
- Recursion is enabled on the zone in question
- The bind process is not able to reach the nameserver referenced in the NS record.
Impact:
Administrator is unable to use ZoneRunner to edit NS records.
Workaround:
Set recursion to no for the appropriate zone, perform the change, set recursion back to yes.
Note: This will impact any clients expecting recursion for the duration of the change.
Fixed Versions:
14.1.4.2
746710-1 : Use of HTTP::cookie after HTTP::disable causes TMM core
Links to More Info: BT746710
Component: Local Traffic Manager
Symptoms:
When an iRule disables HTTP with HTTP::disable, subsequent use of HTTP::cookie for that request will cause a TMM core dump.
Conditions:
1) HTTP profile is configured on the virtual.
2) HTTP::disable is called on request.
3) HTTP::cookie is then called on that request.
Impact:
Use of iRules in the above mentioned order will result in a TMM core. Traffic disrupted while tmm restarts.
Workaround:
Do not call HTTP::cookie on requests that have had HTTP disabled by HTTP::disable.
Fixed Versions:
13.1.3, 14.1.2.1
746704-2 : Syslog-ng Memory Leak
Links to More Info: BT746704
Component: TMOS
Symptoms:
After a long uptime (almost a year) syslog-ng had consumed 1.1G of virtual memory on BIG-IP.
Conditions:
Memory leak when syslog-ng handles continuous SIGHUP signals.
Impact:
Minimal. This is a leak of virtual memory. If syslog-ng does not read or write to this memory, it will not consume physical memory.
Workaround:
Run this command once a month:
service syslog-ng restart
Fixed Versions:
13.1.3.5, 14.1.2.8
746657-1 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
Links to More Info: BT746657
Component: TMOS
Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the FQDN 'interval' value.
The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).
The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.
Conditions:
This occurs when viewing tmsh help text.
Impact:
FQDN nodes and pool members may be created with a different FQDN refresh interval than intended.
Workaround:
When creating an FQDN node or pool member, specify the desired FQDN 'interval' value (either TTL, or the desired number of seconds).
Fix:
The tmsh help text for LTM nodes and pools correctly shows the default value of 3600 seconds for the FQDN 'interval' value.
Fixed Versions:
14.1.0.6
746483-2 : The autodosd process consumes a lot of memory and continuously restarts.
Links to More Info: BT746483
Component: Advanced Firewall Manager
Symptoms:
The autodosd process consumes a lot of memory and continuously restarts.
(The autodosd process is a control plane process which supports the BIG-IP AFM DoS Auto Threshold feature.)
Conditions:
Many virtual servers (e.g., 1,020) with dos-profiles attached, even if no DoS vector is enabled.
Impact:
The BIG-IP system continuously restarts.
Workaround:
Set sys db dos.auto.threshold.learnalways to false.
This sys db variable controls whether the BIG-IP system learns/stores traffic history and calculates the auto-thresholds even when in manual-threshold mode. The default is on (always learn).
Fix:
The autodosd process allocates memory only when the DoS vector is enabled, so this issue no longer occurs.
Fixed Versions:
14.1.2.8
746424 : Patched Cloud-Init to support AliYun Datasource
Links to More Info: BT746424
Component: TMOS
Symptoms:
The Cloud-Init shipped in this version of VE does not support the Alibaba Cloud metadata service, because it lacks support for the AliYun Datasource.
Conditions:
VE for Alibaba Cloud
Impact:
Provisioning VE through Cloud-Init does not work on Alibaba Cloud.
Workaround:
N/A
Fix:
Patched Cloud-Init to support AliYun Datasource
Fixed Versions:
14.1.0.1
746394-1 : With ASM CORS set to 'Disabled' it strips all CORS headers in response.
Links to More Info: BT746394
Component: Application Security Manager
Symptoms:
All access-control-* headers are removed by ASM, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS-related JavaScript errors on the browser console, and blocks cross-domain requests that should be allowed.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Backend server sends CORS headers access-control-*.
Impact:
Any webapp that sends cross origin AJAX requests might not work.
Workaround:
Set up an iRule on a virtual server, for example:
when HTTP_RESPONSE {
    array set header_list { }
    foreach header_name [HTTP::header names] {
        if { [string tolower $header_name] starts_with "access-control-" } {
            set header_list($header_name) [HTTP::header $header_name]
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    foreach header_name [array names header_list] {
        if {!([HTTP::header exists $header_name])} {
            HTTP::header insert $header_name $header_list($header_name)
        }
    }
}
Fix:
ASM no longer removes CORS headers when the feature is set to 'Disabled'. This is correct behavior.
Fixed Versions:
14.0.1.1, 14.1.2.1
746348-2 : On rare occasions, gtmd fails to process probe responses originating from the same system.
Links to More Info: BT746348
Component: Global Traffic Manager (DNS)
Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.
Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.
Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.
Workaround:
Restart gtmd on the affected BIG-IP system.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.2
746298-1 : Server Technologies logos all appear as default icon
Links to More Info: BT746298
Component: Application Security Manager
Symptoms:
Server Technologies logos all appear as the default icon.
Conditions:
Browsing the list of available Server Technologies in an ASM policy.
Impact:
Server Technologies logos all appear as the default icon.
Workaround:
Install the most recent Server Technologies update file.
Fix:
Server Technology-specific logos appear correctly.
Fixed Versions:
14.1.0.2
746266-3 : A vCMP guest VLAN MAC mismatch across blades.
Links to More Info: BT746266
Component: TMOS
Symptoms:
The vCMP guests running on blades in a single chassis report different MAC addresses on a single VLAN upon host reboot for the vCMP guest.
Conditions:
This issue may be seen when all of the following conditions are met:
-- One or more blades are turned off completely via AOM.
-- There are two VLANs.
-- You deploy a multi-slot guest with the higher lexicographic VLAN, and assign the lower VLAN to the guest.
-- Reboot the host.
Impact:
Incorrect MAC addresses are reported by some blades.
Workaround:
None.
Fix:
There is no longer a vCMP guest VLAN MAC mismatch across blades under these conditions.
Fixed Versions:
12.1.5, 13.1.3, 14.1.2.3
746167-1 : Memory pressure from nsyncd
Links to More Info: BT746167
Component: Application Security Manager
Symptoms:
The nsyncd process may reserve large pages of memory. This can impact the performance of other processes.
Conditions:
ASM is provisioned.
Impact:
Degraded GUI or tmm performance.
Workaround:
Restart nsyncd.
Fix:
Nsyncd no longer reserves large pages of memory.
Fixed Versions:
14.1.4.4
746131-4 : OpenSSL Vulnerability: CVE-2018-0732
Component: Local Traffic Manager
Symptoms:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.
Conditions:
Advanced shell access.
Impact:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.
Workaround:
None.
Fix:
Updated to OpenSSL 1.0.2p
Fixed Versions:
14.1.0.2
746078-1 : Upgrades break existing iRulesLX workspaces that use node version 6
Links to More Info: BT746078
Component: Local Traffic Manager
Symptoms:
When upgrading a BIG-IP with iRulesLX plugins, if those plugins are based on workspaces that use node version 6 (instead of version 0.12) they will fail to work properly after the upgrade once the plugin is reloaded from the workspace.
Errors like this will be seen in /var/log/ltm:
Oct 5 06:37:12 B7200-R14-S36 info sdmd[17582]: 018e0017:6: pid[26853] plugin[/Common/test-jt-plugin.test-jt-extension] Starting the server.....jt...after upgrade...
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: Resuming log processing at this invocation; held 233 messages.
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] /var/sdm/plugin_store/plugins/:Common:test-jt-plugin_62858_3/extensions/test-jt-extension/node_modules/f5-nodejs/lib/ilx_server.js:30
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ILXServerWrap = process.binding('ILXServerWrap').ILXServerWrap;
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ^
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] Error: No such module: ILXServerWrap
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] at Error (native)
Conditions:
Upgrading a version of BIG-IP that is using iRulesLX that has a workspace based on node version 6. Later reloading the iRulesLX plugin from the workspace.
Impact:
The iRulesLX plugin no longer works.
Workaround:
- Navigate to the workspace folder on the BIG-IP (/var/ilx/workspaces/<partition>/<workspace name>).
- Make the file "node_version" writable (chmod +w node_version).
- Edit the node_version file: change "0.12" to "6"
- Save the node_version file.
- Make the file "node_version" read-only (chmod -w node_version).
- Reload the iRulesLX plugin from the workspace.
Fix:
Prevented the node version from getting reverted to default during an upgrade.
Fixed Versions:
14.1.2.5
746077-4 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
Links to More Info: BT746077
Component: Local Traffic Manager
Symptoms:
DHCP-RELAY overwrites the 'giaddr' field containing a non-zero value. This violates RFC 1542.
Conditions:
DHCP-RELAY processing a message with the 'giaddr' field containing a non-zero value.
Impact:
RFC 1542 violation
Workaround:
None.
Fix:
DHCP-RELAY no longer overwrites the 'giaddr' field containing a non-zero value.
Fixed Versions:
12.1.5.3, 13.1.1.5, 14.1.2.5
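The relay rule behind 746077-4, as an added example (not F5 code): a relay fills in 'giaddr' only when it is zero and leaves a non-zero value untouched, and a before/after comparison flags a relay that overwrote it. The packets, addresses and function names are constructed for illustration; the hop limit of 16 and the hop-count increment are assumptions taken from RFC 1542's relay rules, not from this page.

```python
import ipaddress
import struct

BOOTP_FIXED_LEN = 236   # op through file, before the options field
HOPS_OFFSET = 3         # 'hops' is the fourth octet of the header
GIADDR_OFFSET = 24      # 'giaddr' follows op/htype/hlen/hops, xid, secs, flags, ciaddr, yiaddr, siaddr
BOOTREQUEST = 1
ZERO = ipaddress.IPv4Address("0.0.0.0")


def build_request(giaddr, hops=0):
    """Build a constructed BOOTREQUEST with the given giaddr and hop count."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, hops,          # op, htype (Ethernet), hlen, hops
        0x12345678, 0, 0,                 # xid, secs, flags
        b"", b"", b"",                    # ciaddr, yiaddr, siaddr (zero-filled)
        ipaddress.IPv4Address(giaddr).packed,
        bytes.fromhex("020000000001"),    # chaddr, zero-padded to 16 bytes
        b"", b"",                         # sname, file
    )
    return fixed + b"\x63\x82\x53\x63" + b"\xff"   # magic cookie + end option


def get_giaddr(packet):
    """Return the relay agent address carried in the packet."""
    return ipaddress.IPv4Address(bytes(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4]))


def relay_request(packet, ingress_ip, max_hops=16):
    """Return the packet to forward toward the server, or None to discard it.

    giaddr is written only when it is zero; a non-zero giaddr set by an
    earlier relay is forwarded unchanged.
    """
    if len(packet) < BOOTP_FIXED_LEN or packet[0] != BOOTREQUEST:
        return None
    if packet[HOPS_OFFSET] > max_hops:
        return None
    out = bytearray(packet)
    out[HOPS_OFFSET] = min(packet[HOPS_OFFSET] + 1, 255)
    if get_giaddr(packet) == ZERO:
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(ingress_ip).packed
    return bytes(out)


def giaddr_was_overwritten(before, after):
    """True if a non-zero giaddr in 'before' differs in 'after' (the bug's symptom)."""
    original = get_giaddr(before)
    return original != ZERO and get_giaddr(after) != original


if __name__ == "__main__":
    direct = build_request("0.0.0.0")
    already_relayed = build_request("192.0.2.1", hops=1)
    for label, pkt in (("direct", direct), ("already relayed", already_relayed)):
        out = relay_request(pkt, "10.1.1.1")
        print(label, "->", get_giaddr(out), "overwritten:", giaddr_was_overwritten(pkt, out))
```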
745947-2 : Add log events for MRF SIP registration/deregistration and media flow creation/deletion
Links to More Info: BT745947
Component: Service Provider
Symptoms:
Generally, only error conditions are logged for SIP. More logging is needed around SIP registration/deregistration, media flow creation/deletion, to help with debugging operations.
Conditions:
log.mrsip.level notice or above.
Impact:
Only error conditions are logged. Events helpful for debugging are not available in the logs.
Workaround:
There is no workaround at this time.
Fix:
Logging is now available for SIP registration/deregistration and media flow creation/deletion.
Fixed Versions:
14.1.0.6
745923-2 : Connection flow collision can cause packets to be sent with source and/or destination port 0
Links to More Info: BT745923
Component: Local Traffic Manager
Symptoms:
Symptoms vary based on traffic impacted:
-- Virtual server may reset a connection with the source and/or destination port set to 0 when the client sends an ACK after a 4-way close.
-- UDP traffic to a virtual server with UDP profile immediate timeout configured or datagram load-balancing can collide with existing connections and be incorrectly sent with source and/or destination port 0.
Conditions:
-- Conditions to trigger this issue with TCP traffic:
- 3-way handshake initiated by client to virtual server.
- Client actively closing the connection - 4-way close.
- Client continues to send ACK after 4-way close.
-- Conditions to trigger this issue with UDP traffic:
- UDP profile has timeout immediate configured or datagram load-balancing.
- UDP packet arrives that matches an expiring but still-present connection.
-- Provisioned for AFM.
Impact:
Virtual server performs an incorrect reset with source or destination port 0, or UDP proxy traffic is sent incorrectly with source and/or destination port 0.
Workaround:
None.
Fix:
Connection flow collision no longer causes packets to be sent from source port 0.
Fixed Versions:
13.1.3.5, 14.1.2.5, 15.0.1.4
745851 : Changed Default Cloud-Init log level to INFO from DEBUG
Links to More Info: BT745851
Component: TMOS
Symptoms:
Cloud-Init services generate too many debug log lines that populate their systemd journal.
Conditions:
Any BIG-IP VE release with Cloud-Init enabled and using "systemd".
Impact:
The volume of debug log lines might cause a VE administrator to miss more important information and severe errors when reading the journal.
Workaround:
Manually change all Cloud-Init's log levels to INFO from DEBUG.
Fix:
Cloud-Init's log default levels have been changed to INFO from DEBUG.
Fixed Versions:
14.1.0.1
745825-1 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
Links to More Info: BT745825
Component: TMOS
Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:
audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".
These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.
Conditions:
The audit_forwarder process is starting up and loading the configuration.
Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.
Workaround:
There is no workaround.
Fix:
The message has been modified to indicate that the configuration might still be loading, and it is now logged only once. A new message is logged indicating when audit_forwarder is enabled.
Fixed Versions:
13.1.3.2, 14.1.0.2
745813-1 : Requests are reported to local log even if only Bot Defense remote log is configured
Links to More Info: BT745813
Component: Application Security Manager
Symptoms:
Requests are logged locally on the BIG-IP system although they are supposed to be sent only to the remote logger.
Conditions:
- Bot Defense profile attached to a virtual server.
- Bot Defense remote logger profile attached to a virtual server.
Impact:
Requests logged locally on the BIG-IP system when they are not supposed to be.
Workaround:
None.
Fix:
Logging profile filter mechanism now honors remote and local logging configurations.
Fixed Versions:
14.1.0.2
745809-2 : The /var partition may become 100% full, requiring manual intervention to clear space
Links to More Info: BT745809
Component: TMOS
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free
Additionally, there may be periodic restarts of the restjavad and bigd daemons related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open on multi-blade VIPRION systems.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition
Workaround:
This workaround is temporary in nature, and may need to be periodically performed either manually or from a script. While these steps are performed, the BIG-IP REST API is temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
Fix:
The system deletes all Zip files in the REST root directory so that the partition-full condition no longer occurs.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.6
745802-1 : Brute Force CAPTCHA response page truncates last digit in the support id
Links to More Info: BT745802
Component: Application Security Manager
Symptoms:
Brute Force CAPTCHA response page shown to an end-user has a support id and the last digit is truncated.
Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.
Impact:
The support id presented to an end-user won't be matched to the one shown in the asm logs
Workaround:
There is no workaround at this time.
Fix:
The correct support ID is now shown in the CAPTCHA response page.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.2.1
745783-1 : Anti-fraud: remote logging of login attempts
Links to More Info: BT745783
Component: Fraud Protection Services
Symptoms:
There is no support for logging of login attempts to a remote service.
Conditions:
Using high speed logging (HSL) to log login attempts.
Impact:
There is no support for logging of login attempts.
Workaround:
None.
Fix:
FPS now uses HSL to report login attempts using configured templates, rate-limit, and publisher to a remote service.
To enable this feature:
# via tmsh only
tmsh modify sys db antifraud.riskengine.reportlogins value enable
# via tmsh or GUI
tmsh modify sys db antifraud.internalconfig.string1 value "<login attempt log template>"
tmsh modify sys db antifraud.internalconfig.string2 value "<log-rate-exceeded log template>"
tmsh modify sys db antifraud.internalconfig.number1 value "<log-rate-exceeded threshold>"
tmsh modify security anti-fraud profile <fps profile> risk-engine-publisher <publisher>
It is recommended that you use encoding when composing an HTTP template. The default encoding level is 0, meaning 'never encode'.
To change encoding level:
tmsh modify sys db antifraud.internalconfig.number2 value <0/1/2>
Behavior Change:
FPS now includes the ability to perform High Speed Logging (HSL) of all login attempts to specific protected URLs. These events can be forwarded to remote services (e.g. SIEM Server), and, when enabled, can help indicate whether applications are under attack.
Fixed Versions:
13.1.1.3, 14.1.0.3
745774-1 : Creating EC-only client SSL profile for forward-proxy without RSA key certs defined results in invalid profile
Links to More Info: BT745774
Component: Local Traffic Manager
Symptoms:
When you create an EC-key-cert-only client SSL profile and attach it to the virtual server, TMM marks the profile as invalid and reports an error in /var/log/ltm:
-- crit tmm[16024]: 01260000:2: Profile /Common/c.f: could not load default key file; invalidating profile.
Conditions:
The issue is seen when the following conditions are met:
-- An EC-type cert/key pair is configured on the client SSL profile.
-- Forward proxy is enabled in the client SSL profile.
-- No RSA key cert is configured on the client SSL profile.
Impact:
The system marks that client SSL profile invalid, rendering it unusable.
Workaround:
Also configure an RSA-type key cert on the client SSL profile.
Fix:
The client SSL profile no longer has the restriction for key/cert type when forward proxy is enabled.
Fixed Versions:
14.1.0.1
745733-3 : TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup
Links to More Info: BT745733
Component: Traffic Classification Engine
Symptoms:
TMSH command "tmsh show ltm urlcat-query" does not perform cloud lookup when there is no entry in the local database.
Conditions:
- TMSH command "show ltm urlcat-query abc.com" is executed.
- abc.com does not have an entry in the local webroot database.
Impact:
- Cloud lookup is not executed for unknown URL entries.
Fix:
Now the "tmsh show ltm urlcat-query" command performs cloud lookup when there is no entry in the local database.
Fixed Versions:
13.1.3.5, 14.1.0.2
745715-2 : MRF SIP ALG now supports reading SDP from a mime multipart payload
Links to More Info: BT745715
Component: Service Provider
Symptoms:
Previously all non-SDP SIP payloads were ignored. This would cause media pinhole flows to not be created.
Conditions:
An INVITE message or its response contained an SDP section in a mime multipart payload.
Impact:
Media pinhole flows were not created
Workaround:
None.
Fix:
The SIP ALG functions can now extract and process the SDP section of a mime multipart payload.
Fixed Versions:
14.1.0.2
745682-1 : Failed to parse X-Forwarded-For header in HTTP requests
Links to More Info: BT745682
Component: Local Traffic Manager
Symptoms:
Failed to parse X-Forwarded-For header. This results in failure when extracting proper values in DOSL7.
Conditions:
-- 'Accept XFF' is enabled in HTTP profile. HTTP profile is added to the virtual server.
-- Bot Defense profile is added to the virtual server.
-- HTTP request contains 'X-Forwarded-For' header.
Impact:
DOSL7 does not receive the proper values for X-Forwarded-For.
Workaround:
None.
Fix:
DOSL7 now receives the correct value under these conditions.
Fixed Versions:
13.1.3.6, 14.1.3.1
745663-3 : During traffic forwarding, nexthop data may be missed at large packet split
Links to More Info: BT745663
Component: Local Traffic Manager
Symptoms:
When splitting large packets, nexthop data is used for the first small packet, but missed in subsequent packets.
Conditions:
Forward of host LRO packet (e.g., FTP data-channel).
Impact:
Heavy packet loss, re-transmissions, and delays.
Workaround:
None.
Fix:
Transmission time is now relatively consistent and there is no significant packet loss or delay.
Fixed Versions:
13.1.3.5, 14.1.2.8
745654-4 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
Links to More Info: BT745654
Component: Access Policy Manager
Symptoms:
When many TCP connections need a new Kerberos ticket to be fetched from the KDC, websso processes requests more slowly than they arrive. This can lead to low throughput, and the virtual server is very slow to respond to requests.
Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.
Impact:
Low throughput and slow responses from Virtual server.
Workaround:
There is no workaround at this time.
Fix:
Increased the size of the websso worker queue so that the tmm and websso processes can communicate effectively. This eliminates virtual server slowness and increases throughput.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2
745629 : Ordering Symantec and Comodo certificates from BIG-IP
Links to More Info: BT745629
Component: TMOS
Symptoms:
This new feature enables ordering Symantec and Comodo certificates from the BIG-IP system.
Conditions:
You must have a Symantec or Comodo CA account to make certificate orders from the BIG-IP system.
Impact:
This new feature enables ordering of certificates from CAs Symantec and Comodo. CA-Approved certificates are automatically fetched and installed on the BIG-IP system.
Workaround:
None. This is a new feature.
Fix:
This release adds the capability to order/fetch and install certificates from CAs Symantec and Comodo.
Behavior Change:
You can now order/fetch and install certificates from the Symantec and Comodo Certificate Authorities.
Fixed Versions:
14.1.0.1
745628-1 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
Links to More Info: BT745628
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a NOTIFY message has been processed.
Conditions:
This occurs because the NOTIFY message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
Fix:
Hairpin mode is not entered when processing NOTIFY messages
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.2
745624-1 : Tooltips for OWASP Bot Categories and Anomalies were added
Links to More Info: BT745624
Component: Application Security Manager
Symptoms:
Tooltips for some OWASP Bot Categories and Anomalies are 'N/A' in GUI/REST.
Conditions:
- GUI page: Event Logs:: Bot Defense :: Bot Traffic.
- Bot classification is 'OWASP Automated Threat'.
Impact:
Tooltip shows 'N/A' instead of detailed description. You cannot see detailed description of Bot classification of traffic.
Workaround:
None.
Fix:
Tooltips for OWASP Bot Categories and Anomalies were added.
Fixed Versions:
14.1.0.2
745607-1 : Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly
Links to More Info: BT745607
Component: Application Security Manager
Symptoms:
3 month/last year filters are not displayed correctly in the applied filter.
Conditions:
3 month/last year filter applied in Bot Defense : Bot Traffic.
Impact:
You cannot see which filter is currently applied.
Workaround:
None.
Fix:
3 month/last year filter is now displayed correctly in applied filter.
Fixed Versions:
14.1.0.2
745590-1 : SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added
Links to More Info: BT745590
Component: Service Provider
Symptoms:
In MRF SIP ALG, the hairpin flag is part of the translation_details structure. Because a connection/translation might be used for multiple simultaneous calls, if any call is hairpinned, subsequent calls on the same connection will not translate SDP addresses.
Conditions:
-- A connection/translation using multiple simultaneous calls
-- A call is hairpinned.
Impact:
Subsequent calls on the same connection do not translate SDP addresses.
Workaround:
None.
Fix:
SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added.
Fixed Versions:
14.0.1.1, 14.1.0.6
745589-6 : In very rare situations, some filters may cause data-corruption.
Links to More Info: BT745589
Component: Local Traffic Manager
Symptoms:
In very rare situations, an internal data-moving function may cause corruption.
Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.
tmm crash
Conditions:
The affected filters are used, and some very rare situation occurs.
Impact:
This may cause silent data corruption, or a TMM crash. If there is a TMM crash, traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The data-moving function has been fixed to prevent data corruption.
Fixed Versions:
14.1.4.4
745574-1 : URL is not removed from custom category when deleted
Links to More Info: BT745574
Component: Access Policy Manager
Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.
Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.
Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.
Workaround:
"bigstart restart tmm" will resolve the issue.
Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.6
745533-6 : NodeJS Vulnerability: CVE-2016-5325
Component: Local Traffic Manager
Symptoms:
It was found that the reason argument in ServerResponse#writeHead() was not properly validated.
Conditions:
iRules LX is running on the BIG-IP system.
Impact:
A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.
Workaround:
N/A.
Fix:
NodeJS updated to patch for CVE-2016-5325
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
745531-2 : Puffin Browser gets blocked by Bot Defense
Links to More Info: BT745531
Component: Application Security Manager
Symptoms:
Users using the Puffin Browser are blocked when accessing the Virtual Server when it is protected with either Proactive Bot Defense (within DoSL7 profile) or with the Bot Defense profile.
This applies to all versions of the Puffin Browser: Desktop, Android, iOS.
Conditions:
- Users using the Puffin Browser on Desktop, Android, iOS
- Bot Defense Profile, or: DoSL7 profile with Proactive Bot Defense is used while the "Block Suspicious Browsers" checkbox is enabled
Impact:
Users of the Puffin Browser cannot access the website
Workaround:
None
Fix:
Users of the Puffin Browser can now access the website that is protected by Bot Defense without getting blocked.
For the fix to be applied, both a BIG-IP release and an ASU that contain the fix must be installed. Also, it is recommended to apply the following DB variable settings:
tmsh modify sys db dosl7.proactive_defense_validate_ip value disable
tmsh modify sys db dosl7.cs_validate_ip value disable
Fixed Versions:
13.1.1.4, 14.1.0.2
745514-1 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
Links to More Info: BT745514
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a SUBSCRIBE message has been processed.
Conditions:
This occurs because the SUBSCRIBE message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
Fix:
Hairpin mode is not entered when processing SUBSCRIBE messages
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.2
745465-1 : The tcpdump file does not provide the correct extension
Links to More Info: BT745465
Component: TMOS
Symptoms:
The output file from tcpdump generation is named support.tcpdump even though it is a compressed file.
Conditions:
Whenever tcpdump is generated and downloaded.
Impact:
You must rename the file with the correct file extension and then decompress it to access the .dmp files.
Workaround:
Rename the downloaded file from support.tcpdump to <filename>.tar.gz and decompress it.
Fix:
File name changed to support.tcpdump.tar.gz.
Behavior Change:
The tcpdump file has a different name and file extension - support.tcpdump.tar.gz
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
745404-4 : MRF SIP ALG does not reparse SDP payload if replaced
Links to More Info: BT745404
Component: Service Provider
Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.
Conditions:
This occurs internally while processing SDP in a SIP message.
Impact:
Changes to the SDP are ignored when creating media pinhole flows
Workaround:
None.
Fix:
The SDP payload is now reparsed if modified or replaced.
Fixed Versions:
12.1.5.2, 13.1.3, 14.0.1.1, 14.1.0.2
745324-1 : MCP crash or blocked for a long time when loading configuration
Links to More Info: BT745324
Component: Application Security Manager
Symptoms:
Configuration loading crashes while loading hundreds or thousands of bot-defense profiles at once. The system logs messages in /var/log/ltm:
-- err mcpd[8967]: 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_ulong_item(msg, CID2TAG(cid), val)' failed with error: 16908292, 01020036:3: The requested user role partition (admin Common) was not found.
-- err mcpd[8967]: 01070001:3: Failed to allocate memory for size 66256896 at framework/MCPProcessor.cpp:1041.
-- crit tmsh[640]: 01420001:2: The connection to mcpd has been lost, try again. : framework/RemoteMcpConn.cpp, line 74.
Conditions:
Loading configuration with hundreds or thousands of bot-defense profiles.
Impact:
MCP might crash or be blocked for a long time. The system cannot perform traffic management operations, report system status, or allow reconfiguration, and other daemons are also affected.
Workaround:
Create bot-defense profiles one at a time rather than loading a configuration with hundreds or thousands of bot-defense profiles at once.
Fix:
The configuration load no longer crashes while loading hundreds or thousands of bot-defense profiles at once.
Fixed Versions:
14.1.2.7
745261-2 : The TMM process may crash in some tunnel cases
Links to More Info: BT745261
Component: TMOS
Symptoms:
When Direct Server Return (DSR) or asymmetric routing with a tunnel is deployed, the TMM process may crash.
Conditions:
There are two scenarios that may lead to this issue:
Scenario 1: DSR
- DSR is deployed.
Scenario 2: Asymmetric routing
- The sys db variable connection.vlankeyed is set to 'disable'.
- A VLAN and a tunnel are used to handle asymmetric routing.
Impact:
The TMM process crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM process no longer crashes.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8
745027-2 : AVR is doing extra activity of DNS data collection even when it should not
Links to More Info: BT745027
Component: Application Visibility and Reporting
Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.
Conditions:
DNS Statistics collection or DNS-DoS is configured.
Impact:
avrd process is taking more CPU cycles for activity that is not needed. There is no impact to functionality.
Workaround:
None.
Fix:
The system no longer performs extra computation that is not needed in this case.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
744949-1 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
Links to More Info: BT744949
Component: Service Provider
Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.
Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message will have a different IP address than the request message.
Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.
Workaround:
There is no workaround at this time.
Fix:
The FROM header will now contain the client's IP address.
Fixed Versions:
13.1.1.5, 14.0.1.1, 14.1.0.2
744937-8 : BIG-IP DNS and GTM DNSSEC security exposure
Links to More Info: K00724442, BT744937
Component: Global Traffic Manager (DNS)
Symptoms:
For more information please see: https://support.f5.com/csp/article/K00724442
Conditions:
For more information please see: https://support.f5.com/csp/article/K00724442
Impact:
For more information please see: https://support.f5.com/csp/article/K00724442
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K00724442
Behavior Change:
Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:
-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap.
These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively.
When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type.
When using these variables:
-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.
Fixed Versions:
11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
744743-1 : Rolling DNSSEC Keys may stop generating after BIG-IP restart
Links to More Info: BT744743
Component: Global Traffic Manager (DNS)
Symptoms:
Rolling DNSSEC Keys may stop generating when a BIG-IP system restarts.
Conditions:
BIG-IP system gets restarted by calling 'bigstart restart' command.
Impact:
Rolling DNSSEC keys can stop generating.
Workaround:
None.
Fix:
Rolling DNSSEC Keys no longer stop regenerating after BIG-IP restart
Fixed Versions:
14.1.2.7
744707-2 : Crash related to DNSSEC key rollover
Links to More Info: BT744707
Component: Global Traffic Manager (DNS)
Symptoms:
When running out of memory, a DNSSKEY rollover event might cause a tmm crash and core dump.
Conditions:
-- System has low memory or is out of memory.
-- DNSSKEY rollover event occurs.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6
744686-2 : Wrong certificate can be chosen during SSL handshake
Links to More Info: BT744686
Component: Local Traffic Manager
Symptoms:
If two certificates of the same type are configured in an SSL profile, one marked 'usage CA' and the other not, the wrong one could be chosen during the handshake.
Conditions:
Two certificates of the same type are configured in an SSL profile.
Impact:
The wrong certificate could be chosen during the handshake.
Workaround:
Do not configure two certificates of the same type on an SSL profile.
Fixed Versions:
14.1.0.2
744685-2 : BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
Links to More Info: BT744685
Component: Local Traffic Manager
Symptoms:
An intermediate CA certificate should be considered invalid if the certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension. The BIG-IP system does not enforce this.
Conditions:
The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.
Impact:
The system might unexpectedly accept the SSL connection while the peer is using an inappropriate certificate.
Workaround:
None.
Fix:
With this fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension.
Behavior Change:
When authenticating a peer's SSL certificate, the system requires a CA certificate to have the 'Basic Constraints' and 'CA:True' in its extension, like this:
X509v3 Basic Constraints: critical
CA:TRUE
If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the handshake if the peer's CA certificate does not satisfy this requirement.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.0.2
744595-3 : DoS-related reports might not contain some of the activity that took place
Links to More Info: BT744595
Component: Application Visibility and Reporting
Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.
Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.
Impact:
DoS related reports might not contain some of the activity that takes place.
Workaround:
None.
Fix:
The issue is fixed; all telemetry data is now collected without errors.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
744589-3 : Missing data for Firewall Events Statistics
Links to More Info: BT744589
Component: Application Visibility and Reporting
Symptoms:
Some of the statistical information collected for Firewall events is lost and not reported.
When this occurs, the following message appears in the avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded
Conditions:
AFM is in use. No particular condition leads to the loss of statistics; it usually occurs under heavy activity.
Impact:
Statistical reports of Firewall Events are missing some of the activity that actually took place.
Workaround:
There is no workaround at this time.
Fix:
The issue with missing data is fixed.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
744516-4 : TMM panics after a large number of LSN remote picks
Links to More Info: BT744516
Component: Carrier-Grade NAT
Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.
Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.
Impact:
TMM restarts. Traffic is interrupted.
Workaround:
There is no workaround.
Fix:
TMM no longer panics regardless of the number of remote picks.
Fixed Versions:
12.1.4, 13.1.1.4, 14.1.0.6
744407-3 : While the client has been closed, iRule function should not try to check on a closed session
Links to More Info: BT744407
Component: Access Policy Manager
Symptoms:
tmm cores. System posts a message:
access::session exists is used during CLIENT_CLOSED iRule event.
Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'access::session exists' command is used inside the iRule event CLIENT_CLOSED.
Impact:
tmm may core. Traffic disrupted while tmm restarts.
Workaround:
Do not use the iRule command 'access::session exists' inside CLIENT_CLOSED.
Fix:
Command execution of 'access::session exists' is now prevented in the iRule event CLIENT_CLOSED.
Fixed Versions:
13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
744347-4 : Protocol Security logging profiles cause slow ASM upgrade and apply policy
Links to More Info: BT744347
Component: Application Security Manager
Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.
Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.
Impact:
ASM upgrade and apply policy are delayed.
Workaround:
There is no workaround at this time.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.2
744280-2 : Enabling or disabling a Distributed Application results in a small memory leak
Links to More Info: BT744280
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.
Conditions:
Enabling or disabling a Distributed Application.
Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.
Workaround:
None.
Fix:
Enabling or disabling a Distributed Application no longer results in a memory leak.
Fixed Versions:
13.1.3.4, 14.0.0.5, 14.1.2.5
744275-1 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
Links to More Info: BT744275
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}
Fix:
This release always clears the Mandatory bit for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.
Fixed Versions:
13.1.3.4, 14.1.0.2
744252-2 : BGP route map community value: either component cannot be set to 65535
Links to More Info: BT744252
Component: TMOS
Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.
Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.
Impact:
Unable to use the full range of BGP route map community values
Workaround:
There is no workaround at this time.
Fix:
This release allows the usage of 65535 for either (or both) BGP route map community values.
Fixed Versions:
13.1.3.6, 14.1.4
744210-2 : DHCPv6 does not have the ability to override the hop limit from the client.
Links to More Info: BT744210
Component: Local Traffic Manager
Symptoms:
A DHCPv6 packet may be dropped by a device after the DHCP relay if the client-provided hop limit is 1.
Conditions:
DHCPv6 Relay configured on the BIG-IP.
Impact:
Loss of DHCPv6 service.
Workaround:
There is no workaround at this time.
Fix:
A configurable hop limit override is now provided for client-sent DHCPv6 packets.
Fixed Versions:
13.1.3.2, 14.1.2.3
744204-1 : PCCD may exhaust system memory when compiling
Links to More Info: BT744204
Component: Advanced Firewall Manager
Symptoms:
PCCD will endlessly allocate memory during some compilations, causing the device to become unresponsive.
Conditions:
Certain rare configurations, such as having a single rule with 4095 VLANs in Zone configurations.
Impact:
Device becomes unresponsive.
Workaround:
Remove the offending configuration change. In order to do this, first run "bigstart stop pccd" in order to reclaim the memory that PCCD has consumed, and then edit the configuration.
Fixed Versions:
14.1.4.4
744188-1 : First successful auth iControl REST requests will now be logged in audit and secure log files
Links to More Info: BT744188
Component: TMOS
Symptoms:
Previously, the first successful REST request from a client was not logged.
Only subsequent REST calls, or initial failed REST calls from a client, were logged.
Conditions:
Making a successfully authenticated initial REST request from a new client to the BIG-IP system.
Impact:
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.
Workaround:
None.
Fix:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Here's an example of what shows in the audit log:
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Here's an example of what shows in the secure log:
-- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Subsequent REST calls will continue to be logged normally.
Behavior Change:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Subsequent REST calls will continue to be logged normally.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.0.2
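As an added example (not part of the F5 release notes and not F5 code), the Python below parses httpd(pam_audit) records in the format shown above and reports the first time each user/host pair appears, which is the event this fix makes visible. Treating a (user, host) pair as the client identity, the function names, and the sample lines modeled on the example above are assumptions.

```python
import re
from datetime import datetime

# key=value pairs in a pam_audit record; a value is "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TIME_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. Fri Oct 12 17:07:53 2018


def parse_pam_audit(line):
    """Return a dict for an httpd(pam_audit) record, or None for any other line."""
    if "httpd(pam_audit)" not in line:
        return None
    # /var/log/audit wraps the record after "RAW:"; /var/log/secure has no wrapper.
    body = line.split("RAW:", 1)[-1]
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    if not {"user", "host", "attempts", "start"} <= fields.keys():
        return None
    try:
        start = datetime.strptime(fields["start"], TIME_FMT)
        attempts = int(fields["attempts"])
    except ValueError:
        return None          # malformed record: skip rather than guess
    return {
        "user": fields["user"].split("(", 1)[0],   # bart2(bart2) -> bart2
        "host": fields["host"],
        "level": fields.get("level", ""),
        "attempts": attempts,
        "start": start,
    }


def first_seen_clients(lines, known=()):
    """Return one record per (user, host) pair not already in `known`.

    `known` is a baseline of pairs seen earlier (assumption: kept by the caller).
    The same event appears in both audit and secure logs, so pairs are de-duplicated.
    """
    seen = set(known)
    alerts = []
    for line in lines:
        rec = parse_pam_audit(line)
        if rec is None:
            continue
        key = (rec["user"], rec["host"])
        if key not in seen:
            seen.add(key)
            alerts.append(rec)
    return alerts


# Constructed sample lines, modeled on the log format shown in this entry.
_TAIL = 'partition=[All] level=Guest tty=(unknown) host={h} attempts=1 start="{t}" end="{t}".'
_AUDIT = ('-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user {u} - RAW: '
          'httpd(pam_audit): user={u}({u}) ' + _TAIL)
_SECURE = '-- info httpd(pam_audit)[26561]: user={u}({u}) ' + _TAIL
SAMPLE_LINES = [
    _AUDIT.format(u="bart2", h="10.10.10.10", t="Fri Oct 12 17:07:53 2018"),
    _SECURE.format(u="bart2", h="10.10.10.10", t="Fri Oct 12 17:07:53 2018"),
    _AUDIT.format(u="usr2", h="10.10.10.10", t="Fri Oct 12 17:09:02 2018"),
    "-- info sshd[4242]: constructed unrelated line",
    _AUDIT.format(u="bart2", h="192.0.2.44", t="Sat Oct 13 02:11:09 2018"),
]

if __name__ == "__main__":
    for rec in first_seen_clients(SAMPLE_LINES):
        print(f'{rec["start"].isoformat()} first REST login: {rec["user"]} from {rec["host"]}')
```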
743900-1 : Custom DIAMETER monitor requests do not have their 'request' flag set
Links to More Info: BT743900
Component: Local Traffic Manager
Symptoms:
Using the technique detailed in K14536: Customizing the BIG-IP Diameter monitor (https://support.f5.com/csp/article/K14536) to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.
Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.
Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server thinks it is a response.
Workaround:
None.
Fix:
Ensured that the 'request' flag is set for all DIAMETER monitor requests.
Fixed Versions:
14.1.0.2
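Added example, not F5 code: a Python check for the two DIAMETER flag conditions described in 744275 (Mandatory bit on the Product-Name AVP in a Capabilities Exchange Request) and 743900 ('request' flag missing on a message meant as a request), using the header and AVP layout of RFC 6733. The helper names, finding labels, and sample messages (including the Origin-Host and Product-Name values) are constructed for illustration.

```python
import struct

CMD_FLAG_REQUEST = 0x80     # 'R' bit in the command flags octet
AVP_FLAG_VENDOR = 0x80      # 'V' bit: a 4-byte Vendor-ID follows the AVP header
AVP_FLAG_MANDATORY = 0x40   # 'M' bit
CER_CODE = 257              # Capabilities-Exchange, the command matched by the iRule in 744275
PRODUCT_NAME = 269          # Product-Name AVP code, as used in that iRule
ORIGIN_HOST = 264           # Origin-Host AVP code


def build_avp(code, flags, data):
    """Encode one AVP without Vendor-ID, padded to a 4-byte boundary."""
    length = 8 + len(data)                      # AVP length excludes padding
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def build_message(code, flags, avps, app_id=0, hop=1, end=1):
    """Encode a Diameter message: 20-byte header followed by the AVPs."""
    body = b"".join(avps)
    length = 20 + len(body)
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([flags])
            + code.to_bytes(3, "big") + struct.pack("!III", app_id, hop, end) + body)


def parse_message(msg):
    """Decode the header and AVP list, rejecting inconsistent lengths."""
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(msg[1:4], "big")
    if length != len(msg) or length % 4:
        raise ValueError("bad message length")
    parsed = {"flags": msg[4], "code": int.from_bytes(msg[5:8], "big"), "avps": []}
    off = 20
    while off < length:
        if length - off < 8:
            raise ValueError("truncated AVP header")
        a_code, a_flags = struct.unpack_from("!IB", msg, off)
        a_len = int.from_bytes(msg[off + 5:off + 8], "big")
        hdr = 12 if a_flags & AVP_FLAG_VENDOR else 8
        if a_len < hdr or off + a_len > length:
            raise ValueError("bad AVP length")
        parsed["avps"].append(
            {"code": a_code, "flags": a_flags, "data": msg[off + hdr:off + a_len]})
        off += a_len + (-a_len % 4)             # skip padding to the next AVP
    return parsed


def check_outbound_request(msg):
    """Return finding labels for a message that is intended to be a request."""
    parsed = parse_message(msg)
    findings = []
    if not parsed["flags"] & CMD_FLAG_REQUEST:
        # 743900: without the R bit the peer interprets the message as a response.
        findings.append("REQUEST_FLAG_CLEAR")
    if parsed["code"] == CER_CODE:
        for avp in parsed["avps"]:
            # 744275: a peer intolerant of this bit resets the connection.
            if avp["code"] == PRODUCT_NAME and avp["flags"] & AVP_FLAG_MANDATORY:
                findings.append("PRODUCT_NAME_M_BIT")
    return findings


# Constructed sample messages.
_HOST = build_avp(ORIGIN_HOST, AVP_FLAG_MANDATORY, b"bigip.example.test")
CER_WITH_M_BIT = build_message(
    CER_CODE, CMD_FLAG_REQUEST, [_HOST, build_avp(PRODUCT_NAME, AVP_FLAG_MANDATORY, b"BIG-IP")])
CER_CLEARED = build_message(
    CER_CODE, CMD_FLAG_REQUEST, [_HOST, build_avp(PRODUCT_NAME, 0, b"BIG-IP")])
PROBE_WITHOUT_R = build_message(CER_CODE, 0, [_HOST, build_avp(PRODUCT_NAME, 0, b"BIG-IP")])

if __name__ == "__main__":
    for name in ("CER_WITH_M_BIT", "CER_CLEARED", "PROBE_WITHOUT_R"):
        print(name, check_outbound_request(globals()[name]))
```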
743826-1 : Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0)
Links to More Info: BT743826
Component: Application Visibility and Reporting
Symptoms:
When a pool member is defined with port any(0), calling the GetPoolMember() function gives an incorrect error message that the pool member was not found.
Conditions:
Pool member with port any(0)
Impact:
Wrong error message printed to avrd.log
Fix:
Added a flag that indicates whether or not to print an error message to the GetPoolMember() function.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
743815-2 : vCMP guest observes connflow reset when a CMP state change occurs.
Links to More Info: BT743815
Component: TMOS
Symptoms:
There is a connflow reset when a CMP state change occurs on a vCMP guest. The system posts log messages similar to the following: CMP Forwarder expiration.
Conditions:
-- vCMP configured.
-- Associated virtual server has a FastL4 profile with loose init and loose close enabled.
Impact:
This might interrupt a long-lived flow and eventually cause an outage.
Workaround:
None.
Fix:
The system now drops the connflow instead of resetting it.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7
743803-1 : IKEv2 potential double free of object when async request queueing fails
Links to More Info: BT743803
Component: TMOS
Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.
Conditions:
When an async IPsec crypto operation fails to queue.
Impact:
tmm restarts. All lost tunnels must be re-established.
Workaround:
No workaround known at this time.
Fixed Versions:
12.1.5, 13.1.1.4, 14.0.0.3, 14.1.0.6
743437-3 : Portal Access: Issue with long 'data:' URL
Links to More Info: BT743437
Component: Access Policy Manager
Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.
Conditions:
HTML page with very long 'data:' similar to the following example:
data:image/png;base64,...
Such URLs might be several megabytes long.
Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.
Workaround:
There is no workaround at this time.
Fix:
Now Portal Access handles very long 'data:' URLs correctly.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
743257-3 : Fix block size insecurity init and assign
Links to More Info: BT743257
Component: Local Traffic Manager
Symptoms:
After an HA failover, the block size insecurity checks create conditions for an infinite loop. This causes tmm to be killed by the sod daemon via SIGABRT.
Conditions:
Rare; not reproducible.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
The init and assign of block size insecurity were modified and debug checks added. A possible loop condition in ssl renegotiation was removed.
Fixed Versions:
13.1.3.2, 14.0.0.5, 14.1.2.5
743253-3 : TSO in software re-segments L3 fragments.
Links to More Info: BT743253
Component: Local Traffic Manager
Symptoms:
FastL4 does not re-assemble fragments by default, but on a system with software-enabled TSO (sys db tm.tcpsegmentationoffload value disable), those fragments are erroneously re-segmented.
Conditions:
The behavior is encountered on BIG-IP Virtual Edition when setting sys db tm.tcpsegmentationoffload value disable, but does not cause a tmm core on Virtual Edition.
Impact:
Already-fragmented traffic is fragmented again.
Workaround:
None
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
742860-3 : VE: Predictable NIC ordering based on PCI coordinates until ordering is saved.
Links to More Info: BT742860
Component: TMOS
Symptoms:
The order of interfaces in BIG-IP Virtual Edition (VE) is determined by the Linux kernel. The order of interfaces in tmm on the BIG-IP system does not match the order determined by the Linux kernel.
Conditions:
-- Repeatedly deploy BIG-IP configurations within KVM with many (e.g., 6 or more) interfaces.
-- Observe the order of devices on the PCI bus and the order that they are enumerated within tmm (1.1, 1.2, 1.3, etc.).
Impact:
Sometimes the order between the two does not match. This makes it difficult to reliably use the order with automation to ensure the right devices belong to the correct VLANs, and other operations.
Workaround:
Interrogate the MAC addresses of interfaces to map them against NIC definitions to determine the order.
Fix:
There is now a predictable NIC ordering based on PCI coordinates until ordering is saved.
Behavior Change:
The NIC ordering is now based on PCI coordinates, so you no longer need to interrogate the MAC addresses of interfaces to map them against NIC definitions to determine the order.
Fixed Versions:
13.1.3.6, 14.1.4
742852-1 : Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header
Links to More Info: BT742852
Component: Application Security Manager
Symptoms:
Bot defense blocks a request containing a TSPD101 cookie in query string. TSPD101 is sent when using the Safari browser, and cross-site redirect protection is applied on a request.
Conditions:
- ASM provisioned.
- Bot Defense profile attached to a virtual server.
- Cross-site redirection is applied on a request.
- Using the Safari browser.
Impact:
Cross-site requests are blocked during the grace period configured on the bot defense profile.
Workaround:
Disable browser verification in the bot defense profile.
Fix:
Cross-site redirect protection now works as expected when cookie is sent via query string.
Fixed Versions:
14.1.0.2
742829-1 : SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0
Links to More Info: BT742829
Component: Service Provider
Symptoms:
The BIG-IP system incorrectly handles SDP media ports. The UAC sends an SDP message body advertising that it can handle voice, text, and video. The UAS responds advertising voice and text, and indicates that video is not desired by setting the video port to '0'. The BIG-IP system does not honor the fact that the UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.
Conditions:
RTP media port defined in the SIP message is set to 0.
Impact:
Improper media channel creation.
Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.0.2
742628-3 : A tmsh session initiation adds increased control plane pressure
Links to More Info: BT742628
Component: TMOS
Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.
Conditions:
-- Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.
-- You are running certain versions of BIG-IP software, specifically:
- 12.1.x versions earlier than 12.1.5.3.
- 13.1.x versions earlier than 13.1.3.4.
- Any 14.x version earlier than 14.1.4, except 14.1.2.6.
- 15.0.x versions earlier than 15.0.1.2.
- 15.1.x versions earlier than 15.1.0.4.
Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.
Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:
tmsh modify /auth user ADMINUSERNAME shell bash
Fix:
This issue is fixed in the following releases:
-- 12.1.5.3 and later
-- 13.1.3.4 and later
-- 14.1.2.6
-- 14.1.4 and later
-- 15.0.1.2 and later
-- 15.1.0.4 and later
-- 16.0.0 and later
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2
742558-1 : Request Log export document fails to show some UTF-8 characters
Links to More Info: BT742558
Component: Application Security Manager
Symptoms:
After exporting an ASM security event log, the log file exists but the characters are not visible.
Conditions:
Decoding of UTF-8 characters fails in Request Log export for a small range of characters.
Impact:
The contents of the log are not human readable.
Workaround:
None.
Fix:
Request Log export document now shows UTF-8 characters correctly.
Fixed Versions:
14.1.0.6
742549-2 : Cannot create non-ASCII entities in non-UTF ASM policy using REST
Links to More Info: BT742549
Component: Application Security Manager
Symptoms:
You cannot create non-ASCII entities (such as URLs and parameters) in a non-UTF-8 policy using REST.
Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII entries using REST.
Impact:
You cannot create an entity (such as a URL or parameter) which contains non-ASCII characters using REST.
Workaround:
Use UTF-8.
Fixed Versions:
13.1.3.6, 14.1.2.7, 15.1.0.5
742251-1 : Add Alibaba Cloud support to Qkview
Links to More Info: BT742251
Component: TMOS
Symptoms:
Qkview has been updated to support obtaining files relevant to the Alibaba Cloud.
Conditions:
Run Qkview.
Impact:
Files related to the Alibaba Cloud were not collected.
Workaround:
None
Fix:
Files related to Alibaba Cloud are now collected.
Fixed Versions:
14.1.0.1
742237-4 : CPU spikes appear wider than actual in graphs
Links to More Info: BT742237
Component: Local Traffic Manager
Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.
Conditions:
CPU usage has spikes.
Impact:
Graphs of CPU spikes appear to last longer than they actually last.
Workaround:
Perform the following procedure:
1. Run the following command to record the 5-second average rather than the 1-second average:
sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf
2. Restart statsd to load the new configuration:
bigstart restart statsd
Fix:
CPU samples for graphs are averaged over a longer time to more closely represent the actual time between samples.
Fixed Versions:
12.1.5, 13.1.3.2, 14.1.2.1
742184-3 : TMM memory leak
Links to More Info: BT742184
Component: Local Traffic Manager
Symptoms:
-- High TMM memory utilization;
-- Aggressive sweeper activated;
-- the 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.
Conditions:
A fastL4 and a L7 profile (e.g. HTTP) are assigned to a virtual server.
Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.
Workaround:
Do not add a L7 profile to a fastL4 virtual server.
Fix:
TMM no longer leaks memory.
Note: there are limits to what L7 profiles such as HTTP can do when attached to fastL4 virtual servers, and this fix does not change them.
For more information see:
-- https://support.f5.com/csp/article/K16446
-- https://support.f5.com/csp/article/K16783
Fixed Versions:
13.1.3, 14.1.0.2
742078-6 : Incoming SYNs are dropped and the connection does not time out.
Links to More Info: BT742078
Component: Local Traffic Manager
Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.
Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.
Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.
Workaround:
There is no workaround.
Fix:
The following command enables the forwarding of an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable
Fixed Versions:
11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
741869-1 : Enable SysDb variable 'Connection.VgL2Transparent' prior to operating the BIG-IP in L2 transparent mode using VLAN groups.
Links to More Info: BT741869
Component: Local Traffic Manager
Symptoms:
Traffic is not passed across the VLAN group.
Conditions:
BIG-IP system configured to operate in L2 transparent mode using VLAN groups.
Impact:
Packets are not forwarded.
Workaround:
Configure a transparent next hop on the virtual server.
Fix:
SysDb variable 'Connection.VgL2Transparent' has been added to enable this functionality.
Behavior Change:
A new SysDb variable called 'Connection.VgL2Transparent' has been added. It can be enabled to enable L2 transparent forwarding in a VLAN group without needing to configure a transparent next hop on the virtual server.
Usage:
tmsh modify sys db Connection.VgL2Transparent value <enable|disable>
It is disabled by default.
Fixed Versions:
14.1.4.4
741862-1 : DNS GUI may generate error or display names with special characters incorrectly.
Links to More Info: BT741862
Component: Global Traffic Manager (DNS)
Symptoms:
-- If a DNS object name (such as a Server or Link) contains a special character, the name may be truncated after the special character when displayed in the GUI.
For example:
DNS -> GSLB -> Server :
- Select a server with name containing a special character (such as # or &).
- Go to Devices, Virtual Servers or Links tab.
- Click on the tab again or go to another tab.
DNS -> GSLB -> Links :
- Select a link with name containing special character (such as # or &).
- Go to Servers or Virtual servers tab, click on the tab again or go to other tab.
In such cases, the characters after the special character disappear in the Server and/or Link name.
-- Certain DNS GUI operations may generate an error such as:
"An error has occurred while trying to process your request."
For example:
DNS -> GSLB -> Pools -> Pool List :
- Select a Pool
- Go to Members tab
- Click Manage
Conditions:
-- The DNS object name may be displayed incorrectly if it contains a special character such as:
#
&
-- An error can occur on BIG-IP versions prior to 15.0.0 that contain the fix for ID1045421 (such as Engineering Hotfixes on versions 14.1.x or 13.1.x with a fix for ID1045421).
Impact:
-- DNS object names display incorrectly and may not be selectable for subsequent operations in the GUI.
-- You may not be able to manage DNS objects in certain contexts in the GUI.
Workaround:
Use the Command Line Interface (tmsh) to manage DNS objects.
Fix:
-- DNS object names containing special characters are displayed properly in the GUI.
-- GUI operations to manage DNS objects do not generate errors in the presence of the fix for ID1045421 on BIG-IP versions prior to 15.0.0.
Fixed Versions:
14.1.4.6
741702-3 : TMM crash
Links to More Info: BT741702
Component: TMOS
Symptoms:
TMM crashes during normal operation.
Conditions:
-- This can occur while passing normal traffic.
-- In this instance, APM and LTM are configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
14.1.4.4
741676-2 : Intermittent crash switching between tunnel mode and interface mode
Links to More Info: BT741676
Component: TMOS
Symptoms:
Changing the policy mode for an IPsec tunnel can crash when switching back and forth between tunnel mode and interface mode.
Conditions:
Changing mode in ipsec-policy from tunnel to interface, or vice versa.
Impact:
A tmm restart, after a core, interrupts all IPsec tunnel service until new SAs are negotiated to replace the old ones.
Workaround:
Start with desired mode, tunnel or interface, and avoid changing the value from one to the other.
Fix:
Changing mode between tunnel and interface now works as expected.
Fixed Versions:
14.1.2.8
741503-1 : The BIG-IP system fails to load base config file when upgrading with static IPv4★
Links to More Info: BT741503
Component: TMOS
Symptoms:
The BIG-IP system cannot load base config when upgrading with static IPv4. By default, the configuration is not moved on previous releases during the installation, but it moves mgmt address settings and the license.
Conditions:
This occurs during upgrade when a static mgmt IPv4 address is configured.
Impact:
Configuration does not load after upgrade.
Workaround:
Manually set the mgmt-dhcp value to 'disabled' in bigip_base.conf file.
Fix:
The BIG-IP system now loads the base config file as expected when upgrading with static IPv4 as mgmt address.
Fixed Versions:
14.1.0.6
741449-3 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
Links to More Info: BT741449
Component: Fraud Protection Services
Symptoms:
JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. component-validation cookie timestamp (set on cookie creation)
2. current BIG-IP timestamp
Currently, these timestamps are not available in the alert details.
Conditions:
A JAVASCRIPT_THRESHOLD alert is triggered.
Impact:
It is impossible to analyze the alert.
Workaround:
There is no workaround at this time.
Fix:
FPS should always include both timestamps when triggering the JAVASCRIPT_THRESHOLD alert
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
741222-2 : Install epsec1.0.0 into software partition.★
Links to More Info: BT741222
Component: Access Policy Manager
Symptoms:
On some hardware configurations, after the BIG-IP software upgrade, epsec1.0.0 install fails.
Conditions:
-- Upgrade from earlier versions to BIG-IP 14.1.0.
-- Attempting to install epsec1.0.0.
Note: This occurs on only some hardware platforms, including the following:
+ BIG-IP 4000
+ BIG-IP i2800 series
+ BIG-IP Virtual Edition
+ BIG-IP vCMP Guest
Impact:
Unable to install or use software check with APM endpoint inspection.
Workaround:
There is no workaround other than upgrading to a fixed version of the software.
Fix:
The epsec1.0.0 installation is now performed into the active BIG-IP software volume (/var), so this issue no longer occurs.
Fixed Versions:
14.1.2.3, 15.0.1.3
741213-2 : Modifying disabled PEM policy causes coredump
Links to More Info: BT741213
Component: Policy Enforcement Manager
Symptoms:
TMM undergoes core dump after a disabled policy has a new rule added.
Conditions:
-- Add a rule to disabled PEM policy.
-- Enable the PEM policy, and this policy is applied by PCRF.
-- Traffic is generated for this subscriber.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
Modify a PEM policy only when the policy is enabled.
Fixed Versions:
14.1.2.8
741048-1 : iRule execution order could change after editing the scripts
Links to More Info: BT741048
Component: Local Traffic Manager
Symptoms:
iRule execution order might change. For example, you have the following iRules configured on a virtual server: rule1, rule2, rule3, and they all have CLIENT_ACCEPTED. If you do not specify their priority, or if you specify the same priority to each one, when you edit one, the execution order changes. For example, if you edit the rule2 script, the execution order changes to rule2, rule1, rule3.
Conditions:
Multiple events have the same priority.
Impact:
Execution order changes.
Workaround:
Specify different priorities for iRules containing the same event.
Fix:
iRule execution order is now maintained after editing the scripts.
Fixed Versions:
14.1.0.6
740959-4 : User with manager rights cannot delete FQDN node on non-Common partition
Links to More Info: BT740959
Component: Local Traffic Manager
Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.
This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.
Conditions:
-- A user is created with manager rights for a non-Common partition.
-- That user does not have manager rights for the /Common partition;
-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.
-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.
Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.
Workaround:
You can use either of the following workarounds:
-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.
-- Create the FQDN template node on the /Common partition.
Fix:
A user with manager rights for a non-Common partition that has no manager rights to the /Common partition, is now able to successfully delete an FQDN template node created on that non-Common partition.
Fixed Versions:
12.1.5, 14.1.0.6
740589-1 : Mcpd crash with core after 'tmsh edit /sys syslog all-properties'
Links to More Info: BT740589
Component: TMOS
Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.
Conditions:
Configuring nonexistent local IP addresses and remote log server.
Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core. Traffic disrupted while mcpd restarts.
Workaround:
To mitigate the issue, you can use either of the following:
-- Follow these two steps:
1. Remove the remote log server from the configuration.
2. Replace the nonexistent local IP addresses with self IP addresses.
-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(192.0.2.1 port(512) localip(192.0.2.200) persist-name(r1));
udp(192.0.2.1 port(512) localip(192.0.2.201) persist-name(r2));
udp(192.0.2.100 port(512) localip(192.0.2.200) persist-name(r3));
udp(192.0.2.100 port(512) localip(192.0.2.201) persist-name(r4));
Fix:
Fixed a circular loop caused by a configuration with an empty (duplicate) persist-name.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
740543-1 : System hostname not display in console
Links to More Info: BT740543
Component: TMOS
Symptoms:
Hostname is not displayed in the shell prompt in bash and tmsh.
Conditions:
After reboot or upgrade, login to the host console, shell, or tmsh.
Impact:
Hostname is not displayed in the shell prompt.
Workaround:
Update hostname from GUI/TMSH.
Fix:
Hostname is now displayed in the shell prompt in bash and tmsh.
Fixed Versions:
14.1.0.6
740345-3 : TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
Links to More Info: BT740345
Component: Local Traffic Manager
Symptoms:
TMM generates core files on the device.
Conditions:
Issue is seen when connection mirroring, session mirroring and OCSP stapling are enabled.
Impact:
If a failover happens when an SSL handshake is in progress, TMM restarts and a core file is generated on the standby device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
739963-4 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Links to More Info: BT739963
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
To restore the state of the member, remove it and add it back to the pool.
Fixed Versions:
12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.2
739945-4 : JavaScript challenge on POST with 307 breaks application
Links to More Info: BT739945
Component: Application Security Manager
Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.
Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.
Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.
Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.
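One way to write the iRule this workaround describes, as an added example (not F5-supplied code). It assumes the cookie name matches the glob pattern TS*75 exactly as written above; the variable names are hypothetical.

```tcl
when HTTP_REQUEST {
    # Collect name/value pairs of any TS*75 cookie sent with a POST request.
    # The list is reset on every request so values never carry over between
    # requests on a keep-alive connection.
    set ts75_cookies [list]
    if { [HTTP::method] eq "POST" } {
        foreach cookie_name [HTTP::cookie names] {
            if { [string match "TS*75" $cookie_name] } {
                lappend ts75_cookies $cookie_name [HTTP::cookie value $cookie_name]
            }
        }
    }
}

when HTTP_RESPONSE {
    # Only act on a 307 Redirect that answers a POST which carried the cookie.
    if { [info exists ts75_cookies] && [HTTP::status] == 307 && [llength $ts75_cookies] > 0 } {
        foreach {cookie_name cookie_value} $ts75_cookies {
            # Re-issue the cookie on the '/' path so the browser also sends it
            # to the redirect target, whichever path that is on.
            HTTP::header insert "Set-Cookie" "${cookie_name}=${cookie_value}; Path=/"
        }
    }
}
```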
Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.
Fixed Versions:
12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.2
739618-2 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
Links to More Info: BT739618
Component: Application Security Manager
Symptoms:
When using an AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set a rule to control ASM in an LTM policy.
Conditions:
- AWAF or MSP license
Impact:
Admin cannot use the BIG-IP Configuration Utility to create an LTM policy that controls ASM, and must use TMSH.
Workaround:
Use TMSH to create the rule instead of GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}
Fix:
Users can now create an LTM rule in the BIG-IP Configuration Utility that controls ASM if they have an AWAF or MSP license.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.1.0.2
739570-3 : Unable to install EPSEC package★
Links to More Info: BT739570
Component: Access Policy Manager
Symptoms:
Installation of EPSEC package via tmsh fails with error:
Configuration error: Invalid mcpd context, folder not found (/Common/EPSEC/Images).
Conditions:
-- EPSEC package has never been installed on the BIG-IP device.
-- Running the command:
tmsh create apm epsec epsec-package <package_name>.iso local-path /shared/apm/images/<package_name>.iso
Impact:
First-time installation of EPSEC package through tmsh fails.
Workaround:
You can do a first-time installation of EPSEC with the following commands:
tmsh create sys folder /Common/EPSEC
tmsh create sys folder /Common/EPSEC/Images
tmsh install Upload/<package_name>.iso
Fix:
When EPSEC package is installed through tmsh command, the folder /Common/EPSEC/Images gets created if it does not exist.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
739507-1 : Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check
Links to More Info: BT739507
Component: TMOS
Symptoms:
After FIPS 140-2 license is installed on BIG-IP FIPS-certified hardware devices, the system halts while booting upon performing the FIPS integrity check.
Console shows messages similar to:
Starting System Logger Daemon...
[ OK ] Started System Logger Daemon.
[ 14.943495] System halted.
Conditions:
-- The BIG-IP device has a license that includes the FIPS 140-2 option (FIPS full-box license).
-- System element monitored by FIPS 140-2 integrity check has changed.
-- The device is rebooted.
Impact:
The device halts and cannot be used.
Workaround:
[1] Connect a terminal to the BIG-IP serial console port.
[2] From the console, enter the GRUB menu and boot into a partition that does not have a FIPS 140-2-enabled license, or into TMOS Maintenance.
[3] Mount config from the inactive partition (see K51222154: Mounting the filesystem of an inactive partition :: https://support.f5.com/csp/article/K51222154) that was halted, and examine the contents of /config/f5_public/fipserr, which shows the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
[4] Restore those files to their original versions.
[5] Truncate the inactive partition's /config/f5_public/fipserr, e.g., by running:
cat /dev/null > /mnt/test/f5_public/fipserr
[6] Reboot.
If the system still halts, repeat from Step [1] above, until this no longer happens.
Fix:
If your device is running a version where ID 739507 is fixed:
[1] Connect a terminal to the BIG-IP serial console port.
[2] From the serial console, enter the GRUB menu.
[3] Before the countdown expires, use the Up Arrow and Down Arrow keys to stop the countdown, and select the appropriate boot image.
[4] Press the key 'E' to start the edit options. A new GRUB menu displays.
[5] Use the Up Arrow and Down Arrow keys to navigate to the line that starts with 'linux', or the first line that starts with 'module'.
[6] Add a space, followed by NO_FIPS_INTEGRITY=1 (do not press ENTER).
[7] Press the Ctrl-X sequence or the F10 key to restart the system using the modified options.
The machine boots into the partition containing FIPS 140-2-enabled license.
[8] Examine the content of file /config/f5_public/fipserr to ascertain the cause of the FIPS module startup error.
[9] Fix the problem reported in the aforementioned error file.
[10] Run the test tool /usr/libexec/sys-eicheck.py to ensure that no fatal error is reported, such as:
Integrity Check Result: [ FAIL ]
If fatal errors persist, do not reboot (otherwise the system goes into the halt state, and the steps starting from Step [1] will need to be repeated). Instead, fix the problematic files reported. Rerun the test tool until no error is seen.
Note: You can find information on the sys-eicheck (FIPS) utility in the AskF5 Non-Diagnostic Article K00029945: Using the sys-eicheck (FIPS) utility :: https://support.f5.com/csp/article/K00029945.
[11] Truncate the file /config/f5_public/fipserr:
cat /dev/null > /config/f5_public/fipserr
Fixed Versions:
13.1.1.2, 14.1.4, 15.1.0.5
739505-2 : Automatic ISO digital signature checking not required when FIPS license active★
Links to More Info: BT739505
Component: TMOS
Symptoms:
Automatic ISO digital signature checking occurs but is not required when FIPS license active.
The system logs an error message upon an attempt to install or update the BIG-IP system:
failed (Signature file not found - /shared/images/BIGIP-13.1.0.0.0.1868.iso.sig)
Conditions:
When the FIPS license is active, digital signature checking of the ISO is automatically performed. This requires that both the ISO and the digital signature (.sig) file are uploaded to the system.
Impact:
Installation does not complete if the .sig file is not present or not valid. Installation failure.
Workaround:
To validate the ISO on the BIG-IP system, follow the procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140.
Fix:
The restriction of requiring automatic signature checking of the ISO is removed. The procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140 to perform the checks on or off the BIG-IP system is still valid, but that checking is optional.
Fixed Versions:
13.1.1.2, 14.1.4, 15.1.2.1, 16.0.1.1
739432 : F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems
Links to More Info: BT739432
Component: Access Policy Manager
Symptoms:
F5 Adaptive Auth Configuration is a configuration required on BIG-IP systems. This allows access to F5 Adaptive Authentication Service hosted on the cloud. As the reporting feature is deprecated, the Reports associated with the feature are removed from the BIG-IP system. The associated reports are now shown in the F5 Adaptive Auth Service instead.
Conditions:
Admin attempts to view F5 Adaptive Auth reports on the BIG-IP system.
Impact:
Admin cannot use F5 Adaptive Auth Reports on the BIG-IP system. This is because F5 Adaptive Auth Reports functionality has been removed from BIG-IP systems, and is no longer supported.
Workaround:
View the associated reports in the F5 Adaptive Auth Service instead.
Fix:
F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems.
Behavior Change:
The reporting feature of the F5 Adaptive Auth Configuration, which allows access to F5 Adaptive Authentication Service hosted on the cloud, is deprecated with this release, so the Reports associated with the feature are removed from the BIG-IP system. The associated reports are now shown in the F5 Adaptive Auth Service instead.
Fixed Versions:
14.1.0.2
739349-3 : LRO segments might be erroneously VLAN-tagged.
Links to More Info: BT739349
Component: Local Traffic Manager
Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up) might be erroneously VLAN-tagged when LRO is enabled.
Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.
Impact:
Egress traffic might sometimes be tagged.
Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:
tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>
Fix:
The system now ensures that fragment packet flags are correctly set.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.0.2
738964-2 : Instruction logger debugging enhancement
Component: Local Traffic Manager
Symptoms:
Specific platforms may experience a zip-engine lock-up for various reasons. When it happens, the symptoms follow a report pattern that declares the zip-engine requires reset. When resets persist, the instruction logger is unable to diagnose the value of the instructions sent to the zip-engine.
Conditions:
Invalid or unusual compression source data.
Impact:
Compression device goes off-line and CPU usage spikes as it takes over all compression responsibility. Lack of instruction logging makes it difficult to diagnose what occurred.
Workaround:
Disable hardware compression until issue is fixed.
Fix:
A new tcl variable, nitrox::comp_instr_logger, has been added. It has four possible values: off, on, force-restart-tmm and force-reboot-host. This variable is used for diagnosing issues with the Nitrox compression engine.
Fixed Versions:
14.1.4.1, 15.1.3
738945-4 : SSL persistence does not work when there are multiple handshakes present in a single record
Links to More Info: BT738945
Component: Local Traffic Manager
Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.
Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.
Impact:
The SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to the server, but the connection then stalls and eventually reaches the idle timeout.
Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.
After changing or disabling persistence, the transaction succeeds and no longer hangs.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
738943-3 : imish command hangs when ospfd is enabled
Links to More Info: BT738943
Component: TMOS
Symptoms:
- Dynamic routing enabled.
- ospfd protocol enabled.
- imish hangs.
Conditions:
- Running the imish command.
Impact:
Loss of the ability to show dynamic routing state using imish.
Workaround:
Restart the ospfd daemon.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
738891-1 : TLS 1.3: Server SSL fails to increment key exchange method statistics
Links to More Info: BT738891
Component: Local Traffic Manager
Symptoms:
When TLS 1.3 is negotiated with a server SSL profile, the key exchange method statistics do not increment.
Conditions:
-- TLS 1.3 is configured on a server SSL profile.
-- TLS 1.3 is the protocol version negotiated.
Impact:
Missing statistics.
Workaround:
None.
Fix:
The key exchange method statistics are now correctly incremented.
Behavior Change:
TLS 1.3 is now supported for configuration on server SSL profiles, so these statistics are now present.
Fixed Versions:
14.1.0.1
738865-3 : MCPD might enter into loop during APM config validation
Links to More Info: BT738865
Component: Access Policy Manager
Symptoms:
Mcpd crashes after a config sync.
Conditions:
This can occur during configuration validation when APM is configured.
Impact:
Mcpd may take too long to validate the APM configuration and is killed by watchdog, causing a core.
Workaround:
Use the Visual Policy Editor to configure access policy instead of tmsh commands.
The Visual Policy Editor does not allow policies to be created if they contain loops.
Fix:
Fixed an mcpd crash related to policy loop detection in APM.
Fixed Versions:
14.1.4.2, 15.1.4
738677-1 : Configured name of wildcard parameter is not sent in data integrity alerts
Links to More Info: BT738677
Component: Fraud Protection Services
Symptoms:
FPS sends a data integrity alert when a parameter is configured with 'Check Data Manipulation' enabled.
The alert includes the parameter's actual-name, actual-val-crc, and expected-val-crc.
For wildcard parameters, it is difficult to tell which parameter was found and triggered the data integrity alert, since FPS sends only the actual name that was found in the request.
Conditions:
Wildcard parameter defined for integrity check.
Impact:
Alert analysis is more difficult, as the actual matched parameter is not obvious.
Workaround:
None.
Fix:
FPS now includes wildcard parameter's configured-name in the data integrity alert.
Fixed Versions:
14.1.0.2
738676-1 : Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests
Links to More Info: BT738676
Component: Application Security Manager
Symptoms:
When trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests, the delete fails with an error and exceptions in restjavad.log:
[WARNING][593][30 Jul 2018 14:42:26 UTC][8100/mgmt ForwarderPassThroughWorker] URI:http://localhost:8100/mgmt/tm/asm/events/bot-defense-events?$top=200000, Referrer:https://<local_IP>/dms/bot_defense/bot_requests.php, Method:DELETE, Exception:java.util.concurrent.TimeoutException: remoteSender:<remote_IP>, method:DELETE
Conditions:
This can be encountered when deleting all bot requests while traffic is passing.
Impact:
Delete fails, and there is significant memory consumption in asm_config_server.
Workaround:
None.
Fix:
This release fixes the bot-requests deletion process to not fail with errors and not cause substantial memory consumption in asm_config_server.
Fixed Versions:
14.1.0.2
738593-1 : Vmware Horizon session collaboration (shadow session) feature does not work through APM.
Links to More Info: BT738593
Component: Access Policy Manager
Symptoms:
When the VMware virtual desktop interface (VDI) is configured, session collaboration or shadow session does not work.
Conditions:
-- VMware VDI configured and Desktop resource is accessed with native client or browser.
-- Shadow session is enabled in desktop.
Impact:
Desktop's Shadow session resource icon is not shown on webtop or native client.
Workaround:
N/A
Fix:
Users should see Desktop's shadow session icon when resources are loaded on to webtop or native client.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
738430-3 : APM is not able to do compliance check on iOS devices running F5 Access VPN client
Links to More Info: BT738430
Component: Access Policy Manager
Symptoms:
Compliance check against Microsoft Intune fails when an APM end user attempts a VPN connection from a managed iOS device running the F5 Access VPN client.
Conditions:
-- APM policy is configured to use Microsoft Intune for device compliance check.
-- APM end user is attempting VPN connection using the F5 Access VPN client on an iOS device.
Impact:
APM is not able to do compliance checks on the device, and VPN connection fails.
Workaround:
None.
Fix:
APM can now check iOS devices for compliance against Microsoft Intune.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
738330-3 : /mgmt/toc endpoint issue after configuring remote authentication
Links to More Info: BT738330
Component: TMOS
Symptoms:
'Invalid username or password.' error on the /mgmt/toc page after configuring remote authentication.
Conditions:
When remote auth is configured.
Impact:
Cannot configure remote authentication.
After configuring remote authentication, you can log in to the mgmt/toc area with the admin user, but logging in as a remote auth user results in 'You are not authorized to use this resource'.
Workaround:
On BIG-IP versions since 14.1.0.6 and 13.1.1.5:
Enable 'Fallback to Local' in the remote auth config section on the BIG-IP system:
tmsh modify auth source fallback true
Both local BIG-IP user 'admin' and LDAP user are now able to authenticate and access https://XX.XX.XX.XX/mgmt/toc.
On other versions of BIG-IP software, there is no workaround.
Fix:
When source type is set to a remote auth method, login now succeeds. If the remote server is unavailable, authentication now falls back to local authentication, if authentication source fallback is set to true.
Behavior Change:
This release allows fallback to local authentication. When the authentication source type is set to a remote authentication source, if the remote server is unavailable, authentication now falls back to local authentication, if authentication source fallback is set to true.
Fixed Versions:
13.1.3.5, 14.1.2.5, 15.0.1.4
738284-2 : Creating or deleting rule list results in warning message: Schema object encode failed
Links to More Info: BT738284
Component: Advanced Firewall Manager
Symptoms:
"Schema object encode failed: No foreign keys found for nested object" warning message is logged into /var/log/ltm while creating or deleting the rule list.
Jul 25 05:44:49 localhost.localdomain warning icr_eventd[4778]: 01a10008:4: Schema object encode failed: No foreign keys found for nested object with tag 17547
Conditions:
Observed in /var/log/ltm when creating or deleting a rule list:
tmsh create security firewall rule-list rule-list1
tmsh delete security firewall rule-list rule-list1
Impact:
The warning message has no impact on functionality and can be ignored.
Fix:
Log message has been changed to log at the debug level.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.1
738108-1 : SCTP multi-homing INIT address parameter doesn't include association's primary address
Links to More Info: BT738108
Component: TMOS
Symptoms:
When multihoming is enabled in an SCTP profile, the source-address of the INIT chunk was not added as an Address parameter in that INIT chunk.
Conditions:
Any SCTP profile where multi-homing is enabled.
Impact:
No impact for peers that implement SCTP in accordance with RFC 4960.
The RFC does not require that the address either should or should not be included in the INIT chunk, but does require that an entity receiving an INIT chunk include the source-address in its list regardless of whether that is included in the INIT chunk.
Workaround:
No known workaround.
Fix:
BIG-IP now includes all relevant addresses in the INIT chunk.
Behavior Change:
When multihoming is enabled, the local address will now be added to the INIT chunk. Previously the local address (that is, the address that the datagram is sent from) was not listed as an Address parameter. This is permitted, but not required, by RFC 4960 section 3.3.2.1.
Fixed Versions:
14.1.0.2
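The receiver-side rule described for 738108, as an added example (not F5 code): it builds an INIT chunk with and without the sender's own address as an Address parameter and shows that a receiver that always adds the packet source address ends up with the same peer address list either way. The function names and the 192.0.2.x addresses are constructed for illustration; the chunk layout and parameter types 5 and 6 follow RFC 4960.

```python
import ipaddress
import struct

INIT_CHUNK = 1    # chunk type of INIT
PARAM_IPV4 = 5    # IPv4 Address parameter (RFC 4960 section 3.3.2.1)
PARAM_IPV6 = 6    # IPv6 Address parameter
FIXED_LEN = 20    # 4-byte chunk header + 16 bytes of fixed INIT fields


def build_init_chunk(addresses, init_tag=0x1234ABCD, a_rwnd=65536,
                     out_streams=10, in_streams=10, initial_tsn=1):
    """Build an INIT chunk carrying one Address parameter per entry."""
    params = b""
    for text in addresses:
        addr = ipaddress.ip_address(text)
        ptype = PARAM_IPV4 if addr.version == 4 else PARAM_IPV6
        # Parameter header: type, then length including the 4-byte header.
        params += struct.pack("!HH", ptype, 4 + len(addr.packed)) + addr.packed
    fixed = struct.pack("!IIHHI", init_tag, a_rwnd,
                        out_streams, in_streams, initial_tsn)
    body = fixed + params
    return struct.pack("!BBH", INIT_CHUNK, 0, 4 + len(body)) + body


def parse_init_addresses(chunk):
    """Return the addresses listed as Address parameters in an INIT chunk."""
    if len(chunk) < FIXED_LEN:
        raise ValueError("INIT chunk too short")
    ctype, _flags, length = struct.unpack_from("!BBH", chunk, 0)
    if ctype != INIT_CHUNK:
        raise ValueError("not an INIT chunk")
    if length < FIXED_LEN or length > len(chunk):
        raise ValueError("bad INIT chunk length")
    offset = FIXED_LEN
    listed = []
    while offset + 4 <= length:
        ptype, plen = struct.unpack_from("!HH", chunk, offset)
        if plen < 4 or offset + plen > length:
            raise ValueError("bad parameter length")
        value = chunk[offset + 4:offset + plen]
        if ptype == PARAM_IPV4 and plen == 8:
            listed.append(ipaddress.IPv4Address(value))
        elif ptype == PARAM_IPV6 and plen == 20:
            listed.append(ipaddress.IPv6Address(value))
        # Other parameter types are skipped; each is padded to 4 bytes.
        offset += (plen + 3) & ~3
    return listed


def peer_transport_addresses(chunk, packet_source):
    """Addresses a receiver records for the peer: every listed address
    plus the source address of the packet that carried the INIT."""
    source = ipaddress.ip_address(packet_source)
    combined = parse_init_addresses(chunk)
    if source not in combined:
        combined.append(source)
    return combined


if __name__ == "__main__":
    src = "192.0.2.10"                                  # constructed primary address
    before = build_init_chunk(["192.0.2.11"])           # primary not listed
    after = build_init_chunk([src, "192.0.2.11"])       # primary listed
    for label, chunk in (("before fix", before), ("after fix", after)):
        print(label,
              [str(a) for a in parse_init_addresses(chunk)],
              [str(a) for a in peer_transport_addresses(chunk, src)])
```

A peer that only trusts the listed parameters sees a different address set for the two chunks, which is the interoperability gap the fix closes.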
738032-1 : BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.
Links to More Info: BT738032
Component: Local Traffic Manager
Symptoms:
The BIG-IP system maintains an SSL session cache for SSL (https) monitors. After changing the properties of an SSL monitor that might affect the operation of SSL, the BIG-IP continues to reuse an existing SSL session ID.
Conditions:
-- The BIG-IP system has a cached session ID from a previous SSL session.
-- SSL properties of the monitor that might affect the operation of SSL are changed.
-- Monitor is using bigd.
Impact:
Sessions continue to use the cached session ID. If the session continues to succeed, it uses the cached session ID until expiry.
Workaround:
-- Restart bigd.
-- Remove the monitor from the object and re-apply.
-- Use in-tmm monitors.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
737985-2 : BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode.
Links to More Info: BT737985
Component: Local Traffic Manager
Symptoms:
Services that require Standard Proxy mode cannot be used.
Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.
Impact:
Prevents services that require Standard Proxy mode from being leveraged in an L2 transparent deployment.
Workaround:
None.
Fix:
Standard Proxy mode is now supported.
Fixed Versions:
14.1.2.1
737866-2 : Rare condition memory corruption
Links to More Info: BT737866
Component: Application Security Manager
Symptoms:
The bd daemon cores.
Conditions:
Slow server and slow offload services.
Impact:
A bd crash and traffic disturbance.
Workaround:
None.
Fix:
A memory corruption condition was fixed.
Fixed Versions:
14.1.0.2
737558-1 : Protocol Inspection user interface elements are active but do not work
Links to More Info: BT737558
Component: Protocol Inspection
Symptoms:
Protocol Inspection (PI) user interface options are present, but are not applied to traffic.
Protocol Inspection (PI) now requires the presence of either an add-on subscription or an AFM standalone license for any of the features to work. A 'Good' or 'Better' license does not activate the PI features. The Configuration Utility still allows you to configure inspection profiles, compliance checks, and signatures, but they are not applied to traffic. There is no feedback that they are not applied.
Conditions:
-- AFM licensed and provisioned through 'Good' or 'Better' license, but no add-on subscription license for Protocol Inspection. Alternately, AFM licensed as an add-on module to another module (typically LTM).
-- PI profile configured and applied to a virtual server or referenced in a firewall rule in an active firewall policy.
Impact:
If you previously had Protocol Inspection configured without the add-on license installed, the features are no longer applied to traffic until the add-on license is obtained. However, the GUI options remain active.
Workaround:
None.
Fixed Versions:
14.1.0.5
737536-2 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
Links to More Info: BT737536
Component: TMOS
Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|
The goal is to redistribute the default route received from the OSPF process that is peering with the Internet into OSPF process 2, and to have OSPF process 2 remove the associated route if that route is removed (e.g., an Internet link goes down). The 'default-information originate' command is the ideal choice for this, because as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2, and if that route is gone, OSPF process 2 immediately removes it from the routing table. However, enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected as it should be.
Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:
OSPF router config examples:
***
OSPF 1:
router ospf 1
ospf router-id 10.13.0.7
redistribute ospf
network 10.13.0.0/16 area 0.0.0.1
default-information originate
OSPF 2:
router ospf 1
ospf router-id 10.14.0.5
redistribute ospf
network 10.14.0.0/16 area 0.0.0.1
BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
***
-- Enabling 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive the advertised default route from BIG-IP OSPF process 1, if one exists.
# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
default-information originate
Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.
Workaround:
None.
Fix:
Enabling 'default-information originate' on OSPF process 2 forces OSPF process 2 to receive a default route from OSPF process 1, if one exists.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
737423-2 : Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033
Component: TMOS
Symptoms:
An integer wraparound has been discovered in the Binary File Descriptor (BFD) library distributed in GNU Binutils up to version 2.30. An attacker could cause a crash by providing an ELF file with corrupted DWARF debug information.
concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.
The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.
Conditions:
Command-line usage of binutils tools by users with Advanced Shell Access
Impact:
None in default, standard and recommended configurations.
Workaround:
None.
Fix:
Upgraded binutils to an unaffected version.
Fixed Versions:
14.1.0.2
737098-2 : ASM Sync does not work when the configsync IP address is an IPv6 address
Links to More Info: BT737098
Component: TMOS
Symptoms:
If the configsync IP address of the device is configured to be an IPv6 address, changes in ASM configuration do not synchronize across the cluster.
Conditions:
Devices in a Device Group have an IPv6 address set as their configsync IP address.
Impact:
ASM configuration does not synchronize across the Device Group.
Workaround:
Set the configsync IP address to be an IPv4 address and restart the asm_config_server process. To restart the asm_config_server process, run the following command:
pkill -f asm_config_server
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2
737035-2 : New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup.
Links to More Info: BT737035
Component: Advanced Firewall Manager
Symptoms:
BDoS feature (AFM/DHD) needs to share learned traffic characteristics across nodes (within a cluster) and across devices (within the device group).
Previous infrastructure used by BDOS could cause spikes in disk usage due to a large number of snapshot files being saved under /config/filestore/ partition (.trash_bin_d and files_d/Common_d/l4bdos_context_d sub-directories).
Conditions:
BDOS feature is enabled on at least 1 context (either at global context or at least 1 virtual server).
Impact:
The /config partition on the BIG-IP system consistently fills up with large numbers of directories/files under /config/filestore/, eventually causing system to run out of disk space under /config partition.
Workaround:
As a workaround, manually delete files/directories filling up under /config/filestore/ partition (.trash_bin_d and files_d/Common_d/l4bdos_context_d sub-directories) to free up disk space.
Fix:
BDOS now uses a new (and improved) infrastructure for sharing data across nodes/devices (within device group/cluster setup) that does not require snapshot files to be maintained under /config/filestore/ partition.
Fixed Versions:
14.0.0.5, 14.1.0.5
734551-3 : L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server
Links to More Info: BT734551
Component: Local Traffic Manager
Symptoms:
Configuration overhead that requires configuration of a virtual server per VLAN group.
Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.
Impact:
Configuration overhead to configure virtual server per VLAN group.
Workaround:
None.
Fix:
It is no longer necessary to configure a virtual server per VLAN group.
Fixed Versions:
14.1.2.1
734291-1 : Logon page modification fails to sync to standby
Links to More Info: BT734291
Component: Access Policy Manager
Symptoms:
Changes in the login page of VPE do not sync to standby.
Conditions:
1. You make changes to the logon page on the active device, making changes to the username or any other field on the login page of VPE.
2. You sync to standby, and it succeeds.
Impact:
When you access the standby device, the customization error failure message appears, and the dialog fails to open in VPE. You cannot see the changes made on the active device from the standby device.
Workaround:
Do not make changes to fields on the login page.
Fix:
Changes in the login page of VPE now sync to standby.
Fixed Versions:
13.1.1.5, 14.1.0.6
734228 : False-positive illegal-length violation can appear
Links to More Info: BT734228
Component: Application Security Manager
Symptoms:
A false-positive illegal-length violation.
Conditions:
A chunked request where the request length is more than half of the configured max-request length.
Impact:
False-positive illegal-length violation.
Workaround:
Configure a higher maximum request length.
Fix:
Fixed a false-positive request-length violation.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.2.3
731168-1 : BIG-IP may attempt to write to an out of bounds memory location, causing the bd daemon to crash.
Links to More Info: BT731168
Component: Application Security Manager
Symptoms:
The bd daemon crashes
Conditions:
-- ASM provisioned and passing traffic
-- Other conditions are unknown
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
A possible out of bounds write was fixed.
Fixed Versions:
14.1.4.5
730852-3 : The tmrouted repeatedly crashes and produces core when new peer device is added
Links to More Info: BT730852
Component: TMOS
Symptoms:
There is a tmrouted crash when new peer device is added.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Core produced. Tmrouted crashes repeatedly. Dynamic routing for all route domains is temporarily disrupted.
Workaround:
Have MCP force load as described in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
Fixed Versions:
14.1.4.4
727136-1 : One dataset contains large number of variations of TLS hello messages on Chrome
Links to More Info: BT727136
Component: Anomaly Detection Services
Symptoms:
Dataset of TLS fingerprints of clients of a site can consume significantly more space than needed.
Conditions:
-- BADOS with TLS signatures.
-- AFM end user clients using the Mozilla Chrome browser.
Impact:
The dataset is full, so it does not contain a full set of TLS fingerprints. As a result, there is a risk of creating false-positive TLS signatures.
Workaround:
Turn off TLS signatures.
Fix:
The dataset of TLS fingerprints now contains unique TLS fingerprints regardless of GREASE ciphers.
Fixed Versions:
14.1.0.2
727107-4 : Request Logs are not stored locally due to shmem pipe blockage
Links to More Info: BT727107
Component: Application Security Manager
Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to become stuck. Messages similar to the following appear in pabnagd.log:
----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.
Conditions:
Request Logs are not stored locally due to shmem pipe blockage.
Impact:
Event logs stop logging locally.
Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd
Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.
Fixed Versions:
12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
726983-2 : Inserting multi-line HTTP header not handled correctly
Links to More Info: BT726983
Component: Local Traffic Manager
Symptoms:
An HTTP header inserted by an iRule is not parsed properly when its value contains an embedded newline followed by whitespace. This can result in the new header being incorrectly split into multiple headers.
Conditions:
iRule which adds a header containing embedded newline followed by whitespace:
HTTP::header insert X-Multi "This is a\n multi-line header"
Impact:
New header does not get parsed properly, and its values are treated like new header values. In some cases the tmm may be restarted.
Workaround:
Ensure that the trailing whitespace text is not present (if not legitimately there). For manipulation of HTTP Cookie headers, use the HTTP::cookie API rather than directly via HTTP::header.
Fix:
Multi-line HTTP headers inserted by an iRule are now parsed correctly.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1
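The splitting behaviour described for 726983, as an added example (not F5 code and not an iRule): Python stands in for the check a rule author can apply to a value before passing it to HTTP::header insert. It shows how a parser that ignores line folding splits the page's X-Multi value into two records, how an unfolding parser reads it, and a sanitizer that collapses a newline-plus-whitespace fold into one space and rejects any other line break. All function names are hypothetical.

```python
import re

# A fold is a line break followed by at least one space or tab
# (obs-fold in RFC 7230 section 3.2.4, with a bare LF also accepted here).
FOLD = re.compile(r"[ \t]*\r?\n[ \t]+")
LINE_BREAK = re.compile(r"\r?\n")


def unfold_header_value(value):
    """Return a single-line header value, or raise ValueError.

    Folds are replaced by one space. A CR or LF that is not part of a fold
    would begin a new header line on the wire, so it is rejected.
    """
    unfolded = FOLD.sub(" ", value)
    if "\r" in unfolded or "\n" in unfolded:
        raise ValueError("line break in header value is not a fold")
    return unfolded.strip(" \t")


def serialize(headers):
    """Write (name, value) pairs as header lines, values taken verbatim."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers)


def parse_line_by_line(block):
    """Parser that ignores folding: every physical line is its own record.

    Lines without a colon are returned with a name of None.
    """
    records = []
    for line in LINE_BREAK.split(block):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if sep:
            records.append((name.strip(), value.strip(" \t")))
        else:
            records.append((None, line.strip(" \t")))
    return records


def parse_with_unfolding(block):
    """Parser that joins a line starting with SP/HTAB to the previous header."""
    records = []
    for line in LINE_BREAK.split(block):
        if not line:
            continue
        if line[0] in " \t" and records:
            name, value = records[-1]
            records[-1] = (name, value + " " + line.strip(" \t"))
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("header line without a colon")
        records.append((name.strip(), value.strip(" \t")))
    return records


if __name__ == "__main__":
    raw_value = "This is a\n multi-line header"   # the value from the iRule on this page
    wire = serialize([("X-Multi", raw_value)])
    print("line-by-line :", parse_line_by_line(wire))
    print("unfolding    :", parse_with_unfolding(wire))
    safe = unfold_header_value(raw_value)
    print("sanitized    :", parse_line_by_line(serialize([("X-Multi", safe)])))
```

After sanitizing, both parsers return the same single X-Multi record, so the result no longer depends on how the receiving parser treats folded lines.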
726734-4 : DAGv2 port lookup stringent may fail
Links to More Info: BT726734
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.
Conditions:
Active FTP with mirroring enabled.
Impact:
Connection cannot get established.
Workaround:
There is no workaround other than to disable mirroring.
Fix:
TMM is now always able to find a local port.
Fixed Versions:
13.1.3.2, 14.1.2.8
726647-5 : PEM content insertion in a compressed response may truncate some data
Links to More Info: BT726647
Component: Policy Enforcement Manager
Symptoms:
HTTP compressed response with content insert action can truncate data.
Conditions:
PEM content insertion action with compressed HTTP response.
Impact:
Data might be truncated.
Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.
Fix:
HTTP compressed response with content insert action no longer truncates data.
Fixed Versions:
12.1.4.1, 13.1.1.2, 14.0.0.3, 14.1.0.2
726518-3 : Tmsh show command terminated with CTRL-C can cause TMM to crash.
Links to More Info: BT726518
Component: Local Traffic Manager
Symptoms:
TMM crash when running show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name]
Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
-- The command is terminated by the client connection, aborting with CTRL-C.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not terminate tmsh show commands with CTRL-C.
Fixed Versions:
13.1.3.6, 14.1.2.8, 15.1.2
726487-4 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
Links to More Info: BT726487
Component: TMOS
Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:
-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.
-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.
Or:
--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).
--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.
Or:
err mcpd[12620]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Invalid static route modification. A destination change from 172.25.0.1%500 to 172.25.0.1 is not supported... failed validation with error 17237812.
Conditions:
This issue occurs when all of the following conditions are met:
-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Either:
+ Creating a pool member in that partition while a configuration save is taking place at the same time (either system- or user-initiated).
+ Modifying a route in that partition while a configuration save is taking place at the same time (either system- or user-initiated).
Impact:
If the system is Active, traffic is disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).
Workaround:
There is no workaround other than not to create pool members or modify routes from one client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.
Fix:
MCPD on secondary blades no longer restarts if a pool member is created or a route is modified in a partition that uses a non-default route domain at the same time as the configuration is being saved.
Fixed Versions:
12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6
726416-3 : Physical disk HD1 not found for logical disk create
Links to More Info: BT726416
Component: TMOS
Symptoms:
The blade error 'Physical disk HD1 not found for logical disk create' is observed when bigstart restart happens on primary blade of chassis-based systems using solid state drives (SSD).
/var/log/ltm shows messages similar to the following:
-- localhost.localdomain debug chmand[25459]: 012a0007:7: mcp_logical_disk mcp_create received
-- localhost.localdomain debug chmand[25459]: 012a0007:7: logical_disk create received: name[HD1] media[general_use_ssd]
-- localhost.localdomain err chmand[25459]: 012a0003:3: Physical disk HD1 not found for logical disk create
-- localhost.localdomain debug chmand[25459]: 012a0007:7: mcp_physical_disk mcp_create received
-- localhost.localdomain debug chmand[25459]: 012a0007:7: physical_disk create received: serial number[S3F3NX0K810723] name[HD1]
and/or
err chmand[4712]: 012a0003:3: Physical disk HD1 not found for logical disk create
The ltm log implies that the logical disk create is requested before the physical disk is created.
Conditions:
This occurs on chassis-based systems (more than one blade) using SSD, when bigstart restart happens on primary blade.
Impact:
The system posts the following error under ltm log:
err chmand[3370]: 012a0003:3: Physical disk HD1 not found for logical disk create.
When the system posts the error, it skips two API calls, which are related to updating DiskInfo and disk wearout information.
This message is benign and can be safely ignored.
Workaround:
There is no workaround.
Fix:
The message is no longer printed.
Fixed Versions:
14.1.2.8
726401-1 : ASM cannot complete initial startup with modified management interface on VE
Links to More Info: BT726401
Component: Application Security Manager
Symptoms:
If the management interface is configured to be on a different interface than eth0, ASM fails to start.
Conditions:
-- Running BIG-IP Virtual Edition (VE).
-- The management interface is configured to be on a different interface than eth0.
-- The config file (/etc/ts/common/image.cfg) does not reflect that change.
Impact:
ASM fails to start.
Workaround:
Modify the config file (/etc/ts/common/image.cfg) to match the non-default interface (e.g., eth1 instead of eth0).
Fix:
The management interface is now discovered dynamically during startup.
Fixed Versions:
14.1.2.7
726317-6 : Improved debugging output for mcpd
Links to More Info: BT726317
Component: TMOS
Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.
Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.
Impact:
None. Has no effect without log.mcpd.level set to debug.
Workaround:
None.
Fix:
New output helps F5 engineers diagnose mcpd problems more easily.
Fixed Versions:
12.1.5, 13.1.3.4, 14.1.0.6
726240-1 : 'Cannot find disk information' message when running Configuration Utility★
Links to More Info: BT726240
Component: TMOS
Symptoms:
When running the Configuration Utility in the GUI, after clicking Next on the License screen, the GUI reports an error and you are unable to proceed: Cannot find disk information.
Conditions:
The conditions that trigger this are unknown; in one scenario, it was observed after running 'tmsh load sys config default', suspending the BIG-IP Virtual Edition (VE) guest, and then restarting it and running the Configuration Utility.
Impact:
You are unable to proceed through the configuration utility.
Workaround:
If this occurs, reboot the device, and the error will fix itself.
Fixed Versions:
14.1.2.1
726176-2 : Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
Links to More Info: BT726176
Component: Local Traffic Manager
Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.
Conditions:
This issue occurs when all of the following conditions are met:
-- You are running on a BIG-IP platform using RSS DAG hash, for instance, Z100 and 2000/4000-series hardware platform
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.
Impact:
Traffic throughput may be degraded.
Workaround:
Set source-port to change.
Fix:
Platforms running RSS DAG hash now reuse source port at the correct rate when virtual server sets source-port preserve.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.1
725791-6 : Potential HW/HSB issue detected
Links to More Info: K44895409, BT725791
Component: TMOS
Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.
A burst of CRC errors in the SRAM for the ePVA transformation cache does not trigger a failover, and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This occurs because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packet tx/rx failures to trigger failover.
In these cases, there might be the following messages in /var/log/tmm*:
Device error: hsb_lbb* tre2_crc_errs count *
Conditions:
Traffic is offloaded to HSB hardware for acceleration.
Impact:
Hardware accelerated traffic drop.
Workaround:
Switch traffic to software acceleration.
Fix:
Traffic-critical registers are now included in failover triggers, which helps failover happen quickly with minimum disruption to traffic in the case of SRAM hardware failures.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.1.5, 14.1.0.6
725625-1 : BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK
Links to More Info: BT725625
Component: TMOS
Symptoms:
Data compression offload to QuickAssist devices is now enabled as part of BIG-IP Virtual Edition (VE) Cryptographic Offload feature.
BIG-IP VE Cryptographic Offload uses the Intel QAT 1.7 SDK. A newer QAT 1.7 SDK v4.4.0 provides code and firmware that fixes several known QAT defects, including a compression defect specific to Lewisburg/Lewis Hill QuickAssist devices.
Conditions:
-- BIG-IP VE SSL Offload is licensed
-- The BIG-IP VE VM has been assigned QAT Virtual Functions.
Impact:
BIG-IP VE Cryptographic and Compression offload are more reliable. The QAT 1.7 v4.4.0 SDK should be installed on the hypervisor host.
Workaround:
None.
Fix:
Several Intel QuickAssist defects have been fixed for BIG-IP VE Cryptographic and Compression Offload by upgrading BIG-IP VE to the Intel QAT 1.7 v4.4.0 SDK.
This newer QAT SDK introduces code and firmware support to fix several defects. A new Compress and Verify mode is introduced to work around a compression defect specific to Lewisburg/Lewis Hill QuickAssist devices.
See Intel's QuickAssist Release Notes for additional details:
https://01.org/sites/default/files/downloads//336211-009qatrelnotes.pdf.
Fixed Versions:
14.1.0.3
724824-3 : Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
Links to More Info: BT724824
Component: Local Traffic Manager
Symptoms:
After a Full Configuration Sync is performed in a device cluster, Ephemeral (FQDN) nodes on peers to the device initiating the Configuration Sync will report their status as Unknown with monitor status of Unchecked.
Note: The nodes are still monitored properly by the peer devices even though they are not reported as such.
Conditions:
-- Full configuration sync performed in a device cluster.
-- Ephemeral (FQDN) nodes configured.
Impact:
Monitor status on the peer devices is reported incorrectly.
Workaround:
Any of the following three options will correct reporting status on the peer devices:
-- Restart bigd
-- Cause monitoring to the FQDN nodes to fail for at least one probing interval, and then restore monitoring accessibility.
-- Disable and then re-enable the FQDN node
Each of these workarounds results in the reported status of the FQDN node on the peer reporting correctly again. The workarounds do not prevent a subsequent configuration sync from placing the FQDN nodes back into Unknown status on peers, however.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
724556-3 : icrd_child spawns more than maximum allowed times (zombie processes)
Links to More Info: BT724556
Component: TMOS
Symptoms:
icrd_child is issued a SIGTERM. The SIGTERM might not succeed in destroying the process, especially if the system is under a lot of load. This leads to zombie processes.
Conditions:
-- The icrd_child process is issued a SIGTERM that does not successfully destroy the icrd_child process.
-- System under heavy load.
Impact:
There are zombie icrd_child processes consuming memory.
Workaround:
Restart the system.
Fix:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds
If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.
If set to greater than 0, after the specified delay, SIGKILL will be issued after SIGTERM is issued to the icrd_child process if icrd_child process is not terminated.
A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.
Behavior Change:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds
If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.
If set to greater than 0, after the specified delay, SIGKILL will be issued after SIGTERM is issued to the icrd_child process if icrd_child process is not terminated.
A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.7
724327-2 : Changes to a cipher rule do not immediately have an effect
Links to More Info: BT724327
Component: Local Traffic Manager
Symptoms:
If a cipher rule is changed, and a cipher group that uses the rule is attached to an SSL profile, the change does not take effect until something else on the SSL profile changes.
Conditions:
-- A cipher group is used by an SSL profile.
-- One of its cipher rules changes.
Impact:
Unexpected behavior occurs because the cipher rule change does not take effect immediately.
Workaround:
After changing the cipher rule that's used by a cipher group, make a change to any SSL profile that uses the associated cipher group.
Fix:
Any changes to a cipher rule or cipher group now take immediate effect.
Fixed Versions:
13.1.1.4, 14.1.0.2
724109-2 : Manual config-sync fails after pool with FQDN pool members is deleted
Links to More Info: BT724109
Component: TMOS
Symptoms:
If a user deletes an FQDN pool on one BIG-IP system in a cluster and then runs a manual config sync with another BIG-IP system, the change fails to sync to the other BIG-IP systems in the cluster.
Conditions:
- Create fqdn pool in one BIG-IP
- Save sys config
- Run config sync
- Delete fqdn pool
- Save sys config
- Run config sync manually
Result: After the FQDN pool is deleted on one BIG-IP system, the manual config sync with the other BIG-IP system fails, and the deleted FQDN pool is still present on the other BIG-IP system.
Impact:
The FQDN pool is not deleted on the other BIG-IP system, and the manual config sync operation fails.
Workaround:
The workaround for this issue is to use auto-sync.
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.1, 15.0.1.1
723790-3 : Idle asm_config_server handlers consumes a lot of memory
Links to More Info: BT723790
Component: Application Security Manager
Symptoms:
Idle asm_config_server handlers needlessly use a large amount of memory.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.
Impact:
Unnecessary memory consumption.
Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------
2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.
Fixed Versions:
12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6
723288-4 : DNS cache replication between TMMs does not always work for net dns-resolver
Links to More Info: BT723288
Component: Global Traffic Manager (DNS)
Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.
Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.
Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.
Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.
Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)
Fixed Versions:
11.6.5.3, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6
723112-5 : LTM policies does not work if a condition has more than 127 matches
Links to More Info: BT723112
Component: Local Traffic Manager
Symptoms:
LTM policies do not work if the number of matches for a particular condition exceeds 127.
Conditions:
LTM policy that has a condition with more than 127 matches.
Impact:
LTM policy does not match the expected condition.
Workaround:
There is no workaround at this time.
Fix:
LTM policy now works for a condition with more than 127 matches.
Fixed Versions:
14.1.4.4, 15.1.4.1
722707-2 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
Links to More Info: BT722707
Component: Local Traffic Manager
Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be stimulated by configuring the firewall to enable traffic to/from the 'mysql' database, and then (after the 'mysql' monitor successfully connects with the database) changing firewall rules to drop packets returned *from* the database.
Conditions:
-- A 'mysql' monitor successfully connects to the 'MySQL' database.
-- Once connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.
Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).
Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1
722337-1 : Always show violations in request log when post request is large
Links to More Info: BT722337
Component: Application Security Manager
Symptoms:
The system does not always show violations in request log when post request is large.
Conditions:
A large post request with many parameters is sent.
Impact:
Although the violation is handled correctly, it is not reported.
Workaround:
Disable learning mode.
The internal parameter pb_sampling_high_cpu_load can define what is seen as high CPU load above which sampling does not take place. The default is 60.
-- Using a lower value reduces the chances of sampling data.
-- Using 0 makes sampling never happen and thus this issue does not occur (this slows down automatic policy building).
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1.1
722230-3 : Cannot delete FQDN template node if another FQDN node resolves to same IP address
Links to More Info: BT722230
Component: TMOS
Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.
Conditions:
This occurs under the following conditions:
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.
Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.
Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.3.1, 15.0.1.4, 15.1.0.2
721741-4 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
Links to More Info: BT721741
Component: Application Security Manager
Symptoms:
The bd log reports the following errors:
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------
Conditions:
Configuring IP Address Exceptions in a certain order, with and without a route domain.
Impact:
BD and BD_Agent are out of sync for IP Address Exceptions, which causes false positives and false negatives.
Workaround:
There is no workaround at this time.
Fix:
System no longer generates these false positive/negative log entries.
Fixed Versions:
12.1.3.7, 13.1.1.2, 14.1.0.2
721724-1 : LONG_REQUEST notice print incorrect in BD log
Links to More Info: BT721724
Component: Application Security Manager
Symptoms:
LONG_REQUEST notice print shows incorrect memory usage.
Conditions:
-- A long request is received.
-- View the LONG_REQUEST notice in the BD log.
Impact:
The LONG_REQUEST notice in the BD logs contains an incorrect value for the total memory used by long request buffers.
Workaround:
None.
Fix:
LONG_REQUEST notice print in BD log now shows correct amount of memory used by long request buffers.
Fixed Versions:
14.1.0.2
721585-1 : mcpd core processing ltm monitors with deep level of inheritance
Links to More Info: BT721585
Component: TMOS
Symptoms:
If the level of LTM monitor inheritance (defaults-from) is too large (that is, 9), mcpd fails to send sod a heartbeat within the heartbeat timeout, so sod restarts mcpd.
Conditions:
LTM monitors that have 9 levels of inheritance, for example:
mon1 defaults from mon2, which defaults from mon3, which defaults from mon4 ... to mon10
Impact:
mcpd is restarted, which causes services to fail over.
Workaround:
Rework the ltm monitors so that the level of inheritance is less than 9.
Fixed Versions:
14.1.0.2
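One way to find monitors that reach the 9-level inheritance depth described above, before they trigger an mcpd restart. This is an added example, not F5 code: it assumes monitors appear as bigip.conf-style "ltm monitor <type> <name> { ... defaults-from <parent> ... }" stanzas, counts only hops between monitors defined in the text (built-in parents such as /Common/http are not counted), and uses a constructed sample configuration.

```python
import re

# Depth at which the release note reports mcpd missing its heartbeat:
# mon1 -> mon2 -> ... -> mon10 is 9 defaults-from hops.
HOP_LIMIT = 9

HEADER = re.compile(r"^ltm monitor (\S+) (\S+) \{\s*$")
PARENT = re.compile(r"^\s+defaults-from (\S+)\s*$")


def build_sample():
    """Constructed sample config: a 10-monitor chain plus one shallow monitor."""
    stanzas = []
    for i in range(1, 11):
        parent = "/Common/mon%d" % (i + 1) if i < 10 else "/Common/http"
        stanzas.append(
            "ltm monitor http /Common/mon%d {\n"
            "    defaults-from %s\n"
            "    interval 5\n"
            "}" % (i, parent)
        )
    stanzas.append("ltm monitor tcp /Common/shallow {\n    defaults-from /Common/tcp\n}")
    return "\n".join(stanzas)


SAMPLE_CONFIG = build_sample()


def parse_parents(config_text):
    """Map each monitor name to its defaults-from parent (or None)."""
    parents = {}
    current = None
    for line in config_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(2)
            parents[current] = None
            continue
        if current is None:
            continue
        if line.startswith("}"):
            current = None  # end of this monitor stanza
            continue
        parent = PARENT.match(line)
        if parent:
            parents[current] = parent.group(1)
    return parents


def inheritance_hops(name, parents):
    """Count defaults-from hops through monitors defined in the config.

    Stops at a parent that is not defined in the text (a built-in monitor)
    and guards against a cyclic chain in hand-edited input.
    """
    hops = 0
    seen = {name}
    parent = parents.get(name)
    while parent in parents and parent not in seen:
        hops += 1
        seen.add(parent)
        parent = parents[parent]
    return hops


def audit(config_text, limit=HOP_LIMIT):
    """Return (monitor, hops) pairs whose chain reaches the limit."""
    parents = parse_parents(config_text)
    flagged = []
    for name in parents:
        hops = inheritance_hops(name, parents)
        if hops >= limit:
            flagged.append((name, hops))
    return sorted(flagged)


if __name__ == "__main__":
    for name, hops in audit(SAMPLE_CONFIG):
        print("%s: %d levels of inheritance, rework to fewer than %d" % (name, hops, HOP_LIMIT))
```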
720610-2 : Automatic Update Check logs false 'Update Server unavailable' message on every run
Links to More Info: BT720610
Component: TMOS
Symptoms:
The Automatic Update Check operation erroneously logs a message indicating that the Update Server is unavailable on every run, successful or not.
Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.
Impact:
Misleading 'PHONEHOME: Update Server unavailable' messages in the log file, implying that the update server is not available.
Workaround:
None.
Fix:
The Automatic Update Check operation no longer logs false messages.
Fixed Versions:
13.1.3, 14.1.2.7
720440-4 : Radius monitor marks pool members down after 6 seconds
Links to More Info: BT720440
Component: Local Traffic Manager
Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.
Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.
Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.
Workaround:
There is no workaround at this time.
Fix:
The maximum length of time that the radius probe will wait for has been increased from 6 seconds to 30 seconds.
Fixed Versions:
12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.0.5
720219-3 : HSL::log command can fail to pick new pool member if last picked member is 'checking'
Links to More Info: K13109068, BT720219
Component: Local Traffic Manager
Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.
Conditions:
-- Using HSL::log command.
-- An iRule with remote high speed logging configured.
Impact:
Failure to send log messages via HSL.
Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.
Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.
Fixed Versions:
12.1.5, 13.1.3, 14.0.1.1, 14.1.0.2
719589-2 : GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic
Links to More Info: BT719589
Component: Access Policy Manager
Symptoms:
GUI and CLI category lookup test tool (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup) can return different categories compared to the actual data-plane traffic
Conditions:
Access Policy, Secure Web Gateway : Database Settings : URL Category Lookup or command line lookup using 'urldb -c' construction.
Impact:
Some websites may be categorized differently depending on whether or not the IP is passed in. Correct category may not be returned.
Workaround:
None.
Fixed Versions:
13.1.3.2, 14.1.2.7
719555-5 : Interface listed as 'disable' after SFP insertion and enable
Links to More Info: BT719555
Component: TMOS
Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as 'disabled' in 'tmsh show net interface output' commands.
Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface output.
Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.
Workaround:
This issue is cosmetic; the interface is functional so it may be used.
To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface
Fixed Versions:
14.1.4, 15.1.1
719338-2 : Concurrent management SSH connections are unlimited
Links to More Info: BT719338
Component: TMOS
Symptoms:
There is no limit to the number of users that can login concurrently onto a BIG-IP system.
Conditions:
Multiple users are logged into the BIG-IP device through SSH at the same time.
Impact:
System can potentially run out of memory.
Workaround:
Provide a way to limit the number of concurrent user SSH sessions.
Fix:
There are new db variables available for specifying SSH session limits, overall, per-user, and for a specific user.
-- Command: modify sys global-settings ssh-session-limit [enable/disable]
Specifies enable/disable of ssh session limit feature.
+ Enables the feature; feature is functional with default values.
+ Defaults: feature is not enabled for admin/root privileged user.
+ Total session limit for all users is 10 sessions.
-- Command: modify sys global-settings ssh-root-session-limit [enable/disable]
Specifies enable/disable of SSH session limit feature for root user.
+ Enables feature for admin/root privileged user.
+ Total session limit for all users is still 10 sessions.
-- Command: modify sys global-settings ssh-max-session-limit <value>
Specifies a global maximum number of SSH sessions.
+ Changes the default global setting limit of 10 to the specified value.
-- Command: modify sys global-settings ssh-max-session-limit-per-user <value>
Specifies a global maximum number of SSH sessions for each user.
+ Sets the maximum session limit per user.
+ Total sessions on the system are still enforced by the setting for ssh-max-session-limit.
-- Command: create auth user <> session-limit <value>
Specifies a user-specific SSH sessions limit.
+ Sets the maximum number of sessions for a particular user.
+ Total sessions on the system are still enforced by the setting for ssh-max-session-limit.
Behavior Change:
There are new db variables available for specifying SSH session limits, overall, per-user, and for a specific user.
Fixed Versions:
13.1.4, 14.1.4, 15.1.1
719304-1 : Inconsistent node ICMP monitor operation for IPv6 nodes
Links to More Info: BT719304
Component: Local Traffic Manager
Symptoms:
While running ping from different blades in a multi-blade environment, pings fail from blades that do not have the tmm that is responsible for pinging the node.
Conditions:
The blade that does not contain the owning tmm is responsible for the node monitors.
Impact:
The node will be incorrectly marked as being unavailable/down.
Workaround:
You can use the following workarounds:
-- Statically assign the NDP entries.
-- Set the route to a gateway that has a non-zero host portion in the address.
Fixed Versions:
13.1.3, 14.1.4
719300-3 : ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address
Links to More Info: BT719300
Component: Local Traffic Manager
Symptoms:
ICMP unreachable packets sent by a server may be received by a client with the BIG-IP system's MAC address as the source MAC address.
Conditions:
BIG-IP deployed in an L2 transparent mode using VLAN groups.
Impact:
May impact services on the client that rely on source MAC address of incoming packets.
Workaround:
None.
Fix:
ICMP packets are now sent via the BIG-IP system in an L2 transparent mode.
Fixed Versions:
14.1.2.1
718790-1 : Virtual server reports unavailable and resets connection erroneously.
Links to More Info: BT718790
Component: Local Traffic Manager
Symptoms:
A Virtual server will respond to client SYN packets with RST and note an internal F5 reset cause of "VIP disabled (administrative)" despite having resources available or fallback functionality configured.
Conditions:
There are a number of different scenarios where this can occur:
1. All pool members marked administratively down, HTTP profile and Fallback Host configured
2. All pool members marked administratively down, iRule configured to select a different, available pool.
3. Pool members available, pool member status modified by ConfigSync operation.
Impact:
Client traffic is rejected by the virtual server despite its ability to successfully handle the traffic.
Workaround:
There are different workarounds based on the scenario:
1. If all pool members are marked administratively down, ensure at least one pool member is in a different state (Available, Offline etc).
2. If one or more pool members are available and a ConfigSync operation caused the behavior, fail over to the Standby BIG-IP and reboot the affected BIG-IP.
Fix:
N/A
Fixed Versions:
14.1.3.1
718573-1 : Internal SessionDB invalid state
Links to More Info: BT718573
Component: TMOS
Symptoms:
TMM crashes.
Conditions:
SessionDB is accessed in a specific way that results in an invalid state.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
14.1.4.4
718405-2 : RSA signature PAYLOAD_AUTH mismatch with certificates
Links to More Info: BT718405
Component: TMOS
Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.
The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.
Conditions:
Interoperating with other vendors under IKEv2 while using certificates.
Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.
Workaround:
Use pre-shared key authentication.
Fix:
BIG-IP systems now correctly build -- and verify -- AUTH payloads for RSA signatures and DSS, which should match other vendors and succeed, resulting in IKEv2 tunnels being created using certificates.
The DSS signature is no longer DER encoded, and the RSA signature now includes the 15-byte DER prefix (mandated by RFC3447, page 42) before the 20-byte SHA1 digest is signed by RSA.
Fixed Versions:
13.1.1.4, 14.1.0.6
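The encoding difference behind the PAYLOAD_AUTH mismatch above, shown as an added example (not F5 code): the RFC 3447 EMSA-PKCS1-v1_5 encoded message for SHA-1 built with and without the 15-byte DER DigestInfo prefix, and the rebuild-and-compare check a conforming verifier applies after the RSA public-key operation. The 256-byte length (a 2048-bit key) and the message bytes are assumptions constructed for the example; no RSA operation is performed.

```python
import hashlib
import hmac

# DER encoding of the DigestInfo header for SHA-1 (RFC 3447, section 9.2).
# These 15 bytes precede the 20-byte digest inside the signed block.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15_sha1(message, em_len, include_prefix=True):
    """Build EM = 0x00 || 0x01 || PS || 0x00 || T for a SHA-1 digest.

    include_prefix=False builds the non-conforming variant in which
    T is the bare digest without the DER prefix.
    """
    digest = hashlib.sha1(message).digest()
    t = (SHA1_DIGESTINFO_PREFIX if include_prefix else b"") + digest
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)  # at least 8 bytes of 0xff
    return b"\x00\x01" + ps + b"\x00" + t


def verify_encoded(message, em):
    """Verifier side: rebuild the expected EM and compare in constant time."""
    expected = emsa_pkcs1_v15_sha1(message, len(em))
    return hmac.compare_digest(expected, em)


def classify_em(em):
    """Describe a recovered EM, to tell a missing prefix from other faults."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return "not EMSA-PKCS1-v1_5"
    sep = em.find(b"\x00", 2)
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return "bad padding"
    t = em[sep + 1:]
    if len(t) == 35 and t[:15] == SHA1_DIGESTINFO_PREFIX:
        return "DigestInfo(SHA-1) + digest"
    if len(t) == 20:
        return "bare 20-byte digest, no DER prefix"
    return "unrecognized payload"


# Constructed stand-in for the octets an IKEv2 peer signs in IKE_AUTH.
SIGNED_OCTETS = b"constructed IKE_AUTH signed octets"
EM_LEN = 256  # assumption: 2048-bit RSA modulus

if __name__ == "__main__":
    conforming = emsa_pkcs1_v15_sha1(SIGNED_OCTETS, EM_LEN)
    bare = emsa_pkcs1_v15_sha1(SIGNED_OCTETS, EM_LEN, include_prefix=False)
    for label, em in (("with prefix", conforming), ("without prefix", bare)):
        print(label, "->", classify_em(em), "| verifies:", verify_encoded(SIGNED_OCTETS, em))
```

Both blocks cover the same digest, so the certificate and key can be valid on both sides while the AUTH comparison still fails.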
717896-4 : Monitor instances deleted in peer unit after sync
Links to More Info: BT717896
Component: Local Traffic Manager
Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.
During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.
Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.
Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled'); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.
Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.
Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.
Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
717806-3 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured
Links to More Info: BT717806
Component: Local Traffic Manager
Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.
Conditions:
A high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.
Impact:
No performance impact
Workaround:
None
Fixed Versions:
14.1.4.6
717306-1 : Added ability to use Vip-targeting-Vip with DNS Cache server-side connections
Links to More Info: BT717306
Component: Global Traffic Manager (DNS)
Symptoms:
A Vip-targeting-Vip setup for DNS Cache is not possible, as unbound connections do not match existing VIPs.
Conditions:
Virtual Server with same IP address as outbound DNS Cache server-side connections.
Impact:
Unable to perform Vip-targeting-Vip configurations with DNS Cache connections.
Workaround:
None.
Fix:
Added the ability to have DNS Cache server-side connections match to VIPs for VIP-targeting-VIP scenarios with the DB Variable DNSCache.MatchWildcardVip.
Fixed Versions:
14.1.4.2
717100-1 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
Links to More Info: BT717100
Component: Local Traffic Manager
Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.
The missing FQDN ephemeral pool members may be created an hour after initial operations.
Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.
Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members and cause any virtual servers using that pool to fail to pass traffic.
Workaround:
The following steps, alone or in combination, may help avoid this issue:
1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.
Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.
In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).
Fix:
Ephemeral pool members are now created for each pool under these conditions.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
716746-1 : Possible tmm restart when disabling single endpoint vector while attack is ongoing
Links to More Info: BT716746
Component: Advanced Firewall Manager
Symptoms:
tmm restarts.
Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.
Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.
Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.
Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.
Fix:
tmm no longer restarts when disabling single endpoint vector while an attack is ongoing.
Fixed Versions:
13.1.0.7, 14.1.4.2, 15.1.3, 16.0.1.2
716714-4 : OCSP should be configured to avoid TMM crash.
Links to More Info: BT716714
Component: Local Traffic Manager
Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.
Conditions:
OCSP not configured in the SSL profile.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than configuring OCSP in SSL profiles.
Fix:
In this release, TMM skips processing OCSP if it is not enabled.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.0.2
716167-2 : The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp
Links to More Info: BT716167
Component: Local Traffic Manager
Symptoms:
The MTU of the tmm_bp kernel interface may be out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
tmsh show /net vlan all-properties -hidden.
Conditions:
This issue occurs on first-boot after upgrading to versions later than v12.1.1 HF1.
Impact:
From the data plane perspective, this issue can cause excessive IP fragmentation on tmm_bp VLAN and high CPU usage.
In some cases it also causes packet loss.
From the config perspective, this issue has a few smaller impacts:
-- Fragmented packets on the tmm_bp interface for those packets greater in length than the actual MTU of this interface as given by the kernel in response to either of the following commands:
ip address list dev tmm_bp | egrep -i mtu
ifconfig tmm_bp
Note: This has no impact to the running system. Fragmented packets are reassembled in order for TCP clients of the tmm_bp interface.
-- The sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp as given by either of the following commands:
ip address list dev tmm_bp
ifconfig tmm_bp
-- Similarly, the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the Net::Vlan tmm_bp as returned by the command:
tmsh show net vlan -hidden tmm_bp
In short: The value of the VLAN tmm_bp MTU (as found in vlan.backplane.mtu) is not applied to the corresponding kernel interface.
Workaround:
Restarting the services applies the correct setting. Issue the following commands, in sequence:
tmsh stop sys service all
tmsh start sys service all
To verify the setting is correct, issue the command:
ip addr show dev tmm_bp ; tmsh show net vlan -hidden tmm_bp \; list sys db vlan.backplane.mtu
Fixed Versions:
13.1.3.4, 14.1.0.2
715110-1 : AVR should report 'resolutions' in module GtmWideip
Links to More Info: BT715110
Component: Application Visibility and Reporting
Symptoms:
AVR does not report 'resolutions' in GtmWideip module.
Conditions:
One of the following modules is provisioned: AVR, AFM, or DNS/GTM.
Impact:
There are no statistics reported on 'resolutions' in GtmWideip module.
Workaround:
There is no workaround.
Fix:
AVR now reports 'resolutions' in GtmWideip module.
Fixed Versions:
13.1.0.8, 14.1.0.2
715032-2 : iRulesLX Hardening
Links to More Info: K73302459, BT715032
Component: Local Traffic Manager
Symptoms:
iRulesLX does not follow current best practices and should be updated to ensure layered protections.
Conditions:
-- iRulesLX is in use.
Impact:
iRulesLX does not follow current best practices.
Workaround:
None.
Fix:
iRulesLX now follows current best practices.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
714642-4 : Ephemeral pool-member state on the standby is down
Links to More Info: BT714642
Component: Local Traffic Manager
Symptoms:
On a standby BIG-IP system, an ephemeral pool member's state remains user-down after re-enabling an FQDN node on the primary system.
Conditions:
Re-enabling a forced-down FQDN node on the primary system.
Impact:
On the standby system, the ephemeral pool-members are in state: user-down, (forced-down in GUI).
Workaround:
None.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
714502-2 : bigd restarts after loading a UCS for the first time
Links to More Info: BT714502
Component: Local Traffic Manager
Symptoms:
bigd restarts when loading a UCS for the first time. The load succeeds, no related messages are reported in /var/log/ltm, and no bigd core file is produced.
Conditions:
bigd loads a UCS file for the first time, such as after the command:
tmsh load sys ucs no-license keep-current-management-ip no-platform-check
Impact:
The UCS file is correctly reloaded, and bigd restarts with the loaded configuration. No bigd core is produced, and no related messages are found in /var/log/ltm. After restart, bigd performs all system functions as expected.
Workaround:
System runs as expected after the bigd restart, and the user need not take any action.
Fixed Versions:
14.1.2.7, 15.1.0.5
714372-3 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
Links to More Info: BT714372
Component: Local Traffic Manager
Symptoms:
The BIG-IP system's web-acceleration profile provides a number of caching and optimization options suitable for HTTP/1.1. It uses the 'Connection: Keep-Alive' header on the server side, which results in a 'Keep-Alive' header appearing in the response. This HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with such a header and reject them with a RST_STREAM message.
Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.
Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.
Workaround:
Use an iRule to remove the Keep-Alive header:
when HTTP_RESPONSE_RELEASE {
    HTTP::header remove keep-alive
}
Alternatively, use an LTM Policy where this header is removed from a server's response.
Fixed Versions:
14.1.4.4, 15.0.1.1, 15.1.0.2
714292-3 : Transparent forwarding mode across multiple VLAN groups or virtual-wire
Links to More Info: BT714292
Component: Local Traffic Manager
Symptoms:
This is a virtual-wire or vlan-group deployment scenario in which there is a BIG-IP system connecting two networks with more than one link. This scenario is referred to as 'asymmetric deployment'. In this case, the outgoing packet does not have the correct VLAN configured.
Conditions:
-- Virtual-wire or vlan-group configured.
-- BIG-IP system is connecting two networks with more than one link.
-- There is more than one virtual-wire/vlan-group to handle the traffic across multiple links.
-- Packets belonging to a flow arrive on any link with a valid VLAN.
Impact:
The connectivity between the endpoints fails.
Workaround:
None.
Fix:
Transparent forwarding mode now works across multiple VLAN groups or virtual-wire.
Behavior Change:
Transparent forwarding mode now works across multiple VLAN groups or virtual-wire.
Fixed Versions:
14.1.2.1
714176-3 : UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed
Links to More Info: BT714176
Component: TMOS
Symptoms:
-- UCS archive restore fails
-- The Traffic Management Shell (TMSH) and/or /var/log/ltm file show following error message:
01071769:3: Decryption of the field (privatekey) for object (9717) failed. Unexpected Error: Loading configuration process failed.
Conditions:
-- Restoring configuration from UCS.
-- The UCS is being restored on a different BIG-IP system with a different master key.
Impact:
-- The UCS configuration is not applied.
-- The BIG-IP is not in a fully operational state.
Workaround:
If you encounter this error and dynad (dynamic debug) is not in use, you can manually edit bigip_base.conf.
1. Locate the dynad config in /config/bigip_base.conf file:
For example, the dynad config will look like:
sys dynad key {
key $M$jV$VX7HMp5q346nsTYDYFPnYdJLrBPyQSCrDTJYAz4je7KXJAC38fxtDJL35KtF66bq
}
2. Modify the dynad configuration lines to:
sys dynad key {
key "test"
}
3. Save the updated bigip_base.conf file.
4. Load the configuration with command: tmsh load sys config
Fix:
The log message is improved to provide the BIG-IP administrator with more specific detail that the dynad key failed to be decrypted.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
713817-1 : BIG-IP images are available in Alibaba Cloud
Links to More Info: BT713817
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) images are now available in the Alibaba International Cloud Marketplace.
Conditions:
Create a virtual server instance within the Alibaba International Cloud environment and select BIG-IP from the list of available images.
Impact:
New offerings for BYOL and PAYG for BIG-IP VE are now available in the Alibaba International Cloud Marketplace.
Workaround:
BIG-IP VE images are now available in Alibaba Cloud.
Fix:
BIG-IP VE images are now available in Alibaba Cloud.
Behavior Change:
BIG-IP VE now supports the Alibaba International Cloud Marketplace.
Fixed Versions:
14.1.0.1
713754-1 : Apache vulnerability: CVE-2017-15715
Links to More Info: K27757011
713614-4 : Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)
Links to More Info: BT713614
Component: TMOS
Symptoms:
Warning similar to below, referencing a non-floating self IP:
Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)
Conditions:
Virtual Server is defined using the same IP address as a non-floating self IP.
Impact:
Virtual Server does not fail over with floating traffic group as expected.
Fixed Versions:
14.1.4.6, 15.1.0.5
712919-2 : Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
Links to More Info: K54802336, BT712919
Component: Local Traffic Manager
Symptoms:
When an iRule is removed from a Virtual Server, especially one with explicitly specified high priority (with 'priority' keyword), other iRules on the same Virtual Server may become 'invisible', i.e., they are present but some of them are no longer executed. It may affect all the events or only certain types of them. Under certain conditions the issue may even disappear upon removing another iRule, particularly if it has low priority and handles the same event as the one which introduced the problem.
Conditions:
Removing an iRule from a Virtual Server.
Impact:
Some or all iRules on given Virtual Servers stop being executed.
Workaround:
Restart or reload the configuration.
If iRules must be removed at run time and doing so triggers the problem, you can prevent the issue by having any iRule (even an empty one) for the same event as the iRule that is going to be removed, but with higher priority, e.g., with the attribute 'priority 1'.
Fix:
Corrected scanning of iRules stored behind the one which is being deleted.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.3
712857-3 : SWG-Explicit rejects large POST bodies during policy evaluation
Links to More Info: BT712857
Component: Access Policy Manager
Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 128 KB limit on POST bodies while the policy is being evaluated.
The system posts an error message similar to the following in /var/log/apm:
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048
Conditions:
This applies only during policy evaluation. After the policy has been set to 'Allow', there is no limit to the POST body.
Impact:
Unable to start an SWG-Explicit policy with a large POST body.
Workaround:
None.
Fix:
Now, you can resolve this issue by modifying db variable 'tmm.access.maxrequestbodysize' to use a value larger than the maximum request size you want to support.
Fixed Versions:
12.1.3.6, 14.1.4.5
712336-1 : bd daemon restart loop
Links to More Info: BT712336
Component: Application Security Manager
Symptoms:
Continuous BD restarts after a period in which /var was full and then cleaned.
Conditions:
/var was full and then cleaned
Impact:
Continuous BD restarts
Workaround:
A) Make a spurious change in a policy and apply it.
OR
B) Restart ASM
Fixed Versions:
12.1.5.3, 14.1.4.4
712335-3 : GTMD may intermittently crash under unusual conditions.
Links to More Info: BT712335
Component: Global Traffic Manager (DNS)
Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.
Conditions:
-- A pool member is added to the system.
-- There is an unexpected failure to create the associated statistics row.
Impact:
GTMD restarts. Global traffic functionality is not available while GTMD is restarting.
Workaround:
There is no workaround at this time.
Fix:
GTMD no longer intermittently crashes when a pool member is added to the system, but there is an unexpected failure to create the associated statistics row.
Fixed Versions:
12.1.6, 13.1.4, 14.1.2.7
710930-3 : Enabling BigDB key bigd.tmm may cause SSL monitors to fail
Links to More Info: BT710930
Component: Local Traffic Manager
Symptoms:
When bigd.tmm is enabled, SSL monitors may begin to fail.
Conditions:
-- The in-tmm monitoring feature is enabled via the bigd.tmm db variable (it is disabled by default)
-- The cipher string of the attached SSL profile uses keywords that are invalid with TMM.
Impact:
The cipher string will no longer be valid when bigd.tmm is enabled and the keywords will need to be modified or removed. SSL monitors begin to fail after modifying bigd.tmm.
Workaround:
Modify or remove incompatible keywords from the ciphers string; the in-tmm monitoring feature only allows ciphers that are allowed by SSL profiles.
Fixed Versions:
13.1.3.5, 14.1.3.1
710857-5 : iControl requests may cause excessive resource usage
Links to More Info: K64855220
709126-1 : Localdb authentication may fail
Links to More Info: BT709126
Component: Access Policy Manager
Symptoms:
In rare scenarios, localdb authentication may fail due to a thread synchronization issue in the apmd daemon.
Conditions:
- APM is provisioned
- Using localdb for authentication.
Impact:
Localdb authentication may fail
Workaround:
There is no workaround at this time.
Fix:
Software has been upgraded to fix the race condition issue.
Fixed Versions:
14.1.4
707013-3 : vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest
Links to More Info: BT707013
Component: TMOS
Symptoms:
-- clusterd restarts on secondary blade.
-- Messages similar to the following are logged in each secondary blade's /var/log/ltm file as clusterd restarts:
Management IP (<guest_management_ip>) already in use by (vcmp guest <guest_name>)
-- Messages similar to the following are logged in the primary blade's /var/log/ltm file when clusterd restarts on a secondary blade:
notice clusterd[3676]: 013a0006:5: Hello from slot 1.
notice clusterd[3676]: 013a0006:5: Informing MCP about slot ID 1 member status.
notice clusterd[3676]: 013a0006:5: Goodbye from slot 1.
Conditions:
-- Power-cycling a blade reproduces the issue most of the time.
-- Possibly specific to platform:
+ This issue has been seen on multiple hardware platforms, including B2100, B2150, B2250, and PB300.
+ Issue does not reproduce under the same conditions on a VIPRION 4800.
Impact:
Secondary slot on VIPRION hypervisor is in 'INOPERATIVE' state.
Workaround:
On the vCMP Host, copy the file /shared/db/cluster.conf from the primary to each secondary cluster member. For each secondary blade's slot, use a command similar to the following:
scp /shared/db/cluster.conf slot<slot number>:/shared/db/cluster.conf
Note: Implementing the workaround does not prevent the issue from recurring. An upgrade to an unaffected version is recommended.
Fixed Versions:
13.1.1.5, 14.0.1.1, 14.1.0.2
706782-3 : Inefficient APM processing in large configurations.
Links to More Info: BT706782
Component: Access Policy Manager
Symptoms:
In configurations with large numbers of virtual servers or other entities, the apmd, oauth, and localdbmgr processes may consume large amounts of system resources.
Conditions:
-- Large configuration.
-- APM provisioned.
-- Multiple traffic groups exacerbate the effect.
Impact:
Heavy use of odd-numbered CPU cores may slow all control-plane operations, including user-interface response.
Workaround:
None known.
Fixed Versions:
14.1.2.8, 15.0.1.3, 15.1.0.2
706521-4 : The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
Links to More Info: K21404407, BT706521
Component: TMOS
Symptoms:
TACACS Shared Key is not encrypted in the DB key and is visible to admin and a read-only user.
Conditions:
Configure TACACS+ auditing forwarder.
Impact:
Exposes sensitive information.
Workaround:
None.
Fix:
The sensitive data is not exposed, and this issue is fixed.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
705768-1 : The dynconfd process may core and restart with multiple DNS name servers configured
Links to More Info: BT705768
Component: Local Traffic Manager
Symptoms:
The dynconfd daemon may crash with a core and restart when processing a DNS query when there are multiple DNS name servers configured, or when the list of DNS name servers is changed.
Conditions:
This may occur rarely when FQDN nodes are configured and multiple DNS name servers are configured, including when a name server is added to or removed from the system DNS configuration while a DNS query is active.
Impact:
Resolution of FQDN names for FQDN nodes and pool members may be briefly interrupted while the dynconfd daemon restarts. This may cause a delay in propagation of DNS zone changes to the BIG-IP configuration.
Workaround:
This issue occurs rarely. There is currently no known workaround.
Fix:
The dynconfd process no longer cores and restarts with multiple DNS name servers configured.
Fixed Versions:
12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
705112-4 : DHCP server flows are not re-established after expiration
Links to More Info: BT705112
Component: Local Traffic Manager
Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.
Conditions:
- More than one DHCP server configured for a DHCP virtual.
- Server flows time out in 60 seconds.
Impact:
DHCP server traffic not load balanced.
Workaround:
None.
Fix:
New logic to re-establish server flows has been introduced to ensure that a relay agent has all DHCP servers connected.
Fixed Versions:
11.5.9, 12.1.4.1, 13.1.3, 14.1.2.5, 15.1.0.2
705037-7 : System may exhibit duplicate if_index, which in some cases leads to nsm daemon restart
Links to More Info: K32332000, BT705037
Component: TMOS
Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.
Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.
Impact:
-- Unreliable or confusing statistics via SNMP polling.
-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.
Workaround:
None.
Fix:
System no longer exhibits duplicate if_index statistics.
Fixed Versions:
12.1.4, 13.1.3, 14.0.1.1, 14.1.2.3
704552-2 : Support for ONAP site licensing
Links to More Info: BT704552
Component: TMOS
Symptoms:
ONAP site licensing not supported.
Conditions:
-- Attempting to use ONAP site licensing
Impact:
BIG-IP system does not license.
Workaround:
None.
Fix:
Ported ONAP site licensing support to this version of the software.
Behavior Change:
This version of the software supports ONAP site licensing.
Fixed Versions:
13.1.0.7, 14.0.0.2, 14.1.4.1
704450-5 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
Links to More Info: BT704450
Component: Local Traffic Manager
Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').
Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.
Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.
Workaround:
Reduce the load on the system.
Fix:
'bigd' does not crash and runs with complete configuration when (re-)starting when BIG-IP runs under heavy configuration resulting in 'mcpd' delaying its configuration of 'bigd'.
Fixed Versions:
12.1.5.2, 13.1.3.2, 14.1.0.2
704198-4 : Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance
Links to More Info: K29403988, BT704198
Component: Global Traffic Manager (DNS)
Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.
Conditions:
Modify the monitor for GTM objects using tmsh with replace-all-with.
Impact:
There is a leaked/extra monitor instance. Restarting the secondary slot results in a restart loop.
Workaround:
Impact of workaround: Might change the primary slot.
Restart services using the following command:
# bigstart restart
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.5
703593-1 : TMSH tab completion for adding profiles to virtual servers is not working as expected
Links to More Info: BT703593
Component: Local Traffic Manager
Symptoms:
TMSH tab completion for adding profiles to virtual servers does not work. The list of profiles is not displayed when tab is pressed.
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm virtual asdf profiles add {
Configuration Items:
[enter profile name]
Conditions:
List of profiles is not displayed when trying to add profiles during creation of a virtual server.
Impact:
List of available profiles is not displayed.
Workaround:
None.
Fix:
TMSH tab completion for adding profiles to virtual servers now shows the list of profiles.
Fixed Versions:
14.1.0.2
703165-4 : shared memory leakage
Links to More Info: BT703165
Component: Advanced Firewall Manager
Symptoms:
Processes that require shared memory to operate are failing (e.g. pabnagd).
Conditions:
Many shmem segments allocated and used by tmm.
Impact:
Potential failures in any process that requires shared memory segments, causing lack of services such as learning (bd+pabnagd), request logging (pabnagd+asm-config), etc.
Workaround:
There is no workaround at this time.
Fixed Versions:
13.1.3.5, 14.1.2.8
701529-2 : Configuration may not load or not accept vlan or tunnel names as "default" or "all"
Links to More Info: BT701529
Component: TMOS
Symptoms:
As a result of a known issue, configurations containing vlan or tunnels named "default" or "all" are no longer accepted.
Conditions:
Attempting to configure this will result in a log message similar to the following:
root@(f5-ve)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net tunnels tunnel default profile ppp
01070712:3: Cannot create tunnel 'default' in rd1 - ioctl failed: Invalid argument
Impact:
A configuration that contained this in earlier versions and upgraded to the affected version will fail to load.
Workaround:
Change or rename all instances of vlans and/or tunnels named "default" or "all"
Fixed Versions:
13.1.3.4, 14.1.2.7
699515-2 : nsm cores during update of nexthop for ECMP recursive route
Component: TMOS
Symptoms:
The Network Services Module daemon (nsm) cores while processing updates for ECMP recursive route nexthop.
Conditions:
Dynamic routing enabled.
BGP peers provide ECMP routes with recursive nexthop.
Impact:
Failures passing traffic using the dynamic routes.
Workaround:
There is no workaround.
Fix:
nsm is able to process ECMP route updates without problem.
Fixed Versions:
13.1.1.5, 14.1.2.5
697590-2 : APM iRule ACCESS::session remove fails outside of Access events
Links to More Info: BT697590
Component: Access Policy Manager
Symptoms:
ACCESS::session remove fails
Conditions:
iRule calling ACCESS::session remove outside of Access events.
Impact:
APM iRule ACCESS::session remove fails to remove session
Workaround:
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.1
697331-3 : Some TMOS tools for querying various DBs fail when only a single TMM is running
Links to More Info: BT697331
Component: Service Provider
Symptoms:
Command returns "No route to host" error.
Conditions:
Running diadb, sipdb, genericmsgdb or lsndb when only a single TMM is running.
Impact:
Unable to query SIP, Diameter, Generic-Message and LSN information from the corresponding DB query tools.
Workaround:
N/A
Fix:
Tools for querying various DBs now work regardless of the number of TMMs.
Fixed Versions:
14.1.3, 14.1.3.1, 15.1.1
696755-3 : HTTP/2 may truncate a response body when served from cache
Links to More Info: BT696755
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.
Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.
Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.
Workaround:
Adding the following iRule causes the body to be displayed:
when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}
Fix:
With the provided fix, HTTP/2 end users no longer experience the problem of incorrect page rendering due to this issue.
Fixed Versions:
13.1.0.8, 14.1.0.6, 15.1.3, 16.0.1.2
696735-2 : TCP ToS Passthrough mode does not work correctly
Links to More Info: BT696735
Component: Local Traffic Manager
Symptoms:
For a Standard virtual server with a TCP profile, when using ToS passthrough, the ToS value is not passed from the server to the client-side.
ip-tos-to-client pass-through
link-qos-to-client pass-through
Conditions:
- Standard virtual server.
- TCP profile configured with ToS passthrough.
Impact:
ToS is not passed to the client.
Workaround:
None.
Fix:
ToS is now passed correctly from the server to the client-side.
Fixed Versions:
14.1.0.6
696348-3 : "GTP::ie insert" and "GTP::ie append" do not work without "-message" option
Links to More Info: BT696348
Component: Service Provider
Symptoms:
When adding "GTP::ie insert" and "GTP::ie append" without the "-message" option to an iRule, there is a warning message:
[The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:VALUE"1290 38]
Conditions:
Using "GTP::ie insert" or "GTP::ie append" command without "-message" option
Impact:
The commands are still executed at runtime, but the warning message may confuse the user.
Fix:
There is no warning message when using "GTP::ie insert" and "GTP::ie append" without "-message" option.
Fixed Versions:
13.1.3.4, 14.1.2.7, 15.1.0.5
695985-4 : Access HUD filter has URL length limit (4096 bytes)
Links to More Info: BT695985
Component: Access Policy Manager
Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.
Conditions:
Any URL with a request consisting of more than 4096 bytes.
Impact:
The URL cannot be processed, and client gets a RST.
Workaround:
None.
Fix:
In this release, the URL length limit increased to 8192 bytes.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
695878-2 : Signature enforcement issue on specific requests
Links to More Info: BT695878
Component: Application Security Manager
Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.
Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.
-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).
Impact:
Attack signatures are not enforced on the payload of this request at all.
Workaround:
Turn on the 'Request exceeds max buffer size' violation in blocking.
Fix:
The operation now looks into part of the payload for attack signature enforcement.
Fixed Versions:
11.5.6, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1
692218-3 : Audit log messages sent from the primary blade to the secondaries should not be logged.
Links to More Info: BT692218
Component: TMOS
Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.
Conditions:
Multi-blade platform.
Impact:
Unnecessary messages in the log file.
Workaround:
None.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
691499-3 : GTP::ie primitives in iRule to be certified
Links to More Info: BT691499
Component: Service Provider
Symptoms:
The following commands in iRules are created and available but not officially tested and approved:
GTP::ie set instance/value
GTP::ie insert
GTP::ie append
GTP::ie remove
Conditions:
Using the following iRule commands:
GTP::ie set instance/value
GTP::ie insert
GTP::ie append
GTP::ie remove
Impact:
Although you can use these iRule commands, their functionality has not been tested and approved.
Workaround:
None.
Fix:
GTP::ie primitives in iRule are now certified.
Behavior Change:
Certified pre-existing iRules:
-- GTP::ie set instance <ie-path> <instance>
Assigns <instance> to the information element (IE) instance at <ie-path>.
-- GTP::ie set value <ie-path> <value>
Assigns <value> to the IE value at <ie-path>.
-- GTP::ie insert <ie-path> <type> <instance> <value>
Inserts a new IE of type <type> and instance <instance> with value <value> at <ie-path>
-- GTP::ie append [<ie-path>] <type> <instance> <value>
Appends a new IE of type <type> and instance <instance> with value <value> to the end of the embedded IEs of the grouped-IE specified by <ie-path>, or to the end of the message if the grouped-IE <ie-path> is absent.
-- GTP::ie remove <ie-path>
Removes IE specified by <ie-path>.
Fixed Versions:
13.1.3.4, 14.1.2.7, 15.1.0.5
689361-4 : Configsync can change the status of a monitored pool member
Links to More Info: BT689361
Component: Local Traffic Manager
Symptoms:
It is possible for a configsync operation to incorrectly change a monitor's state. For example, it can change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device. Other state changes are possible.
Conditions:
Pool members are monitored and a configsync is initiated from a paired device.
Impact:
The configsync causes the monitor on the standby system to transition to an incorrect state, out of sync with the active system.
Workaround:
There is a workaround for the case described in 'Symptoms':
Ensure network configuration such that a monitored node responds to ICMP requests from both (or neither) of each paired-device. Alternatively, initiate configuration changes only from the device to which the node does not respond to ICMP requests.
Fix:
A configsync no longer causes an unexpected monitor transition on the standby system.
Fixed Versions:
12.1.5.2, 13.1.3.2, 14.1.2.1
688399-2 : HSB failure results in continuous TMM restarts
Links to More Info: BT688399
Component: TMOS
Symptoms:
The TMM is continually restarted due to lack of the HSB PDE device. When this issue occurs, HSB errors may be present in the TMM log files, prior to a TMM core (SIGSEGV).
Conditions:
The conditions under which this occurs are unknown.
Impact:
TMM continually restarts until the unit is rebooted. Traffic disrupted while tmm restarts. The reboot appears to clear the condition.
Workaround:
Manually reboot the unit.
Fix:
The TMM restarts no longer occur.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4
687887-3 : Unexpected result from multiple changes to a monitor-related object in a single transaction
Links to More Info: BT687887
Component: Local Traffic Manager
Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction attempts the 'delete key', and then the 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.
Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).
Impact:
The monitor-related object may be unchanged; or monitoring may stop for that object.
Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').
Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.3
687759-3 : bd crash
Links to More Info: BT687759
Component: Application Security Manager
Symptoms:
A bd crash.
Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).
Impact:
bd crashes; system fails over; traffic disturbance occurs.
Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0.5, 14.1.0.6
686783-3 : UrlCat custom database feed list does not work when the URL contains a www prefix or capital letters.
Links to More Info: BT686783
Component: Traffic Classification Engine
Symptoms:
If a UrlCat custom database feed list has URLs containing a www prefix or capital letters, the URLs are not categorized when queried.
Conditions:
The UrlCat custom database feed list contains a URL with a www prefix or capital letters.
Impact:
Improper classification
Workaround:
Using an iRule can help classify the URL.
Fix:
The URL is now normalized before it is put into the custom database.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
686059-4 : FDB entries for existing VLANs may be flushed when creating a new VLAN.
Links to More Info: BT686059
Component: Local Traffic Manager
Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.
Conditions:
- Creating a new VLAN with existing VLANs using trunk members.
- STP is enabled on its trunk member.
Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.
Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.7
686043-1 : dos.maxicmpframesize and dos.maxicmp6framesize sys db variables do not work for fragmented ICMP packets
Links to More Info: BT686043
Component: Advanced Firewall Manager
Symptoms:
ICMP/ICMPv6 fragmented packet with size larger than dos.maxicmpframesize is not counted in stats for 'ICMP frame too large' DoS vector.
Conditions:
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is received.
-- ICMPv6 fragmented packet with size larger than dos.maxicmpframesize is received.
Impact:
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is not dropped.
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is not counted in stats for 'ICMP frame too large' DoS vector.
-- ICMPv6 fragmented packet with size larger than dos.maxicmp6framesize is not dropped.
-- ICMPv6 fragmented packet with size larger than dos.maxicmp6framesize is not counted in stats for 'ICMP frame too large' DoS vector.
Workaround:
None.
Fix:
ICMP/ICMPv6 fragmented packets are now dropped if their size is larger than dos.maxicmpframesize/dos.maxicmp6framesize. Drops are counted for 'ICMP frame too large' DoS vector stats.
Fixed Versions:
14.1.4
685904-2 : Firewall Rule hit counts are not auto-updated after a Reset is done
Links to More Info: BT685904
Component: Advanced Firewall Manager
Symptoms:
When a rule is selected and the 'Reset Count' button is clicked, the command is executed but rule stats are not updated in the GUI.
Conditions:
This occurs when resetting the rule hit count stats in the GUI.
Impact:
Incorrect (stale) statistics are seen.
Workaround:
Refresh the page.
Fix:
Rule stats are now correctly updated in the UI after a 'Reset Count' is initiated.
Fixed Versions:
14.1.4.2, 15.1.4
683135-1 : Hardware syncookies number for virtual server stats is unrealistically high
Links to More Info: BT683135
Component: TMOS
Symptoms:
In some situations 'tmsh show ltm virtual' shows unrealistically high hardware (HW) syncookie numbers.
These unrealistically high HW syncookie stats cause AFM DoS TCP synflood vector to have high numbers, and that can cause TCP synflood vector to drop packets in HW based on the configured rate-limit for that vector.
Conditions:
Virtual server with hardware syncookie protection enabled.
Impact:
Stats issue. Can have impact to traffic if AFM TCP Synflood vector is enabled in mitigation mode.
Workaround:
Disable the TCP Synflood vector in mitigate mode.
Since Syncookie is already providing protection, the TCP Synflood option should be enabled only in detect-only mode, if at all.
Fixed Versions:
13.1.3.2, 14.1.2.7
681010-3 : 'Referer' is not masked when 'Query String' contains sensitive parameter
Links to More Info: K33572148, BT681010
Component: Application Security Manager
Symptoms:
While the 'Query String' contains a masked sensitive parameter value, the sensitive parameter value in the 'Referer' header is exposed.
Conditions:
-- Sensitive parameter is defined in: 'Security :: Application Security : Parameters : Sensitive Parameters'.
-- 'Query String' contains the defined sensitive parameter.
Impact:
"Referer" header contains unmasked value of the sensitive parameter.
Workaround:
Enable 'Mask Value in Logs' in: 'Security :: Application Security : Headers : HTTP Headers :: referer'.
Fix:
The 'Referer' header value is now masked when the 'Query String' contains a sensitive parameter.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
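An added example (not F5 code and not part of these release notes) of the masking behaviour described for 681010: a log sanitizer that masks a sensitive parameter in both the request's query string and its Referer header. The parameter names, sample request, and function names are constructed for illustration, and matching parameter names case-insensitively is an assumption of this example.

```python
"""Added example: mask sensitive parameter values in logged request data."""
from urllib.parse import urlsplit, urlunsplit, unquote_plus

# Assumed parameter names for this example; in a real deployment these would
# come from the policy's configured list of sensitive parameters.
SENSITIVE_PARAMS = {"password", "card_number"}
MASK = "********"


def mask_query(query, sensitive=SENSITIVE_PARAMS):
    """Mask the values of sensitive parameters in a raw query string.

    Operates on the raw string rather than a parsed dict so that parameter
    order, duplicates, and the encoding of non-sensitive values are preserved.
    """
    masked = []
    for pair in query.split("&"):
        name, sep, _value = pair.partition("=")
        # Decode the name so an encoded spelling (pass%77ord) still matches.
        if sep and unquote_plus(name).lower() in sensitive:
            masked.append(name + "=" + MASK)
        else:
            masked.append(pair)
    return "&".join(masked)


def mask_url(url, sensitive=SENSITIVE_PARAMS):
    """Mask sensitive query parameters in an absolute or relative URL."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=mask_query(parts.query, sensitive)))


def build_log_entry(uri, headers, sensitive=SENSITIVE_PARAMS):
    """Return a log-safe copy of the request URI and headers.

    Masking only the request URI is not enough: the Referer header carries
    the previous page's full URL, query string included, so it is masked with
    the same rule.
    """
    safe_headers = {}
    for name, value in headers.items():
        if name.lower() == "referer":
            value = mask_url(value, sensitive)
        safe_headers[name] = value
    return {"uri": mask_url(uri, sensitive), "headers": safe_headers}


# Constructed sample request (not taken from any real log).
SAMPLE_URI = "/account/update?user=alice&password=S3cr3t%21"
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "Referer": "https://app.example.test/login?user=alice&password=S3cr3t%21&next=%2Fhome",
}

if __name__ == "__main__":
    entry = build_log_entry(SAMPLE_URI, SAMPLE_HEADERS)
    print(entry["uri"])
    for header, value in entry["headers"].items():
        print(f"{header}: {value}")
```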
680917-5 : Invalid monitor rule instance identifier
Links to More Info: BT680917
Component: TMOS
Symptoms:
iApp triggers an error while attempting to change server properties for pool members. The error reads "Invalid monitor rule instance identifier"
Conditions:
While changing the server properties associated with the pool members through iApp.
Impact:
You cannot change the server properties using iApp.
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.1
679751-1 : Authorization header can cause a connection reset
Links to More Info: BT679751
Component: Access Policy Manager
Symptoms:
APM resets connections and reports an ERR_ARG from a simple web request.
Conditions:
-- APM profile with User Identification Method as HTTP.
-- APM profile with User Identification Method as OauthToken.
-- HTTP traffic arrives with certain types of Authorization headers.
Impact:
Connections are reset and APM logs ERR_ARG, which is not helpful for understanding the cause.
Workaround:
iRule workaround:
when HTTP_REQUEST {
    if { [HTTP::header "Authorization"] contains "Bearer" && [string tolower [HTTP::header "User-Agent"]] contains "onenote" } {
        HTTP::header replace Authorization [string map {"Bearer" ""} [HTTP::header Authorization]]
    }
}
Fix:
APM no longer resets connections and reports an ERR_ARG from a simple web request.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1
675911-13 : Different sections of the GUI can report incorrect CPU utilization
Links to More Info: K13272442, BT675911
Component: TMOS
Symptoms:
The following sections of the GUI can report incorrect or higher than expected CPU utilization:
-- The 'download history' option found in the Flash dashboard.
-- Statistics :: Performance :: Traffic Report (section introduced in version 12.1.0).
Values such as 33%, 66%, and 99% may appear in these sections despite the system being completely idle.
Conditions:
HT-Split is enabled (default for platforms that support it).
Impact:
The CPU history in the exported comma-separated values (CSV) file does not match actual CPU usage.
Workaround:
-- You can obtain CPU history through various other means. One way is to use the sar utility.
- In 12.x and higher versions:
sar -f /var/log/sa6/sa
- or for older data:
sar -f /var/log/sa6/sa.1
- The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.
- In 11.x:
sar -f /var/log/sa/sa
- or for older data:
sar -f /var/log/sa/sa.1
- The oldest data is found compressed in /var/log/sa and must be gunzipped before use.
-- Live CPU utilization can also be obtained through the Performance Graphs, SNMP polling, iControl polling, various command-line utilities such as top, etc.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
673272-4 : Search by "Signature ID is" does not return results for some signature IDs
Links to More Info: BT673272
Component: Application Security Manager
Symptoms:
Search by "Signature ID is" does not return results for some signature IDs.
Conditions:
Request associated with signature that was previously enforced and is now in staging after the attack signature update.
Impact:
You are unable to filter requests by some signature IDs.
Fix:
Fixed an issue with searching by signature ID.
Fixed Versions:
13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2
672963-3 : MSSQL monitor fails against databases using non-native charset
Links to More Info: BT672963
Component: Local Traffic Manager
Symptoms:
MSSQL monitor fails against databases using non-native charset.
Conditions:
MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1).
Impact:
MSSQL monitoring always marks node / member down.
Workaround:
On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps:
1. Log in to the BIG-IP console into a bash prompt.
2. Run the following command:
mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr
3. Restart bigd:
bigstart restart bigd
Fix:
MSSQL monitor can be used effectively against a database using a non-native charset.
Fixed Versions:
14.1.4.6
668041-4 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★
Links to More Info: K27535157, BT668041
Component: TMOS
Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.
Conditions:
-- iRule contains commented line that ends with a backslash.
-- The config also contains a policy.
For example, an iRule similar to the first example, and a policy similar to the second:
ltm rule /Common/log_info {
    when HTTP_RESPONSE {
        #log local0. "Original Location header value: [HTTP::header value Location],\
        updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
    }
}
...
ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}
Impact:
Config load fails.
Workaround:
You can use any of the following workarounds:
-- Delete the line of code with the comment.
-- Put the entire comment on one line of code.
-- Divide lengthy comments into a series of smaller ones, so that each comment fits within one line of code.
-- Move the iRule so that it is sequentially before the LTM policy in the config file.
Fix:
Config load no longer fails when an iRule comment ends with backslash in a config where there is also a policy.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
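A pre-load check for the two conditions in ID 668041, as an added example that is not F5 code: it scans configuration text for iRule comment lines ending in a backslash and reports whether an LTM policy is also present. It is a line-based heuristic rather than a tmsh parser; the module list in the stanza pattern and the second sample rule are assumptions, and the sample configuration is constructed from the example above.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule line text")
Report = namedtuple("Report", "has_policy findings")

# Top-level stanza header at column 0, e.g. "ltm rule /Common/x {".
# Assumption: this module list covers the stanzas in the file being checked.
STANZA = re.compile(r"^(ltm|sys|net|auth|cm|security|apm|gtm|cli|analytics|pem) .*\{\s*$")


def ends_with_backslash(line):
    return line.rstrip("\r\n").endswith("\\")


def scan_config(text):
    """Find iRule comments that end with a backslash, and note any LTM policy."""
    has_policy, findings = False, []
    current_rule = None   # name of the ltm rule stanza we are inside, if any
    in_comment = False    # previous line was a comment (or its continuation) ending in '\'
    for lineno, line in enumerate(text.splitlines(), start=1):
        if STANZA.match(line):
            words = line.split()
            has_policy = has_policy or words[:2] == ["ltm", "policy"]
            current_rule = words[2] if words[:2] == ["ltm", "rule"] else None
            in_comment = False
            continue
        if current_rule is None:
            continue
        if in_comment:
            # Still inside the comment opened earlier; it was already reported once.
            in_comment = ends_with_backslash(line)
        elif line.lstrip().startswith("#") and ends_with_backslash(line):
            findings.append(Finding(current_rule, lineno, line.strip()))
            in_comment = True
    return Report(has_policy, findings)


def config_at_risk(report):
    """Both conditions from the bug entry hold: such a comment exists and a policy exists."""
    return report.has_policy and bool(report.findings)


# Constructed sample: the first rule is the one from the bug entry; the second
# (hypothetical) rule has a multi-line comment and a live continued command.
SAMPLE_CONF = r'''ltm rule /Common/log_info {
when HTTP_RESPONSE {
#log local0. "Original Location header value: [HTTP::header value Location],\
updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}
ltm rule /Common/multi {
when HTTP_REQUEST {
# disabled: log local0. "uri=[HTTP::uri] \
host=[HTTP::host] \
agent=[HTTP::header User-Agent]"
log local0. "live line \
continues here"
}
}
ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    strategy /Common/first-match
}
'''

if __name__ == "__main__":
    report = scan_config(SAMPLE_CONF)
    for f in report.findings:
        print(f"{f.rule} line {f.line}: {f.text}")
    print("policy present:", report.has_policy, "| at risk:", config_at_risk(report))
```

Each flagged comment can then be handled with one of the workarounds listed above, for example by putting the entire comment on one line.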
663819-1 : APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue)
Links to More Info: BT663819
Component: Access Policy Manager
Symptoms:
Microsoft recently released security bulletin MS17-010 (https://technet.microsoft.com/library/security/MS17-010). This bulletin announces a recommended software patch to fix multiple vulnerabilities in SMBv1. It suggests an alternate workaround to disable SMBv1. When this workaround is followed, NTLM Authentication does not work in the following APM configurations:
-- APM RDP Gateway and NTLM Auth.
-- APM Exchange (Outlook Anywhere/ActiveSync) and NTLM Auth.
-- SWG Explicit and NTLM Auth.
Conditions:
-- SMBv1 is disabled as described in the Microsoft workaround in MS17-010.
-- Together with one or more of the following APM/SWG configurations, which can be configured to use NTLM Authentication:
+ APM RDP Gateway and NTLM Auth.
+ APM Exchange (Outlook Anywhere/ActiveSync) and NTLM Auth.
+ SWG Explicit and NTLM Auth.
Impact:
Authentication for connecting clients fails.
Workaround:
Do one of the following:
-- Do not follow the Microsoft workaround to disable SMBv1; instead install the recommended security patch.
-- For Exchange: Reconfigure Exchange CAS pool to use Kerberos Constrained Delegation SSO rather than NTLM. This will ensure that NTLM Passthrough is not used.
-- For RDP Proxy: Instead of RDP Proxy, use the Native RDP resource mode in BIG-IP APM v13.0.0 and later.
-- For SWG Explicit: Reconfigure to use Kerberos Authentication.
Fix:
APM no longer uses SMBv1/v2 protocols. Beginning with BIG-IP software v15.0.0, NTLM passthrough authentication works using Netlogon protocol over TCP directly (MSRPC over TCP). All issues related to SMB protocol are not applicable anymore.
Note: The new functionality was ported to the v14.1.0.5 release as well.
Fixed Versions:
14.1.0.5
661640-1 : Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair.
Links to More Info: BT661640
Component: TMOS
Symptoms:
Although the effect differs for different topologies, in general, the multicast traffic is interrupted for 5-to-180 seconds after failover.
Conditions:
Fast failover of PIM-based multicast traffic when the BIG-IP system is deployed as an Active/Standby high availability (HA) configuration.
Impact:
The multicast traffic is interrupted for 5-to-180 seconds after a failover event.
Workaround:
None. This is an improvement request.
Fix:
This release provides improved fast failover of PIM-based multicast traffic when the BIG-IP system is deployed as an Active/Standby high availability (HA) pair.
Fixed Versions:
14.1.4
660913-3 : For ActiveSync client type, browscap info provided is incorrect.★
Links to More Info: BT660913
Component: Access Policy Manager
Symptoms:
Clients using Microsoft ActiveSync are failing access policy evaluation.
Conditions:
-- This occurs with clients using Microsoft ActiveSync.
-- It can be encountered on upgrade if you are upgrading to version 12.1.2 - 14.1.0 from an earlier version.
Impact:
The ActiveSync "Client UI" expression fails and the wrong branch is selected. As a result, clients using ActiveSync may not be authenticated.
Workaround:
In the VPE change the ActiveSync "Client UI" expression to:
expr { [mcget {session.server.landinguri}] starts_with "/Microsoft-Server-ActiveSync" || [mcget {session.ui.mode}] == 8 }
Fix:
Session variable session.client.browscap_info is now set correctly.
Fixed Versions:
12.1.4.1, 13.1.3.4, 14.1.4.3
658943-2 : Errors when platform-migrate loading UCS using trunks on vCMP guest
Links to More Info: BT658943
Component: TMOS
Symptoms:
During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.
01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.
Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest.
Impact:
The platform migration fails and the configuration does not load.
Workaround:
You can use one of the following workarounds:
-- Remove all trunks from the source configuration prior to generation of the UCS.
-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.
-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.
Fixed Versions:
14.1.4.1
653573-6 : ADMd not cleaning up child rsync processes
Links to More Info: BT653573
Component: Anomaly Detection Services
Symptoms:
ADMd daemon on the device is spinning up rsync processes and not cleaning them up properly, which can result in zombie processes.
Conditions:
The rsync process ends via exit (which might occur if there is an issue with the process).
Impact:
Although there is no technical impact, there are many zombie processes left behind.
Workaround:
Restart admd to remove all existing rsync zombies:
bigstart restart admd
Fix:
admd now handles the SIGCHLD signal from rsync, so the issue no longer occurs.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.6, 14.1.2.3
652502-3 : SNMP queries return 'No Such Object available' error for LTM OIDs
Links to More Info: BT652502
Component: TMOS
Symptoms:
When the BIG-IP system starts with an expired license, SNMP queries for LTM-related OIDs fail with an error:
No Such Object available on this agent at this OID.
If you re-activate the license or install a new one, the snmpd process is not notified of the change to the license, so it still fails and reports that error message.
The failures recur until the snmpd process is restarted.
Conditions:
The BIG-IP system starts with an expired license.
A new/updated license is activated/reactivated.
Impact:
SNMP queries to LTM OIDs (e.g., ltmRst and ltmVirtual) do not return any data.
Workaround:
After the license is reactivated or a new one installed, restart the snmpd process:
# bigstart restart snmpd
Fixed Versions:
13.1.1.4, 14.1.3.1
648621-6 : SCTP: Multihome connections may not expire
Links to More Info: BT648621
Component: TMOS
Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.
Conditions:
The multi-homing connections have been forcibly deleted using a tmsh command.
Impact:
The multi-homing connections do not expire.
Workaround:
Do not manually delete the multi-homing connections.
Fixed Versions:
11.6.5.3, 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.4
648270-1 : mcpd can crash if viewing a fast-growing log file through the GUI
Links to More Info: BT648270
Component: TMOS
Symptoms:
If the GUI tries to display a log file that is actively growing by thousands of log entries per second, the GUI might hang, and mcpd could run out of memory and crash.
Conditions:
The GUI tries to display a log file that is actively growing by thousands of log entries per second.
Impact:
mcpd crashes, and it and tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Do not use the GUI to view a log file that is growing by thousands of log entries per second.
Fixed Versions:
11.6.5.2, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6
648242-4 : Administrator users unable to access all partition via TMSH for AVR reports
Links to More Info: K73521040, BT648242
Component: Application Visibility and Reporting
Symptoms:
Using TMSH for AVR reports can fail if the report contains partition-based entities, even for an administrator user (who should have permissions to all partitions).
Conditions:
Using TMSH to query partition-based stats as an administrator user.
Impact:
AVR reports via TMSH fail when using partition-based entities.
Workaround:
None.
Fix:
Administrator users can now get all available partitions on query.
Fixed Versions:
12.1.3.2, 13.1.0.8, 14.0.0.5, 14.1.4, 15.1.2.1, 16.0.1.1
644192-4 : Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN
Links to More Info: K23022557, BT644192
Component: Global Traffic Manager (DNS)
Symptoms:
Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN.
Conditions:
A CNAME wide IP and a dnx with parent zone.
For example, CNAME wide IP for www.siterequest.com and a dnx zone for siterequest.com.
Impact:
Cache resolvers will remember NXDOMAIN for the entire name. So clients talking to those caches asking for A/AAAA records may actually get NXDOMAIN responses until the negative cache expires.
Workaround:
Option 1: Create a related "www.siterequest.com" txt record in ZoneRunner.
Option 2: Create an LTM virtual server iRule, similar to this:
when DNS_RESPONSE {
    if { [DNS::question name] eq "www.siterequest.com" } {
        if { [DNS::header rcode] eq "NXDOMAIN" } {
            DNS::header rcode NOERROR
            DNS::authority clear
            return
        }
    }
}
Fix:
A new DB key, 'gtm.allownxdomainoverride', has been added to allow configuring the BIG-IP DNS system to respond with a NOERROR response.
Fixed Versions:
11.6.5.3, 14.1.3.1, 15.1.2, 16.0.1.1
643935-4 : Rewriting may cause an infinite loop while processing some objects
Links to More Info: BT643935
Component: Access Policy Manager
Symptoms:
Browser might become unresponsive when the end user client attempts to access a page containing specific script constructions through Portal Access.
Conditions:
The client application code contains an object that includes a toString() method and property names similar to ones from the JavaScript builtin Location interface.
Impact:
Browser becomes unresponsive when accessing the page through Portal Access.
Workaround:
None.
Fix:
None.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.3
641450-7 : A transaction that deletes and recreates a virtual may result in an invalid configuration
Links to More Info: K30053855, BT641450
Component: TMOS
Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.
Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.
Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>
Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).
Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.
Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
1. Delete virtual server.
2. Create virtual server (with an empty profile list).
3. Modify the virtual server's profile list.
Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.5
640842-3 : ASM end user using mobile might be blocked when CSRF is enabled
Links to More Info: BT640842
Component: Application Security Manager
Symptoms:
Users report their access is blocked; when you look at the error log, you see CSRF errors.
Conditions:
-- CSRF enabled on ASM.
-- ASM client is using a mobile device.
Impact:
Client is blocked.
Workaround:
None.
Fix:
Enabling access for specific mobile application.
Fixed Versions:
14.1.2.7, 15.1.0.5
639619-7 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems★
Links to More Info: BT639619
Component: TMOS
Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
The configuration then fails to load due to a secure attribute decryption failure.
Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)
Impact:
The configuration fails to load.
Workaround:
Perform the following procedure:
1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info
5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot
Fix:
The system now always reloads the .unitkey from storage when loading other keys, so the UCS loads as expected.
Fixed Versions:
11.6.4, 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
636842-2 : A FastL4 virtual server may drop a FIN packet when mirroring is enabled
Links to More Info: K51472519, BT636842
Component: Local Traffic Manager
Symptoms:
A FastL4 virtual server may drop a FIN packet when mirroring is enabled.
Conditions:
- The virtual server uses the FastL4 profile.
- The virtual server performs mirroring.
- The tm.fastl4_ack_mirror db key is enabled (default).
- The client or the server sends a FIN packet, immediately followed by a RST packet.
Impact:
The BIG-IP system forwards the RST packet but not the FIN packet.
As the RST sent by one of the TCP endpoints would have its sequence number increased by 1 to account for the FIN packet, the other TCP endpoint may not accept the RST as the FIN packet was never seen.
This issue is exacerbated if the FIN packet also carries application data (for example, if it is actually a FIN,PSH,ACK packet). In this case, the other TCP endpoint never sees the application data contained within the packet, and the sequence number in the RST will be off by more than just 1.
Ultimately this can cause application failures and also the two connection flows to stall for some time.
Workaround:
To work around this issue, you can either:
1) Disable mirroring for the virtual server (but this comes with a loss of functionality, which may not be acceptable).
or
2) Disable the tm.fastl4_ack_mirror db key (but this would affect all FastL4 virtual servers performing mirroring on the box).
Fix:
A FastL4 virtual server no longer drops a FIN packet when mirroring is enabled.
Fixed Versions:
12.1.5.1, 13.1.3.2, 14.1.2.5
629787-1 : vCMP hypervisor version mismatch may cause connection mirroring problems.
Links to More Info: BT629787
Component: Local Traffic Manager
Symptoms:
Connections may not be mirrored correctly when vCMP hypervisors use different software versions.
Conditions:
Mirroring for a pair of vCMP guests is enabled.
vCMP hypervisors use different DAG software versions.
Impact:
Connections are mirrored incorrectly.
Workaround:
Use the same hypervisor software version when mirroring is configured for a pair of vCMP guests.
Fix:
A mirroring connection is no longer established when vCMP hypervisors use different DAG software versions.
Fixed Versions:
14.1.3
621260-2 : mcpd core on iControl REST reference to non-existing pool
Links to More Info: BT621260
Component: TMOS
Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:
curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'
Conditions:
The monitor reference in the REST call must be comprised of a single space character.
Impact:
MCPd restarts, causing many of the system daemons to restart as well.
Workaround:
Don't use spaces in the monitor reference name.
Fixed Versions:
11.6.5.1, 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.2
620301-1 : Policy import fails due to missing signature System in associated Signature Set
Links to More Info: BT620301
Component: Application Security Manager
Symptoms:
ASM policy import fails due to a missing System, used in an associated Signature Set.
Conditions:
ASM policy is imported using an export file from a device with a more recent ASM Signature Update.
Impact:
The ASM policy import fails.
Workaround:
Update the ASM Signature on the target device before importing the policy.
Fixed Versions:
12.1.5.1, 14.1.2.3
617929-2 : Support non-default route domains
Links to More Info: BT617929
Component: Local Traffic Manager
Symptoms:
Some connections are reset.
Conditions:
This occurs when the device is configured with non-default route domains when connecting to other tmms over the backplane.
Impact:
Traffic processing failure.
Workaround:
None.
Fix:
The system now supports non-default route domains when connecting to other tmms over the backplane.
Note: As a result of this fix, there is a behavior change: The iRule 'node' method now requires that you specify a route_domain in order for the traffic to be sent to a node assigned to a route domain.
Behavior Change:
The iRule 'node' method now requires a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.
Fixed Versions:
13.1.3.4, 14.1.2.8, 15.0.1.3
615934-4 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
Links to More Info: BT615934
Component: TMOS
Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.
Conditions:
If there is an existing key/certificate, and the key/certificate management iControl/SOAP functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.
Impact:
Key/certificate overwrite using iControl operations might fail.
Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.
Fixed Versions:
13.1.3.5, 14.1.4, 15.1.3
608952-3 : MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
Links to More Info: BT608952
Component: Local Traffic Manager
Symptoms:
MSSQL health monitor always shows down.
Conditions:
The Microsoft SQL server that is being monitored has disabled support for legacy security protocols, and supports only versions TLSv1.1 and TLSv1.2.
Impact:
MSSQL monitor is unable to perform health checking when SQL Server is configured to require TLSv1.1 or TLSv1.2.
Workaround:
None.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.5
605675-4 : Sync requests can be generated faster than they can be handled
Links to More Info: BT605675
Component: TMOS
Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.
Conditions:
Configuration changes in quick succession that might generate sync-change messages.
Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.
Workaround:
None.
Fixed Versions:
11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.2
602396-1 : EPSEC Upload Package Button Is Greyed Out
Links to More Info: BT602396
Component: Access Policy Manager
Symptoms:
The EPSEC upload package button is greyed out when there are multiple traffic groups.
Conditions:
-- Multiple traffic groups are configured.
-- Viewing the 'Upload Package' button on the System :: Software Management : Antivirus Check Updates : Package Status.
Impact:
'Upload Package' button is greyed out. Cannot upload packages for Antivirus Check Update.
Workaround:
Delete one of the traffic groups till the button is available.
Fix:
EPSEC Upload button is not disabled when there are multiple traffic groups. Enabling/Disabling works correctly.
Fixed Versions:
14.1.2.8
601220-3 : Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
Links to More Info: BT601220
Component: TMOS
Symptoms:
When a multi-blade VIPRION deployment first starts up or recovers from a chassis-wide force-offline/release-offline event, multi-blade trunks seem to leak packets that ingressed on one blade, out the same trunk's member interfaces on other blades.
Conditions:
-- Multi-blade VIPRION deployment.
-- A chassis-wide reboot or force-offline/release-offline event occurs, or the BIG-IP system is re-licensed.
Impact:
The upstream switch L2 FDB records may flap for up to 20 seconds.
For a switch that has an 'L2 Flapping based loop detection/mitigation' mechanism (for example, 'Cisco ACI endpoint learning'), the impact is to suppress the FDB learning for a certain configured time.
For a switch that has a basic MAC learning function, the impacts should be the following:
-- Frames are forwarded to an unexpected port.
-- Packet loss for UDP traffic.
-- Retransmission or reset for TCP traffic.
-- Application delay or failure.
Workaround:
There is no workaround.
Fix:
Multi-blade trunks no longer leak packets from one blade to another blade in the chassis.
Fixed Versions:
14.1.4.1
601189-4 : The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
Links to More Info: BT601189
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might send TCP packets out of order in Fastl4 in syncookie mode.
Conditions:
-- Fastl4 VS.
-- syncookie mode.
Impact:
TCP packets are sent out of order.
Workaround:
None.
Fix:
The BIG-IP system no longer sends TCP packets out of order in Fastl4 in syncookie mode.
Fixed Versions:
12.1.5.1, 13.1.3.2, 14.1.2.5
600985-1 : Network access tunnel data stalls
Links to More Info: BT600985
Component: Access Policy Manager
Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.
Conditions:
The cause of this issue is not yet known.
Impact:
Data stalls on the tunnel, so users cannot access any applications. However, Edge Client shows the VPN tunnel as 'Connected'.
Workaround:
Manually re-establish the tunnel.
Fixed Versions:
13.1.3, 14.1.2.7
599567-4 : APM assumes SNAT automap, does not use SNAT pool
Links to More Info: BT599567
Component: Local Traffic Manager
Symptoms:
When a virtual server configured to use a SNAT pool is also associated with APM (for example, when configured as a RDP gateway), the SNAT pool setting is not honored.
Also SNAT configuration of 'None' does not work. It always works as if it is configured with Automap.
Conditions:
-- SNAT pool configured.
-- APM configured (one example is deploying the Horizon View iApp for APM).
Impact:
The VLAN Self IP address is used instead of the SNAT pool addresses.
Workaround:
First, follow the configuration details in K03113285: Overview of BIG-IP APM layered virtual servers :: https://support.f5.com/csp/article/K03113285, to ensure everything is configured properly.
Then ensure that the appropriate SNAT pool is set on the new layered forwarding virtual server.
Note: This workaround does not work when using a pool of VMware vCenter Server (VCS) as configured by default with the iApp.
Fix:
The system now honors the virtual server SNAT configuration.
Fixed Versions:
12.1.5, 13.1.1.5, 14.0.1.1, 14.1.2.5
593536-7 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
Links to More Info: K64445052, BT593536
Component: TMOS
Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.
Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.
Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.
Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.
Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.
Fixed Versions:
14.1.2.8, 15.1.1
591732-5 : Local password policy not enforced when auth source is set to a remote type.
Links to More Info: BT591732
Component: TMOS
Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.
Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 15 where the default is 6.
2) The auth source is set to a remote source, such as LDAP, AD, TACACS.
Impact:
The system does not enforce any of the non-default local password policy options.
For example:
-- Even if the minimum-length is set to 15, a local user's password can be set to something less than 15.
Another example:
-- Even if max-duration is set to 90 days, the password does not expire for 99999 days (the default).
Note: Impact may vary among versions:
-- minimum-length policy works in v11.x and v12.x, but fails in v13.x and later.
-- max-duration policy fails in all affected versions.
Workaround:
None
Fix:
The BIG-IP system now honors the password policy settings for local accounts. However, this does not address complexity issues. That is tracked under ID 928161. For more information see https://cdn.f5.com/product/bugtracker/ID928161.html
Fixed Versions:
12.1.5.1, 13.1.3.5, 14.1.3.1, 15.0.1.4
583084-8 : iControl produces 404 error while creating records successfully
Links to More Info: K15101680, BT583084
Component: TMOS
Symptoms:
iControl produces an HTTP 404 - Not Found error message while creating the BIG-IP DNS topology record successfully.
Conditions:
Creating GTM topology record without using full path via iControl.
Impact:
Resulting code/information is not compatible with actual result.
For a post request, the create command and the list command are formed and executed, and the name in the curl request and the name in the list response are compared to verify whether or not it is the actual object. When a create command is executed with properties that are not fullPath (e.g., in iControl), it still creates the object with fullPath. So list returns the name with fullPath and compares it with the name that does not contain the fullPath, and the comparison fails because the names do not match.
Workaround:
Use the full path when creating BIG-IP DNS topology records using iControl.
Fix:
The system now compares both names, ignoring the partition '/Common' if the exact comparison fails.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2
581921-5 : Required files under /etc/ssh are not moved during a UCS restore
Links to More Info: K22327083, BT581921
Component: TMOS
Symptoms:
The SSH files required for SSH sign on are not transferred when performing a UCS restore operation. Further, files are not transferred even during upgrade.
Conditions:
This can happen when performing a UCS restore operation, or when upgrading from one version to the next.
Impact:
This might impact SSH operations.
Workaround:
Add the /etc/ssh directory to the UCS backup configuration. All subsequent UCS backup and restore operations will then include the /etc/ssh/ directory.
To complete this procedure, refer to K4422: Viewing and modifying the files that are configured for inclusion in a UCS archive :: https://support.f5.com/csp/article/K4422.
Fix:
The correct folder is now present when performing a UCS restore operation, so that all of the files required for the operation of SSH are transferred.
Fixed Versions:
11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.1.1, 14.1.0.6
579219-3 : Access keys missing from SessionDB after multi-blade reboot.
Links to More Info: BT579219
Component: Access Policy Manager
Symptoms:
After rebooting a 4-blade vCMP guest, only the master key for the catalog remains. All subkeys are missing.
Conditions:
This can occur intermittently during a reboot in a multi-blade vCMP guest configured with APM.
Impact:
Some Access subkeys may be missing after the reboot.
Workaround:
Reboot the primary blade.
Fixed Versions:
14.1.2.8, 15.1.1
569859-5 : Password policy enforcement for root user when mcpd is not available
Links to More Info: BT569859
Component: TMOS
Symptoms:
When the mcpd configuration database is not available, password policy is not enforced when changing the password for the user 'root' using the command-line 'passwd' utility.
Conditions:
-- Advanced shell access
-- mcpd is not available.
-- Change root password with the 'passwd' utility.
Impact:
Root password may be set to a string that does not comply with the current password policy.
Workaround:
None.
Fix:
The system now enforces the password policy for root user, even when mcpd is not available.
Fixed Versions:
14.1.4.1, 15.1.3
528894-7 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition
Links to More Info: BT528894
Component: TMOS
Symptoms:
Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects.
Conditions:
-- The system includes partitions other than Common.
-- Configuration in a partition other than Common is modified.
-- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }").
Impact:
/config/partitions/<partition_name>/bigip_base.conf will contain extraneous config stanzas (such as the ones mentioned in Symptoms).
/config/bigip_base.conf will no longer contain config stanzas that belong there.
Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file.
However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions.
Workaround:
If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device.
Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group <device-group>".
Note that neither workaround is permanent and the issue will reoccur.
Fixed Versions:
14.1.4.6, 15.1.5
522241-1 : Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete
Links to More Info: BT522241
Component: Local Traffic Manager
Symptoms:
After running the tmsh command "show ltm dns cache records <key|msg|nameserver|rrset> cache <name> count-only" you may experience the following symptoms:
- One of the TMM instances on the system climbs to 100% CPU utilization for a prolonged amount of time.
- The odd-numbered hyperthread (i.e. 1) corresponding to the even-numbered hyperthread (i.e. 0) where the busy TMM instance is running is partially halted by the HT-Split feature (this will be observable in utilities such as "top" and by the presence of "Idle enforce starting" log messages in the /var/log/kern.log file).
- After waiting for a very long time, the tmsh command may not actually return and display a record count.
- The tmsh command does not respond to CTRL+C and continues running.
Conditions:
A DNS cache contains a large number of records and the BIG-IP Administrator runs the following tmsh command to determine the exact record count:
"show ltm dns cache records <key|msg|nameserver|rrset> cache <name> count-only"
Impact:
Due to the high CPU utilization, traffic handling is impaired. Control-plane processes can also become affected, leading to different issues (this depends on the size and load of the BIG-IP system). For example, the lacpd process can become descheduled causing trunks to flap.
Workaround:
Do not run the specified tmsh command.
If you have run the specified tmsh command, it has not returned after a very long time, and you want to restore normal system operation, perform the following steps:
1) Press CTRL+Z to background execution of the command.
2) Enter the "killall -9 tmsh" command (if you have multiple tmsh commands running and only want to kill the affected one, you will have to identify the correct tmsh process using utilities such as ps and top).
If your login shell is tmsh and not bash, simply close your SSH session to the BIG-IP system (as you won't be able to perform the aforementioned steps).
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
504522-4 : Trailing space present after 'tmsh ltm pool members monitor' attribute value
Links to More Info: BT504522
Component: Local Traffic Manager
Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.
Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.
Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).
Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.
Fix:
Values returned from the tmsh command 'ltm pool pool members monitor' no longer have a trailing space.
Fixed Versions:
12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6
489572-4 : Sync fails if file object is created and deleted before sync to peer BIG-IP
Links to More Info: K60934489, BT489572
Component: TMOS
Symptoms:
Sync fails if you create/import a file object and delete it before triggering manual sync; ltm logs contain messages similar to the following:
Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...
Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.
Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.
Impact:
Sync fails.
Workaround:
When you create/add a file object, make sure to sync before deleting it.
If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation :: https://support.f5.com/csp/#/article/K13887.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
484683-2 : Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer.
Links to More Info: BT484683
Component: TMOS
Symptoms:
-- After a configuration synchronization (ConfigSync) operation, the peer of a high-availability (HA) pair cannot show the summary of cert-chain using the command:
tmsh run sys crypto check-cert verbose enabled
-- After a ConfigSync operation, Certificate Subjects may be missing or empty when viewed in the Configuration Utility/GUI under System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: <certificate>.
Conditions:
Conditions leading to this issue include:
1. On the command line or in the GUI, set up a high availability (HA) configuration.
2. Import Certificate chain to one BIG-IP system.
3. Perform a ConfigSync operation to sync the certificate chain to the high availability (HA) peer.
Impact:
After a ConfigSync operation, the certificate chain summary is not created on other high availability (HA) peers.
Workaround:
1. Copy the cert-chain file to a location on the system (e.g., /shared/tmp/).
2. Update the cert-chain using a command similar to the following:
modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_5361_1.
Note: The step above causes the units to be out of sync, so an additional config-sync operation is required to bring the units 'In Sync' again.
Fixed Versions:
13.1.3.2, 14.1.2.7
478450-2 : Improve log details when "Detection invalid host header ()" is logged
Links to More Info: BT478450
Component: Access Policy Manager
Symptoms:
There is no way for the APM admin to determine the source of the sessions for the log message "Detected invalid host header ()", even at debug level logging.
Conditions:
1- Create APM virtual with any access policy
2- On another BIG-IP, create a pool with an HTTPS monitor to that APM virtual server.
3- Notice the logging in APM.
Impact:
It is difficult for admin to determine the source of the error.
Fix:
New addition to the log message:
"Detected invalid host header () originating from IP <IP address>"
Fixed Versions:
14.1.2.8
470346-2 : Some IPv6 client connections get RST when connecting to APM virtual
Links to More Info: BT470346
Component: Access Policy Manager
Symptoms:
IPv6 clients connecting to APM virtual server that renders some page, e.g., logon page, webtop, or message box, might get connection resets.
Conditions:
IPv6 client has the last 4 bytes of the IP address set to some special-purpose address, e.g., multicast address.
Impact:
Client connection is reset.
Workaround:
Change the last 4 bytes of the client IPv6 address to avoid the IPv4 special-address range.
Fix:
All IPv6 clients can now connect through APM virtual server, regardless of the values of the last 4 bytes of the address.
Fixed Versions:
14.1.4.3, 15.1.4
440599-1 : Added DB Variable to configure 'difok' variable in password policy
Links to More Info: BT440599
Component: TMOS
Symptoms:
The difok variable enforces the number of characters that must differ between a user's old password and new password. Prior to this release, the number of characters that must differ was not configurable, and just stayed at the default value.
Conditions:
Attempting to configure a required number of characters a new password must differ from the old.
Impact:
The number of characters required to differ between an old and new password was set by default and could not be configured.
Workaround:
None.
Fix:
This release adds a db variable that allows for configuration of the difok variable from TMSH using the command:
modify /sys db password.difok value <value>
Fixed Versions:
14.1.4.1
431503-3 : TMSH crashes in rare initial tunnel configurations
Links to More Info: K14838, BT431503
Component: TMOS
Symptoms:
In rare BIG-IP configuration scenarios, TMM may crash during its startup process when the tunnel configurations are loaded.
Conditions:
During TMM startup, a tunnel is created, then immediately removed during the configuration load period, when TMM neighbor messages may be in flight via the tunnel. If the timing of this race lines up, a neighbor message may land on an invalid tunnel.
Impact:
TMM crash in rare race conditions.
Workaround:
None.
Fix:
TMM no longer crashes on neighbor messages during the initial tunnel config load process.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1
423519-2 : Bypass disabling the redirection controls configuration of APM RDP Resource.
Component: Access Policy Manager
Symptoms:
User can bypass RDP resource redirection restrictions between RDP remote machine and local machine.
Conditions:
1. Create RDP resource. Disable redirection parameter.
2. Launch the resource.
3. Launch RDP Client, enable redirection parameter.
Impact:
User can bypass RDP resource restrictions.
Workaround:
NA
Fix:
User is not allowed to perform any redirection controls of the RDP resource.
Fixed Versions:
14.1.4.6
405329-2 : The imish utility cores while checking help strings for OSPF6 vertex-threshold
Component: TMOS
Symptoms:
The imish (vtysh) utility dumps core while checking help strings for the OSPF6 vertex-threshold command from OSPF mode.
Conditions:
-- Routing enabled.
-- Configuring OSPF vertex-threshold for either IPv4 or IPv6.
-- Requesting help for the OSPF6 vertex-threshold command.
Impact:
There is an imish (vtysh) crash.
Workaround:
None.
Fix:
Updated with the proper help strings for the OSPF6 vertex-threshold command.
Fixed Versions:
14.1.4.6, 15.1.0.5
1087201-4 : OpenSSL Vulnerability: CVE-2022-0778
Links to More Info: K31323265
1078721-4 : TMM may consume excessive resources while processing ICAP traffic
Component: Service Provider
Symptoms:
Undisclosed ICAP traffic may cause an increase in TMM resource utilization.
Conditions:
ICAP profile enabled
Impact:
Undisclosed ICAP traffic may cause an increase in TMM resource utilization.
Workaround:
N/A
Fix:
TMM does not consume excessive resources while processing ICAP traffic.
Fixed Versions:
14.1.4.6
1072197-3 : Issue with input normalization in WebSocket.
Component: Application Security Manager
Symptoms:
Under certain conditions, attack signature violations might not be triggered in WebSocket scenario.
Conditions:
- ASM handles WebSocket flow.
- Malicious WebSocket message contains specific characters.
Impact:
Attack detection is not triggered as expected.
Workaround:
N/A
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
14.1.4.6
1072057-3 : "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy.
Links to More Info: BT1072057
Component: Advanced Firewall Manager
Symptoms:
The GUI incorrectly displays the source address in certain conditions.
1. If the source address of a firewall policy is not empty (that is, some specific IP addresses available to the rule), the word "Any" is displayed.
2. If the source address is empty (that is, no specific IP addresses exist), nothing (empty) is displayed.
Conditions:
Viewing a firewall policy in the GUI via Security > Firewall > policy.
Impact:
No functional impact
Workaround:
N/A
Fix:
Fixed a display issue with the source address field.
Fixed Versions:
14.1.4.6
1071365-3 : iControl SOAP WSDL hardening
Component: TMOS
Symptoms:
Under certain conditions iControl SOAP does not follow best practices for WSDL processing.
Conditions:
- Authenticated administrative user
- WSDL processing
Impact:
iControl SOAP does not follow current best practices.
Workaround:
N/A
Fix:
iControl SOAP now processes WSDL files according to current best practices.
Fixed Versions:
14.1.4.6
1070033 : Virtual server may not fully enter hardware SYN Cookie mode.
Links to More Info: BT1070033
Component: Advanced Firewall Manager
Symptoms:
The SYN Cookies Status of a virtual server shows 'full-hardware', but the 'Total Software' counter of software SYN Cookies continues to increment together with the 'Total Hardware' SYN Cookie counter during a SYN flood attack.
Conditions:
On platforms with multiple HSB modules each TMM connects to only one of the modules. This depends on platform, BIG-IP version and selected turboflex profile.
The simplest way to check is to look at the epva_flowstat tmstat table. If there is only one row per TMM and there is more than one distinct mod_id number, then the device is affected. For example:
$ tmctl -s tmm,mod_id,pdenum,slot_id epva_flowstat
tmm mod_id pdenum slot_id
--- ------ ------ -------
  0      1      0       0
  1      1      8       0
  2      2      0       0
  3      2      8       0
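The check described above can be scripted against saved tmctl output. The following is an added example, not F5 code: the function names are hypothetical, the first sample is the table from this entry, and the other two samples are constructed on the assumption that an unaffected multi-module system shows one row per TMM per module.

```python
from collections import Counter

# Output quoted in this entry (prompt line included to show it is skipped).
PAGE_SAMPLE = """\
$ tmctl -s tmm,mod_id,pdenum,slot_id epva_flowstat
tmm mod_id pdenum slot_id
--- ------ ------ -------
0 1 0 0
1 1 8 0
2 2 0 0
3 2 8 0
"""

# Constructed: every TMM has a row for each module (assumed unaffected shape).
CONSTRUCTED_ALL_MODULES = """\
tmm mod_id pdenum slot_id
--- ------ ------ -------
0 1 0 0
0 2 0 0
1 1 8 0
1 2 8 0
"""

# Constructed: platform with a single HSB module.
CONSTRUCTED_SINGLE_MODULE = """\
tmm mod_id pdenum slot_id
--- ------ ------ -------
0 1 0 0
1 1 8 0
"""


def parse_epva_flowstat(text):
    """Turn tmctl text output into a list of {column: int} rows."""
    rows, columns = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(("$", "-")):
            continue  # blank line, shell prompt, or the dashed separator
        if columns is None:
            columns = fields  # first remaining line is the header
            if not {"tmm", "mod_id"} <= set(columns):
                raise ValueError("output must include tmm and mod_id columns")
            continue
        rows.append(dict(zip(columns, map(int, fields))))
    return rows


def hsb_exposure(text):
    """Apply the rule from this entry: one row per TMM and >1 distinct mod_id."""
    rows = parse_epva_flowstat(text)
    rows_per_tmm = Counter(row["tmm"] for row in rows)
    modules = sorted({row["mod_id"] for row in rows})
    one_row_each = bool(rows) and all(n == 1 for n in rows_per_tmm.values())
    return {
        "affected": one_row_each and len(modules) > 1,
        "modules": modules,
        "tmms": sorted(rows_per_tmm),
    }


if __name__ == "__main__":
    for name, sample in [("page sample", PAGE_SAMPLE),
                         ("all modules", CONSTRUCTED_ALL_MODULES),
                         ("single module", CONSTRUCTED_SINGLE_MODULE)]:
        print(name, hsb_exposure(sample))
```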
Impact:
A portion of the SYN flood attack is handled in software, which might have some performance impact.
Workaround:
N/A
Fix:
All TMMs now correctly enter hardware SYN Cookie mode.
Fixed Versions:
14.1.4.6
1069745 : GUI issues in Security->NetworkFirewall->Active Rules, rule movement to 101, 201 position.
Component: Advanced Firewall Manager
Symptoms:
"Commit Changes to System" does not perform the expected action.
Conditions:
1. Move a rule from any position to 101, 201 or 301 etc.
2. Click "Commit Changes to system" button.
Impact:
Changes are not saved.
Workaround:
Use TMSH to move the rule.
Fix:
Fixed an issue preventing saving of config changes when rules are moved.
Fixed Versions:
14.1.4.6
1069449-3 : ASM attack signatures may not match cookies as expected
Component: Application Security Manager
Symptoms:
Under certain conditions ASM attack signatures may not match cookies as expected.
Conditions:
- Specially crafted cookies
Impact:
Attack signatures are not detected as expected.
Workaround:
N/A
Fix:
ASM attack signatures now match cookies as expected.
Fixed Versions:
14.1.4.6
1067993-6 : APM Windows Client installer hardening
Component: Access Policy Manager
Symptoms:
The APM Windows Client installer does not follow current best practices.
Conditions:
- APM Windows Client installer
- Unspecified user action
Impact:
The APM Windows Client installer process does not operate as expected.
Workaround:
None
Fix:
The APM Windows Client installer now follows current best practices.
Fixed Versions:
14.1.4.6
1067285-3 : Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.'
Component: Application Security Manager
Symptoms:
F5 Networks, Inc.
F5 Networks Inc.
F5 Networks appear as F5, Inc.
Conditions:
NA
Impact:
F5 Networks, Inc
F5 Networks
F5 Networks Inc will appear as F5, Inc to the end user, be it online help, or any ASM related screens.
Workaround:
NA
Fix:
F5 Networks, Inc
F5 Networks
F5 Networks Inc will appear as F5, Inc to the end user, be it online help, or any ASM related screens.
Fixed Versions:
14.1.4.6
1066285-1 : Master Key decrypt failure - decrypt failure.
Links to More Info: BT1066285
Component: TMOS
Symptoms:
After MCPD restarts or the system reboots:
-- the system is inoperative and MCPD may be restarting
-- the logs report this error:
err mcpd[12444]: 01071769:3: Decryption of the field (value) for object (config.auditing.forward.sharedsecret) failed while loading configuration that is encrypted with a different master key.
-- the system may be reporting this error:
load_config_files[5635]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.
This may occur during a system upgrade.
Conditions:
When config.auditing.forward.sharedsecret is encrypted and masterkey value is changed.
Impact:
MCPD will continuously restart, and the system will remain inoperative.
Workaround:
If a system is affected by this issue, set the DB key back to its default value. Once the configuration is loaded, set the DB key back to the correct value:
- tmsh modify /sys db config.auditing.forward.sharedsecret value '<null>'
After changing the SecureValue master key but before encountering the issue, run the following command to update the value of the DB key on-disk:
setdb config.auditing.forward.sharedsecret "$(getdb config.auditing.forward.sharedsecret)"
Fix:
N/A
Fixed Versions:
14.1.4.6
1064617-3 : DBDaemon process may write to monitor log file indefinitely
Links to More Info: BT1064617
Component: Local Traffic Manager
Symptoms:
If debug logging is enabled for a database monitor (mssql, mysql, postgresql or oracle), the DBDaemon process may write to a monitor log file indefinitely, including after the monitor log file is rotated and/or deleted.
Conditions:
This problem may occur when:
- using a database monitor (mssql, mysql, postgresql or oracle) which is configured with the "debug" value set to "yes"
- using a database monitor (mssql, mysql, postgresql or oracle) for a pool member which is configured with the "logging" set to "enabled"
Impact:
The DBDaemon process may write debug logging messages to the affected monitor log file indefinitely, including after the monitor log file has been rotated and/or deleted.
As a result, storage in the /var/log volume may be consumed to the point that other logging cannot be performed, and the BIG-IP instance may be restarted/rebooted.
Workaround:
To work around this issue, restart the DBDaemon process.
To find the PID of the DBDaemon process, observe the output of the following command:
ps -ef |grep -v grep | grep DB_monitor.jar | awk '{print($2)}'
To confirm whether the DBDaemon process is writing to a monitor log file, and if so, which file:
lsof -p $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}') | grep -e COMMAND -e '/var/log/monitors'
To kill the DBDaemon process:
kill $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}')
NOTE:
Killing the DBDaemon process will cause a short-term loss of database monitoring functionality, until DBDaemon is restarted by the next database monitor probe.
Fixed Versions:
14.1.4.6
1062513-2 : GUI returns 'no access' error message when modifying a GTM pool property.
Links to More Info: BT1062513
Component: Global Traffic Manager (DNS)
Symptoms:
When you modify a GTM pool property and then click "Update," the next page displays the error message "No access."
When you modify GTM pool properties using the GUI, the properties do not update or display.
Conditions:
This occurs when you modify a GTM pool property using the GUI.
Impact:
You cannot change a GTM pool property using the GUI.
Workaround:
Use TMSH to change the GTM pool property.
OR
Click on "Update" a second time in the GUI.
Fix:
N/A
Fixed Versions:
14.1.4.6
1060933-3 : Issue with input normalization.
Component: Application Security Manager
Symptoms:
Under certain conditions, attack signature violations may not be triggered.
Conditions:
- ASM provisioned with XML content profile
- Request contains XML body
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
14.1.4.6
1060409-4 : Behavioral DoS enable checkbox is wrong.
Component: Anomaly Detection Services
Symptoms:
Behavioral DoS Enabled indicator is wrongly reported after configuration change, when no traffic is injected to the virtual server.
Conditions:
Behavioral DoS is enabled and then disabled when no traffic is injected to the virtual server.
Impact:
After server health is stabilized and constant, the BIG-IP system doesn't report the configuration changes.
Workaround:
Send 1-2 requests to the server and the configuration will be updated.
Fix:
Behavioral DoS enabled/disabled flag is now reported correctly.
Fixed Versions:
14.1.4.6
1059185-3 : iControl REST Hardening
Component: TMOS
Symptoms:
Under certain conditions iControl REST does not follow current best practices.
Conditions:
- Authenticated administrative user
- iControl REST request
Impact:
iControl REST does not follow current best practices.
Workaround:
N/A
Fix:
iControl REST now follows current best practices.
Fixed Versions:
14.1.4.6
1058677-3 : Not all SCTP connections are mirrored on the standby device when auto-init is enabled.
Links to More Info: BT1058677
Component: TMOS
Symptoms:
When auto-init is enabled, not all SCTP connections are mirrored to the standby device.
Conditions:
-- SCTP Profile and Mirroring.
-- Auto initialization is enabled.
Impact:
Only half of the connections are mirrored to the standby device.
Workaround:
Disable auto initialization:
tmsh modify ltm message-routing diameter peer <affected_peer> { auto-initialization disabled }
Fix:
SCTP connections are mirrored successfully to standby device.
Fixed Versions:
14.1.4.6
1058645-3 : ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup.
Links to More Info: BT1058645
Component: Advanced Firewall Manager
Symptoms:
Sophos IPsec clients cannot connect to a Sophos firewall when ipsecalg is configured on the forwarding virtual server.
The Sophos client initially attempts to start the tunnel using aggressive mode. The Sophos firewall does not support remote users attempting aggressive mode and responds with Notify Message Type INVALID-PAYLOAD-TYPE. The tunnel setup cannot proceed correctly after that point.
Conditions:
-- Sophos client is installed on remote user devices.
-- Sophos firewall is the remote endpoint in the IPsec tunnel.
Note: The Sophos client and firewall combination is the only known failing use-case.
Impact:
Sophos clients cannot start an IPsec tunnel.
Workaround:
The Sophos client cannot be configured to use main mode instead of starting with aggressive mode. The Sophos firewall does not support aggressive mode for remote user IPsec tunnels.
Therefore, create an iRule and add the iRule to the ipsecalg virtual server. The iRule simply contains this:
when SERVER_DATA {
    # Only execute on first server side packet of conflow.
    event disable
    if { [UDP::payload length] < 40 } { return; }
    binary scan [UDP::payload] x8x8cH2cx9x10S payload_type ver exch_type noti_type
    # Depending on throughput, the amount of logging here may be problematic
    #log local0. "payload_type : $payload_type"
    #log local0. "ver : $ver"
    #log local0. "exch_type : $exch_type"
    #log local0. "noti_type : $noti_type"
    if { $payload_type == 11 && $ver == 10 && $exch_type == 5 && $noti_type == 1 } {
        log local0. "Closing ipsecalg connection"
        after 1 { reject }
    }
}
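To see which packets the iRule's binary scan format selects, the same offsets can be applied offline to ISAKMP messages laid out per RFC 2408. This is an added example, not F5 code: the function names are hypothetical and the sample messages are constructed, with made-up cookies and payload bodies.

```python
import struct

# Same layout as the iRule's "x8x8cH2cx9x10S":
#   8x  initiator cookie      8x  responder cookie
#   b   next payload          1s  version (major/minor nibbles)
#   b   exchange type         9x  flags(1) + message ID(4) + length(4)
#   10x generic payload header(4) + DOI(4) + protocol ID(1) + SPI size(1)
#   h   notify message type (16-bit, big-endian)
IRULE_LAYOUT = struct.Struct(">8x8xb1sb9x10xh")

NOTIFICATION_PAYLOAD = 11   # ISAKMP payload type N
INFORMATIONAL_EXCHANGE = 5  # ISAKMP exchange type
AGGRESSIVE_EXCHANGE = 4
INVALID_PAYLOAD_TYPE = 1    # notify message type named in this entry
NO_PROPOSAL_CHOSEN = 14


def scan_fields(payload):
    """Return the four fields the iRule extracts, or None if under 40 bytes."""
    if len(payload) < IRULE_LAYOUT.size:
        return None
    payload_type, ver, exch_type, noti_type = IRULE_LAYOUT.unpack_from(payload)
    return {"payload_type": payload_type, "ver": ver.hex(),
            "exch_type": exch_type, "noti_type": noti_type}


def irule_would_reject(payload):
    """Mirror the iRule condition: Informational exchange, v1.0, Notify type 1."""
    f = scan_fields(payload)
    return f is not None and (
        f["payload_type"] == NOTIFICATION_PAYLOAD
        and f["ver"] == "10"
        and f["exch_type"] == INFORMATIONAL_EXCHANGE
        and f["noti_type"] == INVALID_PAYLOAD_TYPE
    )


def isakmp_message(next_payload, exch_type, body, version=0x10):
    """Build a constructed ISAKMP message: 28-byte header plus body."""
    header = struct.pack(">8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                         next_payload, version, exch_type,
                         0, 0, 28 + len(body))
    return header + body


def notification_payload(notify_type):
    """Build a constructed 12-byte Notification payload with no SPI or data."""
    # next payload, reserved, length, DOI (IPsec), protocol ID, SPI size, type
    return struct.pack(">BBHIBBH", 0, 0, 12, 1, 1, 0, notify_type)


# Constructed samples.
NOTIFY_INVALID_PAYLOAD = isakmp_message(
    NOTIFICATION_PAYLOAD, INFORMATIONAL_EXCHANGE,
    notification_payload(INVALID_PAYLOAD_TYPE))
NOTIFY_OTHER = isakmp_message(
    NOTIFICATION_PAYLOAD, INFORMATIONAL_EXCHANGE,
    notification_payload(NO_PROPOSAL_CHOSEN))
AGGRESSIVE_FIRST = isakmp_message(1, AGGRESSIVE_EXCHANGE, bytes(60))
TRUNCATED = NOTIFY_INVALID_PAYLOAD[:39]

if __name__ == "__main__":
    for name, msg in [("invalid-payload notify", NOTIFY_INVALID_PAYLOAD),
                      ("other notify", NOTIFY_OTHER),
                      ("aggressive first packet", AGGRESSIVE_FIRST),
                      ("truncated", TRUNCATED)]:
        print(name, scan_fields(msg), irule_would_reject(msg))
```

The 40-byte minimum in the iRule is exactly the span needed to reach the notify message type at offsets 38 and 39.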
Fix:
Sophos clients can now bring up an IPsec tunnel with a Sophos firewall.
Fixed Versions:
14.1.4.6
1058469-3 : Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working.
Links to More Info: BT1058469
Component: Local Traffic Manager
Symptoms:
A virtual server which is part of an iApp service and which was previously working correctly now rejects all traffic.
Upon inspecting the log, entries similar to the following examples may be noticed:
==> /var/log/tmm <==
<13> Oct 28 23:41:36 bigip1 notice hudfilter_init: clientside matches TCP position. 0 0
==> /var/log/ltm <==
Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Proxy initialization failed for /Common/my.app/my-vs. Defaulting to DENY.
Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Listener config update failed for /Common/my.app/my-vs: ERR:ERR_UNKNOWN
Conditions:
This issue is known to occur when strict-updates is disabled for an iApp service which includes a non-default NTLM profile.
Impact:
Traffic outage as the affected virtual server(s) no longer passes any traffic.
Workaround:
To recover an affected system, either restart TMM (bigstart restart tmm) or delete and redeploy the iApp service.
To prevent this issue from occurring again, modify the iApp configuration to use the default NTLM profile rather than a custom one (if the iApp template involved allows this).
Fix:
Disabling strict-updates for an iApp service, which includes a non-default NTLM profile, no longer causes virtual servers associated with the profile to suddenly stop working.
Fixed Versions:
14.1.4.6
1057809-4 : Saved dashboard hardening
Component: TMOS
Symptoms:
Saved dashboards do not follow current best practices.
Conditions:
- Authenticated administrative user
- Saved dashboard
Impact:
Dashboards do not follow current best practices.
Workaround:
N/A
Fix:
Saved dashboards now follow current best practices.
Fixed Versions:
14.1.4.6
1057801-4 : TMUI does not follow current best practices
Component: TMOS
Symptoms:
The TMUI does not follow current best practices.
Conditions:
- Authenticated administrative user
- TMUI request
Impact:
TMUI does not follow current best practices.
Workaround:
N/A
Fix:
TMUI now follows current best practices.
Fixed Versions:
14.1.4.6
1056993-4 : 404 error is raised on GUI when clicking "App IQ."
Component: TMOS
Symptoms:
When the App IQ menu option is clicked in the GUI workflow, (GUI: System ›› Configuration >> App IQ) the result is "Not Found. The requested URL was not found on this server."
Conditions:
Clicking the App IQ menu option in the GUI workflow, GUI: System ›› Configuration >> App IQ.
Impact:
Not able to access App IQ page.
Workaround:
Navigate directly to the following page on your BIG-IP (replacing <BIG-IP> with the IP/hostname of the system):
https://<BIG-IP>/tmui/tmui/system/appiq_ng/views/settings.html
Fix:
N/A
Fixed Versions:
14.1.4.6
1056933-2 : TMM may crash while processing SIP traffic
Component: Service Provider
Symptoms:
Under certain conditions, TMM may coredump while processing SIP traffic.
Conditions:
- SIP ALG is configured
Impact:
TMM crash leading to a traffic interruption and failover event.
Workaround:
Use SIP::discard under specific conditions in a SIP_RESPONSE iRule.
Fix:
SIP traffic is now processed as expected.
Fixed Versions:
14.1.4.6, 15.1.5
1055453 : Blocking page trims the last digit of the Support ID.
Links to More Info: BT1055453
Component: Application Security Manager
Symptoms:
The Support ID in a blocking page has the last digit trimmed.
Conditions:
Support ID that is 20 digits.
Impact:
Support ID shown in a response page does not match what is shown in event log screen in GUI and in remote logging.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
14.1.4.6
1052929-2 : MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized.
Links to More Info: BT1052929
Component: Local Traffic Manager
Symptoms:
When MCPD starts, it may log an error message reporting an issue communicating with the onboard FIPS HSM. If the HSM is uninitialized, this message is erroneous, and can be ignored.
Depending on the hardware platform, the message may be one of the following:
err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. Please issue 'FIPSutil loginreset -r' followed by 'bigstart restart' for a password reset. You will need your FIPS Security Officer password to reset the password..
err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. The FIPS card must be reinitialized, which will erase its contents..
Conditions:
-- BIG-IP system with an onboard FIPS HSM, or a vCMP guest running on a BIG-IP system with an onboard FIPS HSM
-- the FIPS HSM is not initialized, i.e. "fipsutil info" reports "FIPS state: -1".
Impact:
This message can be ignored when the FIPS HSM is not in-use, and is uninitialized.
Workaround:
Initialize the FIPS HSM following the instructions in the F5 Platforms : FIPS Administration manual.
Fixed Versions:
14.1.4.6
1052153-1 : Signature downloads for traffic classification updates via proxy fail
Component: Traffic Classification Engine
Symptoms:
Downloading IM package via proxy fails.
Conditions:
Downloading the IM file through a proxy.
Impact:
Auto-download of the IM package from f5.com fails.
Workaround:
Disable the proxy and trigger the IM package download from the management interface.
Fix:
Fixed an issue with downloading updates through a proxy.
Fixed Versions:
14.1.4.6
1051797-3 : Linux kernel vulnerability: CVE-2018-18281
Component: TMOS
Symptoms:
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks.
Conditions:
A syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap().
Impact:
A stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused.
Workaround:
N/A
Fix:
Kernel updated to address CVE-2018-18281
Fixed Versions:
14.1.4.6
1051561-3 : iControl REST request hardening
Component: TMOS
Symptoms:
iControl REST does not follow current best practices.
Conditions:
- iControl REST request
Impact:
iControl REST does not follow current best practices.
Workaround:
N/A
Fix:
iControl REST now follows current best practices.
Fixed Versions:
14.1.4.6
1051213-3 : Increase default value for violation 'Check maximum number of headers'.
Links to More Info: BT1051213
Component: Application Security Manager
Symptoms:
Due to a recent change in browsers, up to 7 headers are newly inserted in the request.
ASM has a default limit of 20 headers, so legitimate requests that have more than 20 headers are blocked with the violation "Maximum Number of Headers exceeded".
Conditions:
When the number of headers passed in request is greater than the value of maximum number of headers set, then this violation is raised.
Impact:
Legitimate requests are blocked with the violation "Maximum Number of Headers exceeded" when the number of headers is greater than the value set for the policy (default 20).
Workaround:
Increase "Check maximum number of headers" to 30 under Learning and Blocking settings screen for a policy.
Fix:
Increased default value of maximum number of headers to 30.
Fixed Versions:
14.1.4.6
1051209-3 : BD may not process certain HTTP payloads as expected
Component: Application Security Manager
Symptoms:
Under certain conditions BD may not process HTTP payloads as expected.
Conditions:
- HTTP request
Impact:
Payloads are not processed as expected, potentially leading to missed signature matches.
Workaround:
N/A
Fix:
BD now processes HTTP payloads as expected.
Fixed Versions:
14.1.4.6
1050697-2 : Traffic learning page counts Disabled signatures when they are ready to be enforced
Component: Application Security Manager
Symptoms:
The traffic learning page counts Disabled signatures when they are ready to be enforced.
Conditions:
Policy has a disabled signature.
Impact:
Traffic learning page shows different counts of "ready to be enforced" signatures compared to Security ›› Application Security : Security Policies : Policies List ›› <policy name>
Workaround:
None
Fixed Versions:
14.1.4.6
1050537-3 : GTM pool member with none monitor will be part of load balancing decisions.
Links to More Info: BT1050537
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM pool member containing no monitor (status=BLUE) is not included in load balancing decisions.
Conditions:
GTM pool member with the monitor value set to none.
Impact:
GTM does not load balance to this pool member.
Workaround:
N/A
Fix:
Handled GTM pool with "none" monitor
Behavior Change:
GTM pool members with "none" monitor are now part of load balancing decisions
Fixed Versions:
14.1.4.6
1049229-3 : When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays.
Links to More Info: BT1049229
Component: Advanced Firewall Manager
Symptoms:
An authenticated administrative user tries to create a sub-rule under the Network Firewall rule list from the GUI and is redirected to a 'No Access' error page.
Conditions:
This error can occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI on a version of BIG-IP (including engineering hotfixes) that includes the fixes for BIG-IP bugs ID1032405 and ID941649.
Impact:
The user cannot create a sub-rule under the Network Firewall rule list in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
After the fixes for ID1032405 and ID941649 are installed, the "No Access" errors no longer occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1048141-1 : Sorting pool members by 'Member' causes 'General database error'
Links to More Info: BT1048141
Component: TMOS
Symptoms:
The configuration utility (web UI) returns 'General database error' when sorting pool members. The pool member display does not work for the duration of the login.
Conditions:
Sorting the pool member list by member.
Impact:
A pool's pool member page cannot be displayed.
Workaround:
Clear site and cached data on browser and do not sort by pool member.
Fix:
Pool members can be sorted by member.
Fixed Versions:
14.1.4.6
1047389-1 : Bot Defense challenge hardening
Component: Application Security Manager
Symptoms:
Under certain conditions, the Bot Defense profile does not follow current best practices.
Conditions:
Bot Defense profile used
Impact:
The Bot Defense profile does not follow current best practices.
Workaround:
None
Fix:
The Bot Defense profile now follows current best practices.
Fixed Versions:
14.1.4.6
1047169-3 : GTM AAAA pool can be deleted from the configuration despite being in use by an iRule.
Links to More Info: BT1047169
Component: TMOS
Symptoms:
A BIG-IP Administrator is incorrectly able to delete a GTM AAAA pool from the configuration, despite this object being referenced in an iRule in use by an AAAA wideip.
An error similar to the following example will be visible in the /var/log/gtm file should the iRule referencing the pool run after the pool has been deleted:
err tmm[11410]: 011a7001:3: TCL error: Rule /Common/my_rule <DNS_REQUEST> - GTM Pool 'my_pool' of type 'A' not found (line 1)GTM Pool 'my_pool' of type 'A' not found (line 1) invoked from within "pool my_pool"
Note the error message incorrectly reports the pool as type A (it should report type AAAA).
Conditions:
-- Two GTM pools of type A and AAAA share the same exact name (which is legal).
-- The pool name is referenced in an iRule by the 'pool' command.
-- The iRule is in use by an AAAA wideip.
-- A BIG-IP Administrator attempts to delete the AAAA pool.
Impact:
The system incorrectly allows the deletion of the AAAA pool from the configuration.
Consequently, the next time the GTM configuration is reloaded from file, the operation will fail.
Additionally, traffic which relied on the pool being present in the configuration will fail.
Fixed Versions:
14.1.4.6
1047089-4 : TMM may terminate while processing TLS/DTLS traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions TMM may terminate while proxying traffic between TLS and DTLS.
Conditions:
- Virtual configured for server-side DTLS
- Virtual configured for client-side TLS
Impact:
TMM may terminate, leading to a failover event.
Workaround:
N/A
Fix:
TMM may no longer be configured for DTLS/TLS gateway traffic.
Fixed Versions:
14.1.4.6, 15.1.5
1047053-1 : TMM may consume excessive resources while processing RTSP traffic
Component: Service Provider
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing RTSP traffic.
Conditions:
- RTSP profile enabled
- Undisclosed traffic
Impact:
An increase in TMM resource utilization, potentially leading to a crash and failover event.
Workaround:
N/A
Fix:
TMM now processes RTSP traffic as expected.
Fixed Versions:
14.1.4.6, 15.1.5
1046693-2 : TMM with BFD configured might crash under significant memory pressure
Links to More Info: BT1046693
Component: TMOS
Symptoms:
TMM might crash when processing BFD traffic under high memory pressure.
Conditions:
- BFD in use.
- TMM under high memory pressure.
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
14.1.4.6
1046669-3 : The audit forwarders may prematurely time out waiting for TACACS responses
Links to More Info: BT1046669
Component: TMOS
Symptoms:
If a TACACS server takes longer than five seconds to respond, the audit forwarder will reset the connection.
Conditions:
-- Using remote TACACS logging.
-- TACACS server takes longer than 5 seconds to respond to logging requests.
Impact:
Misleading log messages.
Fix:
The time that a BIG-IP system will wait for a response from a TACACS server is now configurable using the DB variable config.auditing.forward.tacacs.timeout.response.
Behavior Change:
The time that a BIG-IP system will wait for a response from a TACACS server is now configurable using the DB variable config.auditing.forward.tacacs.timeout.response.
Fixed Versions:
14.1.4.6
1045913-4 : COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression
Links to More Info: BT1045913
Component: Local Traffic Manager
Symptoms:
When using selective compression, COMPRESS::disable after a compressed response on the same connection will remove the Accept-Encoding header on the subsequent request and then correctly not compress the response. The Accept-Encoding header should be left in place to allow the server to compress the response, if able.
Conditions:
1. Virtual server with HTTP profile and selective compression using conditional COMPRESS::disable/COMPRESS::enable iRules with a server capable of responding with compressed content.
2. A client requests compressed documents over a persistent connection
Impact:
Client may receive some uncompressed responses in cases where compression was expected.
Workaround:
Use an iRule that inserts an Accept-Encoding header at HTTP_REQUEST_RELEASE time, which allows the server to compress, if capable.
Fixed Versions:
14.1.4.5
1045549-2 : BFD sessions remain DOWN after graceful TMM restart
Links to More Info: BT1045549
Component: TMOS
Symptoms:
BFD sessions remain DOWN after graceful TMM restart
Conditions:
TMM is gracefully restarted, for example with 'bigstart restart tmm' command.
Impact:
BFD sessions remain DOWN after graceful TMM restart
Workaround:
After restarting TMM, restart tmrouted.
Fixed Versions:
14.1.4.6
1045421-3 : No Access error when performing various actions in the TMOS GUI
Links to More Info: K16107301, BT1045421
Component: TMOS
Symptoms:
An authenticated administrative user is redirected to a 'No Access' error page while performing various actions in the TMOS GUI, including when trying to:
-- Apply a policy to a virtual server
-- Import images (TMOS images / hotfixes / apmclients)
-- Export/apply an APM policy
-- Run the high availability (HA) setup wizard
-- Export a certificate/key through one of the following paths:
---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / test-renew-self-sign / Renew
---- DNS / GSLB : Pools : Pool List / Click Testpool / Click Members / Click Manage
---- System / Software Management : APM Clients / Import
---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / NewSSLCert / Certificate / Export / Click Download
Conditions:
This may occur when performing various actions in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .
Impact:
Cannot perform various actions in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
'No Access' errors no longer occur when performing various actions in the TMOS GUI under these conditions.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1045229-3 : APMD leaks Tcl_Objs as part of the fix made for ID 1002557
Links to More Info: BT1045229
Component: Access Policy Manager
Symptoms:
APMD memory grows over time causing OOM killer to kill apmd
Conditions:
Access policy has resource assignment agents/variable assignments
Impact:
APMD memory grows over time and OOM killer may terminate apmd thereby affecting traffic. Access traffic disrupted while apmd restarts.
If APMD is not killed by OOM killer the system may start thrashing and become unstable, generally resulting in cores from innocent processes that are no longer scheduled correctly - keymgmtd, bigd, mcpd are typical victims.
Ultimately system may restart automatically as watchdogs fail.
Fixed Versions:
14.1.4.5
1045101-2 : Bd may crash while processing ASM traffic
Component: Application Security Manager
Symptoms:
Bd may crash when handling HTTP requests with APM and ASM.
Conditions:
- ASM and APM are provisioned
- Session awareness is enabled and "Use APM Username and Session ID" is selected in "Application Username" configuration
- Specially crafted HTTP request
Impact:
Bd crash leading to a traffic disruption and failover event.
Workaround:
N/A
Fix:
Bd now processes ASM and APM traffic as expected.
Fixed Versions:
14.1.4.6, 15.1.5, 16.1.2.1
1044425-4 : NSEC3 record improvements for NXDOMAIN
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses can be improved to support current best practices.
Conditions:
- DNSSEC zone configured
Impact:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses do not follow current best practices.
Workaround:
N/A
Fix:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses now follow current best practices.
Fixed Versions:
14.1.4.6
1044121-1 : APM logon page is not rendered if db variable "ipv6.enabled" is set to false
Links to More Info: BT1044121
Component: Access Policy Manager
Symptoms:
When accessing a Virtual Server with an access policy, users are redirected to the hangup page.
Conditions:
Db variable "ipv6.enabled" is set to false
Impact:
Users will not be able to access the virtual server and associated resources behind it.
Workaround:
Keep the value of db variable "ipv6.enabled" set to true.
# setdb "ipv6.enabled" true
Fixed Versions:
14.1.4.5
1043385-2 : No Signature detected If Authorization header is missing padding.
Component: Application Security Manager
Symptoms:
If the Authentication scheme value in the Authorization header contains extra/missing padding in base64, then ASM does not detect any attack signatures.
Conditions:
HTTP request with Authorization header contains base64 value with extra/missing padding.
Impact:
Attack signature not detected.
Workaround:
N/A
Fix:
Base64 values with extra or missing padding are now handled so that attack signatures are detected.
Fixed Versions:
14.1.4.6
1043357-2 : SSL handshake may fail when using remote crypto client
Links to More Info: BT1043357
Component: Local Traffic Manager
Symptoms:
ServerSSL handshake fails when verifying ServerKeyExchange message.
Conditions:
Remote crypto client is configured and the ServerSSL profile connects using an ephemeral RSA cipher suite.
Impact:
The virtual server is unable to connect to the backend server.
Workaround:
Use non-ephemeral RSA or ECDSA cipher suite on ServerSSL.
Fix:
Fix remote crypto client.
Fixed Versions:
14.1.4.6
1043277-2 : 'No access' error page displays for APM policy export and apply options.
Links to More Info: K06520200, BT1043277
Component: TMOS
Symptoms:
An authenticated administrative user is redirected to a 'NO ACCESS' error page while exporting/applying an APM policy in the TMOS GUI.
Conditions:
This issue can occur when exporting/applying an APM policy in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html.
Impact:
Cannot export/apply an APM policy in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
'No Access' errors no longer occur when exporting/applying an APM policy in the TMOS GUI under these conditions.
Fixes introduced for ID1045421 and ID1049229 (i.e., both fixes) resolve this issue.
Fixed Versions:
14.1.4.5, 15.1.4.1
1043017-2 : Virtual-wire with standard-virtual fragmentation
Links to More Info: BT1043017
Component: Local Traffic Manager
Symptoms:
A standard virtual-server configured on top of a virtual-wire has unexpected handling of fragmented IP traffic.
Conditions:
Standard virtual-server configured on top of a virtual-wire handling fragmented IP traffic.
Impact:
- Fragments missing on egress.
- Packet duplication on egress.
Workaround:
Use fastl4 virtual-server instead.
Fixed Versions:
14.1.4.6
1042993-1 : Provisioning high availability (HA) setup wizard fails to load, reports 'No Access'
Links to More Info: K19272127, BT1042993
Component: TMOS
Symptoms:
An authenticated administrative user is redirected to a 'NO ACCESS' error page while running the high availability (HA) setup wizard.
Conditions:
This may occur when running the high availability (HA) setup wizard in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .
Impact:
You are unable to run/finish the Config Sync/HA setup wizard to completion.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
'NO ACCESS' error pages no longer appear while running the high availability (HA) setup wizard in the TMOS GUI under these conditions.
Fixed Versions:
14.1.4.5, 15.1.4.1
1042069-3 : Some signatures are not matched under specific conditions.
Component: Application Security Manager
Symptoms:
Some signatures are not matched and attack traffic can pass through.
Conditions:
There are more than 20 signatures that have a common keyword with a signature that does not match (and has a common keyword and a new keyword).
Impact:
Attacking traffic can bypass the WAF.
Workaround:
N/A
Fix:
Attack signatures that share words with other attack signatures will be matched correctly now.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2.1
1042009-3 : Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes
Links to More Info: BT1042009
Component: TMOS
Symptoms:
Mcpd does not reply to the request if the publisher's connection closes/fails, in this case when bcm56xxd is restarted. The perceivable signs of the failure are the snmpwalk failing with a timeout and the "MCPD query response exceeding" log messages.
Conditions:
1) Configure snmp on the BIG-IP so you can run snmpwalk locally on the BIG-IP.
2) From one session on the BIG-IP, run snmpwalk in a while loop:
while true;do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat;sleep 2;done
Sample output:
Sat Aug 21 00:57:23 PDT 2021
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)
3) From a second session on the BIG-IP restart bcm56xxd
bigstart restart bcm56xxd
4a) the snmpwalk will continually report the following:
Timeout: No Response from 127.0.0.1
And snmpd will continually log "MCPD query response exceeding" every 30 seconds in /var/log/ltm
Impact:
SNMP stopped responding to queries after upgrade
Workaround:
Restart snmpd.
Fixed Versions:
14.1.4.6
1040821-2 : Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes
Links to More Info: BT1040821
Component: TMOS
Symptoms:
Address Translation and Port Translation checkboxes are automatically checked under the virtual server's advanced configuration.
Conditions:
Virtual Server's Advanced configuration option is selected followed by adding an iRule or a pool.
Impact:
The Address and Port translation options are automatically checked when the default is to have them unchecked.
Workaround:
Manually un-check Address Translation and Port Translation checkboxes under virtual server's advanced configuration
Fixed Versions:
14.1.4.6
1040361-3 : TMM crashes during its startup when TMC destination port list attached/deleted to virtual server.
Links to More Info: BT1040361
Component: Local Traffic Manager
Symptoms:
-- Log message written to TMM log file:
panic: ../kern/page_alloc.c:736: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
-- Virtual Server using a traffic-matching-criteria (TMC) with a destination-port-list, with multiple distinct ranges of ports.
-- Config changes to virtual server with traffic-matching criteria can cause memory corruption which can lead to delayed TMM crashes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use Traffic Matching Criteria with destination port lists.
TMM restart is required in case the virtual server is modified with traffic-matching-criteria related config.
Fix:
TMM no longer crashes under these conditions.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2
1039329-3 : MRF per peer mode is not working in vCMP guest.
Links to More Info: BT1039329
Component: Service Provider
Symptoms:
In an MRF Diameter setup where "auto-initialization" and "per peer" mode are enabled in the peer profile, no connection attempts towards the pool member occur.
When the mode is switched to "per tmm" or "per blade", connections are established.
Conditions:
The peer connection mode in the peer profile is set to "per peer".
Impact:
The "per peer" setting does not work.
Workaround:
Switch the connection mode to "per tmm" or "per blade"
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
1039205-1 : DNSSEC key stored on netHSM fails to generate if the key name length is > 24
Links to More Info: BT1039205
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC keys are not generated successfully.
Errors in logs similar to:
gtm1 err tmsh[4633]: 01420006:3: Key management library returned bad status: -20, Domain names must be 63 characters or less.
Conditions:
Create DNSSEC key with a name longer than 24:
# tmsh create ltm dns dnssec key DNSSEC_with_long_name_21_ key-type zsk use-fips external
Impact:
DNSSEC keys are not generated successfully.
Fixed Versions:
14.1.4.6
1039049-1 : Installing EHF on particular platforms fails with error "RPM transaction failure"
Links to More Info: BT1039049
Component: TMOS
Symptoms:
-- Installing an EHF fails with the error "RPM transaction failure"
-- Errors similar to the following are seen in the liveinstall.log file:
info: RPM: /var/tmp/rpm-tmp.LooFVF: line 11: syntax error: unexpected end of file
info: RPM: error: %preun(fpga-tools-atlantis-15.1.3-0.0.11.i686) scriptlet failed, exit status 2
Conditions:
-- Installing an EHF that contains an updated version of the 'fpga-tools-atlantis' package
-- Using the following platforms:
+ BIG-IP i4600 / i4800
+ BIG-IP i2600 / i2800
+ BIG-IP i850
Impact:
EHF installation fails.
Workaround:
None
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1038913-2 : The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category
Component: Application Visibility and Reporting
Symptoms:
In GUI "Security ›› Reporting : Application : Charts" filtering "View By" as IP Intelligence "Last Week", "Last Month" and "Last Year" reports show the "Safe" category instead of "Aggregated".
Conditions:
-- ASM is provisioned
-- The system is under heavy traffic
-- The number of stats records per report period (5 min) is higher than 10,000
Impact:
Inaccurate Last Week IPI reporting
Fixed Versions:
14.1.4.6
1038741-2 : NTLM type-1 message triggers "Unparsable request content" violation.
Links to More Info: BT1038741
Component: Application Security Manager
Symptoms:
When the internal parameter for "authorization header decode failure" is disabled, a valid NTLM type-1 message is blocked with the "Unparsable request content" violation.
Conditions:
Disable internal parameter ignore_authorization_header_decode_failure
Impact:
Valid NTLM Type-1 message will be blocked by ASM.
Workaround:
Enable the internal parameter ignore_authorization_header_decode_failure so that ASM does not block the NTLM type-1 message request.
Fixed Versions:
14.1.4.6
1038733-2 : Attack signature not detected for unsupported authorization types.
Component: Application Security Manager
Symptoms:
ASM does not detect an Unsupported Bearer authorization type that contains header value in base64 format.
Conditions:
HTTP request containing a Bearer Authorization header that contains a matching signature in base64-encoded format.
Impact:
ASM does not raise a violation and does not block the request.
Workaround:
N/A
Fix:
ASM now decodes the base64 value in the Bearer Authorization header and performs attack signature matching. It raises a violation and blocks the request if the value contains an attack.
Fixed Versions:
14.1.4.6
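The failure mode shared by ID 1043385 (extra/missing base64 padding) and ID 1038733 (Bearer values in base64) can be reproduced with a decoder that gives up on non-canonical input. The following is an added illustration, not F5 or ASM code; the signature marker, function names and sample headers are constructed, and the per-segment base64url handling for Bearer tokens generalizes beyond what the notes state.

```python
import base64
import binascii
import re

# Constructed placeholder; a real WAF matches against its own signature set.
MARKER = b"EXAMPLE-ATTACK-MARKER"
SIGNATURES = [re.compile(re.escape(MARKER))]

# Canonical RFC 4648 base64: full quads, then at most one correctly padded tail.
_CANONICAL = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")
_ALPHABET = re.compile(r"^[A-Za-z0-9+/_-]+$")


def strict_decode(value):
    """Accept only canonically padded base64; anything else is undecodable."""
    if not _CANONICAL.match(value):
        return None
    return base64.b64decode(value)


def tolerant_decode(value):
    """Decode base64 or base64url regardless of missing or surplus '='."""
    body = value.strip().rstrip("=")
    if not _ALPHABET.match(body):
        return None
    body = body.replace("-", "+").replace("_", "/")
    if len(body) % 4 == 1:
        body = body[:-1]  # a lone trailing character cannot encode a full byte
    try:
        return base64.b64decode(body + "=" * (-len(body) % 4))
    except (binascii.Error, ValueError):
        return None


def inspect_authorization(header_value, decode=tolerant_decode):
    """Return (scheme, matched) after scanning raw and decoded credentials."""
    scheme, _, credentials = header_value.strip().partition(" ")
    credentials = credentials.strip()
    # Bearer tokens are commonly dot-separated base64url segments.
    parts = credentials.split(".") if scheme.lower() == "bearer" else [credentials]
    decoded = [d for d in (decode(p) for p in parts) if d is not None]
    # The raw text is always scanned, so a decode failure never skips inspection.
    candidates = [credentials.encode("latin-1", "replace")] + decoded
    matched = any(sig.search(c) for sig in SIGNATURES for c in candidates)
    return scheme, matched


def constructed_samples():
    """Constructed Authorization header values carrying the marker."""
    canonical = base64.b64encode(b"user:" + MARKER).decode()
    segments = [
        base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
        for raw in (b'{"typ":"JWT"}', b'{"note":"' + MARKER + b'"}')
    ]
    return {
        "canonical": "Basic " + canonical,
        "missing_padding": "Basic " + canonical.rstrip("="),
        "extra_padding": "Basic " + canonical + "==",
        "bearer": "Bearer " + ".".join(segments),
    }


if __name__ == "__main__":
    for name, header in constructed_samples().items():
        strict = inspect_authorization(header, strict_decode)[1]
        tolerant = inspect_authorization(header, tolerant_decode)[1]
        print(f"{name:16} strict={strict!s:5} tolerant={tolerant}")
```

Only the canonical sample is matched through the strict decoder; all four are matched through the tolerant one.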
1038629-3 : DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client
Links to More Info: BT1038629
Component: Local Traffic Manager
Symptoms:
With a DTLS virtual server, when the client sends the CLOSE_NOTIFY alert, BIG-IP simply closes the connection without sending CLOSE_NOTIFY back to the client or to the backend server. This causes the backend server to not close/shut down the connection completely.
Conditions:
This issue occurs with all DTLS virtual servers that have associated client-ssl and server-ssl profiles.
Impact:
Backend server and client will have a dangling connection for certain period of time (Based on the timeout implementation at the respective ends).
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
1037457-3 : High CPU during specific dos mitigation
Component: Application Security Manager
Symptoms:
CPU is high.
Conditions:
A DoS attack with specific characteristics is active and the policy is configured in a specific way.
Impact:
While the attack is mitigated on the BIG-IP system and does not reach the server, the CPU of the BIG-IP increases and this may impact other services on the BIG-IP device.
Workaround:
N/A
Fix:
A specific high CPU scenario during dos attacks was fixed.
Fixed Versions:
14.1.4.6
1036521-4 : TMM crash in certain cases
Links to More Info: BT1036521
Component: Application Security Manager
Symptoms:
TMM crashes in certain cases when dosl7 is attached.
Conditions:
TMM is configured with dosl7
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
N/A
Fixed Versions:
14.1.4.6
1035853-4 : Transparent DNS Cache can consume excessive resources.
Links to More Info: K41415626, BT1035853
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, the Transparent DNS Cache can consume excessive resources.
Conditions:
- GTM/DNS is provisioned
- Transparent DNS Cache is configured on a virtual server
Impact:
Excessive resource consumption, which can lead to increased server-side load.
Workaround:
N/A
Fix:
The Transparent DNS Cache now consumes resources as expected.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2
1035133-2 : Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab
Links to More Info: BT1035133
Component: Application Visibility and Reporting
Symptoms:
In various BIG-IQ GUI forms under the "Monitoring" tab (for example Monitoring -> Local Traffic -> HTTP), data for some time periods are missing.
Multiple "Unexpected end of ZLIB input stream" errors appear in BIG-IQ DCD logs under /var/log/appiq/gc_agent-manager.log
Conditions:
BIG-IP is attached to BIG-IQ, traffic volume is high
Impact:
Data in BIG-IQ are missing therefore some graphs show incorrect information
Workaround:
None
Fix:
Fixed an issue with missing statistics.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1034941-3 : Exporting and then re-importing "some" XML policy does not load the XML content-profile properly
Links to More Info: BT1034941
Component: Application Security Manager
Symptoms:
Exporting and then re-importing an existing ASM policy in XML format does not load its XML content-profile properly. An XML content-profile containing a firewall configuration shows the 'Import URL' as N/A for most .xsd files.
Conditions:
Corner case, when the second import_url value is null
Impact:
The import_url field is set as N/A for all files, except for the first one
Workaround:
None
Fix:
Fixed incorrect XML export when there are multiple import_url values in the content-profile.
Fixed Versions:
14.1.4.6
1034589-3 : No warning is given when a pool or trunk that was in use by a high availability (HA) Group is deleted from the configuration.
Links to More Info: BT1034589
Component: TMOS
Symptoms:
It is possible to delete a Pool or Trunk from the configuration while one or more high availability (HA) Groups still reference it.
As a result, the configuration of affected high availability (HA) Groups is automatically and silently adjusted (i.e. the deleted object is no longer referenced by any high availability (HA) Group).
The lack of warning about this automatic change could lead to confusion.
Conditions:
A pool or trunk is deleted from the configuration while still being referenced from a high availability (HA) Group.
Impact:
The automatic and silent removal of the deleted object from all high availability (HA) Groups may go unnoticed by BIG-IP Administrators, with potential consequences on the failover behavior of the devices.
Fix:
A warning message is logged to /var/log/ltm, and is also presented in tmsh.
Fixed Versions:
14.1.4.6
1034449 : Excessive CPU consumption by platform_agent.
Links to More Info: BT1034449
Component: TMOS
Symptoms:
The platform_agent process consumes excessive CPU.
Conditions:
-- BIG-IP tenant on VELOS.
-- Certain process restarts may cause this, for example api-svc-gw.
Impact:
System performance might be degraded due to high CPU usage on some cores.
Workaround:
Choose one option:
(1) Restart the blade that the platform_agent is consuming high CPU on.
or
(2) Set the running Tenant back to Provisioned, then Deployed, to start it again.
Fix:
Fixed large CPU consumption by platform_agent.
Fixed Versions:
14.1.4.4
1034365-1 : DTLS handshake fails with DTLS1.2 client version
Links to More Info: BT1034365
Component: Local Traffic Manager
Symptoms:
The DTLS handshake is unsuccessful when a client initiates a handshake with BIG-IP using DTLS 1.2.
Conditions:
When there is a DTLS client which supports both DTLS 1.0 and DTLS 1.2, then this problem could occur.
Impact:
DTLS handshakes can fail.
Workaround:
If possible, force the client to use only DTLS 1.0 in the client hello negotiation.
Fixed Versions:
14.1.4.5, 15.1.5
1033837-3 : REST authentication tokens persist on reboot★
Component: TMOS
Symptoms:
REST authentication tokens persist across reboots. Current best practices require that they be invalidated at boot.
Conditions:
- REST authentication token in use
- BIG-IP restarts
Impact:
REST authentication tokens are not invalidated at boot.
Workaround:
NA
Fix:
REST authentication tokens are now invalidated at boot.
Behavior Change:
Existing REST tokens are now invalidated on boot; new tokens will need to be generated after a reboot.
Fixed Versions:
14.1.4.6
1033829 : Unable to load Traffic Classification package
Links to More Info: BT1033829
Component: Traffic Classification Engine
Symptoms:
After installation and initial configuration, the latest Traffic Classification IM package fails to load.
Conditions:
This type of behavior is observed when the system is configured as follows,
1. LTM provisioned
2. Create virtual servers with classification profile
3. Then provision PEM module
4. Do a Hitless upgrade
Impact:
The latest Traffic Classification IM package fails to load.
Workaround:
Once the TMM is restarted after the issue, the latest IM is loaded.
Fix:
The traffic classification package now loads successfully.
Fixed Versions:
14.1.4.5
1032689-4 : UrlCat Custom db feedlist does not work for some URLs
Links to More Info: BT1032689
Component: Traffic Classification Engine
Symptoms:
The first URL getting normalized is not classified.
Conditions:
In a few cases, a URL that contains capital letters or 'www' is not categorized.
Impact:
The 'custom' category is not displayed for all the apps available in the feedlist file.
Workaround:
None
Fix:
Starting normalized lines with \n.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1032077-3 : TACACS authentication fails with tac_author_read: short author body
Links to More Info: BT1032077
Component: TMOS
Symptoms:
If a TACACS user is part of a group with tens of attribute-value pairs (AVPs), where the combined length of all the AVPs is such that the authorization reply message from the TACACS server is segmented, the login fails.
The error message that is logged when the login fails is:
"tac_author_read: short author body, 4468 of 6920: Operation now in progress", where the numbers 4468 and 6920 will vary.
Conditions:
- TACACS authentication
- TACACS user that is part of a group where the combined length of the AVPs is greater than the largest TCP segment the TACACS server is able to send.
Impact:
User is unable to log in.
Workaround:
If possible, reduce the number of attributes of the TACACS group or user.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1031425-1 : Provide a configuration flag to disable BGP peer-id check.
Links to More Info: BT1031425
Component: TMOS
Symptoms:
A fix for ID 945265 (https://cdn.f5.com/product/bugtracker/ID945265.html) introduced strict checking of a peer-id. This check might not be desired in some configurations.
Conditions:
EBGP peering with two routers in the same autonomous system, configured with the same peer-id.
Impact:
BIG-IP will not pass the NLRIs between two eBGP peers. The following message can be seen in debug logs:
172.20.10.18-Outgoing [RIB] Announce Check: 0.0.0.0/0 Route Remote Router-ID is same as Remote Router-ID
Workaround:
Change peer-ids to be unique on eBGP peers.
Fix:
A new neighbor-specific, af-specific configuration option is provided to allow routes to be passed to external peers sharing the same router-id. The check is done on egress, so the configuration should be changed towards the peer that is supposed to receive a route.
router bgp 100
 bgp graceful-restart restart-time 120
 neighbor as200 peer-group
 neighbor as200 remote-as 200
 neighbor as200 disable-peerid-check
 neighbor 172.20.8.16 peer-group as200
 neighbor 172.20.8.16 disable-peerid-check
 neighbor 172.20.10.18 peer-group as200
 neighbor 172.20.10.18 disable-peerid-check
 !
 address-family ipv6
 neighbor as200 activate
 neighbor as200 disable-peerid-check
 neighbor 172.20.8.16 activate
 neighbor 172.20.8.16 disable-peerid-check
 neighbor 172.20.10.18 activate
 neighbor 172.20.10.18 disable-peerid-check
 exit-address-family
When configured on a single neighbor, the option causes the session to be re-established.
When configured on a peer-group, a manual session restart is required for changes to take effect.
Fixed Versions:
14.1.4.6
1031029 : "Use of uninitialized value" warning observed during UCS restore.
Links to More Info: BT1031029
Component: Application Security Manager
Symptoms:
An intermittent warning message "Use of uninitialized value" can occur while restoring a UCS file.
Conditions:
Unknown
Impact:
A warning message is printed but the UCS file loads successfully. The message can be safely ignored.
Workaround:
None
Fix:
Fixed alarming warning observed while restoring UCS.
Fixed Versions:
14.1.4.5
1030853-3 : Route domain IP exception is being treated as trusted (for learning) after being deleted
Links to More Info: BT1030853
Component: Application Security Manager
Symptoms:
Traffic is considered trusted for learning even though a trusted IP exception was deleted.
Conditions:
Creating and deleting a route domain-specific IP exception
Impact:
Traffic learning suggestions scores are miscounted.
In automatic policy builder mode the policy can be updated by the policy builder based on the wrong score counting.
Workaround:
Stop and restart learning for the relevant policy
Fix:
When a route domain IP Exception configured for trusted learning is deleted, the upcoming suggestions scores will be calculated correctly without considering the deleted IP trusted.
Fixed Versions:
14.1.4.6
1030845-3 : Time change from TMSH not logged in /var/log/audit.
Links to More Info: BT1030845
Component: TMOS
Symptoms:
Whenever time is changed, the message is not logged in /var/log/audit.
Conditions:
This occurs when the system time is changed manually using either the 'date' command or 'tmsh modify sys clock'.
Impact:
The time change is not logged to the audit log.
Workaround:
N/A
Fix:
Time changes are now logged to the audit log.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1030665 : Apmd crashes during shutdown under certain conditions
Links to More Info: BT1030665
Component: Performance
Symptoms:
Apmd is observed to have crashed with SIGABRT
Conditions:
During shutdown sequence
Impact:
Minimal, since it happens when apmd is shutting down.
Workaround:
No workaround
Fix:
Apmd will no longer crash during shutdown
Fixed Versions:
14.1.4.4
1030645-2 : BGP session resets during traffic-group failover
Links to More Info: BT1030645
Component: TMOS
Symptoms:
BGP session might be hard reset during a traffic group failover. The following log is displayed:
BGP[11111]: BGP : %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Peer reset due to nh address change
Conditions:
Floating self-ips defined on a single vlan/subnet, with different traffic-groups configured.
Impact:
BGP session goes down during traffic-group failover.
Fix:
Soft clear is performed instead.
Fixed Versions:
14.1.4.6
1029897-3 : Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members.
Links to More Info: K63312282, BT1029897
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may pass malicious requests to server-side pool members.
Conditions:
1. The BIG-IP LTM has one or more virtual servers configured to proxy HTTP/2 requests from the client-side to HTTP/1 requests on the server-side.
2. An HTTP/2 client sends a request with one of the following issues and the BIG-IP passes it to the server-side pool members:
a. H2.TE request line injection
I. An HTTP/1 request embedded within an HTTP/2 pseudo-header value
II. Individual carriage return (CR) or line feed (LF) allowed within an HTTP/2 pseudo-header
b. Request line injection (folder traps)
c. Request line injection (rule bypass)
Impact:
Malicious HTTP/2 requests can be translated to HTTP/1 requests and sent to the pool member web server. Depending on the behavior of the pool member web server, this can lead to an HTTP request smuggling attack. When the affected virtual server is configured with the OneConnect profile, an attacker might be able to impact the responses sent to a different client.
Workaround:
You can configure the BIG-IP ASM system or Advanced WAF to block an HTTP/1 request that is embedded within an HTTP/2 pseudo header value from being sent to the backend server.
Fix:
This has been fixed so that client requests are appropriately rejected by BIG-IP.
Fixed Versions:
14.1.4.6
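For ID 1029897 above, the kind of check a proxy applies before translating an HTTP/2 request into an HTTP/1.1 request line can be sketched as follows. This is an added example, not F5 code: the function names and the constructed sample requests are assumptions, the rules come from RFC 9113 sections 8.2.1 and 8.2.2 and RFC 9110, and a non-CONNECT request is assumed.

```python
import re

# RFC 9113 section 8.2.1: a field value must not contain NUL, CR or LF.
FORBIDDEN_CTL = re.compile(r"[\x00\r\n]")
WHITESPACE = re.compile(r"\s")
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 9110 token
SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+\-.]*")      # RFC 3986 scheme
REQUEST_PSEUDO = (":method", ":scheme", ":authority", ":path")
# RFC 9113 section 8.2.2: connection-specific fields are not allowed in HTTP/2.
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}


def validate_request_headers(headers):
    """Check decoded HTTP/2 request fields, given as (name, value) pairs in
    wire order. Returns the reasons to reject; an empty list means accept."""
    reasons = []
    pseudo = {}
    regular_started = False
    for name, value in headers:
        if FORBIDDEN_CTL.search(value):
            reasons.append(f"{name}: NUL, CR or LF in value")
        if not name.startswith(":"):
            regular_started = True
            if not TOKEN.fullmatch(name) or name != name.lower():
                reasons.append(f"{name!r}: invalid field name")
            elif name in CONNECTION_SPECIFIC:
                reasons.append(f"{name}: connection-specific field")
            elif name == "te" and value.strip().lower() != "trailers":
                reasons.append("te: only 'trailers' is allowed")
            continue
        if regular_started:
            reasons.append(f"{name}: pseudo-header after a regular field")
        if name not in REQUEST_PSEUDO:
            reasons.append(f"{name}: unknown request pseudo-header")
        elif name in pseudo:
            reasons.append(f"{name}: duplicated pseudo-header")
        else:
            pseudo[name] = value

    for required in (":method", ":scheme", ":path"):
        if required not in pseudo:
            reasons.append(f"{required}: missing")
    method = pseudo.get(":method", "")
    if ":method" in pseudo and not TOKEN.fullmatch(method):
        reasons.append(":method: not a valid token")
    if ":scheme" in pseudo and not SCHEME.fullmatch(pseudo[":scheme"]):
        reasons.append(":scheme: not a valid scheme")
    path = pseudo.get(":path")
    if path is not None:
        # A space or line break here would end up inside the HTTP/1.1 request line.
        if WHITESPACE.search(path):
            reasons.append(":path: whitespace would split the request line")
        if not (path.startswith("/") or (path == "*" and method == "OPTIONS")):
            reasons.append(":path: must start with '/' (or be '*' for OPTIONS)")
    authority = pseudo.get(":authority")
    if authority is not None and WHITESPACE.search(authority):
        reasons.append(":authority: whitespace in value")
    return reasons


def translate_to_http1(headers):
    """Build the HTTP/1.1 request head only for requests that pass validation."""
    reasons = validate_request_headers(headers)
    if reasons:
        raise ValueError("; ".join(reasons))
    pseudo = {n: v for n, v in headers if n.startswith(":")}
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1"]
    if ":authority" in pseudo:
        lines.append(f"Host: {pseudo[':authority']}")
    lines += [f"{n}: {v}" for n, v in headers if not n.startswith(":")]
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample requests (not captured traffic).
BASE = [(":method", "GET"), (":scheme", "https"), (":authority", "app.example")]
GOOD = BASE + [(":path", "/index.html"), ("accept", "*/*")]
EMBEDDED_H1 = BASE + [(":path", "/a HTTP/1.1\r\nx-added: 1")]
LONE_LF = [(":method", "GET\n"), (":scheme", "https"), (":path", "/")]
WITH_TE = GOOD + [("transfer-encoding", "chunked")]

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("embedded", EMBEDDED_H1),
                       ("lone LF", LONE_LF), ("TE", WITH_TE)]:
        print(label, validate_request_headers(req) or "accepted")
```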
1029397-2 : Tmm may crash with SIP-ALG deployment in a particular race condition
Links to More Info: BT1029397
Component: Service Provider
Symptoms:
Tmm crashes in SIP-ALG deployment, when lsn DB callback is returned from a different tmm, and the SIP connection has been lost on tmm where the REGISTER request arrived.
Conditions:
-- SIP-ALG is deployed
-- Processing of SIP REGISTER message at server side
-- lsn DB entry is mapped to a different tmm
Impact:
Traffic disrupted while tmm restarts
Workaround:
NA
Fix:
Tmm no longer crashes in this race condition
Fixed Versions:
14.1.4.6, 15.1.5
1026605-3 : When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes
Links to More Info: BT1026605
Component: Local Traffic Manager
Symptoms:
When bigd.mgmtroutecheck is enabled and monitors are configured in a non-default route-domain, bigd may calculate the interface index incorrectly. This can result in monitor probes improperly being denied when they egress a non-mgmt VLAN, or in monitor probes being allowed to egress the management interface.
Conditions:
-- Bigd.mgmtroutecheck is enabled.
-- Monitor probes in a non-default route domain
-- More than one VLAN configured in the route-domain
Impact:
Monitor probes may be denied even though they egress a non-mgmt VLAN.
Monitor probes may be improperly allowed out a mgmt interface.
/var/log/ltm:
err bigd.0[19431]: 01060126:3: Health check would route via mgmt port, node fc02:0:0:b::1%1. Check routing table.
bigd debug log:
:(_do_ping): probe denied; restricted egress device and route check [ tmm?=false td=true tr=false addr=fc02:0:0:b::1%1:0 srcaddr=none ]
Workaround:
Disable bigd.mgmtroutecheck, reduce the number of VLANs inside the route-domain
Fix:
The Bigd interface index is now calculated properly
Fixed Versions:
14.1.4.6
1026549-4 : Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd
Links to More Info: BT1026549
Component: TMOS
Symptoms:
For some BIG-IP Virtual Edition drivers, TMM may occasionally communicate an incorrect interface state change that might cause the interface to flap.
Conditions:
-- BIG-IP Virtual Edition using ixlv, ixvf, mlx5, or xnet drivers.
-- More TMMs and interfaces configured make this issue more likely to happen, but it happens randomly.
Impact:
In the case where the interface is part of a trunk a flap will occur when this happens.
There may be other as-yet unknown impacts for this issue.
Workaround:
Use a different VE driver than one of the ones listed above.
Fix:
BIG-IP Virtual Edition drivers no longer communicate incorrect interface states to mcpd.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1025529-3 : TMM generates core when iRule executes a nexthop command and SIP traffic is sent
Links to More Info: BT1025529
Component: Service Provider
Symptoms:
If an iRule uses the 'nexthop' command to select a VLAN for a virtual server, TMM may crash.
Conditions:
-- Virtual server with SIP profile and iRule that executes a 'nexthop' command
-- SIP network traffic occurs
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Avoid using 'nexthop vlan' in an iRule in a SIP environment.
Fix:
iRule creation does not cause any TMM core.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2.1
1024877-1 : Systemd[]: systemd-ask-password-serial.service failed.
Links to More Info: BT1024877
Component: TMOS
Symptoms:
After doing PXE installation with BIG-IP iso, you encounter an error in the dmesg log:
systemd-ask-password-serial.service failed
Conditions:
This occurs after performing a PXE install.
Impact:
This log message is cosmetic and can be safely ignored.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
14.1.4.4, 15.1.4.1
1024621-2 : Re-establishing BFD session might take longer than expected.
Links to More Info: BT1024621
Component: TMOS
Symptoms:
It might take a few minutes for a BFD session to come up. During this time you will notice session state transition multiple times between 'Admin Down' <-> 'Down'.
Conditions:
BFD peer trying to re-establish a session with BIG-IP, choosing ephemeral ports disaggregating to different TMMs.
Impact:
It might take a few minutes for a BFD session to come up.
Workaround:
Increasing the Tx/Rx timers minimizes the chance of hitting the problem (for example, 1000 TX/RX).
Fixed Versions:
14.1.4.6
1024553-3 : GTM Pool member set to monitor type "none" results in big3d: timed out
Links to More Info: BT1024553
Component: Global Traffic Manager (DNS)
Symptoms:
A pool member is marked down with a 'none' type monitor attached.
Conditions:
-- GTM pool member with a 'none' monitor configured
Impact:
Setting a pool member to have "none" monitor should result in a blue "checking" status but it may mark the pool member as down/unavailable.
Workaround:
NA.
Fixed Versions:
14.1.4.5, 15.1.5
1023993-2 : Brute Force is not blocking requests, even when auth failure happens multiple times
Component: Application Security Manager
Symptoms:
After brute force protection is configured, traffic sent with multiple Authorization headers in the request is not blocked when it is supposed to be.
Conditions:
When there is more than one Authorization header present in the requests.
Impact:
A brute force attack is possible using specially crafted requests with multiple Authorization headers, which bypass the brute force checks.
Workaround:
Enable "Illegal repeated header violation" and configure Authorization header repeated occurrence to disallow.
Fix:
ASM detects the brute force attempt with multiple Authorization headers in the request.
Fixed Versions:
14.1.4.6
1023437-4 : Buffer overflow during attack with large HTTP Headers
Component: Anomaly Detection Services
Symptoms:
When the HTTP Headers are larger than 1024 characters and one of the anomalous textual headers is located after the first 1024 characters, a buffer overflow might occur.
Conditions:
HTTP or TLS Signature protection is activated, and an anomalous request arrives during an attack.
Impact:
Most of the time this results in bad characters in the signature name; more rarely it results in a Memory Access Violation, which could be exploited as a buffer overflow attack.
Fix:
Enforce HTTP metadata size limit to be within the first 1024 characters of the HTTP Headers payload.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
1023341-3 : HSM hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, HSM interactions do not follow current best practices.
Conditions:
- HSM in use
Impact:
Certain HSM interactions do not follow current best practices.
Workaround:
N/A
Fix:
HSM interactions now follow current best practices.
Fixed Versions:
14.1.4.6, 16.1.1
1022637-3 : A partition other than /Common may fail to save the configuration to disk
Links to More Info: BT1022637
Component: TMOS
Symptoms:
A mismatch exists between the running-configuration (i.e. what is returned by "tmsh list ...") and the saved-configuration (i.e. what is stored in the flat configuration files) for a partition other than /Common, even though a "tmsh save config" operation was just performed (either by the user or as a result of a config-sync).
Conditions:
- One or more partitions other than /Common exist on the system.
- One or more of said partitions have no more configuration objects defined in them (i.e. are empty).
- A config save operation similar to "tmsh save sys config partitions { Common part1 [...] }" occurs, either manually initiated by an Administrator or as a result of a config-sync operation (in which case the device-group must be configured for manual synchronization).
Impact:
Should a BIG-IP Administrator notice the mismatch, the only immediate impact is confusion as to why the config save operation was not effective.
However, as the flat config files are now out-of-date, performing a config load operation on a unit in this state will resurrect old configuration objects that had been previously deleted.
On an Active unit, this may affect traffic handling. On a redundant pair, there is the risk that the resurrected objects may make it to the Active unit after a future config-sync operation.
Workaround:
If you notice the mismatch, you can resolve it by performing a config save operation for all partitions (i.e. "tmsh save sys config").
Fix:
Non /Common partitions now get saved to disk as intended.
Fixed Versions:
14.1.4.6, 15.1.5
1022269-3 : False positive RFC compliant violation
Links to More Info: BT1022269
Component: Application Security Manager
Symptoms:
False positive RFC compliant violation.
Conditions:
Authorization header with specific types.
Impact:
False positive violations.
Workaround:
Turn on an internal parameter:
/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1
Fix:
Added tolerance to the authorization headers parser.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.2
1021485-1 : VDI desktops and apps freeze with Vmware and Citrix intermittently
Links to More Info: BT1021485
Component: Access Policy Manager
Symptoms:
VMware VDI:
Blank screen is seen while opening remote desktop when VDI is configured with VMware.
Citrix:
Desktop freezes immediately after opening remote desktop when VDI is configured with Citrix.
Conditions:
VMware VDI:
-- VDI is configured with VMware
-- Desktop or App is launched using native client from Webtop.
wait till 2X inactivity timeout if inactivity timeout
Citrix:
-- VDI is configured with Citrix
-- Desktop or App is launched using native client from Webtop.
-- Configure Inactivity timeout to 0.
Impact:
VDI desktops freeze while opening or immediately after opening.
The following error is seen in APM logs:
"Session stats update failed: ERR_NOT_FOUND"
Workaround:
No
Fix:
Users should not experience any intermittent desktop freeze.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1021417-4 : Modifying GTM pool members with replace-all-with results in pool members with order 0
Links to More Info: BT1021417
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM pool has multiple members with order 0.
Conditions:
The pool members specified with the replace-all-with command overlap with the pool members to be replaced.
Impact:
Multiple pool members have the same order.
Workaround:
Perform this procedure:
1. Delete all pool members from the GTM pool.
2. Use replace-all-with.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1021061-2 : Config fails to load for large config on platform with Platform FIPS license enabled
Links to More Info: BT1021061
Component: Global Traffic Manager (DNS)
Symptoms:
Config fails to load.
Conditions:
-- Platforms with Platform FIPS license enabled.
-- There are several ways to encounter this. One is with a large GTM (DNS) configuration that requires extending the gtmd stats file.
Impact:
Config file fails to load. For the gtmd configuration, gtmd repeatedly logs error messages similar to:
err gtmd[14954]: 011af002:3: TMSTAT error 'Invalid argument' creating row '/Common/vs_45_53' in table 'gtm_vs_stat'
For merged daemon, reports messages similar to:
err merged[9166]: 011b0900:3: TMSTAT error tmstat_row_create: Invalid argument.
Workaround:
None
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
1020941-3 : HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags
Links to More Info: BT1020941
Component: Local Traffic Manager
Symptoms:
HTTP/2 request fails with COMPRESSION_ERROR.
Conditions:
HTTP/2 header frames are received in multiple xfrags in such a way that the first 2 bytes of 'encoded' header-field 'value-length' are the last 2 bytes of the xfrag, and the remaining bytes are in the next xfrag.
Impact:
The header value length is incorrectly updated, and the HTTP/2 request fails.
Workaround:
None
Fix:
HTTP/2 now parses the request, regardless of its xfrags distribution.
Fixed Versions:
14.1.4.5, 15.1.4
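For ID 1020941 above, the condition is an HPACK string-length integer (RFC 7541 section 5.1) whose bytes straddle two buffers. The added sketch below, which is not BIG-IP code, shows a decoder that keeps its state between fragments so the split point does not change the result; the class and function names, the length cap and the sample bytes are assumptions, and only non-Huffman literals are handled.

```python
class HpackIntDecoder:
    """Resumable decoder for one HPACK integer (RFC 7541 section 5.1)."""

    MAX_VALUE = 1 << 24  # assumed upper bound on a header string length

    def __init__(self, prefix_bits):
        if not 1 <= prefix_bits <= 8:
            raise ValueError("prefix must be 1..8 bits")
        self.prefix_max = (1 << prefix_bits) - 1
        self.value = None   # None until the prefix byte has been seen
        self.shift = 0
        self.done = False

    def feed(self, data):
        """Consume bytes from data; return (value or None, bytes_consumed).
        value stays None while continuation bytes are still outstanding."""
        consumed = 0
        for byte in data:
            if self.done:
                break
            consumed += 1
            if self.value is None:
                self.value = byte & self.prefix_max
                self.done = self.value < self.prefix_max
                continue
            self.value += (byte & 0x7F) << self.shift
            self.shift += 7
            if self.value > self.MAX_VALUE:
                raise ValueError("HPACK integer exceeds limit")
            self.done = not (byte & 0x80)
        return (self.value if self.done else None), consumed


def read_string_literal(fragments):
    """Reassemble one non-Huffman HPACK string literal delivered in fragments."""
    decoder = HpackIntDecoder(7)
    length = None
    body = bytearray()
    for frag in fragments:
        pos = 0
        if length is None:
            if decoder.value is None and frag and frag[0] & 0x80:
                raise NotImplementedError("Huffman-coded literal")
            length, pos = decoder.feed(frag)
            if length is None:
                continue  # length bytes continue in the next fragment
        body += frag[pos:pos + (length - len(body))]
    if length is None or len(body) < length:
        raise ValueError("truncated string literal")
    return bytes(body)


# Constructed sample: a 1000-byte value. With a 7-bit prefix its length is
# encoded as 0x7f 0xe9 0x06 (127 + 105 + 6 * 128 = 1000).
VALUE = b"v" * 1000
ENCODED = bytes([0x7F, 0xE9, 0x06]) + VALUE

if __name__ == "__main__":
    # First two length bytes end one fragment, the rest starts the next.
    print(len(read_string_literal([ENCODED[:2], ENCODED[2:]])))
```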
1020789-2 : Cannot deploy a four-core vCMP guest if the remaining cores are in use.
Links to More Info: BT1020789
Component: TMOS
Symptoms:
When trying to deploy a vCMP guest on an i11800 vCMP host using four or more cores while all of the other cores are in use, the following error message may be seen:
err mcpd[<pid>]: 0107131f:3: Could not allocate vCMP guest (<guest_name>) because fragmented resources
--------------------------------------------------
A similar issue has been raised for allocation failure of 8-core guests:
When trying to deploy an eight-core guest on an i11800 vCMP host where four 2 cores are in use, the following error message may be seen:
0107131f:3: Could not allocate vCMP guest (guest-8cores-A) because fragmented resources
Conditions:
-- vCMP provisioned and all or most cores are in use.
-- Attempt to deploy a guest.
This is more likely to occur with vCMP guests that use four or more cores.
Impact:
All of the available cores cannot be used.
Workaround:
You may be able to work around this by deploying the largest guests first, then any remaining 2-core guests.
There is currently no other fix.
Fix:
N/A
Fixed Versions:
14.1.4.6
1020717-2 : Policy versions cleanup process sometimes removes newer versions
Component: Application Security Manager
Symptoms:
The policy versions cleanup process sometimes removes versions in incorrect order. Newer versions are removed while older versions are preserved.
Conditions:
"maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg" has very low value.
Impact:
Newer versions are removed.
Workaround:
Increase the value of the "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg".
Fixed Versions:
14.1.4.6
1020705-3 : "tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead of "attack_type_name"
Links to More Info: BT1020705
Component: Application Visibility and Reporting
Symptoms:
The output of the "tmsh show analytics dos-l3 report view-by attack-id" command has changed from version 13.x to 15.x. "Attack type" was removed from the system, so it was automatically replaced by the first metric, "allowed-requests-per-second". For DOS L3, "Attack type" was replaced by "Vector Name", but it currently is not shown in the report along with "Attack ID".
Conditions:
AFM is provisioned
Impact:
This change might cause scripts to fail if they use the name of the field.
Workaround:
1) Edit the /etc/avr/monpd/monp_dosl3_entities.cfg file. Change the [dosl3_attack_id] section as follows: add 'vector_name' to the measures list and add an additional parameter, 'default_measure', as specified below:
[dosl3_attack_id]
...
measures=allowed_requests_per_sec,count,drop_per_sec,drop_count,total_per_sec,total_count,attacks_count,attack_type_name,category_name,vip_name,period,vector_name
default_measure=vector_name
...
2) Edit the /etc/avr/monpd/monp_dosl3_measures.cfg file. Add the following section at the end:
[vector_name]
id=vector_crc
formula=IF(count(distinct FACT.vector_crc)>1,'Aggregated',attack_vector_str)
merge_formula=IF(count(distinct vector_name)>1,'Aggregated',vector_name)
dim=AVR_DIM_DOS_VIS_ATTACKS_VECTOR
dim_id=attack_vector_crc
tmsh_display_name=vector-name
display_name=Vector
comulative=false
priority=65
3) Restart the BIG-IP system: bigstart restart
After the system is up you can apply the same tmsh command: "tmsh show analytics dos-l3 report view-by attack-id"
You will get a result similar to 13.x. Note that "attack_type_name" is replaced by "vector-name"
Fix:
Workaround applied as fix.
Fixed Versions:
14.1.4.4, 15.1.3.1, 16.1.2
1020349-1 : APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL
Links to More Info: BT1020349
Component: Access Policy Manager
Symptoms:
APM daemon (apmd) crashes and a coredump is created at '/var/core/'
Conditions:
-- Configure On-Demand Cert Auth with any Auth Mode 'Request/Require'
-- Configure AAA CRLDP
Impact:
All CRLDP based authentications fail.
Workaround:
None
Fix:
The system now handles this condition.
Fixed Versions:
14.1.4.4
1019853-3 : Some signatures are not matched under specific conditions
Links to More Info: K30911244, BT1019853
Component: Application Security Manager
Symptoms:
Some signatures are not matched, so attacking traffic may pass through.
Conditions:
- Undisclosed signature conditions
Impact:
Attacking traffic can bypass the WAF.
Workaround:
N/A
Fix:
Signatures are now matched as expected.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1019613-2 : Unknown subscriber in PBA deployment may cause CPU spike
Links to More Info: BT1019613
Component: Carrier-Grade NAT
Symptoms:
In a PBA deployment, a CPU spike may be observed if the subscriber-id log is enabled and the subscriber-id is unknown.
Conditions:
-- PBA configuration
-- Address translation persistent is enabled
-- Subscriber-id log is enabled
-- There is an unknown subscriber
Impact:
Overall system capacity reduces.
Workaround:
Disable subscriber-id logging.
Fix:
Unknown subscriber in PBA deployment no longer causes a CPU spike.
Fixed Versions:
14.1.4.6
1019161-5 : Windows installer (VPN through browser components installer) as administrator user uses temporary folder to create files★
Component: Access Policy Manager
Symptoms:
- A privileged process creates folders with user permission during installation.
Conditions:
- Downloading VPN components while connecting to VS for the first time from browser.
Impact:
- No functional impact.
Workaround:
- Download and install web based VPN components using BIG-IP components installer page.
Fix:
- Ensured that folder is created with administrator privileges.
Fixed Versions:
14.1.4.6
1019085-2 : Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file.★
Links to More Info: BT1019085
Component: TMOS
Symptoms:
Network virtual-addresses default to "arp disabled" and "icmp-echo disabled". However, a BIG-IP Administrator can change these settings to "enabled", if required.
Either following a software upgrade or a reload of the configuration from file, network virtual-addresses that had previously been set to "icmp-echo enabled" revert to the default of "icmp-echo disabled".
Conditions:
- One or more network virtual-addresses configured with "icmp-echo enabled".
- A software upgrade or reload of the configuration from file occurs (for example, taking and restoring a UCS archive, removing the mcpd binary database and reloading the config, etc.).
Impact:
Traffic failures can occur as a result of the affected network virtual-addresses not being presented to the surrounding network as originally intended by the BIG-IP Administrator.
Workaround:
Manually configure the affected virtual-addresses to "icmp-echo enabled" again. This workaround is not permanent, and the issue will occur again in the future given the right conditions.
Fix:
Network virtual-addresses no longer lose the "icmp-echo enabled" property.
Fixed Versions:
14.1.4.6
1019081-2 : HTTP/2 hardening
Links to More Info: K97045220, BT1019081
Component: Local Traffic Manager
Symptoms:
Under certain conditions, the HTTP/2 profile does not follow current best practices.
Conditions:
- HTTP/2 profile enabled
Impact:
The HTTP/2 profile does not follow current best practices.
Workaround:
N/A
Fix:
TMM now processes HTTP/2 traffic as expected
Fixed Versions:
14.1.4.5, 15.1.3.1
1018613-4 : Modifying wideip pools with replace-all-with results in pools with the same order 0
Links to More Info: BT1018613
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wideip pools have the order 0.
Conditions:
The pools specified with the replace-all-with command overlap with the pools to be replaced.
Impact:
iQuery flapping between GTMs.
Workaround:
First delete all pools from the wideip and then use replace-all-with.
Fixed Versions:
14.1.4.6
1018577-2 : SASP monitor does not mark pool member with same IP Address but different Port from another pool member
Links to More Info: BT1018577
Component: Local Traffic Manager
Symptoms:
When the LTM SASP monitor is applied to a pool with multiple members having the same IP Address but different Ports, only one of the pool members with the duplicated IP Address will be monitored (marked UP or DOWN as appropriate). Other pool members sharing the same IP Address will remain in a 'checking' state.
Conditions:
This occurs when using the SASP monitor in a pool with multiple members having the same IP Address but different Ports.
For example:
ltm pool sasp_test_pool {
    members {
        sasp_1:80 {
            address 10.10.10.1
        }
        sasp_1:8080 {
            address 10.10.10.1
        }
        sasp_2:80 {
            address 10.10.10.2
        }
        sasp_2:8080 {
            address 10.10.10.2
        }
    }
    monitor sasp_test
}
In this case, only one pool member with a given IP Address will be correctly monitored by the sasp monitor.
Any additional pool members with the same IP Address but different port will not be monitored by the SASP monitor and will remain in a 'checking' state.
Impact:
Not all pool members may be effectively/accurately monitored by the SASP monitor.
Fix:
The ltm sasp monitor correctly monitors members of a pool which share the same IP Address but different Ports.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1018493-3 : Response code 304 from TMM Cache always closes TCP connection.
Links to More Info: BT1018493
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured to accelerate HTTP traffic, it caches responses with 200 and 304 response codes. Serving a response with "304 Not Modified" code, TMM may close a connection to a client.
Conditions:
-- A virtual server has a web-acceleration profile (without a web application for versions prior to 16.0.0).
-- A response with code 304, stored in TMM cache, is served to a request.
Impact:
A client needs to open a new TCP connection every time a response with "304 Not Modified" code is served.
Fix:
TMM correctly serves a response with "304 Not Modified" code and correctly handles the TCP connection status.
Fixed Versions:
14.1.4.5, 15.1.4, 16.1.2
1017645-3 : False positive HTTP compliance violation
Links to More Info: BT1017645
Component: Application Security Manager
Symptoms:
False-positive HTTP compliance violation.
Conditions:
Authorization header with bearer token and/or some other authorization header types.
Impact:
False-positive traffic blocking.
Workaround:
Turn on an internal parameter by entering the following command from the BIG-IP CLI:
/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1
Then restart ASM for this to take effect:
bigstart restart asm
Fix:
The RFC compliance violation is no longer issued for unknown types of authorization headers.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
1017533-1 : Using TMC might cause virtual server vlans-enabled configuration to be ignored
Links to More Info: BT1017533
Component: Local Traffic Manager
Symptoms:
When switching between traffic-matching-criteria (TMC) and regular virtual-server configuration, the vlans-enabled option might be ignored, causing unexpected traffic handling.
Conditions:
Changing virtual-server configuration when using traffic-matching-criteria.
Impact:
Unexpected traffic handling and disruption
Workaround:
Avoid using TMC (port lists and address lists). When in a 'faulty' state, you can try changing vlan-enabled on the virtual server and then changing it back; you might need to clear existing connections afterwards.
See the following articles:
K53851362: Displaying and deleting BIG-IP connection table entries from the command line
K52091701: Handling Connections that have been matched to the wrong Virtual Server.
Fixed Versions:
14.1.4.6
1017513-2 : Config sync fails with error Invalid monitor rule instance identifier
Links to More Info: BT1017513
Component: Local Traffic Manager
Symptoms:
If you remove or attach a different monitor to an fqdn pool, then perform a full config-sync, an error occurs:
Load failed from /Common/bigip1 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 58.
Conditions:
-- BIG-IP device is configured with fqdn nodes/pools with monitors.
-- Modify an fqdn pool to remove or attach a different monitor.
-- Run the command: run cm config-sync to-group Failover
-- Perform a full config-sync.
Impact:
Sync to the peer device(s) fails.
Workaround:
Use incremental-sync.
Fixed Versions:
14.1.4.5, 16.1.2.1
1017153-1 : Asmlogd suddenly deletes all request log protobuf files and records from the database.
Links to More Info: BT1017153
Component: Application Security Manager
Symptoms:
Asmlogd suddenly deletes all request log protobuf files and records from the database.
Additionally, after the deletion happens, newly generated event logs seen in database do not show up in TMUI.
Conditions:
-- ASM provisioned
-- Config-sync setup, with frequent sync recovery and/or with a manual-sync device-group with ASM sync enabled.
Impact:
Sudden loss of request logs.
Workaround:
Delete all empty partitions and restart asmlogd.
1) View all the partitions:
# perl -MF5::Db::Partition -MData::Dumper -MF5::DbUtils -e 'print Dumper(F5::Db::Partition::retrieve_partitions_info(dbh => F5::DbUtils::get_dbh(), table_name => "PRX.REQUEST_LOG"))'
Take note of the 'PARTITION_NAME' and 'TABLE_ROWS' for each partition.
2) For every partition_X (in PARTITION_NAME) with '0' in TABLE_ROWS, delete it by:
# perl -MF5::Db::Partition -MF5::DbUtils -e 'F5::Db::Partition::delete_partition(dbh => F5::DbUtils::get_dbh(), table_name => "PRX.REQUEST_LOG", partition_name => "partition_X")'
3) If any partitions were deleted, restart asmlogd after all deletions are done:
# pkill -f asmlogd
NOTE: This workaround is temporary: empty partitions will accumulate again and the same issue will recur. The maximum number of partitions is 100. Thus, it is advised to monitor the total number of *empty* partitions and repeat the workaround periodically. A cron script should work well. Normally, empty partitions should NOT accumulate. Thus, it is safe to run this script once an hour and remove all empty partitions.
Optionally, if you are having the TMUI issue with newly generated event logs, run the additional command below to delete rows from PRX.REQUEST_LOG_PROPERTIES for which no corresponding rows exist in PRX.REQUEST_LOG.
# mysql -t -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'delete from PRX.REQUEST_LOG_PROPERTIES where request_log_id > (select id from PRX.REQUEST_LOG order by id desc limit 1)'
Fix:
Upgrading to a fixed software version will not delete accumulated partitions and will not clear the symptom. The fix prevents ASM from accumulating partitions unnecessarily in the scenarios described.
If your ASM system is experiencing this and partitions have accumulated, perform the workaround to clear the symptom. With a fixed software version, you only need to perform the workaround once. You no longer have to perform it periodically.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1016657-4 : TMM may crash while processing LSN traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing LSN traffic
Conditions:
- LSN listener enabled
- Packet filtering enabled
Impact:
TMM crash leading to a failover event
Workaround:
N/A
Fix:
TMM now processes LSN traffic as expected
Fixed Versions:
14.1.4.6
1016449-1 : After certain configuration tasks are performed, TMM may run with stale Self IP parameters.
Links to More Info: BT1016449
Component: Local Traffic Manager
Symptoms:
A Self IP instantiated by performing specific configuration tasks (see Conditions) does not work (e.g. the system does not respond to ARP requests for it).
Instead, the system continues to use (e.g. respond to ARP requests for) an old version of the Self IP specifying a different address.
Conditions:
This issue is known to occur when one of the following operations is performed:
- Restoring a UCS or SCF archive in which a Self IP with a specific name specifies a different address.
- Performing a config-sync between redundant units in which the sender changes a Self IP with a specific name to use a different address. For example:
tmsh delete net self <name>
tmsh create net self <name> address <new_address> ...
tmsh run cm config-sync to-group ...
- Performing specific tmsh CLI transactions involving Self IP modifications.
Impact:
The system does not utilise the configured Self IP address. Traffic will be impacted as a result (for example, in connections to the unit, in snat automap, etc.).
Workaround:
Restart TMM (bigstart restart tmm) on affected units.
Fix:
TMM now correctly handles supported Self IP address modifications.
Fixed Versions:
14.1.4.6
1016441-2 : RFC Enforcement Hardening
Component: Local Traffic Manager
Symptoms:
When the HTTP profile RFC Enforcement Flag is enabled, certain non-RFC compliant headers are still allowed.
Conditions:
- Virtual Server with HTTP profile.
- RFC Enforcement Flag enabled.
- HTTP request with non-RFC compliant headers.
Impact:
Non-RFC compliant headers passed to server.
Workaround:
N/A
Fix:
BIG-IP will drop non-RFC compliant HTTP requests when the RFC compliance flag is ON.
Fixed Versions:
14.1.4.6
1016049-3 : EDNS query with CSUBNET dropped by protocol inspection
Links to More Info: BT1016049
Component: Local Traffic Manager
Symptoms:
An EDNS query might be dropped by protocol inspection with an error log in /var/log/ltm similar to:
info tmm[21575]: 23003139 SECURITYLOG Drop sip:192.168.0.0 sport:64869 dip:1.1.1.1 dport:53 query:test.f5.com qtype:malformed attack:malformed
Conditions:
Query containing CSUBNET option.
Impact:
Some queries might fail.
Fixed Versions:
14.1.4.6
1015209-1 : Memory may be leaked when handling chunked responses
Links to More Info: BT1015209
Component: Local Traffic Manager
Symptoms:
Memory leak may occur while handling chunked responses.
Conditions:
1. HTTP virtual server with traffic processing that causes the response to be unchunked/rechunked.
2. Make a request for a document through the virtual server that results in a chunked response from the server.
Impact:
Memory use rises over time and does not return to original level.
Workaround:
None
Fixed Versions:
14.1.4.4
1015201-1 : HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted.
Links to More Info: BT1015201
Component: Local Traffic Manager
Symptoms:
The HTTP unchunking satellite leaks ERR_MORE_DATA when processing payload. This error code is then returned to other filters (like PLUGIN), which abort the connection due to this unexpected error.
Conditions:
Virtual server with HTTP, compression and NTLM profiles.
Impact:
Connection is aborted
Fix:
HTTP unchunking satellite no longer leaks ERR_MORE_DATA.
Connection is not aborted and response is received by the client.
Fixed Versions:
14.1.4.4, 15.1.5
1015161-3 : Ephemeral pool member may not be created when FQDN resolves to address that matches static node
Links to More Info: BT1015161
Component: Local Traffic Manager
Symptoms:
An ephemeral pool member may not be created if the FQDN name resolves to a new IP address that matches an existing statically-configured node.
When this occurs, a message like the following appears in the LTM log:
err mcpd[4498]: 01070734:3: Configuration error: node (/Common/_auto_10.10.120.12) not found.
Note that the node name in the message is the expected name of an ephemeral node created for this address, not the actual name of the statically-configured node with that IP address.
Conditions:
This may occur if:
-- The FQDN node and pool member are created with the "autopopulate enabled" option.
-- The FQDN name resolves to more than one IP address.
-- One of these IP addresses was not included in the previous DNS query result.
-- There is a statically-configured node with the same IP address.
Impact:
An ephemeral pool member is not created for the IP address newly included in the DNS query result. This results in traffic not being load-balanced to all of the expected pool members.
Workaround:
Use one of the following methods to prevent this issue from occurring:
-- Avoid creating statically-configured nodes using the same IP addresses returned by resolution of configured node/pool member FQDN names.
-- Configure the FQDN pool member with "autopopulate disabled" (default), which creates only a single ephemeral pool member.
Perform this sequence of actions to recover from an occurrence of this issue:
1. Remove any pool members referencing the conflicting IP address(es) from their respective pool(s).
2. Delete the statically-configured node(s) using the conflicting IP address(es).
3. Add any pool members referencing the conflicting IP address(es) back to their respective pool(s).
Fix:
Ephemeral pool members are successfully created when the corresponding FQDN name resolves to one or more new IP addresses that conflict with statically-configured nodes.
Fixed Versions:
14.1.4.5
1015133-2 : Tail loss can cause TCP TLP to retransmit slowly.
Links to More Info: BT1015133
Component: Local Traffic Manager
Symptoms:
If a long tail loss occurs during transmission, TCP might be slow to recover.
Conditions:
-- A virtual server is configured with the TCP profile attached.
-- SACK and TLP are enabled.
-- A tail loss of multiple packets sent by the BIG-IP occurs.
Impact:
BIG-IP retransmits one packet per RTT, causing a long recovery. The impact is more pronounced if an entire window is lost.
Workaround:
Disabling TLP may improve performance in this particular case, but may degrade performance in other situations.
Fix:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.
Behavior Change:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
1015093-4 : The "iq" column is missing from the ndal_tx_stats table
Links to More Info: BT1015093
Component: TMOS
Symptoms:
When viewing the ndal_tx_stats statistics table, the "iq" column is not present.
Conditions:
-- BIG-IP Virtual Edition.
-- Viewing statistics tables.
Impact:
Missing statistic; less information available.
Fixed Versions:
14.1.4.5, 15.1.4.1
1013145-3 : APM Hardening
Links to More Info: K32734107
1012721-2 : Tmm may crash with SIP-ALG deployment in a particular race condition
Links to More Info: BT1012721
Component: Service Provider
Symptoms:
Tmm crashes in SIP-ALG deployment
Conditions:
-- SIP-ALG is deployed.
-- The first SIP REGISTER is being processed on the server side.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm no longer crashes in this race condition
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.1
1012521-4 : BIG-IP UI file permissions
Links to More Info: BT1012521
Component: Advanced Firewall Manager
Symptoms:
Some GUI files have incorrect permission settings.
Conditions:
Files installed by the security-ui rpm.
Impact:
File permissions are incorrect.
Fix:
Installation script updated to set permissions to remove write privileges for the Group and User level
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
1012221-3 : Message: childInheritanceStatus is not compatible with parentInheritanceStatus★
Links to More Info: BT1012221
Component: Application Security Manager
Symptoms:
The BIG-IP system is unable to deploy a revision of upgraded child policies and you see an error:
Failed pushing changed objects to device <device>: Could not update the Section 'Threat Campaigns'. childInheritanceStatus is not compatible with parentInheritanceStatus.
Conditions:
-- An ASM Child Policy is present on the BIG-IP device in a version earlier than 14.0.0
-- The BIG-IP system is upgraded to version 14.0.0 or later
Impact:
This corruption impacts BIG-IQ interactions with the Child Policy and causes exported Child Policies to be incorrect.
Workaround:
After upgrading, perform the following:
1. Log into the BIG-IP Configuration Utility
2. Go to Security :: Application Security :: Security Policies :: Policies List
3. Select the first Parent Policy
4. Go to Inheritance settings and change Threat Campaigns from None to Optional
5. Click Save Changes
6. Change Threat Campaigns from Optional back to None
7. Click Save Changes
8. Click Apply
9. Repeat steps 3-8 for each additional Parent Policy
Fixed Versions:
14.1.4.6
1011285-3 : The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects.
Links to More Info: BT1011285
Component: Global Traffic Manager (DNS)
Symptoms:
If you attempt a POST or PATCH iControl REST request against a wide IP, and you include an empty 'lastResortPool' property in the JSON body, the system rejects the request as invalid and returns the following validation error:
{
"code": 400,
"message": "\"last-resort-pool\" requires a value",
"errorStack": [],
"apiError": 26214401
}
Conditions:
A POST or PATCH command against a wide IP object includes an empty lastResortPool property.
Impact:
Inability to create or modify the wide IP object.
Workaround:
You can use either of the following, depending on what you want to do:
-- To create a new wide IP object, remove the empty 'lastResortPool' property from the JSON body.
-- To remove the last-resort-pool from an already existing wide IP, define the property as follows instead:
"lastResortPool":"none"
Fixed Versions:
14.1.4.6, 15.1.5
1011069-4 : Group/User R/W permissions should be changed for .pid and .cfg files.
Component: Application Security Manager
Symptoms:
The following files should be set with lower permissions:
/etc/ts/dcc/dcc.cfg (-rw-rw--w-)
/run/asmcsd.pid (-rw-rw--w-)
/run/bd.pid (-rw-rw--w-)
/run/dcc.pid (-rw-rw--w-)
/run/pabnagd.pid (-rw-rw--w-)
Conditions:
Always
Impact:
Incorrect file permissions.
Workaround:
chmod 664 <files_list>
Fix:
The corrected permissions 664 are applied to the given list of files.
Fixed Versions:
14.1.4.6
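An added example, not F5's own tooling: a POSIX shell audit for the files listed in ID 1011069 above. It flags any file writable by "other" (the listed mode -rw-rw--w- is octal 662) and applies the entry's chmod 664 workaround only where needed. The paths and the 664 mode come from the entry; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not F5 tooling): audit the files named in ID 1011069.
# Paths and the 664 target mode come from the entry; function names are
# assumptions of this example.

ASM_FILES="/etc/ts/dcc/dcc.cfg /run/asmcsd.pid /run/bd.pid /run/dcc.pid /run/pabnagd.pid"

# Print the 10-character mode field of FILE as ls shows it, e.g. -rw-rw--w-
# (cut drops the trailing "." or "+" that an SELinux/ACL-aware ls may append).
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# Succeed when the mode string grants write access to "other" (character 9).
other_writable() {
    case "$1" in
        ????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Convert the rwx part of a mode string to three octal digits.
# setuid/setgid/sticky bits are not reported; only r, w and x are evaluated.
mode_octal() {
    _o=""
    for _start in 2 5 8; do
        _t=$(printf '%s' "$1" | cut -c"$_start"-"$((_start + 2))")
        _n=0
        case "$_t" in r??) _n=$((_n + 4)) ;; esac
        case "$_t" in ?w?) _n=$((_n + 2)) ;; esac
        case "$_t" in ??[xst]) _n=$((_n + 1)) ;; esac
        _o="$_o$_n"
    done
    printf '%s\n' "$_o"
}

# Audit each FILE and print "path mode octal status".
# Returns 1 if any file is writable by "other"; missing files are reported
# but do not count as findings.
audit_files() {
    _findings=0
    for _f in "$@"; do
        if [ ! -e "$_f" ]; then
            printf '%s - - MISSING\n' "$_f"
            continue
        fi
        _m=$(mode_string "$_f")
        if other_writable "$_m"; then
            _status="OTHER-WRITABLE"
            _findings=1
        else
            _status="OK"
        fi
        printf '%s %s %s %s\n' "$_f" "$_m" "$(mode_octal "$_m")" "$_status"
    done
    [ "$_findings" -eq 0 ]
}

# Apply the entry's workaround (chmod 664), but only to files that are
# actually writable by "other", and report each change.
apply_workaround() {
    for _f in "$@"; do
        if [ -e "$_f" ] && other_writable "$(mode_string "$_f")"; then
            chmod 664 -- "$_f" && printf 'fixed %s\n' "$_f"
        fi
    done
}

# Stand-alone use: audit the paths given as arguments, or the entry's list.
if [ "$#" -eq 0 ]; then
    set -- $ASM_FILES
fi
if audit_files "$@"; then
    echo "No other-writable files found."
else
    echo "Other-writable files found; apply_workaround sets them to 664." >&2
fi
```

Mode 664 removes the write bit for "other" and grants it read access, so files previously at 662 become world-readable but no longer world-writable.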
1011061-1 : Certain attack signatures may not match in multipart content
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM may not correctly detect attack signatures.
Conditions:
- ASM provisioned
- Request contains a specially-crafted multipart body
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1010393-3 : Unable to relax AS-path attribute in multi-path selection
Links to More Info: BT1010393
Component: TMOS
Symptoms:
In BIG-IP versions where ID933461 (https://cdn.f5.com/product/bugtracker/ID933461.html) is fixed, you are unable to relax AS-path attribute in multi-path selections.
Conditions:
BGP multi-path routes with different AS_PATH attributes.
Impact:
Some routes might not be considered as multipath. ECMP routes are not installed properly.
Workaround:
Consider using 'bgp bestpath as-path ignore' or alter the AS_PATH attribute upstream.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
1009949-1 : High CPU usage when upgrading from previous version★
Links to More Info: BT1009949
Component: TMOS
Symptoms:
When upgrading from version 12.x to 14.1.4, ospfd has high CPU utilization.
Conditions:
-- OSPF is enabled.
-- The BIG-IP system is upgraded from 12.x to 14.1.4.
Impact:
Performance Impact.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
1009161 : SSL mirroring protect for null sessions
Links to More Info: BT1009161
Component: Local Traffic Manager
Symptoms:
Possible tmm crash during ssl handshake with connection mirroring enabled.
Conditions:
Version 14.1 after the changes for ID760406 were applied, and the SSL handshake is dropped during the SSL handshake session state.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable connection mirroring
Fix:
Prevents a possible crash on SSL connection mirroring in 14.1.
Fixed Versions:
14.1.4.5
1009133 : BIG-IP vCMP guests that have HA Groups configured to include trunk scoring may fail to upgrade properly★
Links to More Info: BT1009133
Component: TMOS
Symptoms:
BIG-IP vCMP guests with high availability (HA) Groups that include scoring of trunk members are unable to upgrade.
After rebooting into the new software version, the system will report errors similar to the following when loading the configuration:
Loading configuration...
Loading schema version: 13.1.3.4
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
Loading schema version: 14.1.4.1
010712a5:3: Ha_group <HA group name> unknown trunk <trunk name>.
Unexpected Error: Loading configuration process failed.
Conditions:
-- vCMP guest using HA Groups that include scoring of trunk members.
-- Upgrading to an affected version, or loading a UCS file on an affected version.
Impact:
Unable to upgrade.
Workaround:
-- Before upgrading vCMP guest to an affected version, remove all trunks from the HA Group. This should be done on the standby unit first to prevent a failover. The trunks can then be re-added to the HA Group after the upgrade.
-- If already booted into an affected version, edit the /config/bigip_base.conf to add a line like the following declaring the trunk exists, and reload the configuration or reboot:
net trunk <trunk name> { }
Fix:
BIG-IP vCMP guests that have HA Groups configured to include trunk scoring now upgrade properly.
Fixed Versions:
14.1.4.2
1009049-6 : browser based vpn did not follow best practices while logging.★
Component: Access Policy Manager
Symptoms:
Sensitive information is visible in logs in case of an upgrade.
Conditions:
-- Auto upgrade is enabled on BIG-IP.
-- Browser-based VPN components are auto-updated while establishing a VPN connection.
Impact:
Sensitive information could be misused to establish a VPN connection.
Workaround:
Disable auto upgrade on BIG-IP and install manually using an installer.
Fix:
The sensitive information is masked during upgrade.
Fixed Versions:
14.1.4.6
1009037-4 : Tcl resume on invalid connection flow can cause tmm crash
Links to More Info: BT1009037
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm crashes.
Tmm logs contain a line that looks like: "Oops @ 0x2bbd463:139: Unallocated flow while polling for rule work. Skipping."
Conditions:
1) iRule uses a function that may suspend iRule processing (see https://support.f5.com/csp/article/K12962 for more about this).
2) The connflow associated with the iRule is being torn down by tmm.
3) Depending upon the exact timing there is a rare chance that the iRule will resume on the wrong connflow which can cause a core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1008837-3 : Control plane is sluggish when mcpd processes a query for virtual server and address statistics
Links to More Info: BT1008837
Component: TMOS
Symptoms:
When there are thousands of rows in the virtual_server_stat table and mcpd receives a query for all virtual server or virtual address statistics, mcpd can take a long time to process the request.
There might be thousands of rows if thousands of virtual servers are configured.
There could also be thousands of rows if there are virtual servers configured for source or destination address lists, where those lists contain tens or hundreds of addresses.
Conditions:
-- Thousands of virtual_server_stat rows.
-- mcpd processes a query_stats request for the virtual_server_stat table.
Impact:
When mcpd is processing a query for virtual server statistics:
-- TMSH and GUI access is very slow or non-responsive.
-- SNMP requests time out.
-- mcpd CPU usage is high.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4
1008501-4 : TMM core
Links to More Info: BT1008501
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
Transparent monitors monitoring a virtual server's IP address.
Note: Although this is the current understanding of the issue, it is not clear whether this is a true requirement for the issue to occur.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
14.1.4.6
1008269-4 : Error: out of stack space
Links to More Info: BT1008269
Component: TMOS
Symptoms:
When polling for profile statistics via iControl REST, the BIG-IP system returns an error:
Error: out of stack space
Conditions:
Polling stats via iControl REST.
Impact:
You are intermittently unable to get stats via iControl REST.
Workaround:
None
Fixed Versions:
14.1.4.6
1008265-4 : DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond★
Component: Advanced Firewall Manager
Symptoms:
DoS Flood and Sweep vector states are disabled after upgrade.
Conditions:
DoS Flood and Sweep vectors are enabled prior to an upgrade to software release 14.x and beyond.
Impact:
DoS Flood and Sweep vector states are disabled. System is susceptible to a DoS attack.
Workaround:
Reset the DoS Flood and Sweep vectors to their previous state.
Fix:
Removed the default disabled state from the upgrade scripts so that both vectors are restored to their previously configured state.
Fixed Versions:
14.1.4.6
1008017-1 : Validation failure on Enforce TLS Requirements and TLS Renegotiation
Links to More Info: BT1008017
Component: Local Traffic Manager
Symptoms:
The configuration load fails with an error:
err mcpd[4182]: 0107186b:3: Invalid "enforce-tls-requirements" value for profile /prod/my_profile. In Virtual Server (/common/my_virtual_server) an http2 profile with enforce-tls-requirements enabled is incompatible with client-ssl/server-ssl profile with renegotiation enabled. Value must be disabled.
Conditions:
BIG-IP system allows this configuration and fails later:
-- Virtual server with HTTP/2, HTTP, and client SSL profiles (with renegotiation disabled).
1. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile (by default it is enabled).
2. Add server SSL profile with 'TLS Renegotiation' enabled.
3. Save the configuration.
4. Load the configuration.
Impact:
The configuration will not load if saved.
Workaround:
If enabling 'Enforce TLS Requirements' in an HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in the Server SSL profiles on that virtual server.
Fix:
There is now a validation check to prevent this configuration, which is the correct functionality.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1007629-2 : APM policy configured with many ACL policies can create APM memory pressure
Links to More Info: BT1007629
Component: Access Policy Manager
Symptoms:
High APM memory usage even in idle state when no traffic is flowing.
Conditions:
APM policies configured with resource assignment agents that have ACL policies configured. The idle-state memory usage is proportional to the number of resource assignment agents and ACL policies configured.
Impact:
If the idle-state memory usage of APM is high, less memory is available during traffic flow, which can lead to OOM crashes and failover.
Workaround:
None
Fix:
APM policy configured with many ACL policies no longer creates APM memory pressure
Fixed Versions:
14.1.4.4, 15.1.4.1
1007505 : TLS handshake times out if intermediate CA cert status cannot be determined
Links to More Info: BT1007505
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets an HTTPS connection. SSL handshake failure logs appear in /var/log/ltm:
warning tmm1[2555]: 01260013:4: SSL Handshake failed for TCP 10.0.0.l0:443 -> 10.0.0.20:60716
In the server-side packet trace, there is no Client Key Exchange message in response to the Server Hello Done message. The connection then is reset 10 seconds after the Server Hello Done message.
Conditions:
-- OCSP is configured for the server SSL profile.
-- The OCSP responder cannot determine the intermediate CA cert status.
Impact:
Clients cannot connect to the HTTPS pool members.
Workaround:
For each affected host, add the certificate of the issuer of the server certificate to the CA bundle specified in the Trusted CA field of the server SSL profile.
Fixed Versions:
14.1.4.3
1007113-4 : Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds
Links to More Info: BT1007113
Component: Service Provider
Symptoms:
In case of diameter over SCTP, while aborting the connection of the pool member, if SCTP INIT is sent by the BIG-IP system before the SCTP ABORT is processed, the pool member is marked UP (provided the SCTP connection is established successfully), and then goes down later, immediately after ABORT is fully processed.
Conditions:
The time difference between SCTP ABORT and SCTP INIT is very small, i.e., 2 seconds or less
Impact:
Pool member is marked DOWN even though it is active
Workaround:
If the watchdog is configured in the diameter session profile (i.e., watchdog-timeout is greater than 0), the pool member is marked UP after DWA is received from the pool member.
Fix:
The system now marks the pool member as UP if DWA is received from the pool member.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1007109-4 : Flowmap entry is deleted before updating its timeout to INDEFINITE
Links to More Info: BT1007109
Component: Service Provider
Symptoms:
A sessiondb entry cannot be looked up.
Conditions:
A connection takes more than 5 seconds to establish. For example, in SCTP, the connection establishment might take more than 5 seconds with a maximum timeout of 60 seconds
Impact:
The session db lookup failure leads to the establishment of a new connection, even though there is an existing connection to the pool member.
Workaround:
Increase the temporary timeout of the session db entry to 60 seconds.
Fix:
Fixed the temporary timeout of the session db entry
Fixed Versions:
14.1.4.6
1006893-1 : Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core
Links to More Info: BT1006893
Component: Access Policy Manager
Symptoms:
When ACCESS::oauth is used after ACCESS::session create/delete in an iRule event, TMM may core.
Conditions:
ACCESS::oauth is used after ACCESS::session create/delete in an iRule event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
Fix:
TMM does not core and functionality works as expected.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1005433 : LTM Pool Members may not be updated accurately when multiple identical database monitors are configured
Links to More Info: BT1005433
Component: Local Traffic Manager
Symptoms:
When two or more database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different LTM pools (with at least one pool member in each), the monitor status of some LTM pool members may not be correct.
Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause LTM pool members using one of the affected monitors to connect to the same database to be marked UP, while LTM pool members using another affected monitor may be marked DOWN.
As a result of this issue, LTM pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected LTM pool members being intermittently marked with an incorrect state.
After the next monitor ping interval, affected LTM pool members may be marked with the correct state.
Conditions:
This may occur when multiple database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different LTM pools/members.
For example:
ltm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
recv none
send "select version();"
...
}
Impact:
Monitored LTM pool members using a database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.
Workaround:
To avoid this issue, configure each database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.
For example:
ltm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
recv 5.7
send "select version();"
...
}
Fix:
The system now correctly updates LTM pool members when multiple identical database monitors are configured.
Fixed Versions:
14.1.4.5
1005109-1 : TMM crashes when changing traffic-group on IPv6 link-local address
Links to More Info: BT1005109
Component: Local Traffic Manager
Symptoms:
TMM crashes when changing the traffic-group on an IPv6 link-local address.
Conditions:
Changing the traffic-group on an IPv6 link-local address.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
1005105-4 : Requests are missing on traffic event logging
Links to More Info: BT1005105
Component: Application Security Manager
Symptoms:
Some traffic requests are missing in Security :: Event Logs.
Conditions:
-- Local logging enabled
-- Two or more virtual servers passing heavy traffic
Impact:
High CPU load prevents the Policy Builder from analyzing and sending all traffic requests to the request log.
Workaround:
None
Fix:
The Policy Builder now attempts to send traffic requests to the request log, even when learning analysis is limited due to high CPU load.
Fixed Versions:
14.1.4.5, 15.1.4, 16.1.1
1004929-4 : During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid.
Links to More Info: BT1004929
Component: TMOS
Symptoms:
While receiving a config sync operation, mcpd on a secondary blade may restart, logging:
err mcpd[6383]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020012:3: A unsigned four-byte integer message item is invalid.... failed validation with error 16908306
Conditions:
-- A VIPRION system (or cluster-based vCMP guest) with more than one blade processes a full configuration load, i.e. as a result of running "tmsh load sys config" or receiving a full-load config sync from peer BIG-IP.
-- The system generates a large number of warning messages during a configuration load, whose total length is larger than 65,535 bytes.
These warnings can be seen in the output of "tmsh load sys config" or "tmsh load sys config verify", or are logged under message ID 01071859.
An example of such a warning is:
SSLv2 is no longer supported and has been removed. The 'sslv2' keyword in the cipher string of the ssl profile (/Common/ssl-profile-1) has been ignored.
Impact:
MCPD on secondary blades restarts. Those blades are inoperative while services restart.
Workaround:
Address the warnings reported by the system.
Fixed Versions:
14.1.4.5, 15.1.5
1004897-3 : 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason
Links to More Info: BT1004897
Component: Local Traffic Manager
Symptoms:
In an HTTP2 setup, when the header count from the client request exceeds the max-header-count value in the HTTP profile, COMPRESSION_ERROR(0x09) is seen in the GoAway frame instead of FRAME_SIZE_ERROR(0x06).
Conditions:
- Virtual server with HTTP2 enabled
- A http2 request has a header count that exceeds 'Maximum Header Count' in the HTTP profile (default value is 64)
Impact:
Wrong GoAway Reason is logged
Fix:
When the header count in a client request exceeds the max-header-count value in the HTTP profile:
1) FRAME_SIZE_ERROR(0x06) error code sent with GoAway frame
2) In http2 profile stats (tmsh show ltm profile http2 all) 'Max Headers Exceeded' is logged as GoAway reason
Fixed Versions:
14.1.4.4
1004833-1 : NIST SP800-90B compliance
Links to More Info: BT1004833
Component: TMOS
Symptoms:
Common Criteria and FIPS 140-2 certifications require compliance with NIST SP800-90B; this completes that compliance.
Conditions:
This applies to systems requiring Common Criteria and/or FIPS 140-2 compliance.
Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 14.1.4.2 or BIG-IP 15.1.2.1) will not be running a Common Criteria and/or FIPS 140-2 certified configuration.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with NIST SP800-90B.
Fixed Versions:
14.1.4.2, 15.1.4
1004517-3 : BIG-IP tenants on VELOS cannot install EHFs
Links to More Info: BT1004517
Component: TMOS
Symptoms:
BIG-IP tenants created on VELOS using v14.1.4 software earlier than v14.1.4.3 cannot accept engineering hotfixes (EHF).
Conditions:
Installing EHF updates to BIG-IP tenants on VELOS running BIG-IP v14.1.4 software earlier than v14.1.4.3.
Impact:
EHF installation fails.
Workaround:
None
Fix:
BIG-IP tenants on VELOS can now install EHFs.
Fixed Versions:
14.1.4.3
1004417-1 : Provisioning error message during boot up★
Links to More Info: BT1004417
Component: TMOS
Symptoms:
Error message in /var/log/ltm:
Could not retrieve DB variable for (provision.datastor)
Conditions:
Upgrade BIG-IP software from version 12.x to version 13.x or higher.
Impact:
The error message is logged after the first boot after the upgrade. There is no impact on functionality and the error message can be ignored.
Workaround:
None
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
1004069-2 : Brute force attack is detected too soon
Links to More Info: BT1004069
Component: Application Security Manager
Symptoms:
A brute force attack is detected too soon.
Conditions:
The login page has the expected header validation criteria.
Impact:
The attack is detected earlier than the setpoint.
Workaround:
N/A
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2
1003633-4 : There might be wrong memory handling when message routing feature is used
Links to More Info: BT1003633
Component: Service Provider
Symptoms:
The following log is observed from /var/log/ltm
Oops @ 0x28c3060:232: buf->ref == 0
Conditions:
Message routing is used either by
- Generic message (ltm message-routing generic) or
- HTTP2 with Message router option enabled
Impact:
In most cases, this kind of incorrect memory handling may only generate a warning log message. In rare cases, it might lead to a tmm crash.
Workaround:
N/A
Fix:
Wrong memory handling in message routing is fixed.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1003257-3 : ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected
Links to More Info: BT1003257
Component: TMOS
Symptoms:
ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' commands are not working properly. The address is always set to interface-configured global/local addresses respectively.
Conditions:
Using BGPv4 with IPv6 capability extension and a route-map with 'set ipv6 next-hop' and/or 'set ipv6 next-hop local' configuration.
Impact:
Wrong next-hop is advertised.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1002945-1 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.
Links to More Info: BT1002945
Component: Local Traffic Manager
Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.
Conditions:
- IPv6 to IPv4 virtual server chaining.
Impact:
Traffic is dropped.
Workaround:
None
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1002809-2 : OSPF vertex-threshold should be at least 100
Links to More Info: BT1002809
Component: TMOS
Symptoms:
OSPF vertex-threshold should be at least 100, but you are able to set it to any number between 0 and 10000000.
Conditions:
-- Using OSPFv2/OSPFv3
-- Configuring the vertex-threshold setting
Impact:
When the setting is less than the default of 100, routes may not be installed properly.
Workaround:
Ensure that vertex-threshold is set to 100 (default) or above.
Fixed Versions:
14.1.4.6
1002565-4 : OpenSSL vulnerability CVE-2021-23840
Links to More Info: K24624116
1002557-3 : Tcl free object list growth
Links to More Info: BT1002557
Component: Access Policy Manager
Symptoms:
Apmd memory usage grows over time when a single agent with a Tcl object is shared across multiple threads.
Conditions:
This is encountered in APM environments when passing traffic.
Impact:
Tcl free object list grows and apmd memory usage increases over time.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4.1
1002385-4 : Fixing issue with input normalization
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
14.1.4.6, 15.1.5, 16.1.2.1
1002109-4 : Xen binaries do not follow security best practices
Links to More Info: BT1002109
Component: TMOS
Symptoms:
The following xen* binaries have multiple violations of security best practices.
/usr/bin/xenstore
/usr/bin/xenstore-exists
/usr/bin/xenstore-ls
/usr/bin/xenstore-read
/usr/bin/xenstore-rm
/usr/bin/xenstore-watch
/usr/bin/xenstore-chmod
/usr/bin/xenstore-list
/usr/bin/xenstore-write
Conditions:
The violations can be seen on BIG-IP by running the following script:
https://github.com/slimm609/checksec.sh
Impact:
The issue leads to violations of security best practices.
Fix:
Fixed an issue with certain xen* binaries.
Fixed Versions:
14.1.4.4, 15.1.4
1001509-1 : Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates
Links to More Info: K11162395, BT1001509
Component: Local Traffic Manager
Symptoms:
-- A client system or browser does not trust forged certificates, and reports a cert verification warning: ERR_CERT_AUTHORITY_INVALID.
-- The forged certificate received by the client has the same values set for AKI and SKI certificate extensions.
Conditions:
Client SSL profile in SSL forward proxy is configured with the same certificate for Cert Key Chain and CA Cert Key Chain, and that certificate has an SKI extension.
Impact:
Client does not trust forged certificates and cannot connect to the backend.
Workaround:
Modify the Cert Key Chain on the Client SSL profile to have a different certificate from CA Cert Key Chain.
You can find details in K11162395: A client browser may not trust the certificate issued by the BIG-IP SSL forward proxy :: https://support.f5.com/csp/article/K11162395
Fix:
Certificate forged by SSL forward proxy does not contain AKI and SKI extensions, so this issue no longer occurs.
Fixed Versions:
14.1.4.3, 15.1.3
1001337 : Cannot read single sign-on configuration from GUI when logged in as guest
Links to More Info: BT1001337
Component: Access Policy Manager
Symptoms:
When logging in to the BIG-IP GUI and attempting to read an existing single sign-on configuration from Access :: Single Sign-On, you see the following error from the GUI:
General database error retrieving information.
Conditions:
-- The logged in BIG-IP user account is configured with the guest role.
-- Go to Access :: Single Sign-On to read existing SSO configurations.
Impact:
Cannot read SSO configurations from the GUI when logged on as guest.
Workaround:
Use tmsh commands to read SSO configuration.
Fix:
BIG-IP users with guest user account roles can now read SSO configurations from the GUI.
Fixed Versions:
14.1.4.5, 15.1.4.1
1001041-2 : Reset cause 'Illegal argument'
Links to More Info: BT1001041
Component: Access Policy Manager
Symptoms:
Client connections get aborted, usually after the full transfer of the HTTP POST request.
If logging of reset reason is enabled using:
tmsh modify sys db tm.rstcause.log value enable
LTM logs report the reset reason as 'Illegal Argument'.
Conditions:
Any transaction that takes a long time to complete can result in this issue. This issue can be triggered if there is a large POST request or if the backend server is slow in responding to the requests.
Impact:
Clients cannot post large files to backend servers with APM PingAccess support.
Workaround:
None
Fix:
The timeout is now properly handled for large post requests, so that no reset occurs.
Fixed Versions:
14.1.4.4, 15.1.4
1000973-2 : Unanticipated restart of TMM due to heartbeat failure
Links to More Info: BT1000973
Component: TMOS
Symptoms:
A tmm thread might stall while yielding the CPU, and trigger a failsafe restart of the tmm process. A core file might be generated without any message logged in /var/log/*.
High resolution timers (hrtimer) may be lost.
Conditions:
This occurs when data in kernel hrtimer module is corrupted by a kernel bug, so a tmm thread may fail to wake at the appropriate time after having entered a planned short sleep.
The precise details in this particular case are not knowable.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Very rarely, this might take a long time, in which case there is no mitigation except to wait for the operation to complete.
Alternatively, the unit might remain offline, in which case rebooting the system is the better option.
Fix:
Fixed kernel issue that led to an unanticipated restart of tmm due to heartbeat failure.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
1000741-4 : Fixing issue with input normalization
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
1000021-4 : TMM may consume excessive resources while processing packet filters
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing packet filters.
Conditions:
- Packet filters in use
Impact:
Excessive resource consumption, potentially leading to memory exhaustion and reduced performance or a failover event.
Workaround:
N/A
Fix:
TMM now processes packet filters as expected.
Fixed Versions:
14.1.4.6, 15.1.5
Known Issues in BIG-IP v14.1.x
TMOS Issues
ID Number | Severity | Links to More Info | Description |
860245-3 | 1-Blocking | BT860245 | SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x |
858173-1 | 1-Blocking | BT858173 | SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1★ |
1050969-4 | 1-Blocking | BT1050969 | After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid |
1049085-1 | 1-Blocking | BT1049085 | Booting into a newly installed hotfix volume may stall on RAID-capable platforms★ |
1032761-1 | 1-Blocking | BT1032761 | HA mirroring may not function correctly. |
997793-1 | 2-Critical | K34172543, BT997793 | Error log: Failed to reset strict operations; disconnecting from mcpd★ |
993481-4 | 2-Critical | | Jumbo Frame issue with DPDK-eNIC. |
992865-2 | 2-Critical | BT992865 | Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances |
992097-1 | 2-Critical | BT992097 | Incorrect hostname is seen in logging files |
990853-4 | 2-Critical | BT990853 | Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway. |
988645-2 | 2-Critical | BT988645 | Traffic may be affected after tmm is aborted and restarted |
987113-2 | 2-Critical | BT987113 | CMP state degraded while under heavy traffic |
979045-4 | 2-Critical | BT979045 | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms |
950673-2 | 2-Critical | BT950673 | Hardware Syncookie mode not cleared when deleting/changing virtual server config. |
950201-1 | 2-Critical | BT950201 | Tmm core on GCP |
943109-3 | 2-Critical | BT943109 | Mcpd crash when bulk deleting Bot Defense profiles |
941893-2 | 2-Critical | BT941893 | VE performance tests in Azure cause loss of connectivity to objects in configuration |
940453 | 2-Critical | BT940453 | Restjavad restarting with java.lang.OutOfMemoryError |
940225-3 | 2-Critical | BT940225 | Not able to add more than 6 NICs on VE running in Azure |
937481 | 2-Critical | BT937481 | Tomcat restarts with error java.lang.OutOfMemoryError |
929133-3 | 2-Critical | BT929133 | TMM continually restarts with errors 'invalid index from net device' and 'device_init failed' |
909673-1 | 2-Critical | BT909673 | TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms |
885961 | 2-Critical | BT885961 | Tagged VLAN works only if it is configured in virtual wire. |
882757-3 | 2-Critical | BT882757 | sflow_agent crash SIGABRT in the cleanup flow |
866957-1 | 2-Critical | BT866957 | Load balancing IPsec tunnels |
865653-4 | 2-Critical | BT865653 | Wrong FDB table entries with same MAC and wrong VLAN combination |
858877-1 | 2-Critical | BT858877 | SSL Orchestrator config sync issues between HA-pair devices |
851785-1 | 2-Critical | BT851785 | BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver |
842669-1 | 2-Critical | BT842669 | Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log |
829661-2 | 2-Critical | BT829661 | TCP connection fails to establish when an SFC policy is enabled |
812237-1 | 2-Critical | BT812237 | i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD |
780437-2 | 2-Critical | BT780437 | Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. |
776117-3 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type |
758929-2 | 2-Critical | BT758929 | Bcm56xxd MIIM bus access failure |
756830-1 | 2-Critical | BT756830 | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' |
751924-2 | 2-Critical | BT751924 | TSO packet bit fails IPsec during ESP encryption |
750588-1 | 2-Critical | BT750588 | While loading large configurations on BIG-IP systems, some daemons may core intermittently. |
747203-2 | 2-Critical | BT747203 | Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding |
746464-1 | 2-Critical | BT746464 | MCPD sync errors and restart after multiple modifications to file object in chassis |
746122-1 | 2-Critical | BT746122 | 'load sys config verify' resets the active master key to the on-disk master key value |
743946-2 | 2-Critical | BT743946 | Tmsh loads schema versions 12.x and earlier which are no longer supported★ |
742764-3 | 2-Critical | BT742764 | If two racoon daemons are spawned on startup, one fails and cores. |
742419-5 | 2-Critical | BT742419 | BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi |
737692-3 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE |
717785-2 | 2-Critical | BT717785 | Interface-cos shows no egress stats for CoS configurations |
698931-1 | 2-Critical | BT698931 | Corrupted SessionDB messages causes TMM to crash |
662301-4 | 2-Critical | BT662301 | 'Unlicensed objects' error message appears despite there being no unlicensed config |
382363-5 | 2-Critical | K30588577 | min-up-members and using gateway-failsafe-device on the same pool. |
1077789-2 | 2-Critical | BT1077789 | System might become unresponsive after upgrading.★ |
1076921-3 | 2-Critical | BT1076921 | Log hostname should be consistent when it contains ' . ' |
1075905 | 2-Critical | BT1075905 | TCP connections may fail when hardware SYN Cookie is active |
1065041-2 | 2-Critical | BT1065041 | Web Application shows 'Not Found' in GUI. |
1048853-4 | 2-Critical | BT1048853 | "IKE VBUF" memory leak debug. |
1048169 | 2-Critical | BT1048169 | Panic and silent reboots on High Availability (HA) pair |
1041865-2 | 2-Critical | BT1041865 | Correctable machine check errors [mce] should be suppressed |
1035121-1 | 2-Critical | BT1035121 | Configsync syncs the node's monitor status |
1027637-2 | 2-Critical | BT1027637 | System controller failover may cause dropped requests |
1024269-3 | 2-Critical | BT1024269 | Forcing a file system check on the next system reboot does not check all filesystems. |
1012493-3 | 2-Critical | BT1012493 | Systemauth.primaryadminuser set to anything but 'admin' causes internal error for mcp-state check |
999021-4 | 3-Major | BT999021 | IPsec IKEv1 tunnels fail after a config sync from Standby to Active |
998957-4 | 3-Major | BT998957 | Mcpd consumes excessive CPU while collecting stats. |
998649-2 | 3-Major | BT998649 | Log hostname should be consistent when it contains ' . ' |
997561-2 | 3-Major | BT997561 | TMM CPU imbalance with GRE/TB and GRE/MPLS traffic |
997541-2 | 3-Major | BT997541 | Round-robin GRE Disaggregator for hardware and software |
995605-3 | 3-Major | BT995605 | PVA accelerated traffic does not update route domain stats |
995097-4 | 3-Major | BT995097 | Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file. |
994365-4 | 3-Major | BT994365 | Inconsistency in tmsh 'object mode' for some configurations |
994361-4 | 3-Major | BT994361 | Updatecheck script hangs/Multiple updatecheck processes |
992813-3 | 3-Major | BT992813 | The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations. |
992253-1 | 3-Major | BT992253 | Cannot specify IPv6 management IP addresses using GUI |
992053-2 | 3-Major | BT992053 | Pva_stats for server side connections do not update for redirected flows |
988793-1 | 3-Major | BT988793 | SecureVault on BIG-IP tenant does not store unit key securely |
988745-2 | 3-Major | BT988745 | On reboot, 'could not find platform object' errors may be seen in /var/log/ltm |
987949 | 3-Major | BT987949 | Error message during boot up★ |
987301-2 | 3-Major | BT987301 | Software install on vCMP guest via block-device may fail with error 'reason unknown' |
987081-4 | 3-Major | BT987081 | Alarm LED remains active on Secondary blades even after LCD alerts are cleared |
985537-3 | 3-Major | BT985537 | Upgrade Microsoft Hyper-V driver★ |
981485-3 | 3-Major | BT981485 | Neurond enters a restart loop after FPGA update. |
977953-1 | 3-Major | BT977953 | Show running config interface CLI could not fetch the interface info and crashes the imi |
977657-1 | 3-Major | BT977657 | SELinux errors when deploying a vCMP guest. |
976013-3 | 3-Major | BT976013 | If bcm56xxd starts while an interface is disabled, the interface cannot be enabled afterwards |
972785-4 | 3-Major | BT972785 | Unable to create virtual server with a non-zero Route Domain for custom partition via iControl SOAP |
969329-1 | 3-Major | BT969329 | Dashboard: Chart title/legend 'Control Plane' needs to be modified within dashboard of BIG-IP |
967557-3 | 3-Major | BT967557 | Improve apm logging when loading sys config fails due to corruption of epsec rpm database |
966949-3 | 3-Major | BT966949 | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node |
965941-3 | 3-Major | BT965941 | Creating a net packet filter in the GUI does not work for ICMP for IPv6 |
964125-3 | 3-Major | BT964125 | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. |
960029-3 | 3-Major | BT960029 | Viewing properties for IPv6 pool members in the Statistics page in the GUI returns an error |
959241-3 | 3-Major | BT959241 | Fix for ID871561 might not work as expected on the VCMP host |
959057-4 | 3-Major | BT959057 | Unable to create additional login tokens for the default admin user account |
958833-3 | 3-Major | BT958833 | After mgmt ip change via GUI, browser is not redirected to new address |
958601-3 | 3-Major | BT958601 | In the GUI, searching for virtual server addresses does not match address lists |
957993-3 | 3-Major | BT957993 | Unable to set a port list in the GUI for an IPv6 address for a virtual server |
957637-3 | 3-Major | BT957637 | Pfmand crash during bootup |
956625-3 | 3-Major | BT956625 | Port and port-list type are both stored in a traffic-matching-criteria object |
955953-3 | 3-Major | BT955953 | iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg' |
955897-3 | 3-Major | BT955897 | Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain★ |
953477-4 | 3-Major | BT953477 | Syncookie HW mode not cleared when modifying VLAN config. |
950153-1 | 3-Major | BT950153 | LDAP remote authentication fails when empty attribute is returned |
948601-4 | 3-Major | | File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU |
946121-1 | 3-Major | BT946121 | SNMP user added with password less than 8 characters through tmsh is allowed but fails during snmpwalk. |
945413-4 | 3-Major | BT945413 | Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync |
943669-5 | 3-Major | BT943669 | B4450 blade reboot |
943653-3 | 3-Major | BT943653 | Allow 32-bit processes to use larger area of virtual address space |
943045-1 | 3-Major | BT943045 | Inconsistency in node object name and node IPv6 address when IPv6 pool-member is created without providing node object name. |
941381-1 | 3-Major | BT941381 | MCP restarts when deleting an application service with a traffic-matching-criteria |
939249-4 | 3-Major | BT939249 | iSeries LCD changes to secure mode after multiple reboots |
937601-1 | 3-Major | BT937601 | The ip-tos-to-client setting does not affect traffic to the server. |
936093-3 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline |
935485-3 | 3-Major | BT935485 | BWC: flows might stall when using dynamic BWC policy |
933329-3 | 3-Major | BT933329 | The process plane statistics do not accurately label some processes |
930825-3 | 3-Major | BT930825 | System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors |
928697-3 | 3-Major | BT928697 | Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT |
928389-4 | 3-Major | BT928389 | GUI becomes inaccessible after importing certificate under import type 'certificate' |
928353-3 | 3-Major | BT928353 | Error logged installing Engineering Hotfix: Argument isn't numeric★ |
927025-4 | 3-Major | BT927025 | Sod restarts continuously |
925797-3 | 3-Major | BT925797 | Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members |
925469-3 | 3-Major | BT925469 | SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo |
924297-1 | 3-Major | BT924297 | Ltm policy MCP objects are not being synced over to the peer device |
923745-1 | 3-Major | BT923745 | Ctrl-Alt-Del reboots the system |
922885-2 | 3-Major | K27872027, BT922885 | BIG-IP Virtual Edition does not pass traffic on ESXi 6.5 |
922613-1 | 3-Major | BT922613 | Tunnels using autolasthop might drop traffic with ICMP route unreachable |
922153-4 | 3-Major | BT922153 | Tcpdump is failing on tmm 0.x interfaces |
921149-2 | 3-Major | BT921149 | After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy |
921121-1 | 3-Major | BT921121 | Tmm crash with iRule and a PEM Policy with BWC Enabled |
920761-3 | 3-Major | BT920761 | Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values |
920517-3 | 3-Major | BT920517 | Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI |
919401-3 | 3-Major | BT919401 | Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed |
919185-4 | 3-Major | BT919185 | Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed |
915557-4 | 3-Major | BT915557 | The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status. |
915493-3 | 3-Major | BT915493 | imish command hangs when ospfd is enabled |
913573-1 | 3-Major | BT913573 | Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint. |
909505-1 | 3-Major | BT909505 | Creating LTM data group external object fails. |
909485-1 | 3-Major | BT909485 | Deleting LTM data-group external object incorrectly reports 200 when object fails to delete |
908753-1 | 3-Major | BT908753 | Password memory not effective even when password policy is configured |
908453-2 | 3-Major | BT908453 | Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly |
907549-3 | 3-Major | BT907549 | Memory leak in BWC::Measure |
906505-4 | 3-Major | BT906505 | Display of LCD System Menu cannot be configured via GUI on iSeries platforms |
905749-2 | 3-Major | BT905749 | imish crash while checking for CLI help string in BGP mode |
904401-2 | 3-Major | BT904401 | Guestagentd core |
903265-1 | 3-Major | BT903265 | Single user mode faced sudden reboot |
901989-4 | 3-Major | BT901989 | Boot_marker writes to /var/log/btmp |
900485-4 | 3-Major | BT900485 | Syslog-ng 'program' filter does not work |
899933-4 | 3-Major | BT899933 | Listing property groups in TMSH without specifying properties lists the entire object |
899085-4 | 3-Major | BT899085 | Configuration changes made by Certificate Manager role do not trigger saving config |
898577-4 | 3-Major | BT898577 | Executing a command in "mgmt tm" using iControl REST results in tmsh error |
898389-3 | 3-Major | BT898389 | Traffic is not classified when adding port-list to virtual server from GUI |
895845-3 | 3-Major | BT895845 | Implement automatic conflict resolution for gossip-conflicts in REST |
895781-3 | 3-Major | BT895781 | Round Robin disaggregation does not disaggregate globally |
894593 | 3-Major | BT894593 | High CPU usage caused by the restjavad daemon continually crashing and restarting |
894133-3 | 3-Major | BT894133 | After ISO upgrade the SSL Orchestrator guided configuration user interface is not available.★ |
892445-4 | 3-Major | BT892445 | BWC policy names are limited to 128 characters |
891221-4 | 3-Major | BT891221 | Router bgp neighbor password CLI help string is not helpful |
888081-1 | 3-Major | BT888081 | BIG-IP VE Migration feature fails for 1NIC |
886649-3 | 3-Major | BT886649 | Connections stall when dynamic BWC policy is changed via GUI and TMSH |
884989-3 | 3-Major | BT884989 | IKE_SAs not mirrored on Standby device if it reboots |
884729-4 | 3-Major | BT884729 | The vCMP CPU usage stats are incorrect |
883149-4 | 3-Major | BT883149 | The fix for ID 439539 can cause mcpd to core. |
882833-4 | 3-Major | BT882833 | SELinux issue causes zrd to go down★ |
882709-2 | 3-Major | BT882709 | Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors★ |
882609-3 | 3-Major | BT882609 | ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back |
880689-3 | 3-Major | BT880689 | Update oprofile tools for compatibility with current architecture |
880473-3 | 3-Major | BT880473 | Under certain conditions, the virtio driver may core during shutdown |
880013-3 | 3-Major | BT880013 | Config load fails after changing the BIG-IP Master key which has an encrypted key in its configuration |
879969-3 | 3-Major | BT879969 | FQDN node resolution fails if DNS response latency >5 seconds |
879001-3 | 3-Major | BT879001 | LDAP data is not updated consistently which might affect authentication. |
878893-1 | 3-Major | BT878893 | During system shutdown it is possible for the sflow_agent to core |
878277 | 3-Major | BT878277 | Unexpected Error: Can't display all items, can't get object count from mcpd |
877145-2 | 3-Major | BT877145 | Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException |
876809-1 | 3-Major | BT876809 | GUI cannot delete a cert with a name that starts with * and ends with .crt |
872165-1 | 3-Major | BT872165 | LDAP remote authentication for REST API calls may fail during authorization |
871705-4 | 3-Major | BT871705 | Restarting bigstart shuts down the system |
867549-4 | 3-Major | BT867549 | LCD touch panel reports "Firmware update in progress" indefinitely★ |
867253-1 | 3-Major | BT867253 | Systemd not deleting user journals |
867249-3 | 3-Major | BT867249 | New SNMP authentication type and privacy protocol algorithms not available in UI |
867177-1 | 3-Major | BT867177 | Outbound TFTP and Active FTP no longer work by default over the management port |
865225-4 | 3-Major | BT865225 | 100G modules may not work properly in i15000 and i15800 platforms |
864321-1 | 3-Major | BT864321 | Default Apache testing page is reachable at <mgmt-ip>/noindex |
862693-2 | 3-Major | BT862693 | PAM_RHOST not set when authenticating BIG-IP using iControl REST |
862525-3 | 3-Major | | GUI Browser Cache Timeout option is not available via tmsh |
860181-3 | 3-Major | BT860181 | After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error |
853617-3 | 3-Major | BT853617 | Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles |
853161-1 | 3-Major | BT853161 | Restjavad has different behavior for error responses if the body is over 2k |
852785-1 | 3-Major | BT852785 | Exposing counters from FIPS device registers allows debugging when cards fail |
852565-3 | 3-Major | BT852565 | On Device Management::Overview GUI page, device order changes |
851837-3 | 3-Major | BT851837 | Mcpd fails to start for single NIC VE devices configured in a trust domain |
851021-3 | 3-Major | BT851021 | Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error |
850997-3 | 3-Major | BT850997 | 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page |
850357-3 | 3-Major | BT850357 | LDAP - tmsh cannot add config to nslcd.conf |
846141-3 | 3-Major | BT846141 | Unable to use Rest API to manage GTM pool members that have a pipe symbol '|' in the server name. |
844925-2 | 3-Major | BT844925 | Command 'tmsh save /sys config' fails to save the configuration and hangs |
843661-3 | 3-Major | BT843661 | TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command |
841721-3 | 3-Major | BT841721 | BWC::policy detach appears to run, but BWC control is still enabled |
838337-3 | 3-Major | BT838337 | The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST. |
828873-2 | 3-Major | BT828873 | Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor |
827293-2 | 3-Major | BT827293 | TMM may crash running remote tcpdump |
827209-2 | 3-Major | BT827209 | HSB transmit lockup on i4600 |
827021-2 | 3-Major | BT827021 | MCP update message may be lost when primary blade changes in chassis |
826437 | 3-Major | BT826437 | CSR subject fields with comma(,) are truncated during certificate renewal via the GUI. |
826313-4 | 3-Major | BT826313 | Error: Media type is incompatible with other trunk members★ |
826265-3 | 3-Major | BT826265 | The SNMPv3 engineBoots value restarts at 1 after an upgrade |
824809-4 | 3-Major | BT824809 | bcm56xxd watchdog restart |
819457-3 | 3-Major | BT819457 | LTM high availability (HA) sync should not sync GTM zone configuration |
819261-3 | 3-Major | BT819261 | Log HSB registers when parts of the device become unresponsive |
818505-3 | 3-Major | BT818505 | Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
817089-1 | 3-Major | | Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing |
814353-3 | 3-Major | BT814353 | Pool member silently changed to user-disabled from monitor-disabled |
814273-3 | 3-Major | BT814273 | Multicast route entries are not populating to tmm after failover |
812493-2 | 3-Major | BT812493 | When engineID is reconfigured, snmp and alert daemons must be restarted★ |
811041-5 | 3-Major | BT811041 | Out of shmem, increment amount in /etc/ha_table/ha_table.conf |
810613-2 | 3-Major | BT810613 | GUI Login History hides informative message about max number of lines exceeded |
810373-1 | 3-Major | BT810373 | Errors running 'config' command |
809509-1 | 3-Major | BT809509 | Resource Admin User unable to download UCS using Rest API. |
808485-2 | 3-Major | BT808485 | Add 'virtual-server' argument to 'tmsh help sys connection' for version 14.x |
808277-4 | 3-Major | BT808277 | Root's crontab file may become empty |
807837-3 | 3-Major | BT807837 | Upgrade fails when client-ssl inherits proxy-ca-key/cert with error message: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.★ |
807313-1 | 3-Major | | Encountering apmd out of memory events and process getting halted |
806881-2 | 3-Major | BT806881 | Loading the configuration may not set the virtual server enabled status correctly |
804529-3 | 3-Major | BT804529 | REST API to /mgmt/tm/ltm/pool/members/stats will fail for some pools |
803457-2 | 3-Major | BT803457 | SNMP custom stats cannot access iStats |
803157-1 | 3-Major | BT803157 | LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots |
798885-2 | 3-Major | BT798885 | SNMP response times may be long when processing requests |
797953 | 3-Major | BT797953 | Workaround for SSLo deployment failure from BigIQ to BIG-IP |
797609-2 | 3-Major | BT797609 | Creating or modifying some virtual servers to use an address or port list may result in a warning message |
796985-1 | 3-Major | BT796985 | Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'★ |
791365-2 | 3-Major | BT791365 | Bad encryption password error on UCS save |
791061-2 | 3-Major | BT791061 | Config load in /Common removes routing protocols from other partitions |
789181-3 | 3-Major | BT789181 | Link Status traps are not issued on VE based BIG-IP systems |
788645-4 | 3-Major | BT788645 | BGP does not function on static interfaces with vlan names longer than 16 characters. |
786633-1 | 3-Major | BT786633 | Debug-level messages are being logged even when the system is not set up for debug logging |
784733-3 | 3-Major | BT784733 | GUI LTM Stats page freezes for large number of pools |
783293-1 | 3-Major | BT783293 | Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window |
782613-5 | 3-Major | BT782613 | Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp |
781733-2 | 3-Major | BT781733 | SNMPv3 user name configuration allows illegal names to be entered |
780745-2 | 3-Major | BT780745 | TMSH allows creation of duplicate community strings for SNMP v1/v2 access |
778041-1 | 3-Major | BT778041 | tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option) |
777389-1 | 3-Major | BT777389 | In rare occurrences related to PostgreSQL monitor, the mcpd process restarts |
776489-2 | 3-Major | BT776489 | Remote authentication attempts to resolve only LDAP host against the first three name servers configured. |
775845-2 | 3-Major | BT775845 | Httpd fails to start after restarting the service using the iControl REST API |
775797-2 | 3-Major | BT775797 | Previously deleted user account might get authenticated |
775733-1 | 3-Major | BT775733 | /etc/qkview_obfuscate.conf not synced across blades |
773577-2 | 3-Major | BT773577 | SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted |
773333-2 | 3-Major | BT773333 | IPsec CLI help missing encryption algorithm descriptions |
773173-1 | 3-Major | BT773173 | LTM Policy GUI is not working properly |
772497-5 | 3-Major | BT772497 | When BIG-IP is configured to use a proxy server, updatecheck fails |
771137-2 | 3-Major | BT771137 | vCMP host reports much larger 'Virtual-disk' usage than du reports on the guest |
770657-2 | 3-Major | BT770657 | On hardware platforms with ePVA, some valid traffic is blocked when in L2 transparent mode and syn cookies are enabled |
769029-1 | 3-Major | BT769029 | Non-admin users fail to create tmp dir under /var/system/tmp/tmsh |
767305-2 | 3-Major | BT767305 | If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried |
765969-1 | 3-Major | BT765969 | HSB register dump missing from hsb_snapshot |
764969-3 | 3-Major | BT764969 | ILX no longer supports symlinks in workspaces as of v14.1.0 |
762097-1 | 3-Major | BT762097 | No swap memory available after upgrading to v14.1.0 and above★ |
761321-2 | 3-Major | BT761321 | 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not |
760932-3 | 3-Major | BT760932 | Part of audit log messages are also in other logs when strings are long |
760354-5 | 3-Major | BT760354 | Continual mcpd process restarts after removing big logs when /var/log is full |
759737-2 | 3-Major | BT759737 | Control and Analysis Plane CPU usage statistics are inaccurate for single core vCMP guests |
759258-2 | 3-Major | BT759258 | Instances shows incorrect pools if the same members are used in other pools |
757787-2 | 3-Major | BT757787 | Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI. |
757572 | 3-Major | BT757572 | Virtual Edition doesn't support forging MAC addresses with Mellanox ConnectX-3 virtual functions |
756820-2 | 3-Major | BT756820 | Non-UTF8 characters returned from /bin/createmanifest |
756088-2 | 3-Major | BT756088 | The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address |
753423-6 | 3-Major | BT753423 | Disabling and immediately re-enabling the slot results in interfaces from the slot being permanently removed from aggregation |
753001-1 | 3-Major | | mcpd can be killed if the configuration contains a very high number of nested references |
752994-1 | 3-Major | BT752994 | Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod |
751581-3 | 3-Major | BT751581 | REST API Timeout while querying large number of persistence profiles |
751409-1 | 3-Major | BT751409 | MCP Validation does not detect when virtual servers differ only by overlapping VLANs |
751024-4 | 3-Major | BT751024 | i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd |
749757-2 | 3-Major | BT749757 | -s option in qkview help does not indicate maximum size |
749011-1 | 3-Major | BT749011 | Datasync may start background tasks during high disk IO utilization |
748295-1 | 3-Major | BT748295 | TMM crashes on shutdown when using virtio NICs for dataplane |
748044 | 3-Major | BT748044 | RAID status in tmsh is not updated when disk is removed or rebuild finishes |
747676-3 | 3-Major | BT747676 | Remote logging needs 'localip' to set source IP properly |
746758-3 | 3-Major | BT746758 | Qkview produces core file if interrupted while exiting |
744924-1 | 3-Major | BT744924 | Bladed unit goes offline after UCS install |
744740-1 | 3-Major | BT744740 | After upgrade, dhclient overwrites configured hostname, even when 'sys management-dhcp' does not contain the 'host-name' in the request-options.★ |
744730-1 | 3-Major | BT744730 | After increasing the disk size on a VE or VCMP guest a manual reboot is required for the increase to go into effect. |
744520-1 | 3-Major | BT744520 | virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface |
743234-4 | 3-Major | BT743234 | Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons |
743132-6 | 3-Major | BT743132 | mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile |
742753-4 | 3-Major | BT742753 | Accessing the BIG-IP system's WebUI via special proxy solutions may fail |
742170-2 | 3-Major | BT742170 | REST PUT command fails for data-group internal |
739820-1 | 3-Major | BT739820 | Validation does not reject IPv6 address for TACACS auth configuration |
739118-1 | 3-Major | BT739118 | Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration |
738881-3 | 3-Major | BT738881 | Qkview does not collect any data under certain conditions that cause a timeout |
737739-1 | 3-Major | BT737739 | Bash shell still accessible for admin even if disabled |
737346-1 | 3-Major | BT737346 | After entering username and before password, the logging on user's failure count is incremented. |
727191-1 | 3-Major | BT727191 | Invalid arguments to run sys failover do not return an error |
725646-4 | 3-Major | BT725646 | The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly |
724653-2 | 3-Major | BT724653 | In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. |
721020-1 | 3-Major | BT721020 | Changes to the master key are reverted after full sync |
719030-1 | 3-Major | BT719030 | IPv6 address is not set in the GUI if IPv4 is set to automatic (dhcp) |
718291-2 | 3-Major | BT718291 | iHealth upload error does not clear |
718108-3 | 3-Major | BT718108 | It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts |
715379-3 | 3-Major | BT715379 | IKEv2 accepts asn1dn for peers-id only as file path of certificate file |
711747-1 | 3-Major | BT711747 | Vcmp_pde_state_memcpy core during http traffic and pfmand resets. |
708991-2 | 3-Major | BT708991 | Newly entered password is not remembered. |
703226-1 | 3-Major | BT703226 | Failure when using transactions to create and publish policies |
703090-5 | 3-Major | BT703090 | With many iApps configured, scriptd may fail to start |
701341-4 | 3-Major | K52941103, BT701341 | If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts |
698933-6 | 3-Major | BT698933 | Setting metric-type via ospf redistribute command may not work correctly |
691219-1 | 3-Major | BT691219 | Hardware syncookie mode is used when global auto last hop is disabled. |
690928-1 | 3-Major | BT690928 | System posts error message: 01010054:3: tmrouted connection closed |
688627-2 | 3-Major | BT688627 | OPT-0043 40G optical transceiver cannot be unbundled into 4x10G |
688231-4 | 3-Major | BT688231 | Unable to set VET, AZOT, and AZOST timezones |
673952-4 | 3-Major | BT673952 | 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot |
671372-5 | 3-Major | K01930721, BT671372 | When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified. |
669046-4 | 3-Major | BT669046 | Handling large replies to MCP audit_request messages |
658850-2 | 3-Major | BT658850 | Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP |
657834-5 | 3-Major | K45005512, BT657834 | Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent |
627760-6 | 3-Major | BT627760 | Gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card |
606032-5 | 3-Major | BT606032 | Network Failover-based high availability (HA) in AWS may fail |
591305-3 | 3-Major | BT591305 | Audit log messages with "user unknown" appear on install |
587821-8 | 3-Major | BT587821 | vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor. |
566995-1 | 3-Major | BT566995 | bgpd might crash in rare circumstances. |
554506-2 | 3-Major | K47835034, BT554506 | PMTU discovery from management does not work |
538283-3 | 3-Major | BT538283 | iControl REST asynchronous tasks may block other tasks from running |
508302-5 | 3-Major | BT508302 | Auto-sync groups may revert to full sync |
499348-9 | 3-Major | BT499348 | System statistics may fail to update, or report negative deltas due to delayed stats merging. |
493740-2 | 3-Major | BT493740 | tmsh allows cipher group creation with non-existent "require" or "exclude" cipher rule. |
486712-5 | 3-Major | BT486712 | GUI PVA connection maximum statistic is always zero |
469724-2 | 3-Major | BT469724 | When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire |
409062-1 | 3-Major | K20008325 | ArcSight HSL is not supported for most system daemons |
398683-3 | 3-Major | K12304 | Use of a # in a TACACS secret causes remote auth to fail |
385013-4 | 3-Major | | Certain user roles do not trigger a sync for a 'modify auth password' command |
342319-3 | 3-Major | | BIND forwarder server list and the recursion and forward options. |
291256-2 | 3-Major | | Changing 'Minimum Length' and 'Required Characters' might result in an error |
1093973-4 | 3-Major | BT1093973 | Tmm may core when BFD peers select a new active device. |
1091725-2 | 3-Major | BT1091725 | Memory leak in IPsec |
1091345-4 | 3-Major | BT1091345 | The /root/.bash_history file is not carried forward by default during installations. |
1090313-1 | 3-Major | BT1090313 | Virtual server may remain in hardware SYN cookie mode longer than expected |
1085837-4 | 3-Major | BT1085837 | Virtual server may not exit from hardware SYN cookie mode |
1080925-1 | 3-Major | BT1080925 | Changed 'ssh-session-limit' value is not reflected after restarting mcpd |
1080297-3 | 3-Major | BT1080297 | ZebOS does not show "log syslog" in the running configuration |
1077533-2 | 3-Major | BT1077533 | BIG-IP fails to restart services after mprov runs during boot. |
1077405-4 | 3-Major | BT1077405 | Ephemeral pool members may not be created with autopopulate enabled. |
1076801-1 | 3-Major | BT1076801 | Loaded system increases CPU usage when using CS features |
1076785-1 | 3-Major | BT1076785 | Virtual server may not properly exit from hardware SYN Cookie mode |
1076377-1 | 3-Major | BT1076377 | OSPF path calculation for IA and E routes is incorrect. |
1075729 | 3-Major | BT1075729 | Virtual server may not properly exit from hardware SYN Cookie mode |
1074841-3 | 3-Major | BT1074841 | Invalid syslog configuration kills syslog-ng after restarting syslog-ng. |
1074053-3 | 3-Major | BT1074053 | Delay in displaying the "Now Halting..." message while performing halt from LCD. |
1073429-3 | 3-Major | BT1073429 | Auth partition definition is incorrectly synchronized to peer and then altered. |
1072081-3 | 3-Major | BT1072081 | Imish segmentation fault when running 'ip pim sparse-mode ?' on interface config. |
1067797-3 | 3-Major | BT1067797 | Trunked interfaces that share a MAC address may be assigned in the incorrect order. |
1065757 | 3-Major | | Virtual servers may not receive TCP SYN packets when another virtual server is in SYN Cookie mode |
1065549 | 3-Major | BT1065549 | BIG-IP does not fail gracefully when a TX error is detected in the kernel ixgbevf driver. |
1064893-3 | 3-Major | BT1064893 | Keymgmtd memory leak occurs while configuring ca-bundle-manager. |
1064461-2 | 3-Major | BT1064461 | PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. |
1063473-3 | 3-Major | BT1063473 | While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly |
1063237-2 | 3-Major | BT1063237 | Stats are incorrect when the management interface is not eth0 |
1062953-3 | 3-Major | BT1062953 | Unable to save configuration via tmsh or the GUI. |
1062901-3 | 3-Major | BT1062901 | The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface. |
1062857-1 | 3-Major | BT1062857 | Non-tmm source logs stop populating after a system time change. |
1061905-1 | 3-Major | BT1061905 | Adding peer unit into device trust changes the failover address family. |
1061469-3 | 3-Major | BT1061469 | High levels of Pause frames from HSB to Switch can impact monitors and high availability (HA) connectivity |
1060349 | 3-Major | BT1060349 | VCMP Guest 14.1.4.4: java cores. |
1060181-2 | 3-Major | BT1060181 | SSL handshakes fail when using CRL certificate validator. |
1060145-3 | 3-Major | BT1060145 | Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. |
1058789-4 | 3-Major | BT1058789 | Virtual addresses are not created from an address list that includes an IP address range. |
1058765-4 | 3-Major | BT1058765 | Virtual Addresses created from an address list with prefix all say Offline (enabled) |
1057913 | 3-Major | BT1057913 | Fix traffic flow when using SR-IOV and trunking with xnet-mlxv5. |
1057709-2 | 3-Major | BT1057709 | Invalid Certificate for all BIG-IP VE OVA images on vCenter 7.0U2. |
1057501-2 | 3-Major | BT1057501 | Expired DST Root CA X3 resulting in http agent request failing. |
1054041-2 | 3-Major | BT1054041 | Neuron-based platforms may activate SYN Cookies for the wrong virtual server |
1053617 | 3-Major | BT1053617 | Some of the ePVA flow status descriptors may be incorrectly dropped |
1052893-1 | 3-Major | | Configuration option to delay reboot if dataplane becomes inoperable |
1046261-3 | 3-Major | BT1046261 | Asynchronous REST task IDs do not persist across process restarts |
1045277-1 | 3-Major | BT1045277 | The /var partition may become 100% full requiring manual intervention to clear space |
1044577-3 | 3-Major | BT1044577 | TMM crash on BIG-IP Virtual Edition using DPDK and xnet drivers |
1044281-3 | 3-Major | BT1044281 | In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled |
1044089 | 3-Major | BT1044089 | ICMP echo requests to virtual address get a response even when the virtual server is offline when updated from GUI. |
1042737-2 | 3-Major | BT1042737 | BGP sending malformed update missing Tot-attr-len of '0'. |
1042589-3 | 3-Major | BT1042589 | Wrong trunk_id is associated in bcm56xxd. |
1041317-3 | 3-Major | BT1041317 | MCPD delay in processing a query_all message if the update_status bit is set |
1040573-1 | 3-Major | BT1040573 | REST operation takes a long time when two different users perform tasks in parallel |
1040277-1 | 3-Major | BT1040277 | Syslog-ng issue may cause logging to stop and possible reboot of a system |
1036613-4 | 3-Major | BT1036613 | Client flow might not get offloaded to PVA in embryonic state |
1036557-4 | 3-Major | BT1036557 | Monitor information not seen in GUI |
1036541-2 | 3-Major | BT1036541 | Inherited-traffic-group setting of floating IP does not sync on incremental sync |
1036461-2 | 3-Major | BT1036461 | icrd_child may core with high numbers of open file descriptors. |
1036097-2 | 3-Major | BT1036097 | VLAN failsafe does not trigger on guest |
1036009-1 | 3-Major | | Fix DPDK RSS configuration settings |
1035661-1 | 3-Major | BT1035661 | REST Requests return 401 Unauthorized when using Basic Auth |
1033689-3 | 3-Major | BT1033689 | BGP route map community value cannot be set to the required range when using AA::NN notation |
1033333-2 | 3-Major | BT1033333 | FIPS: importing a stub SSL key file results in 2 keys that share the same FIPS device |
1032821-4 | 3-Major | BT1032821 | Syslog: invalid level/facility from /usr/libexec/smart_parse.pl |
1032257-3 | 3-Major | BT1032257 | Forwarded PVA offload requests fail on platforms with multiple PDE/TMM |
1031117-3 | 3-Major | BT1031117 | The mcpd error for virtual server profiles incompatible needs to have more details |
1031025-1 | 3-Major | BT1031025 | Nitrox 3 FIPS: Upgrade from v12.1.x to v14.1.x results in new .key.exp files for the FIPS keys created before upgrade.★ |
1027481-1 | 3-Major | BT1027481 | 'error: /bin/haloptns unexpected error -- 768' log messages generated on A110 and D112 platforms |
1027477-1 | 3-Major | BT1027477 | Virtual server created with address-list in custom partition non-RD0 does not create listener |
1027237-4 | 3-Major | BT1027237 | Cannot edit virtual server in GUI after loading config with traffic-matching-criteria |
1026989-3 | 3-Major | BT1026989 | More specific dynamic or static routes created for application traffic processing can erroneously replace the route to the management subnet. |
1026973-3 | 3-Major | BT1026973 | Static routes created for application traffic processing can erroneously replace the route to the management subnet. |
1026861-1 | 3-Major | BT1026861 | Live Update of Browser Challenges and Anti-Fraud are not cleaned up |
1026581-3 | 3-Major | BT1026581 | NETFLOW/IPFIX observationTimeMilliseconds Information Element value is not populated correctly. |
1026273-3 | 3-Major | BT1026273 | HA failover connectivity using the cluster management address does not work on VIPRION platforms★ |
1025513-3 | 3-Major | BT1025513 | PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog |
1025261-1 | 3-Major | BT1025261 | When restjavad.useextramb is set, java immediately uses more resident memory in linux |
1024661-1 | 3-Major | | SCTP forwarding flows based on VTAG for bigproto |
1024421-3 | 3-Major | BT1024421 | At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log |
1022997-4 | 3-Major | BT1022997 | TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC) |
1021925-2 | 3-Major | BT1021925 | During bootup AWS BIG-IP endpoint was not licensed when custom gateway configured over management interface |
1021873-3 | 3-Major | BT1021873 | TMM crash in IPIP tunnel creation with a pool route |
1021109-2 | 3-Major | BT1021109 | The cmp-hash VLAN setting does not apply to trunked interfaces. |
1020377-4 | 3-Major | BT1020377 | Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon |
1020277-3 | 3-Major | BT1020277 | Mcpd may run out of memory when build image is missing★ |
1020089-3 | 3-Major | BT1020089 | MCP validation should prevent defining multiple virtual servers with the same virtual address but with different subnet masks |
1019793-1 | 3-Major | BT1019793 | Image2disk does not work on F5OS BIG-IP tenant.★ |
1019285-4 | 3-Major | BT1019285 | Systemd hangs and is unresponsive |
1019129-2 | 3-Major | BT1019129 | Changing syslog remote port requires syslog-ng restart to take effect |
1018673-3 | 3-Major | BT1018673 | Virtual Edition systems replicate host traffic to all TMMs when a multicast MAC address is the traffic's nexthop |
1018309-2 | 3-Major | BT1018309 | Loading config file with imish removes the last character |
1018165-3 | 3-Major | BT1018165 | GUI display of DHCPv6 profile not correct for virtual server in non-default route-domain |
1017897-3 | 3-Major | BT1017897 | Self IP address creation fails with 'ioctl failed: No such device' |
1017857-4 | 3-Major | BT1017857 | Restore of UCS leads to incorrect UID on authorized_keys★ |
1015453-4 | 3-Major | BT1015453 | Under some circumstances, the "Local Traffic" menu in System -> Configuration is inaccessible in the GUI |
1014285-2 | 3-Major | BT1014285 | Set auto-failback-enabled moved to false after upgrade★ |
1014073 | 3-Major | BT1014073 | SSL Orchestrator iApp block out of sync in high availability (HA) environment |
1013649-3 | 3-Major | BT1013649 | Leftover files in /var/run/key_mgmt after key export |
1012601-1 | 3-Major | BT1012601 | Alarm LED and LCD alert cleared prematurely on startup for missing PSU input |
1012449-4 | 3-Major | BT1012449 | Unable to edit custom inband monitor in the GUI |
1012049-4 | 3-Major | BT1012049 | Incorrect virtual server list returned in response to status request |
1011265 | 3-Major | BT1011265 | Failover script cannot read /config/partitions/ after upgrade★ |
1010341-1 | 3-Major | BT1010341 | Slower REST calls after update for CVE-2021-22986 |
1007909-4 | 3-Major | BT1007909 | Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs |
1006345-2 | 3-Major | BT1006345 | Static mac entry on trunk is not programmed on CPU-only blades |
1004469-3 | 3-Major | BT1004469 | SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string |
1001069 | 3-Major | BT1001069 | VE CPU higher after upgrade, given same throughput |
1000325-3 | 3-Major | BT1000325 | UCS load with 'reset-trust' may not work properly if base configuration fails to load★ |
983021-3 | 4-Minor | BT983021 | Tmsh does not correctly handle the app-service for data-group records |
964533-4 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. |
962605-2 | 4-Minor | | BIG-IP may go offline after installing ASU file with insufficient disk space |
962249 | 4-Minor | BT962249 | Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm |
957461-3 | 4-Minor | BT957461 | Creating virtual server with IPv6 address or port list in destination should display source address in IPv6 format |
955593-3 | 4-Minor | BT955593 | "none" missing from the error string when snmp trap is configured with an invalid network type |
955057-3 | 4-Minor | BT955057 | UCS archives containing a large number of DNS zone files may fail to restore.★ |
946509 | 4-Minor | BT946509 | Time-limited key expiration not enforced |
944485-4 | 4-Minor | BT944485 | License activation through proxy server uses IP address in proxy CONNECT, not nameserver |
943597-3 | 4-Minor | BT943597 | 'Upper Bound' and 'Lower Bound' thresholds are not displayed in Connections line chart |
942401 | 4-Minor | BT942401 | After 'mosreboot', MOS fails to update grub default boot location back to TMOS |
939757-3 | 4-Minor | BT939757 | Deleting a virtual server might not trigger route injection update. |
939517-3 | 4-Minor | BT939517 | DB variable scheduler.minsleepduration.ltm changes to default value after reboot |
933809 | 4-Minor | BT933809 | Too many interrupts from console serial port starve TMM for CPU time |
931629-1 | 4-Minor | BT931629 | External trunk fdb entries might end up with internal MAC addresses. |
929813-1 | 4-Minor | BT929813 | "Error loading object from cursor" while updating a client SSL profile |
929173-1 | 4-Minor | BT929173 | Watchdog reset due to CPU stall detected by rcu_sched |
928665-1 | 4-Minor | BT928665 | Kernel nf_conntrack table might get full with large configurations. |
927441-2 | 4-Minor | BT927441 | Guest user not able to see virtual server details when ASM policy attached |
921369-2 | 4-Minor | BT921369 | Signature verification for logs fails if the log files are modified during log rotation |
921001-3 | 4-Minor | BT921001 | After provisioning change, pfmand might keep interfaces down on particular platforms |
918013-3 | 4-Minor | BT918013 | Log message with large wchan value |
915473-2 | 4-Minor | BT915473 | Accessing Dashboard page with AVR provisioned causes continuous audit logs |
915141-4 | 4-Minor | BT915141 | Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown' |
911713-2 | 4-Minor | BT911713 | Delay in Network Convergence with RSTP enabled |
906449-4 | 4-Minor | BT906449 | Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load |
904661-2 | 4-Minor | BT904661 | Mellanox NIC speeds may be reported incorrectly on Virtual Edition |
901985-4 | 4-Minor | BT901985 | Extend logging for incomplete HTTP requests |
896693-2 | 4-Minor | BT896693 | Patch installation is failing for iControl REST endpoint. |
896689-2 | 4-Minor | BT896689 | Asynchronous tasks can be managed via unintended endpoints |
893813-1 | 4-Minor | BT893813 | Modifying pool enables address and port translation in TMUI |
893093-4 | 4-Minor | BT893093 | An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing. |
884953-2 | 4-Minor | BT884953 | IKEv1 IPsec daemon racoon goes into an endless restart loop |
876249 | 4-Minor | BT876249 | Top command shows tmm 0.0% CPU usage under load |
869237-3 | 4-Minor | | Management interface might become unreachable when alternating between DHCP/static address assignment. |
860573-2 | 4-Minor | BT860573 | LTM iRule validation performance improvement by tracking procedure/event that have been validated |
858549-4 | 4-Minor | BT858549 | GUI does not allow IPv4-Mapped IPv6 Address to be assigned to self IPs |
857045-3 | 4-Minor | BT857045 | LDAP system authentication may stop working |
848681-5 | 4-Minor | BT848681 | Disabling the LCD on a VIPRION causes blade status lights to turn amber |
846521-5 | 4-Minor | BT846521 | Config script does not refresh management address entry properly when alternating between dynamic and static |
843293-2 | 4-Minor | BT843293 | When L7 performance FPGA is loaded, "tmsh show sys fpga" shows standard-balanced-fpga. |
838925-5 | 4-Minor | BT838925 | Rewrite URI translation profile can cause connection reset while processing malformed CSS content |
832665-2 | 4-Minor | BT832665 | The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5 |
832653 | 4-Minor | BT832653 | Azure scan table warnings can be ignored. |
828625-1 | 4-Minor | BT828625 | User shouldn't be able to configure two identical traffic selectors |
826297-1 | 4-Minor | BT826297 | Address list as source/destination for virtual server cannot be changed from tmsh |
826189-2 | 4-Minor | BT826189 | The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask. |
824205-1 | 4-Minor | BT824205 | GUI displays error when a virtual server is modified if it is using an address-list |
822253-3 | 4-Minor | BT822253 | After starting up, mcpd may have defunct child "run" and "xargs" processes |
819429-3 | 4-Minor | BT819429 | Unable to scp to device after upgrade: path not allowed |
819421-3 | 4-Minor | BT819421 | Unable to scp/sftp to device after upgrade★ |
818737-1 | 4-Minor | BT818737 | Improve error message if user did not select an address-list or port list in the GUI |
818417-2 | 4-Minor | BT818417 | Flowspecd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf. |
818297 | 4-Minor | BT818297 | OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure |
816353-1 | 4-Minor | BT816353 | Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1 |
809089-2 | 4-Minor | BT809089 | TMM crash after sessiondb ref_cnt overflow |
808481-4 | 4-Minor | BT808481 | Hertfordshire county missing from GTM Region list |
807309-2 | 4-Minor | BT807309 | Incorrect Active/Standby status in CLI Prompt after failover test |
805325-2 | 4-Minor | BT805325 | tmsh help text contains a reference to bigpipe, which is no longer supported |
800189-1 | 4-Minor | BT800189 | Changing log level may not increase logging to the verbosity expected |
795429-3 | 4-Minor | BT795429 | Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks. |
793077 | 4-Minor | BT793077 | Failed SSH logins no longer log entries into the audit log file |
784981-1 | 4-Minor | BT784981 | Modifying 'local-ip' for a remote syslog requires restarting syslog-ng |
766321-1 | 4-Minor | BT766321 | boot slots created on pre-14.x systems lack ACLs |
761981-2 | 4-Minor | BT761981 | Information in snmpd.conf files may be overwritten causing SNMP v3 queries to receive 'Unsupported security level' errors |
761084-3 | 4-Minor | BT761084 | Custom monitor fields appear editable for Auditor, Operator, or Guest |
760570 | 4-Minor | BT760570 | The BIG-IP installer fails to automatically detect installation media.★ |
759852-1 | 4-Minor | BT759852 | SNMP configuration for trap destinations can cause a warning in the log |
759606-2 | 4-Minor | BT759606 | REST error message is logged every five minutes on vCMP Guest |
759590-4 | 4-Minor | BT759590 | Creation of RADIUS authentication fails with service types other than 'authenticate only' |
758706-1 | 4-Minor | BT758706 | Importing a cert with an expiration time of 'Dec 31 23:59:59 9999' causes errors in the GUI |
758348-1 | 4-Minor | BT758348 | Cannot access GUI via hostname when it contains _ (underscore character) |
758105-3 | 4-Minor | BT758105 | Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml |
757167-1 | 4-Minor | BT757167 | TMM logs 'MSIX is not supported' error on vCMP guests |
756714-2 | 4-Minor | BT756714 | UIDs on /home directory are scrambled after upgrade★ |
756401-2 | 4-Minor | BT756401 | IKEv2 debug logging often omits SPI values that would identify the SAs involved |
755450-1 | 4-Minor | BT755450 | Memory leak when using lots of iApps |
755343-2 | 4-Minor | BT755343 | Phonehome_upload crashes when Automatic Phone Home is disabled |
753712-3 | 4-Minor | BT753712 | Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family. |
746152-1 | 4-Minor | BT746152 | Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column |
742105-2 | 4-Minor | BT742105 | Displaying network map with virtual servers is slow |
725591-1 | 4-Minor | BT725591 | Changing the management IP of an Active device in Device Service Cluster will cause Active/Active |
724994-4 | 4-Minor | | API requests with 'expandSubcollections=true' are very slow |
722647-4 | 4-Minor | BT722647 | The configuration of some of the Nokia alerts is incorrect |
714705-4 | 4-Minor | BT714705 | Excessive "The Service Check Date check was skipped" log messages. |
713183-3 | 4-Minor | BT713183 | Malformed JSON files may be present on vCMP host |
712241-2 | 4-Minor | BT712241 | A vCMP guest may not provide guest health stats to the vCMP host |
697329-1 | 4-Minor | BT697329 | Warning message: get_db failed for is_provisioned wam - returning not-provisioned. |
696363-2 | 4-Minor | BT696363 | Unable to create SNMP trap in the GUI |
694765-2 | 4-Minor | BT694765 | Changing the system's admin user causes vCMP host guest health info to be unavailable |
694595-1 | 4-Minor | BT694595 | Some process names may have last character truncated when viewing in iHealth |
689147-2 | 4-Minor | BT689147 | Confusing log messages on certain user/role/partition misconfiguration when using remote role groups |
675772-1 | 4-Minor | BT675772 | IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy |
674026-3 | 4-Minor | BT674026 | iSeries AOM web UI update fails to complete.★ |
673573-3 | 4-Minor | BT673573 | tmsh logs boost assertion when running child process and reaches idle-timeout |
659579-3 | 4-Minor | BT659579 | Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time |
646768-2 | 4-Minor | K71255118, BT646768 | vCMP Guest CM device name not set to hostname when deployed |
631083-4 | 4-Minor | BT631083 | Some files in home directory are overwritten on password change |
603693-3 | 4-Minor | K52239932, BT603693 | Brace matching in switch statement of iRules can fail if literal strings use braces |
550526-6 | 4-Minor | K84370515, BT550526 | Some time zones prevent configuring trust with a peer device using the GUI. |
539648-2 | 4-Minor | K45138318, BT539648 | Disabled db var Watchdog.State prevents vCMP guest activation. |
472645-1 | 4-Minor | BT472645 | Memory issues when there is a lot of data in /var/annotate (annotations for dashboard) |
447522-3 | 4-Minor | BT447522 | GUI: SNMPV3 Incorrectly requires "OID" when creating an SNMP user. |
1089005-2 | 4-Minor | BT1089005 | Dynamic routes might be missing in the kernel on secondary blades. |
1082193-1 | 4-Minor | BT1082193 | TMSH: Need to update the version info for SERVER_INIT in help page |
1080317-1 | 4-Minor | BT1080317 | Logged hostname not consistent when hostname contains "." |
1076253-4 | 4-Minor | BT1076253 | IKE library memory leak |
1072237-3 | 4-Minor | BT1072237 | Retrieval of policy action stats causes row handle leak |
1067617-2 | 4-Minor | BT1067617 | BGP default route not advertised after mid-session OPEN. |
1065821-2 | 4-Minor | BT1065821 | Cannot create an iRule with a newline between event and opening brace. |
1064753-2 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly. |
1062385-2 | 4-Minor | BT1062385 | BIG-IP has an incorrect limit on the number of monitored HA-group entries. |
1060769-3 | 4-Minor | BT1060769 | The /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints cannot be successfully parsed by common JSON libraries. |
1059441 | 4-Minor | BT1059441 | Upgrading with a configuration that contains objects with properties that override the TCP profile can result in incorrect property values being used.★ |
1057925-2 | 4-Minor | BT1057925 | GTP iRule generates a warning. |
1055053-2 | 4-Minor | BT1055053 | "tmsh load sys config default" does not clear ZebOS config files. |
1053037-4 | 4-Minor | BT1053037 | MCP error on loading a UCS archive with a global flow eviction policy |
1050413-2 | 4-Minor | BT1050413 | Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml. |
1044893-2 | 4-Minor | BT1044893 | Kernel warnings from NIC driver Realtek 8139 |
1041765-3 | 4-Minor | BT1041765 | Racoon may crash in rare cases |
1038449-1 | 4-Minor | BT1038449 | Crash is observed on MCP due to SIGABRT on process_free |
1036265-2 | 4-Minor | BT1036265 | Overlapping summary routes might not be advertised after ospf process restart. |
1035017-3 | 4-Minor | | Remove unused CA-bundles |
1034509-3 | 4-Minor | BT1034509 | Sensor read errors on VIPRION C2200 chassis |
1033969-1 | 4-Minor | BT1033969 | MPLS label stripping needs next protocol indicator |
1032921-2 | 4-Minor | BT1032921 | vCMP Guest CPU usage shows abnormal values at the Host |
1029173-2 | 4-Minor | BT1029173 | MCP daemon does not log an error message upon connection failure to PostgreSQL server. |
1025965-4 | 4-Minor | BT1025965 | Audit role users cannot see folder properties under sys-folder |
1024301-3 | 4-Minor | BT1024301 | Missing required logs for "tmsh modify disk directory" command |
1022297-2 | 4-Minor | BT1022297 | In BIG-IP GUI using "Select All" with filters is not working appropriately for policies |
1020109-3 | 4-Minor | BT1020109 | Subnet mask property of virtual addresses not displayed in management GUI |
1019141 | 4-Minor | BT1019141 | REST endpoint /mgmt/tm/ltm/pool does not set ratio-value to default when session value is updated to user-disabled |
1011217-2 | 4-Minor | BT1011217 | TurboFlex Profile setting reverts to turboflex-base after upgrade★ |
1011081-1 | 4-Minor | BT1011081 | Connection lost to the Postgres client during the BIG-IP bootup process |
1003469-3 | 4-Minor | BT1003469 | The BIG-IP GUI fails to reset the statistics for an IPv6 pool member and returns an error. |
1003081-1 | 4-Minor | BT1003081 | GRE/TB-encapsulated fragments are not forwarded. |
999673 | 5-Cosmetic | BT999673 | Message 'err sha256_generic module not installed' when booting up |
965457-3 | 5-Cosmetic | BT965457 | OSPF duplicate router detection might report false positives |
964421-3 | 5-Cosmetic | BT964421 | Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously' |
818777-3 | 5-Cosmetic | BT818777 | MCPD error - Trouble allocating MAC address for VLAN object |
769145-2 | 5-Cosmetic | BT769145 | Syncookie threshold warning is logged when the threshold is disabled |
761621-2 | 5-Cosmetic | BT761621 | Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members" |
679431-4 | 5-Cosmetic | BT679431 | In routing module the 'sh ipv6 interface <interface> brief' command may not show header |
1022421-2 | 5-Cosmetic | BT1022421 | Pendsect utility incorrectly starts on i2x00/i4x00 platform with non-WD disk |
1004413 | 5-Cosmetic | BT1004413 | DB variables for provisioning the modules are not loaded during BIG-IP upgrade★ |
Local Traffic Manager Issues
ID Number | Severity | Links to More Info | Description |
999669-3 | 2-Critical | BT999669 | Some HTTPS monitors are failing after upgrade when config has different SSL option★ |
967249-3 | 2-Critical | BT967249 | TMM may leak memory early during its startup process, and may continue to do so indefinitely. |
949137-4 | 2-Critical | BT949137 | Clusterd crash and vCMP guest failover |
944381-4 | 2-Critical | BT944381 | Dynamic CRL checking for client certificate is not working when TLS1.3 is used. |
938545-4 | 2-Critical | BT938545 | Oversize plugin Tcl object results can result in 0-length messages and plugin crash |
937649-2 | 2-Critical | BT937649 | Flow fwd broken with statemirror.verify enabled and source-port preserve strict |
935193 | 2-Critical | BT935193 | With APM and AFM provisioned, single logout (SLO) fails |
927633-3 | 2-Critical | BT927633 | Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic |
864897-1 | 2-Critical | BT864897 | TMM may crash when using "SSL::extensions insert" |
851385-4 | 2-Critical | BT851385 | Failover takes too long when traffic blade failure occurs |
841469-4 | 2-Critical | BT841469 | Application traffic may fail after an internal interface failure on a VIPRION system. |
835505-2 | 2-Critical | BT835505 | Tmsh crash potentially related to NGFIPS SDK |
833173-2 | 2-Critical | BT833173 | SFP interface flap on 2xxx/4xxx platform |
831161-3 | 2-Critical | BT831161 | An iRule before HTTP_REQUEST calling persist none can crash tmm |
824437-2 | 2-Critical | BT824437 | Chaining a standard virtual server and an ipother virtual server together can crash TMM. |
812269-1 | 2-Critical | BT812269 | TMM might crash with traffic while deleting a pool member |
807857-3 | 2-Critical | BT807857 | TMM can leak memory under specific traffic and iRule configurations. |
763145-1 | 2-Critical | BT763145 | TMM Crash when using certain HTTP iRules with HTTP Security Profile |
758491-1 | 2-Critical | BT758491 | When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys |
756789-1 | 2-Critical | BT756789 | TMM cores when receiving HTTP/2 request if mirroring is configured |
748558-1 | 2-Critical | BT748558 | Under unlikely circumstances, TMM hangs and is terminated by the failover daemon |
726900-1 | 2-Critical | BT726900 | Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters |
712534 | 2-Critical | BT712534 | DNSSEC keys are not generated when configured to use an external FIPS device |
663925-3 | 2-Critical | BT663925 | Virtual server state not updated with pool- or node-based connection limiting |
632553-4 | 2-Critical | K14947100, BT632553 | DHCP: OFFER packets from server are intermittently dropped |
625807-1 | 2-Critical | BT625807 | Tmm cores in bigproto_cookie_buffer_to_server |
474797-4 | 2-Critical | BT474797 | Nitrox crypto hardware may attempt soft reset while currently resetting |
1091021-4 | 2-Critical | BT1091021 | The BIG-IP system may take no fail-safe action when the bigd daemon becomes unresponsive. |
1086677-2 | 2-Critical | | TMM Crashes in xvprintf() because of NULL Flow Key |
1074517-3 | 2-Critical | BT1074517 | Tmm may core while adding/modifying traffic-class attached to a virtual server |
1073897-4 | 2-Critical | BT1073897 | TMM core due to memory corruption |
1073609-2 | 2-Critical | BT1073609 | Tmm may core while using reject iRule command in LB_SELECTED event. |
1071449-2 | 2-Critical | BT1071449 | Statsd memory leak on platforms with license disabled processors. |
1070181-1 | 2-Critical | BT1070181 | Secondary MCPD crashes with Configuration error |
1067669-3 | 2-Critical | BT1067669 | TCP/UDP virtual servers drop all incoming traffic. |
1048097-1 | 2-Critical | BT1048097 | Under certain conditions, using the HTTP::retry iRule command causes TMM to crash. |
1047581-1 | 2-Critical | BT1047581 | Ramcache can crash when serving files from the hot cache |
1039145-5 | 2-Critical | BT1039145 | Tenant mirroring channel disconnects with peer and never reconnects after failover. |
1030185-2 | 2-Critical | BT1030185 | TMM may crash when looking up a persistence record using "persist lookup" iRule commands |
1024241-3 | 2-Critical | BT1024241 | NULL TLS records from client to BIG-IP results in SSL session termination |
1020645-3 | 2-Critical | BT1020645 | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered |
999881-3 | 3-Major | BT999881 | Tcl command 'string first' not working if payload contains Unicode characters. |
998253-1 | 3-Major | BT998253 | SNI configuration is not sent via HTTPS when in-tmm monitors are disabled |
996785-1 | 3-Major | BT996785 | NGFIPS device lockup can cause mcpd crash |
996649-3 | 3-Major | BT996649 | Improper handling of DHCP flows leading to orphaned server-side connections |
995201-3 | 3-Major | BT995201 | IP fragments for the same flow are dropped if they are received on different VLANs and route domains. |
994081-3 | 3-Major | BT994081 | Traffic may be dropped with an Immediate idle timeout setting. |
993517-4 | 3-Major | BT993517 | Loading an upgraded config can result in a file object error in some cases |
991501-2 | 3-Major | BT991501 | Pool members with HTTPS monitor may be incorrectly marked down. |
991265-1 | 3-Major | BT991265 | Persistence entries point to the wrong servers for longer periods of time |
985925-4 | 3-Major | BT985925 | IPv6 Routing Header processing not compatible as per Segments Left value. |
985749-4 | 3-Major | BT985749 | TCP exponential backoff algorithm does not comply with RFC 6298 |
985401-4 | 3-Major | BT985401 | ProxySSL virtual servers should work with web acceleration (ramcache) profiles attached |
984897-4 | 3-Major | BT984897 | Some connections performing SSL mirroring are not handled correctly by the Standby unit. |
978953-1 | 3-Major | BT978953 | The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up |
976525-2 | 3-Major | BT976525 | Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled |
976101-1 | 3-Major | BT976101 | TMM crash after deleting an interface from a virtual wire vlan |
975725-2 | 3-Major | BT975725 | Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast |
974501-3 | 3-Major | BT974501 | Excessive memory usage by mirroring subsystem when remirroring |
971217-3 | 3-Major | BT971217 | AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations. |
968949-4 | 3-Major | BT968949 | Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile |
968509 | 3-Major | | Response headers are not parsed correctly, causing subsequent requests to stall at BIG-IP |
967425-3 | 3-Major | | mcp error: 0x1020036 at ../mcp/db_pool.c:461 |
967353-4 | 3-Major | BT967353 | HTTP proxy should trim spaces between a header field-name and colon in its downstream responses. |
966785-3 | 3-Major | BT966785 | Rate Shaping stops TCP retransmission |
963241-1 | 3-Major | BT963241 | Standby unit shows a high number of total connections after enabling mirroring. |
962913-3 | 3-Major | BT962913 | The number of native open connections in the SSL profile is higher than expected |
961653-1 | 3-Major | BT961653 | Unable to retrieve DNS link statistics via SNMP OID gtmLinkStatRate |
961001-3 | 3-Major | BT961001 | ARP requests not resolved for snatpool members when primary blade goes offline |
958785-4 | 3-Major | BT958785 | FTP data transfer does not complete after QUIT signal |
956109-3 | 3-Major | BT956109 | Modifying a traffic-matching-criteria with a port-list during a full sync may result in an incorrect configuration on the sync target |
953601-2 | 3-Major | BT953601 | HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions |
950005-3 | 3-Major | BT950005 | TCP connection is not closed when necessary after HTTP::respond iRule |
948985 | 3-Major | BT948985 | Workaround to address Nitrox 3 compression engine hang |
948065-4 | 3-Major | BT948065 | DNS Responses egress with an incorrect source IP address. |
947125-3 | 3-Major | BT947125 | Unable to delete monitors after certain operations |
945601-3 | 3-Major | BT945601 | An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions. |
945189-1 | 3-Major | BT945189 | HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA★ |
944173-3 | 3-Major | BT944173 | SSL monitor stuck does not change TLS version |
942217-2 | 3-Major | BT942217 | Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available' |
938561 | 3-Major | BT938561 | TMM SIGSEGV |
938309-3 | 3-Major | BT938309 | In-TMM Monitors time out unexpectedly |
937769-3 | 3-Major | BT937769 | SSL connection mirroring failure on standby with sslv2 records |
937573-4 | 3-Major | BT937573 | Connections drop in virtual server with Immediate Action On Service Down set to Drop |
936441-3 | 3-Major | BT936441 | Nitrox5 SDK driver logging messages |
935793-3 | 3-Major | BT935793 | With mirroring enabled on a SIP virtual server, connections on the standby are reset with MBLB internal error (Routing problem)★ |
934697-2 | 3-Major | BT934697 | Route domain not reachable (strict mode) |
934017 | 3-Major | BT934017 | Problems may occur after creating a node named '_auto_<IP address>' |
932857-3 | 3-Major | BT932857 | Delays marking Nodes or Pool Members DOWN with in-TMM monitoring |
932825-3 | 3-Major | BT932825 | Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device |
932461-2 | 3-Major | BT932461 | Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate. |
928445-2 | 3-Major | BT928445 | HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2 |
928137 | 3-Major | BT928137 | Unsupported key type error on FIPS card while creating keys |
927713-5 | 3-Major | BT927713 | Clsh reboot hangs when executed from the primary blade. |
927589-4 | 3-Major | BT927589 | ILX::call command response gets truncated |
926513-3 | 3-Major | BT926513 | HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected. |
922641-2 | 3-Major | BT922641 | Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow |
922413-3 | 3-Major | BT922413 | Excessive memory consumption with ntlmconnpool configured |
921541-4 | 3-Major | BT921541 | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. |
920789-4 | 3-Major | BT920789 | UDP commands in iRules executed during FLOW_INIT event fail |
920285-2 | 3-Major | BT920285 | WS::disconnect may result in TMM crash under certain conditions |
920205-1 | 3-Major | BT920205 | Rate shaping might suppress TCP RST |
918277-4 | 3-Major | BT918277 | Slow Ramp does not take into account pool members' ratio weights |
914061-3 | 3-Major | BT914061 | BIG-IP may reject a POST request if it comes first and exceeds the initial window size |
912293-1 | 3-Major | BT912293 | Persistence might not work properly on virtual servers that utilize address lists |
910673-2 | 3-Major | BT910673 | Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM' |
910273-4 | 3-Major | BT910273 | SSL Certificate version always displays as '1' in the GUI |
910105-2 | 3-Major | BT910105 | Partial HTTP/2 payload may freeze on the BIG-IP system |
909997-1 | 3-Major | BT909997 | Virtual server status displays as unavailable when it is accepting connections |
909677-4 | 3-Major | BT909677 | HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted |
907177-4 | 3-Major | BT907177 | Priority of embedded APM iRules is ignored |
906653-4 | 3-Major | BT906653 | Server side UDP immediate idle-timeout drops datagrams |
905477-4 | 3-Major | BT905477 | The sdmd daemon cores during config sync when multiple devices configured for iRules LX |
904625-4 | 3-Major | BT904625 | Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices to go out of sync |
903581-2 | 3-Major | BT903581 | The pkcs11d process cannot recover under certain error condition |
901569-2 | 3-Major | BT901569 | Loopback traffic might get dropped when VLAN filter is enabled for a virtual server. |
898733-1 | 3-Major | BT898733 | SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM |
898685-2 | 3-Major | BT898685 | Order of ciphers changes after updating cipher group |
897185-1 | 3-Major | BT897185 | Resolver cache not using random port distribution |
896245-1 | 3-Major | BT896245 | Inconsistency is observed in ARP behavior across releases |
895649-3 | 3-Major | BT895649 | Improve TCP analytics goodput reports |
895205-4 | 3-Major | BT895205 | A circular reference in rewrite profiles causes MCP to crash |
895165-4 | 3-Major | BT895165 | Traffic-matching-criteria with "any" protocol overlaps with explicit protocols |
892801-4 | 3-Major | BT892801 | When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent" |
891145-3 | 3-Major | BT891145 | TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal |
887265-1 | 3-Major | BT887265 | BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration★ |
887045-4 | 3-Major | BT887045 | The session key does not get mirrored to standby. |
885325-4 | 3-Major | BT885325 | Stats might be incorrect for iRules that get executed a large number of times |
883133-1 | 3-Major | BT883133 | TLS_FALLBACK_SCSV with TLS1.3 |
883049-4 | 3-Major | BT883049 | Statsd can deadlock with rrdshim if an rrd file is invalid |
882725-3 | 3-Major | BT882725 | Mirroring not working properly when default route VLAN names do not match. |
881937-3 | 3-Major | BT881937 | TMM and the kernel choose different VLANs as source IPs when using IPv6. |
881065-2 | 3-Major | BT881065 | Adding port-list to Virtual Server changes the route domain to 0 |
881041-1 | 3-Major | BT881041 | BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server. |
878253-3 | 3-Major | BT878253 | LB::down no longer sends an immediate monitor probe |
876569-4 | 3-Major | BT876569 | QAT compression codec produces gzip stream with CRC error |
876145-2 | 3-Major | BT876145 | Nitrox5 failure on vCMP guest results in all crypto requests failing. |
874877-3 | 3-Major | BT874877 | Bigd monitor reports misleading error messages |
874317-3 | 3-Major | BT874317 | Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN |
873677-5 | 3-Major | BT873677 | LTM policy matching does not work as expected |
871045-3 | 3-Major | BT871045 | IP fragments are disaggregated to separate TMMs with hardware syncookies enabled |
868033-3 | 3-Major | BT868033 | SSL "passive-close" option is unused and should be removed |
867985-2 | 3-Major | BT867985 | LTM policy with a 'shutdown' action incorrectly allows iRule execution |
864649-1 | 3-Major | BT864649 | The client-side connection of a dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table |
863165-1 | 3-Major | BT863165 | Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members. |
862069-3 | 3-Major | BT862069 | Using non-standard HTTPS and SSH ports fails under certain conditions |
862001-3 | 3-Major | BT862001 | Improperly configured NTP server can result in an undisciplined clock stanza |
860277-2 | 3-Major | BT860277 | Default value of TCP Profile Proxy Buffer High Low changed in 14.1 |
852325-3 | 3-Major | BT852325 | HTTP2 does not support Global SNAT |
851121-3 | 3-Major | BT851121 | Database monitor DBDaemon debug logging not enabled consistently |
851101-2 | 3-Major | BT851101 | Unable to establish active FTP connection with custom FTP filter |
846977-3 | 3-Major | BT846977 | TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★ |
846873-3 | 3-Major | BT846873 | Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure |
844421 | 3-Major | BT844421 | Cipher ordering in cipher rules can be wrong |
843317-1 | 3-Major | BT843317 | The iRules LX workspace imported with incorrect SELinux contexts |
842425-3 | 3-Major | BT842425 | Mirrored connections on standby are never removed in certain configurations |
842137-5 | 3-Major | BT842137 | Keys cannot be created on module protected partitions when strict FIPS mode is set |
841369-1 | 3-Major | BT841369 | HTTP monitor GUI displays incorrect green status information |
841341-4 | 3-Major | BT841341 | IP forwarding virtual server does not pick up any traffic if destination address is shared. |
840785-3 | 3-Major | BT840785 | Update documented examples for REST::send to use valid REST endpoints |
832133-3 | 3-Major | BT832133 | In-TMM monitors fail to match certain binary data in the response from the server. |
827441-1 | 3-Major | BT827441 | Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail |
824433-1 | 3-Major | BT824433 | Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile |
823825-5 | 3-Major | BT823825 | Renaming high availability (HA) VLAN can disrupt state-mirror connection |
818789-5 | 3-Major | BT818789 | Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile |
818097-4 | 3-Major | BT818097 | Plane CPU stats too high after primary blade failover in multi-blade chassis |
816205-3 | 3-Major | BT816205 | IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side |
815405-4 | 3-Major | BT815405 | GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI) |
815089-3 | 3-Major | BT815089 | On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations |
813673-2 | 3-Major | BT813673 | The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT to IPv4 targets. |
812693-2 | 3-Major | BT812693 | Connection in FIN_WAIT_2 state may fail to be removed |
812497-1 | 3-Major | BT812497 | VE rate limit should not count packet that does not have a matched vlan or matched MAC address |
808017-2 | 3-Major | BT808017 | When using a variable as the only parameter to the iRule persist command, the iRule validation fails |
805561-4 | 3-Major | BT805561 | Change of pool configuration in OneConnect environment can impact active traffic |
801549-3 | 3-Major | BT801549 | Persist records do not expire properly if mirroring is configured incorrectly |
801541-2 | 3-Major | BT801541 | Persist records do not expire properly if HA peer is unavailable |
795933-2 | 3-Major | BT795933 | A pool member's cur_sessions stat may incorrectly not decrease for certain configurations |
795285 | 3-Major | BT795285 | Key creation on non-existing NetHSM partition stays in create-fail loop for CloudHSM |
794505-3 | 3-Major | BT794505 | OSPFv3 IPv4 address family route-map filtering does not work |
794385-2 | 3-Major | BT794385 | BGP sessions may be reset after CMP state change |
787973-3 | 3-Major | BT787973 | Potential memory leak when software crypto request is canceled. |
785361-1 | 3-Major | BT785361 | In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped |
784565-2 | 3-Major | BT784565 | VLAN groups are incompatible with fast-forwarded flows |
783145-4 | 3-Major | BT783145 | Pool gets disabled when one of its pool members with monitor session is disabled |
780857-3 | 3-Major | BT780857 | HA failover network disruption when cluster management IP is not in the list of unicast addresses |
779633-1 | 3-Major | BT779633 | BIG-IP system reuses serverside TIME_WAIT connections irrespective of TMMs used |
779137-2 | 3-Major | BT779137 | Using a source address list for a virtual server does not preserve the destination address prefix |
778501-1 | 3-Major | BT778501 | LB_FAILED does not fire on failure of HTTP/2 server connection establishment |
774817-2 | 3-Major | BT774817 | ICMP packets are intermittently forwarded out of both VLAN group members |
773229-2 | 3-Major | BT773229 | Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances |
767217-2 | 3-Major | BT767217 | Under certain conditions when deleting an iRule, an incorrect dependency error is seen |
766601 | 3-Major | BT766601 | SSL statistics are updated even in forward proxy bypass |
766593-1 | 3-Major | BT766593 | RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20 |
763093-3 | 3-Major | BT763093 | LRO packets are not taken into account for ifc_stats (VLAN stats) |
761869-3 | 3-Major | BT761869 | WMI monitor may return negative values |
761389-1 | 3-Major | BT761389 | Disabled Virtual Server Dropping the Virtual Wire traffic |
758596-2 | 3-Major | BT758596 | Unable to associate cipher group with long name profile |
758006-1 | 3-Major | BT758006 | Thales nethsm-thales-rfs-install.sh script failing with / partition full |
757505-3 | 3-Major | BT757505 | peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket |
757431-1 | 3-Major | BT757431 | mcpd process killed after upgrade from 12.1.3★ |
757369-1 | 3-Major | BT757369 | HTTP monitor with a configured username/password fails when in-tmm monitoring is enabled |
757029-2 | 3-Major | BT757029 | Ephemeral pool members may not be created after config load or reboot |
756313-2 | 3-Major | BT756313 | SSL monitor continues to mark pool member down after restoring services |
755791-2 | 3-Major | BT755791 | UDP monitor not behaving properly on different ICMP reject codes. |
755631-1 | 3-Major | BT755631 | UDP / DNS monitor marking node down |
754604-2 | 3-Major | BT754604 | iRule: [string first] returns incorrect results when string2 contains null |
753526-1 | 3-Major | BT753526 | IP::addr iRule command does not allow single digit mask |
753482-1 | 3-Major | BT753482 | Proxy initialization fails/port denied when excessively large max header size is set in the HTTP/1 profile |
753159-1 | 3-Major | BT753159 | Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections |
752858-1 | 3-Major | BT752858 | HTTP commands do not return an error when called from an invalid state |
752766-1 | 3-Major | BT752766 | The BIG-IP system might fail to read SFPs after a reboot |
751451-3 | 3-Major | BT751451 | When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles |
750705-2 | 3-Major | BT750705 | LTM logs are filled with error messages while creating/deleting virtual wire configuration |
750204-3 | 3-Major | BT750204 | Add support for P-521 curve in the X.509 chain to SSL LTM |
749519-1 | 3-Major | BT749519 | Error messages seen while running "run sys crypto nethsm-test" tool |
748886-2 | 3-Major | BT748886 | Virtual server stops passing traffic after modification |
748529-1 | 3-Major | BT748529 | BIG-IP Virtual Edition with cloudhsm integration needs to restart tmm after a fresh install |
748052-1 | 3-Major | BT748052 | pkcs11 test utility is failing when running nethsm-test on BIG-IP systems configured for AWS CloudHSM |
745545-1 | 3-Major | BT745545 | CMP forwarded LRO host packets do not restore LRO flag |
745291-2 | 3-Major | BT745291 | The BIG-IP HTTP2 filter makes inappropriate assumptions about requests and responses without content lengths |
742838-1 | 3-Major | BT742838 | A draft policy of an existing published policy cannot be modified if it is in /Common and is used by a virtual server in a different partition |
740977-1 | 3-Major | BT740977 | Tracert and traceroute from client does not display route path |
739475-4 | 3-Major | BT739475 | Site-Local IPv6 Unicast Addresses support. |
738450-1 | 3-Major | BT738450 | Parsing pool members as variables with IP tuple syntax |
723306-1 | 3-Major | BT723306 | Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition |
718288-2 | 3-Major | BT718288 | MCPD might crash on secondary blades when DNSSEC client-facing SOA zone serial not updated |
709952-2 | 3-Major | BT709952 | Disallow DHCP relay traffic to traverse between route domains |
709381-2 | 3-Major | BT709381 | iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out. |
700639-4 | 3-Major | BT700639 | The default value for the syncookie threshold is not set to the correct value |
686395-2 | 3-Major | BT686395 | With DTLS version1, when client hello uses version1.2, handshake shall proceed |
668459-3 | 3-Major | BT668459 | Asymmetric transparent nexthop traffic only updates ingress interface |
598707-6 | 3-Major | BT598707 | Path MTU does not work in self-IP flows |
574762-1 | 3-Major | | Forwarding flows leak when a routing update changes the egress vlan |
512490-12 | 3-Major | BT512490 | Increased latency during connection setup when using FastL4 profile and connection mirroring. |
505037-5 | 3-Major | K01993279, BT505037 | Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop |
369640-5 | 3-Major | K17195 | iRules might return incorrect data when multiple partitions and/or folders contain objects with the same name |
315765-3 | 3-Major | BT315765 | The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled. |
1091969-1 | 3-Major | BT1091969 | iRule 'virtual' command does not work for connections over virtual-wire. |
1091785-4 | 3-Major | BT1091785 | DBDaemon restarts unexpectedly and/or fails to restart under heavy load |
1088597-4 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances |
1088173-1 | 3-Major | BT1088173 | With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile |
1087569-2 | 3-Major | BT1087569 | Changing max header table size according to HTTP2 profile value may cause stream/connection to terminate |
1086473-1 | 3-Major | BT1086473 | BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake |
1083989-3 | 3-Major | BT1083989 | TMM may restart if abort arrives during MBLB iRule execution |
1083621-3 | 3-Major | BT1083621 | The virtio driver uses an incorrect packet length |
1083589-1 | 3-Major | BT1083589 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. |
1082225-2 | 3-Major | BT1082225 | Tmm may core while adding/modifying traffic-class attached to a virtual server. |
1080985-3 | 3-Major | | Route Domain ID specified in Address list does not take effect on virtual server IP via TMC. |
1079769-3 | 3-Major | BT1079769 | Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers |
1079237-3 | 3-Major | BT1079237 | After certain configuration tasks are performed, TMM may run with stale SNAT translation parameters. |
1077553-1 | 3-Major | BT1077553 | Traffic matches the wrong virtual server after modifying the port matching configuration |
1076577-1 | 3-Major | BT1076577 | iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' |
1075045-3 | 3-Major | BT1075045 | Proxy initialization failed, Defaulting to DENY, after applying additional profile to a virtual server |
1074505-3 | 3-Major | BT1074505 | Traffic classes are not attached to virtual server at TMM start |
1072953-1 | 3-Major | BT1072953 | Memory leak in traffic management interface. |
1071385-1 | 3-Major | BT1071385 | SSL session resumption using session tickets is incorrectly logging handshake failure messages |
1070957-3 | 3-Major | BT1070957 | Database monitor log file backups cannot be rotated normally. |
1068673-1 | 3-Major | BT1068673 | SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. |
1068445-3 | 3-Major | BT1068445 | TCP duplicate acks are observed in speed tests for larger requests |
1067469-2 | 3-Major | BT1067469 | Discrepancy in virtual server stats with LRO enabled. |
1065429-1 | 3-Major | BT1065429 | LACP trunks flap continuously when used in virtual-wire configuration |
1065013-2 | 3-Major | BT1065013 | Tmm crash with iRuleLX plugin in use |
1063977-1 | 3-Major | BT1063977 | Tmsh load sys config merge fails with "basic_string::substr" for non-existing key. |
1063865-4 | 3-Major | BT1063865 | Blade remains in an INOPERATIVE state after being moved to new chassis. |
1063453-3 | 3-Major | BT1063453 | FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. |
1059573-2 | 3-Major | BT1059573 | Variation in a case insensitive value of an operand in LTM policy may fail in some rules. |
1056401-2 | 3-Major | BT1056401 | Valid clients connecting under active syncookie mode might experience latency. |
1053741-2 | 3-Major | BT1053741 | Bigd may exit and restart abnormally without logging a reason |
1053149-3 | 3-Major | BT1053149 | A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. |
1051153-2 | 3-Major | BT1051153 | DHCP fails intermittently when the connection is through BIG-IP. |
1046717-1 | 3-Major | BT1046717 | Tmm crash when utilizing one-connect with inband monitors and ECMP or pool routes. |
1043985-3 | 3-Major | BT1043985 | After editing an iRule, the execution order might change. |
1043805-1 | 3-Major | BT1043805 | ICMP traffic over NAT does not work properly. |
1043009-2 | 3-Major | BT1043009 | TMM dump capture for compression engine hang |
1042913-1 | 3-Major | BT1042913 | Pkcs11d CPU utilization jumps to 100% |
1040957-3 | 3-Major | BT1040957 | The ipother profile can be used with incompatible profiles in a virtual server |
1040045-1 | 3-Major | BT1040045 | Unable to delete trunk member on a VCMP guest |
1040017-2 | 3-Major | BT1040017 | Final ACK validation during flow accept might fail with hardware SYN Cookie |
1039277-2 | 3-Major | BT1039277 | TMM core |
1037645-3 | 3-Major | BT1037645 | TMM may crash under memory pressure when using iRule 'AES::key' command |
1036169-2 | 3-Major | BT1036169 | VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". |
1036093-2 | 3-Major | BT1036093 | Tmm sends out neighbor advertisements for the link local addresses even if IPv6 is disabled |
1036013-1 | 3-Major | BT1036013 | BIG-IP systems may terminate connections prematurely when a TLS close-notify alert is received |
1034953-1 | 3-Major | BT1034953 | In explicit proxy, HTTP_STATCODE missing from syslog |
1033537-2 | 3-Major | BT1033537 | Cookie persistence profile only examines the first cookie. |
1032013-1 | 3-Major | | Traffic source port is changing on egress |
1029069-3 | 3-Major | | Non-ASCII characters are not displayed correctly. |
1025089-4 | 3-Major | BT1025089 | Pool members marked down by database monitor due to stale cached connection |
1024225-2 | 3-Major | BT1024225 | BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request |
1023529-3 | 3-Major | BT1023529 | FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory. |
1022453-1 | 3-Major | BT1022453 | IPv6 fragments are dropped when packet filtering is enabled. |
1022429 | 3-Major | BT1022429 | Unexpected tmm core |
1021837-1 | 3-Major | BT1021837 | When a virtual server has an inline service profile configured, connections will be reset with cause "No server selected" |
1020069-3 | 3-Major | BT1020069 | Equinix SmartKey HSM is not working with nethsm-partition 'fortanix' |
1019641-2 | 3-Major | BT1019641 | SCTP INIT_ACK not forwarded |
1019261-3 | 3-Major | BT1019261 | In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile. |
1018765-3 | 3-Major | BT1018765 | Changing the sshd port breaks some BIG-IP utilities on a multi-bladed system |
1017885-3 | 3-Major | BT1017885 | Wildcard server-name does not match multiple labels in FQDN |
1017801-4 | 3-Major | BT1017801 | Internal listeners (cgc, ftp data, etc) all share the same listener_key stats |
1017721-2 | 3-Major | BT1017721 | WebSocket does not close cleanly when SSL enabled. |
1017421-2 | 3-Major | BT1017421 | SASP Monitor does not log significant error conditions at default logging level |
1017029-2 | 3-Major | BT1017029 | SASP monitor does not identify specific cause of failed SASP Registration attempt |
1016921-1 | 3-Major | BT1016921 | SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled |
1016909-3 | 3-Major | BT1016909 | BIG-IP iRule commands FLOW::this or FLOW::peer can create zombie flows. |
1016589-4 | 3-Major | BT1016589 | Incorrect expression in STREAM::expression might cause a tmm crash |
1015817-4 | 3-Major | BT1015817 | Flows rejected due to no return route do not increment rejection stats |
1014633-2 | 3-Major | BT1014633 | Transparent / gateway monitors may fail if there is no route to a node |
1013209-3 | 3-Major | BT1013209 | BIG-IP components relying on ca-bundle.crt may stop working after upgrade★ |
1012813-4 | 3-Major | BT1012813 | Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" |
1012009-2 | 3-Major | BT1012009 | MQTT Message Routing virtual may result in TMM crash |
1010209-4 | 3-Major | BT1010209 | BIG-IP configuration allows literal CR and LF characters in LTM monitor send and recv strings |
1006157-5 | 3-Major | BT1006157 | FQDN nodes not repopulated immediately after 'load sys config' |
1004689-2 | 3-Major | BT1004689 | TMM might crash when pool routes with recursive nexthops and reselect option are used. |
1004609-3 | 3-Major | | SSL forward proxy virtual server may set empty SSL session_id in server hello. |
1004445-3 | 3-Major | BT1004445 | Warning not generated when maximum prefix limit is exceeded. |
1000561-2 | 3-Major | BT1000561 | Chunk size incorrectly passed to client-side |
1000069-4 | 3-Major | BT1000069 | Virtual server does not create the listener |
999709-3 | 4-Minor | BT999709 | iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2. |
994269-3 | 4-Minor | BT994269 | Message: 'double flow removal' in LTM log file |
990173-4 | 4-Minor | BT990173 | Dynconfd repeatedly sends the same mcp message to mcpd |
987885-3 | 4-Minor | BT987885 | Half-open unclean SSL termination might not close the connection properly |
987401-4 | 4-Minor | BT987401 | Increased TMM memory usage on standby unit after pool flap |
982993-3 | 4-Minor | BT982993 | Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail |
962181-3 | 4-Minor | BT962181 | iRule POLICY command fails in server-side events |
956025-3 | 4-Minor | BT956025 | HTTP profile response-chunking "unchunk" option does not remove Content-Length from response header |
950729 | 4-Minor | BT950729 | URI::basename iRule command may include the semicolon and additional characters. |
947937-3 | 4-Minor | BT947937 | HTTP iRule commands may fail to execute within the "fallback-host" HTTP profile field. |
947745-4 | 4-Minor | BT947745 | Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error |
942793-3 | 4-Minor | BT942793 | BIG-IP system cannot accept STARTTLS command with trailing white space |
940837-1 | 4-Minor | BT940837 | The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2. |
932553-3 | 4-Minor | BT932553 | An HTTP request is not served when a remote logging server is down |
932045-1 | 4-Minor | BT932045 | Memory leak when creating/deleting LTM node object |
931469-5 | 4-Minor | BT931469 | Redundant socket close when half-open monitor pings |
929429-4 | 4-Minor | BT929429 | Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed |
922005-5 | 4-Minor | BT922005 | Stats on a certain counter for web-acceleration profile may show excessive value |
921993-4 | 4-Minor | BT921993 | LTM policy with a 'contains' operator does not work as expected when using an external data group. |
921477-4 | 4-Minor | BT921477 | Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup. |
916485-4 | 4-Minor | BT916485 | Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object |
914589-3 | 4-Minor | BT914589 | VLAN Failsafe timeout is not always respected |
911853-4 | 4-Minor | BT911853 | Stream filter chunk-size limits filter to a single match per ingress buffer |
910965-3 | 4-Minor | BT910965 | Overflow of Multicast table filling the tmm log |
904537-4 | 4-Minor | BT904537 | The csyncd process may keep trying to sync the GeoIP database to a secondary blade |
901485-3 | 4-Minor | BT901485 | HTTP_RESPONSE_RELEASE is not raised for HTTP early response |
898753-3 | 4-Minor | BT898753 | Multicast control-plane traffic requires handling with AFM policies |
898201-4 | 4-Minor | BT898201 | Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server. |
880697-3 | 4-Minor | BT880697 | URI::query command returning fragment part, instead of query part |
869565-4 | 4-Minor | BT869565 | Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN |
869553-3 | 4-Minor | BT869553 | HTTP2::disable fails for server side allowing HTTP/2 traffic |
858309-1 | 4-Minor | BT858309 | Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart |
844337-2 | 4-Minor | BT844337 | Tcl error log improvement for node command |
838405-1 | 4-Minor | BT838405 | Listener traffic-group may not be updated properly when spanning is in use. |
834217-5 | 4-Minor | BT834217 | Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window. |
832233-3 | 4-Minor | BT832233 | The iRule regexp command issues an incorrect warning |
829021-4 | 4-Minor | BT829021 | BIG-IP does not account for the presence of an http2 profile when response payload is modified |
818721-1 | 4-Minor | BT818721 | Virtual address can be deleted while it is in use by an address-list. |
807397-2 | 4-Minor | BT807397 | iRules ending with a comment cause config verification to fail |
802721-2 | 4-Minor | BT802721 | Virtual Server iRule does not match an External Data Group key that's 128 characters long |
787905-4 | 4-Minor | BT787905 | Improve initializing TCP analytics for FastL4 |
783969 | 4-Minor | BT783969 | An invalid SSL close_notify might be sent in some cases. |
781113-1 | 4-Minor | BT781113 | Support to enable/disable reusing serverside TIME_WAIT connections |
774261-1 | 4-Minor | BT774261 | PVA client-side current connections stat does not decrease properly |
774173-2 | 4-Minor | BT774173 | WebUI - Cipher Group preview causes high availability (HA) sync state to become Changes Pending |
763197-3 | 4-Minor | BT763197 | Flows not mirrored on wildcard Virtual Server with opaque VLAN group |
760590-2 | 4-Minor | BT760590 | TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server |
758704 | 4-Minor | BT758704 | Excessive 'GuestInfoAddNicEntry: NIC limit (16) reached' logging |
758435-1 | 4-Minor | BT758435 | Ordinal value in LTM policy rules sometimes does not work as expected★ |
742603-1 | 4-Minor | BT742603 | WebSocket Statistics are updated to differentiate between client and server sides |
738045-5 | 4-Minor | BT738045 | HTTP filter complains about invalid action in the LTM log file. |
722534-1 | 4-Minor | BT722534 | load sys config merge not supported for iRulesLX |
688397-1 | 4-Minor | BT688397 | Reset causes for HTTP/2 streams are not recorded |
683534-4 | 4-Minor | BT683534 | 'tmsh show sys connection' command prompt displaying 4 billion connections is misleading |
640374-1 | 4-Minor | BT640374 | DHCP statistics are incorrect |
562808-2 | 4-Minor | K08689048, BT562808 | TMM might core when renaming an existing pool containing pool members |
544958-1 | 4-Minor | BT544958 | Monitors packets are sent even when pool member is 'Forced Offline'. |
1093545-2 | 4-Minor | BT1093545 | Attempts to create illegal virtual-server may lead to mcpd crash. |
1080341-2 | 4-Minor | BT1080341 | Changing an L2-forward virtual to any other virtual type might not update the configuration. |
1067025-2 | 4-Minor | BT1067025 | Rate-shaping + immediate timeout causing connection to stall. |
1064725-2 | 4-Minor | BT1064725 | False alarm log message on ltm as CHMAN request for tag:19 as failed. |
1064669-3 | 4-Minor | BT1064669 | Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. |
1037153-4 | 4-Minor | BT1037153 | iRule "log" command to remote destinations may cause TMM to leak memory |
1035757-2 | 4-Minor | BT1035757 | iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_* |
1034865-4 | 4-Minor | BT1034865 | CACHE::enable failed on private/no-store content |
1031673 | 4-Minor | BT1031673 | TLS 1.3 cipher suites listed in the wrong order on GUI and TMSH. |
1030533-3 | 4-Minor | BT1030533 | The BIG-IP system may reject valid HTTP responses from OCSP servers. |
1027805-2 | 4-Minor | BT1027805 | DHCP flows crossing route-domain boundaries might fail. |
1016045-2 | 4-Minor | BT1016045 | OOPS logging may appear during active FTP if the port command forces a cmp_redirection and a quit follows. |
1015793-3 | 4-Minor | BT1015793 | Length value returned by TCP::payload is signed and can appear negative |
1015117-2 | 4-Minor | BT1015117 | Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used |
1013937-3 | 4-Minor | BT1013937 | In-TMM HTTP and HTTPS monitors require RFC-compliant send strings to work. |
1011889-3 | 4-Minor | BT1011889 | The BIG-IP system does not handle DHCPv6 fragmented traffic properly |
1004953-2 | 4-Minor | BT1004953 | HTTP does not fall back to HTTP/1.1★ |
979213-3 | 5-Cosmetic | BT979213 | Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. |
968581-3 | 5-Cosmetic | BT968581 | TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description |
897437-3 | 5-Cosmetic | BT897437 | First retransmission might happen after syn-rto-base instead of minimum-rto. |
Performance Issues
ID Number | Severity | Links to More Info | Description |
1004633-4 | 2-Critical | BT1004633 | Performance degradation on KVM and VMware platforms. |
948417-5 | 3-Major | BT948417 | Network Management Agent (Azure NMAgent) updates cause Kernel Panic |
747960-2 | 4-Minor | BT747960 | BIG-IP VE with 1nic does not handle fragmented traffic to webui or ssh properly |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Links to More Info | Description |
993921-1 | 2-Critical | BT993921 | TMM SIGSEGV |
940733-2 | 2-Critical | K29290121, BT940733 | Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt★ |
913729-4 | 2-Critical | BT913729 | Support for DNSSEC Lookaside Validation (DLV) has been removed. |
887681-2 | 2-Critical | BT887681 | Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c |
722741-1 | 2-Critical | BT722741 | Damaged tmm dns db file causes zxfrd/tmm core |
705869-4 | 2-Critical | BT705869 | TMM crashes as a result of repeated loads of the GEOIP database |
264701-3 | 2-Critical | K10066 | GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608) |
1077701-3 | 2-Critical | BT1077701 | GTM "require M from N" monitor rules do not report when the number of "up" responses change |
1031945-2 | 2-Critical | BT1031945 | DNS cache configured and tmm stuck in 'not ready' state indefinitely after TMM restart or reboot★ |
1027657-2 | 2-Critical | BT1027657 | Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. |
994221-4 | 3-Major | BT994221 | ZoneRunner returns error 'Resolver returned no such record' |
990929-4 | 3-Major | BT990929 | Status of GTM monitor instance is constantly flapping |
987709-3 | 3-Major | BT987709 | Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition |
977625-4 | 3-Major | BT977625 | GTM persistence records linger in tmm |
977113-4 | 3-Major | BT977113 | Unable to configure dependency for GTM virtual server if pool member dependency exists |
973341-4 | 3-Major | BT973341 | Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt |
969553-3 | 3-Major | BT969553 | A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries. |
967737-4 | 3-Major | BT967737 | DNS Express: SOA stops showing up in statistics from second zone transfer |
966461-4 | 3-Major | BT966461 | Tmm leaks memory after each DNSSEC query when netHSM is not connected |
965053-1 | 3-Major | BT965053 | [Regression of ID787881 & ID761032] DNSX fails to sign zone transfer using tsig key after failure |
958325-3 | 3-Major | BT958325 | Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB |
958157-2 | 3-Major | BT958157 | Hash collisions in fastDNS packet processing |
940469-2 | 3-Major | BT940469 | Unsupported option in /etc/resolv.conf causes failure to sync DNS Zone configuration |
936777-4 | 3-Major | BT936777 | Old local config is synced to other devices in the sync group. |
936417-1 | 3-Major | BT936417 | DNS/GTM daemon big3d does not accept ECDH or DH ciphers |
936361-3 | 3-Major | BT936361 | IPv6-based bind (named) views do not work |
920817-4 | 3-Major | BT920817 | Wide IP operations performed in quick succession result in missing resource records and out of sync journals. |
918693-3 | 3-Major | BT918693 | Wide IP alias validation error during sync or config load |
913917-4 | 3-Major | BT913917 | Unable to save UCS |
912761-4 | 3-Major | BT912761 | Link throughput statistics are different |
911241-4 | 3-Major | BT911241 | The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug |
903521-4 | 3-Major | BT903521 | TMM fails to sign responses from BIND when BIND has 'dnssec-enable no' |
899253-4 | 3-Major | BT899253 | [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist |
880125-3 | 3-Major | BT880125 | WideIP (A) created together with aliases (CNAME) causes missing A records in ZoneRunner |
879301-3 | 3-Major | BT879301 | When importing a BIND zone file, SRV/DNAME/NAPTR RRs do not have correct $ORIGIN appended |
879169-3 | 3-Major | BT879169 | RESOLV::lookup @<virtual server name> may not work★ |
862949-1 | 3-Major | BT862949 | ZoneRunner GUI is unable to display CAA records |
821589-2 | 3-Major | BT821589 | DNSSEC does not insert NSEC3 records for NXDOMAIN responses |
813221-1 | 3-Major | BT813221 | Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync |
795633-3 | 3-Major | BT795633 | GUI and REST API unable to add virtual servers containing a space in the name to a pool |
781985-1 | 3-Major | BT781985 | DNSSEC zone SEPS records may be wiped out from running configuration |
779793-2 | 3-Major | BT779793 | [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor |
779769-2 | 3-Major | BT779769 | [LC] [GUI] destination cannot be modified for bigip-link monitors |
779185-3 | 3-Major | BT779185 | Forward zone deleted when wideip updated |
777245-1 | 3-Major | BT777245 | DNSSEC client-facing SOA zone serial does not update when DNSSEC related RR changes |
774225-3 | 3-Major | BT774225 | mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting |
760835-1 | 3-Major | BT760835 | Static generation of rolling DNSSEC keys may be missing when the key generator is changed |
760833-1 | 3-Major | BT760833 | BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner |
760615-2 | 3-Major | BT760615 | Virtual Server discovery may not work after a GTM device is removed from the sync group |
756177-2 | 3-Major | BT756177 | GTM marks pool members down across datacenters |
751540-3 | 3-Major | BT751540 | GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server |
746137-1 | 3-Major | BT746137 | DNSSEC: Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds |
745859-1 | 3-Major | BT745859 | DNSSEC: gtmd leaks memory when dnssec keys on a dnssec zone are auto-rolling |
745035-2 | 3-Major | BT745035 | gtmd crash |
744787-4 | 3-Major | K04201069, BT744787 | Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias |
739553-1 | 3-Major | BT739553 | Setting large number for Wide IP Persistence TTL breaks Wide IP persistence |
726164-1 | 3-Major | BT726164 | Rolling DNSSEC Keys can stop regenerating after a length of time on the standby system |
718230-1 | 3-Major | BT718230 | Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented |
716701-3 | 3-Major | BT716701 | In iControl REST: Unable to create Topology when STATE name contains space |
708421-3 | 3-Major | K52142743, BT708421 | DNS::question 'set' options are applied to packet, but not to already parsed dns_msg |
679316-7 | 3-Major | BT679316 | iQuery connections reset during SSL renegotiation |
665117-7 | 3-Major | K33318158, BT665117 | DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping |
222220-4 | 3-Major | K11931 | Distributed application statistics are not passed correctly. |
1091249-4 | 3-Major | BT1091249 | BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. |
1083405-1 | 3-Major | BT1083405 | "Error connecting to named socket" from zrd |
1082197-3 | 3-Major | BT1082197 | RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response |
1076401-2 | 3-Major | BT1076401 | Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. |
1075469-3 | 3-Major | BT1075469 | DNS GUI: Refreshing a DNS Express record sometimes fails to populate the server. |
1071301-3 | 3-Major | BT1071301 | GTM server does not get updated even when the virtual server status changes. |
1071233-3 | 3-Major | BT1071233 | GTM Pool Members may not be updated accurately when multiple identical database monitors are configured |
1070953-2 | 3-Major | BT1070953 | Dnssec zone transfer could cause numerous gtm sync events. |
1067309-3 | 3-Major | BT1067309 | GTMD cored followed by TMM core SIGSEGV due to illegal GTM server reference. |
1066397-3 | 3-Major | BT1066397 | GTM persists to last resort pool members even when primary pool members become available. |
1064205-3 | 3-Major | | GSLB virtual server's status can't be changed from the drop-down selection box on its properties page. |
1063829-4 | 3-Major | BT1063829 | Zxfrd could run out of memory because zone db files are not efficiently recycled. |
1055077-4 | 3-Major | BT1055077 | Modifying the datacenter does not check GTM server configuration for prober-pool. |
1046785-4 | 3-Major | BT1046785 | Missing GTM probes when max synchronous probes are exceeded. |
1044873-3 | 3-Major | BT1044873 | Deleted GTM link is not removed from virtual server object and causes load failure. |
1041889-4 | 3-Major | BT1041889 | RRSIG missing for CNAME with RDATA in different zone |
1041801-3 | 3-Major | BT1041801 | TMM crashes when handling Network DNS resolver Traffic. |
1041625-2 | 3-Major | BT1041625 | Virtual server flapping when the active and standby devices have different configuration. |
1033897-2 | 3-Major | BT1033897 | DNSSEC keys generated independently are still in use after GTM sync |
1030237-3 | 3-Major | BT1030237 | Zxfrd core and continual restart when out of configured space |
1024905-3 | 3-Major | BT1024905 | GTM monitor times out if monitoring a virtual server with translation address |
1003233-1 | 3-Major | BT1003233 | SNMP Polling can cause inconsistencies in gtm link stats. |
1001101-4 | 3-Major | BT1001101 | Cannot update/display GTM/DNS listener route advertisement correctly |
996261-4 | 4-Minor | BT996261 | Zrd in restart loop with empty named.conf |
995369-4 | 4-Minor | BT995369 | DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm |
959613-4 | 4-Minor | BT959613 | SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason |
947217-3 | 4-Minor | BT947217 | Fix of ID722682 prevents GTM config load when the virtual server name contains a colon★ |
889801-3 | 4-Minor | BT889801 | Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE. |
886145-4 | 4-Minor | BT886145 | The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS GUI. |
882933-3 | 4-Minor | BT882933 | Nslookup might generate a core during system restart |
839361-4 | 4-Minor | BT839361 | iRule 'drop' command does not drop packets when used in DNS_RESPONSE |
822393-2 | 4-Minor | BT822393 | Prober pool selected on server or data center not being displayed after selection in Internet Explorer |
808913-3 | 4-Minor | BT808913 | Big3d cannot log the full XML buffer data |
792813-2 | 4-Minor | BT792813 | The iRule command 'DNS::edns0 subnet address' returns an empty string when subnet info is not received |
790113-2 | 4-Minor | BT790113 | Cannot remove all wide IPs from GTM distributed application via iControl REST |
775801-2 | 4-Minor | BT775801 | [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener |
760117-1 | 4-Minor | BT760117 | Duplicate error messages in log when updating a zone through ZoneRunner GUI |
755282-1 | 4-Minor | BT755282 | [GTM] bigip_add password prompt for IPv4-mapped IPv6 address |
752216-6 | 4-Minor | K33587043, BT752216 | DNS queries without the RD bit set may generate responses with the RD bit set |
712926-1 | 4-Minor | BT712926 | GTM server device 'replace-all-with' reports error with specific server config |
708680-1 | 4-Minor | BT708680 | TMUI is unable to change the Alias Address of DNS/GTM Monitors |
464708-1 | 4-Minor | BT464708 | DNS logging does not support Splunk format log |
1084673-4 | 4-Minor | BT1084673 | GTM Monitor "require M from N" status change log message does not print pool name |
1067821-4 | 4-Minor | BT1067821 | Stats allocated_used for region inside zxfrd is overflowed |
1026813-4 | 4-Minor | BT1026813 | LCD IP address is missing from /etc/hosts on iSeries |
1014761-4 | 4-Minor | BT1014761 | [DNS][GUI] Not able to enable/disable pool member from pool member property page |
1008233-4 | 4-Minor | BT1008233 | The gtm_add command fails but reports no error |
985001-2 | 5-Cosmetic | BT985001 | Taiwan, Hong Kong, and Macau Are Defined As Countries in DNS/GTM Topology Definition |
Application Security Manager Issues
ID Number | Severity | Links to More Info | Description |
956889-3 | 2-Critical | BT956889 | /var fills up very quickly |
887621-1 | 2-Critical | BT887621 | ASM virtual server names configuration CRC collision is possible |
884945-3 | 2-Critical | BT884945 | Latency reduce in case of empty parameters. |
865981-3 | 2-Critical | BT865981 | ASM GUI and REST become unresponsive upon license change |
857677-1 | 2-Critical | BT857677 | Security policy changes are applied automatically after asm process restart |
1068237-3 | 2-Critical | BT1068237 | Some attack signatures added to policies are not used. |
1050089-2 | 2-Critical | | TMM crash in certain cases |
1048685-1 | 2-Critical | BT1048685 | Rare TMM crash when using Bot Defense Challenge |
1039633 | 2-Critical | BT1039633 | A signature match is not highlighted correctly under certain conditions |
1015881-1 | 2-Critical | BT1015881 | TMM might crash after configuration failure |
1000789-3 | 2-Critical | BT1000789 | ASM-related iRule keywords may not work as expected |
995889-3 | 3-Major | BT995889 | Username/Password JSON elements of login page detected as case sensitive when the policy is configured as case insensitive |
986937-4 | 3-Major | BT986937 | Cannot create child policy when the signature staging setting is not equal in template and parent policy |
974985-4 | 3-Major | | Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable |
974513-3 | 3-Major | BT974513 | Dropped requests are reported as blocked in Reporting/charts |
966633-3 | 3-Major | BT966633 | Policy entity search with non-ASCII value filter returns no results in REST/GUI in non-UTF-8 policies |
966613-3 | 3-Major | BT966613 | Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’ |
962493-3 | 3-Major | | Request is not logged |
962489-3 | 3-Major | | False positive enforcement of parameters with specific configuration |
959965-4 | 3-Major | | Asmlogd stops deleting old protobufs |
959957-4 | 3-Major | BT959957 | Asmlogd stops deleting old protobufs |
951113-1 | 3-Major | BT951113 | ASM logging illegal events despite adding legal logging profile |
943441-3 | 3-Major | BT943441 | Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK |
937445-3 | 3-Major | BT937445 | Incorrect signature context logged in remote logger violation details field |
929005-1 | 3-Major | BT929005 | TS cookie is set in all responses |
923221-1 | 3-Major | BT923221 | BD does not use all the CPU cores |
921665-1 | 3-Major | BT921665 | Policy Signatures: updating a filtered list causes all signatures to be updated |
905681 | 3-Major | BT905681 | Incorrect enforcement of policy parameters |
902445-1 | 3-Major | BT902445 | ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation |
891181-4 | 3-Major | BT891181 | Wrong date/time treatment in logs in Turkey/Istanbul timezone |
890169-1 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. |
886533-1 | 3-Major | BT886533 | Icap server connection adjustments |
874185-3 | 3-Major | BT874185 | Incorrect Alarm/Block flags displayed for Signature with previously enforced rule |
867777-2 | 3-Major | BT867777 | Remote syslog server cannot parse violation detail buffers as UTF-8. |
853989-3 | 3-Major | BT853989 | DOSL7 Logs breaks CEF connector by populating strings into numeric fields |
853565-1 | 3-Major | BT853565 | VCMP host primary blade reboot causes security policy loss in the VCMP guest primary blade |
849349-3 | 3-Major | BT849349 | Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db. |
838269-1 | 3-Major | BT838269 | ASM cannot save sync file after MySQL corruption following forcible restart |
829029-3 | 3-Major | BT829029 | Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error |
808749-2 | 3-Major | BT808749 | Duplicate user-defined Signature Set based on Attack Type is created upon policy import |
761565-1 | 3-Major | BT761565 | ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end |
759840-1 | 3-Major | BT759840 | False positive 'Null in request' violation or bare byte subviolations |
752217-1 | 3-Major | BT752217 | Invalid Bot Defense Cookie might be raised when browser is open for too long |
748851-3 | 3-Major | BT748851 | Bot Detection injection include tags which may cause faulty display of application |
707643-2 | 3-Major | BT707643 | ASM Single page application causes JavaScript error when cross domain request is sent |
703678-2 | 3-Major | BT703678 | Cannot add 'secure' attributes to several ASM cookies |
1085661-4 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer |
1083913-3 | 3-Major | BT1083913 | Missing error check in ICAP handling |
1082461-4 | 3-Major | BT1082461 | The enforcer cores during a call to 'ASM::raise' from an active iRule |
1080613-3 | 3-Major | BT1080613 | "Installation of Automatically Downloaded Updates" configuration in LiveUpdate is lost during the first tomcat restart, after upgrading to versions having the fix of ID907025.★ |
1078765-3 | 3-Major | BT1078765 | Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. |
1072165-4 | 3-Major | BT1072165 | Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format |
1070073-1 | 3-Major | | ASM Signature Set accuracy filter is wrong on GUI. |
1069729-1 | 3-Major | BT1069729 | TMM might crash after a configuration change. |
1069137-4 | 3-Major | BT1069137 | Missing AWAF sync diagnostics |
1069133-2 | 3-Major | BT1069133 | ASMConfig memory leak. |
1069113-3 | 3-Major | BT1069113 | ASM process watchdog should be less aggressive. |
1062493-3 | 3-Major | BT1062493 | BD crash close to its startup |
1061617-2 | 3-Major | | Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". |
1058597-2 | 3-Major | BT1058597 | Bd crash on first request after system recovery. |
1057557-3 | 3-Major | BT1057557 | Exported policy has greater-than sign '>' not escaped to '&gt;' with response_html_code tag. |
1056957-4 | 3-Major | BT1056957 | An attack signature can be bypassed under some scenarios. |
1051589-3 | 3-Major | | Missing configuration after upgrade★ |
1048949-4 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile |
1036969-4 | 3-Major | BT1036969 | Chrome sometimes ignores cross-site bot-defense cookies |
1036057-3 | 3-Major | BT1036057 | Add support for line folding in multipart parser. |
1033025-3 | 3-Major | BT1033025 | TMM might crash when unsupported bot iRule is used |
1033017-5 | 3-Major | BT1033017 | Policy changes learning mode to automatic after upload and sync |
1031461-5 | 3-Major | | Session awareness entries aren't mirrored to both sides of an active-active deployment. |
1030133-4 | 3-Major | BT1030133 | BD core on XML out of memory |
1029989-3 | 3-Major | | CORS : default port of origin header is set 80, even when the protocol in the header is https |
1029373-6 | 3-Major | BT1029373 | Firefox 88+ raising Suspicious browser violations with bot defense |
1028473-3 | 3-Major | | URL sent with trailing slash might not be matched in ASM policy |
1023889-1 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message |
1021609-3 | 3-Major | BT1021609 | Improve matching of URLs with specific characters to a policy. |
1020149-1 | 3-Major | BT1020149 | Bot Defense does not support iOS's WKWebView framework |
1017557-4 | 3-Major | BT1017557 | ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN |
1017261-4 | 3-Major | BT1017261 | Configuration update triggers from MCP to ASM are ignored |
1014973-2 | 3-Major | BT1014973 | ASM changed cookie value. |
1011093-2 | 3-Major | BT1011093 | Remote log messages are separated into 2 lines if max_request_size limit falls exactly on \n char. |
1006181-1 | 3-Major | BT1006181 | ASM fails to start if different ASM policies use login pages with the same name★ |
994013-3 | 4-Minor | BT994013 | Modifying bot defense allow list via replace-all-with fails with match-order error |
991765-1 | 4-Minor | BT991765 | Inheritance of staging_period_in_days from policy template |
984521-1 | 4-Minor | BT984521 | Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name |
974409-1 | 4-Minor | | False Positive "Surfing Without Human Interaction" |
972709 | 4-Minor | BT972709 | Bot defense print "No chal chk - cannot get anomaly action" errors to log |
948241-1 | 4-Minor | | Count Stateful anomalies based only on Device ID |
945821-3 | 4-Minor | BT945821 | Remote logging conditions adjustments |
937541-3 | 4-Minor | | Wrong display of signature references in violation details |
932893-3 | 4-Minor | BT932893 | Content profile cannot be updated after redirect from violation details in Request Log |
923233-2 | 4-Minor | BT923233 | Incorrect encoding in 'Logout Page' for non-UTF8 security policy |
906737-1 | 4-Minor | BT906737 | Error message: 'templates/' is not a directory |
887625-1 | 4-Minor | BT887625 | Note should be bold back, not red |
882729-1 | 4-Minor | BT882729 | Applied Blocking Masks discrepancy between local/remote event log |
875373-2 | 4-Minor | BT875373 | Unable to add domain with leading '.' through webUI, but works with tmsh. |
842029-1 | 4-Minor | BT842029 | Unable to create policy: Inherited values may not be changed. |
841985-3 | 4-Minor | BT841985 | TSUI GUI stuck for the same session during long actions |
807569-1 | 4-Minor | BT807569 | Requests fail to load when backend server overrides request cookies and Bot Defense is used |
797821-1 | 4-Minor | BT797821 | Logging profiles on /Common cannot be configured with publishers on other folders |
765365-1 | 4-Minor | BT765365 | ASM tries to send response cookies after response headers already forwarded - makes CSRF false positive |
759671-1 | 4-Minor | BT759671 | Unescaped slash in RE2 in user-defined signature should not be allowed |
758615-1 | 4-Minor | BT758615 | Reconstructed POST request is dropped after DID cookies are deleted |
757486-3 | 4-Minor | BT757486 | Errors in IE11 console appearing with Bot Defense profile |
756998-1 | 4-Minor | BT756998 | DoSL7 Record Traffic feature is not recording traffic |
754750-1 | 4-Minor | BT754750 | Policy validation error 'All blocking flags are unset' appears even when a violation is set to block |
753988-1 | 4-Minor | BT753988 | Proactive Bot Defense : unable to modify existing allow list entry attributes in GUI - 'This whitelist item already exists' pop-up is shown |
753462-1 | 4-Minor | BT753462 | TimeoutException when filtering request logs |
752797-1 | 4-Minor | BT752797 | BD is not correctly closing a shared memory segment |
749680-1 | 4-Minor | BT749680 | Install All Updates button is active when it should not be |
747905-4 | 4-Minor | BT747905 | 'Illegal Query String Length' violation displays wrong length |
747657-1 | 4-Minor | BT747657 | Paging controller changed |
746984-4 | 4-Minor | BT746984 | False positive evasion violation |
744226-1 | 4-Minor | BT744226 | DoSL7-related logs are not throttled |
547428-1 | 4-Minor | BT547428 | Unexpected storage-format string causes asm restart |
1084857-4 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit |
1073625-4 | 4-Minor | BT1073625 | Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. |
1067917-3 | 4-Minor | BT1067917 | Attaching iRule DOSL7::enable when mitigation is not enabled at dosl7 profile, it is not showing warning in GUI. |
1059421-1 | 4-Minor | | Bot Signature is not updated when the signature rule is updated. |
1058665-3 | 4-Minor | BT1058665 | Bot signature with a semicolon followed by a space is not detected. |
1057713-5 | 4-Minor | | "South Sudan" is missing from the ASM Geolocation Enforcement list. |
1046317-3 | 4-Minor | | Violation details are not populated with staged URLs for some violation types |
1040513-2 | 4-Minor | BT1040513 | The counter for "FTP commands" is always 0. |
1035361-5 | 4-Minor | | Illegal cross-origin after successful CAPTCHA |
1026457-1 | 4-Minor | | "Security ›› Event Logs : Protocol : FTP, SMTP" page returns a "500 Internal Server" error |
1026277-3 | 4-Minor | | Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled |
1017149-4 | 4-Minor | | User-defined bot sigs that are created in tmsh don't overlap staged factory bot sigs |
1014573-3 | 4-Minor | BT1014573 | Several large arrays/objects in JSON payload may core the enforcer |
1005309-1 | 4-Minor | BT1005309 | Additional Tcl variables showing information from the AntiBot Mobile SDK |
1005181-1 | 4-Minor | BT1005181 | Bot Defense Logs indicate the mobile debugger is used even when it is not |
750353-1 | 5-Cosmetic | BT750353 | Manual Device Group Put in Pending State With No Indication |
1029689-4 | 5-Cosmetic | BT1029689 | Inconsistent username "SYSTEM" in Audit Log |
Application Visibility and Reporting Issues
ID Number | Severity | Links to More Info | Description |
812993-1 | 1-Blocking | BT812993 | Monpd process consumes considerable amount of RAM on systems with many virtual servers |
932189-4 | 3-Major | BT932189 | Incorrect BD Swap Size units on ASM Resources chart |
852577-2 | 3-Major | BT852577 | [AVR] Analytic goodput graph between different time period has big discrepancy |
808801-2 | 3-Major | BT808801 | AVRD crash when configured to send data externally |
746837-2 | 3-Major | BT746837 | AVR JS injection can cause error on page if the JS was not injected |
1031585 | 3-Major | BT1031585 | Failover due to TMM crash |
950305-4 | 4-Minor | BT950305 | Analytics data not displayed for Pool Names |
910777-4 | 4-Minor | BT910777 | Sending ASM report via AWS SES failed due to wrong content type |
898373-1 | 4-Minor | BT898373 | Unclear message: TakesTooLong was 0.00 exceeded the lower threshold of 10000 |
930217-4 | 5-Cosmetic | BT930217 | Zone colors in ASM swap usage graph are incorrect |
Access Policy Manager Issues
ID Number | Severity | Links to More Info | Description |
349706-1 | 0-Unspecified | | NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN |
893953-3 | 1-Blocking | BT893953 | Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers |
965837-1 | 2-Critical | BT965837 | When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection |
965777-3 | 2-Critical | BT965777 | Per-request policy authentication becomes unresponsive |
930625-3 | 2-Critical | BT930625 | TMM crash is seen due to double free in SAML flow |
927289 | 2-Critical | BT927289 | [APM] Intermittent issues with generating built-in or custom access reports |
904441-4 | 2-Critical | BT904441 | APM vs_score for GTM-APM load balancing is not calculated correctly |
761373-2 | 2-Critical | BT761373 | Debug information logged to stdout |
523313-2 | 2-Critical | K17574, BT523313 | aced daemon might crash on exit |
1063261-3 | 2-Critical | BT1063261 | TMM crash is seen due to sso_config objects. |
998473-1 | 3-Major | BT998473 | NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL) |
949105-4 | 3-Major | BT949105 | Error log seen on Category Lookup SNI requests for same connection |
947613-1 | 3-Major | BT947613 | APM reset after upgrade and modify of LDAP Group Lookup★ |
944029-2 | 3-Major | BT944029 | Support challenge response agent to handle Access-Challenge when Logon agent is not in policy |
934825 | 3-Major | BT934825 | Restarting MCPD via command line may not restart the aced process |
924697-4 | 3-Major | BT924697 | VDI data plane performance degraded during frequent session statistic updates |
920541-2 | 3-Major | BT920541 | Incorrect values in 'Class Attribute' in Radius-Acct STOP request |
918053-3 | 3-Major | BT918053 | [Win][EdgeClient] 'Enable Always Connected mode' is checked for all connectivity profiles with same Parent profile. |
903501-1 | 3-Major | BT903501 | VPN Tunnel establishment fails with some ipv6 address |
898381-1 | 3-Major | BT898381 | Changing the setting of apm-forwarding-fastl4 profile does not take effect |
892861-1 | 3-Major | BT892861 | Cannot configure aaa OAuth provider - invalid x509 file |
858005-3 | 3-Major | | When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" |
857589-2 | 3-Major | BT857589 | On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed' |
844573-3 | 3-Major | BT844573 | Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret. |
815753-2 | 3-Major | BT815753 | TMM leaks memory when explicit SWG is configured with Kerberos authentication |
806809-1 | 3-Major | BT806809 | JWT Claim value without quotes is invalid |
794585-2 | 3-Major | BT794585 | User cannot log in after license reactivation on vCMP host |
788473-2 | 3-Major | BT788473 | Email sent from APM is not readable in some languages |
777165-1 | 3-Major | BT777165 | Occasional crash from sessiondump |
761303-2 | 3-Major | BT761303 | Upgrade of standby BIG-IP system results in empty Local Database |
759392-2 | 3-Major | BT759392 | HTTP_REQUEST iRule event triggered for internal APM request |
758618 | 3-Major | BT758618 | Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned |
758542-3 | 3-Major | BT758542 | OAuth database instance appears empty after upgrade from v13.x★ |
757848-1 | 3-Major | BT757848 | F5 Adaptive Authentication feature has been removed |
757822-1 | 3-Major | BT757822 | Subroutine name should use partition name and policy name |
756454-1 | 3-Major | BT756454 | Tmm crash when per-request policies are in use |
752077-2 | 3-Major | BT752077 | Kerberos replay cache leaks file descriptors |
750170-2 | 3-Major | BT750170 | SP Connector config changes causes BIG-IP tmm core sometimes during handling of SAML SLO request |
749477-1 | 3-Major | BT749477 | Provisioning URLDB and SWG simultaneously produces a confusing error message if neither module was originally provisioned |
748451-3 | 3-Major | BT748451 | Manager users cannot perform changes in per-request policy properties |
748070 | 3-Major | BT748070 | API Protection feature inadvertently allows editing of associated access policy |
744316-4 | 3-Major | BT744316 | Config sync of APM policy fails with Cannot update_indexes validation error. |
738547-3 | 3-Major | BT738547 | SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII |
711056-1 | 3-Major | BT711056 | License check VPE expression fails when access profile name contains dots |
680855-3 | 3-Major | BT680855 | Safari 11 sometimes start more than one session |
666845-2 | 3-Major | K08684622, BT666845 | Rewrite plugin can accumulate memory used for patching very large files |
597955-2 | 3-Major | BT597955 | APM can generate seemingly spurious error log messages |
566235-3 | 3-Major | BT566235 | Profile License May Be Missing After Failover or Blade Configuration Change In Chassis HA |
552444-4 | 3-Major | BT552444 | Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD |
547692-5 | 3-Major | BT547692 | Firewall-blocked KPASSWD service does not cause domain join operation to fail |
534187-5 | 3-Major | BT534187 | Passphrase protected signing keys are not supported by SAML IDP/SP |
527119-7 | 3-Major | BT527119 | An iframe document body might be null after iframe creation in rewritten document. |
470916-4 | 3-Major | BT470916 | Using native View clients, cannot launch desktops and applications from multiple VMware back-ends |
1074285 | 3-Major | BT1074285 | Apmd crashes while handling JWT tokens. |
1063345-2 | 3-Major | | Urldbmgrd may crash while downloading the database. |
1056669 | 3-Major | BT1056669 | Clicking the ActiveX RDP Resources icon does not display the ActiveX RDP web page. |
1054677-3 | 3-Major | BT1054677 | Ng_export fails for users with the 'pager' option enabled in their 'cli preference' configuration. |
1053309-3 | 3-Major | | Localdbmgr leaks memory while syncing data to sessiondb and mysql. |
1042505-3 | 3-Major | BT1042505 | Session variable "session.user.agent" does not get populated for edge clients |
1041989-2 | 3-Major | BT1041989 | APM Portal Access does not add automatically the / after the URL encoded (after the '$$'), Redirect breaks |
1040817 | 3-Major | BT1040817 | Users are shown the prompt to change their password even though the corresponding PSO object fetch from Active Directory fails. |
1039941-1 | 3-Major | BT1039941 | [WIN]Webtop offers to download f5vpn when it is already installed |
1037877-1 | 3-Major | BT1037877 | OAuth Claim display order incorrect in VPE |
1024757 | 3-Major | BT1024757 | Adding more than three disabled log-settings to access profile causes apmd to restart |
1024437-4 | 3-Major | BT1024437 | Urldb index building fails to open index temp file |
1022877-1 | 3-Major | | Ping missing from list of Types for OAuth Client |
1022493-1 | 3-Major | BT1022493 | Slow file descriptor leak in urldbmgrd (sockets open over time) |
1018877-4 | 3-Major | BT1018877 | Subsession variable values mixing between sessions |
1010597-3 | 3-Major | BT1010597 | Traffic disruption when virtual server is assigned to a non-default route domain★ |
1007677-3 | 3-Major | BT1007677 | Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' |
1000669-1 | 3-Major | BT1000669 | Tmm memory leak 'string cache' leading to SIGFPE |
990601 | 4-Minor | | APM Logs shows message "Access encountered error: "ERR_INPROGRESS. File: ../modules/hudfilter/access/access.c" without any impact on functionality. |
982817 | 4-Minor | BT982817 | TMM crash when executing iRule command ACCESS::respond from HTTP_REQUEST event |
963129-2 | 4-Minor | BT963129 | RADIUS Accounting Stop message fails via layered virtual server |
949957-3 | 4-Minor | BT949957 | RDP: Username is pre-filled with f5_apm* string after clicking on webtop resource on Mobile Clients (iOS & Android) |
944093-3 | 4-Minor | BT944093 | Maximum remaining session's time on user's webtop can flip/flop |
869541-1 | 4-Minor | BT869541 | Series of unexpected <aborted> requests to same URL |
867705-2 | 4-Minor | BT867705 | URL for IFRAME element may not be normalized in some cases |
866953-2 | 4-Minor | BT866953 | Portal Access: F5_Inflate_onclick wrapper functionality needs refining |
860041-2 | 4-Minor | BT860041 | Portal Access: 5_Deflate_removeEventListener wrapper need to be added |
848217-2 | 4-Minor | | Portal Access: default port encoded in rewritten url, need to be removed from host header in request to backend |
840257-2 | 4-Minor | BT840257 | Portal Access: HTML iframe sandbox attribute is not supported |
840249-3 | 4-Minor | BT840249 | With BIG-IP as a SAML IdP, important diagnostic information is not logged |
819233-5 | 4-Minor | BT819233 | Ldbutil utility ignores '--instance' option if '--list' option is specified |
810825 | 4-Minor | BT810825 | Export, then import of pool outside of a default route domain may fail |
778333-3 | 4-Minor | BT778333 | GUI/CLI max-in-progress discrepancy occurs after upgrade from v11.x to v13.x or later |
755739-1 | 4-Minor | BT755739 | SAML metadata import (SP or IdP) fails if the metadata file has both SPSSODescriptor and IdPSSODescriptor |
753512-1 | 4-Minor | BT753512 | Portal Access: Resource with '?' in query part of URL cannot be created. |
712542-3 | 4-Minor | BT712542 | Network Access client caches the response for /pre/config.php |
707294-2 | 4-Minor | BT707294 | When BIG-IP as OAuth AS has missing OAuth Profile in the Access profile, the error log is not clear |
567503-6 | 4-Minor | K03293396, BT567503 | ACCESS:session remove can result in confusing ERR_NOT_FOUND logs |
547947-3 | 4-Minor | BT547947 | Feeding empty username and password to the Logon Page followed by RadiusAuthAgent shows the session as Logged out |
1079441-3 | 4-Minor | BT1079441 | APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries |
1041137-1 | 4-Minor | | Windows Defender blocks edge client. |
1040829-2 | 4-Minor | BT1040829 | Errno=(Invalid cross-device link) after SCF merge |
1022973-3 | 4-Minor | BT1022973 | Sessiondb entries related to Oauth module not cleaned up in certain conditions |
1004077-1 | 4-Minor | BT1004077 | When configuring from VPE, audit logs from mcp records the user as admin, even if done by another user |
826049-1 | 5-Cosmetic | | French language spelling error in BIG-IP Edge Client message window |
498926 | 5-Cosmetic | BT498926 | Client can fail to start a new session in multi-domain SSO. |
WebAccelerator Issues
ID Number | Severity | Links to More Info | Description |
900825-2 | 3-Major | BT900825 | WAM image optimization can leak entity reference when demoting to unoptimized image |
890573-2 | 3-Major | BT890573 | BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart |
890401-2 | 3-Major | BT890401 | Restore correct handling of small object when conditions to change cache type is satisfied |
792045-1 | 3-Major | BT792045 | Prevent WAM cache type change for small objects |
761027 | 3-Major | BT761027 | Web Browser Hang on Reading Compressed Data from BIG-IP |
751383-1 | 4-Minor | BT751383 | Invalidation trigger parameter values are limited to 256 bytes |
748031-1 | 4-Minor | BT748031 | Invalidation trigger parameter containing reserved XML characters does not create invalidation rule |
489960-4 | 4-Minor | BT489960 | Memory type stats is incorrect |
Wan Optimization Manager Issues
ID Number | Severity | Links to More Info | Description |
863601-1 | 2-Critical | BT863601 | Panic in TMM due to internal mirroring interactions |
Service Provider Issues
ID Number | Severity | Links to More Info | Description |
946897 | 2-Critical | BT946897 | MRF SIP status remains unknown on GUI |
917637-1 | 3-Major | BT917637 | Tmm crash with ICAP filter |
911485 | 3-Major | BT911485 | When MRF is in use, TCP::release does not immediately remove data from the TCP payload |
908477-4 | 3-Major | BT908477 | Request-adapt plus request-logging causes HTTP double-chunking in an ICAP request |
895801-4 | 3-Major | BT895801 | Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted |
831105-1 | 3-Major | BT831105 | Session timeout in diadb entry is updated to 180 on unsuccessful transaction |
790949-2 | 3-Major | BT790949 | MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior. |
767977 | 3-Major | BT767977 | Source port unexpectedly changes on message connections |
759370-2 | 3-Major | BT759370 | FIX protocol messages parsed incorrectly when fragmented between the body and the trailer. |
755311-1 | 3-Major | BT755311 | No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down |
753501-1 | 3-Major | BT753501 | iRule commands (such as relate_server) do not work with MRP SIP |
749528-1 | 3-Major | BT749528 | IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap |
749041-2 | 3-Major | BT749041 | MRSIP log of subscriber deletion outputs '(null)" for subscriber URI |
748355-2 | 3-Major | BT748355 | MRF SIP curr_pending_calls statistic can show negative values. |
1082885-3 | 3-Major | BT1082885 | MR::message route virtual asserts when configuration changes during ongoing traffic |
1038057-3 | 3-Major | BT1038057 | Unable to add a serverssl profile into a virtual server containing a FIX profile |
1008169-4 | 3-Major | BT1008169 | BIG-IP systems disconnect the DIAMETER transport connection if it receives an answer message without a Result-Code AVP |
916781-2 | 4-Minor | BT916781 | Validation error while attaching DoS profile to GTP virtual |
844169-2 | 4-Minor | BT844169 | TMSH context-sensitive help for diameter session profile is missing some descriptions |
Advanced Firewall Manager Issues
ID Number | Severity | Links to More Info | Description |
965897-3 | 2-Critical | BT965897 | Disruption of mcpd with a segmentation fault during config sync |
964989-1 | 2-Critical | BT964989 | AFM DOS half-open does not handle wildcard virtual servers properly. |
850117-1 | 2-Critical | BT850117 | Autodosd crash after assigning dos profile with custom signatures to a virtual server |
720045-3 | 2-Critical | BT720045 | IP fragmented UDP DNS request and response packets dropped as DNS Malformed |
603124-2 | 2-Critical | BT603124 | Minimum allowed refresh interval is 10 minutes |
1048425-2 | 2-Critical | BT1048425 | Packet tester crashes TMM when vlan external source-checking is enabled |
1040685 | 2-Critical | BT1040685 | Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier) |
998701-1 | 3-Major | BT998701 | Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value. |
987133-1 | 3-Major | BT987133 | Non-EDNS response with RCODE FORMERR are blocked by dns-qdcount-limit vector. |
977153-4 | 3-Major | BT977153 | Packet with routing header IPv6 as next header in IP layer fails to be forwarded |
968953-4 | 3-Major | BT968953 | Unnecessary authorization header added in the response for an IP intelligence feed list request |
964625-2 | 3-Major | BT964625 | Improper processing of firewall-rule metadata |
953425-2 | 3-Major | BT953425 | Hardware syncookie mode not cleared when changing dos-device-vector enforcement |
952521-3 | 3-Major | BT952521 | Memory allocation error while creating an address list with a large range of IPv6 addresses★ |
935769-1 | 3-Major | BT935769 | Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time |
918905-3 | 3-Major | BT918905 | PCCD restart loop when using more than 256 FQDN entries in Firewall Rules |
915221-2 | 3-Major | BT915221 | DoS unconditionally logs MCP messages to /var/tmp/mcpd.out |
881985-2 | 3-Major | BT881985 | AFM FQDN rule matching is broken when multiple FQDN's in firewall policies resolve to the same IP address |
871457 | 3-Major | BT871457 | Cannot enable logging for management firewall with LTM only provisioned |
867321-6 | 3-Major | BT867321 | Error: Invalid self IP, the IP address already exists. |
857897-1 | 3-Major | BT857897 | Address and port lists are not searchable within the GUI |
844597-2 | 3-Major | BT844597 | AVR analytics is reporting null domain name for a dns query |
818705-2 | 3-Major | BT818705 | afm_cmi.py daemon can cause very high BIG-IP CPU utilization(>90%) |
813969-3 | 3-Major | BT813969 | Network DoS reporting events as 'not dropped' while in fact, events are dropped |
813057-2 | 3-Major | BT813057 | False positive attack detection on DoS profile vectors for unbalanced traffic |
812481-2 | 3-Major | BT812481 | HSL may work unreliably for Management-IP firewall rules |
793217-2 | 3-Major | BT793217 | HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation |
787969-1 | 3-Major | BT787969 | Validation error regarding disabling DoS Software Mode is unclear |
759799-1 | 3-Major | BT759799 | New rules cannot be compiled |
751538-1 | 3-Major | BT751538 | Incorrect eps rate for ICMP fragmented DoS vector |
749761-3 | 3-Major | BT749761 | AFM Policy with Send to Virtual and TMM crash in a specific scenario |
742120-1 | 3-Major | BT742120 | MCPd crash seen during load sys config |
740324-1 | 3-Major | | [NAT UNI][UI]: Need logic to extract virtual servers with NAT policy attached/inherited to be shown in CGNAT Virtuals |
663946-6 | 3-Major | BT663946 | The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments |
1079985 | 3-Major | BT1079985 | int_drops_rate shows an incorrect value |
1076477 | 3-Major | BT1076477 | AFM allows deletion of a firewall policy even if it's being used in a route domain. |
1069321 | 3-Major | BT1069321 | High iowait and pgstat wait warnings every hours due to excessive logging in autodosd.out |
1067405-2 | 3-Major | BT1067405 | TMM crash while offloading / programming bad actor connections to hardware. |
1047933-3 | 3-Major | BT1047933 | Virtual server security policy - An error has occurred while trying to process your request |
1039993-1 | 3-Major | | AFM NAT Excessive number of logs "Port Block Updated" and "LSN_PB_UPDATE" |
1020061-2 | 3-Major | BT1020061 | Nested address lists can increase configuration load time |
1019557-3 | 3-Major | BT1019557 | Bdosd does not create /var/bdosd/*.json |
1019453-4 | 3-Major | BT1019453 | Core generated for autodosd daemon when synchronization process is terminated |
1012581-4 | 3-Major | BT1012581 | Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered |
1011445-4 | 3-Major | | Recovery after DoS attack uses SYN cookies inefficiently. |
981145-4 | 4-Minor | BT981145 | DoS events do not include the attack name for "tcp syn ack flood" |
935865-3 | 4-Minor | BT935865 | Rules that share the same name return invalid JSON via REST API |
928177-1 | 4-Minor | BT928177 | Syn-cookies might get enabled when performing multiple software upgrades. |
837101-1 | 4-Minor | BT837101 | AVR and BIG-IQ stats show N/A bar for Source IP and domain name on DNS query packet |
1022213-2 | 4-Minor | BT1022213 | DDOS: BDOS: Warning messages related to high availability (HA) watchdog seen on system bring up |
Policy Enforcement Manager Issues
ID Number | Severity | Links to More Info | Description |
829657-2 | 2-Critical | BT829657 | Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses |
760518-4 | 2-Critical | BT760518 | PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement |
756576 | 2-Critical | | Fetching non-configured 3GPP-RAT-TYPE subscriber attribute using iRule can crash tmm. |
750491-4 | 2-Critical | BT750491 | PEM Once-Every content insertion action may insert more than once during an interval |
924589-4 | 3-Major | BT924589 | PEM ephemeral listeners with source-address-translation may not count subscriber data |
829653-3 | 3-Major | BT829653 | Memory leak due to session context not freed |
814941-1 | 3-Major | BT814941 | PEM drops new subscriber creation if historical aggregate creation count reaches the max limit |
781485-4 | 3-Major | BT781485 | PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition |
764901-2 | 3-Major | BT764901 | PEM policy filters rules memory gets leaked if policy is deleted before deleting the rules |
752163-1 | 3-Major | BT752163 | PEM::session info cannot set subscriber type and ID |
747065-2 | 3-Major | BT747065 | PEM iRule burst of session ADDs leads to missing sessions |
726011-4 | 3-Major | BT726011 | PEM transaction-enabled policy action lookup optimization to be controlled by a sys db |
670994-5 | 3-Major | BT670994 | There is no validation for IP address on the ip-address-list for static subscriber |
1089829-2 | 3-Major | BT1089829 | PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers |
1084993-3 | 3-Major | BT1084993 | [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching |
1043525 | 3-Major | BT1043525 | TMM crash produces error message "spmdb_session_get_ip_stat_ref." |
1020041-1 | 3-Major | | "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs |
1015501-1 | 3-Major | BT1015501 | Changes to DHCP Profile are not used by tmm |
911585 | 4-Minor | BT911585 | PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval |
815901-3 | 4-Minor | BT815901 | Add rule to the disabled pem policy is not allowed |
Carrier-Grade NAT Issues
ID Number | Severity | Links to More Info | Description |
751719-1 | 2-Critical | BT751719 | UDP::hold/UDP::release does not work correctly |
812705-1 | 3-Major | BT812705 | 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic |
1064217-3 | 3-Major | BT1064217 | Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. |
1034009-2 | 4-Minor | BT1034009 | CGNAT+Subscriber Discovery - NAT IP with wrong route domain on the CGNAT Log |
Fraud Protection Services Issues
ID Number | Severity | Links to More Info | Description |
660759-1 | 3-Major | BT660759 | Cookie hash persistence sends alerts to application server. |
Anomaly Detection Services Issues
ID Number | Severity | Links to More Info | Description |
1071181 | 3-Major | | Improving Signature Detection Accuracy |
1010717-4 | 3-Major | BT1010717 | Default DoS profile creation from tmsh is incorrectly interpreted by DoS profile GUI |
Traffic Classification Engine Issues
ID Number | Severity | Links to More Info | Description |
901041-4 | 2-Critical | BT901041 | CEC update using incorrect method of determining number of blades in VIPRION chassis★ |
984657-2 | 3-Major | BT984657 | Sysdb variable not working from tmsh |
1058349 | 3-Major | BT1058349 | Requirement of new signatures to detect IMO and Google Duo service. |
1013629-2 | 3-Major | BT1013629 | URLCAT: Vulnerability Scan finds many Group/User Read/Write (666/664/662) files |
Device Management Issues
ID Number | Severity | Links to More Info | Description |
720434-3 | 2-Critical | BT720434 | Multi-blade Chassis iAppLX Package upgrade sync is incomplete across blades |
663754-3 | 2-Critical | BT663754 | Modifying the default management port can break internal functionality |
942521-4 | 3-Major | BT942521 | Certificate Managers are unable to move certificates to BIG-IP via REST |
880565-3 | 3-Major | BT880565 | Audit Log: "cmd_data=list cm device recursive" is been generated continuously |
717174-1 | 3-Major | BT717174 | WebUI shows error: Error getting auth token from login provider★ |
1049237-3 | 4-Minor | BT1049237 | Restjavad may fail to cleanup ucs file handles even with ID767613 fix |
iApp Technology Issues
ID Number | Severity | Links to More Info | Description |
974193-3 | 3-Major | BT974193 | Error when trying to create a new f5.vmware_view.v1.5.9 iApp |
842193-3 | 3-Major | BT842193 | Scriptd coring while running f5.automated_backup script |
818069-4 | 3-Major | BT818069 | GUI hangs when iApp produces error message |
1004697-1 | 3-Major | BT1004697 | Saving UCS files can fail if /var runs out of space |
829861 | 4-Minor | BT829861 | iApp UI broken when referencing to iApp profile /Common/_sys_radius_proto_imsi |
802189-2 | 4-Minor | BT802189 | iApps: Calling 'Package Require <PKG>' in a template with a manager role is not supported |
Protocol Inspection Issues
ID Number | Severity | Links to More Info | Description |
802449-1 | 2-Critical | BT802449 | Valid GTP-C traffic may cause buffer overflow |
778225-3 | 3-Major | BT778225 | vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host |
1070677-2 | 3-Major | | Learning phase does not take traffic into account - dropping all. |
1069977 | 3-Major | | Repeated TMM SIGABRT during ips_flow_process_data |
1013777-1 | 3-Major | | An error is encountered when enabling reset-learning to all the signatures of a protocol inspection profile in the GUI. |
760740-1 | 4-Minor | BT760740 | Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running |
Guided Configuration Issues
ID Number | Severity | Links to More Info | Description |
960133-3 | 1-Blocking | | AGC 8.0 installation failure |
982801-4 | 3-Major | BT982801 | AGC hardening |
In-tmm monitors Issues
ID Number | Severity | Links to More Info | Description |
854129-4 | 3-Major | BT854129 | SSL monitor continues to send previously configured server SSL configuration after removal |
1046917-2 | 3-Major | BT1046917 | In-TMM monitors do not work after TMM crashes |
1002345-1 | 3-Major | BT1002345 | Transparent DNS monitor does not work after upgrade★ |
788257-1 | 4-Minor | BT788257 | Bigd.mgmtroutecheck setting ignored by in-tmm monitors after bigstart restart |
SSL Orchestrator Issues
ID Number | Severity | Links to More Info | Description |
956913-1 | 2-Critical | BT956913 | HTTPS traffic may fail for Inbound topology gateway mode |
852157 | 2-Critical | BT852157 | Previously deployed SSL Orchestrator topology may cause deployment failures. |
1055361-3 | 2-Critical | BT1055361 | Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash. |
964617-3 | 3-Major | BT964617 | Connector error "CONNECTOR: Invalid external event HUDEVT_SENT in state Init |
890721-3 | 3-Major | BT890721 | SSL Orchestrator sends reset to the client when an initial ingress data arrives 5 seconds after tcp connection establishment |
822249-1 | 3-Major | BT822249 | Throughput degradation while uploading when using TAP device in service chain for SSL Orchestrator |
756604-4 | 3-Major | BT756604 | iRule Command TCP::release does not work correctly with argument 0. |
1029869-4 | 3-Major | BT1029869 | Use of ha-sync script may cause gossip communications to fail |
1029585-4 | 3-Major | BT1029585 | Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync |
1095145-1 | 4-Minor | BT1095145 | Virtual server responding with ICMP unreachable after using /Common/service |
Known Issue details for BIG-IP v14.1.x
999881-3 : Tcl command 'string first' not working if payload contains Unicode characters.
Links to More Info: BT999881
Component: Local Traffic Manager
Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.
Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.
Impact:
Traffic processing with iRules that contain the 'string first' command might not work as expected.
Workaround:
You can use any of the following workarounds:
-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex
999709-3 : iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2.
Links to More Info: BT999709
Component: Local Traffic Manager
Symptoms:
The 'pool'/'virtual' iRule commands cause the specified pool to be used directly. However, with HTTP/2, the 'pool'/'virtual' command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent.
Conditions:
-- A 'pool'/'virtual' command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile is applied to the virtual server.
-- The HTTP/2 protocol is in use.
-- HTTP/2 Message Routing is disabled.
Impact:
With HTTP/2 configured, the iRule 'pool'/'virtual' commands fail to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired pool/virtual.
Workaround:
Use the HTTP_REQUEST event instead of CLIENT_ACCEPTED in the iRule.
999673 : Message 'err sha256_generic module not installed' when booting up
Links to More Info: BT999673
Component: TMOS
Symptoms:
The BIG-IP system logs an error message when booting up in v14.1.3 and v14.1.3.1 on platforms with Intel Crypto.
-- err /etc/sysconfig/modules/quickassist.modules[2061]: sha256_generic module not installed.
Conditions:
This occurs when rebooting BIG-IP devices containing Intel Crypto:
-- BIG-IP i15600 / i15800 platforms
-- BIG-IP i4800 platform
-- VIPRION B4450N blade
Impact:
This message is benign and you can safely ignore it.
Workaround:
None
999669-3 : Some HTTPS monitors are failing after upgrade when config has different SSL option★
Links to More Info: BT999669
Component: Local Traffic Manager
Symptoms:
Some HTTPS monitors are failing after upgrade when the config has different SSL option properties for different monitors.
Conditions:
-- Individual SSL profiles exist for different HTTPS monitors with SSL parameters.
-- A unique server SSL profile is configured for each HTTP monitor (one with cert/key, one without).
Impact:
Some HTTPS monitors fail. Pool is down. Virtual server is down.
Workaround:
None
999021-4 : IPsec IKEv1 tunnels fail after a config sync from Standby to Active
Links to More Info: BT999021
Component: TMOS
Symptoms:
When racoon (the IKEv1 daemon) sees a tunnel config change, which occurs due to a config sync from the standby device, the change causes tmm and racoon to have conflicting views on the state of that tunnel.
If the IKEv1 tunnel is up at the time of the config change, tmm fails to restart the tunnel.
Conditions:
-- IPsec IKEv1 tunnel in use.
-- Changes made to IPsec IKEv1 tunnel on the Standby BIG-IP device, which are then sync'd to the Active BIG-IP device.
-- And/or a full config sync from the Standby to Active BIG-IP system.
Impact:
IPsec IKEv1 tunnels fail and do not start again.
Workaround:
-- Do not make changes to IPsec IKEv1 tunnels on the Standby device.
-- Avoid full syncs from Standby to Active.
How to recover when the problem occurs:
-- Disable the affected ike-peer and re-enable it.
998957-4 : Mcpd consumes excessive CPU while collecting stats.
Links to More Info: BT998957
Component: TMOS
Symptoms:
Mcpd CPU utilization is 100%.
Conditions:
This can occur when the BIG-IP system has a large number of virtual servers, pools, and pool members for which statistics are being collected.
Impact:
CPU utilization by mcpd is excessive.
Workaround:
None
998701-1 : Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value.
Links to More Info: BT998701
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, the active_zombie_port_blocks counter from fw_lsn_pool_pba_stat statistics may reach an unrealistically large value.
Conditions:
-- VIPRION system with more than one blade
-- ASM is provisioned
-- Network address translation is in use
-- Source translation type: Dynamic PAT
-- PAT mode: Port Block Allocation
Impact:
Active_zombie_port_blocks counter indications are incorrect. Otherwise system functionality is unaffected.
Workaround:
None
998649-2 : Log hostname should be consistent when it contains ' . '
Links to More Info: BT998649
Component: TMOS
Symptoms:
Messages that are logged to journald use the configured hostname, while syslog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). As a result, a hostname that contains '.' is logged inconsistently; e.g., 'my.hostname' is logged as 'my' by syslog-ng, and as 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files.
Conditions:
-- Hostname contains a period
-- Viewing log files emitted from journald and from syslog-ng
Impact:
The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname.
Workaround:
None.
998473-1 : NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)
Links to More Info: BT998473
Component: Access Policy Manager
Symptoms:
NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)
Conditions:
1. NTLM front-end authentication is enabled.
2. Active Directory users are subscribed to more than one hundred groups.
Impact:
NTLM authentication fails for Active Directory users who are subscribed to more than one hundred groups.
Workaround:
None
998253-1 : SNI configuration is not sent via HTTPS when in-tmm monitors are disabled
Links to More Info: BT998253
Component: Local Traffic Manager
Symptoms:
The Server Name Indication (SNI) extension is missing on the HTTPS handshake.
Conditions:
-- Global in-tmm monitors are disabled
-- HTTPS monitor traffic
Impact:
The HTTPS client-server handshake occurs without a TLS SNI.
Workaround:
None
997793-1 : Error log: Failed to reset strict operations; disconnecting from mcpd★
Links to More Info: K34172543, BT997793
Component: TMOS
Symptoms:
After rebooting the device, you are unable to access the GUI. When you check the ltm logs over SSH or on the console, the following error is logged repeatedly:
Failed to reset strict operations; disconnecting from mcpd.
Conditions:
Previous EPSEC packages that still reside on the system from old BIG-IP versions are installed upon boot. An internal timer can cause the installation to be aborted and all daemons to be restarted via 'bigstart restart'.
Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.
Workaround:
1. Stop the overdog daemon first by issuing the command:
systemctl stop overdog
2. Restart all services by issuing the command:
bigstart restart
3. Wait for 10 to 20 mins until EPSEC packages are successfully installed and mcpd successfully starts.
997561-2 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
Links to More Info: BT997561
Component: TMOS
Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.
In some circumstances, handling this traffic should not require maintaining state across TMMs.
Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.
Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.
Workaround:
None
997541-2 : Round-robin GRE Disaggregator for hardware and software
Links to More Info: BT997541
Component: TMOS
Symptoms:
GRE tunnel traffic is pinned to one CPU.
Conditions:
GRE traffic is passed through BIG-IP system.
Impact:
Traffic is pinned to one CPU and overall performance is degraded.
Workaround:
None
996785-1 : NGFIPS device lockup can cause mcpd crash
Links to More Info: BT996785
Component: Local Traffic Manager
Symptoms:
The mcpd process crashes with a SIGABRT signal.
Conditions:
This can occur if the NGFIPS HSM device locks up.
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
Restarting the system may recover from the NGFIPS HSM device lockup if there is no hardware issue.
996649-3 : Improper handling of DHCP flows leading to orphaned server-side connections
Links to More Info: BT996649
Component: Local Traffic Manager
Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.
Conditions:
Regular DHCP virtual server in use.
Impact:
Traffic is not passed to the client.
Workaround:
None.
996261-4 : Zrd in restart loop with empty named.conf
Links to More Info: BT996261
Component: Global Traffic Manager (DNS)
Symptoms:
The zrd process enters a restart loop:
logger[20015]: Re-starting zrd
Conditions:
This occurs when /var/named/config/named.conf is empty.
Impact:
The zrd process enters a restart loop. If the device is in a sync group, zrd enters a restart loop on all devices.
Workaround:
Restore content to the named.conf file.
995889-3 : Username/Password JSON elements of login page detected as case sensitive when the policy is configured as case insensitive
Links to More Info: BT995889
Component: Application Security Manager
Symptoms:
A JSON element of a page behaves in a case-sensitive manner even if the policy is configured as case insensitive.
Conditions:
- Using JSON in a page
- Authentication type is json/ajax
- The policy is configured case-insensitive
- JSON element seen in a request has uppercase letter(s)
Impact:
Case-insensitive configuration fails to detect uppercase JSON elements in a page. This may cause, for example, brute force protection to not trigger.
Workaround:
None
995605-3 : PVA accelerated traffic does not update route domain stats
Links to More Info: BT995605
Component: TMOS
Symptoms:
PVA accelerated traffic does not update route domain stats
Conditions:
-- PVA accelerated traffic.
-- Viewing the route domain stats.
Impact:
The route domain stats may be inaccurate
Workaround:
Use the virtual server stats or ifc_stats instead.
995369-4 : DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm
Links to More Info: BT995369
Component: Global Traffic Manager (DNS)
Symptoms:
Generated DNSSEC keys always use RSA/SHA1 algorithm.
Conditions:
DNSSEC keys are generated with manual key management method.
Impact:
You are unable to create DNSSEC keys with other algorithms.
Workaround:
Choose automatic key management method.
995201-3 : IP fragments for the same flow are dropped if they are received on different VLANs and route domains.
Links to More Info: BT995201
Component: Local Traffic Manager
Symptoms:
When duplicate IP fragments for the same flow (same connection tuple and flow ID) are simultaneously received on different VLANs or route domains, IP datagram reassembly fails.
Conditions:
-- Multicast traffic where identical fragments arrive on two different VLANs.
-- IP fragments for the same flow are received on different VLANs.
-- Alternatively, IP fragments for the same flow are received on different route domains.
Impact:
IP fragments that fail reassembly are dropped.
Workaround:
None
995097-4 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.
Links to More Info: BT995097
Component: TMOS
Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.
For instance, after reloading the configuration, the following section:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { "example.com" }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { "example.com" }
}
}
}
Becomes:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { example.com }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { example.com }
}
}
}
This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.
Conditions:
This issue occurs when the following statements apply:
-- The values of management-dhcp supersede options contain double quote characters.
-- The configuration is reloaded from file.
The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).
Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.
The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.
As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.
Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.
Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.
For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config
On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:
bigstart restart dhclient dhclient6
Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.
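A check for the quote loss described in 995097, as an added example (not F5 code): it parses `tmsh list` output in the shape shown under Symptoms, reports values that lost their double quotes, and builds repair commands in the form of the workaround above. The function names, the embedded sample, and the rule that any value that is not an IP address or an integer is text needing quotes are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample: the stanza shown under Symptoms after a reload from file,
# with the quotes around the two domain values already lost.
SAMPLE_AFTER_RELOAD = """\
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { example.com }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { example.com }
        }
    }
}
"""

# A token is a double-quoted string, a brace, or a run of other characters.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[{}]|[^\s{}"]+')
BASE = "modify sys management-dhcp sys-mgmt-dhcp-config supersede-options"


def parse_supersede_options(text):
    """Return {option: [raw value tokens]} from the tmsh listing."""
    tokens = TOKEN_RE.findall(text)
    # The echoed command line also contains 'supersede-options', but only the
    # stanza opener is followed by '{'.
    start = next((i for i in range(len(tokens) - 1)
                  if tokens[i] == "supersede-options" and tokens[i + 1] == "{"),
                 None)
    options = {}
    if start is None:
        return options
    i = start + 2
    while i < len(tokens) and tokens[i] != "}":
        name = tokens[i]
        if tokens[i + 1:i + 4] != ["{", "value", "{"]:
            raise ValueError(f"unexpected layout in option {name!r}")
        i += 4
        values = []
        while i < len(tokens) and tokens[i] != "}":
            values.append(tokens[i])
            i += 1
        options[name] = values
        i += 2  # skip the '}' closing value and the '}' closing the option
    return options


def needs_quotes(token):
    """Heuristic (assumption): text needs quotes; IPs and integers do not."""
    if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
        return False
    if token.isdigit():
        return False
    try:
        ipaddress.ip_address(token)
        return False
    except ValueError:
        return True


def find_stripped_values(text):
    """List (option, value) pairs whose text value is missing its quotes."""
    return [(name, value)
            for name, values in parse_supersede_options(text).items()
            for value in values if needs_quotes(value)]


def repair_commands(text):
    """Build tmsh commands in the form of the documented workaround."""
    cmds = [f"{BASE} none"]
    for name, values in parse_supersede_options(text).items():
        rendered = []
        for value in values:
            bare = value.strip('"')
            # Escape the quotes the same way the workaround does inside tmsh.
            rendered.append(f'\\"{bare}\\"' if needs_quotes(bare) else bare)
        cmds.append(
            f"{BASE} add {{ {name} {{ value add {{ {' '.join(rendered)} }} }} }}")
    cmds.append("save sys config")
    return cmds


if __name__ == "__main__":
    for option, value in find_stripped_values(SAMPLE_AFTER_RELOAD):
        print(f"quotes missing: {option} = {value}")
    print("\n".join(repair_commands(SAMPLE_AFTER_RELOAD)))
```

Run it against saved `tmsh list` output after any event listed under Conditions that reloads the configuration from file, since the workaround does not persist across such reloads.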
994365-4 : Inconsistency in tmsh 'object mode' for some configurations
Links to More Info: BT994365
Component: TMOS
Symptoms:
Tmsh does not support object mode when modifying certain configurations, such as the node configuration. This results in a misleading 'not found' error even though the configuration is available.
Conditions:
Modifying the node config results in an error, even though the config is present.
# Node Object 'example' is created successfully
(tmos)# create ltm node example address 1.2.3.4
# On modifying the node 'example', tmsh gives error
(tmos)# modify ltm node example
Data Input Error: node "example" not found
The modify command does work when a property is specified:
(tmos)# modify ltm node example description "Node 1234"
Impact:
Inconsistent tmsh syntax when using 'object mode' for modifying the configuration.
Workaround:
Use 'tmsh modify' commands, or the GUI, to make the required changes without 'entering' the object in tmsh.
994361-4 : Updatecheck script hangs/Multiple updatecheck processes
Links to More Info: BT994361
Component: TMOS
Symptoms:
Multiple updatecheck and 'rpm -qf' processes running simultaneously.
Updatecheck is not functional
Conditions:
Updatecheck is run periodically via a cronjob. Updatecheck runs 'rpm -qf' command.
Impact:
The 'rpm -qf' command hangs. This causes multiple updatecheck and 'rpm -qf' processes to run at the same time, with high CPU and memory usage.
The most likely explanation is that rpmdb has gotten corrupted.
Workaround:
To rebuild rpmdb:
1. Halt all running updatecheck and 'rpm -qf' processes.
2. Run these commands:
rm /var/lib/rpm/__db*
rpm --rebuilddb
994269-3 : Message: 'double flow removal' in LTM log file
Links to More Info: BT994269
Component: Local Traffic Manager
Symptoms:
The LTM log contains messages similar to the following:
Oops @ 0x290cfa0:1129: double flow removal.
Conditions:
FastL4 virtual server with iRule containing the FLOW_INIT command.
Impact:
Memory_usage_stat and tmm/umem_usage_stat might reflect incorrect values under increased traffic load when the underlying double flow removal messages persist continuously on the blades.
Workaround:
None
994221-4 : ZoneRunner returns error 'Resolver returned no such record'
Links to More Info: BT994221
Component: Global Traffic Manager (DNS)
Symptoms:
ZoneRunner returns error 'Resolver returned no such record'.
Conditions:
This occurs when trying to retrieve TXT records with a single backslash.
Impact:
You are unable to manage the TXT record.
Workaround:
Use double backslashes to retrieve TXT records.
994081-3 : Traffic may be dropped with an Immediate idle timeout setting.
Links to More Info: BT994081
Component: Local Traffic Manager
Symptoms:
When the idle timeout is set to Immediate, flows may be expired while packets are buffered. Buffered packets are dropped. This can impact iRules and non-L4 virtual servers.
Conditions:
-- idle timeout set to Immediate.
-- iRules are configured
-- non-L4 virtual servers (fastl4, ip fwd, l2 fwd) are used.
-- debug tmm is in use
Impact:
Traffic is dropped.
Workaround:
You can use either workaround:
-- Configure an L4 virtual server.
-- Consider removing iRules.
994013-3 : Modifying bot defense allow list via replace-all-with fails with match-order error
Links to More Info: BT994013
Component: Application Security Manager
Symptoms:
An error occurs when modifying the allow list (or in case of 'load sys config verify' with similar configuration):
01b90026:3: Bot defense profile (/Common/bot-defense-device-id-generate-before-access) error: match-order should be unique.
Conditions:
-- Either modification via replace-all-with:
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist replace-all-with { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 { match-order 2 source-address ::/32 url /bar } }
-- Or delete all, add, save and load-verify:
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist delete { all }
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist add { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 {match-order 2 source-address ::/32 url /bar}}
tmsh save sys config
load sys config verify
Impact:
You are unable to add-replace the bot defense allow list configuration
Workaround:
You can use either of the following workarounds:
-- Change match-order of defaults in profile_base.conf to use match-order 3 and up (and load config).
-- Change match-order of custom modify command (to continue with match-order 3 and up).
993921-1 : TMM SIGSEGV
Links to More Info: BT993921
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This is a rarely occurring issue associated with the iRule command 'pool XXXX member XXXX'.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use 'pool XXXX member XXXX' iRule command.
993517-4 : Loading an upgraded config can result in a file object error in some cases
Links to More Info: BT993517
Component: Local Traffic Manager
Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:
-- 0107134a:3: File object by name (DEFAULT) is missing.
If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.
Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).
Impact:
Other than the error message, there is no impact.
Workaround:
After the initial reboot, save the configuration.
993481-4 : Jumbo Frame issue with DPDK-eNIC.
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- TMM is using the DPDK driver with Cisco eNIC.
-- TMM receives a jumbo-sized packet.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
A) Use a different driver such as sock.
B) Do not use or accept Jumbo-frames. One way to perform this is to set the MTU to <= 1500 using the following tmsh command:
tmsh modify net vlan external mtu 1500
992865-2 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
Links to More Info: BT992865
Component: TMOS
Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.
Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms:
+ BIG-IP i11000 series (C123)
+ BIG-IP i15000 series (D116)
Impact:
Software SYN cookies are enabled, which has a performance impact compared to hardware mode.
Workaround:
None
992813-3 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.
Links to More Info: BT992813
Component: TMOS
Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.
As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.
For example, you may be returned the following error when attempting to supersede the domain-search option:
01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search
Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.
Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.
Impact:
You are unable to instantiate the desired management-dhcp configuration.
Workaround:
None
992253-1 : Cannot specify IPv6 management IP addresses using GUI
Links to More Info: BT992253
Component: TMOS
Symptoms:
You are unable to set the IPv6 mgmt IP address using the GUI, even if the IPv6 address format is not a short address. When you submit the change, the field is empty.
Conditions:
Attempt to set up IPv6 management address using the GUI
Impact:
You are unable to configure IPv6 management addresses using the GUI.
Workaround:
Use tmsh:
tmsh create sys management-ip <address>/<netmask>
tmsh create sys management-route default-inet6 <address>
992097-1 : Incorrect hostname is seen in logging files
Links to More Info: BT992097
Component: TMOS
Symptoms:
-- On the local blade, slot information is missing from LTM logs. Only the hostname is logged.
-- For messages received from another blade, the hostname is replaced by the word "slotX".
Conditions:
Multi-bladed VIPRION or VIPRION-based vCMP guest.
Impact:
Remote log collectors cannot identify the log message based on hostname and/or blade number.
Workaround:
None
992053-2 : Pva_stats for server side connections do not update for redirected flows
Links to More Info: BT992053
Component: TMOS
Symptoms:
Pva_stats for server side connections do not update for the re-directed flows
Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.
Impact:
PVA stats do not reflect the offloaded flow.
Workaround:
None
991765-1 : Inheritance of staging_period_in_days from policy template
Links to More Info: BT991765
Component: Application Security Manager
Symptoms:
Enforcement readiness period of newly created Policy does not get its value from Policy Template.
Conditions:
Creating new ASM Policy from a template with an Enforcement readiness period different from the default (default is 7).
Impact:
Newly created policy has an incorrect configuration.
Workaround:
Create the Policy using tmsh or REST API.
991501-2 : Pool members with HTTPS monitor may be incorrectly marked down.
Links to More Info: BT991501
Component: Local Traffic Manager
Symptoms:
A pool with an HTTPS monitor may have its members marked down due to the monitor not being able to find a matching cipher for the SSL connection. This occurs when the @STRENGTH keyword is provided in the cipher suites list in the server SSL profile used by the HTTPS monitor, because bigd does not handle this keyword correctly.
Conditions:
Problem is observed when all conditions listed below are met:
- The db variable bigd.tmm is set to disable (default setting).
- Pool is using an HTTPS monitor.
- The HTTPS monitor uses a custom server SSL profile.
- The server SSL profile uses a cipher string with @STRENGTH keyword.
Impact:
Pool members are wrongly marked down, preventing them from handling incoming traffic.
Workaround:
1. Select the cipher group instead of cipher suites in the server SSL profile.
2. Manually enter the ciphers in the desired order.
991265-1 : Persistence entries point to the wrong servers for longer periods of time
Links to More Info: BT991265
Component: Local Traffic Manager
Symptoms:
Persistence entries point to the wrong servers for longer than expected.
Conditions:
A pool member goes down, causing the persistence entry to change to a new pool member. Then, the pool member comes back up.
Impact:
The persistence entry does not change to the pool member that came back up. It does not expire as client requests using this cookie continue to refresh the persistence entry that goes to the wrong server.
This can delay recovery of the pool members when they are marked down for regular maintenance, or if all pool members are cycled up/down periodically, it causes persistence entries to point to the wrong servers for longer periods of time than necessary.
Workaround:
None.
990929-4 : Status of GTM monitor instance is constantly flapping
Links to More Info: BT990929
Component: Global Traffic Manager (DNS)
Symptoms:
Status of GTM monitor instance is constantly flapping.
Conditions:
GTM devices in a GTM sync group are configured with IP addresses that cannot communicate with each other.
Impact:
Resources are marked offline constantly.
Workaround:
Remove from the GTM server object definition the IP addresses that do not communicate with each other.
990853-4 : Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway.
Links to More Info: BT990853
Component: TMOS
Symptoms:
The mcpd daemon restarts on all secondary VIPRION blades after logging error messages similar to the following example to the /var/log/ltm file:
-- err mcpd[6250]: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition
-- err mcpd[6250]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition... failed validation with error 17238410.
Conditions:
-- Multi-blade VIPRION system provisioned as vCMP host.
-- The system is configured with partitions using non-default route-domains.
-- Using the GUI, an Administrator attempts to modify the management IP address or management gateway of a vCMP guest.
-- A non-Common partition is selected in the GUI Partition drop-down menu when making the change.
Impact:
MCPD restarts, causing all other daemons on the blade to restart as well. The vCMP guests running on the affected blades suffer an outage and are unable to process traffic while the daemons restart.
Workaround:
Ensure that when you make management IP address or gateway changes to a vCMP guest, you do so while the Common partition is selected in the GUI.
990601 : APM Logs shows message "Access encountered error: "ERR_INPROGRESS. File: ../modules/hudfilter/access/access.c" without any impact on functionality.
Component: Access Policy Manager
Symptoms:
APM logs show the following message:
Access encountered error: "ERR_INPROGRESS. File: ../modules/hudfilter/access/access.c"
Conditions:
While establishing a Network Access tunnel, a prompt with the message “Revocation information ……” is displayed on the webtop. This usually occurs when using a self-signed or revoked certificate.
Impact:
No impact on functionality.
990173-4 : Dynconfd repeatedly sends the same mcp message to mcpd
Links to More Info: BT990173
Component: Local Traffic Manager
Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends the same message to mcpd.
An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.
Conditions:
This can occur when:
-- Using FQDN nodes and FQDN pool members.
-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any').
Impact:
By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
This might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.
Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.
988793-1 : SecureVault on BIG-IP tenant does not store unit key securely
Links to More Info: BT988793
Component: TMOS
Symptoms:
BIG-IP tenants running on the VELOS platform do not store the SecureVault unit key securely.
Conditions:
BIG-IP tenant running on the VELOS platform.
Impact:
The BIG-IP tenant does not utilize secure storage for unit key.
Workaround:
None
988745-2 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
Links to More Info: BT988745
Component: TMOS
Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:
-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.
-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom
Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration.
Impact:
There is no functional impact to these error messages.
Workaround:
None.
988645-2 : Traffic may be affected after tmm is aborted and restarted
Links to More Info: BT988645
Component: TMOS
Symptoms:
Traffic may be affected after tmm is aborted and restarted.
/var/log/tmm contains a lot of "DAG Proxy failed" messages.
Conditions:
-- A BIG-IP device is deployed in a VELOS tenant
-- Tmm aborts and restarts for some reason.
Impact:
Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted.
Workaround:
Reboot the tenant
987949 : Error message during boot up★
Links to More Info: BT987949
Component: TMOS
Symptoms:
Error messages are found in /var/log/ltm:
Could not retrieve DB variable for (provision.datastor): status 0xff00
Write F5 license shared memory device failed err = -5
Dossier data not available from hypervisor.
Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.
hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom
Setting /sys/kernel/debug/x86/ibpb_enabled failed. Request ibpb=0 ignored
Blade 2 turned RED: Quorum: perfect time sync, high availability (HA) TABLE offline
Device error: init Cannot get pci config register data for device 00:0e:00
do_grpc_call_to_platform: Bad return code from gRPC call to platform: 12 GRPC Message ddos:GlobalVectorPriorityRequest unsupported
Conditions:
Upgrade BIG-IP software to version 14.1.4.
Impact:
The error message is logged after the first boot after the upgrade. There is no impact on functionality and the error message can be ignored.
Workaround:
None
987885-3 : Half-open unclean SSL termination might not close the connection properly
Links to More Info: BT987885
Component: Local Traffic Manager
Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.
Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.
Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.
Workaround:
None.
987709-3 : Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition
Links to More Info: BT987709
Component: Global Traffic Manager (DNS)
Symptoms:
GTM config fails to load with errors similar to this:
01070726:3: Pool 5 /Common/cnamepool1 in partition Common cannot reference GTM wideip pool member 5 /Common/cnamepool1 gslb.mycompany.com /App2/gslb.mycompany.com 1 in partition App2
Unexpected Error: Loading configuration process failed
Conditions:
There is a wide IP with the same name in another partition as the static target CNAME pool member.
Impact:
GTM config fails to load.
Workaround:
Create the wide IP first and then add the static target CNAME pool member.
987401-4 : Increased TMM memory usage on standby unit after pool flap
Links to More Info: BT987401
Component: Local Traffic Manager
Symptoms:
TMM memory usage on a BIG-IP standby device might be substantially higher than an active device.
Conditions:
Standby device with UDP mirroring traffic and datagram-load-balancing disabled.
Impact:
The standby device may not be able to take over traffic when failover happens.
Workaround:
None.
987301-2 : Software install on vCMP guest via block-device may fail with error 'reason unknown'
Links to More Info: BT987301
Component: TMOS
Symptoms:
When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'.
-- /var/log/liveinstall may contain an error similar to:
I/O error : Input/output error
/tmp/lind_util.voCQOs/BIGIP1610/install/fsinfo.xml:1: parser error : Document is empty
-- /var/log/kern.log may contain an error similar to:
Aug 14 14:15:54 bigip1 info kernel: attempt to access beyond end of device
Aug 14 14:15:54 bigip1 info kernel: sr0: rw=0, want=3560560, limit=312712
Conditions:
This might occur after multiple attempts to install an EHF on a vCMP guest via block-device:
tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3
Impact:
Sometimes the EHF installation fails on the guest.
Workaround:
-- Retry the software installation.
-- If the software installation continues to fail, copy the ISO images into the vCMP guest, and use those to perform the installation.
987133-1 : Non-EDNS response with RCODE FORMERR are blocked by dns-qdcount-limit vector.
Links to More Info: BT987133
Component: Advanced Firewall Manager
Symptoms:
When a client sends a DNS request to a non-EDNS-capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests if the dns-qdcount-limit vector is enabled.
Conditions:
-- The client sends a DNS request to a non-EDNS-capable server.
-- The server replies with RCODE FORMERR and no DNS data.
-- The dns-qdcount-limit vector is enabled.
Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a response from the EDNS server
Workaround:
Disable the dns-qdcount-limit vector:
security dos device-config /Common/dos-device-config {
    dos-device-vector {
        dns-qdcount-limit {
            state disabled
        }
    }
}
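The distinction this issue turns on, as an added example (not F5 code, and not how AFM implements the vector): a strict QDCOUNT check beside one that lets through a header-only FORMERR response while still blocking other messages whose question count is not 1. The function names and the sample messages are constructed for illustration.

```python
import struct

FORMERR = 1  # RCODE 1, "Format error" (RFC 1035)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": flags >> 15,        # 0 = query, 1 = response
        "rcode": flags & 0x000F,
        "qd": qd, "an": an, "ns": ns, "ar": ar,
        "body": len(msg) - 12,    # bytes following the header
    }


def strict_qdcount(msg: bytes) -> str:
    """Model of the behaviour described above: any QDCOUNT other than 1 is blocked."""
    return "allow" if parse_header(msg)["qd"] == 1 else "block"


def tolerant_qdcount(msg: bytes) -> str:
    """Same check, with one exception: a response carrying RCODE FORMERR and
    nothing after the header, which is what a non-EDNS-capable server may send."""
    h = parse_header(msg)
    if h["qd"] == 1:
        return "allow"
    header_only = (h["qd"], h["an"], h["ns"], h["ar"], h["body"]) == (0, 0, 0, 0, 0)
    if h["qr"] == 1 and h["rcode"] == FORMERR and header_only:
        return "allow"
    return "block"


def header(ident, flags, qd=0, an=0, ns=0, ar=0) -> bytes:
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed sample messages (not captured traffic).
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)   # example.com A IN
OPT_RR = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)           # EDNS0 OPT record
EDNS_QUERY = header(0x1234, 0x0100, qd=1, ar=1) + QUESTION + OPT_RR
FORMERR_REPLY = header(0x1234, 0x8100 | FORMERR)                  # QR=1, header only
TWO_QUESTIONS = header(0x1235, 0x0100, qd=2) + QUESTION + QUESTION
EMPTY_NOERROR_REPLY = header(0x1236, 0x8100)                      # QR=1, RCODE 0, no question


def verdicts() -> dict:
    """Run both checks over every sample: name -> (strict, tolerant)."""
    samples = {
        "edns_query": EDNS_QUERY,
        "formerr_reply": FORMERR_REPLY,
        "two_questions": TWO_QUESTIONS,
        "empty_noerror_reply": EMPTY_NOERROR_REPLY,
    }
    return {name: (strict_qdcount(m), tolerant_qdcount(m)) for name, m in samples.items()}


if __name__ == "__main__":
    for name, (strict, tolerant) in verdicts().items():
        print(f"{name:22} strict={strict:5} tolerant={tolerant}")
```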
987113-2 : CMP state degraded while under heavy traffic
Links to More Info: BT987113
Component: TMOS
Symptoms:
When a VELOS 8 blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. This can show up as a dramatic drop in traffic performance.
Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.
Impact:
System performance drops dramatically.
Workaround:
Lower traffic load.
987081-4 : Alarm LED remains active on Secondary blades even after LCD alerts are cleared
Links to More Info: BT987081
Component: TMOS
Symptoms:
When a condition occurs which causes an alert message to be logged to the LCD display for a VIPRION chassis, the Alarm LED on the blade where the condition was reported may be set (to solid or flashing amber or red) according to the severity of the reported condition.
When the LCD alert messages are cleared, the Alarm LED on the Primary blade in the chassis will be cleared (or set according to remaining alert messages if only a subset of messages are cleared).
However, the Alarm LED on the Secondary blades in the chassis will not be cleared, and will continue to indicate the highest severity of the previously reported alert messages.
Conditions:
This occurs when:
-- A condition is reported by a Secondary blade in the chassis which causes its Alarm LED to be set (to solid or flashing amber or red) and a message logged to the chassis LCD display.
-- The LCD alert messages are cleared, such as by issuing the 'tmsh reset-stats sys alert lcd' command.
Impact:
The Alarm LED on one or more Secondary blades in the chassis continues to indicate an alert condition even after the previously reported alert messages have been cleared.
Workaround:
To restore the Secondary blade LEDs to their proper state, restart the fpdd daemon on each affected blade.
For example, if the Alarm LED is not reset on the blade in slot 4, issue one of the following commands from the console of the Primary blade in the chassis:
-- clsh --slot=4 "bigstart restart fpdd"
-- ssh slot4 "bigstart restart fpdd"
Alternately, you may log in to the console of the affected blade and issue the 'bigstart restart fpdd' command directly.
986937-4 : Cannot create child policy when the signature staging setting is not equal in template and parent policy
Links to More Info: BT986937
Component: Application Security Manager
Symptoms:
When trying to create a child policy, you get an error:
FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."
Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.
Impact:
You are unable to create the child policy and the system presents an error.
Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.
985925-4 : Ipv6 Routing Header processing not compatible as per Segments Left value.
Links to More Info: BT985925
Component: Local Traffic Manager
Symptoms:
The BIG-IP system should forward the packet with the Routing Header unmodified when Segments Left is 0 (zero), but it does not. It performs as expected when Segments Left is non-zero, dropping the packet and sending an ICMP error.
Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segments Left field is 0.
Impact:
When the Next Header field in the IPv6 header is Routing Header for IPv6, the BIG-IP system fails to forward the ICMPv6 Echo Request packet to the server; instead, it drops the packet.
Workaround:
None
985749-4 : TCP exponential backoff algorithm does not comply with RFC 6298
Links to More Info: BT985749
Component: Local Traffic Manager
Symptoms:
The algorithms used for TCP exponential backoff are different for SYN and non-SYN packets.
Conditions:
Using TCP.
Impact:
Retransmission timeout interval depends on the inclusion/exclusion of SYN flag.
Workaround:
None
985537-3 : Upgrade Microsoft Hyper-V driver★
Links to More Info: BT985537
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) on Azure has an issue where the BIG-IP system raises a kernel panic soon after a Network Management Agent update occurs on the host.
When performance tests are run on VE in Microsoft Azure, the BIG-IP system loses all connectivity to the pools and becomes unresponsive.
Conditions:
-- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running.
-- Running performance tests of VE in Azure.
Impact:
The BIG-IP system might restart and the GUI becomes unresponsive during performance testing.
Workaround:
None.
985401-4 : ProxySSL virtual servers should work with web acceleration (ramcache) profiles attached
Links to More Info: BT985401
Component: Local Traffic Manager
Symptoms:
Attempting to attach a web acceleration profile to a virtual server that has an SSL profile with ProxySSL enabled results in a validation error similar to:
01070734:3: Configuration error: Proxy SSL is not compatible with Web Acceleration profile on Virtual Server (<virtual server name>).
Conditions:
-- Virtual server using an SSL profile with ProxySSL enabled.
-- Attaching a web acceleration (webacceleration) profile to the virtual server.
Impact:
Unable to use the web acceleration profile with ProxySSL virtual servers.
Workaround:
Avoid using ProxySSL virtual servers with web acceleration (ramcache) profiles attached.
985001-2 : Taiwan, Hong Kong, and Macau Are Defined As Countries in DNS/GTM Topology Definition
Links to More Info: BT985001
Component: Global Traffic Manager (DNS)
Symptoms:
Taiwan, Hong Kong, and Macau are defined as countries in DNS/GTM Topology definition.
Conditions:
In GUI screen, under GSLB/Topology/Records and GSLB/Topology/Regions, 'Country' field can be used to specify Taiwan, Hong Kong, and Macau.
Impact:
Taiwan, Hong Kong, and Macau can be configured as countries in GSLB/Topology screens.
Workaround:
Change 'Country' label to 'Country/Location' and the 'Country/State' label to 'Country/Location/State'.
984897-4 : Some connections performing SSL mirroring are not handled correctly by the Standby unit.
Links to More Info: BT984897
Component: Local Traffic Manager
Symptoms:
Some of the connections performing SSL mirroring do not advance through TCP states as they should on the Standby unit.
Additionally, these connections do not get removed from the connection table of the Standby unit when the connections close. Instead, they linger on until the idle timeout expires.
Conditions:
A virtual server configured to perform SSL connection mirroring.
Impact:
Should the units fail over, some connections may not survive as expected.
Additionally, given a sufficient load and a long idle timeout, this could cause unnecessary TMM memory utilization on the Standby unit.
Workaround:
None.
984657-2 : Sysdb variable not working from tmsh
Links to More Info: BT984657
Component: Traffic Classification Engine
Symptoms:
When the cloud_only system db variable is enabled, urlcat_query returns categorization from webroot when run from tmsh.
Conditions:
The following sys db variable is enabled: cloud_only
You attempt to run the following command:
tmsh list sys db urlcat_query
Impact:
Sysdb variables do not work from tmsh.
984521-1 : Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name
Links to More Info: BT984521
Component: Application Security Manager
Symptoms:
Bot Defense profile checks if a page is not an HTML page by checking the file extension (among other ways).
If the filename contains a dot (.), the parsing is wrong and the request is not detected as incompatible. As a result, the Accept-Encoding header is removed (to allow injection in the response).
Conditions:
-- Bot Defense profile is attached to a virtual server configured with any response injection (Device ID, Browser Verification, or Single Page Application).
-- Request is sent to an incompatible file extension (one of gif,png,bmp,jpg,ico,css,mp3,mp4,mpg,avi,wmv,mov,3gp,fla,swf,js), and the filename contains a dot (.).
Impact:
Accept-Encoding header is removed, causing the server to not send a gzipped response.
Workaround:
Add this specific URL to sys db:
dosl7.parse_html_excluded_urls
983021-3 : Tmsh does not correctly handle the app-service for data-group records
Links to More Info: BT983021
Component: TMOS
Symptoms:
-- The guishell shows the app_id as the default application for the folder /Common/example_app.app and not what was specified, which was 'none'.
-- If the record has an app_id configured, the output of tmsh list data-group should list the app-service.
Conditions:
Create an application service using tmsh.
Impact:
-- Unable to properly manage the lifecycle of data-group records created via an iApp.
-- Unable to update data-group records at all via iControl REST, because the entire set of records must be managed altogether, and strict-updates prevents the existing records from being modified.
-- Inconsistent behavior across a save-and-load operation.
(The app-service is not serialized to the configuration, so after save and load, the app-service is dropped from the data-group records.)
Workaround:
After every iApp template deploy/update, run the following command:
tmsh save sys config && tmsh load sys config
982993-3 : Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail
Links to More Info: BT982993
Component: Local Traffic Manager
Symptoms:
Gateway ICMP monitors configured with IPv6 destinations and IPv6 transparent nexthop do not work if the IPv6 destination address is not directly connected, but reachable via an intermediate hop.
Conditions:
An IPv6 monitor's destination address is not directly connected, but reachable via intermediate hop.
Impact:
Monitor status remains DOWN.
Workaround:
Consider monitoring the actual target.
982817 : TMM crash when executing iRule command ACCESS::respond from HTTP_REQUEST event
Links to More Info: BT982817
Component: Access Policy Manager
Symptoms:
ACCESS::respond inside an HTTP_REQUEST event causes tmm to crash.
Conditions:
Using an iRule like the following:
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/redirect_url"} {
        ACCESS::respond 302 Location "/new_redirected_url"
    }
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Replace the ACCESS::respond command with the HTTP::respond command:
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/redirect_url"} {
        HTTP::respond 302 Location "/new_redirected_url"
    }
}
982801-4 : AGC hardening
Links to More Info: BT982801
Component: Guided Configuration
Symptoms:
AGC does not follow current best practices.
Conditions:
- APM is provisioned
- AGC used for Azure AD Application
Impact:
AGC does not follow current best practices.
Workaround:
N/A
981485-3 : Neurond enters a restart loop after FPGA update.
Links to More Info: BT981485
Component: TMOS
Symptoms:
After FPGA firmware upgrade, the neurond process might enter a restart loop, unable to recover.
When the problem is present you might see logs similar to:
-- notice chmand[6674]: 012a0005:5: FPGA PNP FW upgrade check: req type 0, file:Latest
-- notice chmand[6674]: 012a0005:5: FPGA: Requesting type: 0, vers: Latest
-- notice chmand[6674]: 012a0005:5: FPGA: current type: 2, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.23.5.0_d20.06.11.00.bit
-- notice chmand[6674]: 012a0005:5: FPGA: match for type: 0, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.6.7.0_d20.06.11.00.bit
-- notice chmand[6674]: 012a0005:5: removed /var/db/mcpdb.* FPGA current disk firmware updated to: /L7L4_BALANCED_FPGA type: 0
-- notice chmand-fpga-pnp[17551]: Stopping TMM, BCM56xxd, and neurond
-- notice logger[17553]: /bin/bash /etc/init.d/fw_pnp_upgrade upgrade restart ==> /usr/bin/bigstart stop tmm bcm56xxd neurond
Conditions:
FPGA firmware mismatch, leading to FPGA firmware upgrade.
Impact:
Enhanced flow acceleration provided by the Neuron chip cannot be utilized.
Workaround:
Perform a full system restart.
981145-4 : DoS events do not include the attack name for "tcp syn ack flood"
Links to More Info: BT981145
Component: Advanced Firewall Manager
Symptoms:
BIG-IQ does not display the attack name for a 'tcp syn ack flood' attack.
Conditions:
DoS on BIG-IP enabled to address 'tcp syn ack flood' attack.
Impact:
Lack of DoS attack information. The mitigation occurs as expected. Only the notification information is missing.
Workaround:
None.
979213-3 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
Links to More Info: BT979213
Component: Local Traffic Manager
Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.
The spikes may report unrealistically high levels of traffic.
Note: Detailed throughput graphs are not affected by this issue.
Conditions:
This issue occurs when the following conditions are met:
-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.
Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.
Workaround:
None.
979045-4 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms
Links to More Info: BT979045
Component: TMOS
Symptoms:
After installing an Engineering Hotfix version of BIG-IP v14.1.0 or later on certain BIG-IP hardware systems, the Trusted Platform Module (TPM) status shows as INVALID.
Conditions:
This may occur:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
- ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
- ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
- ID963017 (https://cdn.f5.com/product/bugtracker/ID963017.html)
-- The issue is observed only on the following platforms:
- i11600 / i11800
- i11400-DS / i11600-DS / i11800-DS
Impact:
The TPM status INVALID indicates that the system integrity is compromised when it is actually valid.
Workaround:
None.
978953-1 : The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up
Links to More Info: BT978953
Component: Local Traffic Manager
Symptoms:
During the initial boot of the device, the MTU of the tmm_bp kernel interface is out of sync with the value of sys db vlan.backplane.mtu, and also with the MTU displayed by the following commands:
tmsh show /net vlan all-properties -hidden
tmsh list net vlan tmm_bp all-properties -hidden
Additionally, if you run the following command (with a value within the accepted range) and save the configuration, the change does not last through a reboot:
modify sys db vlan.backplane.mtu value <some value>
Conditions:
This issue occurs on the first boot intermittently.
Impact:
When the values are out of sync, a change to the backplane VLAN MTU does not last through a reboot, even after the configuration is saved.
Workaround:
Rebooting the device resolves the issue.
977953-1 : Show running config interface CLI could not fetch the interface info and crashes the imi
Links to More Info: BT977953
Component: TMOS
Symptoms:
The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running.
If you run 'show running-config interface', imi crashes.
Conditions:
1. nsm and bgpd are the daemons running.
2. Run the "show running-config" command
Impact:
Imish cannot retrieve interface information from the show running-config command.
Workaround:
* Enable OSPF. For example,
# tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 }
# ps -ef | egrep -i ospf
root 11954 4654 0 11:25 ? S 0:00 ospf6d%0
977657-1 : SELinux errors when deploying a vCMP guest.
Links to More Info: BT977657
Component: TMOS
Symptoms:
An error occurs:
SELinux avc: denied { write } for pid=9292 comm="rpm" name="rpm".
Conditions:
The error occurs when the system is started back up after provisioning VCMP.
Impact:
SELinux avc is denied write permission for rpm_var_lib_t.
977625-4 : GTM persistence records linger in tmm
Links to More Info: BT977625
Component: Global Traffic Manager (DNS)
Symptoms:
-- GTM persistence records are not cleared.
-- GTM still answers from persist records even though the persist records are not listed by the "tmsh show gtm persist" command.
Conditions:
Persistence for wideip or application is disabled and then enabled quickly afterwards
Impact:
GTM answers from stale persist records.
Workaround:
Do not enable persistence right after disabling.
977153-4 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded
Links to More Info: BT977153
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.
Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segments Left field is 0.
Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.
Workaround:
None.
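The expected handling that this entry and ID 985925 both describe (Routing Header Type 0 with Segments Left 0 passes untouched, non-zero Segments Left is dropped with an ICMP error), as an added example that is not F5 code. It assumes the Routing Header directly follows the IPv6 header, as in the listed conditions; the function names and sample packets are constructed, and the ICMPv6 Parameter Problem values are those RFC 5095 prescribes for RH0.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40
NH_ROUTING = 43            # Next Header value for the IPv6 Routing Header
NH_ICMPV6 = 58
ICMPV6_PARAM_PROBLEM = 4   # type 4, code 0 = erroneous header field encountered


def classify_rh0(packet: bytes) -> dict:
    """Return the disposition for a packet whose IPv6 header is followed by RH0."""
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if packet[6] != NH_ROUTING:
        return {"action": "pass", "reason": "no Routing Header after the IPv6 header"}

    rh = packet[IPV6_HEADER_LEN:]
    if len(rh) < 8:
        raise ValueError("truncated Routing Header")
    next_header, hdr_ext_len, routing_type, segments_left = rh[:4]
    if len(rh) < (hdr_ext_len + 1) * 8:
        raise ValueError("Routing Header longer than the packet")

    if routing_type != 0:
        return {"action": "out-of-scope", "reason": f"routing type {routing_type}"}
    if segments_left == 0:
        # The header is ignored, not stripped: the packet goes on unmodified.
        return {"action": "pass", "reason": "RH0 with Segments Left 0",
                "upper_protocol": next_header}
    return {
        "action": "drop",
        "reason": "RH0 with non-zero Segments Left",
        "icmpv6_type": ICMPV6_PARAM_PROBLEM,
        "icmpv6_code": 0,
        # Pointer = offset of the Routing Type byte within the original packet.
        "pointer": IPV6_HEADER_LEN + 2,
        "reply_to": str(ipaddress.IPv6Address(packet[8:24])),
    }


def build_sample(segments_left: int) -> bytes:
    """Constructed ICMPv6 Echo Request behind an RH0 (documentation addresses)."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    hops = [ipaddress.IPv6Address(f"2001:db8::{i + 16:x}").packed
            for i in range(segments_left)]
    # RH0: next header, Hdr Ext Len (2 units per address), type 0, Segments Left,
    # 4 reserved bytes, then the address list.
    rh = bytes([NH_ICMPV6, 2 * len(hops), 0, segments_left]) + b"\x00" * 4 + b"".join(hops)
    echo = struct.pack("!BBHHH", 128, 0, 0, 1, 1)   # checksum left at 0 in this sample
    payload = rh + echo
    ipv6 = struct.pack("!IHBB", 6 << 28, len(payload), NH_ROUTING, 64) + src + dst
    return ipv6 + payload


if __name__ == "__main__":
    for segs in (0, 1):
        print(segs, classify_rh0(build_sample(segs)))
```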
977113-4 : Unable to configure dependency for GTM virtual server if pool member dependency exists
Links to More Info: BT977113
Component: Global Traffic Manager (DNS)
Symptoms:
The following error is displayed when configuring GTM virtual server dependency:
01020037:3: The requested GTM depends (/Common/Generic-Host GH-VS1 /Common/DC1-DNS1 /Common/VS1) already exists.
Conditions:
The pool member dependency exists for the same virtual server.
Impact:
Not able to configure GTM virtual server dependency at GTM server level.
Workaround:
First create the GTM virtual server dependency at the GTM server level, and then create the pool member dependency.
976525-2 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled
Links to More Info: BT976525
Component: Local Traffic Manager
Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.
Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.
Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.
Workaround:
Use either of the following workarounds:
-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable
-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.
976101-1 : TMM crash after deleting an interface from a virtual wire vlan
Links to More Info: BT976101
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
-- Virtual wire enabled
-- Delete an interface from the virtual wire vlan.
Impact:
Traffic disrupted while tmm restarts.
976013-3 : If bcm56xxd starts while an interface is disabled, the interface cannot be enabled afterwards
Links to More Info: BT976013
Component: TMOS
Symptoms:
A disabled interface is not getting enabled.
Conditions:
-- An interface is disabled
-- bcm56xxd is restarted
Impact:
The interface remains in the disabled state and no traffic passes via that interface.
Workaround:
Restart bcm56xxd again.
975725-2 : Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast
Links to More Info: BT975725
Component: Local Traffic Manager
Symptoms:
L3 unicast traffic with L2 broadcast destination MAC (ff:ff:ff:ff:ff:ff) matching wildcard virtual servers is not handled properly.
Conditions:
Wildcard virtual server is configured to handle such traffic.
Impact:
Traffic will not be forwarded properly.
Workaround:
Use a specific non-wildcard virtual server.
974985-4 : Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable
Component: Application Security Manager
Symptoms:
Non-HTTP traffic is not forwarded to the backend server.
Conditions:
- ASM provisioned
- DoS Application or Bot Defense profile assigned to a virtual server
- DOSL7::disable applied in when CLIENT_ACCEPTED {}
Impact:
Broken webapps with non-http traffic
Workaround:
Instead of using DOSL7::disable, redirect non-http traffic to non-http aware virtual server using the iRule command virtual <virtual_server_name>
974513-3 : Dropped requests are reported as blocked in Reporting/charts
Links to More Info: BT974513
Component: Application Security Manager
Symptoms:
Dropped requests are reported as blocked in Reporting/charts.
Conditions:
Request is dropped (or client side challenge / captcha is not answered) as part of a brute force mitigation or a slow post attack causes dropping of a request.
Impact:
Data reported might be incorrect. There is a filter for dropped requests which, when selected, does not show anything, even when there are drops.
Workaround:
None.
974501-3 : Excessive memory usage by mirroring subsystem when remirroring
Links to More Info: BT974501
Component: Local Traffic Manager
Symptoms:
Aggressive sweeper messages are seen in /var/log/ltm similar to the following:
Dec 31 02:35:44 bigip1 warning tmm[25306]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory). (26227799/30854144 pages)
In severe cases, tmm might restart and generate a core file due to an out of memory condition.
Conditions:
The active BIG-IP has a large number of mirrored fastL4 connections.
The active BIG-IP reconnects the statemirror connection to the standby BIG-IP. This is indicated by messages similar to the following in /var/log/ltm:
Dec 31 02:35:37 bigip1 err tmm[25306]: 01340001:3: high availability (HA) Connection with peer 10.25.0.11:1029 for traffic-group /Common/traffic-group-1 established.
Impact:
A portion of the connections handled by the BIG-IP might be dropped causing traffic interruption for those connections. In severe cases, tmm might restart causing traffic interruption.
974409-1 : False Positive "Surfing Without Human Interaction"
Component: Application Security Manager
Symptoms:
When using Bot Defense profile, and an application contains many HTML pages which are not qualified (not even accept: text/html), a "Surfing Without Human Interaction" anomaly is mis-counted and falsely raised.
Conditions:
-- Bot Defense Profile is attached to a virtual server.
-- The application contains many HTML pages which can be detected as such from the request.
Impact:
Real clients might or might not be blocked; it depends on the environment.
Workaround:
None.
974193-3 : Error when trying to create a new f5.vmware_view.v1.5.9 iApp
Links to More Info: BT974193
Component: iApp Technology
Symptoms:
Error when trying to create a f5.vmware_view.v1.5.9 iApp
Configuration Warning: New virtual address (/Common/10.10.10.10) used by server with access profile attached has traffic group (/Common/traffic-group-1) that is different from existing one (/Common/traffic-group-exchange). Change it to the existing one
Conditions:
-- Create a new f5.vmware_view.v1.5.9 iApp
-- iApp uses a traffic group other than the default traffic-group-1
Impact:
Unable to create new f5.vmware_view.v1.5.9 iApp
Workaround:
None.
973341-4 : Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt
Links to More Info: BT973341
Component: Global Traffic Manager (DNS)
Symptoms:
The bigip_add, big3d_install, and gtm_add scripts will not work.
Conditions:
Device cert is customized.
Impact:
The bigip_add, big3d_install, and gtm_add scripts do not work.
Workaround:
Copy the content of the new cert to default file "/etc/httpd/conf/ssl.crt/server.crt".
972785-4 : Unable to create virtual server with a non-zero Route Domain for custom partition via iControl SOAP
Links to More Info: BT972785
Component: TMOS
Symptoms:
While creating a virtual server using iControl SOAP you get an error:
error_string : 0107004d:3: Virtual address (/VPN_WEB_01/0.0.0.0%201) encodes IP address (0.0.0.0%201) which differs from supplied IP address field (10.10.10.50%201).'
Conditions:
-- Using iControl SOAP to create a virtual server.
-- The virtual server is assigned to a partition that uses a non-default route domain.
Impact:
Unable to create the virtual server with the iControl SOAP command.
Workaround:
First create the virtual server with a default Virtual Address ('0.0.0.0'), and then update the virtual address with the desired address.
Example:
ltm.LocalLB.VirtualServer.create([{'name': 'vs_test_9095', 'address': '0.0.0.0', 'port': 9090, 'protocol': 'PROTOCOL_TCP'}], ['255.255.255.255'], [{'type': 'RESOURCE_TYPE_POOL'}], [[{'profile_context': 'PROFILE_CONTEXT_TYPE_ALL', 'profile_name': 'fastL4'}]])
ltm.LocalLB.VirtualServer.set_destination_v2(['vs_test_9095'],[{'address': '10.10.10.50', 'port': 9090}])
972709 : Bot defense print "No chal chk - cannot get anomaly action" errors to log
Links to More Info: BT972709
Component: Application Security Manager
Symptoms:
Bot defense is enabled and "No chal chk - cannot get anomaly action" errors are printed to the log.
Conditions:
Bot defense is enabled and "Browser Verification" is used
Impact:
Errors are periodically printed to the log. They can be ignored.
Workaround:
N/A
971217-3 : AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.
Links to More Info: BT971217
Component: Local Traffic Manager
Symptoms:
An HTTP Security profile can be created and enabled within Advanced Firewall Manager's Protocol Security options. The HTTP Security Profile contains various protocol checks that can be enabled and disabled to allow customization of security checks. When the "Unparsable request content" check is selected, BIG-IP will incorrectly indicate that HTTP POST requests with Content-Length:0 are not allowed assuming that these requests are unparsable. POST requests with Content-Length:0 can still be checked by enabling the "POST request with Content-Length: 0" option in the same profile.
Conditions:
-- HTTP Protocol Security Profile configured with the "Unparsable request content" check.
-- Client sends HTTP POST request with Content-Length:0
Impact:
POST requests of Content-Length 0 cannot be disabled separately from general "Unparsable request content".
Workaround:
None.
969553-3 : A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries.
Links to More Info: BT969553
Component: Global Traffic Manager (DNS)
Symptoms:
- A DNS Cache (or Network DNS Resolver) returns SERVFAIL responses to clients, despite the BIG-IP system receiving a good (albeit delayed) response from upstream servers.
- When this happens, the BIG-IP system rejects the responses from the upstream servers with ICMP errors (Destination unreachable - Port unreachable).
- If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs:
debug tmm[13147]: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point
- If a Network DNS Resolver is used with an HTTP Explicit Proxy profile, the symptoms can appear as "503 Service Unavailable" responses to clients due to DNS lookup failure.
Conditions:
This issue occurs when the following conditions are met:
- A DNS Cache (or Network DNS Resolver) is in use on the BIG-IP system.
- The aforementioned object is configured with a forward-zone that uses multiple servers to perform resolutions.
- The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain.
- 'Randomize Query Character Case' is enabled in the DNS Cache (or Network DNS Resolver).
- If the requests for the domain take a long time to resolve, BIG-IP may reply with SERVFAIL.
Impact:
Clients of the BIG-IP DNS Cache (or Network DNS Resolver) are not returned an answer. As a result, application failures may occur.
Workaround:
You can work around this issue by changing 'Randomize Query Character Case' to 'No' in the DNS Cache (or Network DNS Resolver) settings.
969329-1 : Dashboard: Chart title/legend 'Control Plane' needs to be modified within dashboard of BIG-IP
Links to More Info: BT969329
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) uses a virtualized core, so there is no hyper-threading. This means the data plane and control plane share a single CPU core. However, the Dashboard allows you to select CPU data for 'Control Plane' beside System Average.
Conditions:
View GUI Dashboard on BIG-IP VE or HTsplit-disabled appliances.
Impact:
Dashboard chart title creates confusion.
Workaround:
None.
968953-4 : Unnecessary authorization header added in the response for an IP intelligence feed list request
Links to More Info: BT968953
Component: Advanced Firewall Manager
Symptoms:
Empty authorization header in the response for an IP intelligence feed list request.
Conditions:
Feed list configured without username/password pair.
Impact:
Feed List request from dwbld adds unnecessary Authorization header. There is no functional impact.
Workaround:
None.
968949-4 : Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile
Links to More Info: BT968949
Component: Local Traffic Manager
Symptoms:
When a client-side connection goes into FIN_WAIT_2, BIG-IP does not send keepalives even if they are being sent on the server-side connection.
Conditions:
- Virtual server configured with a TCP profile and network listener.
Impact:
Client-side connections time out prematurely.
As a result, the server-side connections end up being open indefinitely.
Workaround:
No workaround currently known.
968581-3 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description
Links to More Info: BT968581
Component: Local Traffic Manager
Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option to output the number of records designated in this parameter. Due to the calculation algorithm, the command may output fewer records than RAMCACHE stores or more records than the limit prescribes.
Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.
Impact:
Output of the command may not match the actual list of stored documents in RAMCACHE.
968509 : Response headers are not parsed correctly causing subsequent requests stall at BIG-IP
Component: Local Traffic Manager
Symptoms:
Web browsers are able to connect to a virtual server and send a POST request, but subsequent requests fail.
Conditions:
-- Standard virtual server with the default http profile
-- Client sends a POST request with Expect: 100-continue header, but does not send a POST body
-- Back-end web server returns 401 Not Authorized and a long response body
Impact:
Subsequent client requests stall at the BIG-IP.
967737-4 : DNS Express: SOA stops showing up in statistics from second zone transfer
Links to More Info: BT967737
Component: Global Traffic Manager (DNS)
Symptoms:
Start of Authority (SOA) record is not displayed in zone statistics.
Conditions:
The issue appears after the 2nd zone transfer.
Impact:
This is a cosmetic issue without any actual impact.
Workaround:
None
967557-3 : Improve apm logging when loading sys config fails due to corruption of epsec rpm database
Links to More Info: BT967557
Component: TMOS
Symptoms:
Loading sys config fails and mcpd may not be running properly due to corruption of EPSEC rpm database. It is difficult to tell from logs that the issue is with epsec rpm database. This error may be the only indication:
emerg load_config_files[10761]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.
Conditions:
Loading of sys config fails due to corruption of EPSEC rpm database.
Impact:
Difficult to troubleshoot the root cause for config load failure.
967425-3 : mcp error: 0x1020036 at ../mcp/db_pool.c:461
Component: Local Traffic Manager
Symptoms:
After a node has been 'moved' / renamed, modification of objects referencing the node may result in a database error and issues with the intended action.
In particular, when a node that is associated with a pool is moved, the move appears to be successful; however, modifying the session / user status afterwards results in an error:
mcp error: 0x1020036 at ../mcp/db_pool.c:461
Conditions:
In particular, when a node that is associated with a pool is moved, the move appears to be successful; however, modifying the session / user status afterwards results in a DB error.
Impact:
After modifying the pool, an error will be logged.
Connections will continue to be accepted despite all members in the pool being down/disabled.
967353-4 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
Links to More Info: BT967353
Component: Local Traffic Manager
Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.
Conditions:
-- HTTP profile is enabled on the BIG-IP system.
-- Server sends an HTTP response in which one or more header field names are separated from the trailing colon by a space.
Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.
Workaround:
None
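The normalization a proxy is expected to apply here, as an added example (not F5 code): RFC 7230 section 3.2.4 requires a proxy to remove whitespace between a field-name and the colon in a response before forwarding it downstream, and requires a server to reject a request carrying such whitespace with 400 (Bad Request). The example goes one step beyond the response case on this page by also checking requests; the function names and sample messages are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# RFC 7230 "token": the only characters allowed in a header field-name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class HeaderSyntaxError(ValueError):
    """Raised for a field line that must not be forwarded as-is."""


def split_head(head: bytes) -> Tuple[bytes, List[bytes]]:
    """Split a message head into its start line and its field lines."""
    lines = head.split(b"\r\n")
    while lines and lines[-1] == b"":      # drop the terminating empty lines
        lines.pop()
    if not lines:
        raise HeaderSyntaxError("empty message head")
    return lines[0], lines[1:]


def normalize_field(line: bytes, is_response: bool) -> bytes:
    """Return the field line with no whitespace between field-name and colon."""
    name, colon, value = line.partition(b":")
    if not colon:
        raise HeaderSyntaxError("field line without a colon")
    trimmed = name.rstrip(b" \t")
    # Folded (obs-fold) continuation lines start with whitespace and fail here.
    if not TOKEN.fullmatch(trimmed):
        raise HeaderSyntaxError("invalid field-name")
    if trimmed != name and not is_response:
        raise HeaderSyntaxError("whitespace before colon in a request")
    return trimmed + b": " + value.strip(b" \t")


def normalize_response_head(head: bytes) -> bytes:
    """Proxy side: repair a server response head before sending it downstream."""
    status_line, fields = split_head(head)
    fixed = [normalize_field(f, is_response=True) for f in fields]
    return b"\r\n".join([status_line] + fixed) + b"\r\n\r\n"


def request_rejection_status(head: bytes) -> Optional[int]:
    """Server side: 400 if the request head must be rejected, else None."""
    _, fields = split_head(head)
    try:
        for f in fields:
            normalize_field(f, is_response=False)
    except HeaderSyntaxError:
        return 400
    return None


# Constructed samples: a response with a space and a tab before the colon.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type : text/html\r\n"
                   b"Content-Length\t: 5\r\n"
                   b"Server: demo\r\n\r\n")
SAMPLE_BAD_REQUEST = (b"POST /login HTTP/1.1\r\n"
                      b"Host: app.example\r\n"
                      b"Content-Length : 0\r\n\r\n")

if __name__ == "__main__":
    print(normalize_response_head(SAMPLE_RESPONSE).decode())
    print(request_rejection_status(SAMPLE_BAD_REQUEST))
```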
967249-3 : TMM may leak memory early during its startup process, and may continue to do so indefinitely.
Links to More Info: BT967249
Component: Local Traffic Manager
Symptoms:
TMM leaks memory in the packet and xdata components. The aggressiveness of the leak depends on how much traffic TMM receives from the Linux host subsystem.
Conditions:
- A BIG-IP system running more than 1 TMM instance.
- Early during its startup process, TMM begins receiving traffic from the Linux host subsystem destined to the network (e.g., remote syslog traffic routed to its destination through TMM).
- Depending on the system's configuration, TMM attempts to set up flow forwarding for the aforementioned traffic. This may happen, for instance, if the egress VLAN is configured for 'cmp-hash src-ip'.
- TMM hasn't fully completed its startup process yet.
Impact:
TMM leaks memory.
If the flow set up during early TMM startup continues to receive a constant stream of new packets, then the flow may live on indefinitely, and TMM may continue to leak memory indefinitely.
In the example of remote syslog traffic, this could happen, for instance, if the box keeps logging messages at a sustained rate.
Eventually, TMM may be unable to allocate any more memory and crash. Traffic disrupted while tmm restarts.
Workaround:
You can work around this issue by ensuring that TMM does not receive any traffic from the Linux host subsystem for forwarding during early startup.
In the example of remote syslog destinations, you could specify the management IP address of the system as the source IP address for the traffic, thus forcing the traffic out of the management port instead of TMM. This implies the management port has a suitable working route to the destination.
966949-3 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
Links to More Info: BT966949
Component: TMOS
Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.
Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230
This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.
Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since it is not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.
Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")
966785-3 : Rate Shaping stops TCP retransmission
Links to More Info: BT966785
Component: Local Traffic Manager
Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.
Conditions:
This issue occurs when both of the following conditions are met:
-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.
Impact:
The BIG-IP system does not retransmit unacknowledged data segments.
Workaround:
None
966633-3 : Policy entity search with non-ASCII value filter returns no results in REST/GUI in non-UTF-8 policies
Links to More Info: BT966633
Component: Application Security Manager
Symptoms:
WAF policy entities (such as parameters) are not found when filtering by non-ASCII values in REST/GUI in non-UTF-8 policies.
Conditions:
WAF policy is defined as non-UTF-8, and a non-ASCII value is used in an entity search filter.
Impact:
No results are returned.
Workaround:
None
966613-3 : Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’
Links to More Info: BT966613
Component: Application Security Manager
Symptoms:
Perl error returned when saving new XML content profile using wsdl file with empty soap:address node "<soap:address/>".
Conditions:
Creating a new content profile using a wsdl file which contains a "<soap:address/>" node which does not have a "location" attribute value.
When this content profile is saved, ASM attempts to create an associated URL with no value, which fails validation.
Impact:
After trying to save the content profile, you see an error message: "Could not create XML Profile; Error: DBD::mysql::db do failed: Column 'object_uri' cannot be null"
Workaround:
Delete the node "<soap:address/>" from the wsdl file
966461-4 : Tmm leaks memory after each DNSSEC query when netHSM is not connected
Links to More Info: BT966461
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm memory increases per DNSSEC query.
Conditions:
NetHSM is configured but is disconnected
Impact:
Tmm high memory consumption.
Workaround:
Connect the netHSM.
965941-3 : Creating a net packet filter in the GUI does not work for ICMP for IPv6
Links to More Info: BT965941
Component: TMOS
Symptoms:
When using the GUI to create a 'net packet-filter' rule to block ICMP packets, the filter does not block IPv6 packets.
Conditions:
-- Using the GUI to create a packet filter rule to block incoming ICMP packets.
-- Attempting to block an IPv6 address.
Impact:
Packets get through the filter unexpectedly.
Workaround:
Modify the packet filter manually using tcpdump syntax. For example, the following syntax is used to block ICMP packets for both IPv4 and IPv6:
icmp or icmp6
965897-3 : Disruption of mcpd with a segmentation fault during config sync
Links to More Info: BT965897
Component: Advanced Firewall Manager
Symptoms:
The mcpd process on the peer device fails with a segfault, restarts, and then segfaults again in a loop.
Numerous messages may be logged in the "daemon" logfile of the following type:
emerg logger[2020]: Re-starting mcpd
Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs
Impact:
Continuous restarts of mcpd process on the peer device.
Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.
# tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP
965837-1 : When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection
Links to More Info: BT965837
Component: Access Policy Manager
Symptoms:
When BIG-IP is configured with a PingAccess profile and an SSL profile is associated with both the BIG-IP virtual server and a ping access configuration, an active connection to the virtual server may lead to a TMM crash.
Conditions:
-- SSL is configured on both the BIG-IP virtual server that contains the ping access profile and ping access configuration.
-- Active connection to the BIG-IP virtual server
-- Config sync is triggered or "tmsh load sys config" is triggered
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
965777-3 : Per-request policy authentication becomes unresponsive
Links to More Info: BT965777
Component: Access Policy Manager
Symptoms:
Per-request policy execution can appear to be slow during subroutine evaluation, and apmd appears to take a large amount of CPU.
Conditions:
The per-request policy is using subroutine to execute an authentication related agent that is dispatched to apmd for completion. These typically involve authentication agents that interact with an external authentication server, such as LDAP, RADIUS, or AD.
Impact:
Connectivity may be impaired or lost.
Workaround:
Fail over the high availability (HA) pair, or restart apmd.
965457-3 : OSPF duplicate router detection might report false positives
Links to More Info: BT965457
Component: TMOS
Symptoms:
OSPF duplicate router detection might report false positives
Conditions:
A router sends an LSA that is looped in the network and sent back to its origin.
Impact:
Cosmetic
965053-1 : [Regression of ID787881 & ID761032] DNSX fails to sign zone transfer using tsig key after failure
Links to More Info: BT965053
Component: Global Traffic Manager (DNS)
Symptoms:
DNSX fails to sign zone transfer using tsig key.
Conditions:
A transfer error occurs while DNSX is initializing.
Impact:
DNSX zones are not being updated.
Workaround:
Re-enter the tsig key secret.
964989-1 : AFM DOS half-open does not handle wildcard virtual servers properly.
Links to More Info: BT964989
Component: Advanced Firewall Manager
Symptoms:
AFM DOS half-open vector does not handle wildcard virtual servers properly.
Conditions:
-- Wildcard virtual-server.
-- AFM DOS half-open vector configured.
-- Attacks towards multiple destinations covered by a single virtual-server.
Impact:
- Wrong statistics reporting.
- Wrong status of syncookie protection.
- Unexpected traffic drops.
Workaround:
Split wildcard virtual server into a series of /32 virtual servers.
964625-2 : Improper processing of firewall-rule metadata
Links to More Info: BT964625
Component: Advanced Firewall Manager
Symptoms:
The 'mcpd' process may suffer a failure and be restarted.
Conditions:
Adding very large firewall-policy rules, whether manually, or from config-sync, or from BIG-IQ.
Impact:
-- MCPD crashes, which disrupts both control-plane and data-plane processing while services restart.
-- Inability to configure firewall policy.
Workaround:
Reduce the number of firewall policy rules.
964617-3 : Connector error "CONNECTOR: Invalid external event HUDEVT_SENT in state Init"
Links to More Info: BT964617
Component: SSL Orchestrator
Symptoms:
The error log "CONNECTOR: Invalid external event HUDEVT_SENT in state Init" is seen in the ltm logs, and traffic might stall and ultimately be aborted/reset.
Conditions:
SSL Orchestrator with services inserted after Category lookup based on HTTP_CONNECT, and either the client side does not accept data (zero window) or the SSL Orchestrator send buffer is full for the HTTP CONNECT request response.
Impact:
Connection will stall and will be aborted / reset.
964533-4 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
Links to More Info: BT964533
Component: TMOS
Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.
Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.
Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.
There is no impact other than additional log entries.
Workaround:
None.
964421-3 : Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously'
Links to More Info: BT964421
Component: TMOS
Symptoms:
The error message '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously' is unclear.
It fails to indicate which rewrite profile has failed validation, and it is not clear that the error has something to do with the validation of rewrite profiles.
Conditions:
A BIG-IP Administrator is attempting to configure an invalid rewrite profile (one where the 'signing certificate' and 'signing key' options are not simultaneously set).
Impact:
A confusing error message is logged, which makes it difficult to know what to do next.
964125-3 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
Links to More Info: BT964125
Component: TMOS
Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.
There is more than one avenue where node statistics would be queried.
The BIG-IP Dashboard for LTM from the GUI is one example.
Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.
Impact:
Mcpd restarts, which causes services to fail over. Traffic and configuration disrupted while mcpd restarts.
963241-1 : Standby unit shows a high number of total connections after enabling mirroring.
Links to More Info: BT963241
Component: Local Traffic Manager
Symptoms:
On a high availability (HA) pair of BIG-IPs configured with mirroring enabled, some flows that are killed immediately will cause two flows to be created on the Standby device.
The flows on the Standby are short lived, with the only concerning factor being that the stats are climbing much faster than on the Active.
Conditions:
-- Mirroring enabled.
-- A connection is shut down.
Impact:
Incorrect stats on standby.
Since the issue only appears when a connection is being shut down, all of the traffic on the active device should have a working mirrored flow on the standby.
Workaround:
None.
963129-2 : RADIUS Accounting Stop message fails via layered virtual server
Links to More Info: BT963129
Component: Access Policy Manager
Symptoms:
RADIUS Stop messages do not exit the BIG-IP device after a client disconnects.
Conditions:
BIG-IP is configured with APM and multiple virtual servers and an iRule.
Impact:
RADIUS Accounting Stop is not sent.
Workaround:
None
962913-3 : The number of native open connections in the SSL profile is higher than expected
Links to More Info: BT962913
Component: Local Traffic Manager
Symptoms:
The number of native open connections in the SSL profile shows a value that is higher than expected.
Conditions:
SSL renegotiation is enabled. Other conditions are unknown.
Impact:
The SSL stats are incorrectly reading higher than expected.
Workaround:
Disable SSL renegotiation.
962605-2 : BIG-IP may go offline after installing ASU file with insufficient disk space
Component: TMOS
Symptoms:
When installing an ASU file, if there is not enough disk space in /var, the clntcp update file might become corrupted, causing datasyncd to go offline (and thus taking the entire BIG-IP system offline).
Conditions:
-- ASM/FPS provisioned.
-- Installing ASU file.
-- Not enough space in /var partition.
Impact:
Device goes offline.
Workaround:
Delete the update file:
tmsh delete security datasync update-file /Common/datasync-global/update-file-clntcap_update_ (auto complete)
962493-3 : Request is not logged
Component: Application Security Manager
Symptoms:
A request is not logged in the local and/or remote logs.
Conditions:
A request has evasions detected on very large parameters.
Impact:
A missing request in the log.
Workaround:
N/A
962489-3 : False positive enforcement of parameters with specific configuration
Component: Application Security Manager
Symptoms:
False positive parameters are being detected in the payload and enforced wrongly.
Conditions:
The URL is not defined (also not as wildcard - not defined at all) and the request has a payload.
Impact:
False positive enforcement - may lead to wrong violations and wrong blocking of requests.
Workaround:
None.
962249 : Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm
Links to More Info: BT962249
Component: TMOS
Symptoms:
Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm
Conditions:
This message shows always on all platforms.
Impact:
No functional impact.
962181-3 : iRule POLICY command fails in server-side events
Links to More Info: BT962181
Component: Local Traffic Manager
Symptoms:
BIG-IP provides an iRule command, POLICY, to retrieve information on or manipulate an LTM policy attached to a virtual server. This command fails when it is used in a server-side event such as HTTP_RESPONSE.
Conditions:
-- Configure a virtual server with one or more LTM policies.
-- The virtual server has an iRule with a POLICY command executed in a server-side event (e.g. HTTP_RESPONSE).
Impact:
A command returns an incorrect value and may cause unexpected outcomes in an iRule execution.
961653-1 : Unable to retrieve DNS link statistics via SNMP OID gtmLinkStatRate
Links to More Info: BT961653
Component: Local Traffic Manager
Symptoms:
Unable to retrieve link statistics via SNMP OID gtmLinkStatRate
config # snmpwalk -c public localhost F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate
F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate = No Such Object available on this agent at this OID
Conditions:
A BIG-IP DNS/LC system configured with link objects.
An snmpwalk for F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate is attempted and does not succeed.
Impact:
BIG-IP DNS system link statistics cannot be retrieved via SNMP.
Workaround:
No workaround.
961001-3 : ARP requests not resolved for snatpool members when primary blade goes offline
Links to More Info: BT961001
Component: Local Traffic Manager
Symptoms:
ARP requests are not resolved for snatpool members and traffic does not go through when the primary blade goes offline.
Conditions:
-- VIPRION platforms serving as AAA and Diameter virtual server to load-balance.
-- route-domain configured other than 0.
-- Radius authentication pool and snatpool are configured.
-- Primary blade goes offline and new Primary is not elected.
Impact:
Traffic fails when the primary blade goes offline.
Workaround:
Disable the primary blade that is offline.
960133-3 : AGC 8.0 installation failure
Component: Guided Configuration
Symptoms:
Attempting to install the AGC 8.0 results in the following error:
"Failed to load IApp artifacts from f5-iappslx-waf-bot-protection: java.lang.IllegalStateException: Failed to post template to block collection: ..."
Conditions:
The AGC is upgraded to a newer version via "Access >> Guided Configuration" -> "Upgrade Guided Configuration".
Impact:
AGC 8.0 package is not installed.
Workaround:
Important: This workaround will delete all existing iApp configurations.
1. Download the latest AGC 8.0 package.
2. Open a new browser tab (first) and navigate to "Access >> Guided Configuration"
3. Open a new browser tab (second) and navigate to iApps >> Templates: Templates LX. Select all templates and click “Delete”.
4. In the second tab navigate to iApps >> Package Management LX. Select all existing packages and click “Uninstall”.
5. In the first tab, click "Upgrade Guided Configuration" and install the downloaded package.
960029-3 : Viewing properties for IPv6 pool members in the Statistics page in the GUI returns an error
Links to More Info: BT960029
Component: TMOS
Symptoms:
While attempting to view the properties for pool members via the Statistics page in the GUI, you see an error:
Instance not found: /Common/1234:80
Conditions:
-- A pool with at least one pool member with an IPv6 address.
-- Attempting to view the IPv6 pool member's properties via the Statistics page in the GUI.
Impact:
Unable to see the pool member's properties.
Workaround:
Use TMSH to view pool member properties:
# tmsh show ltm pool <pool name> members {<pool members>}
959965-4 : Asmlogd stops deleting old protobufs
Component: Application Security Manager
Symptoms:
Protobuf files are being cleaned only when trying to write to the protobuf file and on startup.
Conditions:
This occurs during normal operation.
Impact:
/var/asmdata1 can run out of disk space.
Workaround:
None
959957-4 : Asmlogd stops deleting old protobufs
Links to More Info: BT959957
Component: Application Security Manager
Symptoms:
Asmlogd restarts and there are asmlogd errors:
asmlogd|ERR|Oct 19 13:46:35.199|6005|,,asmlogd ended unexpectedly
asmlogd|ERR|Oct 19 13:46:35.203|6005|,,Can't call method "size" on an undefined value at /usr/local/share/perl5/F5/RequestLog.pm line 1902.
Conditions:
Disk is full -- the following warnings are being displayed:
err diskmonitor[3483]: 011d0004:3: Disk partition /var/asmdata1 (slot 1) has only 0% free
Impact:
Old protobuf files are not cleaned up.
Workaround:
0) If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
https://support.f5.com/csp/article/K14956
https://support.f5.com/csp/article/K42497314
1) To identify the empty partitions, look into:
SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G
2) For every partition that is empty, manually (or via shell script) execute this SQL:
ALTER TABLE PRX.REQUEST_LOG DROP PARTITION empty_partition_name
where 'empty_partition_name' is the partition name, such as 'p100001'.
4) Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
bigstart restart mysql
--------------------------------
5) pkill asmlogd
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
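Step 2 of the workaround above, as an added example (not F5's code): a shell function that turns a partition listing into ALTER TABLE statements for review. It assumes a partition is empty when its TABLE_ROWS column is 0 and that the listing is a tab-separated query result of PARTITION_NAME and TABLE_ROWS; the function names and sample rows are constructed.

```shell
#!/bin/sh
# Added example, not F5 code. Assumption: a partition counts as empty when
# INFORMATION_SCHEMA.PARTITIONS reports TABLE_ROWS = 0 for it.
#
# On a real system the listing would come from a tab-separated query such as:
#   mysql -N -B -e "SELECT PARTITION_NAME, TABLE_ROWS
#                   FROM INFORMATION_SCHEMA.PARTITIONS
#                   WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'"
# (credentials omitted).

# Constructed sample listing: <PARTITION_NAME><TAB><TABLE_ROWS>, one per line.
sample_listing() {
    printf 'p100001\t0\n'
    printf 'p100002\t48213\n'
    printf 'p100003\t0\n'
    printf 'p1000 04\t0\n'      # malformed name: must be skipped, never pasted into SQL
    printf 'p100005\tNULL\n'    # row count unknown: not treated as empty
}

# Reads a listing on stdin and prints one ALTER TABLE statement per empty
# partition. Names are only accepted in the 'p<digits>' form shown in the
# workaround, so nothing unexpected can end up inside a generated statement.
drop_statements() {
    awk -F '\t' '
        NF != 2 || $1 !~ /^p[0-9]+$/ || $2 !~ /^[0-9]+$/ {
            printf("skipped line %d: unexpected name or row count\n", NR) | "cat >&2"
            next
        }
        { total++ }
        $2 + 0 == 0 { empty[++n] = $1 }
        END {
            # MySQL refuses to drop every partition of a table, so stop here
            # instead of emitting a batch that fails on its last statement.
            if (total > 0 && n == total) {
                print "all partitions are empty; refusing to drop every partition" | "cat >&2"
                exit 1
            }
            for (i = 1; i <= n; i++)
                printf "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION %s;\n", empty[i]
        }
    '
}

# Print the statements for the constructed sample.
sample_listing | drop_statements
```

Review the generated statements before passing them to mysql; for some storage engines TABLE_ROWS is an estimate rather than an exact count.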
959613-4 : SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason
Links to More Info: BT959613
Component: Global Traffic Manager (DNS)
Symptoms:
When you double-monitor a Generic Host Virtual Server (pool level + virtual server level) using the same SIP/HTTPS monitor, the 'Reason' is omitted from the output. 'tmsh show gtm server <server> virtual-servers' shows a "blank" reason for monitoring failure/success.
Conditions:
Double-monitor a Generic Host virtual server (pool level + virtual server level) using the same SIP/HTTPS monitor.
Impact:
Impedes your ability to identify the failure/success reason quickly.
Workaround:
Do not use the same monitor on both the virtual server and the pool level.
959241-3 : Fix for ID871561 might not work as expected on the VCMP host
Links to More Info: BT959241
Component: TMOS
Symptoms:
Attempting to deploy an engineering hot fix (EHF) for ID871561 (https://cdn.f5.com/product/bugtracker/ID871561.html) fails in the same manner.
Conditions:
-- Attempting to install an EHF containing a fix for ID871561 on a vCMP guest
-- The fix for ID871561 has not already been applied to the vCMP guest
Impact:
Unable to perform software installations on vCMP guests using installation media located on the vCMP host, even if the fix for ID871561 is available on the vCMP guest.
Workaround:
Option 1:
===========
Make sure that the .iso files for both base image and engineering hotfix are copied to the vCMP guest (under /shared/images) before starting the installation. If installing the software from the command line, use syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 2:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. You can restart the vCMP guest and perform a hotfix installation on top of already installed base image, using syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 3:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is a copy of the engineering hotfix image locally within the vCMP Guest.
Then restart the lind service on the vCMP Guest:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
The hotfix installation should begin again, this time using the hotfix from within the /shared/images/ location on the vCMP Guest.
Option 4:
===========
Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind. On the vCMP Guest:
1. Confirm the wrong ISO image is still locked (inserted in the CD drive):
isoinfo -d -i /dev/cdrom
Note: Pay attention to the volume ID in the output from within the vCMP guest.
2. Unlock (eject) the image:
eject -r -F /dev/cdrom && vcmphc_tool -e
3. Verify the CD drive is now empty:
isoinfo -d -i /dev/cdrom
The output should report an error that includes:
<...> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…>
4. Restart lind:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all vCMP Guest slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
959057-4 : Unable to create additional login tokens for the default admin user account
Links to More Info: BT959057
Component: TMOS
Symptoms:
When remote user authentication is configured, BIG-IP systems apply maximum active login token limitation of 100 to the default admin user account.
Conditions:
Remote Authentication is configured
Impact:
Unable to create more than 100 tokens for admin when remote authentication is configured
958833-3 : After mgmt ip change via GUI, browser is not redirected to new address
Links to More Info: BT958833
Component: TMOS
Symptoms:
After changing the management IP address via the GUI, the browser is not redirected, and reports Unable to connect BIG-IP device.
Conditions:
Change the Management IP address from the GUI and submit the change.
Impact:
Browser does not get redirected to the new address
Workaround:
Access the GUI by manually going to the new Management IP.
958785-4 : FTP data transfer does not complete after QUIT signal
Links to More Info: BT958785
Component: Local Traffic Manager
Symptoms:
When a QUIT signal is sent over an FTP connection to an FTP virtual server during a data transfer, the data connection is closed immediately instead of waiting until the transfer is complete.
Conditions:
- BIG-IP configured with an FTP virtual server
- A client connects to the FTP virtual server
- Client starts an FTP data transfer
- Client sends a QUIT signal before the data transfer completes.
Impact:
FTP data connections are closed prematurely, causing incomplete data transfers.
Workaround:
This does not occur if the FTP profile for the FTP virtual server has inherit-parent-profile set to enable.
958601-3 : In the GUI, searching for virtual server addresses does not match address lists
Links to More Info: BT958601
Component: TMOS
Symptoms:
In the GUI, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address list that contains an address that matches that search string, those virtual servers will not show up in the search results.
Similarly, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address that matches the search string, but are using a port list, those virtual servers will not show up in the search results.
Conditions:
-- Using Address Lists or Port lists with a virtual server.
-- Using the GUI to search for virtual servers based on address.
Impact:
Virtual servers that should match a search are not found.
Workaround:
None.
958325-3 : Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB
Links to More Info: BT958325
Component: Global Traffic Manager (DNS)
Symptoms:
Dangling monitor rule after pool deletion.
# tmsh delete gtm monitor tcp tcp_test
01070083:3: Monitor /Common/tcp_test is in use
Conditions:
Using transaction to delete pool and create pool of same name with different monitor.
Impact:
Unable to delete the remaining monitor.
Workaround:
Run:
1. # bigstart restart mcpd
Or
2. Do not combine deleting and re-creating the pool in the same transaction.
958157-2 : Hash collisions in fastDNS packet processing
Links to More Info: BT958157
Component: Global Traffic Manager (DNS)
Symptoms:
FastDNS packet processing might cause unexpected traffic drops.
Conditions:
-- FastDNS is in use.
The problem is more likely to occur on systems with a low number of TMMs.
Impact:
Unexpected traffic drops
957993-3 : Unable to set a port list in the GUI for an IPv6 address for a virtual server
Links to More Info: BT957993
Component: TMOS
Symptoms:
When creating a virtual server in the GUI with an IPv6 destination address and a port list (shared object) or a source address list (shared object), the system returns an error similar to:
0107028f:3: The destination (0.0.0.0) address and mask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) for virtual server (/Common/vs03-v6_dns) must be be the same type (IPv4 or IPv6).
Conditions:
-- Creating or updating a virtual server.
-- Attempting to use an IPv6 Host address with a Port List shared object or a Source Address List shared object.
Impact:
Unable to create/modify virtual server.
Workaround:
Create an Address List shared object with the IPv6 address in it and use that instead of the Host address.
957637-3 : Pfmand crash during bootup
Links to More Info: BT957637
Component: TMOS
Symptoms:
The pfmand process crashes and writes out a core during bootup on certain platforms.
Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.
-- BIG-IP software version is v14.1.x, v15.1.x, or v16.1.x.
Impact:
Network connection lost while pfmand restarts.
Workaround:
None
957461-3 : Creating virtual server with IPv6 address or port list in destination should display source address in IPv6 format
Links to More Info: BT957461
Component: TMOS
Symptoms:
In the GUI, while creating a virtual server with an IPv6 address or a port list in destination, the BIG-IP system should display the source address in IPv6 format rather than IPv4 format 0.0.0.0/0.
Conditions:
This is encountered while creating a virtual server with an IPv6 address or port list in destination.
Impact:
The IPv6 address list is displayed in IPv4 notation.
Workaround:
This is a cosmetic issue. The correct addresses are used.
956913-1 : HTTPS traffic may fail for Inbound topology gateway mode
Links to More Info: BT956913
Component: SSL Orchestrator
Symptoms:
HTTPS traffic may fail for Inbound topology gateway mode.
Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Inbound topology with gateway mode is selected and gateway iRule is attached to wildcard virtual.
-- HTTPS Traffic is intercepted.
-- SNI is not sent in clientHello.
Impact:
HTTPS traffic may fail.
Workaround:
Pass SNI from the client if not already sent in clientHello.
956889-3 : /var fills up very quickly
Links to More Info: BT956889
Component: Application Security Manager
Symptoms:
Policy history files fill /var disk partition
Conditions:
Very large configuration with substantial history and config sync enabled
Impact:
ASM sync fails due to /var being full
Workaround:
The cleanup properties in the '/etc/ts/tools/policy_history.cfg' file are a file-based, Support-oriented configuration option intended to help in these cases.
956625-3 : Port and port-list type are both stored in a traffic-matching-criteria object
Links to More Info: BT956625
Component: TMOS
Symptoms:
Using "tmsh load sys config replace file ..." to change a traffic matching criteria's port type from port to port-list (or vice-versa) results in both types ending up in the traffic matching criteria object.
Conditions:
-- Using traffic-matching-criteria.
-- Using "tmsh load sys config replace file ..." or "tmsh load sys config merge file ..." to change the port to a port-list (or vice-versa).
Impact:
-- System does not load the desired configuration.
-- Virtual servers may match/process more traffic than expected.
956109-3 : Modifying a traffic-matching-criteria with a port-list during a full sync may result in an incorrect configuration on the sync target
Links to More Info: BT956109
Component: Local Traffic Manager
Symptoms:
In a device service cluster, changing a traffic-matching-criteria object's port configuration and then performing a full-sync will cause the sync target's traffic-matching-criteria ports to be modified incorrectly.
Once systems are in this state, further ConfigSyncs may result in these error messages:
err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 250 6869100131892804718 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..
Conditions:
-- Two or more BIG-IPs in a DSC.
-- Using traffic-matching-criteria, and making changes.
Impact:
BIG-IP configurations are out of sync (even though they show "In Sync"). Affected virtual servers will process more traffic than configured.
Workaround:
On an affected system, perform one of the two procedures to correct MCPD's in-memory configuration:
1. Remove the traffic-matching criteria from all virtual servers (or only affected virtual servers, if known), and then re-add the traffic-matching criteria.
2. Save the configuration and then follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration.
tmsh save sys config
clsh touch /service/mcpd/forceload
clsh reboot
956025-3 : HTTP profile response-chunking "unchunk" option does not remove Content-Length from response header
Links to More Info: BT956025
Component: Local Traffic Manager
Symptoms:
When the HTTP profile response-chunking option is set to "unchunk", chunked responses will be unchunked and the Transfer-Encoding header is removed.
If the server sends a chunked response with both Transfer-Encoding and Content-Length headers, Transfer-Encoding is removed but Content-Length is not. This causes the client to receive a response with an erroneous Content-Length header.
Conditions:
- HTTP virtual server with response-chunking set to "unchunk"
- Server response with both Transfer-Encoding and Content-Length headers present
Impact:
The client receives a malformed HTTP response: the length of the response should be determined by closure of the connection, not by the erroneous Content-Length header.
Workaround:
Implement iRule: at HTTP_RESPONSE time, remove the Content-Length header if the Transfer-Encoding header is also present.
955953-3 : iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'
Links to More Info: BT955953
Component: TMOS
Symptoms:
The 'table' command fails to resume, halting traffic processing, because 'irule_scope_msg' causes iRule processing to proceed in a way that 'table' does not expect.
Conditions:
- iRule using 'table' command
- Diameter 'irule_scope_msg' enabled
Impact:
Traffic processing halts (no crash)
955897-3 : Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain★
Links to More Info: BT955897
Component: TMOS
Symptoms:
When reading the configuration from /config files, the BIG-IP system may fail to load the configuration regarding a virtual server with a named virtual-address for address 0.0.0.0 in a non-default route domain:
err mcpd[21812]: 0107028b:3: The source (0.0.0.0%123) and destination (0.0.0.0) addresses for virtual server (/Common/vs1) must be in the same route domain.
Unexpected Error: Loading configuration process failed.
Conditions:
-- An LTM virtual-address object with a name.
-- The virtual-address's address is 0.0.0.0 (or the keyword 'any'). The IPv6 address :: (or the keyword 'any6') is not affected.
-- The virtual-address's address is in a route domain other than route domain 0. The route domain can be the partition's default route domain.
-- An LTM virtual server that uses the affected address as its destination.
Example:
tmsh create net route-domain 123
tmsh create ltm virtual-address allzeros-rd123 address 0.0.0.0%123
tmsh create ltm virtual allzeros-rd123 destination 0.0.0.0%123:0
tmsh save sys config
Impact:
The configuration fails to load from disk when the affected objects do not yet exist in running memory or binary cache, for example, during:
- Reinstalling
- Upgrading
- Loading manual changes to the /config/*.conf files
- MCP force-reload
Other operations such as rebooting, relicensing, and reloading the same configuration (such as 'tmsh load sys config') are not affected.
Workaround:
Replace the configuration that uses a named virtual-address with the direct address. Here is an example of the configuration in bigip.conf:
ltm virtual-address allzeros-rd123 {
    address any%123
    mask any
}
ltm virtual allzeros-rd123 {
    destination allzeros-rd123:0
    mask any
    source 0.0.0.0%123
}
This can be rewritten to remove the virtual-address object, and replace the virtual server destination with the address (0.0.0.0 or 'any'):
ltm virtual allzeros-rd123 {
    destination any%123:0
    mask any
    source 0.0.0.0%123
}
955593-3 : "none" missing from the error string when snmp trap is configured with an invalid network type
Links to More Info: BT955593
Component: TMOS
Symptoms:
When you try to configure an SNMP trap with an invalid network type, you get a confusing error:
01070911:3: The requested enumerated (aaa) is invalid (, mgmt, other) for network in /Common/snmpd trapsess (/Common/i2_2_2_1_1)
Conditions:
SNMP trap is configured with an invalid network enum type.
Impact:
The word 'none' is not shown in the error string.
955057-3 : UCS archives containing a large number of DNS zone files may fail to restore.★
Links to More Info: BT955057
Component: TMOS
Symptoms:
This issue can manifest in the following ways:
- Failure to restore a UCS archive to the currently active boot location (i.e. restoring a backup).
- Failure to restore a UCS archive to a different boot location by means of using the cpcfg utility (or the "Install Configuration" option when changing boot locations in the Web UI).
- Failure to restore a UCS archive as part of a software upgrade (if rolling forward the configuration was requested, which is the default BIG-IP behavior).
In all cases, error messages similar to the following example are returned to the user:
/bin/sh: /bin/rm: Argument list too long
Fatal: executing: /bin/sh -c rm -fr /var/named/config/namedb/*
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.
Conditions:
This issue occurs when a large number of DNS zone files are already present in the /var/named/config/namedb directory of the boot location to which the UCS archive is being restored.
Impact:
The UCS archive fails to restore. Additionally:
- If the UCS archive was being restored on the currently active boot location, the named and zrd daemons may not be running after the failure, leading to traffic outages.
- If the UCS archive was being restored as part of an upgrade, the installation will fail and the destination boot location will be marked as failed (thus preventing a BIG-IP Administrator from activating it).
Workaround:
Depending on the failure mode, perform one of the following workarounds:
- If you were restoring a UCS archive on the currently active boot location, run the following command, and then attempt the UCS archive restore operation again:
find /var/named/config/namedb -mindepth 1 -delete
- If you encountered the failure during an upgrade, it should mean you were installing an Engineering Hotfix (otherwise the /var/named/config/namedb directory on the destination boot location would have been empty).
Installing an Engineering Hotfix will actually perform two separate installations - first the base version, and then the hotfix on top of that. Each installation restores the source location's UCS archive.
The UCS installation performed during the base installation will work, and the one performed during the hotfix installation will fail (because DNS zone files are already in place now, and they will fail to be deleted).
In this case, you can work around the issue by performing two distinct installations (to the same destination boot location). First the base version by itself, and then the hotfix installation by itself:
Perform the first installation with the liveinstall.moveconfig and liveinstall.saveconfig db keys disabled. Perform the second installation after enabling the liveinstall.moveconfig and liveinstall.saveconfig db keys again.
- If you encountered the failure while using the cpcfg utility (or equivalent WebUI functionality), take a UCS archive instead, download it off of the BIG-IP or save it in a shared directory (e.g. /var/tmp), boot the system into the destination boot location, run the below command, and then restore the UCS archive:
find /var/named/config/namedb -mindepth 1 -delete
953601-2 : HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions
Links to More Info: BT953601
Component: Local Traffic Manager
Symptoms:
HTTPS monitor marks pool member/nodes as down and they remain down until bigd is restarted or the monitor instance is removed and created again.
Conditions:
BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM) but all of the TLS protocol versions are allowed. When the HTTPS monitor's TLS 1.0 handshake fails because the ciphers are incompatible with the server being monitored, the monitor does not try TLS 1.2 and marks pool members or nodes as down.
Impact:
HTTPS monitor shows pool members or nodes down when they are up.
Workaround:
Restart bigd or remove and add monitors.
953477-4 : Syncookie HW mode not cleared when modifying VLAN config.
Links to More Info: BT953477
Component: TMOS
Symptoms:
Changing VLAN configuration can cause BIG-IP to get stuck in hardware syncookie mode.
Conditions:
- Changing VLAN configuration when vlan-based syncookies are active.
For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779
Impact:
Device is stuck in hardware syncookie mode and generates syncookies.
Workaround:
Run the following command:
tmsh restart sys service tmm
Impact of workaround: restarting tmm disrupts traffic.
953425-2 : Hardware syncookie mode not cleared when changing dos-device-vector enforcement
Links to More Info: BT953425
Component: Advanced Firewall Manager
Symptoms:
Changing DOS vector enforcement configuration can cause BIG-IP to get stuck in hardware syncookie mode.
Conditions:
- Changing DOS vector enforcement configuration when device is in global syncookie mode.
For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779
Impact:
Device is stuck in hardware syncookie mode and generates syncookies.
Workaround:
Run the following command:
tmsh restart sys service tmm
Impact of workaround: restarting tmm disrupts traffic.
952521-3 : Memory allocation error while creating an address list with a large range of IPv6 addresses★
Links to More Info: BT952521
Component: Advanced Firewall Manager
Symptoms:
When trying to create a large IPv6 address-list IP range either via the GUI, tmsh, or from loading a previously saved config, MCPd will temporarily experience memory exhaustion and report an error "01070711:3: Caught runtime exception, std::bad_alloc"
Conditions:
When adding an IPv6 address range that contains a very large number of IPs. This does not affect IPv4.
Impact:
The IP address range cannot be entered. If upgrading from a non-affected version of TMOS where an IP range of this type has been saved to the config, a std::bad_alloc error will be printed when loading the config after upgrading.
Workaround:
Use CIDR notation or multiple, smaller IP ranges.
951113-1 : ASM logging illegal events despite adding legal logging profile
Links to More Info: BT951113
Component: Application Security Manager
Symptoms:
When switching from "Log illegal requests" to "Log all requests" the security logging profile does not log legal requests.
Conditions:
ASM is provisioned.
Impact:
"Log all requests" security logging profile does not log legal requests.
Workaround:
Before switching from "Log illegal requests" to "Log all requests" (or vice versa) switch to "none":
-------------------------
# tmsh modify ltm virtual <Your_VS_Name> security-log-profiles replace-all-with { "Log illegal requests" }
# tmsh modify ltm virtual <Your_VS_Name> security-log-profiles none
# tmsh modify ltm virtual <Your_VS_Name> security-log-profiles replace-all-with { "Log all requests" }
-------------------------
950729 : URI::basename iRule command may include the semicolon and additional characters.
Links to More Info: BT950729
Component: Local Traffic Manager
Symptoms:
The URI::basename iRule command allows for the basename part of a given uri string to be extracted. However, the semicolon character ';' is reserved and is often used to delimit parameters and parameter values suggesting that it should not be included in the basename of the uri.
Conditions:
- Configured iRule command URI::basename
- HTTP Request uri containing the semicolon character.
Impact:
The iRule command URI::basename may provide the incorrect basename of specific uris as it may include a semicolon as well as additional characters.
Workaround:
None.
950673-2 : Hardware Syncookie mode not cleared when deleting/changing virtual server config.
Links to More Info: BT950673
Component: TMOS
Symptoms:
Modifying a virtual server can cause BIG-IP to get stuck in hardware syncookie mode.
Conditions:
-- A virtual server is in hardware syncookie mode.
-- Modifying or deleting the virtual server
For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779
Impact:
Device is stuck in hardware syncookie mode and generates syncookies.
Workaround:
tmsh restart sys service tmm
Impact of workaround: restarting tmm disrupts traffic.
950305-4 : Analytics data not displayed for Pool Names
Links to More Info: BT950305
Component: Application Visibility and Reporting
Symptoms:
You cannot see reports (statistics->analytics->pool) when you choose to view by pool names.
Conditions:
This is encountered in the statistics screen.
Impact:
You can't see the statistics->analytics->pool report when you choose view by pool names.
950201-1 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Each of these workarounds has a performance impact.
950153-1 : LDAP remote authentication fails when empty attribute is returned
Links to More Info: BT950153
Component: TMOS
Symptoms:
LDAP/AD remote authentication fails and the authenticating service may crash.
The failure might be intermittent.
Conditions:
LDAP/AD server SearchResEntry includes an attribute with an empty or NULL value.
This can be seen in a tcpdump of the LDAP communication in the following ways:
1. No value for the attribute. Example from a tcpdump taken for an affected user:
vals: 1 item
AttributeValue:
2. NULL value for the attribute. Example from a tcpdump taken for an affected user:
vals: 1 item
AttributeValue: 00
Impact:
Logging in via the GUI fails silently.
Logging in via ssh causes the sshd service on LTM to crash, and logs are written to /var/log/kern.log.
The logs will be similar to:
info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0
Workaround:
There is no workaround on the LTM side.
On the LDAP server, change the affected attribute's value from none/NULL to any dummy value; this prevents the issue.
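A pre-check for the directory-side workaround above, as an added example (not F5 code): it scans an LDIF export of the directory for attributes whose value is empty or consists only of NUL bytes, the two cases shown in the tcpdump excerpts. The sample LDIF, the function names, and the choice to treat any all-NUL value (not just a single 00 byte) as NULL are assumptions.

```python
import base64

# Constructed sample LDIF export (not taken from the page). alice has an
# empty "description", bob has an "info" value of one NUL byte (base64 AA==),
# and bob's displayName is a folded base64 value that is perfectly valid.
SAMPLE_LDIF = """\
version: 1

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
description:

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
info:: AA==
displayName:: Qm9iIEV4
 YW1wbGU=

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
cn: Carol Example
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def decode_value(rest):
    """Decode the text that follows 'attr:' into raw bytes.
    '::' introduces base64, ':<' a URL reference (returned as None because
    it cannot be checked offline), anything else is a plain string."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip())
    if rest.startswith("<"):
        return None
    return rest.lstrip(" ").encode("utf-8")


def find_risky_values(ldif_text):
    """Return (dn, attribute, kind) for every value that is empty or made up
    only of NUL bytes; kind is 'empty' or 'null'."""
    findings = []
    dn = None
    for line in unfold(ldif_text):
        if not line:                 # blank line ends the current entry
            dn = None
            continue
        if line.startswith("#"):     # LDIF comment
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        value = decode_value(rest)
        if attr.lower() == "dn":
            dn = value.decode("utf-8", "replace") if value is not None else None
            continue
        if dn is None or value is None:
            continue                 # header line such as "version: 1", or URL value
        if value == b"":
            findings.append((dn, attr, "empty"))
        elif value.strip(b"\x00") == b"":
            findings.append((dn, attr, "null"))
    return findings


if __name__ == "__main__":
    for dn, attr, kind in find_risky_values(SAMPLE_LDIF):
        print(f"{kind:5} value: {attr} on {dn}")
```

Run it against an export of the accounts that authenticate to the BIG-IP system; each reported attribute is a candidate for the dummy-value change described in the workaround.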
950005-3 : TCP connection is not closed when necessary after HTTP::respond iRule
Links to More Info: BT950005
Component: Local Traffic Manager
Symptoms:
HTTP does not close the TCP connection on the client if response is sent via HTTP::respond.
Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE_RELEASE).
- HTTP sends "Connection: close" header.
Impact:
TCP connection lives longer than needed.
Workaround:
None
949957-3 : RDP: Username is pre-filled with f5_apm* string after clicking on webtop resource on Mobile Clients (iOS & Android)
Links to More Info: BT949957
Component: Access Policy Manager
Symptoms:
When user connects to the virtual server using Browser on their iPhone or Android device, webtop displays RDP resource. When they click on it, if SSO is not enabled, Remote Desktop Client App pops up with username pre-filled with string starting with f5_apm.
Conditions:
-- APM Webtop is configured with Single Sign-on disabled RDP resource.
-- Access the RDP resource from iOS or Android using RDP client.
Impact:
Remote Desktop Client App pops up with username pre-filled with string starting with f5_apm.
Workaround:
User needs to clear the username field and enter the actual username.
949137-4 : Clusterd crash and vCMP guest failover
Links to More Info: BT949137
Component: Local Traffic Manager
Symptoms:
Clusterd crashes and a vCMP guest fails over.
Conditions:
The exact conditions under which this occurs are unknown. It can occur during normal operation.
Impact:
Memory corruption and clusterd can crash, causing failover.
Workaround:
None.
949105-4 : Error log seen on Category Lookup SNI requests for same connection
Links to More Info: BT949105
Component: Access Policy Manager
Symptoms:
Client connections are reset and you see an error in /var/log/apm : "(ERR_NOT_FOUND) Category Lookup failed or a Category Lookup agent is not present in the policy before Response Analytics"
Conditions:
-- Category Lookup agent (lookup type SNI) in the per-request policy before Request or Response Analytics agent
-- Multiple requests sent in the same SSL connection.
Impact:
Connections are reset or they follow the fallback branch for subsequent requests in the same SSL connection
948985 : Workaround to address Nitrox 3 compression engine hang
Links to More Info: BT948985
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 compression engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
The BIG-IP system uses Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250, and B2250.
You can check if your platform has nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable HTTP compression or use software compression.
948601-4 : File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU
Component: TMOS
Symptoms:
SHA1 checksum attribute/property of the file object is not persisted/published/propagated to the MCP datastore/GUI.
Conditions:
This could be observed when an external data-group file or external monitor file definition is edited from GUI.
The issue can be reproduced with the following workflow:
System >> File Management : Data Group File List >> FILE
Edit the "definition" field of the file object and click Update.
1.) edit sys file data-group "filename"
2.) list sys file data-group "filename"
The commands above can be run from the TMOS shell to see the correct behavior that is expected when the same change is made from the GUI.
Impact:
You are unable to identify whether the file object was modified by just validating/comparing the file object's metadata/schema property i.e. "checksum SHA1"
Workaround:
None
948417-5 : Network Management Agent (Azure NMAgent) updates causes Kernel Panic
Links to More Info: BT948417
Component: Performance
Symptoms:
- TMM crashes
- kernel panics
- BIG-IP core file created
- Cloud Failover Extension unexpected behavior (where applicable)
Conditions:
- BIG-IP Azure Virtual Edition
- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running
- BIG-IP VE using Accelerated Networking
Impact:
- Traffic disrupted while tmm restarts
- BIG-IP restarts
- Cloud Failover Extension state data lost (where applicable)
Workaround:
- Disable Accelerated Networking on BIG-IP network interfaces (Reversed settings from Azure documentation)
Individual VMs & VMs in an availability set
First stop/deallocate the VM or, if an Availability Set, all the VMs in the Set:
Azure CLI
az vm deallocate \
--resource-group myResourceGroup \
--name myVM
Important: If your VM was created individually, without an availability set, you only need to stop/deallocate the individual VM to disable Accelerated Networking. If your VM was created with an availability set, all VMs contained in the availability set must be stopped/deallocated before disabling Accelerated Networking on any of the NICs.
Once stopped, disable Accelerated Networking on the NIC of your VM:
Azure CLI
az network nic update \
--name myNic \
--resource-group myResourceGroup \
--accelerated-networking false
Restart your VM or, if in an Availability Set, all the VMs in the Set and confirm that Accelerated Networking is disabled:
Azure CLI
az vm start --resource-group myResourceGroup \
--name myVM
948241-1 : Count Stateful anomalies based only on Device ID
Component: Application Security Manager
Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives
Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".
Impact:
False positives may occur in case of a proxy without XFF
Workaround:
None
948065-4 : DNS Responses egress with an incorrect source IP address.
Links to More Info: BT948065
Component: Local Traffic Manager
Symptoms:
DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set.
Conditions:
Large responses of ~2460 bytes from local BIND
Impact:
The response to the client appears to be coming from the wrong source IP address, and the request fails.
Workaround:
Changing 'max-udp-size' in BIND to a smaller value reduces the size of the response, which stops the fragmentation.
Note: This workaround has limitations, as some records in 'Additional Section' are truncated.
947937-3 : HTTP iRule commands may fail to execute within the "fallback-host" HTTP profile field.
Links to More Info: BT947937
Component: Local Traffic Manager
Symptoms:
The BIG-IP system can redirect a request to a fallback host when the target pool is unavailable. If the configured fallback host within the HTTP profile contains HTTP iRule commands such as HTTP::host or HTTP::uri, the corresponding HTTP request can fail. A connection reset may be encountered instead.
Conditions:
- HTTP profile with "fallback-host" profile option configured containing an HTTP iRule command.
Impact:
When utilizing the HTTP profile with "fallback-host" profile option with HTTP iRule commands, incorrect connection resets can be seen by the client instead of the correct HTTP response.
Workaround:
Attaching an iRule containing HTTP::redirect or similar command to the virtual server can be used instead of the fallback host-profile option to redirect traffic to another virtual server.
947745-4 : Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error
Links to More Info: BT947745
Component: Local Traffic Manager
Symptoms:
Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error message:
hud_tcp_serverside_handler/3676: 10.0.0.20.21 - 10.10.10.1.51147: unexpected serverside message HUDEVT_CHILD_CONNECTE
Conditions:
FTP profile is in use
Impact:
Log entries are written to the log file.
Workaround:
None
947613-1 : APM reset after upgrade and modify of LDAP Group Lookup★
Links to More Info: BT947613
Component: Access Policy Manager
Symptoms:
-- Per-Request Policy fails.
-- APM resets the connection.
Conditions:
Upgrade from 13.1.3.4 to 15.1.0.4 and modify the LDAP Group Lookup.
Impact:
APM resets the connection.
Workaround:
1. Create a new empty object with the same expression as the LDAP Group Lookup.
2. Restart the system:
bigstart restart tmm
947217-3 : Fix of ID722682 prevents GTM config load when the virtual server name contains a colon★
Links to More Info: BT947217
Component: Global Traffic Manager (DNS)
Symptoms:
GTM is unable to load the configuration.
Conditions:
-- GTM has been upgraded to a version with fix for ID722682 from a version that does not have the fix for ID722682
-- A GTM server has a name with no colon
-- That GTM server has a virtual server with colon in the name
-- That virtual server is added to a pool
Impact:
GTM config file cannot be loaded successfully after upgrade.
Workaround:
Edit bigip_gtm.conf manually to delete "\\" or replace the colon ":" with another non-reserved character, such as "-".
947125-3 : Unable to delete monitors after certain operations
Links to More Info: BT947125
Component: Local Traffic Manager
Symptoms:
Unable to delete monitor with an error similar to:
01070083:3: Monitor /Common/my-mon is in use.
Conditions:
-- HTTP monitors are attached directly to pool members, or node-level monitors exist.
-- Performing an operation that causes the configuration to get rebuilt implicitly, such as "reloadlic".
Impact:
Unable to delete object(s) no longer in use.
Workaround:
When the system gets into this state, save and reload the configuration:
tmsh save sys config && tmsh load sys config
946897 : MRF SIP status remains unknown on GUI
Links to More Info: BT946897
Component: Service Provider
Symptoms:
The MRF SIP virtual server status remains unknown (blue) even though the status of the pool is green.
Conditions:
Configure MRF SIP virtual server with pools and all MRF profiles (session and router).
Impact:
The status of the MRF SIP virtual server remains unknown (blue).
Workaround:
NA
946509 : Time-limited key expiration not enforced
Links to More Info: BT946509
Component: TMOS
Symptoms:
An eval license does not expire on the day that is indicated.
Conditions:
-- Time-limited (eval) registration key installed
-- Perpetual key exists for the same module
Impact:
The time-limited key does not expire on the device
Workaround:
Restarting the device activates enforcement of time-limited keys.
946121-1 : SNMP user added with password less than 8 characters through tmsh is allowed but fails during snmpwalk.
Links to More Info: BT946121
Component: TMOS
Symptoms:
When an SNMP user is added with a short password (less than 8 characters), tmsh allows the creation, but an error occurs when snmpwalk is run. The GUI rejects the password at creation time with the error "Password must have at least 8 characters."
Conditions:
Configuring an SNMP user from tmsh with a password of less than 8 characters.
Impact:
snmpwalk fails
Workaround:
Configure snmp user with password greater than or equal to 8 characters.
945821-3 : Remote logging conditions adjustments
Links to More Info: BT945821
Component: Application Security Manager
Symptoms:
When "Null in multi-part" violation is detected, BIG-IP logs it to remote log even when the violation is not set to blocked in Learning and Blocking settings
Conditions:
This happens when "Null in multi-part" violation is detected
Impact:
Incorrect logging to remote logs
Workaround:
None
945601-3 : An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.
Links to More Info: BT945601
Component: Local Traffic Manager
Symptoms:
An incorrect LTM policy rule is picked up, e.g., a rule that should match first is omitted.
Conditions:
Policy contains multiple rules which employ TCP address matching condition.
Impact:
Incorrect LTM policy is applied.
945413-4 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
Links to More Info: BT945413
Component: TMOS
Symptoms:
BIG-IP systems in a device group do not stay in sync if config sync is manual and constantly syncs if config sync is automatic.
The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.
Conditions:
The CA-bundle manager is configured.
Impact:
The keymgmtd and mcpd processes get into a loop that causes constant config changes, and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.
945189-1 : HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA★
Links to More Info: BT945189
Component: Local Traffic Manager
Symptoms:
After upgrade, the 'DEFAULT' cipher in the server SSL profile attached to the HTTPS monitor does not include the ECDHE-RSA-AES256-CBC-SHA cipher suite in the Client Hello.
Conditions:
After upgrade, the HTTPS monitor cipher list is read from the server SSL profile ciphers and set to DEFAULT.
Impact:
1. Upgrade breaks the SSL pool monitoring.
2. It is also possible that pool monitoring succeeds but with different ciphers.
That can cause multiple issues:
2a. After upgrade, the ciphers are of a lower strength, and now the traffic is vulnerable to attacks
2b. After upgrade, the ciphers are of a higher strength, causing BIGD overload up to control plane crashes and device reboots
Workaround:
Set ciphers as DEFAULT:+SHA:+3DES:+EDH for profile server-ssl
944485-4 : License activation through proxy server uses IP address in proxy CONNECT, not nameserver
Links to More Info: BT944485
Component: TMOS
Symptoms:
License activation http/https request has the license server IP address instead of license server domain name.
Conditions:
The proxy server and proxy port are configured, and the default management route is deleted.
Impact:
This causes your proxy server to disallow the connection.
Workaround:
None.
944381-4 : Dynamic CRL checking for client certificate is not working when TLS1.3 is used.
Links to More Info: BT944381
Component: Local Traffic Manager
Symptoms:
In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used.
The SSL handshake completes successfully even though the client certificate is revoked.
Conditions:
-- Dynamic CRL checking enabled on a client-ssl profile
-- The client-side SSL handshake uses TLS1.3.
Impact:
The handshake should fail but completes successfully.
944173-3 : SSL monitor stuck does not change TLS version
Links to More Info: BT944173
Component: Local Traffic Manager
Symptoms:
The SSL monitor remains in the current TLS version and does not switch to another version when a server changes.
Conditions:
-- SSL monitor configured.
-- Server configuration changes from TLSv1.2 to TLSv1.
Impact:
Pool members marked down.
Workaround:
Use the In-TMM monitor.
944093-3 : Maximum remaining session's time on user's webtop can flip/flop
Links to More Info: BT944093
Component: Access Policy Manager
Symptoms:
When an Access Policy is configured with Maximum Session Timeout, the rendered value of maximum remaining session's time can flip/flop in seconds on a user's webtop
Conditions:
Access Policy is configured with Maximum Session Timeout >= 60000 secs
Impact:
End users will see the remaining time being continually reset.
944029-2 : Support challenge response agent to handle Access-Challenge when Logon agent is not in policy
Links to More Info: BT944029
Component: Access Policy Manager
Symptoms:
In case of Multi-Factor Authentication (MFA), the challenge response is handled by the 401 response agent, in the following scenario:
-- The policy does not have logon page agent.
-- AAA/Radius server action is configured to send challenge response to the client.
-- The policy has a 401 response logon agent.
The APM end user client sees the credentials popup for 401 response.
After entering and sending credentials (challenge response code received from RSA server via email or SMS), the Access Policy action fails.
Conditions:
-- Challenge response via RSA server or other.
-- Logon Page logon agent not implemented.
Impact:
Unable to use challenge response sent by RSA (or AAA RADIUS server).
Workaround:
None
943669-5 : B4450 blade reboot
Links to More Info: BT943669
Component: TMOS
Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.
Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.
Impact:
Traffic disrupted while the blade reboots.
Workaround:
None.
943653-3 : Allow 32-bit processes to use larger area of virtual address space
Links to More Info: BT943653
Component: TMOS
Symptoms:
-- The mcpd daemon terminates due to lack of memory
-- The merged daemon logs 'Cannot allocate memory' error
Conditions:
-- May be caused by large configurations
-- May be caused by heap fragmentation over time
Impact:
32-bit processes may fragment/exhaust their heaps and may not have sufficient contiguous memory to function correctly.
Note that the only two 32-bit processes on which this has been seen are mcpd and merged.
Workaround:
None
943597-3 : 'Upper Bound' and 'Lower Bound' thresholds are not displayed in Connections line chart
Links to More Info: BT943597
Component: TMOS
Symptoms:
On the dashboard, the line chart of 'Throughput', 'CPU Usage', and 'Memory Usage' can show the line of thresholds that indicates 'Upper Bound' and 'Lower Bound', but there is no line of thresholds on the line chart of 'Connections'.
Conditions:
Create a custom line chart for 'Connections' that includes 'Upper Bound' and 'Lower Bound'.
Impact:
Line Chart of 'Connections' does not display 'Upper Bound' and 'Lower Bound' thresholds.
Workaround:
None.
943441-3 : Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK
Links to More Info: BT943441
Component: Application Security Manager
Symptoms:
Verification may be incomplete when using the F5 Anti-Bot Mobile SDK with the Bot Defense profile.
Conditions:
-- Using the Bot Defense profile together with the F5 Anti-Bot Mobile SDK.
-- Enabling the Mobile Applications section in the profile.
Impact:
Mobile application verification may be incomplete.
Workaround:
None
943109-3 : Mcpd crash when bulk deleting Bot Defense profiles
Links to More Info: BT943109
Component: TMOS
Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.
Conditions:
This can be encountered during bulk delete of Bot Defense profiles via tmsh.
Impact:
Crash of mcpd causing failover.
Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.
943045-1 : Inconsistency in node object name and node IPv6 address when IPv6 pool-member is created without providing node object name.
Links to More Info: BT943045
Component: TMOS
Symptoms:
When using Ansible to create a pool that contains an IPv6 pool member, you get an error:
0107003a:3: Pool member node and existing node cannot use the same IP Address.
Conditions:
-- Creating a new pool via Ansible.
-- A new IPv6 pool member is used.
-- The IPv6 pool member's name is not included.
Impact:
Pool creation fails.
Workaround:
If you are unable to specify the pool member name, you can use other available configuration tools like tmsh, the GUI, or AS3.
942793-3 : BIG-IP system cannot accept STARTTLS command with trailing white space
Links to More Info: BT942793
Component: Local Traffic Manager
Symptoms:
When an SMTPS profile is applied on a virtual server and the SMTP client sends a STARTTLS command containing trailing white space, the BIG-IP system replies with '501 Syntax error'. The command is then forwarded to the pool member, which can result in multiple error messages being sent to the SMTP client.
Conditions:
-- A virtual server is configured with an SMTPS profile.
-- The SMTP client sends a STARTTLS command with trailing spaces.
Impact:
The SMTP client is unable to connect to the SMTP server.
Workaround:
Use an SMTP client that does not send a command containing trailing white space.
942521-4 : Certificate Managers are unable to move certificates to BIG-IP via REST
Links to More Info: BT942521
Component: Device Management
Symptoms:
You cannot upload a cert/key via the REST API if you are using a certificate manager account
Conditions:
-- Using the REST API to upload a certificate and/or key
-- User is logged in as a Certificate Manager
Impact:
Unable to upload certificates as Certificate Manager
Workaround:
Use admin account instead of using Certificate Manager account to upload certs and keys
942401 : After 'mosreboot', MOS fails to update grub default boot location back to TMOS
Links to More Info: BT942401
Component: TMOS
Symptoms:
MOS fails to update the grub boot location and reports errors:
[ 21.85823] setup[697]: Use of uninitialized value $l_id in concatenation (.) or string at /usr/share/perl5/tm_install/Process.pm line 2739.
[ 21.87256] setup[697]: error: boot entry .4 does not exist
[ 21.87629] setup[697]: info: Switching to TMOS .4 for default boot selection.
Conditions:
When the 'mosreboot' command is given, the following three actions occur:
1. Updates the grub default boot location to point at MOS.
2. Reboots.
3. Within MOS, updates the grub default to point back at the previous (TMOS) boot location.
Step 3 does not occur in the following scenario:
-- The MOS version is from v15.0.0 or later.
-- BIG-IP system is from v14.1.x or earlier.
Impact:
The 'mosreboot' results are not temporary, and rebooting from MOS when done causes the system to boot back into MOS again.
Workaround:
Use grub_default, or select a different boot location from the GRUB menu during boot.
switch_root:/# grub_default -l
HD1.3 active no default no title BIG-IP 13.1.1.5 Build 0.0.4 <HD1.3>
HD1.4 active no default no title BIG-IP 14.1.2.6 Build 0.0.2 <HD1.4>
switch_root:/# grub_default -b HD1.4
info: default boot location changed to HD1.4.
[ 200.103744] EXT4-fs (dm-0): mounting ext2 file system using the ext4 subsystem
[ 200.112743] EXT4-fs (dm-0): mounted filesystem without journal. Opts: (null)
switch_root:/#
942217-2 : Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'
Links to More Info: BT942217
Component: Local Traffic Manager
Symptoms:
With certain configurations, virtual server keeps rejecting connections for rstcause 'VIP down' after 'trigger' events.
Conditions:
Required Configuration:
-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop'.
-- The pool member has rate-limit enabled.
Required Conditions:
-- Monitor flap, or adding/removing monitor or configuration change made with service-down-immediate-action.
-- At the time one of the above events occurs, the pool member's rate-limit is active.
Impact:
Virtual server keeps rejecting connections.
Workaround:
Delete one of the conditions.
Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.
941893-2 : VE performance tests in Azure causes loss of connectivity to objects in configuration
Links to More Info: BT941893
Component: TMOS
Symptoms:
When performance tests are run on BIG-IP Virtual Edition (VE) in Microsoft Azure, the BIG-IP system loses all connectivity to the pools, virtual servers, and management address. It remains unresponsive until it is rebooted from the Azure console.
Conditions:
Running performance tests of VE in Azure.
Impact:
The GUI becomes unresponsive during performance testing. VE is unusable and must be rebooted from the Azure console.
Workaround:
Reboot from the Azure console to restore functionality.
941381-1 : MCP restarts when deleting an application service with a traffic-matching-criteria
Links to More Info: BT941381
Component: TMOS
Symptoms:
After deleting an application service that contains a virtual server and a traffic-matching-criteria, the mcpd daemon crashes.
Conditions:
-- BIG-IP application service configuration containing a virtual server with traffic-matching-criteria
-- Application service is deleted
Impact:
Traffic and control plane disrupted while mcpd restarts.
Workaround:
None.
940837-1 : The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.
Links to More Info: BT940837
Component: Local Traffic Manager
Symptoms:
The node iRule command causes the specified server node to be used directly, thus bypassing any load-balancing. However, with HTTP/2, the node command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent to configured node.
Conditions:
-- A node command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.
Impact:
With HTTP/2 configured, the iRule node command fails to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired node.
Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.
940733-2 : Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt★
Links to More Info: K29290121, BT940733
Component: Global Traffic Manager (DNS)
Symptoms:
The system fails during the boot-up process, reports a libcrypto validation error, and the system halts. The console will show this error:
Power-up self-test failures:
OpenSSL: Integrity test failed for libcrypto.so
This occurs after one of the following:
-- Upgrading a FIPS-enabled BIG-IP system and then booting to a volume running an earlier software version.
-- Running big3d_install from a BIG-IP GTM to an LTM.
Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into a volume running an earlier version of the software.
Another way to encounter the issue is:
-- FIPS-licensed BIG-IP LTM.
-- BIG-IP DNS (GTM) device running a higher software version than the LTM.
-- Run big3d_install from GTM pointing to FIPS-licensed LTM.
Impact:
System boots to a halted state.
Workaround:
Before booting to the volume with the earlier version, delete /shared/bin/big3d.
Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS certified.
If the target software volume has already experienced this issue (the system boots to a halted state), follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233, in addition to deleting /shared/bin/big3d.
For additional information, see K29290121: Rollback after upgrade or big3d_install may cause FIPS to halt system on boot :: https://support.f5.com/csp/article/K29290121.
940469-2 : Unsupported option in /etc/resolv.conf causes failure to sync DNS Zone configuration
Links to More Info: BT940469
Component: Global Traffic Manager (DNS)
Symptoms:
The 'gtm_add' script fails to sync configuration information from the peer when 'options inet6' is present in /etc/resolv.conf.
Conditions:
The option 'options inet6' is used in /etc/resolv.conf.
Impact:
The 'gtm_add' script removes the current config and attempts to copy over the config from the remote GTM. When the remote copy fails, the local device is left without any config.
Workaround:
Remove the 'options inet6' from /etc/resolv.conf.
940453 : Restjavad restarting with java.lang.OutOfMemoryError
Links to More Info: BT940453
Component: TMOS
Symptoms:
When the BIG-IP configuration contains a large number of objects, restjavad restarts with java.lang.OutOfMemoryError.
Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of objects.
Impact:
Restjavad restarts frequently due to OutOfMemory error.
Workaround:
To work around the issue, give restjavad extra memory by performing the following steps:
1. On the GUI, go to System :: Resource Provisioning.
The line for Management has a drop-down box for Small, Medium, or Large. Set this to Large.
2. Connect to the CLI.
Run the following command:
tmsh modify sys db restjavad.useextramb value true
3. Restart restjavad processes.
bigstart restart restjavad
940225-3 : Not able to add more than 6 NICs on VE running in Azure
Links to More Info: BT940225
Component: TMOS
Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.
Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.
Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs
Adding more NICs to the instance makes the device fail to boot.
Workaround:
None
939757-3 : Deleting a virtual server might not trigger route injection update.
Links to More Info: BT939757
Component: TMOS
Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.
Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted
Impact:
The route remains in the routing table.
Workaround:
Disable and re-enable the virtual address after deleting a virtual server.
939517-3 : DB variable scheduler.minsleepduration.ltm changes to default value after reboot
Links to More Info: BT939517
Component: TMOS
Symptoms:
Running the command 'tmsh list /sys db scheduler.minsleepduration.ltm'
shows that the value is -1.
The db variable 'scheduler.minsleepduration.ltm' is set to -1 on mcpd startup.
This overwrites a custom value.
Conditions:
-- The db variable 'scheduler.minsleepduration.ltm' has a non-default value set.
-- A reboot occurs.
Impact:
The db variable 'scheduler.minsleepduration.ltm' reverts to the default value. When the db variable reverts to the default value of unset -1, tmm uses more CPU cycles when idle.
Workaround:
None
939249-4 : iSeries LCD changes to secure mode after multiple reboots
Links to More Info: BT939249
Component: TMOS
Symptoms:
After repeatedly rebooting an iSeries platform, the LCD can become erroneously set to secure mode on its own, and you are unable to use the menus on the LCD.
Conditions:
-- Repeated reboots of the device.
-- The db variable lcd.showmenu must initially be set to enable.
-- Other required conditions are not fully known.
Impact:
-- LCD becomes set to secure mode.
-- The bigdb variable lcd.showmenu is changed to 'disable'.
Workaround:
Run the commands:
tmsh modify sys db lcd.showmenu value disable
tmsh modify sys db lcd.showmenu value enable
This clears the secure mode of the LCD.
938561 : TMM SIGSEGV
Links to More Info: BT938561
Component: Local Traffic Manager
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
TMM crashes when all the following conditions are satisfied.
- Using the ipother profile.
- An iRule fires the CLIENT_ACCEPTED event. Just the event is enough. No command is required.
- Egress VLAN is using a non-default MTU.
- Packet with the 'don't fragment' flag set.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
938545-4 : Oversize plugin Tcl object results can result in 0-length messages and plugin crash
Links to More Info: BT938545
Component: Local Traffic Manager
Symptoms:
Bd crashes.
Conditions:
-- ASM enabled.
-- iRule used.
-- Command arguments are greater than maximum MPI message size.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None.
938309-3 : In-TMM Monitors time out unexpectedly
Links to More Info: BT938309
Component: Local Traffic Manager
Symptoms:
When using the in-TMM monitoring feature, monitored targets (nodes/pool members) may be marked DOWN unexpectedly if there is a delay in responding to ping attempts.
Specifically, if the ping response from the target is delayed by more than the 'interval' value configured for the monitor, but less than the 'timeout' value configured for the monitor, the target may be marked DOWN.
Conditions:
This may occur when either:
-- In-TMM monitoring is enabled (sys db bigd.tmm = enable) and the monitor type uses in-TMM monitoring; OR
-- Bigd is configured to NOT reuse the same socket across consecutive ping attempts (sys db bigd.reusesocket = disable)
AND:
-- The monitored target does not respond to ping attempts within the 'interval' value configured for the monitor.
Impact:
The monitored target may be marked DOWN if it does not respond to ping attempts within the 'interval' value configured for the monitor, instead of within the 'timeout' value configured for the monitor.
Workaround:
To work around this issue, use one of the following methods:
-- Disable in-TMM monitoring and enable bigd socket reuse (sys db bigd.tmm = disable, and sys db bigd.reusesocket = enable).
-- Configure the monitor with an 'interval' value longer than the expected response time for the monitored target(s).
937769-3 : SSL connection mirroring failure on standby with sslv2 records
Links to More Info: BT937769
Component: Local Traffic Manager
Symptoms:
Standby device in TLS/SSL connection-mirroring config does not handle SSLv2 records correctly.
Conditions:
SSLv2 records processed by standby high availability (HA) device.
Impact:
The standby device fails the handshake, and the active device finishes the handshake, resulting in a non-mirrored connection.
937649-2 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict
Links to More Info: BT937649
Component: Local Traffic Manager
Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.
Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.
Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.
Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.
Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.
-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
ndal ignore_hw_dag yes
937601-1 : The ip-tos-to-client setting does not affect traffic to the server.
Links to More Info: BT937601
Component: TMOS
Symptoms:
The ip-tos-to-client setting is intended to apply to client traffic only. Server traffic IP ToS values are configured on the pool using the ip-tos-to-server property.
This is a change in behavior in that previously ip-tos-to-client was loosely interpreted to apply to server traffic as well if not overwritten by the pool.
Conditions:
The ip-tos-to-client value is set in the L4/L7 profile.
Impact:
IP ToS values in traffic to the server are unmodified.
Workaround:
Use the ip-tos-to-server property on pools to change IP ToS values to the server.
Alternatively, use an iRule to set the IP ToS to the server. For example:
when SERVER_CONNECTED {
    IP::tos 63
}
937573-4 : Connections drop in virtual server with Immediate Action On Service Down set to Drop
Links to More Info: BT937573
Component: Local Traffic Manager
Symptoms:
In a virtual server configured with Immediate Action On Service Down set to Drop and an iRule to pick a pool different from the one attached to the virtual server, if the default pool is attached in an offline state, connections are always dropped even when the default pool becomes available later.
Conditions:
- Virtual server configured with Immediate Action On Service Down set to Drop.
- An iRule selects a different pool from the one attached to the virtual server.
Impact:
Connections are silently dropped.
Workaround:
Change the virtual server's Immediate Action On Service Down setting to None.
937541-3 : Wrong display of signature references in violation details
Component: Application Security Manager
Symptoms:
The number '1' is added to the signature reference in violation details in the Request Log.
Conditions:
You click the '?' icon near the signature name to view signature details, and there are references for this signature.
Impact:
The number 1 is shown before the link.
937481 : Tomcat restarts with error java.lang.OutOfMemoryError
Links to More Info: BT937481
Component: TMOS
Symptoms:
In the GUI, while trying to list a large configuration, tomcat restarts with error java.lang.OutOfMemoryError: Java heap space due to a large read operation.
Conditions:
-- From the GUI, navigate to Local Traffic :: Pools :: Pool List.
-- The configuration contains approximately 10,000 objects (objects include pools, nodes, virtual servers, etc.).
Impact:
When the system attempts to list the large configuration, tomcat restarts, resulting in 503 error.
Workaround:
Use the provision.tomcat.extramb database variable to increase the maximum amount of Java virtual memory available to the tomcat process.
Impact of workaround: Allocating additional memory to Apache Tomcat may impact the performance and stability of the BIG-IP system. You should perform this procedure only when directed by F5 Technical Support after considering the impact to Linux host memory resources.
-- Using a utility such as free or top, determine if you have enough free memory available to use this procedure.
For example, the following output from the free utility shows 686844 kilobytes available:
             total       used       free     shared    buffers     cached
Mem:      16472868   15786024     686844     807340     827748    2543836
-/+ buffers/cache:   12414440    4058428
Swap:      1023996          0    1023996
-- View the current amount of memory allocated to the tomcat process by typing one of the following commands:
ps | grep " -client" | egrep -o Xmx'[0-9]{1,5}m'
The command output appears similar to the following example:
Xmx260m
Xmx260m
-- View the current value of the provision.tomcat.extramb database variable by typing the following command:
tmsh list /sys db provision.tomcat.extramb
-- Set the provision.tomcat.extramb database variable to the desired amount of additional memory to be allocated using the following command syntax:
modify /sys db provision.tomcat.extramb value <MB>
-- If the device is part of a high availability (HA) configuration, the provision.tomcat.extramb database value should be synchronized to the peer devices from the command line. To run the ConfigSync process, use the following command syntax:
tmsh run /cm config-sync <sync_direction> <sync_group>
For example, the following command pushes the local device's configuration to remote devices in the Syncfailover device group:
tmsh run /cm config-sync to-group Syncfailover
-- Restart the tomcat process by typing the following command:
restart /sys service tomcat
937445-3 : Incorrect signature context logged in remote logger violation details field
Links to More Info: BT937445
Component: Application Security Manager
Symptoms:
An incorrect context (request) is logged for URL signatures in the violation details field.
Conditions:
-- ASM is running with a remote logger that has the violation_details field assigned.
-- A URL signature is matched.
Impact:
The logs do not provide the correct information, which might result in confusion or the inability to use the logged information as intended.
Workaround:
None.
936777-4 : Old local config is synced to other devices in the sync group.
Links to More Info: BT936777
Component: Global Traffic Manager (DNS)
Symptoms:
Newly added DNS/GTM device may sync old local config to other devices in the sync group.
Conditions:
Newly added DNS/GTM device has a more recent change than other devices in the sync group.
Impact:
Config on other DNS/GTM devices in the sync group is lost.
Workaround:
You can use either of the following workarounds:
-- Make a small DNS/GTM configuration change before adding new devices to the sync group.
-- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices.
936441-3 : Nitrox5 SDK driver logging messages
Links to More Info: BT936441
Component: Local Traffic Manager
Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):
Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1
The above set of messages seems to be logged at about 2900-3000 times a second.
These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.
Conditions:
These messages are triggered by the Nitrox5 driver when EMU microcode cache errors are corrected by hardware.
Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.
Workaround:
None.
936417-1 : DNS/GTM daemon big3d does not accept ECDH or DH ciphers
Links to More Info: BT936417
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS/GTM big3d daemon does not accept ECDH or DH ciphers.
Conditions:
Connections to big3d with ECDH or DH ciphers.
Impact:
ECDH/DH ciphers do not work with big3d.
Workaround:
Do not use ECDH/DH ciphers.
936361-3 : IPv6-based bind (named) views do not work
Links to More Info: BT936361
Component: Global Traffic Manager (DNS)
Symptoms:
Bind does not match IPv6 addresses configured for a zone view, and returns REFUSED responses, rather than the expected answers.
After enabling debug logging in bind (see K14680), the apparent source address of the IPv6 DNS requests shows as being in the fe80::/96 range, rather than the IPv6 source address that sent the request.
For example:
debug 1: client @0x579bf188 fe80::201:23ff:fe45:6701%10#4299: no matching view in class 'IN'
Conditions:
- BIG-IP DNS is provisioned
- One or more ZoneRunner views is defined using IPv6 addresses.
- A DNS query is sent from an IPv6 source address
Impact:
You cannot use DNS views in bind (zonerunner) based on IPv6 addresses.
Workaround:
If possible, use only IPv4 addresses to define views for DNS queries.
936093-3 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
Links to More Info: BT936093
Component: TMOS
Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.
Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.
Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.
Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:
/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr
This can be accomplished using a command such as:
truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr
935865-3 : Rules that share the same name return invalid JSON via REST API
Links to More Info: BT935865
Component: Advanced Firewall Manager
Symptoms:
When retrieving rule stats on a firewall policy, if two rules share the same name, but one is directly attached to the policy while the other is attached via a rule list, invalid JSON is returned. The JSON has identical keys for each entry associated with the rule. This is an invalid JSON structure that cannot be parsed correctly (or data for one of the rules is lost).
Conditions:
A firewall policy that has one rule directly attached to the policy and another attached via a rule list, where both rules share the same name.
Impact:
Invalid JSON structure returned for the stat REST API call.
Workaround:
Ensure that no rule shares its name with another rule.
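The data-loss case described for 935865, as an added example that is not F5 code: a client-side check that keeps every value of a repeated key instead of letting the parser silently overwrite one. The response layout and the names entries, hits and attached_via are constructed for illustration and are not the real rule-stat response format.

```python
import json

# Constructed sample, NOT the real BIG-IP response layout: two rules named
# "allow_web" (one attached directly, one via a rule list) collide on one key.
SAMPLE = """
{
  "entries": {
    "allow_web": {"hits": 10, "attached_via": "policy"},
    "allow_web": {"hits": 4,  "attached_via": "rule-list"},
    "deny_all":  {"hits": 1,  "attached_via": "policy"}
  }
}
"""


class Repeated(list):
    """Every value seen for a key that occurred more than once in one object."""


def _keep_all(pairs):
    # json calls this hook with the (key, value) pairs of each object,
    # in document order, before any duplicate has been discarded.
    obj = {}
    for key, value in pairs:
        if key not in obj:
            obj[key] = value
        elif isinstance(obj[key], Repeated):
            obj[key].append(value)
        else:
            obj[key] = Repeated([obj[key], value])
    return obj


def load_keeping_duplicates(text):
    """Parse JSON, collecting the values of repeated keys into a Repeated list."""
    return json.loads(text, object_pairs_hook=_keep_all)


def duplicate_paths(node, path=""):
    """Return the sorted paths of keys that were repeated within one object."""
    found = []
    if isinstance(node, Repeated):          # must be tested before plain list
        found.append(path)
        for value in node:
            found.extend(duplicate_paths(value, path))
    elif isinstance(node, dict):
        for key, value in node.items():
            found.extend(duplicate_paths(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(duplicate_paths(value, f"{path}/{index}"))
    return sorted(set(found))


def total_hits(parsed, rule_name):
    """Sum the hypothetical 'hits' counter over every rule sharing rule_name."""
    value = parsed["entries"][rule_name]
    rules = value if isinstance(value, Repeated) else [value]
    return sum(rule["hits"] for rule in rules)


if __name__ == "__main__":
    naive = json.loads(SAMPLE)               # last duplicate wins, no error
    kept = load_keeping_duplicates(SAMPLE)
    print("naive parse sees hits =", naive["entries"]["allow_web"]["hits"])
    print("repeated keys at:", duplicate_paths(kept))
    print("hits across both rules =", total_hits(kept, "allow_web"))
```

Python's default parser keeps only the last value of a repeated key, so monitoring built on the naive parse under-reports without raising an error.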
935793-3 : With mirroring enabled on a SIP virtual server, connections on the standby are reset with MBLB internal error (Routing problem)★
Links to More Info: BT935793
Component: Local Traffic Manager
Symptoms:
When a virtual server with a SIP profile has mirroring enabled, connections on the standby unit will be removed shortly after being created. If tm.rstcause.log is enabled the reset cause message appears similar to the following:
-- err tmm1[18383]: 01230140:3: RST sent from 10.2.207.208:5080 to 10.2.207.201:31597, [0x2c1c820:1673] MBLB internal error (Routing problem).
-- err tmm1[18383]: 01230140:3: RST sent from 10.2.207.209:51051 to 10.2.207.202:5080, [0x2c1c820:931] MBLB internal error.
Conditions:
-- BIG-IP Virtual Edition (VE) running on 2000/4000 platforms using RSS hash.
-- Platforms with more than 1 tmm.
Impact:
Mirrored connections on the standby unit are removed.
Workaround:
-- On BIG-IP VE, add the following to tmm_init.tcl on both units and restart tmm:
ndal ignore_hw_dag yes
935769-1 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time
Links to More Info: BT935769
Component: Advanced Firewall Manager
Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.
Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Attempt upgrade / reboot of the platform.
Impact:
Version upgrade / 'tmsh load sys config' process takes longer than usual.
Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.
2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.
935485-3 : BWC: flows might stall when using dynamic BWC policy
Links to More Info: BT935485
Component: TMOS
Symptoms:
When multiple flows are passing through the single instance of BWC policy, one or more flows might stall for a few seconds or more. The fairness among the flows is also affected.
Conditions:
-- BWC dynamic policy is enabled.
-- Multiple flows are passing through a single instance of the BWC dynamic policy.
Impact:
Some of the flows may stall.
Workaround:
None.
935193 : With APM and AFM provisioned, single logout ( SLO ) fails
Links to More Info: BT935193
Component: Local Traffic Manager
Symptoms:
SAML Single log out (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports the following error messages:
-- SAML SSO: Error (12) Inflating SAML Single Logout Request
-- SAML SSO: Error (12) decoding SLO message
-- SAML SSO: Error (12) extracting SAML SLO message
Conditions:
Failures occur with Redirect SLO.
Impact:
SAML single logout does not work.
Workaround:
Use POST binding SLO requests.
934825 : Restarting MCPD via command line may not restart the aced process
Links to More Info: BT934825
Component: Access Policy Manager
Symptoms:
Configurations with secure ID authentication may face issues after restarting MCPD using the command line (bigstart restart mcpd).
Conditions:
Executing the "bigstart restart mcpd" from command line does not always restart the aced process.
Impact:
Configurations with secure ID authentication may face issues after restarting MCPD and may not restart the aced process.
Workaround:
"bigstart restart mcpd" is not the recommended way to restart MCPD. Please restart the BIG-IP system to reflect any changes you have made.
934697-2 : Route domain not reachable (strict mode)
Links to More Info: BT934697
Component: Local Traffic Manager
Symptoms:
Network flows are reset and errors are found in /var/log/ltm:
Route domain not reachable (strict mode).
Conditions:
This might happen in either of the following scenarios:
Scenario 1
==========
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.
Scenario 2
==========
-- LTM with an LTM policy configured.
-- The policy directs traffic to a node that is in a route domain.
Impact:
Traffic is not sent to the node that is in a route domain.
The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.
Workaround:
Specify the node along with Route domain ID.
-- For iRules, change from this:
when HTTP_REQUEST {
    node 10.10.10.10 80
}
To this (assuming route domain 1):
when HTTP_REQUEST {
    node 10.10.10.10%1 80
}
-- For LTM policies, change from this:
actions {
    0 {
        forward
        select
        node 10.2.35.20
    }
}
To this (assuming route domain 1):
actions {
    0 {
        forward
        select
        node 10.2.35.20%1
    }
}
934017 : Problems may occur after creating a node named '_auto_<IP address>'
Links to More Info: BT934017
Component: Local Traffic Manager
Symptoms:
If a node is created and named '_auto_<IP address>', various problems may occur, including but not limited to:
-- If the node is configured as an FQDN template node, no ephemeral nodes may be created based on the FQDN name.
-- If the node is configured as an FQDN template node, when the node is deleted, an ephemeral node may be created based on the FQDN name of the deleted node.
-- If the node is configured as an FQDN template node with autopopulate enabled, when the node is deleted, ephemeral nodes may be created based on the FQDN name of the deleted node, but with no FQDN template node.
-- If the node is configured as an FQDN template node and then deleted, any ephemeral nodes remaining must be deleted manually.
Conditions:
This may occur if:
-- A node is created with a name of the form '_auto_<IP address>', such as:
- _auto_10.10.10.10 (IPv4 address 10.10.10.10).
- _auto_fe80..f811.3eff.fe06.9ab9 (IPv6 address fe80::f811:3eff:fe06:9ab9)
-- FQDN template nodes are configured (including the node described above) with FQDN names that resolve to the IP address embedded in the node name.
Impact:
-- Ephemeral nodes (and pool members) may not be created based on resolution of the FQDN name in the configured node.
-- Ephemeral nodes may be created unexpectedly after the configured node is deleted.
-- Ephemeral nodes created unexpectedly after the configured node is deleted must be deleted manually.
Workaround:
Do not create any node with a name beginning with '_auto_'.
That is a reserved name used for creation of FQDN ephemeral nodes.
933809 : Too many interrupts from console serial port starve TMM for CPU time
Links to More Info: BT933809
Component: TMOS
Symptoms:
Tmm crashes and the following error is found in the kernel log file:
"err kernel: serial8250: too much work for irq4".
Conditions:
This can be encountered when running tcpdump and dumping the output to the console while the device is under heavy load.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
933329-3 : The process plane statistics do not accurately label some processes
Links to More Info: BT933329
Component: TMOS
Symptoms:
The plane process statistics can be used to track the statistics of processes even though the process ID has changed over time. The processes are characterized as belonging to the control plane, data plane, or analysis plane. Some of the processes are incorrectly labeled.
Conditions:
Viewing the plane process statistics when diagnosing plane usage on the BIG-IP system.
Impact:
The percentage of usage of each plane can be confusing or incorrect.
Workaround:
None.
932893-3 : Content profile cannot be updated after redirect from violation details in Request Log
Links to More Info: BT932893
Component: Application Security Manager
Symptoms:
BIG-IP issues a redirect to the content profile form that contains relevant violation details in the Request Log. If you follow this redirect and try to update profile, the action fails.
Conditions:
This occurs if you follow the redirect to the content profile page from the violation details page in the Request Log, and then try to update the profile
Impact:
You are unable to update the content profile.
Workaround:
Go to the list content profile page, and update the content profile from there.
932857-3 : Delays marking Nodes or Pool Members DOWN with in-TMM monitoring
Links to More Info: BT932857
Component: Local Traffic Manager
Symptoms:
When configured with a large number of in-TMM monitors, Nodes or Pool Members may not be marked DOWN immediately after the configured timeout period once the target stops responding to pings.
Conditions:
This may occur when:
-- In-TMM monitoring is enabled (via sys db bigd.tmm).
-- A large number of Nodes and/or Pool Members (several hundreds or thousands) are configured and monitored.
Impact:
Nodes or Pool Members which are not responsive may not be marked DOWN in a timely fashion.
Workaround:
You can work around this issue by disabling in-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).
932825-3 : Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device
Links to More Info: BT932825
Component: Local Traffic Manager
Symptoms:
When the standby system in a High Availability (HA) group becomes active, it sends out gratuitous ARPs to advertise its ownership of IP addresses and direct traffic to itself. In rare conditions, when becoming active, other processes may send out traffic before Gratuitous ARPs are generated.
Conditions:
-- HA configured
-- Protocols in use that generate frequent and fast signaling messages
Impact:
This has been observed as an issue for IPsec during failover, causing tunnel stability issues after failover. No other protocols are known to be affected by the issue.
Workaround:
None
932553-3 : An HTTP request is not served when a remote logging server is down
Links to More Info: BT932553
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.
Conditions:
-- A BIG-IP system has an HTTP profile and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.
Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.
Workaround:
None.
932461-2 : Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.
Links to More Info: BT932461
Component: Local Traffic Manager
Symptoms:
If you overwrite the certificate that is configured on the server SSL profile and used with the HTTPS monitor, the BIG-IP system still uses an old certificate.
After you update the certificate, the stored certificate is incremented, but monitor logging indicates it is still using the old certificate.
Conditions:
-- Create a pool with an HTTPS pool member.
-- Create an HTTPS monitor with cert and key.
-- Assign the HTTPS monitor to the HTTPS pool.
-- Update the certificate via GUI or tmsh.
Impact:
The monitor still tries to use the old certificate, even after the update.
Workaround:
Use either of the following workarounds:
-- Restart bigd:
bigstart restart bigd
-- Modify the server SSL profile cert key, set it to 'none', and switch back to the original cert key name.
The bigd utility successfully loads the new certificate file.
932189-4 : Incorrect BD Swap Size units on ASM Resources chart
Links to More Info: BT932189
Component: Application Visibility and Reporting
Symptoms:
The 'BD Swap Size' reported on the 'Security :: Reporting : ASM Resources : Memory Utilization' page is much too high and incorrect.
Conditions:
ASM provisioned.
Impact:
Graphically reported BD swap memory usage is incorrect.
Workaround:
None.
932045-1 : Memory leak when creating/deleting LTM node object
Links to More Info: BT932045
Component: Local Traffic Manager
Symptoms:
A memory leak occurs when creating/deleting an LTM node object.
Conditions:
-- Create a node object.
-- Delete the node object.
Impact:
This gradually causes tmm memory pressure, and eventually a severe outcome is possible, such as aggressive mode sweeper and tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Refrain from continuously creating and deleting LTM nodes.
931629-1 : External trunk fdb entries might end up with internal MAC addresses.
Links to More Info: BT931629
Component: TMOS
Symptoms:
The vCMP host might have an external trunk with internal MAC addresses. This is visible via 'tmsh show net fdb'.
Conditions:
-- vCMP is provisioned and has guests deployed on it.
-- vCMP host uses trunks.
-- Create VLANs using trunks and assign them to guests.
-- Guests need to be in high availability (HA) configuration.
Impact:
Traffic processing is disrupted.
Workaround:
None.
931469-5 : Redundant socket close when half-open monitor pings
Links to More Info: BT931469
Component: Local Traffic Manager
Symptoms:
Sockets and log files are closed and re-opened twice instead of one time when the half-open TCP monitor pings successfully.
Conditions:
This occurs when the half-open monitor pings successfully.
Impact:
Minor performance impact.
Workaround:
None.
930825-3 : System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors
Links to More Info: BT930825
Component: TMOS
Symptoms:
The following symptoms may be seen when the HSB is experiencing a large number of XLMAC errors and is unable to recover from the errors. After the attempted XLMAC recovery fails, the system fails over to the peer unit, goes offline, and closes down links.
The TMM logs contain messages similar to the following:
-- notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
-- notice HA action is triggered due to XLMAC/FCS errors on HSB1 on bus 3.
-- notice HSBE2 1 disable XLMAC TX/RX at runtime.
-- notice HA failover action is cleared.
Followed by a failover event message.
Conditions:
It is unknown under what conditions the XLMAC errors occur.
Impact:
The BIG-IP system fails over.
Workaround:
None.
930625-3 : TMM crash is seen due to double free in SAML flow
Links to More Info: BT930625
Component: Access Policy Manager
Symptoms:
When this issue occurs, the TMM will crash.
Conditions:
Exact reproduction steps are not known, but it occurs during SAML transactions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
930217-4 : Zone colors in ASM swap usage graph are incorrect
Links to More Info: BT930217
Component: Application Visibility and Reporting
Symptoms:
In the GUI ASM memory utilization chart, the 'BD swap size, Total swap size' graph shows inconsistent background colors. It looks like these colors are assigned with an assumption that swap usage is shown as a percentage, but it is shown as an absolute value.
Conditions:
-- ASM is provisioned.
-- Viewing the ASM memory utilization chart.
Impact:
Potential confusion viewing colors in ASM memory utilization chart.
Workaround:
None. This is a cosmetic issue only.
929813-1 : "Error loading object from cursor" while updating a client SSL profile
Links to More Info: BT929813
Component: TMOS
Symptoms:
When updating a client-ssl profile in the GUI, the update fails and the GUI displays the following error:
"Error loading object from cursor"
Conditions:
- Client SSL profiles with inheritance: Parent -> Child -> Grand Child.
- Parent SSL profile uses cert-key-chain
Impact:
Unable to edit the profile using the GUI.
Workaround:
Use tmsh or iControl to update the Client SSL profile.
929429-4 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
Links to More Info: BT929429
Component: Local Traffic Manager
Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.
Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.
Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.
Workaround:
None.
929173-1 : Watchdog reset due to CPU stall detected by rcu_sched
Links to More Info: BT929173
Component: TMOS
Symptoms:
rcu_sched detects a CPU stall, which can cause a vCMP host reboot. The device reboots without a core and records "Host Watchdog timeout."
Typically there will be logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...
Conditions:
Host undergoing a watchdog reset in a vCMP environment.
Impact:
CPU RCU stalls and host watchdog reboots.
929133-3 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'
Links to More Info: BT929133
Component: TMOS
Symptoms:
VLANs with a name that starts with "eth" cause tmm to fail and restart.
Conditions:
A VLAN name that starts with "eth".
Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.
Workaround:
Rename all VLANs that start with "eth".
929005-1 : TS cookie is set in all responses
Links to More Info: BT929005
Component: Application Security Manager
Symptoms:
ASM sends a new cookie in every response, even though there is no change to the cookie name-plus-value.
Conditions:
-- ASM enabled.
-- Hostname is configured in the ASM policy.
-- The pool member sends different cookie values each time.
Impact:
ASM sends a Set-Cookie in every response, and it always sets the same cookie value.
Workaround:
None.
928697-3 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT
Links to More Info: BT928697
Component: TMOS
Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.
Conditions:
The initiator sends more than one proposal.
Impact:
Diagnosing connection issues is more difficult.
Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.
928665-1 : Kernel nf_conntrack table might get full with large configurations.
Links to More Info: BT928665
Component: TMOS
Symptoms:
Linux host connections are unreliable, and you see warning messages in /var/log/kern.log:
warning kernel: : [182365.380925] nf_conntrack: table full, dropping packet.
Conditions:
This can occur during normal operation for configurations with a large number of monitors, for example, 15,000 or more active entries.
Impact:
Monitors are unstable/not working at all.
Workaround:
1. Modify /etc/modprobe.d/f5-platform-el7-conntrack-default.conf
increasing the hashsize value:
options nf_conntrack hashsize=262144
2. Save the file.
3. Reboot the system.
928445-2 : HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2
Links to More Info: BT928445
Component: Local Traffic Manager
Symptoms:
HTTPS monitor state is down when server_ssl profile cipher string has the value 'TLSv1_2'.
-- The configured cipher string TLSv1_2/TLSv1_1 is rejected by OpenSSL.
Conditions:
-- Pool member is attached with HTTPS monitor.
-- Monitor is configured with an SSL profile.
-- The configured server_ssl profile has cipher string as DEFAULT:!TLSv1_2.
Impact:
Pool status is down.
Workaround:
-- Enable 'in-tmm' monitoring.
-- Use SSL options available in the server SSL profile to disable TLSv1_2 or TLSv1_1 instead of cipher string.
-- Use the same cipher string with cipher group / cipher rule that is attached to the SSL profile.
928389-4 : GUI becomes inaccessible after importing certificate under import type 'certificate'
Links to More Info: BT928389
Component: TMOS
Symptoms:
After importing a new certificate, httpd goes down and the GUI becomes inaccessible.
Conditions:
Upload a new certificate using the Import-type 'Certificate' option.
Impact:
The GUI is inaccessible as soon as you import a new device certificate using import-type 'Certificate'.
Workaround:
Manually copy the matching key to /config/httpd/conf/ssl.key/server.key and restart apache (bigstart restart httpd).
If you do not have the matching key, generate a new key/cert pair from the command line by following K9114.
928353-3 : Error logged installing Engineering Hotfix: Argument isn't numeric★
Links to More Info: BT928353
Component: TMOS
Symptoms:
When installing an Engineering Hotfix, the following error may be logged in /var/log/liveinstall.log:
Argument "" isn't numeric in numeric eq (==) at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/Hotfix.pm line 651.
Conditions:
This error may occur when installing an Engineering Hotfix, if the Engineering Hotfix does not include an update to the nash-initrd component.
Impact:
The error message gives a mistaken impression that the Engineering Hotfix did not install successfully. However, it does install correctly, and the system operates without issue. You can safely ignore this message.
Workaround:
None.
928177-1 : Syn-cookies might get enabled when performing multiple software upgrades.
Links to More Info: BT928177
Component: Advanced Firewall Manager
Symptoms:
Syn-cookie protection of FastL4/TCP profile might get enabled when performing multiple software upgrades.
Conditions:
-- Performing an upgrade from version earlier than 14.0.0 to a version higher than or equal to 14.0.0.
-- Then performing another upgrade.
Impact:
Value of profile attribute syn-cookie-enable might be changed during an upgrade.
Workaround:
Save configuration before starting each upgrade.
928137 : Unsupported key type error on FIPS card while creating keys
Links to More Info: BT928137
Component: Local Traffic Manager
Symptoms:
A crypto key is not generated on a FIPS 140 hardware device.
Conditions:
Generating a crypto key with the following parameters:
key-type ec-private
curve-name prime256v1
security-type fips
Impact:
Edge Client for Mac users will not be able to connect.
Workaround:
None.
927713-5 : Clsh reboot hangs when executed from the primary blade.
Links to More Info: BT927713
Component: Local Traffic Manager
Symptoms:
-- When 'clsh reboot' is executed on the primary blade, it internally calls ssh reboot on all secondary blades and then reboots the primary blade. The 'clsh reboot' script hangs, and there is a delay in rebooting the primary blade.
-- Running 'ssh reboot' on secondary blades hangs due to sshd sessions getting killed after network interface down.
Conditions:
-- Running 'clsh reboot' on the primary blade.
-- Running 'ssh reboot' on secondary blades.
Impact:
A secondary blade is not rebooted until clsh or ssh closes the connection to that blade.
Workaround:
Perform a reboot from the GUI.
927633-3 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic
Links to More Info: BT927633
Component: Local Traffic Manager
Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.
Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.
Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.
Workaround:
None.
927589-4 : ILX::call command response get truncated
Links to More Info: BT927589
Component: Local Traffic Manager
Symptoms:
If a response to an ILX::call command is larger than 64 KB, data is truncated.
Conditions:
-- iRule script including an ILX::call command in use.
-- Return response is greater than 64 KB.
Impact:
iRule fails and the connection aborts.
Workaround:
None.
927441-2 : Guest user not able to see virtual server details when ASM policy attached
Links to More Info: BT927441
Component: TMOS
Symptoms:
When ASM is attached to a Virtual Server, a BIG-IP user account configured with the Guest role cannot see virtual server details. An error message is printed instead:
01070823:3: Read Access Denied: user (guestuser) type (GTM virtual score).
Conditions:
-- ASM Policy attached to virtual server.
-- Logging onto the BIG-IP system using an account configured with the guest user role.
-- Running the command:
tmsh show ltm virtual detail
Impact:
Cannot view virtual server details.
Workaround:
None.
927289 : [APM] Intermittent issues with generating built-in or custom access reports
Links to More Info: BT927289
Component: Access Policy Manager
Symptoms:
When running the All Sessions report from Access :: Overview : Access Reports, the report generation times out.
Conditions:
Running built-in or custom access reports that take a long time to be generated.
Impact:
Inability to generate the access report.
Workaround:
None.
927025-4 : Sod restarts continuously
Links to More Info: BT927025
Component: TMOS
Symptoms:
After upgrading to v14.1.2.6, sod keeps restarting and dumping core.
Conditions:
This occurs when /dev/shm/chmand is missing and the system restarts chmand and sod upon reload.
Note: It is unknown how this condition might occur.
Impact:
Unstable sod process can affect failover functionality in BIG-IP systems.
Note: This happens only the first time after upgrade. To recover, you must power down the system for a full reboot.
Workaround:
Run the following command:
restorecon /dev/shm/chmand
926513-3 : HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected.
Links to More Info: BT926513
Component: Local Traffic Manager
Symptoms:
HTTP/2 Clone pools are not working when the Clone Pool (Server) option is selected. This issue occurs when a HTTP/2 profile (Server) or HTTP/2 full-proxy configuration is enabled and an HTTP/2 clone pool is set on a virtual server. This issue prevents traffic from being copied to the appropriate clone pool member.
Conditions:
A virtual server provisioned with the following configuration:
-- HTTP/2 default pool.
-- HTTP/2 clone pool (server).
-- HTTP/2 profile (server) or HTTP/2 profile full-proxy configuration.
Impact:
Clone pools (server) do not mirror HTTP/2 traffic.
Workaround:
None.
925797-3 : Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members
Links to More Info: BT925797
Component: TMOS
Symptoms:
When there are thousands of FQDN nodes and thousands of pools that have FQDN pool members, mcpd can run out of memory during a full config sync.
The mcpd process might fail and restart, or it might remain running but have its virtual memory so fragmented that queries to mcpd fail to allocate memory.
One sign that this has occurred is a non-zero free_fail count in the tmstat table vmem_kstat.
Conditions:
-- Thousands of FQDN nodes
-- Thousands of pools with FQDN pool members
-- Full config sync.
Impact:
-- The mcpd process might restart.
-- The config save operation fails:
tmsh save /sys config fails
-- Other queries to mcpd fail.
Workaround:
None.
925469-3 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo
Links to More Info: BT925469
Component: TMOS
Symptoms:
When using the Certificate Order Manager to request a new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.
Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.
-- Configure a new key with Subject Alternative Name (SAN).
Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.
Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.
924697-4 : VDI data plane performance degraded during frequent session statistic updates
Links to More Info: BT924697
Component: Access Policy Manager
Symptoms:
Data plane performance for VDI use cases (Citrix/VMware proxy) is degraded during frequent access session statistic updates.
Conditions:
APM is used as VDI proxy for Citrix or VMware.
Impact:
APM's VDI proxy does not perform to its full capacity.
Workaround:
None.
924589-4 : PEM ephemeral listeners with source-address-translation may not count subscriber data
Links to More Info: BT924589
Component: Policy Enforcement Manager
Symptoms:
When a PEM profile is associated with a protocol that can create dynamic server-side listeners (such as FTP), and source-address-translation is also enabled on the virtual server, traffic on that flow (for example ftp-data) is not associated with the subscriber, and is therefore not counted or categorized.
Conditions:
-- Listener configured with PEM and FTP profiles
-- Some form of source address translation is enabled on the listener (for example, SNAT, Automap, SNAT Pool)
Impact:
Inaccurate subscriber traffic reporting and classification.
Workaround:
None.
924297-1 : Ltm policy MCP objects are not being synced over to the peer device
Links to More Info: BT924297
Component: TMOS
Symptoms:
An LTM policy does not sync to the peer device, but the devices report "In Sync".
Conditions:
-- Sync/failover device group with full load on sync disabled
-- A draft policy is attached to a parent policy's rule actions and published.
-- A config sync occurs (manually or automatically)
Impact:
The LTM policy does not sync to the peer device.
Workaround:
Perform a full config sync:
tmsh run cm config-sync force-full-load-push to-group <device group name>
923745-1 : Ctrl-Alt-Del reboots the system
Links to More Info: BT923745
Component: TMOS
Symptoms:
A device reboot occurs when pressing Ctrl-Alt-Del.
Conditions:
This occurs when pressing Ctrl-Alt-Del or sending the command to a BIG-IP Virtual Edition (VE) virtual console.
Impact:
Accidental reboots are possible. You should not reboot VE using Ctrl-Alt-Del.
Workaround:
Run the following command:
systemctl mask ctrl-alt-del.target
923233-2 : Incorrect encoding in 'Logout Page' for non-UTF8 security policy
Links to More Info: BT923233
Component: Application Security Manager
Symptoms:
Fields in 'Logout Page' for a non-UTF8 security policy have incorrect encoding for values, including non-English characters in the GUI and iControl REST.
Conditions:
This can be encountered while creating a non-UTF8 security policy via iControl REST, where the 'expected' and 'unexpected' fields contain non-UTF8 content.
Impact:
Logout Page field values are displayed with the wrong encoding.
Workaround:
None.
923221-1 : BD does not use all the CPU cores
Links to More Info: BT923221
Component: Application Security Manager
Symptoms:
Not all CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.
Conditions:
BIG-IP software is installed on a device with more than 32 cores.
Impact:
ASM does not use all of the available CPU cores.
Workaround:
Run the following commands from bash shell.
1. # mount -o remount,rw /usr
2. Modify the following file on the BIG-IP system:
/usr/local/share/perl5/F5/ProcessHandler.pm
Important: Make a backup of the file before editing.
3. Change this:
ALL_CPUS_AFFINITY => '0xFFFFFFFF',
To this:
ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',
4. # mount -o remount,ro /usr
5. Restart the asm process:
# bigstart restart asm
922885-2 : BIG-IP Virtual Edition does not pass traffic on ESXi 6.5
Links to More Info: K27872027, BT922885
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.5 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).
'tmsh show net interface' indicates that one or more interfaces are not initialized.
Conditions:
-- BIG-IP VE running on VMware ESXi 6.5 hypervisor.
Impact:
Traffic does not pass through non-mgmt interfaces.
Workaround:
-- On the BIG-IP systems, you can switch to the 'sock' driver.
Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.
IMPORTANT: The driver must be configured the same way on all devices in a sync-failover device group.
1. At the command prompt, run the following command to enable the sock driver in tmm_init.tcl:
echo "device driver vendor_dev 15ad:07b0 sock" >> tmm_init.tcl
2. Restart tmm:
tmsh restart sys service tmm
-- After restarting, the sock driver should be listed in the 'driver_in_use' column when running the following command.
tmctl -d blade tmm/device_probed
pci_bdf      pseudo_name type      available_drivers     driver_in_use
------------ ----------- --------- --------------------- -------------
0000:03:00.0             F5DEV_PCI xnet, vmxnet3, sock,
0000:0b:00.0 1.1         F5DEV_PCI xnet, vmxnet3, sock,  sock
0000:13:00.0 1.2         F5DEV_PCI xnet, vmxnet3, sock,  sock
0000:1b:00.0 1.3         F5DEV_PCI xnet, vmxnet3, sock,  sock
922641-2 : Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow
Links to More Info: BT922641
Component: Local Traffic Manager
Symptoms:
iRule commands issued after a clientside or serverside command operate on the wrong peer flow.
Conditions:
An iRule contains a script that parks in a clientside or serverside command.
Examples of parking commands include 'table' and 'persist'.
Impact:
The iRule commands operate on the wrong peer flow.
Workaround:
Avoid using commands that park inside the clientside or serverside command.
922613-1 : Tunnels using autolasthop might drop traffic with ICMP route unreachable
Links to More Info: BT922613
Component: TMOS
Symptoms:
Traffic that should be encapsulated and sent via tunnel might get dropped with an ICMP error, destination unreachable, unreachable route. This happens in a scenario where no route exists towards the remote tunnel endpoint and the BIG-IP system relies on autolasthop to send the encapsulated traffic back to the other end of the tunnel.
Conditions:
No route exists to the other end of the tunnel.
Impact:
Traffic dropped with ICMP error, destination unreachable, unreachable route.
Workaround:
Create a route towards the other remote end of the tunnel.
922413-3 : Excessive memory consumption with ntlmconnpool configured
Links to More Info: BT922413
Component: Local Traffic Manager
Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server-side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client-side connections. It holds HTTP authentication headers, which are no longer necessary once a client is authenticated.
Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.
Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.
Workaround:
None.
922153-4 : Tcpdump is failing on tmm 0.x interfaces
Links to More Info: BT922153
Component: TMOS
Symptoms:
The tcpdump command exits immediately with an error:
errbuf ERROR:TMM side closing: Aborted
tcpdump: pcap_loop: TMM side closing: Aborted
Conditions:
Capturing the packets on tmm interfaces.
Impact:
Unable to capture the packets on specific tmm interfaces.
Workaround:
There are two possible workarounds:
-- Start tcpdump on the tmm that actually owns the interface using the TCPDUMP_ADDR command; for example, using blade1 for 1/0.16, run the command:
TCPDUMP_ADDR=127.1.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16
-- Send the TCPDUMP_ADDR command to a specific tmm, which could work from any blade. The address has the form 127.20.<slot>.<tmmnumber+1> (e.g., 127.20.1.1 == slot1/tmm0, 127.20.2.16 == slot2/tmm15):
TCPDUMP_ADDR=127.20.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16
922005-5 : Stats on a certain counter for web-acceleration profile may show excessive value
Links to More Info: BT922005
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system is configured to use the RAM Cache feature, a corresponding profile may report an excessively large value for the cache_misses_all counter under certain conditions.
Conditions:
-- The BIG-IP system has a virtual server with web-acceleration profile without an application (RAM Cache feature).
-- The virtual server receives uncacheable requests which are interrupted by a client or are not served by a server.
Impact:
A value for cache_misses_all incurs an arithmetic overflow, and shows an excessive number comparable with 1.8e19. The issue has no functional impact; the system operates as normal.
Workaround:
None.
921993-4 : LTM policy with a 'contains' operator does not work as expected when using an external data group.
Links to More Info: BT921993
Component: Local Traffic Manager
Symptoms:
If a combination of other operators and the 'contains' operator are used in LTM Policy, searches might fail if the hashing-based operators have not populated the target entries.
Conditions:
-- LTM policy with 'contains' operator.
-- Use of external datagroups.
Impact:
LTM policy might not work as expected with external data groups.
Workaround:
Use either of the following workarounds:
-- If applicable, change the 'contains' operator to 'starts_with' in the policy.
-- Change the policy into an iRule (executing '[class get <datagroup>]').
921665-1 : Policy Signatures: updating a filtered list causes all signatures to be updated
Links to More Info: BT921665
Component: Application Security Manager
Symptoms:
After making a change to a filtered list of signatures, ASM updates all signatures instead.
Conditions:
This can occur when applying changes to a filtered signatures list two or more times in rapid succession.
Impact:
All signatures may be updated without the intention to do so.
Workaround:
You can use either workaround:
-- Apply the filter after each action.
-- Reload the page.
921541-4 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
Links to More Info: BT921541
Component: Local Traffic Manager
Symptoms:
The HTTP session initiated by curl hangs.
Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
+ B4450N (A114)
+ i4000 (C115)
+ i10000 (C116/C127)
+ i7000 (C118)
+ i5000 (C119)
+ i11000 (C123)
+ i11000 (C124)
+ i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.
Impact:
Connection hangs, times out, and resets.
Workaround:
Use software compression.
921477-4 : Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup.
Links to More Info: BT921477
Component: Local Traffic Manager
Symptoms:
With the HTTP RFC enforcement profile option enabled, incoming health monitor requests without an HTTP version in the request line (HTTP/0.9) may fail to produce the correct result for dual BIG-IP configurations. This can result in incoming health monitor traffic being incorrectly blocked when traveling through a virtual server. These health monitors will be unable to provide the correct availability of the intended resource. The default HTTP and HTTPS monitors as well as any custom monitors with a missing HTTP version in their requests could see this issue.
Conditions:
A dual BIG-IP configuration may be provisioned with the following considerations.
-- One or more BIG-IP systems are in the network path for monitor traffic.
-- The first BIG-IP system uses a health monitor that initiates a health check request (without an HTTP version) in the request line (HTTP/0.9) against a second BIG-IP system.
-- The second (downstream) BIG-IP system has a virtual server that is the endpoint for the monitor. The virtual server is configured with an HTTP profile with the HTTP RFC Compliance profile option selected.
Impact:
Rather than receiving the correct health check result, the original BIG-IP system can fail to report whether the second BIG-IP is available.
Workaround:
You can use the http_head_f5 monitor to perform health checks.
921369-2 : Signature verification for logs fails if the log files are modified during log rotation
Links to More Info: BT921369
Component: TMOS
Symptoms:
Rotated log files that are modified immediately after log rotation and before signature generation can cause signature verification failure.
Conditions:
-- Log integrity feature is enabled.
-- A log rotation event occurs.
Impact:
Signature verification may fail on rotated log files.
921149-2 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
Links to More Info: BT921149
Component: TMOS
Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.
Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.
Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.
Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.
921121-1 : Tmm crash with iRule and a PEM Policy with BWC Enabled
Links to More Info: BT921121
Component: TMOS
Symptoms:
Tmm crashes while passing traffic through PEM.
Conditions:
-- PEM policy with bandwidth controller.
-- iRule makes a traffic decision based on certain unique PEM sessions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
921001-3 : After provisioning change, pfmand might keep interfaces down on particular platforms
Links to More Info: BT921001
Component: TMOS
Symptoms:
After a provisioning change, pfmand might keep interfaces down.
Conditions:
-- Provisioning change on the following platforms:
+ i850
+ i2600 / i2800
+ i4600 / i4800
+ 2000- and 4000-series
-- Link Down Time on Failover configured to a non-zero value (the default is '10').
Impact:
Interfaces remain DOWN.
Workaround:
Follow this procedure:
1. Set db failover.standby.linkdowntime to '0'.
2. To bring interfaces UP again, restart pfmand:
bigstart restart pfmand
920817-4 : Wide IP operations performed in quick succession result in missing resource records and out of sync journals.
Links to More Info: BT920817
Component: Global Traffic Manager (DNS)
Symptoms:
Two issues occur with Wide IP operations performed in quick succession:
1. DNS Zone syncing is missing resource records.
2. In some cases it throws a named/zrd error: journal rollforward failed: journal out of sync with zone.
Conditions:
This issue can occur when a large number of configuration changes, including Wide IP changes, are made simultaneously on multiple GTM/DNS devices in a sync group.
Impact:
DNS resource records can be missing from the BIND DNS database.
The impact of this issue is that if GSLB Load Balancing falls back to BIND, the DNS resource records may not be present.
Manually remove the .jnl files in order to restore named/zrd on all GTMs.
Workaround:
Restrict configuration (Wide IP) changes to one GTM/DNS device in a device group.
Note: It is also possible to turn off zone syncing. GTM/DNS configuration is still synced, but you lose the ability to sync non-Wide IP changes to the BIND DB.
If you do not use ZoneRunner to add additional non-Wide IP records, this is only a problem when GSLB falls back to BIND.
This can be mitigated with DNSX and DNS (off device) for non Wide IP Resource Records.
Manually remove the .jnl files in order to restore named/zrd on all GTMs.
920789-4 : UDP commands in iRules executed during FLOW_INIT event fail
Links to More Info: BT920789
Component: Local Traffic Manager
Symptoms:
UDP commands in iRules executed during FLOW_INIT event fail.
Conditions:
An iRule that contains UDP commands is executed on the FLOW_INIT event.
Impact:
UDP commands in iRules executed during FLOW_INIT event fail.
Workaround:
None.
920761-3 : Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values
Links to More Info: BT920761
Component: TMOS
Symptoms:
In the GUI if you change a virtual server from one type to another, there may be changes automatically applied to some of the settings. If you change the type back to its original value, those changes remain, and are saved when you click Update.
Conditions:
-- Modifying a virtual server from one type to another, and then changing it back to the original type.
-- Clicking Update.
Impact:
Unexpected configuration changes, which can lead to unexpected behavior of the BIG-IP system.
Workaround:
To prevent unwanted changes, when you change a virtual server's type and then change it back within the same session, click Cancel instead of Update.
920541-2 : Incorrect values in 'Class Attribute' in Radius-Acct STOP request
Links to More Info: BT920541
Component: Access Policy Manager
Symptoms:
'Class Attribute' value in the Radius-Acct STOP request from the BIG-IP APM system does not match the 'Class Attribute' value in the Radius-Acct START request from the RADIUS server.
Conditions:
-- Access policy is configured with RADIUS Acct VPE item to send accounting messages to RADIUS server when users log on and off.
Impact:
RADIUS server does not log accounting information properly.
Workaround:
This workaround textually describes reconfiguring an access policy in the Visual Policy Editor (VPE). Descriptions may not be as straightforward as in regular GUI workarounds.
This is a description of the visual layout of the policy:
Start --+-- Logon Page --+-- RADIUS Auth --+-- RADIUS Acct --+-- Variable Assign (1) --+-- Advanced Resource Assign --+-- Variable Assign --+-- Allow
1. Decode the class attribute and save it in a temporary variable:
-- Click Variable Assign (1); in the two sub-areas, enter the following:
temp.radius.last.attr.class.decoded
expr { [mcget -decode {session.radius.last.attr.class}] }
2. Copy the temporary variable into the class session var:
-- Click Variable Assign; in the two sub-areas, enter the following:
session.radius.last.attr.class
expr { [mcget {temp.radius.last.attr.class.decoded}] }
In this way, when you log out, and APM sends the RADIUS Stop accounting message, it uses the decoded value that is saved in the session.radius.last.attr.class variable.
920517-3 : Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI
Links to More Info: BT920517
Component: TMOS
Symptoms:
When creating a Rate Shaping Rate Class in the GUI, the default values for 'Queue Method' and 'Drop Policy' are not correct.
Conditions:
-- Creating a Rate Shaping Rate Class in the GUI.
-- Leaving 'Queue Method' and 'Drop Policy' settings as their defaults.
Impact:
Unexpected values in the configuration: 'Queue Method' is 'sfq' and 'Drop Policy' is 'tail'.
Workaround:
You can use either of the following workarounds:
-- Manually set the 'Queue Method' and 'Drop Policy' when creating a Rate Shaping Rate Class object. These settings are available in the 'Advanced' view of the 'General Properties' section. 'Queue Method' should be 'pfifo' and 'Drop Policy' should be 'fred'.
-- Use TMSH to create Rate Shaping Rate Class objects.
920285-2 : WS::disconnect may result in TMM crash under certain conditions
Links to More Info: BT920285
Component: Local Traffic Manager
Symptoms:
The WebSocket profile allows use of the WS::disconnect iRule command to gracefully terminate a connection with a client or a server. Use of this command may result in a crash if tmm parks the iRule before execution completes.
Conditions:
-- BIG-IP has a virtual server configured with a WebSocket profile.
-- An iRule that includes the WS::disconnect command is attached to the virtual server.
-- BIG-IP is under heavy load and/or the iRule requires an extended time to execute. For example, tmm might park the iRule execution because the operation takes more CPU cycles than tmm can allocate to complete the iRule execution.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
920205-1 : Rate shaping might suppress TCP RST
Links to More Info: BT920205
Component: Local Traffic Manager
Symptoms:
When rate shaping is configured, the system might suppress TCP RSTs issued by itself.
Conditions:
Rate shaping is configured.
Impact:
The rate-shaping instance drops TCP RSTs; the endpoint is not informed about the ungraceful shutdown.
Workaround:
Do not use rate-shaping.
919401-3 : Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed
Links to More Info: BT919401
Component: TMOS
Symptoms:
If ICAP is not licensed, the system does not prevent you from adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in the CLI. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:
crit tmm[3328]: 01010022:2: ICAP feature not licensed
Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.
Impact:
Traffic does not pass through the affected virtual servers.
Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.
919185-4 : Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed
Links to More Info: BT919185
Component: TMOS
Symptoms:
The Request Adapt Profile and Response Adapt Profile settings are visible when creating or editing a virtual server in the GUI on systems that do not have ICAP licensed. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:
crit tmm[3328]: 01010022:2: ICAP feature not licensed
Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.
Impact:
Traffic does not pass through the affected virtual servers.
Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.
918905-3 : PCCD restart loop when using more than 256 FQDN entries in Firewall Rules
Links to More Info: BT918905
Component: Advanced Firewall Manager
Symptoms:
PCCD enters a restart loop, until the configuration is changed such that 256 or fewer FQDN entries are in use. Errors are reported to the terminal screen:
pccd[23494]: 015d0000:0: pccd encountered a fatal error and will be restarted shortly...
Conditions:
More than 256 FQDN entries are in use in Firewall Rules.
Impact:
PCCD goes into a restart loop. PCCD is not functional until there are 256 or fewer entries.
Workaround:
Use 256 or fewer FQDN entries in Firewall Rules.
To aid in the removal of extra rules when using tmsh, you can prevent PCCD restart messages from flooding the console:
1. Stop PCCD to halt the restart messages:
bigstart stop pccd
2. Modify the configuration.
3. Bring PCCD back up:
bigstart start pccd
918693-3 : Wide IP alias validation error during sync or config load
Links to More Info: BT918693
Component: Global Traffic Manager (DNS)
Symptoms:
DB validation exception occurs during sync or config load:
01070734:3: Configuration error: DB validation exception, unique constraint violation on table (gtm_wideip_alias) object ID (1 /Common/alias.test.com www.test.com). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:gtm_wideip_alias status:13)
Unexpected Error: Loading configuration process failed.
Conditions:
-- Wide IP has an alias associated with it.
-- Sync or load the config.
Impact:
You are unable to load config or full sync from peer DNS/GTM.
Workaround:
Follow this procedure:
1. Delete the wide IP alias on the destination device.
2. Try the sync or load config operation again.
918277-4 : Slow Ramp does not take into account pool members' ratio weights
Links to More Info: BT918277
Component: Local Traffic Manager
Symptoms:
When a pool member is within its slow-ramp period, and is a member of a pool that uses a static-ratio-based load balancing algorithm, its ratio weight is not taken into account when balancing connections to it. If it has a ratio that is higher than other pool members, this can result in a sudden influx of connections once the pool member exits the slow-ramp period.
Conditions:
-- Pool with a non-zero slow-ramp timeout and a static-ratio-based load balancing algorithm.
-- Pool members within the pool have different ratio weights.
-- At least one pool member is inside its slow-ramp period.
Impact:
The pool member could still be overwhelmed despite the attempt to slow-ramp connections to it.
Workaround:
None.
918053-3 : [Win][EdgeClient] 'Enable Always Connected mode' is checked for all connectivity profiles with same Parent profile.
Links to More Info: BT918053
Component: Access Policy Manager
Symptoms:
The default value of 'Enable Always Connected' becomes enabled for connectivity profiles after adding 'Server List' to one of the connectivity profiles with the same Parent profile.
Conditions:
-- Add 'Server List' to one of the connectivity profiles with the same Parent profile.
-- Enable the 'Always Connected mode' setting for one of the connectivity profiles.
Impact:
This change affects all of the connectivity profiles. The parent-child inheritance logic is broken.
Workaround:
Manually uncheck the setting in all new profiles where 'Enable Always Connected' is not needed.
918013-3 : Log message with large wchan value
Links to More Info: BT918013
Component: TMOS
Symptoms:
A message is logged with a very large wchan (waiting channel, WCHAN :: Sleeping in Function) value that corresponds to -1 when read as signed instead of unsigned.
Conditions:
This happens in normal operation.
Impact:
The message is not accurately reporting the wchan value.
Workaround:
Look at the /proc/PID/stack file for the correct wchan value.
917637-1 : Tmm crash with ICAP filter
Links to More Info: BT917637
Component: Service Provider
Symptoms:
Tmm crashes while passing traffic.
Conditions:
-- Per-request policies configured.
-- ICAP is configured.
This is a rare condition that occurs intermittently.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
916781-2 : Validation error while attaching DoS profile to GTP virtual
Links to More Info: BT916781
Component: Service Provider
Symptoms:
Validation error is observed while attaching DoS security profile to GPRS Tunneling Protocol (GTP) virtual server.
Conditions:
Attach DoS security profile to GTP virtual server.
Impact:
Validation error. Cannot attach DoS profile to GTP virtual server.
Workaround:
None.
916485-4 : Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object
Links to More Info: BT916485
Component: Local Traffic Manager
Symptoms:
Running 'tmsh install sys crypto key' command for SafeNet keys creates a new mcp object with the keyname as the label name in HSM, and with the duplicate key-id.
Conditions:
This happens when trying to install the key using the key-label as the argument.
Impact:
Even after deleting the tmsh key (tmsh delete sys crypto key), the BIG-IP system can still pass traffic because there's a duplicate key pointing to the same key in the HSM.
Workaround:
None.
915557-4 : The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.
Links to More Info: BT915557
Component: TMOS
Symptoms:
When using the pool statistics GUI page, the page stops displaying and the GUI shows the following error:
General database error retrieving information.
Conditions:
You attempt to apply a Status filter (e.g., Available) to display only some pools.
Impact:
The Status filter is not usable. Additionally, the page continues not to display even after you navigate away from the page and later return to it.
Workaround:
There is no workaround to prevent the issue, but if you wish to access that page again (and not use the Status filter), you can do so by clearing your browser's cache.
915493-3 : imish command hangs when ospfd is enabled
Links to More Info: BT915493
Component: TMOS
Symptoms:
Running the imish command hangs when ospfd is enabled.
Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command.
Impact:
The imish operation hangs.
Workaround:
Restart the ospfd daemon.
915473-2 : Accessing Dashboard page with AVR provisioned causes continuous audit logs
Links to More Info: BT915473
Component: TMOS
Symptoms:
Navigating to Statistics :: Dashboard in the GUI with AVR or APM provisioned causes continuous audit logging and restjavad logs.
Conditions:
-- AVR provisioned
-- An administrator navigates to Statistics :: Dashboard.
Impact:
The continuous extra logs might lead to confusion and may not be helpful.
Workaround:
None.
915221-2 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
Links to More Info: BT915221
Component: Advanced Firewall Manager
Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.
Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.
Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.
Workaround:
Delete or purge /var/tmp/mcpd.out.
915141-4 : Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'
Links to More Info: BT915141
Component: TMOS
Symptoms:
Availability status of virtual server can be left 'available' even if the corresponding pool's availability becomes 'unknown'.
Conditions:
- Pool member is configured as an FQDN node.
- You set monitor to 'none' with the pool.
Impact:
Inconsistent availability status of pool and virtual server.
Workaround:
Set the FQDN node to 'force offline', and then 'enable'. This triggers virtual server's status updates and syncs to pool.
914589-3 : VLAN Failsafe timeout is not always respected
Links to More Info: BT914589
Component: Local Traffic Manager
Symptoms:
VLAN Failsafe timeout is triggered later than its configured interval.
Conditions:
-- Rarely happens on the first failover. More commonly occurs on the 3rd/4th failover.
-- Specific conditions that cause this issue are not known.
Impact:
VLAN Failsafe timeout might be triggered later than it is configured.
The exact impact varies based on the configuration and traffic activity.
Workaround:
Use another form of automatic failover if needed (gateway failsafe, ha-groups, etc.).
914061-3 : BIG-IP may reject a POST request if it comes first and exceeds the initial window size
Links to More Info: BT914061
Component: Local Traffic Manager
Symptoms:
The HTTP/2 protocol allows a negative flow-control window during the initial stage of communication, while the first 65,535 bytes of payload are delivered from a peer. BIG-IP may break this requirement.
Conditions:
-- BIG-IP has a virtual server with http2 profile.
-- A configured receive window size in the http2 profile is below 64K (default 32K).
-- A peer sends POST request with payload exceeding initial receive window size over HTTP/2 connection.
Impact:
BIG-IP denies the POST request and sends RST_STREAM.
913917-4 : Unable to save UCS
Links to More Info: BT913917
Component: Global Traffic Manager (DNS)
Symptoms:
You are unable to create a backup UCS.
You see a warning in /var/log/restjavad.0.log:
[WARNING][8100/tm/shared/sys/backup/306b4630-aa74-4a3d-af70-0d49bdd1d89e/worker UcsBackupTaskWorker] Failure with backup process 306b4630-aa74-4a3d-af70-0d49bdd1d89e.
This is followed by a list of some files in /var/named/config/namedb/.
Conditions:
Named has some Slave zones configured and is going through frequent zone transfer.
Impact:
You are unable to create a UCS file.
Workaround:
Stop named zone transfer while doing UCS backup.
913729-4 : Support for DNSSEC Lookaside Validation (DLV) has been removed.
Links to More Info: BT913729
Component: Global Traffic Manager (DNS)
Symptoms:
Following the deprecation of DNSSEC lookaside validation (DLV) by the Internet Engineering Task Force (IETF), support for this feature has been removed from the product.
Conditions:
Attempting to use DLV.
Impact:
Cannot use DLV.
Workaround:
None. DLV is no longer supported.
913573-1 : Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint.
Links to More Info: BT913573
Component: TMOS
Symptoms:
When a REST API PUT request is made to modify LTM data-group internal without the 'type' field in the body content, it fails intermittently with a 400 error.
--{"code":400,"message":"invalid property value \"type\":\"\"","errorStack":[],"apiError":26214401}
The 'type' field is not getting populated with default value and is set to null string "" instead.
Conditions:
-- PUT REST API request used to modify LTM data-group internal.
-- Type field is not specified in the body-content.
Impact:
Unable to update the configuration object (LTM data-group internal) with REST API PUT.
Workaround:
Include 'type' field inside PUT request body content for the operation to succeed.
Example Curl Command:
-- curl -isku <username>:<password> -H "Content-Type: application/json" -X PUT -d '{"records":[{"name":"1.1.1.1"}, {"name":"1.1.1.2"}], "type":"ip"}' https://localhost/mgmt/tm/ltm/data-group/internal/~Common~<Name>
912761-4 : Link throughput statistics are different
Links to More Info: BT912761
Component: Global Traffic Manager (DNS)
Symptoms:
Different link throughput statistics are seen on GTM/DNS systems that are connected by full-mesh iQuery.
Conditions:
-- The same link is used on different BIG-IP addresses as a pool member in the default gateway pool.
-- A forwarding virtual server is used.
Impact:
Each GTM/DNS server might get different link throughput for the same link, and therefore make less-than-optimal decisions.
Workaround:
Do not use the same uplink for different BIG-IP devices.
912293-1 : Persistence might not work properly on virtual servers that utilize address lists
Links to More Info: BT912293
Component: Local Traffic Manager
Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.
Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.
-- The virtual server utilizes one of the following persistence types:
+ Source Address (but not hash-algorithm carp)
+ Destination Address (but not hash-algorithm carp)
+ Universal
+ Cookie (only cookie hash)
+ Host
+ SSL session
+ SIP
+ Hash (but not hash-algorithm carp)
Impact:
-- High tmm CPU utilization.
-- Stalled connections.
Workaround:
Enable match-across-virtuals in the persistence profile.
Note: Enabling match-across-virtuals might affect the behavior of other virtual servers in the configuration that utilize persistence.
911853-4 : Stream filter chunk-size limits filter to a single match per ingress buffer
Links to More Info: BT911853
Component: Local Traffic Manager
Symptoms:
The chunk-size profile setting of the stream filter limits memory by capping the match string allocated from an ingress buffer to <chunksize> bytes. This implicitly limits the maximum size of the match, potentially resulting in missed matches beyond chunk-size within the same ingress buffer. For more information, see:
https://support.f5.com/csp/article/K39394712
Conditions:
A stream filter is configured with the chunk-size parameter set and ingress data arrives which contains matches beyond the configured chunk-size in the buffer.
Impact:
Potential matches beyond the configured chunk-size will be sent unmodified by the stream filter, potentially resulting in missed matches.
Workaround:
None.
911713-2 : Delay in Network Convergence with RSTP enabled
Links to More Info: BT911713
Component: TMOS
Symptoms:
The BIG-IP system does not respond to Rapid Spanning Tree Protocol (RSTP) Bridge Protocol Data Units (BPDUs) with only the proposal flag ON (i.e., without the agreement flag ON).
Conditions:
-- Neighbor Switch sends RSTP BPDU with only proposal flag ON.
-- The agreement flag is not ON.
Impact:
Network convergence takes more time than expected.
Workaround:
None.
911585 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval
Links to More Info: BT911585
Component: Policy Enforcement Manager
Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.
Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)
Impact:
Session is not established.
Workaround:
None.
911485 : When MRF is in use, TCP::release does not immediately remove data from the TCP payload
Links to More Info: BT911485
Component: Service Provider
Symptoms:
Tmm crashes because the TCP::payload is not flushed after the TCP::release command.
Conditions:
If a virtual server is configured for MRF, when TCP::release is used, it does not immediately remove the specified number of bytes from the TCP payload, leading to the possibility that these bytes could be retrieved multiple times by successive calls to TCP::payload.
Impact:
Tmm crash leads to unavailability of service. Traffic disrupted while tmm restarts.
Workaround:
For example, if a GENERICMESSAGE_INGRESS event is included in the iRule, then when it gets executed the bytes are removed from the payload.
Another way to do it is to explicitly call 'TCP::payload replace 0 <bytes released> ""'.
911241-4 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
Links to More Info: BT911241
Component: Global Traffic Manager (DNS)
Symptoms:
The iqsyncer utility leaks memory.
Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.
Impact:
The iqsyncer utility exhausts memory and is killed.
Workaround:
Do not set log.gtm.level equal to or higher than debug.
910965-3 : Overflow of Multicast table filling the tmm log
Links to More Info: BT910965
Component: Local Traffic Manager
Symptoms:
Whenever a new multicast entry is added to an already full table, an error is logged to /var/log/tmm.
Conditions:
This warning occurs when the multicast table is full.
Impact:
When this condition occurs, the tmm log can fill with these warning messages.
Workaround:
None.
910777-4 : Sending ASM report via AWS SES failed due to wrong content type
Links to More Info: BT910777
Component: Application Visibility and Reporting
Symptoms:
When you attempt to send an ASM report via AWS SES, the message bounces with the following message:
Could not send e-mails: SMTP Error: data not accepted.; Transaction failed: Expected MIME type, got ;; Error code: 554.
This occurs because the BIG-IP system is sending out the report message with an empty Content-Type in the multipart MIME, which the AWS mail host cannot process.
Conditions:
This is encountered in the following scenario:
1. Set up SMTP and ASM schedule report.
2. Click Send Now, and get the error message in GUI.
3. SSH into the BIG-IP system.
4. Add this line under the following snippet:
[admin@bigip:Active:Standalone] ~ # chmod 644 /var/ts/dms/script/avrexport/avrmail.php
[admin@bigip:Active:Standalone] ~ # vi /var/ts/dms/script/avrexport/avrmail.php
if (!$mail_subject) $mail_subject = "BIG-IP Analytics Report";
if (!$mail_body) $mail_body = "Attached to this e-mail is a BIG-IP Analytics Report issued at $mail_time\n\n";
if (!$mail_from) $mail_from = 'BIG-IP Reporter';
if (!$mail_content_type) $mail_content_type = 'text/html'; <<<< Add this line to set the content type to text/html.
[admin@bigip:Active:Standalone] ~ # chmod 444 /var/ts/dms/script/avrexport/avrmail.php
5. Click Send Now again and it works.
Note: To use AWS SES, you must verify your email address first (as a Sender). You can search SES in AWS and verify your email in Email Addresses. AWS sends an email. Click the embedded link after receipt, and then you can use it as the Sender address on the BIG-IP system.
Impact:
Cannot receive ASM reports.
910673-2 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'
Links to More Info: BT910673
Component: Local Traffic Manager
Symptoms:
Thales installation script fails with error message.
ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.
Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.
Impact:
Thales/nCipher NetHSM client software installation fails.
Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.
910273-4 : SSL Certificate version always displays as '1' in the GUI
Links to More Info: BT910273
Component: Local Traffic Manager
Symptoms:
In the GUI, an SSL certificate's version is displayed as '1', even if its version is higher than 1.
Conditions:
-- Viewing an SSL certificate in the GUI.
-- The SSL certificate's version is higher than 1.
Impact:
SSL certificate's version is displayed as '1'. There is no functional impact.
Workaround:
None.
910105-2 : Partial HTTP/2 payload may freeze on the BIG-IP system
Links to More Info: BT910105
Component: Local Traffic Manager
Symptoms:
HTTP/2 allows sending the payload in both directions gradually, until a frame with an END_STREAM flag closes a direction. The BIG-IP system does not properly handle an early response from a server when an HTTP router is configured on a virtual server and a partial payload is sent in each direction. In this case, communication over the stream hangs.
Conditions:
-- Virtual server is configured on the BIG-IP system with HTTP and HTTP/2 profiles on both the client and server sides.
-- HTTP router profile is configured on the virtual server.
-- Client sends a request and delivers a partial payload, waiting for a response from a server.
-- Server responds with a partial payload.
Impact:
A response with a partial payload is not delivered to a client. Communication freezes on that specific stream.
Workaround:
None.
909997-1 : Virtual server status displays as unavailable when it is accepting connections
Links to More Info: BT909997
Component: Local Traffic Manager
Symptoms:
After a rate limit is triggered and released, the virtual server status in the GUI remains as 'unavailable'. The virtual server resumes accepting new connections while the GUI shows the virtual server is unavailable.
Conditions:
-- The virtual server has a source address list configured.
-- Address lists define more than one address.
-- The connections are over the rate limit, and the virtual server status is marked unavailable.
-- The number of connections falls below the limit.
Impact:
Actual virtual server status is not reflected in GUI.
Workaround:
If the deployment design allows, you can use either of the following workarounds:
-- Remove the source address list from the virtual server.
-- Have a single address in the source address list.
909677-4 : HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted
Links to More Info: BT909677
Component: Local Traffic Manager
Symptoms:
When using HTTP/2, the :scheme pseudo-header appears to always be set to HTTPS on requests, even when the server-side connection is not encrypted.
Conditions:
-- Using an HTTP/2 virtual server.
-- The server-side connection is unencrypted.
Impact:
The impact of this issue varies based on how the application reacts at the server-side.
Workaround:
None.
909673-1 : TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms
Links to More Info: BT909673
Component: TMOS
Symptoms:
TMM crashes when VLAN SYN cookie feature is used.
Conditions:
-- Configuring for VLAN SYN cookie use.
-- Running on iSeries i2800/i2600 and i4800/i4600 platforms.
Impact:
Tmm crashes and traffic processing stops. Traffic disrupted while tmm restarts.
Workaround:
None.
909505-1 : Creating LTM data group external object fails.
Links to More Info: BT909505
Component: TMOS
Symptoms:
iControl REST command to create a data group fails if you do not set the externalFileName variable.
The same command works in tmsh, and you are not required to specify the externalFileName.
Conditions:
-- Creating a data group using iControl REST.
-- POST payload does not contain the externalFileName variable.
Impact:
You are unable to create the data group.
Workaround:
The command works if you specify the externalFileName parameter:
curl -sku $PASS https://$HOST/mgmt/tm/ltm/data-group/external -X POST -H "Content-type: application/json" -d '{"name":"fooBar", "externalFileName":"fooBar.txt"}'
909485-1 : Deleting LTM data-group external object incorrectly reports 200 when object fails to delete
Links to More Info: BT909485
Component: TMOS
Symptoms:
When you delete an LTM external data-group object using iControl REST, it incorrectly returns '200 OK' even though the object is not deleted.
Conditions:
-- Deleting an external data-group object via iControl REST.
-- The LTM external data-group object is referenced by another object (such as an iRule).
Impact:
The object still exists, even though the system returns a '200 OK' message indicating that the operation completed successfully.
Workaround:
None.
908753-1 : Password memory not effective even when password policy is configured
Links to More Info: BT908753
Component: TMOS
Symptoms:
The BIG-IP system does not prevent you from specifying previously used passwords, even if Secure Password Enforcement is enabled with password memory set to a non-zero value.
Conditions:
-- Password memory in auth settings is not 0 (zero).
-- Attempt to specify a previously specified password.
Impact:
Password history, which prevents a user from reusing the same password, is not enforced.
Workaround:
None.
908477-4 : Request-adapt plus request-logging causes HTTP double-chunking in an ICAP request
Links to More Info: BT908477
Component: Service Provider
Symptoms:
When an HTTP chunked request is sent to a virtual server that has both a request-adapt (e.g., for ICAP), and a request-logging profile attached, the request that is sent to the ICAP server is doubly chunked.
Conditions:
-- A virtual server is configured with both a request-adapt (ICAP) and request-logging profile.
-- HTTP chunked requests are sent to this virtual server.
Impact:
Data corruption in the HTTP stream.
Workaround:
You can use either of the following workarounds:
-- Force rechunking on the HTTP profile:
request-chunking rechunk
-- Remove the request-logging profile (and potentially log requests using an iRule instead).
908453-2 : Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly
Links to More Info: BT908453
Component: TMOS
Symptoms:
When a trunk is configured with a name longer than 32 characters on a vCMP host, guests update the working-mbr-count for the trunk incorrectly when another trunk on the host changes. This might result in vCMP guests failing over unexpectedly.
Conditions:
-- Trunk configured with a name longer than 32 characters on vCMP host.
-- Trunk made available to guests for high availability (HA) Group scoring.
-- At least one other trunk configured on vCMP host.
-- Interface state changes in any other trunk.
Impact:
The vCMP guests may fail over unexpectedly.
Workaround:
Do not use trunk names longer than 32 characters.
907549-3 : Memory leak in BWC::Measure
Links to More Info: BT907549
Component: TMOS
Symptoms:
Memory leak in BWC calculator.
Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.
Impact:
A memory leak occurs.
Workaround:
None.
907177-4 : Priority of embedded APM iRules is ignored
Links to More Info: BT907177
Component: Local Traffic Manager
Symptoms:
Custom iRule events are executed before the embedded APM iRule events, despite the custom iRule's priority value being larger than the APM iRule's priority value.
Conditions:
-- APM is provisioned.
-- Custom iRule with a priority value larger than the APM iRule's priority value.
Impact:
Custom iRule event is executed before APM iRule event.
Workaround:
None.
906737-1 : Error message: 'templates/' is not a directory
Links to More Info: BT906737
Component: Application Security Manager
Symptoms:
Some of the Templates class values are incorrectly initialized with the wrong base directory, so every time specific pages are opened in a browser, a message is written to var/log/ts/ui/debug.log:
'templates/' is not a directory.
Conditions:
Open Live Update, Policies Lists, Policies Summary, and several other pages under the Security heading.
Impact:
No functional impact, but log entries are added.
Workaround:
None.
906653-4 : Server side UDP immediate idle-timeout drops datagrams
Links to More Info: BT906653
Component: Local Traffic Manager
Symptoms:
With immediate idle-timeout, flows may be closed before a datagram is forwarded.
Conditions:
-- Immediate idle-timeout is set on the server context of a UDP virtual server.
Impact:
Datagrams are dropped periodically depending on traffic load.
Workaround:
None.
906505-4 : Display of LCD System Menu cannot be configured via GUI on iSeries platforms
Links to More Info: BT906505
Component: TMOS
Symptoms:
In the BIG-IP Graphical User Interface (TMUI), display of the System Menu on the LCD front panel of most BIG-IP platforms can be enabled or disabled under System :: Configuration :: Device :: General.
However, on iSeries appliances, the 'Display LCD System Menu' option does not appear on this page.
Conditions:
This occurs on the following iSeries appliances:
-- i850
-- i2000-series (i2600/i2800)
-- i4000-series (i4600/i4800)
-- i5000-series (i5600/i5800/i5820-DF)
-- i7000-series (i7600/i7600-D/i7800/i7800-D/i7820-DF)
-- i10000-series (i10600/i10600-D/i10800/i10800-D)
-- i11000-series (i11600/i11800/i11400-DS/i11600-DS/i11800-DS)
-- i15000-series (i15600/i15800)
Impact:
The 'Display LCD System Menu' option cannot be configured via the GUI.
Workaround:
You can enable display of the LCD System Menu using the Command Line (CLI) by running the following commands, in sequence:
tmsh mod sys global-settings lcd-display [enabled|disabled]
tmsh mod sys db lcd.showmenu value [enabled|disabled]
906449-4 : Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load
Links to More Info: BT906449
Component: TMOS
Symptoms:
The text that describes the monitor state of an LTM node, pool member, or monitor instance also contains a timestamp that initially indicates when the monitor set the affected node or pool member to the indicated state. This timestamp can be affected by other actions, such as incremental or full config sync and config load.
The monitor-state description and timestamp can be viewed in the CLI (CLI/TMSH) and GUI (TMUI) as follows:
-- From the CLI/TMSH:
tmsh show ltm monitor <monitor_type> <monitor_name>
This command shows the state of ltm nodes or pool members currently monitored by the specified ltm health monitor, as in the following example:
-------------------------------------
LTM::Monitor /Common/mysql_test
-------------------------------------
Destination: 10.10.200.28:3296
State time: down for 1hr:58mins:42sec
| Last error: No successful responses received before deadline. @2020.03.25 14:10:24
-- From the GUI:
+ Navigate to Local Traffic :: Nodes : Node List :: <node_name>. The 'Availability' field shows text describing the node's monitored state with a timestamp.
+ Navigate to Local Traffic :: Pools : Pool List :: <pool_name>, under the Members tab, click the pool member name. The 'Availability' field shows text describing the pool member's monitored state with a timestamp.
Conditions:
This may occur under the following conditions:
-- If an incremental config sync occurs from one high availability (HA) member to another member or to the device group:
+ The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
+ If a Node or Pool Member has been marked DOWN by a monitor, its timestamp may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.
-- If a full/forced config sync occurs from one HA member to another member or to the device group:
+ The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
+ The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.
-- If a config load occurs:
+ The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on the HA member where the config load occurred.
+ The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on the HA member where the config load occurred.
Impact:
The timestamp indicated next to the monitored-state description for an LTM Node or Pool Member indicates when the Node or Pool Member was updated in ways other than by its configured monitor. Thus, this timestamp may not indicate the actual time of the monitor event suggested by the description text.
Workaround:
None.
905749-2 : imish crash while checking for CLI help string in BGP mode
Links to More Info: BT905749
Component: TMOS
Symptoms:
imish crashes while checking the help strings of '(no) neighbor x.x.x.x fall-over bfd ?' when Border Gateway Protocol (BGP) is configured.
Conditions:
-- Configure BGP.
-- Check for help strings in imish using the '?' (question mark) character.
Impact:
imish crash.
Although imish crashes, BGP functionality is not impacted.
Workaround:
Avoid using '?' while entering the commands.
905681 : Incorrect enforcement of policy parameters
Links to More Info: BT905681
Component: Application Security Manager
Symptoms:
A parameter is not enforced correctly (i.e., it shows as a false positive or a false negative).
Conditions:
-- The parameter is configured as a global wildcard parameter.
-- The parameter also appears as an explicit parameter on a different policy.
-- Other conditions related to the name of the parameter may apply (e.g., numerical suffix).
Impact:
Enforcement returns false-positive or false-negative results.
Workaround:
Change the parameters to either explicit parameters or URL-level parameters assigned to all the URLs.
905477-4 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX
Links to More Info: BT905477
Component: Local Traffic Manager
Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.
Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.
Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.
Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issue does not occur.
904661-2 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition
Links to More Info: BT904661
Component: TMOS
Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which case it will still be reported as 40G.
Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver
Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)
904625-4 : Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices go out of sync
Links to More Info: BT904625
Component: Local Traffic Manager
Symptoms:
The GUI saves SSL certificate/CSR subject fields data into SSL.CertRequest.* DB variables to use them in pre-populating subject fields for subsequent modifications.
Conditions:
-- SSL certificate/CSR modification through GUI.
-- Changing the content of the SSL.CertRequest.* DB variables.
-- High availability (HA) configuration.
Impact:
HA devices go out of sync.
Workaround:
SSL.CertRequest.* DB variables are used only as GUI SSL certificate/CSR pre-populated suggestions.
You can still review and modify them before completing the SSL certificate/CSR modification operation, so it is safe to sync them onto the high availability (HA) peer.
904537-4 : The csyncd process may keep trying to sync the GeoIP database to a secondary blade
Links to More Info: BT904537
Component: Local Traffic Manager
Symptoms:
The most common symptom is when csyncd repeatedly syncs the GeoIP files and loads the GeoIP database, causing a large number of Clock advanced messages on all tmms.
Repeated log messages similar to the following are reported when a secondary slot logs into the primary slot to load the sys geoip database:
-- info sshd(pam_audit)[17373]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Apr 29 13:50:49 2020".
-- notice tmsh[17401]: 01420002:5: AUDIT - pid=17401 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys geoip.
Conditions:
-- VIPRION or vCMP guests.
-- Either of the following:
- First installing the GeoIP database if the /shared/GeoIP/v2 directory does not exist.
- When a new blade is installed into a chassis.
Impact:
Repeated logs of Clock advanced messages.
Workaround:
Run the command:
clsh bigstart restart csyncd
904441-4 : APM vs_score for GTM-APM load balancing is not calculated correctly
Links to More Info: BT904441
Component: Access Policy Manager
Symptoms:
Output from the 'show ltm virtual <vs> detail' command reports an incorrect value for the APM Module-Score.
Conditions:
-- Using GTM/DNS and APM.
-- Configure an access profile attached to a virtual server.
-- Configure a non-zero number for 'Max Concurrent Users' for the access profile.
-- Access the virtual server.
Impact:
GTM/DNS load balancing does not work as expected.
Workaround:
None.
904401-2 : Guestagentd core
Links to More Info: BT904401
Component: TMOS
Symptoms:
Guestagentd crashes on a vCMP guest.
Conditions:
This can occur during normal operation in a vCMP environment.
Impact:
Guestagentd crashes on the vCMP guest, and the vCMP host does not have accurate guest information, such as version, provisioning, high availability (HA) status, and tmm status.
Workaround:
None.
903581-2 : The pkcs11d process cannot recover under certain error condition
Links to More Info: BT903581
Component: Local Traffic Manager
Symptoms:
When the connection between the BIG-IP system and HSM (SafeNet) is interrupted, pkcs11d is unable to recover in some cases.
Conditions:
Connection between the BIG-IP system and the HSM device is interrupted.
Impact:
SSL handshake failure.
Workaround:
Restart the pkcs11d process using the following command:
restart /sys service pkcs11d
903521-4 : TMM fails to sign responses from BIND when BIND has 'dnssec-enable no'
Links to More Info: BT903521
Component: Global Traffic Manager (DNS)
Symptoms:
TMM fails to sign responses from BIND.
Conditions:
BIND has 'dnssec-enable no' in named.conf.
Impact:
TMM fails to sign responses from BIND.
Workaround:
Remove 'dnssec-enable no' from the options section of named.conf.
903501-1 : VPN Tunnel establishment fails with some ipv6 address
Links to More Info: BT903501
Component: Access Policy Manager
Symptoms:
VPN Tunnel establishment fails with some IPv6 addresses.
Conditions:
- APM is provisioned.
- Network Access with IPv6 virtual server is configured.
Impact:
VPN Tunnel cannot be established.
Workaround:
1. Disable the DB variable isession.ctrl.apm:
tmsh modify sys db isession.ctrl.apm value disable
2. Perform 'Apply Access Policy' for the access policy attached to the virtual server.
Important: The iSession control channel is needed if optimized apps are configured, so use this workaround only when 'No optimized apps are configured' is set (available in the GUI by navigating to Access :: Connectivity / VPN : Network Access (VPN) : Network Access Lists :: {NA resources} :: 'Optimization' tab).
903265-1 : Single user mode faced sudden reboot
Links to More Info: BT903265
Component: TMOS
Symptoms:
Being logged into the system in single user mode (emergency shell) causes a sudden automatic reboot after some time (~5-to-10 minutes, or longer).
Conditions:
-- Using iSeries platforms.
-- When logged into the emergency shell by appending rd.break to the kernel command line.
Impact:
The device reboots after some time. Because of the automatic reboot, you cannot reliably use the emergency shell.
Workaround:
None.
902445-1 : ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation
Links to More Info: BT902445
Component: Application Security Manager
Symptoms:
ASM event logging stops working.
Conditions:
This can occur during normal ASM operation. It occurs after ASM executes 'No space in shmem' error disconnection mitigation, and this error is logged.
Impact:
ASM Policy Event Logging stops working; new events are not saved.
Workaround:
Restart asmlogd and pabnagd:
pkill asmlogd
pkill pabnagd
901989-4 : Boot_marker writes to /var/log/btmp
Links to More Info: BT901989
Component: TMOS
Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.
A message similar to:
Apr 21 09:19:52 bigip1 warning sshd[10901]: pam_lastlog(sshd:session): corruption detected in /var/log/btmp
... may be logged to /var/log/secure.
Conditions:
-- Rebooting a BIG-IP.
Impact:
Since this file is unknowingly corrupt at first boot, any potential investigation needing this data may be compromised.
Workaround:
After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp
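A check that can be run before relying on /var/log/btmp in an investigation, added here as an illustration and not F5 code: it walks the file as fixed-size utmp records and reports the first place where text breaks that layout. It assumes the 384-byte glibc x86_64 'struct utmp'; the sample records and the marker text are constructed, since the page does not show the real marker.

```python
import struct

# glibc x86_64 `struct utmp` (384 bytes): ut_type, 2 pad bytes, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], exit status (2 shorts),
# ut_session, tv_sec, tv_usec, ut_addr_v6[4], unused[20].
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
VALID_TYPES = range(0, 10)  # EMPTY (0) .. ACCOUNTING (9)


def is_padded_text(field: bytes) -> bool:
    """True if the field is printable ASCII followed only by NUL padding."""
    body = field.rstrip(b"\x00")
    return all(32 <= c < 127 for c in body)


def record_problem(raw: bytes):
    """Return a reason string if `raw` is not a plausible utmp record, else None."""
    if len(raw) < UTMP.size:
        return f"short record ({len(raw)} of {UTMP.size} bytes)"
    fields = UTMP.unpack(raw)
    ut_type, ut_pid, ut_line, _ut_id, ut_user, ut_host = fields[:6]
    if ut_type not in VALID_TYPES:
        return f"ut_type {ut_type} outside 0..9"
    if ut_pid < 0:
        return f"negative ut_pid {ut_pid}"
    # Heuristic: these three fields normally hold NUL-padded printable text.
    for name, field in (("ut_line", ut_line), ("ut_user", ut_user), ("ut_host", ut_host)):
        if not is_padded_text(field):
            return f"{name} is not NUL-padded text"
    return None


def check_btmp(data: bytes) -> dict:
    """Walk `data` in record-sized steps and report the first layout violation.

    Text written into the file shifts every later record, so everything from
    `first_bad_offset` onward should be treated as unreliable.
    """
    report = {
        "size": len(data),
        "trailing_bytes": len(data) % UTMP.size,
        "good_records": 0,
        "first_bad_offset": None,
        "reason": None,
    }
    for offset in range(0, len(data), UTMP.size):
        reason = record_problem(data[offset:offset + UTMP.size])
        if reason:
            report["first_bad_offset"] = offset
            report["reason"] = reason
            break
        report["good_records"] += 1
    report["intact"] = report["first_bad_offset"] is None
    return report


def make_record(user: bytes, host: bytes, tv_sec: int) -> bytes:
    """Build one constructed failed-login record (ut_type 6 = LOGIN_PROCESS)."""
    return UTMP.pack(6, 4242, b"ssh:notty", b"", user, host,
                     0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


# Constructed sample data (not taken from a real system).
CLEAN = (make_record(b"admin", b"192.0.2.10", 1587460000)
         + make_record(b"root", b"192.0.2.11", 1587460060))
# Constructed stand-in for a text line written into the binary file.
MARKER = b"Apr 21 09:19:40 bigip1 boot_marker: constructed example text\n"
CORRUPT = CLEAN[:UTMP.size] + MARKER + CLEAN[UTMP.size:]

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("corrupt", CORRUPT)):
        print(label, check_btmp(blob))
    # On a live system: check_btmp(open("/var/log/btmp", "rb").read())
```

Run it against a copy of the file taken before truncating, so the records that precede the first bad offset are preserved for review.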
901985-4 : Extend logging for incomplete HTTP requests
Links to More Info: BT901985
Component: TMOS
Symptoms:
Logging is not triggered for incomplete HTTP requests.
Conditions:
- HTTP profile is configured.
- Request-log profile is configured.
- HTTP request is incomplete.
Impact:
Logging is missing for incomplete HTTP requests.
Workaround:
None.
901569-2 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
Links to More Info: BT901569
Component: Local Traffic Manager
Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.
Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).
Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.
Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.
901485-3 : HTTP_RESPONSE_RELEASE is not raised for HTTP early response
Links to More Info: BT901485
Component: Local Traffic Manager
Symptoms:
When the server sends the response early (before the request is completed), client-side HTTP sends the response but does not raise HTTP_RESPONSE_RELEASE.
Conditions:
- HTTP profile is configured.
- Request-log profile is configured.
- HTTP request is incomplete.
Impact:
Timeout occurs and the BIG-IP system sends shutdown.
Workaround:
None.
901041-4 : CEC update using incorrect method of determining number of blades in VIPRION chassis★
Links to More Info: BT901041
Component: Traffic Classification Engine
Symptoms:
There is an issue with the script used for the Traffic Intelligence (CEC (Classification Engine Core)) Hitless Upgrade that misses installing on some blades during install/deploy on VIPRION systems.
Symptoms include:
-- POST error in the GUI.
-- Automatic classification updates are downloaded successfully, but downloaded packages disappear after some time if you do not proceed to install/deploy.
Conditions:
-- CEC hitless update.
-- Using VIPRION chassis.
Impact:
Unable to auto-update Classification signature package on all slots, because the slot count reported for CEC is 0. These packages are installed only on the current slot.
Workaround:
Install the package manually on each slot.
Note: When you refresh the GUI page, the downloaded package appears in the 'Available to Install' list, and you can proceed to install on each slot.
900825-2 : WAM image optimization can leak entity reference when demoting to unoptimized image
Links to More Info: BT900825
Component: WebAccelerator
Symptoms:
WAM image optimization can leak entity reference when demoting to unoptimized image.
WAM allows PNG files to be optimized to WEBP and JPG files to be optimized to JPEG XR formats, based on capabilities inferred from the client's User-Agent value. Once the optimized version is in the cache, internal check failures might cause the entity/document to be reverted to the unoptimized version. If this unoptimized version is already present in the cache, a reference to the corresponding entity is leaked, thus causing the entity to be held in memory along with attached resource/document objects and associated storage (UCI).
Conditions:
-- WAM-optimized PNG files (to WEBP) and JPG files (to JPEG XR) on the system.
-- A policy change occurs that causes an internal check to fail.
Note: This can also occur in some cases without actual changes to the policy if the optimization step is skipped by wamd.
Impact:
WAM image optimization might leak entity reference.
Workaround:
None.
900485-4 : Syslog-ng 'program' filter does not work
Links to More Info: BT900485
Component: TMOS
Symptoms:
The 'program' filter type does not work with the BIG-IP system's version of syslog-ng.
Conditions:
-- Using the 'program' expression in a syslog-ng filter.
Impact:
Unable to filter messages as expected.
Workaround:
None.
899933-4 : Listing property groups in TMSH without specifying properties lists the entire object
Links to More Info: BT899933
Component: TMOS
Symptoms:
When listing a property group, if you do not specify any specific properties within that group, the entire object is listed.
Conditions:
-- Using TMSH to list a property group of an object.
-- Not specifying any properties within the property group.
Impact:
Unexpected output.
Workaround:
None.
899253-4 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
Links to More Info: BT899253
Component: Global Traffic Manager (DNS)
Symptoms:
Changes made to wide IP pools through GUI management do not take effect.
Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.
Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.
Workaround:
Use TMSH.
899085-4 : Configuration changes made by Certificate Manager role do not trigger saving config
Links to More Info: BT899085
Component: TMOS
Symptoms:
Configuration changes made in the BIG-IP GUI by a user with role 'Certificate Manager' do not result in the configuration being saved.
If the system is rebooted (or MCPD restarted) without saving the configuration, those changes will be lost.
Conditions:
-- User with role 'Certificate Manager'.
-- Changes made in GUI.
-- System rebooted.
Impact:
Loss of configuration changes.
Workaround:
Users with a 'Certificate Manager' role can save the configuration from tmsh:
tmsh save /sys config
Alternately, another user can save the configuration.
898753-3 : Multicast control-plane traffic requires handling with AFM policies
Links to More Info: BT898753
Component: Local Traffic Manager
Symptoms:
AFM virtual-server specific rules are being matched against control-plane traffic.
Conditions:
-- Broadcast OSPF configured.
-- AFM provisioned.
-- OSPF neighbor configured.
Impact:
OSPF neighborship is not formed.
Workaround:
Add an AFM route-domain policy.
898733-1 : SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM
Links to More Info: BT898733
Component: Local Traffic Manager
Symptoms:
SSL handshakes intermittently fail for virtual servers using HSM keys.
In /var/log/ltm you see errors:
err pkcs11d[6575]: 01680002:3: Key table lookup failed. error.
Conditions:
1. Keys were created on earlier versions of BIG-IP software with fipskey.nethsm wrapper, and the device was upgraded to 14.1.0 or later.
2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm wrapper.
3. The platform is a multi-bladed Viprion.
This can occur after applying the workaround for ID758491:
https://cdn.f5.com/product/bugtracker/ID758491.html
Impact:
SSL handshakes that arrive on the secondary blade(s) fail.
Handshakes arriving on the primary blade work fine.
Workaround:
Re-install the Thales client after the upgrade.
898685-2 : Order of ciphers changes after updating cipher group
Links to More Info: BT898685
Component: Local Traffic Manager
Symptoms:
The order of cipher results may change with no modification in the cipher group.
Conditions:
Click 'Update' in a cipher group in the GUI without making any changes.
Impact:
The order of the ciphers changes. During a handshake, SSL/TLS may not be able to select ciphers in the preferred order.
Workaround:
Create a cipher rule with the preferred cipher order and include only a single rule in the cipher group allow list.
898577-4 : Executing a command in "mgmt tm" using iControl REST results in tmsh error
Links to More Info: BT898577
Component: TMOS
Symptoms:
When you try to update the frequency of live-update using iControl REST, it results in a Java exception being returned instead of updating the value.
Conditions:
When a command for updating the frequency of live updates is executed using iControl REST in an ASM configured BIG-IP.
Impact:
You are unable to update the frequency of live-update via iControl REST.
898389-3 : Traffic is not classified when adding port-list to virtual server from GUI
Links to More Info: BT898389
Component: TMOS
Symptoms:
Traffic does not match the virtual server.
Conditions:
Using the GUI to configure traffic-matching-criteria by adding port-list to the virtual server.
Impact:
Traffic loss.
Workaround:
Create the traffic-matching-criteria from the command line:
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm traffic-matching-criteria tmc_name_here destination-address-inline <IP ADDR>%10 route-domain <Route domain name>
898381-1 : Changing the setting of apm-forwarding-fastl4 profile does not take effect
Links to More Info: BT898381
Component: Access Policy Manager
Symptoms:
Changing the setting of apm-forwarding-fastl4 profile does not take effect and is not getting applied to the last leg of client-initiated VPN traffic.
Conditions:
- APM is configured on the BIG-IP system.
- BIG-IP Administrator (Admin) has configured a VPN tunnel.
- Admin is trying to change the TCP characteristic of the last leg of VPN tunnel traffic by tuning the parameters of FastL4 profile apm-forwarding-fastl4.
Impact:
Admin cannot enforce the updated values of apm-forwarding-fastl4 profile on the last leg of client-initiated VPN tunnel traffic.
Workaround:
None.
898373-1 : Unclear message: TakesTooLong was 0.00 exceeded the lower threshold of 10000
Links to More Info: BT898373
Component: Application Visibility and Reporting
Symptoms:
The system presents an unclear error message: TakesTooLong was 0.00 exceeded the lower threshold of 10000.
Conditions:
This occurs when the AVR page load times drop below the lower acceptable threshold.
Impact:
The message is unclear, making resolution difficult. A more accurate message might be: The AVR page load took 0.00, which is lower than the threshold of 10000.
Workaround:
None.
898201-4 : Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.
Links to More Info: BT898201
Component: Local Traffic Manager
Symptoms:
After reboot, there is no access to services hosted using fqdn nodes.
-- fqdn nodes are not populated with IP addresses.
-- Unable to access virtual servers served by pools using fqdn nodes.
Conditions:
The issue happens after the BIG-IP is rebooted.
-- When the DNS server is accessed through a local virtual server.
-- Single arm cloud BIG-IP with virtual server listening for DNS requests to redirect.
Impact:
-- FQDN DNS requests bypass the listening virtual server.
-- Unable to access the pools of those configured fqdn nodes.
Workaround:
-- Restart dynconfd.
-- Run a script that triggers off "Tmm ready" and deletes either the bad flow(s) or a specific connflow entry.
-- Change the dummy DNS server to be something in the same subnet as the single interface.
897437-3 : First retransmission might happen after syn-rto-base instead of minimum-rto.
Links to More Info: BT897437
Component: Local Traffic Manager
Symptoms:
If a TCP profile is configured with a syn-rto-base value that is lower than minimum-rto, the first retransmission might happen after syn-rto-base.
This behavior is encountered only if the BIG-IP system is unable to compute the new RTO value before the retransmission timer expires, meaning:
-- The BIG-IP system has not received a packet with a TCP timestamp reply.
-- The BIG-IP system has not received an ACK for a timed sequence number.
Conditions:
Configured value of syn-rto-base is lower than minimum-rto.
Impact:
Retransmission might happen sooner than expected.
Workaround:
There are two possible workarounds:
-- Avoid using a syn-rto-base value that is lower than the minimum-rto value (the default values are 3 seconds for syn-rto-base and 1 second for minimum-rto).
-- Consider enabling timestamps to allow faster RTT measurement.
897185-1 : Resolver cache not using random port distribution
Links to More Info: BT897185
Component: Local Traffic Manager
Symptoms:
Outgoing queries to the backend DNS server use incremented port numbers instead of randomly distributed ports.
Conditions:
-- Fix of ID726176 is applied (see https://cdn.f5.com/product/bugtracker/ID726176.html )
Impact:
The port numbers are incremented.
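One way to confirm this symptom from a packet capture, added here as an illustration and not F5 tooling: it extracts the source ports of outgoing DNS queries from 'tcpdump -n' text output and measures how often a query uses the previous port plus a small step. The addresses, capture lines, step size, and threshold are constructed assumptions.

```python
import random
import re
from collections import Counter

# tcpdump -n line for an outgoing DNS query: "... IP src.sport > dst.53: ..."
QUERY_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.53: ")


def source_ports(lines, resolver_ip):
    """Source ports of queries sent by resolver_ip to port 53, in capture order."""
    ports = []
    for line in lines:
        match = QUERY_RE.search(line)
        if match and match.group(1) == resolver_ip:
            ports.append(int(match.group(2)))
    return ports


def port_stats(ports, max_step=16):
    """Describe how consecutive source ports relate to each other."""
    if len(ports) < 2:
        raise ValueError("need at least two queries")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    step, count = Counter(deltas).most_common(1)[0]
    small = sum(1 for d in deltas if 0 < d <= max_step)
    return {
        "queries": len(ports),
        "dominant_step": step,                      # most frequent port-to-port change
        "dominant_share": count / len(deltas),      # how often that change occurs
        "small_step_share": small / len(deltas),    # previous port + 1..max_step
        "distinct_ports": len(set(ports)),
    }


def verdict(stats, threshold=0.8):
    """'incrementing' when most queries use the previous port plus a small step."""
    return "incrementing" if stats["small_step_share"] >= threshold else "random-looking"


def render_lines(ports, src="192.0.2.5", dst="192.0.2.53"):
    """Render constructed tcpdump-style query lines for a list of source ports."""
    return [
        f"13:50:{i % 60:02d}.{i:06d} IP {src}.{port} > {dst}.53: "
        f"{1000 + i}+ A? host{i}.example.com. (37)"
        for i, port in enumerate(ports)
    ]


# Constructed capture 1: counter-style allocation with an occasional skipped port.
INCREMENTING = render_lines([40000 + i + i // 25 for i in range(200)])
# A constructed reply line; it is not a query and must be ignored.
INCREMENTING.insert(1, "13:50:00.000500 IP 192.0.2.53.53 > 192.0.2.5.40000: "
                       "1000 1/0/0 A 198.51.100.7 (53)")

# Constructed capture 2: ports drawn across the range (seeded only so the
# sample is reproducible; this is test data, not a port allocator).
RANDOM = render_lines(random.Random(7).sample(range(1024, 65536), 200))

if __name__ == "__main__":
    for label, capture in (("incrementing", INCREMENTING), ("random", RANDOM)):
        stats = port_stats(source_ports(capture, "192.0.2.5"))
        print(label, verdict(stats), stats)
```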
896693-2 : Patch installation is failing for iControl REST endpoint.
Links to More Info: BT896693
Component: TMOS
Symptoms:
The iControl REST async endpoint /mgmt/tm/task/util/ihealth behaves inconsistently:
-- A call to VALIDATE the async task is rejected with the error message: 'Operation is not allowed on component /util/ihealth.'
-- The task can be started by calling a different endpoint (e.g., /mgmt/tm/task/cli/script). In this case, the task completes immediately; however, the iHealth util that generates the qkview is still running. At the end, the qkview is generated.
Conditions:
-- Use iControl REST to create an async task for creating qkview using 'ihealth' with -n option (just generate file, do not upload to iHealth).
-- Try starting the async task by changing the status to VALIDATING.
Impact:
Patch for iControl REST endpoint is not successful. Patch operation is accepted by /mgmt/tm/task/cli/script/ but rejected by /mgmt/tm/task/util/ihealth.
Workaround:
None.
896689-2 : Asynchronous tasks can be managed via unintended endpoints
Links to More Info: BT896689
Component: TMOS
Symptoms:
An asynchronous task created on one endpoint can be started using some other endpoint.
Conditions:
-- Create an asynchronous task (e.g., creating a qkview using ihealth) using the endpoint /mgmt/tm/task/util/ihealth.
-- Gather the task ID of the created asynchronous task and send it to a different endpoint, e.g., /mgmt/tm/task/cli/script.
Impact:
The asynchronous task can be started using this endpoint but this is not intended behavior.
896245-1 : Inconsistency is observed in ARP behavior across releases
Links to More Info: BT896245
Component: Local Traffic Manager
Symptoms:
Creating and deleting VLANs/self IPs might end up with a different number of GARP responses, depending on the BIG-IP software version.
You might notice the differences when comparing older and newer releases, for example, comparing v14.1.0 and earlier compared with versions older than v14.1.0.
Conditions:
This might become evident when you upgrade from an older version.
Impact:
There is no functional impact as a result of this discrepancy.
Workaround:
None.
895845-3 : Implement automatic conflict resolution for gossip-conflicts in REST
Links to More Info: BT895845
Component: TMOS
Symptoms:
The devices in a high availability (HA) environment are out of sync in strange ways; config sync status indicates 'In Sync', but iApps such as SSL Orchestrator are out of sync.
Conditions:
-- High availability (HA) environment with two or more devices.
-- Gossip used for config sync. (Note: Gossip sync is used by BIG-IQ for BIG-IP config sync by iAppLX.)
-- A gossip conflict occurs for some reason.
You can detect gossip conflicts at the following iControl REST endpoint:
/mgmt/shared/gossip-conflicts
You can check gossip sync status at the following iControl REST endpoint:
/mgmt/shared/gossip
Impact:
If there are gossip conflicts, the devices require manual intervention to get back in sync.
Workaround:
When two devices are out of sync with different generation numbers due to gossip conflict, you can use the following guidance to resolve the conflict:
1. Update the devices' info to use the same generation number.
2. This info is found on the REST Storage worker. The Storage worker uses the selflink plus a generation number as the key to a given set of data.
3. Add the data from the unit with the highest generation number to the other unit.
4. Take care to also increase the generation number on the new data to match that of the highest generation.
Commands used:
1. Look for GENERATION_MISSING and gossip-conflict objects:
tmsh list mgmt shared gossip-conflicts
2. Get the 'selflink in remoteState' attribute. This selflink is the same across all devices; check it in the browser on each device to discover which device is on the highest generation number:
tmsh list mgmt shared gossip-conflicts <OBJECT_ID>
3. Now that you know which device contains the most recent version of your data, run this command to get the up-to-date data:
restcurl /shared/storage?key=<everything after 'https://localhost/mgmt/' on selflink>
4. Make a post to the out-of-date device that includes the info from the up-to-date device as the post body:
restcurl -X POST /shared/storage -d '{<data from above command>}'
895801-4 : Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted
Links to More Info: BT895801
Component: Service Provider
Symptoms:
After modifying an MRF transport-config to use a different TCP profile, TMM must be restarted for this change to take effect. tmm crash
Conditions:
-- Using MRF with a transport-config.
-- Modifying the transport-config so that it uses a different TCP profile.
Impact:
Expected changes do not take effect until TMM is restarted.
Workaround:
Restart TMM.
Note: Traffic is disrupted while tmm restarts.
895781-3 : Round Robin disaggregation does not disaggregate globally
Links to More Info: BT895781
Component: TMOS
Symptoms:
Traffic is not disaggregated uniformly as expected.
Conditions:
-- A multi-blade chassis with one HSB.
-- Traffic is received on blade one.
-- The imbalance is more pronounced when the IP variation is small.
Impact:
Some TMMs may use relatively more CPU.
Workaround:
None.
895649-3 : Improve TCP analytics goodput reports
Links to More Info: BT895649
Component: Local Traffic Manager
Symptoms:
TCP analytics reports very large goodput values under rare conditions.
Conditions:
-- TCP or FastL4 filter is in use.
-- TCP analytics is enabled.
-- A specific sequence number space is observed during the data transfer.
Impact:
TCP reports a very large goodput value to AVR. This also impacts the average goodput reports as the high value reported shifts the average value to a considerably large one.
Workaround:
None.
895205-4 : A circular reference in rewrite profiles causes MCP to crash
Links to More Info: BT895205
Component: Local Traffic Manager
Symptoms:
MCPD crash when modifying rewrite profile.
Conditions:
-- More than one rewrite profile is configured.
-- At least two rewrite profiles are referencing each other circularly.
Impact:
MCPD crash. For a Device Service Cluster this results in a failover. For a standalone system, this results in an outage.
Workaround:
Do not create circular references with profiles.
895165-4 : Traffic-matching-criteria with "any" protocol overlaps with explicit protocols
Links to More Info: BT895165
Component: Local Traffic Manager
Symptoms:
An error like the example below occurs when defining "any" protocol after previously defining traffic-matching-criteria with explicit protocols.
01b90011:3: Virtual Server /Common/vs-tcp's Traffic Matching Criteria /Common/vs-tcp_IP_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs-any destination address, source address, service port.
Conditions:
-- Previously defining traffic-matching-criteria with explicit protocols.
-- Afterwards defining a virtual server with "any" protocol.
Impact:
Cannot define a valid virtual server with "any" protocol.
Workaround:
N/A
894593 : High CPU usage caused by the restjavad daemon continually crashing and restarting
Links to More Info: BT894593
Component: TMOS
Symptoms:
Restjavad may become unstable if the amount of memory required by the daemon exceeds the value allocated for its use.
Conditions:
The memory required by the restjavad daemon may grow significantly in system configurations with either a high volume of device statistics collection (AVR provisioning), or with a relatively large number of LTM objects managed by the REST framework (SSL Orchestrator provisioning).
Impact:
The overall system performance is degraded during the continuous restart of the restjavad daemon due to a relatively high CPU usage.
Workaround:
Increase the memory allocated for the restjavad daemon (e.g., 2 GB), by running the following commands in a BIG-IP terminal.
tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.extramb value 2048
bigstart restart restjavad
894133-3 : After ISO upgrade the SSL Orchestrator guided configuration user interface is not available.★
Links to More Info: BT894133
Component: TMOS
Symptoms:
After the ISO upgrade, any attempt to access the SSL Orchestrator guided configuration user interface results in the following error:
The requested URL /iapps/f5-iappslx-ssl-orchestrator/sgc/sgcIndex.html was not found on this server.
Conditions:
Upgrade the BIG-IP system.
Impact:
Cannot perform SSL Orchestrator configuration tasks using the SSL Orchestrator guided configuration user interface.
Workaround:
(1) Query the f5-iappslx-ssl-orchestrator package ID (9beb912b-4f1c-3f95-94c3-eb1cbac4ab99), and use the returned ID in the following step.
restcurl shared/iapp/installed-packages | jq -r '.items[] | select(.appName=="f5-iappslx-ssl-orchestrator") | .id'
9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
(2) Delete existing f5-iappslx-ssl-orchestrator package references.
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
(3) Stop the REST framework daemons.
bigstart stop restjavad restnoded
(4) Make sure the /var/iapps/www/ directory exists.
mkdir -p /var/iapps/www/
(5) Create the RPMS.save directory.
mkdir -p /var/config/rest/iapps/RPMS.save
(6) Check if the current f5-iappslx-ssl-orchestrator RPM (e.g., 14.1.0-5.5.8) is present at the default location.
ls -la /var/config/rest/iapps/RPMS/
-- If it is not present, try to get it from either the /usr/share/packages/f5-iappslx-ssl-orchestrator/ directory or from the remote high availability (HA) peer device (/var/config/rest/iapps/RPMS/). Make sure the RPM version matches the current SSL Orchestrator configuration/version (e.g., 14.1.0-5.5.8). If you cannot find a copy of your original RPM locally, download the latest RPM available for your chosen BIG-IP version from downloads.f5.com.
-- Once obtained, copy the RPM to /var/config/rest/iapps/RPMS/ (locally).
(7) Copy the current f5-iappslx-ssl-orchestrator (e.g., 14.1.0-5.5.8) RPM to the RPMS.save directory.
cp /var/config/rest/iapps/RPMS/f5-iappslx-ssl-orchestrator-14.1.0-5.5.8.noarch.rpm /var/config/rest/iapps/RPMS.save/
(8) Make sure you have only one f5-iappslx-ssl-orchestrator RPM in the RPMS.save/ directory and that it matches the RPM version. Remove other RPMs, if any.
(9) Remove the current SSL Orchestrator user interface artifacts.
rm -rf /var/iapps/www/f5-iappslx-ssl-orchestrator/
rm -rf /var/config/rest/iapps/f5-iappslx-ssl-orchestrator
(10) Restart the REST framework.
bigstart restart restjavad restnoded
(11) Wait at least 30 seconds.
(12) Open TMUI (the GUI) on the affected device, and navigate to SSL Orchestrator :: Configuration.
(13) The SSL Orchestrator Self-Guided Configuration page should initialize and eventually load successfully.
893953-3 : Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers
Links to More Info: BT893953
Component: Access Policy Manager
Symptoms:
Error message in browser console:
Uncaught DOMException: Failed to execute 'send' on VM41 cache-fm.js:618
'XMLHttpRequest': Failed to load ''https://appportal.omo.nl/private/fm/volatile.html': Synchronous XHR in page dismissal. See https://www.chromestatus.com/feature/4664843055398912 for more details.
Conditions:
Setting and/or getting cookies in onbeforeunload/onunload handlers defined by the web-application.
Impact:
Web-application does not function as expected. Behavior varies, depending on web-application control flow.
Workaround:
Important: This workaround will work until later versions of Chrome and Edge Browser are released. You can refer to the release notes for these browsers to determine when functionality is removed.
Use an iRule to allow sync requests from onbeforeunload, onunload, and other page dismissal events.
The iRule injects an Origin-Trial header into responses from the BIG-IP virtual server, using a token obtained from the Google Chrome developer console. This token allows the use of synchronous requests in page dismissal events. It should work for Chrome and Microsoft Edge browsers in which such sync requests are now disabled.
To obtain the token to use in the following iRule with your virtual server:
1. Go to the Chrome Origin Trials page:
https://developers.chrome.com/origintrials/#/trials/active.
2. Click the 'REGISTER' button to the right of 'Allow Sync XHR In Page Dismissal'.
3. Enter the origin of your virtual server and other information:
https://domain_of_your_virtual_server.
4. Click REGISTER.
By doing this, you obtain a token to use in place of the token provided in the following iRule.
Note: For additional info about Origin Trials and how they work:
https://github.com/GoogleChrome/OriginTrials/blob/gh-pages/developer-guide.md
when HTTP_RESPONSE_RELEASE {
HTTP::header insert Origin-Trial Aq5OZcJJR3m8XG+qiSXO4UngI1evq6n8M33U8EBc+G7XOIVzB3hlNq33EuEoXZQEt30Yv2W6YgFelr2aGUkmowQAAABieyJvcmlnaW4iOiJodHRwczovLzEwLjE5Mi4xNTIuMzk6NDQzIiwiZmVhdHVyZSI6IkFsbG93U3luY1hIUkluUGFnZURpc21pc3NhbCIsImV4cGlyeSI6MTU5ODk5NzIyMX0=
}
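To check a token before placing it in the iRule above, the following added example (not F5's or Chrome's code) decodes an Origin-Trial token and reports whether its origin, feature and expiry fit the virtual server. It assumes the token layout Chrome uses for versions 2 and 3 (one version byte, a 64-byte signature, a 4-byte big-endian payload length, then a JSON payload); it does not verify the signature, and the function names are hypothetical.

```python
import base64
import json
import struct
from datetime import datetime, timezone
from typing import List
from urllib.parse import urlsplit

# Token copied verbatim from the iRule in this entry.
PAGE_TOKEN = (
    "Aq5OZcJJR3m8XG+qiSXO4UngI1evq6n8M33U8EBc+G7XOIVzB3hlNq33EuEo"
    "XZQEt30Yv2W6YgFelr2aGUkmowQAAABi"
    "eyJvcmlnaW4iOiJodHRwczovLzEwLjE5Mi4xNTIuMzk6NDQzIiwiZmVhdHVy"
    "ZSI6IkFsbG93U3luY1hIUkluUGFnZURpc21pc3NhbCIsImV4cGlyeSI6MTU5"
    "ODk5NzIyMX0="
)

SIG_LEN = 64                  # signature bytes (assumed layout, not verified here)
HEADER_LEN = 1 + SIG_LEN + 4  # version + signature + payload length


def parse_origin_trial_token(token: str) -> dict:
    """Decode a token into its JSON claims plus the version byte."""
    raw = base64.b64decode(token.strip(), validate=True)
    if len(raw) <= HEADER_LEN:
        raise ValueError("token too short")
    version = raw[0]
    if version not in (2, 3):
        raise ValueError("unsupported token version %d" % version)
    (declared,) = struct.unpack(">I", raw[1 + SIG_LEN:HEADER_LEN])
    payload = raw[HEADER_LEN:]
    if declared != len(payload):
        raise ValueError("payload length %d does not match header value %d"
                         % (len(payload), declared))
    claims = json.loads(payload.decode("utf-8"))
    claims["version"] = version
    return claims


def normalize_origin(origin: str):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(origin)
    default_port = {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), parts.port or default_port


def check_token(token: str, expected_origin: str, expected_feature: str,
                now: datetime = None) -> List[str]:
    """List the reasons a token would not apply to this virtual server."""
    claims = parse_origin_trial_token(token)
    now = now or datetime.now(timezone.utc)
    problems = []

    tok = normalize_origin(claims["origin"])
    exp = normalize_origin(expected_origin)
    same = tok == exp
    if not same and claims.get("isSubdomain"):
        # A subdomain token also covers hosts below the registered one.
        same = ((tok[0], tok[2]) == (exp[0], exp[2])
                and exp[1].endswith("." + tok[1]))
    if not same:
        problems.append("origin %s does not cover %s"
                        % (claims["origin"], expected_origin))

    if claims["feature"] != expected_feature:
        problems.append("feature is %s, expected %s"
                        % (claims["feature"], expected_feature))

    expiry = datetime.fromtimestamp(claims["expiry"], tz=timezone.utc)
    if expiry <= now:
        problems.append("expired " + expiry.isoformat())
    return problems


if __name__ == "__main__":
    print(parse_origin_trial_token(PAGE_TOKEN))
    # vs.example.com is a constructed origin standing in for a virtual server.
    for line in check_token(PAGE_TOKEN, "https://vs.example.com",
                            "AllowSyncXHRInPageDismissal"):
        print("PROBLEM:", line)
```

Run against the token shown in the iRule, it reports the origin https://10.192.152.39:443 and an expiry of 2020-09-01T21:53:41 UTC, which is why a token registered for your own origin is needed.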
893813-1 : Modifying pool enables address and port translation in TMUI
Links to More Info: BT893813
Component: TMOS
Symptoms:
When modifying the pool for a virtual server, address translation and port translation checkboxes are enabled irrespective of their initial state.
Conditions:
-- Creating a virtual server using the GUI
-- Advanced Configuration is selected
-- Address Translation or Port Translation checkboxes are initially unchecked
-- You modify a pool from this screen
Impact:
Virtual server is created with address and port translation enabled.
Workaround:
You can disable it by again editing the virtual server.
893093-4 : An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.
Links to More Info: BT893093
Component: TMOS
Symptoms:
The intended screen does not show when you navigate in the WebUI to either of the following locations:
-- System :: Certificate Management :: Device Certificate Management->Device Trust Certificates
-- DNS :: GSLB :: Servers :: Trusted Server Certificates
The system returns the following error:
An error has occurred while trying to process your request.
Additionally, a Java stack trace is also logged to the /var/log/tomcat/catalina.out file.
Conditions:
An extraneous SSL CSR file is present in the /config/big3d or /config/gtm directory.
-- When the extraneous file is in the /config/big3d directory, the System :: Certificate Management :: Device Certificate Management :: Device Trust Certificates screen is affected.
-- When the extraneous file is in the /config/gtm directory, the DNS :: GSLB :: Servers :: Trusted Server Certificates screen is affected.
Impact:
The WebUI cannot be used to inspect those particular SSL certificate stores.
Workaround:
The /config/big3d and /config/gtm directories are meant to contain only one file each (client.crt and server.crt, respectively).
You can resolve this issue by inspecting those directories and removing any file that may have been accidentally copied to them.
For more information on those directories, refer to: K15664: Overview of BIG-IP device certificates (11.x - 15.x) :: https://support.f5.com/csp/article/K15664.
892861-1 : Cannot configure aaa OAuth provider - invalid x509 file
Links to More Info: BT892861
Component: Access Policy Manager
Symptoms:
An error is encountered when trying to create Ping or Custom type OAuth provider:
General error: 01070712:3: unable to validate certificate, invalid x509 file (/Common/textcert.crt). in statement [SET TRANSACTION END].
Conditions:
-- Access :: Federation : OAuth Client / Resource Server : Provider:: Create
-- Select 'custom' or 'ping' as the type.
-- Attempt a Discover operation to the <provider-hostname> on a server representing a custom- or ping-type provider, and then save the settings.
Impact:
Operation fails. Cannot use Ping or a Custom type OAuth provider.
Workaround:
None
892801-4 : When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"
Links to More Info: BT892801
Component: Local Traffic Manager
Symptoms:
When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent".
Conditions:
-- An Internal Virtual Server is created without an existing 0.0.0.0 virtual address.
Impact:
The Internal Virtual Server will be considered unavailable and will not process traffic.
Workaround:
Create a 0.0.0.0 virtual address prior to creating the Internal Virtual Server.
892445-4 : BWC policy names are limited to 128 characters
Links to More Info: BT892445
Component: TMOS
Symptoms:
A 128-character limit for BWC policy object names is enforced and reports an error:
01070088:3: The requested object name <name> is invalid.
Conditions:
Attempting to create a BWC policy object with a name longer than 128 characters.
Impact:
Unable to create BWC policy objects with names that have more than 128 characters.
Workaround:
Use fewer than 128 characters when creating a BWC policy.
891221-4 : Router bgp neighbor password CLI help string is not helpful
Links to More Info: BT891221
Component: TMOS
Symptoms:
Unable to confirm the supported encryption types.
enable or add BGP routing protocol to a route domain
imish >> enable >> conf t >> router bgp 20065004 >> neighbor 1.2.3.4 password ?
b7000.lab[0](config-router)#neighbor 1.1.1.1 password ?
WORD Encryption Type or the password
Conditions:
Configuring the bgp neighbor with encryption password.
Impact:
Unable to confirm the supported encryption types.
Workaround:
None.
891181-4 : Wrong date/time treatment in logs in Turkey/Istanbul timezone
Links to More Info: BT891181
Component: Application Security Manager
Symptoms:
There is a mismatch between server and GUI timezone treatment for the Turkey/Istanbul timezone.
Conditions:
User sets the Turkey/Istanbul timezone on BIG-IP.
Impact:
When filtering logs by time period, results differ from set period by an hour
Workaround:
Define time period one hour earlier for filtering ASM logs
891145-3 : TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal
Links to More Info: BT891145
Component: Local Traffic Manager
Symptoms:
SYNs received with TSVal <= TS.Recent are dropped without sending an ACK in FIN-WAIT-2 state.
Conditions:
-- Timestamps are enabled in TCP profile.
-- Local TCP connection is in FIN-WAIT-2 state.
-- Remote TCP connection abandoned the flow.
-- A new TCP connection sends a SYN with TSVal <= TS.Recent to the local connection.
Impact:
The new TCP connection cannot infer the half-open state of Local TCP connections, which prevents faster recovery of half-open connections. The local TCP connection stays around for a longer time.
Workaround:
There are two workarounds:
-- Reduce the Fin Wait 2 timeout (the default: 300 sec) so that the TCP connection is terminated sooner.
-- Disable TCP Timestamps.
890721-3 : SSL Orchestrator sends reset to the client when an initial ingress data arrives 5 seconds after tcp connection establishment
Links to More Info: BT890721
Component: SSL Orchestrator
Symptoms:
SSL Orchestrator sends a reset to the client when initial ingress data arrives 5 seconds after TCP connection establishment. The reset cause is "cl side error (No error)".
Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Per-request policy is attached to virtual server.
Impact:
SSL Orchestrator/BIG-IP rejects the client connection.
Workaround:
Modify 'tmm.access.prp_global_timeout' sys db value from default 5 seconds to some appropriate value like 30 or 60 seconds.
Example:
The following command sets this sys db variable value to 60 seconds.
# tmsh modify sys db tmm.access.prp_global_timeout value 60
890573-2 : BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart
Links to More Info: BT890573
Component: WebAccelerator
Symptoms:
BIG-IP WAM/AAM provides a faster cache store called small object cache. To get into this cache, an object must have a size below the threshold defined in the BigDB variable wam.cache.smallobject.threshold. BIG-IP does not always pick up this value after a restart of TMM.
Conditions:
- WAM/AAM is provisioned;
- A virtual server is configured with a webacceleration profile having a web application.
Impact:
When small object cache has a non-default value, it may incorrectly place an object into Small Object cache (faster cache store) or MetaStor (slower cache store), causing performance impact.
Workaround:
Reset wam.cache.smallobject.threshold value.
890401-2 : Restore correct handling of small object when conditions to change cache type is satisfied
Links to More Info: BT890401
Component: WebAccelerator
Symptoms:
BIG-IP system software allows you to cache HTTP responses with WAM/AAM web applications. There is a special storage location for small-size objects. If a caching object is about to exceed a threshold limit, the BIG-IP system might change its caching storage to MetaStor. A fix for ID 792045 introduced an issue for instances in which it does not, which resulted in not serving a cached object.
Conditions:
-- WAM/AAM is provisioned.
-- Virtual server has a webacceleration profile with a web application.
-- The BIG-IP software contains a fix for ID 792045.
Impact:
The BIG-IP system resets a connection with an error, a cached object is not served, and the rendering of a client's webpage is not correct.
Workaround:
None.
890169-1 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Links to More Info: BT890169
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (i.e., "http://HOST//path") and the Bot Defense Profile decides to perform a simple redirect, the request results in a loading failure.
Conditions:
-- Bot Defense profile in blocking mode (or with "Verification and Device-ID Challenges in Transparent Mode" enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
889801-3 : Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE.
Links to More Info: BT889801
Component: Global Traffic Manager (DNS)
Symptoms:
Upon close inspection of the statistics of a particular DNS Cache, for example by running the command 'tmsh show ltm dns cache resolver <name>', you realize that the 'Total Responses' counter for the cache is not incrementing as much as it should be.
Specifically, by comparing the counter with packet captures or the stats of the DNS Profile, you realize the system is under-reporting 'Total Responses'.
Conditions:
The virtual server using the DNS Cache also uses an iRule which happens to include a suspending command (e.g., 'table') under the DNS_RESPONSE event.
Impact:
The incorrect DNS Cache statistics may confuse or mislead a BIG-IP Administrator.
No traffic impact exists as part of this issue. Responses are still being served from the cache even when the counter says they are not.
Workaround:
None.
888081-1 : BIG-IP VE Migration feature fails for 1NIC
Links to More Info: BT888081
Component: TMOS
Symptoms:
When you attempt to restore a saved UCS on a new BIG-IP Virtual Edition (VE) in order to migrate the configuration, the restore fails.
load_config_files[28221]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 01071412:3: Cannot delete IP (x.x.x.x) because it is used by the system config-sync setting.
Conditions:
The UCS load step might fail if the DB variable Provision.1NicAutoconfig is set to disable.
Impact:
The UCS restore fails.
Workaround:
The DB variable can be set to enable before loading the UCS.
# tmsh modify sys db provision.1nicautoconfig value enable
887681-2 : Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c
Links to More Info: BT887681
Component: Global Traffic Manager (DNS)
Symptoms:
TMM Cored with SIGSEGV.
Conditions:
N/A.
Impact:
Traffic disrupted while tmm restarts.
887625-1 : Note should be bold black, not red
Links to More Info: BT887625
Component: Application Security Manager
Symptoms:
Under Session Hijacking :: Device Session Hijacking by Device ID Tracking, the note text below the 'enable' checkbox is shown in bold red:
Note : Device-ID mode must be configured in bot profile for this option to work.
Conditions:
This always occurs.
Impact:
The Note does not indicate a hazardous situation (as might be implied by the color), so the text should be black instead of red.
Workaround:
None.
887621-1 : ASM virtual server names configuration CRC collision is possible
Links to More Info: BT887621
Component: Application Security Manager
Symptoms:
A policy add/modify/delete fails with the following error:
-- crit g_server_rpc_handler_async.pl[19406]: 01310027:2: ASM subsystem error (asm_config_server.pl ,F5::ASMConfig::Handler::log_error_and_rollback): Failed on insert to DCC.VS_RAMCACHE (DBD::mysql::db do failed: Duplicate entry '375946375' for key 'PRIMARY').
Conditions:
This can occur when adding a policy. The chance of it occurring increases when there are many virtual servers.
Impact:
Every config update fails.
Workaround:
Figure out which virtual servers have the CRC collision (by looking into DCC.RAMCACHE_VS). Change the name of one of these virtual servers.
You can get the name of the affected virtual server by using the entry reported in the 'Duplicate entry' log, and running this command.
mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'SELECT * FROM DCC.VS_RAMCACHE WHERE vs_name_crc = 375946375'
887265-1 : BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration★
Links to More Info: BT887265
Component: Local Traffic Manager
Symptoms:
When booting to a boot location for the first time, the system does not come on-line.
Conditions:
-- There is a large configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.
Impact:
BIG-IP processes continually restart (VLAN failsafe-action failover-restart-tm), or the BIG-IP system continually reboots (VLAN failsafe-action reboot)
Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.
887045-4 : The session key does not get mirrored to standby.
Links to More Info: BT887045
Component: Local Traffic Manager
Symptoms:
When a session variable key length is 65 KB, session mirroring fails for that specific key.
Conditions:
-- APM high availability (HA) setup.
-- Access Policy is configured and synced across both devices.
-- A session variable key of ~65 KB arrives
Impact:
The session key does not get mirrored to standby.
Workaround:
None
886649-3 : Connections stall when dynamic BWC policy is changed via GUI and TMSH
Links to More Info: BT886649
Component: TMOS
Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.
Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.
Impact:
Connection does not transfer data.
Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.
886533-1 : Icap server connection adjustments
Links to More Info: BT886533
Component: Application Security Manager
Symptoms:
Requests sent to the ICAP server take a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.
Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.
Impact:
Slow responses to specific requests.
Workaround:
None.
886145-4 : The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS GUI.
Links to More Info: BT886145
Component: Global Traffic Manager (DNS)
Symptoms:
The 'Reconnect' and 'Reconnect All' buttons (introduced in BIG-IP version 14.1.0 to restart some or all iQuery connections) do not work when clicked.
The 'Reconnect' button does not become enabled when a server is selected from the list, and an error is logged in the browser console.
The 'Reconnect All' button is clickable but returns the error when clicked:
No response action specified by the request.
Conditions:
You have accessed the buttons via the following GUI path:
DNS :: GSLB :: Data Centers :: [dc name] > Servers
Impact:
The buttons do not work, making the corresponding feature unavailable from the GUI.
Workaround:
Access the buttons using the following alternative GUI path:
DNS :: GSLB :: Servers
885961 : Tagged VLAN works only if it is configured in virtual wire.
Links to More Info: BT885961
Component: TMOS
Symptoms:
Traffic drops occur if a VLAN is not configured on a virtual wire.
Conditions:
Incoming traffic with a different VLAN that is not part of virtual wire configuration.
Impact:
Traffic drop can be observed.
Workaround:
You can use either of the following workarounds:
-- Allow the traffic on all the VLANs of a virtual wire by enabling 4kvlans:
1. tmsh modify sys db bcm56xxd.vwire.4kvlans value enable
2. bigstart restart bcm56xxd
-- Configure the corresponding tag on virtual wire.
885325-4 : Stats might be incorrect for iRules that get executed a large number of times
Links to More Info: BT885325
Component: Local Traffic Manager
Symptoms:
iRules that execute a lot can make stats counters large enough to overflow in a relatively short amount of time (e.g., a couple of months).
Conditions:
Execute an iRule a lot (e.g., make the total number of executions greater than 32 bits) and check its stats.
Impact:
After the total number exceeds 32 bits, the counter stats are no longer valid.
Workaround:
None.
884989-3 : IKE_SA's Not mirrored of on Standby device if it reboots
Links to More Info: BT884989
Component: TMOS
Symptoms:
After rebooting the standby BIG-IP device, IKE SA's are not mirrored.
Conditions:
-- IPSEC is configured in a high availability (HA) environment
-- Standby device is rebooted
Impact:
IKE_SA's will have to be renegotiated.
The performance impact is minimal.
884953-2 : IKEv1 IPsec daemon racoon goes into an endless restart loop
Links to More Info: BT884953
Component: TMOS
Symptoms:
The IKEv1 IPsec daemon racoon goes into an endless restart loop.
2020-01-02 08:36:36: ERROR: /etc/racoon/racoon.conf.BIG-IP:376: "}" duplicated sainfo: loc='ANONYMOUS', rmt='10.42.80.0/24', peer='ANY', id=0
2020-01-02 08:36:36: ERROR: fatal parse failure (1 errors)
2020-01-02 08:36:36: ERROR: failed to parse configuration file.
Conditions:
Duplicate wildcard traffic-selectors, one with ::/0 and one with 0.0.0.0/0, attached to different IPsec policies.
Impact:
IPsec IKEv1 tunnels cannot be established.
Workaround:
Configure duplicate traffic-selectors only when they are attached to interface mode IPsec policies.
884945-3 : Latency reduce in case of empty parameters.
Links to More Info: BT884945
Component: Application Security Manager
Symptoms:
Traffic load with many empty parameters may lead to increased latency.
Conditions:
Sending requests with many empty parameters
Impact:
Traffic load with many empty parameters may cause increased latency through the BIG-IP system.
Workaround:
None
884729-4 : The vCMP CPU usage stats are incorrect
Links to More Info: BT884729
Component: TMOS
Symptoms:
The vCMP CPU usage stats are incorrect when a process on a secondary blade has the same PID as the primary blade's qemu process.
Conditions:
A process on a secondary blade has the same PID as the primary blade's qemu process.
Impact:
The vCMP CPU usage stats are intermittently incorrect.
Workaround:
None.
883149-4 : The fix for ID 439539 can cause mcpd to core.
Links to More Info: BT883149
Component: TMOS
Symptoms:
Mcpd cores during config sync.
Conditions:
This has only been observed once. The device was going from standby to active, and the connection between the BIG-IP peers stalled out.
Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.
Workaround:
NA
883133-1 : TLS_FALLBACK_SCSV with TLS1.3
Links to More Info: BT883133
Component: Local Traffic Manager
Symptoms:
Possible handshake failure with some combinations of TLS Fallback Signaling Cipher Suite Value (SCSV) and SSL profile protocol versions.
Conditions:
-- Using fallback SCSV suites.
-- Using certain client SSL profile protocol versions (e.g., the virtual server is configured for TLS1.3, and the client is configured for TLS1.0 - TLS1.2).
Impact:
Possible handshake failure.
Workaround:
None.
883049-4 : Statsd can deadlock with rrdshim if an rrd file is invalid
Links to More Info: BT883049
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs 'tmsh show sys memory'.
You may see errors:
-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.
Conditions:
Truncation of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.
Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd
882933-3 : Nslookup might generate a core during system restart
Links to More Info: BT882933
Component: Global Traffic Manager (DNS)
Symptoms:
Nslookup generates a core file. The core file name might start with "nslookup", "isc-worker", "isc-timer" or "isc-socket".
Conditions:
Multiple instances of nslookup are running when the system shuts down.
Impact:
A core file is generated. However, since this is during system shutdown, the impact should be minimal.
882833-4 : SELinux issue cause zrd down★
Links to More Info: BT882833
Component: TMOS
Symptoms:
After upgrading BIG-IP software, zrd fails to start.
There are errors in /var/log/daemon.log:
err named[19356]: open: /config/named.conf: permission denied
Conditions:
This can occur after upgrading, for example, when upgrading from version 14.1.0.6 to 15.0.1.1.
Impact:
DNS service disrupted as zrd fails to start after reboot.
Workaround:
Run the following command after upgrading:
restorecon -rF /var/named/
882757-3 : sflow_agent crash SIGABRT in the cleanup flow
Links to More Info: BT882757
Component: TMOS
Symptoms:
Disabling DHCP on the management port causes sflow_agent to crash.
Conditions:
This does not always occur, but when it does occur, it crashes when disabling DHCP on the management port.
Impact:
sflow_agent crashes.
Workaround:
Do not disable DHCP on the management port
882729-1 : Applied Blocking Masks discrepancy between local/remote event log
Links to More Info: BT882729
Component: Application Security Manager
Symptoms:
There is a discrepancy in Applied Blocking Masks between the local and remote event logs when ASM logs events both locally and remotely to BIG-IQ.
Conditions:
This occurs when "Applied Blocking Masks" logs are emitted on a device where local and remote event logging is configured.
Impact:
This is cosmetic but can lead to confusion.
882725-3 : Mirroring not working properly when default route vlan names not match.
Links to More Info: BT882725
Component: Local Traffic Manager
Symptoms:
When using two BIG-IP systems to mirror traffic, mirroring functions correctly if the default gateway VLAN names match; however, if default gateway VLAN names don't match, then the BIG-IP system does not mirror client-side packets to the peer, which causes the standby BIG-IP system to reset all client-side flows on failover.
Conditions:
-- Two BIG-IP LTM BIG-IP Virtual Edition (VE) systems configured as a high availability (HA) pair.
-- Default gateway VLAN names don't match between them.
Impact:
BIG-IP system does not mirror client-side packets to the peer, which causes the next-active device to reset all client-side flows on failover.
Upon failover all flows are being RST just like a typical failover scenario without mirroring implemented.
Workaround:
Use same VLAN name on all external VLANs that might be used for mirroring.
882709-2 : Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors★
Links to More Info: BT882709
Component: TMOS
Symptoms:
Traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.
This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions.
Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.
This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5.
Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively).
Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V.
Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.:
net vlan external {
    interfaces {
        1.1 {
            tagged
        }
    }
    tag 4000
}
-- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue.
-- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases.
Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic.
-- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged.
Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to postpone upgrading from a working v12.x or v13.x release.
Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN.
Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug.
882609-3 : ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back
Links to More Info: BT882609
Component: TMOS
Symptoms:
After setting a device's ConfigSync IP to 'none' and then back to an actual IP address, the device remains in a disconnected state, and cannot establish ConfigSync connections to other BIG-IP systems in its trust domain.
MCPD periodically logs messages in /var/log/ltm:
err mcpd[27610]: 0107142f:3: Can't connect to CMI peer a.b.c.d, TMM outbound listener not yet created.
Conditions:
-- BIG-IP system is in a trust domain with other BIG-IP systems.
-- Local device's ConfigSync IP is set to 'none', and then back to an actual IP address.
Impact:
Devices unable to ConfigSync.
Workaround:
This workaround will disrupt traffic while TMM restarts:
1. Ensure the local ConfigSync IP is set to an IP address.
2. Restart TMM:
bigstart restart tmm
This workaround should not disrupt traffic:
Copy and paste the following command into the Advanced Shell (bash) on a BIG-IP system, and then run it. This sets the ConfigSync IP for all device objects to 'none', and then back to their correct values.
TMPFILE=$(mktemp -p /var/tmp/ ID882609.XXXXXXX); tmsh -q list cm device configsync-ip > "$TMPFILE"; sed 's/configsync-ip .*$/configsync-ip none/g' "$TMPFILE" > "$TMPFILE.none"; tmsh load sys config merge file "$TMPFILE.none"; echo "reverting back to current"; tmsh load sys config merge file "$TMPFILE"
881985-2 : AFM FQDN rule matching is broken when multiple FQDN's in firewall policies resolve to the same IP address
Links to More Info: BT881985
Component: Advanced Firewall Manager
Symptoms:
AFM FQDN rule matching is broken when multiple FQDN's in firewall policies resolve to the same IP address
Conditions:
-- A firewall policy contains multiple rules
-- Two or more rules point to different fully qualified domain names (FQDNs).
-- Both FQDNs resolve to the same IP address
Impact:
Firewall rule action won't be correctly applied to traffic, causing some traffic to be processed incorrectly by BIG-IP.
Workaround:
Configure FQDNs in such a way that no two FQDNs resolve to the same IP address. If you need to use multiple FQDNs with the same IP address in a policy, configure one as FQDN and the other as a resolved IP address.
881937-3 : TMM and the kernel choose different VLANs as source IPs when using IPv6.
Links to More Info: BT881937
Component: Local Traffic Manager
Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, can use a MAC and IPv6 source address from different VLANs.
Conditions:
-- Multiple VLANs configured with IPv6 addresses.
-- Multiple routes to the same destination, either the same or more specific, default routes, etc., that cover the traffic destination.
-- Changes are made to routes that cause the traffic to the destination to shift from one VLAN and gateway to another. This can be typically observed with dynamic routing updates.
-- The db key snat.hosttraffic is set to disable.
Impact:
Traffic to the destination may fail because the incorrect source IPv6/MAC address is used, which might cause monitor traffic to fail.
Workaround:
tmsh list sys db snat.hosttraffic
tmsh modify sys db snat.hosttraffic value enable
tmsh save sys config
881065-2 : Adding port-list to Virtual Server changes the route domain to 0
Links to More Info: BT881065
Component: Local Traffic Manager
Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.
Conditions:
Using a port-list along with a virtual server in a non-default route domain using the GUI.
Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.
Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.
881041-1 : BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.
Links to More Info: BT881041
Component: Local Traffic Manager
Symptoms:
Some received packets are retransmitted back on the incoming VLAN interface.
Conditions:
The symptom is found with the following conditions:
1. A forwarding virtual server is configured.
2. A packet is received whose destination MAC address is its unicast VLAN MAC address and the destination IP address is the broadcast address of that subnet.
Impact:
Broadcast packets forwarded back to the incoming VLAN interface might result in loops if there are multiple gateways on the network.
Workaround:
None.
880697-3 : URI::query command returning fragment part, instead of query part
Links to More Info: BT880697
Component: Local Traffic Manager
Symptoms:
The iRule URI commands are designed to parse a given URI string into its components, such as the scheme (URI::protocol) or authority (URI::host). The URI::query command is designed to return the query part of a URI, but the returned string contains the fragment part. For example, for the URI "foo://example.com:8042/over/there?name=ferret#nose" (an example from Section 3, RFC 3986), URI::query returns "name=ferret#nose". The "#nose" part should not be present in the return value.
Conditions:
Create a test rule with a URI containing '#', like this:
when HTTP_REQUEST {
# from RFC 3986 Section 3
set url "foo://example.com:8042/over/there?name=ferret#nose"
log local0. "query: [URI::query $url]"
}
Impact:
URI operations that involve #fragments may fail.
Workaround:
NA
880689-3 : Update oprofile tools for compatibility with current architecture
Links to More Info: BT880689
Component: TMOS
Symptoms:
Current operf as shipped with BIG-IP is out of date and will not work.
Per the oprofile page (https://oprofile.sourceforge.io/news/) the version included in our systems (0.9.9) was released in 2013.
Conditions:
Opcontrol still works but operf will not load.
# operf --version
use the opcontrol command instead of operf.
Impact:
Outdated operf means that it cannot be used for troubleshooting purposes.
880565-3 : Audit Log: "cmd_data=list cm device recursive" is being generated continuously
Links to More Info: BT880565
Component: Device Management
Symptoms:
The system generates and logs the following message continuously, at the rate of 3 times a minute, in /var/log/audit:
-- bigip1 notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=cd / ;
-- bigip1 notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm
Conditions:
This occurs during normal operation.
Impact:
Audit log file contains numerous 'cmd_data=list cm device recursive' messages.
Workaround:
-- To suppress all messages, do the following:
1. Edit the 'include' section of syslog configuration to suppress audit logs of 'cmd_data=cd /' and 'cmd_data=list cm device recursive':
# tmsh edit /sys syslog all-properties
2. Replace 'include none' with following syntax:
===
sys syslog {
- snip -
include "
filter f_audit {
facility(local0) and match(AUDIT) and not match(\"cmd_data=list cm device recursive|cmd_data=cd /\");
};"
- snip -
}
-- To filter the messages sent to existing remote syslog servers, do the following:
1. Set sys syslog remote-servers none:
# tmsh modify sys syslog remote-servers none
2. Define the remote syslog server in the 'sys syslog include' statement.
3. Add the following filter:
filter f_remote_server {
not (facility(local0) and message(\"AUDIT\") and match(\"cmd_data=list cm device recursive|cmd_data=cd /\"));
};
Result: The system sends all messages to the remote syslog server, excluding the messages that match the filter.
Here is a sample filter, with sample data:
sys syslog {
include "
filter f_remote_server {
not (facility(local0) and message(\"AUDIT\") and match(\"cmd_data=list cm device recursive|cmd_data=cd /\"));
};
destination d_remote_loghost {
udp(\"10.0.0.1\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_server);
destination(d_remote_loghost);
};
"
}
880473-3 : Under certain conditions, the virtio driver may core during shutdown
Links to More Info: BT880473
Component: TMOS
Symptoms:
If the virtio driver fails to initialize, it may core during shutdown.
Conditions:
-- Using the virtio VE driver.
-- The virtio driver fails initialization and shuts down instead.
Impact:
TMM cores during driver shutdown.
880125-3 : WideIP (A) created together with aliases (CNAME) causes missing A records in ZoneRunner
Links to More Info: BT880125
Component: Global Traffic Manager (DNS)
Symptoms:
Creating WideIP with aliases at the same time causes ZoneRunner to create CNAME RRset without matching A RRset on the peer.
Conditions:
Creating a WideIP with aliases at the same time (using the GUI or tmsh) causes ZoneRunner to create a CNAME RRset without a matching A RRset on the peer.
Impact:
GTM peer will not respond with correct answer for DNS request.
Workaround:
Create the WideIP in two steps.
880013-3 : Config load fails after changing the BIG-IP Master key which has an encrypted key in its configuration
Links to More Info: BT880013
Component: TMOS
Symptoms:
Config load fails with an error:
01071769:3: Decryption of the field (privatekey) for object (12004) failed.
Unexpected Error: Loading configuration process failed.
Conditions:
-- BIG-IP configuration has a secured attribute, for example an encrypted dynad key
-- The master key password is changed
-- The configuration is loaded before saving the changes
Impact:
"tmsh load sys config" fails.
Workaround:
After modifying the master key password, save the configuration and then run 'tmsh load sys config'.
879969-3 : FQDN node resolution fails if DNS response latency >5 seconds
Links to More Info: BT879969
Component: TMOS
Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.
Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses
Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.
Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.
879301-3 : When importing a BIND zone file, SRV/DNAME/NAPTR RRs do not have correct $ORIGIN appended
Links to More Info: BT879301
Component: Global Traffic Manager (DNS)
Symptoms:
When importing a BIND zone file, $ORIGIN is appended for rdata from SRV and NAPTR RRs, and is not appended for the DNAME owner label.
Conditions:
$ORIGIN is used in the original zone files, and ZoneRunner is used to import them.
Impact:
Zone files are not generated correctly.
Workaround:
Do not use $ORIGIN.
879169-3 : RESOLV::lookup @<virtual server name> may not work★
Links to More Info: BT879169
Component: Global Traffic Manager (DNS)
Symptoms:
In v13 and later, the iRule command RESOLV::lookup @<vs name> does not work.
Conditions:
The virtual server targeted by the RESOLV::lookup command is not configured with IP protocol UDP ("ip-protocol udp" in TMSH)
Impact:
The DNS virtual server is working, but the iRule command RESOLV::lookup does not send the request to the virtual server.
Workaround:
Either of these:
1. Modify the target virtual server to specify an IP protocol of UDP
2. Replace the name with the IP address to work around the issue:
set hostip [RESOLV::lookup @198.51.100.1 -a $hostname]
879001-3 : LDAP data is not updated consistently which might affect authentication.
Links to More Info: BT879001
Component: TMOS
Symptoms:
Change not updated in LDAP when the system auth source ('systemauth.source' DB key/'Auth Source Type') is set to Active Directory.
This change is not applied when the setting is modified (e.g., from local or LDAP to Active Directory, or from Active Directory to LDAP). Instead, the change is applied only when MCPD is rewriting the file for other reasons.
Conditions:
Changing the 'systemauth.source' DB key/'Auth Source Type':
-- From local to Active Directory.
-- From LDAP to Active Directory.
-- From Active Directory to LDAP.
Impact:
LDAP data is not updated consistently, and authentication might fail.
Workaround:
None.
878893-1 : During system shutdown it is possible for the sflow_agent to core
Links to More Info: BT878893
Component: TMOS
Symptoms:
The shutdown sequence of the sflow_agent can include a timeout waiting for a response that results in an assert and core file.
Conditions:
BIG-IP reboot can cause the sflow_agent to core.
Impact:
There is a core file in the /var/core directory after a system reboot.
878277 : Unexpected Error: Can't display all items, can't get object count from mcpd
Links to More Info: BT878277
Component: TMOS
Symptoms:
While running 'tmsh show running-config' on the standby device, you get an mcp error:
Unexpected Error: Can't display all items, can't get object count from mcpd
Conditions:
-- High availability (HA) environment.
-- A configuration sync is in progress.
Impact:
The standby device briefly displays 'Sync Failure' and eventually returns to 'In Sync'. During this time, you may get an mcp error while trying to display the running config.
Workaround:
None
878253-3 : LB::down no longer sends an immediate monitor probe
Links to More Info: BT878253
Component: Local Traffic Manager
Symptoms:
The iRule command LB::down is supposed to send an immediate monitor probe, but it does not.
Conditions:
-- Executing LB::down in an iRule.
Impact:
A monitor probe is not immediately sent, which may cause a pool member to be marked down longer than it should be.
877145-2 : Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException
Links to More Info: BT877145
Component: TMOS
Symptoms:
You are unable to log in to iControl REST via /mgmt/toc/.
Also a NullPointerException is logged to /var/log/restjavad log.
Conditions:
This can be encountered intermittently while using iControl REST.
Impact:
Login failure.
Workaround:
None.
876809-1 : GUI cannot delete a cert with a name that starts with * and ends with .crt
Links to More Info: BT876809
Component: TMOS
Symptoms:
If a cert is created with a name that begins with * (asterisk) and ends with .crt, you cannot delete it using the GUI.
Conditions:
-- Certificate with a name similar to *example.crt.
-- Select the checkbox in the GUI and click Delete.
Impact:
GUI displays the message: No records to display. The '*example' certificate is still present.
Workaround:
You can use TMSH to delete it without issue.
Note that the asterisk needs to be escaped in tmsh, e.g.:
tmsh delete sys file ssl-cert '\*example'
876569-4 : QAT compression codec produces gzip stream with CRC error
Links to More Info: BT876569
Component: Local Traffic Manager
Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.
Conditions:
This occurs when the following conditions are met:
-- The following platforms with Intel QAT are affected:
+ 4450 blades
+ i4600/i4800
+ i10600/i10800
+ i7600/i7800
+ i5600/i5800
+ i11600/i11800
+ i11400/i11600/i11800
+ i15600/i15800
-- The compression.qat.dispatchsize variable is set to any of the following values:
+ 65535
+ 32768
+ 16384
+ 8192
-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for example:
+ 65355*32768
+ 8192*32768
Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.
Workaround:
Disable hardware compression and use software compression.
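One way to check captured response bodies for the invalid gzip footer described in 876569, as an added example (not F5 code): it walks the RFC 1952 header, inflates the body, and compares the stored CRC32 and ISIZE with recomputed values. The sample payload and the corrupted footer are constructed here to simulate the symptom; the function names are assumptions of this example.

```python
import gzip
import struct
import zlib

# compression.qat.dispatchsize values listed in the Conditions for 876569.
DISPATCH_SIZES = (65535, 32768, 16384, 8192)

# RFC 1952 header flag bits.
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10


def deflate_offset(member: bytes) -> int:
    """Return the offset of the raw deflate stream inside a gzip member."""
    if len(member) < 10 or member[:2] != b"\x1f\x8b" or member[2] != 8:
        raise ValueError("not a gzip member using deflate")
    flags = member[3]
    pos = 10  # fixed header: magic, CM, FLG, MTIME, XFL, OS
    if flags & FEXTRA:
        (xlen,) = struct.unpack_from("<H", member, pos)
        pos += 2 + xlen
    for flag in (FNAME, FCOMMENT):
        if flags & flag:
            pos = member.index(b"\x00", pos) + 1  # zero-terminated string
    if flags & FHCRC:
        pos += 2
    return pos


def check_gzip_footer(member: bytes) -> dict:
    """Inflate the body and compare it with the 8-byte footer (CRC32, ISIZE)."""
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)  # raw deflate, no wrapper
    body = inflater.decompress(member[deflate_offset(member):])
    body += inflater.flush()
    footer = inflater.unused_data  # bytes that follow the deflate stream
    if not inflater.eof or len(footer) < 8:
        raise ValueError("truncated gzip member")
    stored_crc, stored_size = struct.unpack("<II", footer[:8])
    actual_crc = zlib.crc32(body) & 0xFFFFFFFF
    actual_size = len(body) & 0xFFFFFFFF  # ISIZE is the length modulo 2**32
    return {
        "stored_crc": stored_crc,
        "actual_crc": actual_crc,
        "crc_ok": stored_crc == actual_crc,
        "stored_size": stored_size,
        "actual_size": actual_size,
        "size_ok": stored_size == actual_size,
    }


def dispatch_multiples(size: int) -> list:
    """List the dispatch sizes from the Conditions that divide `size` evenly."""
    return [d for d in DISPATCH_SIZES if size and size % d == 0]


# Constructed sample: a 32768-byte payload, its valid gzip encoding, and a copy
# whose stored CRC32 has one bit flipped to imitate an invalid footer.
PAYLOAD = bytes(range(256)) * 128
GOOD = gzip.compress(PAYLOAD)
(_crc,) = struct.unpack("<I", GOOD[-8:-4])
BAD = GOOD[:-8] + struct.pack("<I", _crc ^ 0x1) + GOOD[-4:]

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        print(name, check_gzip_footer(blob))
    print("dispatch sizes dividing payload:", dispatch_multiples(len(PAYLOAD)))
```

Run against bodies saved from a client-side capture, a failing `crc_ok` together with a non-empty `dispatch_multiples` result for the uncompressed size matches the conditions listed for this issue.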
876249 : Top command shows tmm 0.0% CPU usage under load
Links to More Info: BT876249
Component: TMOS
Symptoms:
On BIG-IP Virtual Edition (VE) running in KVM, the 'top' command shows tmm as having 0.0% CPU usage.
This is a Red Hat known issue and has been fixed under the RHEL7.5 kernel.
Conditions:
-- BIG-IP KVM VE with NIC provisioned from OVS-DPDK bridge (Physical Intel 82599 10G NIC).
-- Looking at tmm CPU usage via the top command.
Impact:
Top command shows inaccurate CPU usage
Workaround:
None.
876145-2 : Nitrox5 failure on vCMP guest results in all crypto requests failing.
Links to More Info: BT876145
Component: Local Traffic Manager
Symptoms:
Nitrox5 SSL card failure on a vCMP guest deployed on i11000 platform might cause all SSL transactions to fail.
Conditions:
- i11000 platform.
- vCMP guest.
- Nitrox5 card experiences a failure.
Impact:
- SSL transactions do not complete the handshake.
- The following logs can be seen in /var/log/ltm:
01260013:4 SSL Handshake failed for TCP 10.1.1.5:55368 -> 10.1.1.55:443
01260009:4: 10.2.36.5:55384 -> 10.1.1.1:443: Connection error: ssl_hs_vfy_vfydata_cont:14608: alert(47) verify failed
875373-2 : Unable to add domain with leading '.' through webUI, but works with tmsh.
Links to More Info: BT875373
Component: Application Security Manager
Symptoms:
It is possible to create certain domain matches with leading dot '.' in tmsh, but not in the GUI.
Conditions:
Advanced WAF bot signature configuration with domain with a leading . character.
Impact:
You are unable to use the GUI to create custom bot-defense signatures.
Workaround:
Use tmsh to add custom bot-defense signatures as follows:
tmsh create security bot-defense signature ockerdocker category Crawler domains add {.ockerdocker} rule "headercontent:\"Google_Analytics_Snippet_Validator\"; useragentonly; nocase;"
874877-3 : Bigd monitor reports misleading error messages
Links to More Info: BT874877
Component: Local Traffic Manager
Symptoms:
When a recv string is used with an HTTP/HTTP2/HTTPS/TCP monitor, the HTTP status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.
Conditions:
-- BIG-IP system configured to monitor an HTTP/HTTP2 server.
-- BIG-IP system configured to monitor an HTTPS/TCP monitor, and the bigd.tmm is set to 'enable'.
Impact:
Misleading log messages; difficulty in identifying the actual cause of the monitor failure.
This occurs because the system stores the 'last error' string for these monitors. This can be misleading, especially when a receive string is used. Here is an example:
-- A BIG-IP system is monitoring an HTTP server that is returning proper data (i.e., matching the receive string).
-- The HTTP server goes down. Now the BIG-IP system will have a last error string of 'No successful responses received before deadline' or 'Unable to connect'.
-- The HTTP server goes back up and works for a while.
-- For some reason, the HTTP server's responses no longer match the receive string.
In this case, a message is logged on the BIG-IP system:
notice mcpd[6060]: 01070638:5: Pool /Common/http member /Common/n.n.n.n:n monitor status down. [ /Common/my_http_monitor: down; last error: /Common/my_http_monitor: Unable to connect @2020/01/09 04:18:20. ] [ was up for 4hr:18mins:46sec ]
The 'Unable to connect' last error reason is not correct: the BIG-IP system can connect to the HTTP server and even gets responses back, but they don't match the receive string.
874317-3 : Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN
Links to More Info: BT874317
Component: Local Traffic Manager
Symptoms:
When BIG-IP is configured with at least two VLANs/interfaces, and a virtual server with auto-lasthop disabled, then when that virtual server receives a SYN from a client and sends the SYN/ACK directly back to the client on a different VLAN/interface, it currently expects the ACK to be received on the outgoing interface unless the client is not directly connected and the connection is using a default gateway.
Conditions:
-- The BIG-IP is configured with two VLANs/interfaces for a client (one for incoming packets, one for outgoing packets, i.e. asymmetric routing).
-- The client using asymmetric routing is connecting to a virtual server with auto-lasthop disabled.
-- The outgoing route to the client (from the BIG-IP) is directly connected to the client (i.e. on the same network; not going through a gateway).
-- The DB variable connection.vlankeyed has the value "enabled" (which is the default).
Impact:
The mismatch could lead to connections failing to establish.
Workaround:
Use only a single VLAN on the client side, or disable the DB variable "connection.vlankeyed".
874185-3 : Incorrect Alarm/Block flags displayed for Signature with previously enforced rule
Links to More Info: BT874185
Component: Application Security Manager
Symptoms:
When Signature Staging is disabled globally, signatures containing previously enforced rules are displayed with Alarm/Block flags set to 'No'. This occurs even if the signature is fully enabled and the associated Set is set to Learn/Alarm/Block.
Conditions:
-- Signature Staging is disabled globally.
-- A signature has a previously enforced rule.
This occurs when an F5-provided signature is taken out of staging, and the signature is then updated by ASU.
Impact:
The signature appears in the Attack Signature GUI page as having alarm and blocking disabled, although the signature does block correctly.
Workaround:
None.
873677-5 : LTM policy matching does not work as expected
Links to More Info: BT873677
Component: Local Traffic Manager
Symptoms:
Policy matching may fail to work as expected
Conditions:
Having many conditions with the same operand may trigger an issue where the wrong transition is taken.
This may also be triggered by very complex policies with large numbers of rules.
Impact:
LTM policy matching does not work as expected.
Workaround:
None.
872165-1 : LDAP remote authentication for REST API calls may fail during authorization
Links to More Info: BT872165
Component: TMOS
Symptoms:
LDAP (or Active Directory) remote authentication fails during authorization for REST API calls.
Clients receive 401 Unauthorized messages and /var/log/restjavad.x.log may report messages similar to the following:
-- [I][1978][26 Mar 2021 13:23:36 UTC][8100/shared/authn/login AuthnWorker] User remoteuser failed to login from 192.0.2.1 using the tmos authentication provider
-- [WARNING][807][26 Mar 2021 14:43:24 UTC][RestOperationIdentifier] Failed to validate Authentication failed.
Conditions:
LDAP (or Active Directory) remote authentication configured with a User Template instead of a Bind Account.
Impact:
Unable to authenticate as remote-user for access that uses authorization, like REST API calls.
Workaround:
You can use either of the following workarounds:
-- Configure LDAP/AD remote authentication to utilize a Bind account instead of the User Template.
-- Create a local user account for each remote user, allowing local authorization (authentication remains remote).
871705-4 : Restarting bigstart shuts down the system
Links to More Info: BT871705
Component: TMOS
Symptoms:
The 'bigstart restart bigstart' command shuts down the system without displaying or informing the BIG-IP system user that this command can interrupt service. The system goes directly to the inoperative state as soon as the command is run.
Conditions:
-- Running the command bigstart restart bigstart.
-- Running 'systemctl restart systemd-bigstart' twice.
Impact:
Different versions appear to have different behavior:
-- v12.1.5: shell hangs on bigstart command, but the BIG-IP system stays Active.
-- v13.1.0.7: The BIG-IP system goes inoperative upon 'bigstart restart bigstart'.
-- v14.1.2.3: The 'bigstart restart bigstart' command cannot find the 'bigstart' service, but 'systemctl restart systemd-bigstart' shows this behavior.
Workaround:
None.
871457 : Cannot enable logging for management firewall with LTM only provisioned
Links to More Info: BT871457
Component: Advanced Firewall Manager
Symptoms:
You cannot enable firewall logging via tmsh or the GUI when only LTM is provisioned. AFM must be licensed and provisioned in order to configure firewall logging with tmsh or the GUI.
Conditions:
-- No AFM Provisioned
-- v14.1.0 or newer.
-- Using firewall rules to protect the management interface.
Impact:
You cannot enable firewall logging to help with tracking or to aid in troubleshooting.
Workaround:
You can run the following command to view the counters from F5 rules (output is very verbose):
# /sbin/iptables -vL f5acl
If you want to enable logging (output is very verbose), you can run the following command:
/sbin/iptables -I f5acl -j LOG --log-prefix "IPTables-Dropped: "
This will then log to /var/log/kern.log.
To remove this change:
/sbin/iptables -D f5acl -j LOG --log-prefix "IPTables-Dropped: "
871045-3 : IP fragments are disaggregated to separate TMMs with hardware syncookies enabled
Links to More Info: BT871045
Component: Local Traffic Manager
Symptoms:
With hardware syncookies enabled, HTTP POST requests that are fragmented into separate segments are processed by different TMMs.
Connection is subsequently reset with a TCP RST cause reported as: No flow found for ACK.
Conditions:
-- Hardware syncookies triggered.
-- IP fragmented HTTP POST request.
Impact:
Connection is subsequently reset with TCP RST, cause 'No flow found for ACK'.
Workaround:
None.
869565-4 : Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN
Links to More Info: BT869565
Component: Local Traffic Manager
Symptoms:
HTTP/2 protocol can be negotiated with the Application-Layer Protocol Negotiation (ALPN) on the Transport Layer Security (TLS) level of communication. When an iRule disables HTTP/2 on a server side, it is assumed that the BIG-IP system no longer offers h2 to a server as an option.
Conditions:
-- A virtual server has an HTTP/2 profile configured on both the client and server sides.
-- A server SSL profile is configured on the virtual server.
-- An iRule using the 'HTTP2::disable serverside' command is attached to the virtual server.
Impact:
The BIG-IP system offers h2 as an option in ALPN when the HTTP/2 profile is disabled on a server side. If h2 is accepted by the server, communication fails since HTTP/2 is disabled and does not decode HTTP/2 traffic.
Workaround:
None.
869553-3 : HTTP2::disable fails for server side allowing HTTP/2 traffic
Links to More Info: BT869553
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides an iRule command 'HTTP2::disable serverside' to put http2 in passthrough mode. When the command is called during the CLIENT_ACCEPTED event, it should completely disable http2 until the end of TCP connection, or until the HTTP2::enable command is executed.
Conditions:
-- A virtual server has an HTTP/2 profile configured on the server side.
-- An iRule with the 'HTTP2::disable serverside' command is attached to the virtual server in the CLIENT_ACCEPTED event.
Impact:
The BIG-IP system continues to send HTTP/2 traffic to a server.
Workaround:
None.
869541-1 : Series of unexpected <aborted> requests to same URL
Links to More Info: BT869541
Component: Access Policy Manager
Symptoms:
Series of unexpected <aborted> requests to same URL
Conditions:
Web-app using special code pattern in JavaScript.
For example:
loc = window.location;
obj = {}
for (i in loc) {
obj[i] = loc[i];
}
Impact:
Page load is aborted
Workaround:
The following iRule can be used with a customized SPECIFIC_PAGE_URL value:
when REWRITE_REQUEST_DONE {
if {
[HTTP::path] ends_with "SPECIFIC_PAGE_URL"
} {
# log "URI=([HTTP::path])"
# Found the file we wanted to modify
REWRITE::post_process 1
set do_fix 1
}
}
when REWRITE_RESPONSE_DONE {
if {[info exists do_fix]} {
unset do_fix
set strt [string first {<script>try} [REWRITE::payload]]
if {$strt > 0} {
REWRITE::payload replace $strt 0 {
<script>
(function () {
var dl = F5_Deflate_location;
F5_Deflate_location = function (o) {
if (o.F5_Location) Object.preventExtensions(o.F5_Location)
return dl(o);
}
})()
</script>
}
}
}
}
869237-3 : Management interface might become unreachable when alternating between DHCP/static address assignment.
Component: TMOS
Symptoms:
When the Management IP address assignment is changed and the IP address obtained from DHCP lease is used for static interface configuration, the management port might become unreachable after the DHCP lease expiration time, even though interface has a static IP configured.
Conditions:
-- Management IP assignment is changed from dynamic (DHCP) to static.
-- The static IP address that is configured is identical to the DHCP address that was assigned.
Impact:
Remote management access is lost after the DHCP lease expires.
Workaround:
When changing the management interface configuration from DHCP to static, first delete the old configuration, then create new configuration. This can be done with TMSH:
(tmos)# modify sys global-settings mgmt-dhcp disabled
(tmos)# del sys management-ip 10.14.30.111/24
(tmos)# create sys management-ip 10.14.30.111/24 { description configured-statically }
868033-3 : SSL option "passive-close" option is unused and should be removed
Links to More Info: BT868033
Component: Local Traffic Manager
Symptoms:
The SSL profile "passive-close" option is available in TMSH (but not the GUI), but is not actually used.
A side-effect of this issue is: when the "passive-close" option is configured in TMSH, if the profile is later modified in the GUI, the "passive-close" option will be removed from the profile.
Conditions:
-- Modifying a client or server SSL profile in TMSH.
Impact:
The "passive-close" option is not actually used.
Workaround:
Do not use the "passive-close" option.
867985-2 : LTM policy with a 'shutdown' action incorrectly allows iRule execution
Links to More Info: BT867985
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.
Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.
Impact:
The iRule is executed before the connection is reset.
Workaround:
None.
867777-2 : Remote syslog server cannot parse violation detail buffers as UTF-8.
Links to More Info: BT867777
Component: Application Security Manager
Symptoms:
Remote syslog server is unable to properly parse the violation detail buffers as UTF-8.
Conditions:
This occurs when the violation detail buffers contain double-byte/non-UTF characters, due to requests that contain non-ASCII UTF-8 characters.
Impact:
The syslog server cannot parse violation detail buffers as UTF-8.
Workaround:
None.
867705-2 : URL for IFRAME element may not be normalized in some cases
Links to More Info: BT867705
Component: Access Policy Manager
Symptoms:
Client JavaScript may see a non-normalized URL for the IFRAME HTML element in Portal Access.
Conditions:
- Original HTML page contains IFRAME element with relative URL
- JavaScript code reads this URL from the IFRAME element
Impact:
The URL for IFRAME element is not normalized and the web application may not work correctly in Portal Access.
Workaround:
Use an iRule to correct the returned IFRAME URL in rewritten JavaScript code. There is no generic iRule pattern; the correction depends on actual JavaScript code, but you can use the following example as a template:
when REWRITE_REQUEST_DONE {
if { [HTTP::path] ... } { # use appropriate selection for URI
set correct_location 1
}
}
when REWRITE_RESPONSE_DONE {
if {[info exists correct_location]} {
unset correct_location
# look for the piece of code to be corrected
set str2find {...} ;# use appropriate pattern for rewritten code
set str_len [string length $str2find]
set strt [string first $str2find [REWRITE::payload]]
# make replacement using appropriate corrected code
if {$strt > 0} {
REWRITE::payload replace $strt $str_len {...}
}
}
}
867549-4 : LCD touch panel reports "Firmware update in progress" indefinitely★
Links to More Info: BT867549
Component: TMOS
Symptoms:
After a software upgrade that includes an LCD firmware update, the LCD touch panel may remain stuck reporting an error indefinitely / for longer than 30 minutes:
Firmware update in Progress may take up to 30 minutes.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have one of the following BIG-IP platforms:
* i850
* i2x00
* i4x00
* i5x00
* i7x00
* i10x00
* i11x00
* i15x00
* HRC-i2x00
* HRC-i5x00
* HRC-i10x00
-- You perform a software upgrade that updates the firmware on the LCD touch panel, e.g. upgrading from BIG-IP v13.1.x to BIG-IP v14.1.x or newer.
Impact:
The system is functional, but the LCD displays the firmware update screen indefinitely. The LCD cannot be used while it is frozen on the firmware update warning screen.
Workaround:
Important: Before attempting this workaround, check that there are no indications the system is still performing a firmware update (such as a terminal prompt), and that the following messages can be found in /var/log/ltm after the most recent boot:
notice chmand[6302]: 012a0005:5: firmware update succeeded.
notice chmand[6302]: 012a0005:5: Firmware check finished.
These messages indicate that the firmware update has finished, and the LCD is displaying the warning screen in error, so it is safe to perform the workaround.
Reboot the BIG-IP system to return the LCD to normal operation.
After a reboot of the BIG-IP operating system, the LCD touch panel should be responsive.
867321-6 : Error: Invalid self IP, the IP address already exists.
Links to More Info: BT867321
Component: Advanced Firewall Manager
Symptoms:
When loading a configuration, the config load fails with an error:
Invalid self IP, the IP address <ip_addr> already exists.
Conditions:
-- Config contains an IPv4 SelfIP
-- Config contains an IPv4-mapped IPv6 address that is assigned to the same vlan
BIG-IP does not prevent you from creating this condition and will allow you to save it.
Impact:
Configuration load fails with the error:
0107176c:3: Invalid self IP, the IP address <ip_addr> already exists.
Unexpected Error: Loading configuration process failed.
Workaround:
Delete one of the SelfIP addresses and load the configuration.
867253-1 : Systemd not deleting user journals
Links to More Info: BT867253
Component: TMOS
Symptoms:
When setting 'SystemMaxUse' to any value, systemd does not honor this limit, and the specified size is exceeded.
Conditions:
Using a non-TMOS user account with external authentication permission.
Note: Systemd-journald is configured to create a user journal for every remote user that logs into the BIG-IP system.
Impact:
Journald filling up the file system. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.
Workaround:
Option 1:
To immediately free up space, manually remove per-user journal logs from the following location:
/var/log/journal/*/user-*
Option 2:
To prevent the system from creating these journal files going forward:
1. Edit /etc/systemd/journald.conf and add the following at the bottom of the file:
SplitMode=none
2. Restart the systemd-journald service:
# systemctl restart systemd-journald
3. Delete the existing user journal files from /var/log
# rm /var/log/journal/*/user-*
Note:
-- You must apply this workaround separately to each blade of a VIPRION or vCMP guest running on a VIPRION.
-- You must reapply this workaround after performing software installations.
867249-3 : New SNMP authentication type and privacy protocol algorithms not available in UI
Links to More Info: BT867249
Component: TMOS
Symptoms:
You are unable to configure the new SNMP authentication type and privacy protocol algorithms from the BIG-IP Configuration utility.
Conditions:
A BIG-IP with net-snmp libraries v5.8
Impact:
The new authentication type and privacy protocol algorithms cannot be configured via the GUI.
Workaround:
Specify the auth-protocol and privacy-protocol values using TMSH.
modify /sys snmp users add { <user> { access rw security-level auth-privacy auth-protocol sha256 auth-password defaultPassword privacy-protocol aes privacy-password defaultPassword username <user> } }
867177-1 : Outbound TFTP and Active FTP no longer work by default over the management port
Links to More Info: BT867177
Component: TMOS
Symptoms:
When attempting to use TFTP or Active FTP at the BIG-IP management port to transfer files to a remote system, the connection eventually times out and the file is not transferred.
This is expected behavior resulting from the enhancement made in BIG-IP v14.1.0:
"Support for network firewall rules on the management port" :: https://techdocs.f5.com/kb/en-us/products/BIG-IP_ltm/releasenotes/product/relnote-bigip-14-1-0.html#rn_ltm-tmos_1410_new.
TFTP and Active FTP via tmm interfaces continue to work, because tmm has the necessary Algorithm capabilities to set up return listeners.
Conditions:
- BIG-IP v14.1.0 or greater.
- Attempt to initiate TFTP or Active FTP from the BIG-IP management port through command line.
Impact:
Unable to use TFTP or Active FTP to transfer files to/from the BIG-IP system over management port
Workaround:
Consider using encrypted transport (sftp, scp, etc.) in order to avoid the exposure of sensitive data, including passwords.
Manually load connection tracking for the necessary protocol(s) from the command line with:
modprobe nf_conntrack_ftp
modprobe nf_conntrack_tftp
866957-1 : Load balancing IPsec tunnels
Links to More Info: BT866957
Component: TMOS
Symptoms:
IPsec can experience packet loss on oversubscribed TMM instances (reaching 100% CPU transiently or consistently) and other TMM instances do not share the load.
Conditions:
-- A large number of IPsec tunnels.
-- The Security Associations (SAs) associated with IPsec tunnels are not balanced across TMMs.
-- Other TMMs are less busy.
Impact:
If random assignment of IPsec tunnels to TMM instances results in one TMM needing more than 100% CPU to handle all the traffic, packets are lost. When packets are lost, they are retransmitted, and BIG-IP network performance drops in proportion to the packet loss.
Workaround:
None
866953-2 : Portal Access: F5_Inflate_onclick wrapper functionality needs refining
Links to More Info: BT866953
Component: Access Policy Manager
Symptoms:
Event handler defined on DOM elements is not executed properly, and some events on a page like onClick() are not executed properly.
Conditions:
-- Portal access enabled.
-- Rewrite enabled.
-- New value of event handler is equal to inline handler already set for the element.
Impact:
Web application does not operate as expected.
Workaround:
Use a custom iRule, for example, an iRule that redefines F5_Inflate_onclick:
Note: In the following iRule, substitute <PATH_TO_PAGE> with the page in your web application.
when REWRITE_REQUEST_DONE {
    if {
        [HTTP::path] ends_with "<PATH_TO_PAGE>"
    } {
        # log "URI=([HTTP::path])"
        # Found the file to modify
        REWRITE::post_process 1
        set do_it 1
    }
}
when REWRITE_RESPONSE_DONE {
    if {[info exists do_it]} {
        unset do_it
        set strt [string first {<script>try} [REWRITE::payload]]
        if {$strt > 0} {
            REWRITE::payload replace $strt 0 {
                <script>
                (function(){
                    var ioc = F5_Inflate_onclick;
                    F5_Inflate_onclick = function(o, incr, v) {
                        if (v === o.onclick && typeof v === 'function') {
                            return v;
                        }
                        return ioc.call(this,o,incr,v);
                    }
                })();
                </script>
            }
        }
    }
}
865981-3 : ASM GUI and REST become unresponsive upon license change
Links to More Info: BT865981
Component: Application Security Manager
Symptoms:
When there is a license change at the same time as a security update (ex. Threat Campaigns or Attack Signatures), the system can reach a deadlock which blocks some operations, eventually leading to all the REST threads becoming blocked and unresponsive.
Conditions:
A license change occurs at the same time as a security update (ex. Threat Campaigns or Attack Signatures).
Impact:
ASM user interfaces are unresponsive.
Workaround:
Kill asm_config_server.pl or restart ASM
865653-4 : Wrong FDB table entries with same MAC and wrong VLAN combination
Links to More Info: BT865653
Component: TMOS
Symptoms:
Forwarding DataBase (FDB) table has duplicate MAC entries with the incorrect VLANs.
MAC entries are correct in the switch but not in the control plane.
Conditions:
Enable L2Wire.
Impact:
Duplicate MAC entries with incorrect VLANs in FDB table.
Workaround:
Restart bcm56xxd:
bigstart restart bcm56xxd
Note: You can use tmsh to see the table:
tmsh -m show net fdb
865225-4 : 100G modules may not work properly in i15000 and i15800 platforms
Links to More Info: BT865225
Component: TMOS
Symptoms:
The tuning values programmed in the switch are not correct for 100G OPT-0039 and OPT-0031 SFP modules.
Conditions:
-- Using OPT-0039 or OPT-0031 modules.
-- Running on i15000 and i15800 platforms.
Note: Use 'tmsh list net interface vendor-partnum', to identify the optic modules installed.
Impact:
You might see traffic drop.
Note: Potential issues related to incorrect tuning values come from F5-internal sources and have not been reported in production configurations.
Workaround:
None.
864897-1 : TMM may crash when using "SSL::extensions insert"
Links to More Info: BT864897
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
iRule with "SSL::extensions insert"
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
864649-1 : The client-side connection of a dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table
Links to More Info: BT864649
Component: Local Traffic Manager
Symptoms:
The client-side connection of the dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table.
Conditions:
Configure dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server.
Impact:
Even after correcting the listener to use dhcpv4 (relay) instead of dhcpv4_fwd (forwarding) profile, the client-side connection from the dhcpv4_fwd profile remains.
Workaround:
Delete the long-standing connection from the connection table.
864321-1 : Default Apache testing page is reachable at <mgmt-ip>/noindex
Links to More Info: BT864321
Component: TMOS
Symptoms:
For BIG-IP v14.1.x and later, the default testing page of the Apache web-server is accessible at <mgmt-ip>/noindex.
Conditions:
This is encountered when navigating to the /noindex page from the web browser.
Impact:
Limited information about the Apache web server and its operating system is available to users with access to the mgmt port interface.
Workaround:
None.
863601-1 : Panic in TMM due to internal mirroring interactions
Links to More Info: BT863601
Component: Wan Optimization Manager
Symptoms:
The Traffic Management Microkernel suddenly restarts due to a SIGSEGV segmentation fault.
Conditions:
-- APM is being used.
-- Connection mirroring is being used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid configuring connection mirroring when APM is being used.
863165-1 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
Links to More Info: BT863165
Component: Local Traffic Manager
Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.
Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.
Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.
Workaround:
Ensure the number of trunk interfaces is a power of 2: 2, 4, or 8.
862949-1 : ZoneRunner GUI is unable to display CAA records
Links to More Info: BT862949
Component: Global Traffic Manager (DNS)
Symptoms:
Attempting to manage a CAA record via the GUI shows an error:
Resolver returned no such record.
Conditions:
-- Navigate to DNS :: Zones :: ZoneRunner :: Resource Record List :: Search All Records.
-- Click on record of type CAA.
Impact:
Unable to update CAA records via the GUI.
Workaround:
You can use either of the following workarounds:
-- Manually edit the BIND configuration.
-- Delete the record and create a new one with the desired changes.
862693-2 : PAM_RHOST not set when authenticating BIG-IP using iControl REST
Links to More Info: BT862693
Component: TMOS
Symptoms:
The missing PAM_RHOST setting causes the RADIUS packet to go out without the calling-station-id AVP.
Conditions:
1. Configure a RADIUS server and add it to BIG-IP:
tmsh create auth radius system-auth servers add { myrad }
2. Modify the auth source type to RADIUS:
tmsh modify auth source { type radius }
3. Try to authenticate to BIG-IP using iControl REST.
Impact:
Remote authentication using iControl REST is not allowed based on calling-station-id.
862525-3 : GUI Browser Cache Timeout option is not available via tmsh
Component: TMOS
Symptoms:
In BIG-IP v10.x it was possible to change the browser cache timeout from bigpipe using the command:
bigpipe httpd browsercachetimeout
In 14.1.2.1 and newer, it is still possible to change the value in the GUI using "System :: Preferences :: Time To Cache Static Files".
However there is no tmsh equivalent in any version.
Conditions:
This is encountered when you try to configure the GUI browser cache timeout setting using tmsh.
Impact:
Unable to modify browser cache timeout except from GUI
Workaround:
Use the GUI to configure this field: System :: Preferences :: Time To Cache Static Files.
862069-3 : Using non-standard HTTPS and SSH ports fails under certain conditions
Links to More Info: BT862069
Component: Local Traffic Manager
Symptoms:
On all versions 12.1.0 or later, if you change the HTTPS port (e.g., to 8443, as is required for '1NIC' BIG-IP Virtual Edition (VE) deployments) and then expose the management UI via a self IP in a non-zero route domain, you cannot access the system via the GUI or CLI, and the system does not pass traffic as expected.
In versions 14.1.0 and later on VE installations, attempting to manage a BIG-IP system over a self IP can fail if all these conditions are met:
-- Non-standard HTTPS port used.
-- No TMM default route configured.
-- No route to the client IP address configured.
Conditions:
-- Modify the default HTTPS and/or default SSH ports.
And either of the following:
On 12.1.0 and above:
-- Expose the management UI and/or CLI via a self IP in a non-zero route domain.
On 14.1.0 and above:
-- No TMM default route configured.
-- No route to the client IP address configured.
Impact:
-- Unable to access BIG-IP GUI on non-standard HTTPS port.
-- Unable to access BIG-IP CLI on non-standard SSH port.
Workaround:
None.
862001-3 : Improperly configured NTP server can result in an undisciplined clock stanza
Links to More Info: BT862001
Component: Local Traffic Manager
Symptoms:
There can be an undisciplined clock stanza in /etc/ntp.conf, resulting in an undisciplined clock.
NTP documentation:
http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
Conditions:
This might occur in at least the following ways:
-- No server is specified in 'sys ntp servers {}'.
-- A server does exist, but an improper method was used to configure the NTP server.
Impact:
When the LOCAL undisciplined clock is left as a valid time-source, it delays the system synchronizing time to a real NTP server. It can also result in time being adjusted incorrectly if the remote time-source becomes unreachable.
Workaround:
Configure a dummy server via 'ntp servers {}' that does not respond.
While this removes the undisciplined local clock, it does result in ntpd having an unreachable time source, and could be flagged in diagnostics, misdirect other troubleshooting, generate unnecessary traffic, etc.
However, if the 'dummy' source starts responding, it could become a rogue time source.
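The following added example (not part of the release note or of BIG-IP) audits the text of an ntp.conf file for the undisciplined local clock stanza described in this issue. It assumes the stanza uses ntpd's local-clock reference address 127.127.1.x; the function name, verdict strings, and sample configurations are constructed for illustration.

```python
LOCAL_REFCLOCK_PREFIX = "127.127.1."  # ntpd refclock driver type 1 (undisciplined local clock)
SOURCE_KEYWORDS = ("server", "peer", "pool")


def audit_ntp_conf(text):
    """Classify the time sources declared in an ntp.conf body."""
    local_lines, remote_sources, fudge_stratum = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tokens) < 2:
            continue
        keyword = tokens[0].lower()
        # "server -4 host" is valid syntax, so skip address-family options.
        args = [t for t in tokens[1:] if not t.startswith("-")]
        if not args:
            continue
        address = args[0]
        is_local = address.startswith(LOCAL_REFCLOCK_PREFIX)
        if keyword in SOURCE_KEYWORDS:
            if is_local:
                local_lines.append(lineno)
            else:
                remote_sources.append(address)
        elif keyword == "fudge" and is_local and "stratum" in args:
            pos = args.index("stratum") + 1
            if pos < len(args) and args[pos].isdigit():
                fudge_stratum = int(args[pos])

    if local_lines and remote_sources:
        # The local clock competes with real servers and delays synchronization.
        verdict = "local-clock-alongside-remote"
    elif local_lines:
        # Matches the "no server specified" condition: nothing disciplines the clock.
        verdict = "local-clock-only-source"
    elif remote_sources:
        verdict = "ok"
    else:
        verdict = "no-time-source"
    return {
        "verdict": verdict,
        "local_clock_lines": local_lines,
        "remote_sources": remote_sources,
        "local_clock_stratum": fudge_stratum,
    }


# Constructed samples (not taken from a real BIG-IP system).
ONLY_LOCAL = """\
# constructed: nothing configured in 'sys ntp servers {}'
restrict default kod nomodify notrap nopeer noquery
server 127.127.1.0
fudge 127.127.1.0 stratum 10
"""

MIXED = """\
server 192.0.2.123 iburst
server 127.127.1.0   # local clock left in place
fudge 127.127.1.0 stratum 10
"""

CLEAN = "server -4 192.0.2.123 iburst\n"

if __name__ == "__main__":
    for name, conf in (("only-local", ONLY_LOCAL), ("mixed", MIXED), ("clean", CLEAN)):
        print(name, audit_ntp_conf(conf))
```

On a live system, pass the contents of /etc/ntp.conf to audit_ntp_conf() and alert on any verdict other than "ok".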
860573-2 : LTM iRule validation performance improvement by tracking procedure/event that have been validated
Links to More Info: BT860573
Component: TMOS
Symptoms:
Loading (with merge) a configuration file that references some iRules results in validating every iRule and ends up validating the same procedures multiple times for every virtual server a single iRule is associated with.
Conditions:
Configuration which has 100's of virtual servers, some iRules that are assigned to all virtual servers and a few library iRules.
Impact:
Task fails (via REST) or ends up taking a really long time when run manually.
Workaround:
None.
860277-2 : Default value of TCP Profile Proxy Buffer High Low changed in 14.1
Links to More Info: BT860277
Component: Local Traffic Manager
Symptoms:
Version: 13.1.3.1
# tmsh list ltm profile tcp tcp proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
proxy-buffer-high 49152
proxy-buffer-low 32768
}
proxy-buffer-high
Specifies the highest level at which the receive window is closed.
The default value is 49152.
proxy-buffer-low
Specifies the lowest level at which the receive window is closed.
The default value is 32768.
Version: 14.1.2.2
# list ltm profile tcp TCP proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
proxy-buffer-high 65535
proxy-buffer-low 32768
}
proxy-buffer-high
Specifies the highest level at which the receive window is closed.
The default value is 131072.
proxy-buffer-low
Specifies the lowest level at which the receive window is closed.
The default value is 98304.
Conditions:
Looking at the help for proxy-buffer-high and proxy-buffer-low in tmsh
Impact:
The default value for proxy-buffer-high is 65535 and the default value for proxy-buffer-low is 32768, but the help text indicates that the defaults are 131072 and 98304 respectively.
860245-3 : SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x
Links to More Info: BT860245
Component: TMOS
Symptoms:
The SSL Orchestrator configuration is not synced properly across the high availability (HA) configuration.
The REST framework versions are different on the devices.
Conditions:
-- BIG-IP devices configured for HA.
-- SSL Orchestrator configured.
-- Upgrading from v14.1.2 to v15.1.x or newer.
Impact:
SSL Orchestrator configuration does not sync across BIG-IP HA peers.
Workaround:
The following steps are required on all HA peers, first on the active and then on the standby BIG-IP devices.
1. Open a BIG-IP terminal session with admin/root level access.
2. Run the following commands, in the order specified:
bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded
860181-3 : After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error
Links to More Info: BT860181
Component: TMOS
Symptoms:
If you have BIG-IPs in a Device Service Cluster, and you attempt to sync a new floating self-IP over to a standby on a VLAN that the standby does not currently have a non-floating self-IP on, you will get an error and the sync will fail. This is the correct behavior. The issue, though, is that if you subsequently create a non-floating self-IP on the standby in order to rectify this issue, the sync will still fail.
Conditions:
-- BIG-IPs configured in a Device Service Cluster.
-- Device group is configured to use Automatic Sync or Manual with Incremental sync.
-- Attempting to sync a floating self-IP to a system that does not have a non-floating self-IP on the same VLAN.
Impact:
You are unable to sync BIG-IPs. Both devices will be out of sync and you will see an error displayed:
01070355:3: Self IP <address> is declared as a floating address but there is no non-floating address defined for this network
Even after you add a non-floating self-IP on the affected device, a subsequent config sync does not fix the error.
Workaround:
If you make any other configuration change that generates a config sync, this will correct itself after the other device has added a non-floating Self-IP.
Otherwise, this can be corrected by doing a full config sync, and can be done via the GUI or via tmsh.
In the GUI, change the Sync Type for the device group to Manual with Full Sync, and then do a config sync.
In tmsh, the command is:
run cm config-sync force-full-load-push to-group <affected_device_group>
860041-2 : Portal Access: 5_Deflate_removeEventListener wrapper need to be added
Links to More Info: BT860041
Component: Access Policy Manager
Symptoms:
Various issues are possible, for example, the drop-down menu is not clickable, etc.
Conditions:
Web application code that uses native removeEventListener() function indirectly.
Impact:
The web application does not function as expected.
Workaround:
Use a custom iRule. In the following example, replace '/PATH_TO_HTML_FILE' with the actual path of the web application:
#
# Custom workaround replace wrappers for
# addEventListener and removeEventListener with
# pass-through wrappers
#
# v1. very simple
#
when REWRITE_REQUEST_DONE {
    if {
        [HTTP::path] ends_with "/PATH_TO_HTML_FILE"
    } {
        # log "URI=([HTTP::path])"
        # Found the file to modify
        REWRITE::post_process 1
        set do_it 1
    }
}
when REWRITE_RESPONSE_DONE {
    if {[info exists do_it]} {
        unset do_it
        set str {<script>try}
        set strlen [string length $str]
        set strt [string first $str [REWRITE::payload]]
        if {$strt > 0} {
            REWRITE::payload replace $strt 0 {
                <script>
                function F5_Invoke_addEventListener (o, e, h, c) {
                    console.log('addEventListener '+e);
                    var args = [];
                    for (var i = 1; i<arguments.length; i++) {
                        args[i-1] = arguments[i]
                    }
                    return o.addEventListener.apply(o,args);
                }
                function F5_Invoke_removeEventListener(o, e, h, c) {
                    console.log('removeEventListener '+e);
                    var args = [];
                    for (var i = 1; i<arguments.length; i++) {
                        args[i-1] = arguments[i]
                    }
                    return o.removeEventListener.apply(o,args);
                }
                </script>
            }
        }
    }
}
858877-1 : SSL Orchestrator config sync issues between HA-pair devices
Links to More Info: BT858877
Component: TMOS
Symptoms:
SSL Orchestrator configuration deployment across BIG-IP devices in a high-availability (HA) group may result in inconsistent state, if during deployment the connectivity between the HA peers is lost.
Conditions:
Deploying SSL Orchestrator configuration across BIG-IP devices in an HA group.
Impact:
Inconsistent SSL Orchestrator configuration on BIG-IP devices in an HA group.
Workaround:
Run the /usr/bin/ha-sync script. See ha-sync -h for help.
858549-4 : GUI does not allow IPv4-Mapped IPv6 Address to be assigned to self IPs
Links to More Info: BT858549
Component: TMOS
Symptoms:
When you try to use an IPv4-mapped IPv6 address as the self IP via the GUI, you get an error:
Some fields below contain errors. Correct them before continuing.
Invalid IP or Hostname
Conditions:
Assign IPv4-mapped IPv6 address to self IPs via GUI.
Impact:
Cannot add the self IP to the BIG-IP system.
Workaround:
None.
858309-1 : Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart
Links to More Info: BT858309
Component: Local Traffic Manager
Symptoms:
TMM keeps restarting after setting a self IP to an IPv6 address with an embedded IPv4 address in TMSH.
Conditions:
Set self IP to an IPv6 address with an embedded IPv4 address using tmsh.
Impact:
Tmm restarts repeatedly. Traffic disrupted while tmm restarts.
Workaround:
Set self IP to IPv4 address.
858173-1 : SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1★
Links to More Info: BT858173
Component: TMOS
Symptoms:
With BIG-IP devices configured in high availability (HA) mode, with SSL Orchestrator configured, when upgrading from v14.1.2 to v15.1.x or newer, the SSL Orchestrator configuration is not synced properly across the high availability (HA) configuration.
This problem is caused by a REST framework sync issue between the devices in the high availability (HA) pair.
Conditions:
-- BIG-IP devices configured in high availability (HA) mode.
-- SSL Orchestrator configured.
-- Upgrading from v14.1.2 to v15.1.x or newer.
Impact:
SSL Orchestrator configuration not syncing across the BIG-IP high availability (HA) pair.
Workaround:
The following steps are required on both high availability (HA) peers, first on the active and then on the standby BIG-IP device.
1. Open a terminal session with admin/root level access.
2. Run the following commands, in the order specified:
bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded
858005-3 : When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:"
Component: Access Policy Manager
Symptoms:
APM Access Policy evaluation failed.
Conditions:
When the APM VPE “IP Subnet Match” agent is configured with leading/trailing spaces, there is no configuration error, but runtime evaluation results in failure with this error message in /var/log/apm:
"Rule evaluation failed with error:"
Impact:
APM end user’s session cannot be established.
Workaround:
Using the APM VPE, remove all leading/trailing spaces from the configuration of the “IP Subnet Match” agent.
857897-1 : Address and port lists are not searchable within the GUI
Links to More Info: BT857897
Component: Advanced Firewall Manager
Symptoms:
Search from shared objects of IP addresses in the address list and port numbers in the port list does not work as expected. In previous releases, it was possible to expand all address/port lists in a single operation. There is no support for that in this release.
Conditions:
Searching from shared objects of IP addresses in the address list and port numbers in the port list.
Impact:
It is no longer possible to expand all address/port lists in a single operation, and because all lists need to be expanded to allow a search using the browser or cache the objects in the embedded search box from the GUI, the functionality does not work as expected.
Workaround:
None.
857677-1 : Security policy changes are applied automatically after asm process restart
Links to More Info: BT857677
Component: Application Security Manager
Symptoms:
Changes in security policy are applied after ASM restart. This may activate unintended enforcement.
Conditions:
Restart ASM.
Impact:
Potentially unintended activation of new security entities.
Workaround:
None.
857589-2 : On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed'
Links to More Info: BT857589
Component: Access Policy Manager
Symptoms:
On the Citrix Workspace app, clicking 'Refresh Apps' after signing out fails with message "Refresh Failed" with v15.1.x
Conditions:
-- Running the Citrix Workspace app.
-- Clicking 'Refresh Apps' after signing out.
-- Running software v15.1.x.
Impact:
The system reports a 'Refresh failed' error, and the app must be reset.
Workaround:
None.
857045-3 : LDAP system authentication may stop working
Links to More Info: BT857045
Component: TMOS
Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.
In /var/log/daemon.log, you may see the following:
warning systemd[1]: nslcd.service failed
Conditions:
Nslcd daemon crashed, and it fails to restart.
Impact:
System authentication stops working until nslcd is restarted.
Workaround:
Manually restart nslcd daemon:
systemctl start nslcd
nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and are not backed up as part of a UCS archive):
1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).
2. In the text editor, add these contents:
[Service]
# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always
3. Exit the text editor and save the file
4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.
5. Restart nslcd:
systemctl restart nslcd
854129-4 : SSL monitor continues to send previously configured server SSL configuration after removal
Links to More Info: BT854129
Component: In-tmm monitors
Symptoms:
After an SSL profile has been removed from a monitor, a monitor instance continues to use settings from the previously-configured server SSL profile, such as client certificate or ciphers or supported TLS versions.
Conditions:
-- In-TMM monitors enabled.
-- SSL monitor configured with a server SSL profile.
-- Setting the monitor's 'SSL Profile' parameter to 'none'.
Impact:
The previously configured settings, such as certificate or cipher, continue to be used for monitoring pool members, which may result in unexpected health check behavior/pool member status.
Workaround:
An administrator can avoid this issue by ensuring the monitor's 'SSL Profile' parameter specifies a profile (i.e., is not 'none').
Note: In some software versions, changing a monitor's SSL profile from one profile to a different profile may not take effect. For information about this behavior, see https://cdn.f5.com/product/bugtracker/ID912425.html
853989-3 : DOSL7 Logs breaks CEF connector by populating strings into numeric fields
Links to More Info: BT853989
Component: Application Security Manager
Symptoms:
Dosl7 remote logger messages break the ArcSight CEF connector when using the ArcSight destination format. CEF logs are dropped.
Conditions:
- ASM provisioned
- Dos profile attached to a virtual server
- Dos application protection enabled
- Logging profile configured with ArcSight format attached to a virtual server
Impact:
ArcSight server might be broken after getting dosl7 attack detection messages from the BIG-IP.
Workaround:
A BIG-IP iRule or another proxy can be used to intercept ArcSight messages and strip the string portion from ArcSight numeric type fields.
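As an added illustration of the proxy workaround (example code written for this page, not F5's or ArcSight's), the following filter parses a CEF record and strips the string portion from integer-typed extension fields before the record reaches the connector. The release note does not say which fields are affected, so the key set below is an assumed subset of the integer keys in the CEF extension dictionary, and the sample record is constructed.

```python
import re

# Assumption: integer-typed keys from the CEF extension dictionary (subset).
NUMERIC_KEYS = {"cn1", "cn2", "cn3", "cnt", "spt", "dpt", "in", "out",
                "spid", "dpid", "fsize"}

# An extension key starts the string or follows whitespace and ends at '='.
# A backslash is not a key character, so an escaped "\=" never starts a field.
KEY_RE = re.compile(r"(?<!\S)([\w.\[\]-]+)=")
INT_RE = re.compile(r"-?\d+")


def split_cef(line):
    """Return (syslog prefix, 7 header fields, extension string)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)  # unescaped pipes only
    if len(parts) < 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return line[:start], parts[:7], parts[7]


def parse_extension(ext):
    """Split 'k1=v1 k2=v with spaces k3=v3' into ordered (key, value) pairs."""
    marks = list(KEY_RE.finditer(ext))
    pairs = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(ext)
        pairs.append((m.group(1), ext[m.end():end].rstrip()))
    return pairs


def sanitize_cef(line):
    """Return (clean record, findings) with numeric fields reduced to integers.

    Each finding is (key, original value, replacement or None when dropped).
    """
    prefix, header, ext = split_cef(line)
    kept, findings, dropped = [], [], set()
    for key, value in parse_extension(ext):
        if key in NUMERIC_KEYS and not INT_RE.fullmatch(value):
            lead = INT_RE.match(value.lstrip())
            findings.append((key, value, lead.group() if lead else None))
            if lead is None:
                dropped.add(key)  # nothing numeric left once the string is stripped
                continue
            value = lead.group()
        kept.append((key, value))
    # A label without its value is noise for the connector, so drop it too.
    labels = {k + "Label" for k in dropped}
    body = " ".join(f"{k}={v}" for k, v in kept if k not in labels)
    return prefix + "|".join(header) + "|" + body, findings


# Constructed sample record (not captured from a BIG-IP system).
SAMPLE = ("<134>Jan  1 00:00:00 bigip.example.test ASM: "
          "CEF:0|F5|ASM|14.1.4|DoS attack|TPS Increased|8|"
          "dvchost=bigip.example.test cn1=120 tps cn1Label=detected_tps "
          "cn2=N/A cn2Label=baseline_tps src=192.0.2.10 spt=51514 "
          "msg=Attack started on /Common/vs_test")

if __name__ == "__main__":
    clean, findings = sanitize_cef(SAMPLE)
    print(clean)
    for key, old, new in findings:
        print(f"{key}: {old!r} -> {new!r}")
```

Logging the findings alongside the forwarded record keeps an audit trail of what the filter changed.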
853617-3 : Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles
Links to More Info: BT853617
Component: TMOS
Symptoms:
Validation does not prevent specific configuration, but reports errors. In newer versions:
-- err tmm1[7019]: 01010008:3: Proxy initialization failed for /Common/vs_test. Defaulting to DENY.
-- err tmm1[7019]: 01010008:3: Listener config update failed for /Common/vs_test: ERR:ERR_ARG
In older versions:
-- err tmm[23118]: 01010007:3: Config error: virtual_server_profile no suitable hudchain
-- err tmm[23118]: 01010007:3: Config error: add virtual server profile error
Conditions:
Creating a virtual server with UDP, HTTP, SSL, (and OneConnect) profiles.
Impact:
Virtual server is defined and in configuration, but does not pass traffic.
On v12.1.x and v13.0.0, attempts to recover from this configuration can leave TMM in a bad state, which can then result in a TMM crash.
Workaround:
None.
853565-1 : VCMP host primary blade reboot causes security policy loss in the VCMP guest primary blade
Links to More Info: BT853565
Component: Application Security Manager
Symptoms:
After rebooting a vCMP guest with ASM provisioned and configured, there are no asm policies. The following command returns no results:
tmsh list asm policy all-properties
Conditions:
-- vCMP host with 2+ slots
-- vCMP guest with 2+ slots
-- LTM+ASM provisioned
-- ASM security policy + virtual server configured
-- reboot primary slot of VCMP host
Impact:
There are no ASM policies on the vCMP guest.
853161-1 : Restjavad has different behavior for error responses if the body is over 2k
Links to More Info: BT853161
Component: TMOS
Symptoms:
The error Response body from iControl REST is truncated at 2048 characters. If an iControl REST response sends an error that is longer than 2048 characters, the truncated response will not contain valid JSON.
Conditions:
This occurs when iControl REST error messages are longer than 2048 characters.
Impact:
The error response body is malformed when the error body is longer than 2k characters.
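The following added example (client-side code written for this page, not part of iControl REST) shows one way for an API client to tolerate the truncated error body described above. It falls back to salvaging the status code and the readable part of the message when the body is not valid JSON. The "code" and "message" field names and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

TRUNCATION_LIMIT = 2048  # characters, per the symptom described above

# Require a delimiter after the number so a code cut mid-digits is not trusted.
CODE_RE = re.compile(r'"code"\s*:\s*(\d+)\s*[,}]')
# Capture a JSON string body, accepting only complete escape sequences, so a
# fragment cut mid-escape (a lone backslash or a partial \uXXXX) ends before it.
MESSAGE_RE = re.compile(
    r'"message"\s*:\s*"((?:[^"\\]|\\u[0-9a-fA-F]{4}|\\[^u])*)')


def parse_error_body(body, limit=TRUNCATION_LIMIT):
    """Parse an error body; salvage code/message if it is not valid JSON."""
    result = {"valid_json": True, "truncated": False, "code": None,
              "message": None, "message_complete": True}
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        doc = None
    else:
        if isinstance(doc, dict):
            result["code"] = doc.get("code")
            result["message"] = doc.get("message")
        return result

    # Not valid JSON: treat a body at the limit as a truncated response.
    result["valid_json"] = False
    result["truncated"] = len(body) >= limit
    result["message_complete"] = False

    code = CODE_RE.search(body)
    if code:
        result["code"] = int(code.group(1))

    msg = MESSAGE_RE.search(body)
    if msg:
        fragment = msg.group(1)
        # The string was closed only if a quote follows the captured text.
        result["message_complete"] = body[msg.end():msg.end() + 1] == '"'
        try:
            result["message"] = json.loads('"' + fragment + '"')
        except json.JSONDecodeError:
            result["message"] = fragment  # keep the raw text rather than lose it
    return result


if __name__ == "__main__":
    # Constructed body: a long error message cut at the 2048-character limit.
    full = json.dumps({"code": 400, "message": "A" * 3000, "errorStack": []})
    info = parse_error_body(full[:TRUNCATION_LIMIT])
    print(info["valid_json"], info["truncated"], info["code"], len(info["message"]))
```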
852785-1 : Exposing counters from FIPS device registers allows debugging when cards fail
Links to More Info: BT852785
Component: TMOS
Symptoms:
FIPS devices may fail due to overuse. There has been no visibility into the numbers of key generation operations performed or the times when temperature ranges have been exceeded.
Conditions:
When a FIPS device fails it can be difficult to determine if there were temperature or over use issues.
Impact:
Lack of environmental information to diagnose problems.
852577-2 : [AVR] Analytic goodput graph between different time period has big discrepancy
Links to More Info: BT852577
Component: Application Visibility and Reporting
Symptoms:
The incorrect goodput value is showing on the GUI > Analytics > TCP > Goodput.
Conditions:
AVR is provisioned
Running TCP related traffic (with an amount that can exceed the MAX_INT value in any aggregation level).
Impact:
AVR statistics for TCP goodput may be incorrect.
Workaround:
There is no workaround at this time.
852565-3 : On Device Management::Overview GUI page, device order changes
Links to More Info: BT852565
Component: TMOS
Symptoms:
When manual device group sync is enabled, the device with the most recent change will be displayed at the top of the Device Management::Overview GUI page.
Conditions:
-- Multiple devices in a device group
-- Device group has manual config sync enabled
-- A change is made on a device
Impact:
When the list loads, the device with the most recent changes is displayed at the top. This can make the device order appear to be inconsistent, and can create confusion when doing manual config sync if you are expecting the order to be always consistent.
852325-3 : HTTP2 does not support Global SNAT
Links to More Info: BT852325
Component: Local Traffic Manager
Symptoms:
The Global SNAT feature does not work with HTTP2.
Conditions:
-- Global SNAT is used
-- HTTP2 is used.
Impact:
Traffic uses the incorrect IP addresses when sourced from the BIG-IP system.
Workaround:
Use an explicit SNAT setting: SNAT Auto-Map or a SNAT pool.
852157 : Previously deployed SSL Orchestrator topology may cause deployment failures.
Links to More Info: BT852157
Component: SSL Orchestrator
Symptoms:
SSL Orchestrator may fail to deploy or redeploy topologies with the following error:
"Error: transaction failed:01020066:3: The requested iRule (/Common/ssloGS_global.app/ssloGS_global-settings) already exists in partition Common."
Conditions:
During an SSL Orchestrator delete operation, not all of the configuration is being removed from both devices within a failover device-group.
Impact:
SSL Orchestrator will fail to deploy or re-deploy if either device in the failover device-group still has ssloGS_global-settings iRule in configuration.
Workaround:
This workaround will force rebuilding and deploying all previously associated SSL Orchestrator topologies.
Run the clear-rest-storage command line tool to remove restful shared references, and then from tmsh delete sys application service ssloGS_global.app/ssloGS_global and any associated application services. Rebuild and deploy the topologies using the SSL Orchestrator GUI.
851837-3 : Mcpd fails to start for single NIC VE devices configured in a trust domain
Links to More Info: BT851837
Component: TMOS
Symptoms:
Single NIC BIG-IP Virtual Edition (VE) devices configured in a trust domain (e.g., in high availability (HA)) cannot reload a running configuration when restarted and/or when mcpd fails to load the config, and reports a validation error:
err mcpd[25194]: 0107146f:3: Self-device config sync address cannot reference the non-existent Self IP ([IP ADDR]); Create it in the /Common folder first.
Conditions:
Single NIC VE devices configured in a trust domain (e.g., HA)
Impact:
The mcpd process fails to start, and the configuration does not load.
Workaround:
Manually copy and paste the self IP configuration snippet into the /config/bigip_base.conf file:
1. Connect to the CLI.
2. Edit bigip_base.conf, and add the following:
net self self_1nic {
    address 10.0.0.1/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}
Note: replace 10.0.0.1 with the IP indicated in the error message
3. Save the changes and exit.
4. Load the configuration using the command:
tmsh load sys config
5. If APM or ASM is provisioned/configured, then also restart services with this command:
bigstart restart
851785-1 : BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver
Links to More Info: BT851785
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/13: page allocation failure: order:2, mode:0x204020
After that, a stack trace follows. The process name in the line ('swapper/16', in this example) varies: you may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the appliance 10350V-F D112.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase this to 128 MB (131072 KB).
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID851785' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on the BIG-IP appliance and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the BIG-IP appliance and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
851385-4 : Failover takes too long when traffic blade failure occurs
Links to More Info: BT851385
Component: Local Traffic Manager
Symptoms:
When blades 1 and 4 are disabled on the active chassis, the failover period is between 3.4 and 4.7 seconds before the next-active device starts processing messages.
If the blades are physically pulled from the chassis, the failure occurs within 1 second.
Conditions:
-- Multi-blade VIPRION system
-- Blades 1 and 4 are connected to the network via trunks, blades 2 and 3 are CPU-only blades
-- Blades 1 and 4 are disabled via the GUI
Impact:
Significant delay before BIG-IP delivers a web page during between-cluster failover
851121-3 : Database monitor DBDaemon debug logging not enabled consistently
Links to More Info: BT851121
Component: Local Traffic Manager
Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (mssql, mysql, postgresql, oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled vs. disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, etc. may not be logged consistently.
Conditions:
-- Using multiple database health monitors (mssql, mysql, postgresql, oracle)
-- Enabling debug logging on one or more database health monitors, but not all
Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).
# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
    debug yes
}
Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.
Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.
851101-2 : Unable to establish active FTP connection with custom FTP filter
Links to More Info: BT851101
Component: Local Traffic Manager
Symptoms:
Unable to establish active FTP connection with custom FTP filter.
Conditions:
All of the following conditions are true:
-- Virtual server using custom FTP filter.
-- FTP filter has port (port used for data channel) set to 0 (zero).
-- Virtual server has source-port set to preserve-strict.
-- Using active FTP through the virtual server.
Impact:
-- The active FTP data channel is reset.
-- Commands that require data channel in active mode fail.
Workaround:
-- Change source-port to change or preserve.
-- Set port on FTP filter to be used for data channel.
-- Use passive FTP.
851021-3 : Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error
Links to More Info: BT851021
Component: TMOS
Symptoms:
TMSH error example:
Configuration error: Can't associate ASM device sync (/Common/testsync/staging.example.com) folder does not exist
Conditions:
The conditions under which this occurs are unknown.
Impact:
Load of config file fails with an error that the folder does not exist.
Workaround:
Use 'tmsh load sys config verify', without specifying a specific file.
850997-3 : 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page
Links to More Info: BT850997
Component: TMOS
Symptoms:
The SNMPD daemon no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page.
Conditions:
Viewing the page at:
System :: High Availability : Fail-safe : System
Impact:
Unable to configure the high availability (HA) settings for the snmpd high availability (HA) daemon through the GUI.
Workaround:
Use TMSH to modify the snmpd high availability (HA) settings.
850357-3 : LDAP - tmsh cannot add config to nslcd.conf
Links to More Info: BT850357
Component: TMOS
Symptoms:
nslcd comes as a dependency package for nss-pam-ldapd, and the nslcd.conf file contains the configuration information for running nslcd.
tmsh does not support modification of nslcd.conf to include some options.
Conditions:
This is encountered only if you want to modify the nslcd configuration.
Impact:
You are unable to modify nslcd configuration for some options.
This prevents the ability to use certain ldap-based remote authentication techniques.
Workaround:
Manually modify the nslcd.conf file to include the configuration changes, and then restart the nslcd daemon with the command:
systemctl restart nslcd
850117-1 : Autodosd crash after assigning dos profile with custom signatures to a virtual server
Links to More Info: BT850117
Component: Advanced Firewall Manager
Symptoms:
When attaching a DoS profile to a virtual server, autodosd occasionally crashes.
Conditions:
-- AFM is provisioned
-- Performing profile attachment
Impact:
Autodosd crashes and restarts.
849349-3 : Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db.
Links to More Info: BT849349
Component: Application Security Manager
Symptoms:
Web app flow might fail resulting in JavaScript errors related to CSP policy.
Conditions:
-- ASM provisioned.
-- Bot-Defense or DoS Application profile assigned to a virtual server.
-- The backend server sends CSP headers.
Impact:
Web application flow might fail.
Workaround:
Attach an iRule:
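when HTTP_REQUEST {
    # Reset the saved CSP value for each request.
    set csp 0
}
when HTTP_RESPONSE {
    # Save the Content-Security-Policy header sent by the backend server.
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header value Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    # Restore the backend's original header before the response is released.
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}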
848681-5 : Disabling the LCD on a VIPRION causes blade status lights to turn amber
Links to More Info: BT848681
Component: TMOS
Symptoms:
When the LCD is disabled or turned off on a VIPRION system, the blade status lights turn amber.
Conditions:
You can cause this to occur by running the command:
tmsh modify sys db platform.chassis.lcd value disable
Impact:
Blade status lights change to amber, even if nothing is wrong with the system.
Workaround:
None.
848217-2 : Portal Access: default port encoded in rewritten url, need to be removed from host header in request to backend
Component: Access Policy Manager
Symptoms:
Bad or invalid response for a request in which the default port was used in the web application.
Conditions:
The default port is used in the URL, and the back-end application does not expect the default port in the request's Host header.
Impact:
The web application malfunctions.
Workaround:
A custom workaround iRule can be used to remove the default port from the rewritten URL.
846977-3 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★
Links to More Info: BT846977
Component: Local Traffic Manager
Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes') must be a non-negative integer.
Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:
/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].
Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.
Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.
Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.
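A pre-upgrade audit for this condition, as an added example (not F5 code): it scans iRule source for TCP::collect calls whose literal arguments break the 12.0.0 rule stated above, and lists calls with non-literal arguments for manual review. The sample iRule is constructed, and the function and constant names are assumptions.

```python
import re

# Constructed sample iRule text (not from a real configuration).
SAMPLE_IRULE = """\
ltm rule /Common/T_collect {
when CLIENT_ACCEPTED {
    TCP::collect 0 0
}
when CLIENT_DATA {
    # TCP::collect 0 0 inside a comment is not a call
    TCP::collect 16 -1
    TCP::collect $len 0
    TCP::collect 4
}
}
"""

# Capture everything after the command up to the end of the Tcl command.
CALL = re.compile(r"TCP::collect\b([^\];\n}]*)")
INT_LITERAL = re.compile(r"-?\d+")

# Rule from the release note: collect_bytes must be a positive integer,
# skip_bytes must be a non-negative integer.
ARG_RULES = (("collect_bytes", 1), ("skip_bytes", 0))


def check_collect_args(source):
    """Return (line, argument, token, verdict) tuples for suspect calls.

    verdict is "invalid" for a literal that breaks the rule, or "dynamic"
    for a variable or expression that has to be reviewed by hand.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if code.startswith("#"):
            continue  # Tcl comment line
        for call in CALL.finditer(code):
            tokens = call.group(1).split()
            for (name, minimum), token in zip(ARG_RULES, tokens):
                if not INT_LITERAL.fullmatch(token):
                    # Cannot evaluate variables or [expr ...] statically;
                    # stop here because later tokens may belong to it.
                    findings.append((lineno, name, token, "dynamic"))
                    break
                if int(token) < minimum:
                    findings.append((lineno, name, token, "invalid"))
    return findings


if __name__ == "__main__":
    for lineno, name, token, verdict in check_collect_args(SAMPLE_IRULE):
        print(f"line {lineno}: {name}={token} ({verdict})")
```
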
846873-3 : Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure
Links to More Info: BT846873
Component: Local Traffic Manager
Symptoms:
Traffic fails to pass through a virtual server.
Conditions:
-- Virtual server is removed and a new one is added in a single transaction.
-- Virtual server references a plugin profile.
For example, create a CLI transaction:
- delete ltm virtual vs_http
- create ltm virtual vs_https destination 1.1.1.1:443 vlans-enabled profiles replace-all-with { http ntlm oneconnect }
- submit cli transaction
Impact:
Traffic failure on the new virtual server.
Workaround:
Create a virtual server that does not accept any traffic, but keeps the NTLM MPI plugin channel alive:
tmsh create ltm virtual workaround destination 1.1.1.1:1 profiles replace-all-with { http oneconnect ntlm } vlans-enabled vlans none && tmsh save sys config
846521-5 : Config script does not refresh management address entry properly when alternating between dynamic and static
Links to More Info: BT846521
Component: TMOS
Symptoms:
Config script does not refresh management address entry properly when alternating between dynamic (DHCP) and static configuration.
Conditions:
- Management IP assignment is changed from dynamic (DHCP) to static.
- Same IP address is configured, as previously received from DHCP server.
Impact:
Remote management access is lost after DHCP lease expires.
Workaround:
Restart BIG-IP after changing the management IP address.
846141-3 : Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name.
Links to More Info: BT846141
Component: TMOS
Symptoms:
The REST API returns a 404 'Object not found' error when attempting direct access to a pool member that has a pipe symbol '|' in the server or virtual server name.
Conditions:
An iControl/REST call is made to a pool member whose server or virtual server name contains a | character.
Impact:
The iControl/REST call cannot manage a pool member associated with a virtual server or server whose name contains a | character.
Workaround:
Rename the server or virtual server to a name that does not contain the | character.
844925-2 : Command 'tmsh save /sys config' fails to save the configuration and hangs
Links to More Info: BT844925
Component: TMOS
Symptoms:
The 'tmsh save /sys config' command hangs and fails to save the configuration if there is a memory allocation failure when creating the reply.
Conditions:
-- A large number of iApps: in the thousands.
-- Each iApp has tens of variables.
Impact:
Because tmsh cannot save the configuration, if the BIG-IP system reboots, any changes made since the last successful save are lost.
Workaround:
Run the command:
tmsh save /sys config binary
This does not save the configuration to files in /config, but it does at least allow you to save the binary configuration.
That way, you can reboot the BIG-IP system and not lose the configuration.
Note: It is possible that a reboot will provide sufficient memory to save to configuration files. It depends on the configuration of virtual memory at the time of the save. It is possible that every time you want to save the config, you must use the binary option.
844597-2 : AVR analytics is reporting null domain name for a dns query
Links to More Info: BT844597
Component: Advanced Firewall Manager
Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.
Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.
Impact:
DNS domain name is reported as NULL
Workaround:
Enable the matching type vector on the DNS DoS profile.
844573-3 : Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.
Links to More Info: BT844573
Component: Access Policy Manager
Symptoms:
The log message when OAuth client or resource server fails to generate the secret is assigned an incorrect log level, and is incorrectly logged at the emergency level.
Conditions:
This is encountered when this message is logged by mcpd.
Impact:
Log message cannot be grouped with messages at the correct log level.
Workaround:
None.
844421 : Cipher ordering in cipher rules can be wrong
Links to More Info: BT844421
Component: Local Traffic Manager
Symptoms:
When a cipher string such as ECDHE:ECDH_RSA:NATIVE is used, the expansion is done in the wrong order.
Conditions:
Cipher rules are used, and some are expanded.
Impact:
Cipher ordering can change, so unexpected cipher suites are used.
Workaround:
None.
844337-2 : Tcl error log improvement for node command
Links to More Info: BT844337
Component: Local Traffic Manager
Symptoms:
Because of the Tcl error, connection gets reset and reports an error:
err tmm[18774]: 01220001:3: TCL error: /Common/test2- bad port in node <addr> <port> cmdTCL error (line 43) (line 43) invoked from within "node 172.x.x.x IP [LB::server port]"
Conditions:
Using node command under pre-load-balancing iRule events.
Impact:
Unclear port values in Tcl error message.
Workaround:
None.
844169-2 : TMSH context-sensitive help for diameter session profile is missing some descriptions
Links to More Info: BT844169
Component: Service Provider
Symptoms:
The tmsh context-sensitive help content for the following diameter session attributes is missing:
-- respond-unroutable
-- retransmission-action
-- retransmission-queue-limit-high
-- retransmission-queue-limit-low
-- retransmission-queue-max-bytes
-- retransmission-queue-max-messages
Conditions:
When attempting in tmsh to list a diameter session profile followed by a question mark for context-sensitive help, for example:
list ltm message-routing diameter profile session <sess-name> ?
Impact:
The specified attributes are not described.
Workaround:
These are the missing descriptions:
-- respond-unroutable: When selected (enabled), messages that do not match any known route will be transformed into an error answer message and sent to the originator of the request. When disabled, unroutable request messages are routed back to the connection where they came from. The default value is disabled.
-- retransmission-action: Specifies the action performed when retransmission has been triggered for a request message. The options are:
1) Disabled: Retransmission is disabled. This is the default action.
2) Busy: An answer message is generated with a TOO_BUSY result code and returned to the originator of the request.
3) Unable: An answer message is generated with an UNABLE_TO_DELIVER result code and returned to the originator of the request.
4) Retransmit: The request message will be retransmitted.
-- retransmission-queue-limit-high: Specifies the high watermark for the retransmission queue (in percentage). If the retransmission queue exceeds this limit, the transport window will begin closing. A value of 0 will disable closing the transport window. Valid range from 0 to 100. The default value is 90.
-- retransmission-queue-limit-low: Specifies the low watermark for the retransmission queue (in percentage). If the retransmission queue drops below this limit, the transport window will reopen. Valid range from 0 to 100. The default value is 60.
-- retransmission-queue-max-bytes: Specifies the maximum number of bytes that can be stored in a connection's retransmission queue. A value of 0 will disable this limit. The default value is 131072 bytes.
-- retransmission-queue-max-messages: Specifies the maximum number of messages that can be stored in a connection's retransmission queue. A value of 0 will disable this limit. The default value is 1024 messages.
843661-3 : TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command
Links to More Info: BT843661
Component: TMOS
Symptoms:
TMSH currently allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command, but the option is not honored and the entire license is revoked.
Conditions:
-- BIG-IP license and add-on license are installed.
-- Attempt to revoke the system license with 'add-on-keys' as an option.
Impact:
Add-on-keys option is ignored, and the entire license is revoked instead.
Workaround:
None.
843317-1 : The iRules LX workspace imported with incorrect SELinux contexts
Links to More Info: BT843317
Component: Local Traffic Manager
Symptoms:
Files imported from iRules LX workspace may have incorrect SELinux contexts such as abrt_var_cache_t.
This can cause reloading the workspace to fail with errors:
01070079: failed to create workspace archive ... Return code {2}
Conditions:
Importing the iRules LX workspace.
Impact:
Workspace cannot be imported
Workaround:
As a workaround you can run the following command on the folders to restore the context:
restorecon -R -v
843293-2 : When L7 performance FPGA is loaded, "tmsh show sys fpga" shows standard-balanced-fpga.
Links to More Info: BT843293
Component: TMOS
Symptoms:
When L7 performance FPGA is loaded, "tmsh show sys fpga" shows standard-balanced-fpga. "tmsh list sys fpga" will list the expected type "l7-performance-fpga".
Conditions:
-- iSeries i5000/i7000/i10000/i11000/i15000 platform
-- Pay as you grow (PAYG) license applied
-- L7 performance FPGA is loaded
Impact:
"tmsh show sys fpga" shows standard-balanced-fpga
This is cosmetic and there is no functional impact. "tmsh list sys fpga" will list the correct type "l7-performance-fpga".
Workaround:
N/A
842669-1 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
Links to More Info: BT842669
Component: TMOS
Symptoms:
Systemd-journald cannot handle logs with embedded newlines and writes the trailing content to /var/log/user.log. A bare ')' is logged to /var/log/user.log, for example:
cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )
Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as
- The cron process tries and fails to send an email because of output about a cron script.
- Modify syslog include configuration
- Apply ASM policy configuration change
- GTM.debugprobelogging output from big3d
Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes the first line to the appropriate file and the remaining lines to /var/log/user.log.
Workaround:
View the logs using journalctl
842425-3 : Mirrored connections on standby are never removed in certain configurations
Links to More Info: BT842425
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
842193-3 : Scriptd coring while running f5.automated_backup script
Links to More Info: BT842193
Component: iApp Technology
Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:
-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING
-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.
-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY (/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED
Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.
Impact:
Scriptd core.
Workaround:
Increasing the sys scriptd max-script-run-time higher than the default of 300 seconds might be helpful if the higher timeout allows the script to complete.
For example, if the script is saving a UCS and the save takes 400 seconds, then increasing the max-script-run-time to 430 seconds would allow the script to finish and would work around this issue.
842137-5 : Keys cannot be created on module protected partitions when strict FIPS mode is set
Links to More Info: BT842137
Component: Local Traffic Manager
Symptoms:
When FIPS mode is set to use FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition
Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition
-- You attempt to create a FIPS key using that partition
Impact:
New Keys cannot be created
Workaround:
Here are all the steps to generate a new netHSM key called "workaround" and install it into the BIG-IP config:
1.
[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...
Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>
str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
operation Operation to perform generate
application Application pkcs11
protect Protected by module
verify Verify security of key yes
type Key type RSA
size Key size 2048
pubexp Public exponent for RSA key (hex)
embedsavefile Filename to write key to workaround
plainname Key name workaround
x509country Country code
x509province State or province
x509locality City or locality
x509org Organisation
x509orgunit Organisation unit
x509dnscommon Domain name
x509email Email address
nvram Blob in NVRAM (needs ACS) no
digest Digest to sign cert req with sha256
Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory
2. (this is to confirm the key is present with the label "workaround")
[root@bigip1::Active:Standalone] config # nfkminfo -l
Keys with module protection:
key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'
Keys protected by cardsets:
...
3.
[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm
4. (install public certificate)
[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround
842029-1 : Unable to create policy: Inherited values may not be changed.
Links to More Info: BT842029
Component: Application Security Manager
Symptoms:
When you create a new child policy you see the following error in the GUI:
Could not update the Policy. Inherited values may not be changed.
Conditions:
1. Parent policy created using the Fundamental Template
a. Differentiate between HTTP/WS and HTTPS/WSS URLs is Disabled
b. Auto-Added Signature Accuracy set to High.
2. Parent policy contains a custom filter-based signature.
3. Child policy is created from the parent policy assigned.
Impact:
You are unable to create a policy via the GUI.
Workaround:
Use direct REST API calls or tmsh.
841985-3 : TSUI GUI stuck for the same session during long actions
Links to More Info: BT841985
Component: Application Security Manager
Symptoms:
The GUI becomes unresponsive when you perform an operation that takes a long time (e.g., Attack Signatures update).
Conditions:
Long-running task is performed, such as export/import/update signatures.
Impact:
GUI is unresponsive for that session.
Workaround:
If you need to continue working while a long task is being performed, you can log in via another browser.
841721-3 : BWC::policy detach appears to run, but BWC control is still enabled
Links to More Info: BT841721
Component: TMOS
Symptoms:
The dynamic BWC policy can be attached from iRules but not detached. No error occurs when BWC::policy detach is run, but the detached policy continues to work.
Conditions:
-- Dynamic BWC policy for an HTTP request URI during session.
-- Running BWC::policy detach.
Impact:
The detached policy continues to work.
Workaround:
None.
841469-4 : Application traffic may fail after an internal interface failure on a VIPRION system.
Links to More Info: BT841469
Component: Local Traffic Manager
Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.
For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.
Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.
For example, if on a 4-slot chassis, blades 2 and 3 become disconnected from one another, the following is TMM's computation of which slots are on-line:
slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.
You can run the following command to inspect the CMP state of each slot:
clsh 'tmctl -d blade -s cmp_state tmm/cmp'
All slots should report the same state, for instance:
# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
15
=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
15
=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
15
=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
15
When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:
-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
And a CMP transition will be visible in the /var/log/tmm file similar to the following example:
-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb
For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.
Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.
Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.
Workaround:
F5 recommends the following to minimize the impact of this potential issue:
1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).
The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.
To ensure this functionality will trigger, the following configuration requirements must be met:
a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).
Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.
2) For 'regular' standalone units.
If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.
3) For a standalone chassis which belongs to a pool on an upstream load-balancer.
If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.
An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.
The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.
Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.
When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:
-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.
-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.
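The CMP-state comparison described in this entry can be automated for the monitoring case. The following is an added example, not F5 code: it parses the `clsh 'tmctl -d blade -s cmp_state tmm/cmp'` output format shown above and the bcm56xxd log line, and flags slots that disagree. The sample output is constructed from the 4-slot scenario above, and the bitmask reading (bit n-1 = slot n) is inferred from that scenario's values.

```python
import re
from collections import defaultdict

# Constructed sample: clsh/tmctl output for the 4-slot failure described above
# (blades 2 and 3 cannot reach each other over the data backplane).
SAMPLE_OUTPUT = """\
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
11
=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
13
=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
15
=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
15
"""

# Log line as shown in the /var/log/ltm excerpt above.
LTM_LINE = ("info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 "
            "port 0 slot 2; CMP state changed from 0xf to 0xd")

SLOT_HEADER = re.compile(r"^=== slot (\d+) addr \S+ color \S+ ===$")
CMP_CHANGE = re.compile(r"CMP state changed from (0x[0-9a-f]+) to (0x[0-9a-f]+)",
                        re.IGNORECASE)


def parse_cmp_states(text):
    """Return {slot: cmp_state} parsed from clsh/tmctl output."""
    states = {}
    slot = None
    for line in text.splitlines():
        line = line.strip()
        header = SLOT_HEADER.match(line)
        if header:
            slot = int(header.group(1))
        elif slot is not None and line.isdigit():
            states[slot] = int(line)
            slot = None  # ignore anything else until the next slot header
    return states


def slots_online(cmp_state):
    """Decode the bitmask: bit (n-1) set means slot n is considered on-line."""
    return [bit + 1 for bit in range(cmp_state.bit_length())
            if (cmp_state >> bit) & 1]


def find_discrepancy(states):
    """Return [] when all slots agree, otherwise one tuple per distinct state:
    (cmp_state, slots reporting it, slots that state considers off-line)."""
    by_state = defaultdict(list)
    for slot, state in states.items():
        by_state[state].append(slot)
    if len(by_state) <= 1:
        return []
    all_slots = set(states)
    return [(state, sorted(by_state[state]),
             sorted(all_slots - set(slots_online(state))))
            for state in sorted(by_state)]


def slots_lost(log_line):
    """Slots dropped by a 'CMP state changed from X to Y' log line."""
    change = CMP_CHANGE.search(log_line)
    if not change:
        return []
    old, new = int(change.group(1), 16), int(change.group(2), 16)
    return slots_online(old & ~new)


if __name__ == "__main__":
    for state, reporters, missing in find_discrepancy(parse_cmp_states(SAMPLE_OUTPUT)):
        print(f"cmp_state {state:#x}: reported by slots {reporters}, "
              f"treats slots {missing} as off-line")
    print("log line drops slots:", slots_lost(LTM_LINE))
```
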
841369-1 : HTTP monitor GUI displays incorrect green status information
Links to More Info: BT841369
Component: Local Traffic Manager
Symptoms:
The LTM HTTP monitor GUI displays an incorrect green status when the related pool is down.
TMSH shows the correct information.
Conditions:
LTM HTTP monitor destination port does not match with pool member port.
Impact:
LTM HTTP marks the node down, but the Instances tab of the monitor in the GUI reports the status as green
Workaround:
You can use either of the following workarounds:
-- Use TMSH to get correct info.
-- Ensure that LTM HTTP monitor destination port does match pool member port.
841341-4 : IP forwarding virtual server does not pick up any traffic if destination address is shared.
Links to More Info: BT841341
Component: Local Traffic Manager
Symptoms:
Virtual servers do not forward any traffic but the SNAT does.
Conditions:
-- Multiple wildcard IP forwarding virtual servers with the same destination address.
-- SNAT is configured.
Impact:
IP forwarding virtual server does not pick up any traffic.
Workaround:
Delete and then re-create virtual servers.
840785-3 : Update documented examples for REST::send to use valid REST endpoints
Links to More Info: BT840785
Component: Local Traffic Manager
Symptoms:
The documented examples for REST::send refer to REST endpoints that are not valid.
Conditions:
Viewing the documentation at https://clouddocs.f5.com/api/irules/REST__send.html.
Impact:
Invalid examples lead to potential confusion.
Workaround:
Use valid REST endpoints, documented at https://clouddocs.f5.com/api/icontrol-rest/APIRef.html.
840257-2 : Portal Access: HTML iframe sandbox attribute is not supported
Links to More Info: BT840257
Component: Access Policy Manager
Symptoms:
Issues with content displayed in iframes.
Conditions:
Using an iframe with the sandbox attribute in a web application.
Impact:
The web application does not work as expected.
Workaround:
Use an iRule as a workaround. Although the exact content of the iRule is strongly dependent on the web application, you can use the following iRule as a good example that can be customized:
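when REWRITE_REQUEST_DONE {
    # Post-process only responses for the matching path (placeholder; customize it).
    if {
        [HTTP::path] ends_with "/CUSTOM_PATH_TO_JS_FILE"
    } {
        REWRITE::post_process 1
    }
}
when REWRITE_RESPONSE_DONE {
    # Rename every sandbox=" attribute to sandbo1=" so that the browser
    # no longer applies the iframe sandbox to the affected content.
    while {true} {
        set str { sandbox="}
        set strt [string first $str [REWRITE::payload]]
        set str_len [string length $str]
        if {
            $strt > 0
            and
            $strt < [expr {[REWRITE::payload length] - $str_len}]
        } {
            REWRITE::payload replace $strt $str_len { sandbo1="}
        } else {
            break
        }
    }
}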
840249-3 : With BIG-IP as a SAML IdP, important diagnostic information is not logged
Links to More Info: BT840249
Component: Access Policy Manager
Symptoms:
When the BIG-IP system is configured as a SAML IdP and processes a SAML Authentication Request, if it does not find the appropriate SAML SP connector, it does not log relevant information such as the Issuer, ACS_URL, and Protocol binding from the Authentication request.
Conditions:
This occurs when a BIG-IP system is configured as a SAML IdP and processes a SAML Authentication request, but does not find an appropriate SP configuration that matches the information provided in the SAML Authentication request.
Impact:
Troubleshooting the issue and fixing the SAML configuration is difficult since there is no relevant information in the error log.
Workaround:
Enable the log level for SSO to 'Debug', and capture the logs at the debug level to troubleshoot further.
839361-4 : iRule 'drop' command does not drop packets when used in DNS_RESPONSE
Links to More Info: BT839361
Component: Global Traffic Manager (DNS)
Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event.
Conditions:
iRule drop is used under DNS_RESPONSE event.
Impact:
DNS response may be improperly forwarded to the client.
Workaround:
Use DNS::drop instead.
838925-5 : Rewrite URI translation profile can cause connection reset while processing malformed CSS content
Links to More Info: BT838925
Component: TMOS
Symptoms:
Malformed CSS in which one of the style rules is missing a closing brace could cause the LTM Rewrite profile to stop processing the file or reset the connection.
Conditions:
-- LTM Rewrite (URI translation) profile is attached to virtual server.
-- Content rewriting is enabled in Rewrite profile settings.
-- CSS file contains style rule with missing closing brace.
Impact:
URLs are not modified within affected files, starting from the missing closing brace. Intermittent connection resets occur.
Workaround:
Before rewriting, insert the missing symbol into CSS content either directly on the backend server or with an iRule.
838405-1 : Listener traffic-group may not be updated properly when spanning is in use.
Links to More Info: BT838405
Component: Local Traffic Manager
Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.
Conditions:
Spanning is disabled or enabled on a virtual address.
Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.
Depending on the configuration, virtual server may or may not forward the traffic when expected.
Workaround:
Enable/Disable spanning together with changing a traffic-group:
> modify ltm virtual-address 0.0.0.0 traffic-group none spanning enabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled
838337-3 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
Links to More Info: BT838337
Component: TMOS
Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.
Conditions:
None.
Impact:
BIG-IP systems configured to use "America/Sao_Paulo" (or other applicable Brazilian localities) will still apply DST. Hence, time will spring forward and backward on previously designated dates.
This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.
Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):
zdump -v <timezone>
For example:
zdump -v America/Sao_Paulo
Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country that has the same UTC offset and does not observe DST.
For example, instead of using "America/Sao_Paulo", you could use "America/Buenos_Aires" to obtain the same result.
838269-1 : ASM cannot save sync file after MySQL corruption following forcible restart
Links to More Info: BT838269
Component: Application Security Manager
Symptoms:
ASM cannot save sync file after MySQL corruption following forcible restart.
Conditions:
MySQL was restarted forcibly, possibly following /var disk partition exhaustion.
Impact:
ASM cannot save sync files. This prevents saving UCS and high availability (HA) sync.
Workaround:
As a workaround, it may be possible to delete all files under /var/lib/mysql/PLC_ucs and restart MySQL.
However, in our experience, once MySQL has been corrupted by forcible restarts and/or disk exhaustion, it is more advisable to reinstall the device from scratch and load the saved configuration.
837101-1 : AVR and BIG-IQ stats show N/A bar for Source IP and domain name on DNS query packet
Links to More Info: BT837101
Component: Advanced Firewall Manager
Symptoms:
AVR and BIG-IQ stats show an N/A bar for Source IP and domain name fields on DNS query packets, while the correct IP and domain name is shown in other bars.
Conditions:
-- AFM is provisioned.
-- DNS traffic is processed.
Impact:
No functional impact, but incorrect and redundant results are shown in AVR.
Workaround:
None.
835505-2 : Tmsh crash potentially related to NGFIPS SDK
Links to More Info: BT835505
Component: Local Traffic Manager
Symptoms:
Tmsh crash occurs rarely. The NGFIPS SDK may generate a core as well.
Conditions:
The exact conditions that trigger this are unknown.
It can be encountered when running the following tmsh command:
tmsh -a show sys crypto fips key field-fmt include-public-keys all-properties
Impact:
Tmsh may crash. You are exited from tmsh if you were using it as a shell.
Workaround:
None.
834217-5 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
Links to More Info: BT834217
Component: Local Traffic Manager
Symptoms:
Due to a known issue, the BIG-IP system may advertise a sub-optimal TCP window size.
Conditions:
Result of (init-rwnd * client-mss) is greater than maximum window size (65,535).
Impact:
Degraded TCP performance.
Workaround:
Do not use init-rwnd values that might result in values higher than maximum window size (65,535).
Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.
833173-2 : SFP interface flap on 2xxx/4xxx platform
Links to More Info: BT833173
Component: Local Traffic Manager
Symptoms:
SFP interfaces start flapping on 2xxx/4xxx platforms, and it takes some time to go into an up/running state.
Conditions:
Happens on the following platforms using the SFP interface:
2000s/2200v
4000s/4200v
Impact:
Interfaces are unusable until they stop flapping and go into an up/running state.
Workaround:
There is no known mitigation except to wait for the interface to go into the up/running state.
832665-2 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5
Links to More Info: BT832665
Component: TMOS
Symptoms:
Features supported in newer versions of open-vm-tools will not be available.
Conditions:
This issue may be seen when running in VMware environments.
Impact:
Features that require a later version of open-vm-tools will not be available.
Workaround:
None.
832653 : Azure scan table warnings can be ignored.
Links to More Info: BT832653
Component: TMOS
Symptoms:
When running BIG-IP Virtual Edition (VE) in the Azure cloud environment, you may see warnings in daemon and user log files:
-- warning: tm_install::DosPtable::scan_table -- identification of /dev/sdb1 failed; ID is 7.
-- warning: tm_install::DosPtable::scan_table -- identification of /dev/sdb1 failed; ID is 7.
This warning is due to installer code that expects to be running on official F5 hardware. This warning can be ignored.
Conditions:
This warning may be seen when running BIG-IP VE in the Azure cloud environment.
Impact:
These are benign warning messages that can be safely ignored.
Workaround:
None.
832233-3 : The iRule regexp command issues an incorrect warning
Links to More Info: BT832233
Component: Local Traffic Manager
Symptoms:
At validation time, mcpd issues a warning similar to the following:
warning mcpd[7175]: 01071859:4: Warning generated : /Common/test1:2: warning: ["\1" has no meaning. Did you mean "\\1" or "1"?][{(test) (\1)}]
Conditions:
Use arguments such as "\1", "\2", "\3" etc., in command regexp.
Impact:
A warning is generated, "\1" has no meaning, even though it is valid.
Workaround:
Ignore the warning.
832133-3 : In-TMM monitors fail to match certain binary data in the response from the server.
Links to More Info: BT832133
Component: Local Traffic Manager
Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system still marks them DOWN.
Conditions:
This issue occurs when all of the following conditions are met:
-- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).
-- One (or more) of your TCP or HTTP monitors specifies a receive string using HEX encoding, in order to match binary data in the server's response.
-- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.
Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.
Workaround:
You can use either of the following workarounds:
-- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.
-- Do not monitor the application through a binary response (if the application allows it).
831161-3 : An iRule before HTTP_REQUEST calling persist none can crash tmm
Links to More Info: BT831161
Component: Local Traffic Manager
Symptoms:
During an iRule event that occurs before HTTP_REQUEST (e.g., FLOW_INIT or CLIENT_ACCEPTED), disabling persistence with 'persist none' can crash tmm.
Conditions:
An iRule event that occurs before HTTP_REQUEST (e.g., FLOW_INIT or CLIENT_ACCEPTED) disables persistence with 'persist none'.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
831105-1 : Session timeout in diadb entry is updated to 180 on unsuccessful transaction
Links to More Info: BT831105
Component: Service Provider
Symptoms:
Diameter MRF persist records are not deleted at session timeout.
Conditions:
-- Diameter MRF in use
-- An unsuccessful CCR transaction occurs
Impact:
Unsuccessful transaction attempts do not time out and remain in the session database.
Workaround:
An iRule can be used to reset session timeout in diadb upon an unsuccessful transaction through MR_FAILED by executing DIAMETER::persist reset.
829861 : iApp UI broken when referencing to iApp profile /Common/_sys_radius_proto_imsi
Links to More Info: BT829861
Component: iApp Technology
Symptoms:
When deploying a custom iApp template, the GUI says "An error has occurred while trying to process your request"
Conditions:
A custom iApp template is deployed that is derived from _sys_radius_proto_imsi
Impact:
UI display is impacted for the affected iApp.
829661-2 : TCP connection fails to establish when an SFC policy is enabled
Links to More Info: BT829661
Component: TMOS
Symptoms:
TCP Connections fail to establish. Data transfer does not happen.
Conditions:
-- SFC chain is configured on the system.
-- The configured SFC chain contains legacy servers (non-SFC) as part of the chain.
-- A source port changes from one hop of the SFC chain to next hop.
Impact:
TCP Connections fail to establish. Data transfer does not happen.
Workaround:
None.
829657-2 : Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses
Links to More Info: BT829657
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
PEM configured with a multi-IP subscriber with more than 16 IP addresses.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not create a PEM subscriber with more than 16 IP addresses.
829653-3 : Memory leak due to session context not freed
Links to More Info: BT829653
Component: Policy Enforcement Manager
Symptoms:
Memory increases slowly
Conditions:
A PEM iRule times out
Impact:
Memory could be exhausted depending on the frequency of the command timeouts
829029-3 : Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error
Links to More Info: BT829029
Component: Application Security Manager
Symptoms:
Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error.
Conditions:
At least two REST calls adding Attack Signatures and/or Attack Signature Sets which are sent in quick succession to the BIG-IP system.
Impact:
REST calls after the first may not be successful, resulting in failure to modify configuration as desired.
Workaround:
Retry the subsequent REST calls.
829021-4 : BIG-IP does not account a presence of http2 profile when response payload is modified
Links to More Info: BT829021
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might close a connection when the HTTP response payload is modified and sent without chunking encoding. If communication goes over an HTTP connection, the BIG-IP system closes a connection to tell a client that a response is served. With HTTP/2 connections, an unsized response is marked with the END_STREAM flag. This case is not accounted for, and the BIG-IP system closes HTTP communication with a server anyway.
Conditions:
-- A virtual server has an http/2 profile configured on the client side.
-- There are other profiles configured which can modify the HTTP response payload.
Impact:
The BIG-IP system wastes resources not reusing a server side HTTP connection when an unsized response is sent over an HTTP/2 connection to a client.
Workaround:
None.
828873-2 : Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor
Links to More Info: BT828873
Component: TMOS
Symptoms:
In the deployment of BIG-IP 15.0.0 on Nutanix AHV Hypervisor, f5-label service is failing with inappropriate input device error.
Conditions:
Deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor.
Impact:
A deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor is not stable enough to log in to the GUI or terminal.
Workaround:
Steps:
1. Mount the drive:
mount -o rw,remount /usr
2. Add a comment below the line in the '/usr/lib/systemd/system/f5-label.service' service file:
#StandardInput=tty
3. Reload the daemon:
systemctl daemon-reload
4. Restart the service:
systemctl restart f5-label
828625-1 : User shouldn't be able to configure two identical traffic selectors
Links to More Info: BT828625
Component: TMOS
Symptoms:
Config load fails when issuing "tmsh load sys config verify":
01070734:3: Configuration error: Duplicate traffic selector is not allowed
Unexpected Error: Validating configuration process failed.
Conditions:
Duplicate IP addresses on multiple traffic-selectors attached to different ipsec-policies.
Impact:
Config load will fail after a reboot
Workaround:
Delete duplicate traffic-selectors.
827441-1 : Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail
Links to More Info: BT827441
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends a TCP SYN to the back-end server, but ignores the server's SYN-ACK response.
Conditions:
A virtual server that contains a UDP profile with idle-timeout immediate is modified to replace the UDP profiles with TCP profiles.
Impact:
Connections from the BIG-IP system to backend servers fail.
Workaround:
Delete and recreate the virtual server.
827293-2 : TMM may crash running remote tcpdump
Links to More Info: BT827293
Component: TMOS
Symptoms:
TMM crashes.
Conditions:
-- Tcpdump is run with the --remote-dest parameter.
-- The destination address is routed via a VLAN, whose cmp-hash setting has been changed from default to src-ip.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not route remote tcpdump operations via a VLAN with non-default cmp-hash settings.
827209-2 : HSB transmit lockup on i4600
Links to More Info: BT827209
Component: TMOS
Symptoms:
TMM logs an HSB transmit lockup message and cores.
Conditions:
-- Using an i4600 platform.
-- Other conditions under which this occurs are unknown.
Impact:
Disruption to processing traffic on the BIG-IP system.
Workaround:
None.
827021-2 : MCP update message may be lost when primary blade changes in chassis
Links to More Info: BT827021
Component: TMOS
Symptoms:
In a VIPRION chassis, when the Primary blade is disabled (intentionally or due to an unexpected loss of functionality) and a new Primary blade is selected, there is a brief window of time during which status messages forwarded from MCPD on a Secondary blade to MCPD on the Primary blade might be dropped, possibly resulting in an incorrect view of the state of configured objects.
Conditions:
This problem may occur under the following conditions:
-- The state of a blade-local object/resources (such as a network interface or trunk) changes.
-- There is a high load on MCPD (for example, due to configuration reload on the new Primary blade) which delays processing of some MCPD actions.
Impact:
This problem may result in the state of blade-local objects (such as interfaces or trunks) being seen and reported incorrectly across the blades in the chassis, or on one or more specific blades (Primary, Secondary) in the chassis.
For example, if loss of the Primary blade results in one or more interfaces in a trunk being marked down by LACPD on a specific blade, resulting changes in trunk/member status may not be propagated correctly to the Primary blade, and from there to other Secondary blades.
Workaround:
None.
826437 : CSR subject fields with comma(,) are truncated during certificate renewal via the GUI.
Links to More Info: BT826437
Component: TMOS
Symptoms:
CSR subject fields getting truncated during certificate renewal via the GUI.
Conditions:
-- Certificate subject field contains comma(,)
-- Renewing the certificate via the GUI.
Impact:
Invalid certificate signing requests are created. This may not be apparent until certificate validation occurs, or when the certificate authority denies the certificate signing request.
Workaround:
TMSH command line interface can be used to create the CSR when commas are present in subject field.
826313-4 : Error: Media type is incompatible with other trunk members★
Links to More Info: BT826313
Component: TMOS
Symptoms:
Loading the system configuration fails after upgrade with the following error message:
01070619:3: Interface 5.0 media type is incompatible with other trunk members
Conditions:
-- Trunk interface created in BIG-IP version 12.3.4.
-- Trunk interfaces have different speeds (e.g. 100Mb interfaces and 1Gb interfaces)
-- Load the configuration after upgrading from v12.1.3.4 to v12.1.3.5.
Impact:
The system configuration is failing to load.
Workaround:
If you encounter this error, manually fix all trunks to only use interfaces of the same speed, and then load the configuration.
826297-1 : Address list as source/destination for virtual server cannot be changed from tmsh
Links to More Info: BT826297
Component: TMOS
Symptoms:
An address list used as the source/destination for a virtual server cannot be changed from tmsh, although it can be changed from the GUI.
Conditions:
For an address created in tmsh:
# list security shared-objects address-list
security shared-objects address-list testAddressList {
    addresses {
        1.1.1.1/32 { }
        2.2.2.2/32 { }
    }
}
There is no Address list option shown in virtual server config:
# modify ltm virtual test source
Configuration Items:
[enter address or address/prefixlen] <==!!
Impact:
Address list as source/destination for virtual server cannot be changed from tmsh.
Workaround:
Use the GUI to make changes to the Address list as source/destination for virtual server.
826265-3 : The SNMPv3 engineBoots value restarts at 1 after an upgrade
Links to More Info: BT826265
Component: TMOS
Symptoms:
Many SNMPv3 clients pay attention to the engineBoots value as part of server authentication. When the BIG-IP system is upgraded, the engineBoots value is not retained, so it restarts at 1.
Conditions:
Upgrading a BIG-IP system whose engineBoots value is greater than 1.
Impact:
The engineBoots value is reset to 1. This may look like an error condition for the SNMPv3 client.
Workaround:
1. Run the following command (where n = the value at which you want to start the engineBoots):
tmsh modify sys snmp include 'engineBoots n'
2. Restart SNMPD.
826189-2 : The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.
Links to More Info: BT826189
Component: TMOS
Symptoms:
The input validation performed by the BIG-IP system WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.
The WebUI should allow users to specify only a prefix (for example, 2001:db8:0:0:0:0:0:0 or 2001:db8::); however, it incorrectly allows users to specify a subnet mask too (for example, 2001:db8:0:0:0:0:0:0/96 or 2001:db8::/96).
In contrast, the TMSH utility correctly enforces values for this option.
Conditions:
The BIG-IP Administrator creates or modifies a DNS profile using the WebUI, and specifies an IP/SM value for the dns64-prefix option.
Impact:
Upon performing DNS64, TMM returns incorrect DNS answers that do not use the specified prefix. For example, if the Administrator specifies 2001:db8:0:0:0:0:0:0/96 as the prefix, and if the IPv4 address of the requested resource is 198.51.100.1, DNS64 returns ::198.51.100.1 instead of 2001:db8::c633:6401. This prevents end-user clients from reaching the intended resource.
The impact described in this section only applies to BIG-IP versions 14.1.0 and later. Previous BIG-IP versions also had this WebUI validation issue, but despite this TMM still returned the correct DNS answer.
Workaround:
When configuring this option using the WebUI, do not specify a subnet mask.
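The prefix check and the expected DNS64 answer from this entry can be verified offline. The following is an added example, not F5 code: it rejects dns64-prefix values that carry a subnet mask and computes the synthesized AAAA address for comparison with what TMM returns. It assumes the 96-bit prefix form of RFC 6052 used in the example above; the profile names in the sample are constructed.

```python
import ipaddress


def validate_dns64_prefix(value):
    """Accept a bare IPv6 prefix; reject IP/mask forms such as 2001:db8::/96.

    Returns the parsed IPv6Address or raises ValueError.
    """
    if "/" in value:
        raise ValueError(f"dns64-prefix must not include a subnet mask: {value!r}")
    addr = ipaddress.IPv6Address(value)  # AddressValueError is a ValueError
    # Assumption: 96-bit prefix, so the low 32 bits must be free for the IPv4 address.
    if int(addr) & 0xFFFFFFFF:
        raise ValueError(f"low 32 bits of a 96-bit DNS64 prefix must be zero: {value!r}")
    return addr


def synthesize_aaaa(prefix, ipv4):
    """RFC 6052 /96 embedding: 96 prefix bits followed by the 32-bit IPv4 address."""
    base = validate_dns64_prefix(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(base) | int(v4))


def answer_uses_prefix(prefix, ipv4, answer):
    """True if a DNS64 answer seen on the wire matches the expected synthesis."""
    return ipaddress.IPv6Address(answer) == synthesize_aaaa(prefix, ipv4)


def audit_profiles(profiles):
    """profiles: {profile name: dns64-prefix value}. Return names whose value is rejected."""
    rejected = []
    for name, value in profiles.items():
        try:
            validate_dns64_prefix(value)
        except ValueError:
            rejected.append(name)
    return sorted(rejected)


# Constructed sample: profile names are hypothetical, values are those quoted above.
SAMPLE_PROFILES = {
    "dns_short": "2001:db8::",
    "dns_long": "2001:db8:0:0:0:0:0:0",
    "dns_masked_short": "2001:db8::/96",
    "dns_masked_long": "2001:db8:0:0:0:0:0:0/96",
}

if __name__ == "__main__":
    print("rejected profiles:", audit_profiles(SAMPLE_PROFILES))
    print("expected answer:", synthesize_aaaa("2001:db8::", "198.51.100.1"))
    print("'::198.51.100.1' uses prefix:",
          answer_uses_prefix("2001:db8::", "198.51.100.1", "::198.51.100.1"))
```
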
826049-1 : French language spelling error in BIG-IP Edge Client message window
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client message window contains spelling error while displaying in French language:
En cour de Réinstallation du
Conditions:
Using the BIG-IP Edge Client in a French environment.
Impact:
The message should be: En cours de Réinstallation du
Workaround:
None.
824809-4 : bcm56xxd watchdog restart
Links to More Info: BT824809
Component: TMOS
Symptoms:
During initialization of very large configurations it is possible that the watchdog timer will fire and reset the bcm56xxd driver.
Conditions:
System configuration with very large number of objects being loaded.
Impact:
The driver restarts.
824437-2 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.
Links to More Info: BT824437
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:
Assertion "xbuf_delete_until successful" failed.
Conditions:
This issue occurs when the following conditions are met:
-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.
-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.
824433-1 : Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile
Links to More Info: BT824433
Component: Local Traffic Manager
Symptoms:
The HTTP/1.1 request/response statistic fields in the HTTP profile are incremented incorrectly when HTTP2 traffic is encountered.
There is not currently a way to view the HTTP2 and HTTP3 request/response stats on the HTTP profile.
Conditions:
-- Client or server sends HTTP2 request/response.
-- Using GUI, TMSH, iControl (SOAP), or SNMP.
Impact:
Incorrect HTTP/1.1 request/response statistic values are present in the HTTP profile when HTTP2 traffic is encountered.
Workaround:
None.
824205-1 : GUI displays error when a virtual server is modified if it is using an address-list
Links to More Info: BT824205
Component: TMOS
Symptoms:
When you modify a virtual server, the GUI returns an error similar to the following:
01b90011:3: Virtual Server /Common/vs2_udp's Traffic Matching Criteria /Common/vs2_udp_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1_tcp destination address, source address, service port.
Conditions:
This occurs when either of the following occur:
-- When renaming the virtual server.
-- When changing the address-list attribute.
Impact:
Cannot update virtual configuration with new value.
Workaround:
None.
823825-5 : Renaming high availability (HA) VLAN can disrupt state-mirror connection
Links to More Info: BT823825
Component: Local Traffic Manager
Symptoms:
If the VLAN that services the state mirror connection between BIG-IP systems is renamed, it can cause a disruption of the state mirror connection. It can also lead to an eventual crash.
Conditions:
Renaming the VLAN that services the state mirror connection between BIG-IP systems in a high availability (HA) configuration.
Impact:
System might crash eventually.
Workaround:
Do not rename the VLAN that services the state mirror connection between BIG-IP systems in a high availability (HA) configuration.
822393-2 : Prober pool selected on server or data center not being displayed after selection in Internet Explorer
Links to More Info: BT822393
Component: Global Traffic Manager (DNS)
Symptoms:
The selected prober pool is not visible on the server or data center in Internet Explorer or Edge.
Conditions:
This occurs when you have a prober pool configured for a data center or server, and you are viewing them in the GUI using Internet Explorer or Edge.
Impact:
The prober pool is not displayed.
Workaround:
Use Chrome or Firefox as the browser.
822253-3 : After starting up, mcpd may have defunct child "run" and "xargs" processes
Links to More Info: BT822253
Component: TMOS
Symptoms:
After starting up, mcpd may have defunct child "run" and "xargs" processes
Conditions:
Slow disk storage or large configuration files.
Impact:
Minimal; some zombie processes are created.
822249-1 : Throughput degradation while uploading when using TAP device in service chain for SSL Orchestrator
Links to More Info: BT822249
Component: SSL Orchestrator
Symptoms:
When the TAP service is configured for SSL Orchestrator, upload throughput is degraded.
Conditions:
This occurs when a TAP service is configured in the deployment.
Impact:
Upload speed through the device is degraded.
Workaround:
Modify the PUSH flag on TAP service TCP wan profile from Default to Auto...
821589-2 : DNSSEC does not insert NSEC3 records for NXDOMAIN responses
Links to More Info: BT821589
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC does not insert NSEC3 records for NXDOMAIN responses.
Conditions:
-- "process-xfr yes" is set for the dns profile associated with the listener;
And
-- There is no "Zone Transfer Clients" nameserver configured for that zone.
And
-- There is no wideip configured.
Impact:
DNSSEC does not respond with NSEC3 records for a non-existent domain.
Workaround:
1. Change this setting for dns profile from "process-xfr yes" to "process-xfr no";
Or
2. Add a nameserver for "Zone Transfer Clients" of that zone.
Or
3. Add a wideip.
819457-3 : LTM high availability (HA) sync should not sync GTM zone configuration
Links to More Info: BT819457
Component: TMOS
Symptoms:
An LTM high availability (HA) sync group syncs GTM zone configuration changes.
Conditions:
1. The BIG-IP systems have both LTM and GTM provisioned.
2. The two BIG-IP systems are inside one LTM sync group.
Impact:
GTM zone files are accidentally modified.
819429-3 : Unable to scp to device after upgrade: path not allowed
Links to More Info: BT819429
Component: TMOS
Symptoms:
Cannot use scp to copy a file to the BIG-IP system. The system reports an error:
path not allowed
Conditions:
Issue occurs when both conditions are present:
-- The BIG-IP user has 'shell tmsh' or 'shell none' access.
-- The scp destination is the real path target (not listed in the 'allow' list) of a symbolic link that is listed in the scp 'allow' list (/config/ssh/scp.whitelist).
For example:
scp to /var/tmp succeeds.
scp to /shared/tmp fails with 'path not allowed'.
Impact:
Cannot copy files to a path present under whitelist.
Workaround:
Use the explicitly listed (symlink) path as the scp destination.
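The mapping described in this workaround, as an added shell example that is not F5 code: given a copy of the allow list and an intended destination, it prints the path to hand to scp. It assumes one absolute path per line in the list and that an entry covers everything below it; the function names scp_dest_for and demo are hypothetical.

```shell
#!/bin/bash
# Added example, not F5 code.
# Assumptions: the allow list holds one absolute path per line ('#' comments
# and blank lines ignored), and an entry covers the path and everything below it.

# scp_dest_for LIST DEST
# Prints the destination to pass to scp so that a literal allow-list check
# passes, or returns 1 when DEST is not covered by any entry.
scp_dest_for() {
    list=$1
    dest=${2%/}

    # Pass 1: DEST is literally at or below a listed path; use it unchanged.
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in ''|'#'*) continue ;; esac
        entry=${entry%/}
        case $dest/ in
            "$entry"/*) printf '%s\n' "$dest"; return 0 ;;
        esac
    done < "$list"

    # Pass 2: DEST is at or below the real target of a listed symlink.
    # Rewrite it to go through the listed (symlink) path instead.
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in ''|'#'*) continue ;; esac
        entry=${entry%/}
        [ -L "$entry" ] || continue
        real=$(readlink -f "$entry") || continue
        case $dest/ in
            "$real"/*)
                rest=${dest#"$real"}
                printf '%s%s\n' "$entry" "$rest"
                return 0 ;;
        esac
    done < "$list"
    return 1
}

# Constructed layout that mirrors the /var/tmp -> /shared/tmp case above,
# built under a temporary directory so nothing on the host is touched.
demo() {
    root=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$root/shared/tmp" "$root/var"
    ln -s "$root/shared/tmp" "$root/var/tmp"
    printf '%s\n' "$root/var/tmp" > "$root/allow"
    for d in "$root/var/tmp/x.ucs" "$root/shared/tmp/x.ucs" "$root/root/x.ucs"; do
        if use=$(scp_dest_for "$root/allow" "$d"); then
            echo "$d -> use $use"
        else
            echo "$d -> not covered by the allow list"
        fi
    done
    rm -rf "$root"
}

# Run the script with the argument "demo" to see the three cases.
if [ "${1:-}" = demo ]; then demo; fi
```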
819421-3 : Unable to scp/sftp to device after upgrade★
Links to More Info: BT819421
Component: TMOS
Symptoms:
Users with numeric usernames are unable to log in via scp.
Conditions:
-- Logging in via scp/sftp.
-- User account with a numeric username.
Impact:
Unable to log in via scp.
Workaround:
Include alpha characters in username.
819261-3 : Log HSB registers when parts of the device becomes unresponsive
Links to More Info: BT819261
Component: TMOS
Symptoms:
Part of the HSB becomes unresponsive, and there is no logging of additional registers to assist in diagnosing the failure.
Conditions:
It is unknown under what conditions the HSB becomes unresponsive.
Impact:
Limited visibility into the HSB state when it becomes unresponsive.
Workaround:
None.
819233-5 : Ldbutil utility ignores '--instance' option if '--list' option is specified
Links to More Info: BT819233
Component: Access Policy Manager
Symptoms:
When running ldbutil utility, if the '--list' option is specified, then the '--instance' option has no effect. All the local users will be listed.
Conditions:
When both '--list' and '--instance' options are specified.
Impact:
The output lists all local users instead of limiting the list to the given '--instance' option.
Workaround:
None.
818789-5 : Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile
Links to More Info: BT818789
Component: Local Traffic Manager
Symptoms:
With in-tmm monitoring enabled (or sys db bigd tmm set to enable) and with https monitor's ssl-profile set to none, the expected behavior is to send ciphers in ClientHello based on default serverssl profile as mentioned in GUI help for https monitor.
Conditions:
Configure HTTPS Monitor with ssl-profile "None".
Impact:
Ciphers are not exchanged as expected in the ClientHello packets.
Workaround:
Configure the HTTPS monitor without the ssl-profile option; the default serverssl profile is then used.
818777-3 : MCPD error - Trouble allocating MAC address for VLAN object
Links to More Info: BT818777
Component: TMOS
Symptoms:
You see the following errors in /var/log/ltm:
err mcpd[8985]: 0107071c:3: Trouble allocating mac address for vlan object /Common/external.
Conditions:
Conditions under which this occurs are unknown.
Impact:
There is no known impact to the system as a result of this log message.
Workaround:
If this reoccurs, you can try force reloading mcpd.
For more information, see K13030: Forcing the mcpd process to reload the BIG-IP configuration, available at https://support.f5.com/csp/article/K13030.
818737-1 : Improve error message if user did not select a address-list or port list in the GUI
Links to More Info: BT818737
Component: TMOS
Symptoms:
In the GUI, the Virtual Server screen displays the available address-lists or port lists for source address, but there is no clarity on whether the options are selected or available.
Conditions:
-- Virtual server's source address section.
Impact:
If you do not make a selection and try to create the Virtual Server, an error occurs: An error has occurred while trying to process your request.
Workaround:
Click to select the address-list or port-list displayed as source address for the Virtual Server.
818721-1 : Virtual address can be deleted while it is in use by an address-list.
Links to More Info: BT818721
Component: Local Traffic Manager
Symptoms:
-- The virtual-address (and virtual server) will no longer work.
-- The BIG-IP won't answer ARP requests for it.
-- Loading the config again or performing similar operations will not re-create the virtual-address.
Conditions:
-- A virtual address is deleted while it is in use by an address list and virtual server.
-- MCPD is restarted (or the unit rebooted, etc.).
Impact:
Traffic processing is disrupted.
818705-2 : afm_cmi.py daemon can cause very high BIG-IP CPU utilization(>90%)
Links to More Info: BT818705
Component: Advanced Firewall Manager
Symptoms:
The AFM Auto threshold and behavioral dos historical data synchronization process consumes greater than 90% CPU. This affects TMM performance and some outages may occur.
Conditions:
This occurs in both high availability (HA) and standalone configurations. In both cases "MCPD" issues were reported. (Delay in response or the daemon crashed)
Impact:
TMM performance is affected and outages may occur.
Workaround:
Kill the AFM data synchronization process:
pkill -9 -f afm_cmi.py
818505-3 : Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Links to More Info: BT818505
Component: TMOS
Symptoms:
Using an iControl PUT command to modify a virtual address will change that address's netmask to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
Conditions:
Modifying a virtual address using an iControl PUT command.
Impact:
An unintentional change to the virtual address's netmask.
Workaround:
Two options:
-- Use a PATCH command instead of a PUT command.
-- Always specify the netmask explicitly when making changes.
818417-2 : Flowspecd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf.
Links to More Info: BT818417
Component: TMOS
Symptoms:
During system boot, the flowspecd daemon emits a message 'Shm segment not found in /etc/ha_table/ha_table.conf', and heartbeat monitoring is disabled for flowspecd.
Conditions:
Flowspecd daemon is running.
Impact:
No heartbeat monitoring for flowspecd daemon.
Workaround:
Manually edit the file /etc/ha_table/ha_table.conf and insert a line at the end:
ha segment path: /flowspecd
818297 : OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure
Links to More Info: BT818297
Component: TMOS
Symptoms:
OVSDB-server fails to make SSL connections when SELinux is enforcing.
In /var/log/openvswitch/ovsdb-server.log:
...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).
Conditions:
-- Navigate to System :: Configuration : OVSDB.
-- Add cert and keys.
Impact:
Permission denied, SSL connection failure.
Workaround:
Step 1: Check openvswitch SELinux denial:
# audit2allow -w -a
Example output:
type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Step 2: Find openvswitch components that need Linux policy additions:
# audit2allow -a
Example output:
#============= openvswitch_t ==============
allow openvswitch_t f5config_t:dir search;
allow openvswitch_t f5filestore_t:dir search;
allow openvswitch_t f5filestore_t:file { getattr open read };
Step 3: Modify the policy to allow access to the component openvswitch_t:
# audit2allow -a -M openvswitch_t
Step 4: Apply the policy:
# semodule -i openvswitch_t.pp
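Because audit2allow -a reads every denial in the audit log, the module built in Step 3 can carry rules unrelated to ovsdb-server. The following added example (not part of the F5 procedure; the function names and the httpd_t rule in the sample are constructed) checks the generated openvswitch_t.te file before Step 4 and prints any allow rule outside the expected openvswitch_t scope.

```shell
#!/bin/bash
# Added example, not F5 code.

# rules_outside_scope TE_FILE SOURCE_TYPE TARGET_TYPE...
# Prints each allow rule whose source type is not SOURCE_TYPE or whose target
# type is not one of the TARGET_TYPEs. Exit status: 0 when every rule is in
# scope, 1 otherwise. Rules written with a braced type set are reported too,
# so that they get a manual look.
rules_outside_scope() {
    te=$1
    src=$2
    shift 2
    awk -v src="$src" -v targets="$*" '
        BEGIN {
            n = split(targets, t, " ")
            for (i = 1; i <= n; i++) ok[t[i]] = 1
        }
        $1 == "allow" {
            split($3, tc, ":")            # $3 is "target_type:class"
            if ($2 != src || !(tc[1] in ok)) { print; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$te"
}

# Constructed sample of a generated .te file: the three rules shown in Step 2
# plus one unrelated rule (constructed) picked up from another denial.
sample_te() {
    cat <<'EOF'
module openvswitch_t 1.0;

require {
	type openvswitch_t;
	type f5config_t;
	type f5filestore_t;
	type httpd_t;
	type var_log_t;
	class dir search;
	class file { getattr open read write };
}

#============= httpd_t ==============
allow httpd_t var_log_t:file write;

#============= openvswitch_t ==============
allow openvswitch_t f5config_t:dir search;
allow openvswitch_t f5filestore_t:dir search;
allow openvswitch_t f5filestore_t:file { getattr open read };
EOF
}

# Run the script with the argument "demo" to check the constructed sample.
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    sample_te > "$f"
    rules_outside_scope "$f" openvswitch_t f5config_t f5filestore_t ||
        echo "Review the rules above before running semodule -i."
    rm -f "$f"
fi
```

On a live system, point the function at the openvswitch_t.te file that Step 3 writes beside openvswitch_t.pp.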
818097-4 : Plane CPU stats too high after primary blade failover in multi-blade chassis
Links to More Info: BT818097
Component: Local Traffic Manager
Symptoms:
The data, control, and analysis plane stats are too high as reported by tmsh show sys performance system detail.
Conditions:
The primary blade in a multi-blade chassis fails over to another blade.
Impact:
The plane CPU stats are too high.
Workaround:
Remove the /var/tmstat/blade/statsd file on the previous primary blade and restart merged on that blade.
818069-4 : GUI hangs when iApp produces error message
Links to More Info: BT818069
Component: iApp Technology
Symptoms:
If lengthy Tcl errors are displayed in the GUI while creating an iApp, the GUI can hang.
Conditions:
-- Creating an iApp that contains a syntax error.
-- A large error message is emitted.
Impact:
GUI hangs.
Workaround:
Restart the tomcat process:
tmsh restart sys service tomcat
817089-1 : Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing
Component: TMOS
Symptoms:
Connections that are hardware accelerated and that use asymmetric routing may use the wrong MAC address for return traffic. This can be observed by looking at a packet capture.
Conditions:
Hardware acceleration is enabled (ePVA/fastL4) with asymmetric routing.
Impact:
The return traffic has the wrong source MAC address. This may affect packet forwarding depending on the configuration.
Workaround:
Disable HW acceleration.
816353-1 : Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1
Links to More Info: BT816353
Component: TMOS
Symptoms:
During re-licensing or license reload, an unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1 may be sent.
Conditions:
Occurs during license reload or reactivation.
Impact:
After a license reload, the unknown trap can be seen in a packet capture.
Run "tcpdump -ni mgmt port 162 -vvvv &":
12:01:59.883331 IP (tos 0x0, ttl 64, id 47411, offset 0, flags [DF], proto UDP (17), length 101)
10.248.136.179.55540 > 172.28.8.68.snmptrap: [bad udp cksum 0x486e -> 0xd7b8!] { SNMPv2c { V2Trap(58) R=1205683810 .1.3.6.1.2.1.1.3.0=1775555 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.2.1.47.2.0.1.0.1 } }
816205-3 : IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side
Links to More Info: BT816205
Component: Local Traffic Manager
Symptoms:
ICMP protocol 50 unreachable messages are not forwarded from the server-side to the client-side when a SNAT Virtual Server handles ESP flows that are not encapsulated in UDP port 4500 (RFC 3948). Other ICMP messages related to the server-side ESP flow may be similarly affected.
Conditions:
-- BIG-IP system is forwarding ESP (protocol 50) packets.
-- Virtual Server is configured with a SNAT pool or automap.
-- The server-side IPsec peer sends ICMP protocol errors in response to the ESP packets.
Impact:
ICMP packets arriving on the server-side are not forwarded to the client-side.
Workaround:
Option 1:
-- Enable NAT Detection (RFC 3947) on the IPsec peers.
NOTE: NAT Detection (RFC 3947) is the correct way to implement IPsec peers when network address translation occurs between the two IPsec peers.
Option 2:
-- Remove NAT from the Virtual Server.
-- Set the following sys db values:
# tmsh modify sys db ipsec.lookupip value "enable"
# tmsh modify sys db ipsec.lookupspi value "disable"
NOTE: The sys db settings in option 2 do not resolve the ICMP issue if NAT is configured on the Virtual Server.
815901-3 : Add rule to the disabled pem policy is not allowed
Links to More Info: BT815901
Component: Policy Enforcement Manager
Symptoms:
Adding a rule to a PEM policy is not allowed.
Conditions:
A PEM policy is disabled.
Impact:
You are unable to add rules to a PEM policy if it is disabled.
815753-2 : TMM leaks memory when explicit SWG is configured with Kerberos authentication
Links to More Info: BT815753
Component: Access Policy Manager
Symptoms:
Memory usage of filter keeps increasing over time and becomes one of the major consumers of the TMM memory.
Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.
Impact:
TMM sweeper enters aggressive mode and reaps connections.
Workaround:
None.
815405-4 : GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI)
Links to More Info: BT815405
Component: Local Traffic Manager
Symptoms:
Child FastL4 profile is being reset after clicking Update from GUI.
Conditions:
-- Create a child SSL FastL4 profile inheriting settings from a parent FastL4 profile.
-- From the command line, change any of the CLI-only visible settings in the child FastL4 profile (e.g., pva-acceleration, explicit-flow-migration, etc.), and save the changes.
-- In the GUI, click the Update button in the child FastL4 profile without making any change.
Impact:
The operation overwrites the CLI changes made in the child profile, and inherits those values from the parent settings instead.
Workaround:
None.
815089-3 : On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations
Links to More Info: BT815089
Component: Local Traffic Manager
Symptoms:
If you have a system with no VLANs configured, and you attempt to create virtual servers or SNATs that have the same address/port combinations, you will be able to do so without validation errors.
Conditions:
-- A BIG-IP system with no VLANs configured.
-- Creating virtual servers or SNATs that have identical address/port combinations.
Impact:
An invalid configuration is allowed.
Workaround:
None.
814941-1 : PEM drops new subscriber creation if historical aggregate creation count reaches the max limit
Links to More Info: BT814941
Component: Policy Enforcement Manager
Symptoms:
PEM subscriber create fails, usually seen across multiple high availability (HA) failover events.
Conditions:
The aggregate subscriber create count reaches the maximum subscriber limit per tmm, which is configured using sys db statemirror.mirrorsessions.
Impact:
Unable to bring up any more subscribers.
Workaround:
Restart tmm when the limits are reached.
814353-3 : Pool member silently changed to user-disabled from monitor-disabled
Links to More Info: BT814353
Component: TMOS
Symptoms:
When a node (Disabled by Monitor) is updated via the member screen (no change to configuration required), the status changes from:
'Available (Disabled) pool members is available, monitor disabled'.
To:
'Available (Disabled), pool member is available, user disabled'.
Conditions:
-- A node disabled by Monitor.
-- Go to GUI LTM pool member and navigate into the monitor disabled member, then update without any configuration change.
Impact:
Pool member goes to 'user-disabled'.
Workaround:
To recover, re-enable the pool member.
814273-3 : Multicast route entries are not populating to tmm after failover
Links to More Info: BT814273
Component: TMOS
Symptoms:
Multicast route entries are not populating in tmm after failover. ZebOS has the multicast entries, but tmm does not.
Conditions:
-- High Availability (HA) configured, with multicast traffic.
-- A failover occurs.
Impact:
Multicast traffic does not pass through properly.
Workaround:
Clear the multicast entries in ZebOS manually:
> clear ip mroute *
> clear ip igmp group
813969-3 : Network DoS reporting events as 'not dropped' while in fact, events are dropped
Links to More Info: BT813969
Component: Advanced Firewall Manager
Symptoms:
Logs/Tmctl shows packet dropped whereas AVR shows Action as 'Allowed' and not 'Dropped'.
Conditions:
-- AFM configured.
-- AFM passes the message to AVR for reporting.
Impact:
The operation does not update the drop flag. It appears from AVR Reporting that packets are allowed, but they are actually dropped.
Workaround:
There is no workaround at this time.
813673-2 : The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT to IPv4 targets.
Links to More Info: BT813673
Component: Local Traffic Manager
Symptoms:
A typical configuration of the HTTP Explicit Proxy includes four virtual servers:
-- Two virtual servers for the Explicit Proxy, one IPv4, one IPv6.
-- Two general-purpose virtual servers: one IPv4, one IPv6.
The general-purpose virtual servers allow handling of CONNECT tunneling over the HTTP-tunnel interface.
Unfortunately, if an IPv6 client tries to CONNECT to an IPv4 destination, it fails, returning a 503 status error.
This is due to the IPv6 general-purpose virtual server not being found when performing the destination lookup.
Conditions:
-- The HTTP explicit proxy virtual server is listening on an IPv6 address.
-- 'default-connect-handling deny' is configured on the explicit proxy HTTP profile.
-- IPv4 and IPv6 general-purpose virtual servers exist on the HTTP-tunnel interface.
-- The client connects, and uses CONNECT to proxy to an IPv4 address.
Impact:
The IPv6 client will not be able to "CONNECT" through the explicit proxy to an IPv4 address.
Workaround:
None.
813221-1 : Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync
Links to More Info: BT813221
Component: Global Traffic Manager (DNS)
Symptoms:
The virtual server for an LTM redundant peer is continually updated with its IP/Port changing back and forth between two values, leading to perpetual GTM configuration syncs.
Conditions:
The destination IP:port of the virtual server on the LTM is not in sync between the LTM devices in the device-group.
Impact:
The virtual server status flaps between 'blue' and 'green', and its destination IP:port changes between a correct value and an incorrect one. Traffic will be impacted.
Workaround:
Perform a configsync on the LTM device-group that owns the virtual server.
813057-2 : False positive attack detection on DoS profile vectors for unbalanced traffic
Links to More Info: BT813057
Component: Advanced Firewall Manager
Symptoms:
DoS attack is detected on a profile vector when attack Packets Per Second (PPS) is lower than the threshold.
Conditions:
Unbalanced traffic between tmms for DoS profile vector.
Impact:
False positive attack detection.
Workaround:
None.
812993-1 : Monpd process consumes considerable amount of RAM on systems with many virtual servers
Links to More Info: BT812993
Component: Application Visibility and Reporting
Symptoms:
Monpd process consumes a considerable amount of RAM (several gigabytes). The RAM usage grows constantly within the first 24 hours. This occurs because of the collection of ADM (BADOS) real-time statistics in monpd memory for last 24 hours per virtual server.
Conditions:
Many virtual servers are defined in the system. The memory consumption depends on the number of virtual servers.
Impact:
Excessive memory consumption reduces available RAM for other system daemons.
Workaround:
None.
812705-1 : 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic
Links to More Info: BT812705
Component: Carrier-Grade NAT
Symptoms:
IPv4 Packets are forwarded to server-side with destination address changed to LTM pool member address even when 'translate-address disabled' is configured on a NAT64 virtual server.
Conditions:
-- Create iRules for LTM pool selection.
-- Configure the NAT64 virtual server with 'translate-address disabled'.
-- Send IPv6 client request accessing the NAT64 virtual server.
Impact:
Server-side IPv4 packets are forwarded with destination address modified. The server-side packets do not reach the intended destination, resulting in connection failures.
Workaround:
Use normal LTM pool selection instead of iRules-based, LTM pool selection.
812693-2 : Connection in FIN_WAIT_2 state may fail to be removed
Links to More Info: BT812693
Component: Local Traffic Manager
Symptoms:
If a connection that has a fully closed client-side, but a server-side still in FIN_WAIT_2, receives a SYN matching the same connflow, the idle time is reset. This can result in the fin-wait-2-timeout never being reached. The SYN will be responded to with a RST - 'TCP Closed'.
Conditions:
- Client side connection has been fully closed. This may occur if a client SSL profile is in use and an 'Encrypted Alert' has been received.
- Server side has sent a FIN which has been ACK'd, but no FIN has been received from the server.
- SYN received matching the existing connflow before the FIN-WAIT-2-timeout has been reached (300 default).
Impact:
Connection may fail to be removed in a timely manner. New connection attempts are RST with 'TCP Closed'.
Workaround:
You can use either of the following:
-- Ensure servers are sending FINs so as not to leave the connection in a FIN_WAIT_2 state.
-- Mitigate the issue by lowering the FIN-WAIT-2-timeout to a smaller value, e.g., FIN-WAIT-2-timeout 10.
812497-1 : VE rate limit should not count packet that does not have a matched vlan or matched MAC address
Links to More Info: BT812497
Component: Local Traffic Manager
Symptoms:
Virtual Edition (VE) Rate limit counts packets that are not intended for BIG-IP.
Conditions:
-- Rate-limited license in BIG-IP Virtual Edition (VE)
-- Promiscuous mode is enabled
Impact:
If you do not have an unlimited license for a Virtual Edition device, you cannot use VLAN tags or MAC Masquerading without a greatly increased risk of running out of licensed bandwidth. Even if you are not using any service, BIG-IP counts all traffic seen on the interface against the license. Due to VMware's switch design you have to expose the device to all of the traffic to use those two features.
812493-2 : When engineID is reconfigured, snmp and alert daemons must be restarted★
Links to More Info: BT812493
Component: TMOS
Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.
Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.
Impact:
This may confuse the SNMP client receiving the trap.
Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time and the first time after a software upgrade:
tmsh restart sys service snmpd alertd
812481-2 : HSL may work unreliably for Management-IP firewall rules
Links to More Info: BT812481
Component: Advanced Firewall Manager
Symptoms:
High-speed logging (HSL) related to Management-IP firewall rules can periodically freeze and corresponding log messages can be lost.
Additionally, reverse DNS lookups can result in PTR requests being sent out for IP addresses in the allowed list.
Conditions:
No special conditions, this can happen intermittently on any device.
Impact:
HSL log messages related to Management-IP firewall rules are missed. Unrequired PTR requests are sent out for IP addresses in the allowed list.
Workaround:
None
812269-1 : TMM might crash with traffic while deleting a pool member
Links to More Info: BT812269
Component: Local Traffic Manager
Symptoms:
TMM might crash during an operation of deleting a pool member.
Conditions:
-- Deleting a pool member from a pool
-- The BIG-IP system is in the middle of processing a request.
One potential scenario is running a large iRule that inserts a delay in the processing of a request. This makes it more likely to satisfy the condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
812237-1 : i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD
Links to More Info: BT812237
Component: TMOS
Symptoms:
"tmsh show sys hardware" will not display a "Name" for the Platform on i10000 series appliances with part number 505-0030.
The LCD will not display the system name.
Conditions:
i10000 series appliances with part number 505-0030 with HDVC (high voltage DC) power supplies.
Impact:
Display only. No functional impact.
The LCD and "tmsh show sys hardware" will not display the product name of i10600 or i10800 as expected.
Workaround:
None
811041-5 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf
Links to More Info: BT811041
Component: TMOS
Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.
Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.
Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.
Workaround:
None.
810825 : Export, then import of pool outside of a default route domain may fail
Links to More Info: BT810825
Component: Access Policy Manager
Symptoms:
While importing a policy, you get an error:
Syntax Error:(/shared/tmp/apmom/import/abc.conf at line ###) invalid IP address: "1.1.1.1%0%1"
Conditions:
-- Importing a previously exported policy
-- The policy was from a partition with a non-zero route domain
Impact:
Importing the policy fails on syntax error.
Workaround:
You can manually edit the file and then attempt the import again. For example, if a pool member was supposed to exist in route domain 1 with port 1812, the erroneous policy might look like this:
ltm pool /@partition/@name-safenet-radius-pool {
    members {
        prod/1.1.1.1%1:radius {
            address 1.1.1.1%0%1 <=====
            priority-group 1
            state up
        }
    }
    min-active-members 1
}
It can be manually fixed by removing the erroneous %0 in the string:
ltm pool /@partition/@name-safenet-radius-pool {
    members {
        prod/1.1.1.1%1:radius {
            address 1.1.1.1%1
            priority-group 1
            state up
        }
    }
    min-active-members 1
}
810613-2 : GUI Login History hides informative message about max number of lines exceeded
Links to More Info: BT810613
Component: TMOS
Symptoms:
When there are more than 10000 lines in /var/log/secure* files, visiting System :: Logins :: [History|Summary] in the GUI shows 'No Entries' instead of the actual error message about the large number of lines.
Conditions:
If there are more than 10000 lines in /var/log/secure* files.
Impact:
GUI displays 'No Entries' instead of the actual error message.
Workaround:
-- View the log via the CLI, specifying the number of lines:
tmsh show sys log security lines 15000 | less
-- Delete the large amount of secure files from /var/log/.
810373-1 : Errors running 'config' command
Links to More Info: BT810373
Component: TMOS
Symptoms:
Running the 'config' command reports errors:
coapi_query failed at /usr/local/lib/perl5/F5/COAPI.pm line 215, <FH> line 3.
Conditions:
This might occur under either of the following conditions:
-- The BIG-IP Virtual Edition (VE) instance has low memory.
-- Running the command occurs before mcpd is in a running state.
Impact:
Failure to configure the management IP address.
Workaround:
Wait for the VE instance to start up and fully stabilize and have mcpd in the running state before running the config command.
809509-1 : Resource Admin User unable to download UCS using Rest API.
Links to More Info: BT809509
Component: TMOS
Symptoms:
Resource Admin User cannot download UCS file using REST API. The system returns a message:
Authorization failed
Conditions:
-- BIG-IP user with Resource Administrator role.
-- Attempting to download a UCS file using the REST API.
Impact:
Resource Administrator user cannot download UCS file using REST API.
Workaround:
The Resource Administrator user can use the GUI to download the file.
809089-2 : TMM crash after sessiondb ref_cnt overflow
Links to More Info: BT809089
Component: TMOS
Symptoms:
Log message that indicates this issue may happen:
session_reply_multi: ERROR: unable to send session reply: ERR_BOUNDS
[...] valid s_entry->ref_cnt
Conditions:
-- Specific MRF configuration where all 500 session entries are owned by a single tmm.
-- High rate of session lookups with a lot of entries returned.
Note: This issue does not affect HTTP/2 MRF configurations.
Impact:
TMM core: the program terminates with signal SIGSEGV, Segmentation fault. Traffic disrupted while tmm restarts.
Workaround:
1. Change MRF configuration to spread session lookups across multiple tmms.
2. Reduce the sub-key entries to far below 500.
808913-3 : Big3d cannot log the full XML buffer data
Links to More Info: BT808913
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d cannot log the full XML buffer data:
-- notice big3d[12212]: 012b600d:5: Probe from ::ffff:11.11.1.21:45011: len 883/buffer = <vip>.
Conditions:
The gtm.debugprobelogging variable is enabled.
Impact:
Not able to debug big3d monitoring issues efficiently.
Workaround:
None.
808801-2 : AVRD crash when configured to send data externally
Links to More Info: BT808801
Component: Application Visibility and Reporting
Symptoms:
AVRD can crash repeatedly when configured to send telemetry data externally.
Conditions:
-- AVR is configured to send telemetry data to an external source (like connection with BIG-IQ).
-- Large number of config objects in the system, such as virtual servers and pool members.
Impact:
AVRD process crashes, and telemetry data is not collected.
Workaround:
Split the configuration updates into smaller batches.
808749-2 : Duplicate user-defined Signature Set based on Attack Type is created upon policy import
Links to More Info: BT808749
Component: Application Security Manager
Symptoms:
A duplicate user-defined Signature Set is created upon policy import when the Set has a filter using Attack Type.
Conditions:
A policy using a user-defined Signature Set with a filter using Attack Type is exported.
Impact:
A duplicate user-defined Signature Set is created upon policy import.
Workaround:
The policy can be modified to use the original Set, and the duplicated set can then be deleted.
808485-2 : Add 'virtual-server' argument to 'tmsh help sys connection' for version 14.x
Links to More Info: BT808485
Component: TMOS
Symptoms:
Virtual-server argument is not available in tmsh in versions prior to 14.x.
Conditions:
Running the command 'tmsh show sys connection'.
Impact:
Inability to filter for virtual server.
Workaround:
None.
808481-4 : Hertfordshire county missing from GTM Region list
Links to More Info: BT808481
Component: TMOS
Symptoms:
Hertfordshire county is missing from Regions in the United Kingdom Country/State list.
Conditions:
-- Creating a GTM region record.
-- Attempting to select Hertfordshire county for the United Kingdom.
Impact:
Cannot select Hertfordshire county from United Kingdom Country/State list.
Workaround:
None.
808277-4 : Root's crontab file may become empty
Links to More Info: BT808277
Component: TMOS
Symptoms:
Under low-disk conditions for the /var/ filesystem, BIG-IP system processes may incorrectly update root's crontab file (/var/spool/cron/root). This results in the file contents being removed; i.e., the file is empty.
Conditions:
Low disk space on the /var filesystem.
Impact:
System and user entries in root's crontab file stop executing.
Workaround:
None.
808017-2 : When using a variable as the only parameter to the iRule persist command, the iRule validation fails
Links to More Info: BT808017
Component: Local Traffic Manager
Symptoms:
When using a variable as the only parameter to the iRule persist command, for example:
when HTTP_REQUEST {
    set persistence none
    persist $persistence
}
The iRule validation fails with the message:
Persistence mode (Cookie) called out in rule <rule name> requires a corresponding persistence profile for virtual server
Conditions:
Using a variable as the only parameter to the iRule persist command.
Impact:
Validation fails and hence the system config cannot be loaded.
Workaround:
The first parameter must be one of the predefined action keywords, so specify it as plain text rather than as a variable.
807857-3 : TMM can leak memory under specific traffic and iRule configurations.
Links to More Info: BT807857
Component: Local Traffic Manager
Symptoms:
-- TMM leaks memory in the 'bigip_connection' component.
-- Depending on the specific iRule configuration, other components, such as 'tcl' and 'tclrule_pcb', may also leak.
-- A 'double flow removal Oops' message may be visible in the tmm and ltm log files.
-- 'TCL error' messages may be visible in the ltm log file.
Conditions:
This issue is known to occur only under rare circumstances in conjunction with specific traffic and iRule configurations.
Impact:
After a prolonged amount of time spent leaking memory, TMM may not be able to fulfil new memory allocations and crash. This results in a traffic interruption, a core file, and a failover on redundant units. Traffic disrupted while TMM restarts.
Workaround:
None.
807837-3 : Upgrade fails when client-ssl inherits proxy-ca-key/cert with error message: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.★
Links to More Info: BT807837
Component: TMOS
Symptoms:
The upgrade fails when loading a configuration file or UCS from an older version, with the following error message reported against the child client-ssl profile:
Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.
Conditions:
The issue occurs when all of the following conditions are met:
-- When upgrading from an older version (earlier than 14.0.0) to a newer version (14.1.0 or later).
-- The configuration has a child client SSL profile that inherits from a parent client SSL profile.
-- The parent SSL profile has SSL forward proxy enabled and proxy-ca-cert/proxy-ca-key configured.
Impact:
Unable to upgrade the system with old configuration.
Workaround:
You can work around this issue using the following procedure:
1. Manually edit /config/bigip.conf to add the following lines:
proxy-ca-cert /Common/rsa.crt
proxy-ca-key /Common/rsa.key
2. Reload the configuration using the following command:
tmsh load sys config
Here is an example:
ltm profile client-ssl /Common/child {
    app-service none
    cert /Common/default.crt
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    chain none
    defaults-from /Common/parent
    inherit-certkeychain true
    key /Common/default.key
    passphrase none
    proxy-ca-cert /Common/rsa.crt <===== add this line
    proxy-ca-key /Common/rsa.key <===== add this line
}
807569-1 : Requests fail to load when backend server overrides request cookies and Bot Defense is used
Links to More Info: BT807569
Component: Application Security Manager
Symptoms:
When Bot Defense is used with a backend server that overrides request cookies, requests to non-HTML resources may fail, or may receive the whitepage JavaScript challenge. An example is when a backend server responds with a Set-Cookie header containing empty values for each request cookie it does not recognize.
Conditions:
-- Bot Defense is enabled.
-- Backend server is overriding the Bot Defense cookies with the TS prefix.
Impact:
Some URLs fail to load following the JavaScript challenge.
Workaround:
Use an iRule to strip the TSPD_101 cookie from the request before forwarding it to the backend:
when HTTP_REQUEST_RELEASE {
    HTTP::cookie remove "TSPD_101"
}
807397-2 : IRules ending with a comment cause config verification to fail
Links to More Info: BT807397
Component: Local Traffic Manager
Symptoms:
'tmsh load sys config verify' reports error messages for a signed iRule:
-- 01071485:3: iRule (/Common/example) content does not match the signature.
-- Unexpected Error: Validating configuration process failed.
Conditions:
-- Have an iRule which ends in a comment.
-- iRule is signed.
-- Run the command:
tmsh load sys config verify
Impact:
'tmsh load sys config verify' reports an error when there should be none. Configuration validation fails.
Workaround:
Delete or move any comments that are at the end of the iRule, and validate the configuration again.
807313-1 : Encountering apmd out of memory events and process getting halted
Component: TMOS
Symptoms:
The kernel logs out-of-memory errors and halts apmd:
err kernel: : [70076.639026] Killed process 16095 (apmd) total-vm:7054192kB, anon-rss:2759164kB, file-rss:4724kB, shmem-rss:156kB.
Conditions:
This can be encountered when APM is provisioned and running.
Impact:
APM process is halted and restarted. APM traffic disrupted while apmd restarts.
Workaround:
None.
807309-2 : Incorrect Active/Standby status in CLI Prompt after failover test
Links to More Info: BT807309
Component: TMOS
Symptoms:
After running 'promptstatusd -y' to check current failover status, it displays an incorrect Active/Standby status in the CLI prompt.
Conditions:
This occurs under the following conditions:
1. Modify the db variable: bigdb failover.state.
2. Check that /var/prompt/ps1 and CLI prompt reflect the setting.
3. Reboot the BIG-IP system.
Impact:
Status shown in the prompt does not change.
Workaround:
Do not run 'promptstatusd -y' command manually.
The db variable 'failover.state' is a status-reporting variable. The system does not report status manually set to something other than the actual status.
Note: 'promptstatusd' is not a BIG-IP user command; it is a daemon. It is highly unlikely that manually running this command will produce information that is useful or relevant to the status being sought.
806881-2 : Loading the configuration may not set the virtual server enabled status correctly
Links to More Info: BT806881
Component: TMOS
Symptoms:
When loading the configuration, if the virtual address is disabled but the virtual server is enabled, the virtual server may still pass traffic.
Conditions:
-- Loading the configuration.
-- A virtual server's virtual address is disabled.
Impact:
Virtual servers unexpectedly process traffic.
Workaround:
Manually re-enable and disable the virtual address.
806809-1 : JWT Claim value without quotes is invalid
Links to More Info: BT806809
Component: Access Policy Manager
Symptoms:
The JSON payload is invalid because claims are generated without quotes (").
Conditions:
BIG-IP creates JWT claim value without quotes when scope is not openid.
Impact:
Token is invalid.
Workaround:
Replace claim type 'string' with 'custom', and add backslash-escaped quotes around the claim value:
apm oauth oauth-claim /Common/uid {
    claim-name uid
    claim-type custom
    claim-value "\"%{session.custom.name:noconv}\""
}
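The following Python check is an added example, not F5 code: it decodes the payload segment of a JWT and reports whether an unquoted claim value has made the JSON invalid. The sample tokens, the issuer URL and the helper names are constructed; the numeric case goes one step beyond the text (an unquoted value made only of digits still parses, but as a number), and no signature verification is performed.

```python
import base64
import json


def b64url_encode(raw: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload_text: str) -> str:
    """Build a constructed, unsigned-for-real sample token around a payload."""
    header = b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    payload = b64url_encode(payload_text.encode("utf-8"))
    signature = b64url_encode(b"constructed-signature")  # placeholder bytes
    return ".".join([header, payload, signature])


def check_payload(token: str, string_claims=()) -> dict:
    """Check payload syntax only; this does NOT verify the signature.

    string_claims lists claim names that the relying party expects to be
    JSON strings (an assumption the caller supplies).
    """
    result = {"valid_json": False, "claims": None, "problems": []}
    parts = token.split(".")
    if len(parts) != 3:
        result["problems"].append("expected three dot-separated segments")
        return result
    try:
        payload_text = b64url_decode(parts[1]).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        result["problems"].append(f"payload segment cannot be decoded: {exc}")
        return result
    try:
        claims = json.loads(payload_text)
    except json.JSONDecodeError as exc:
        result["problems"].append(
            f"payload is not valid JSON: {exc.msg} at offset {exc.pos}"
        )
        return result
    if not isinstance(claims, dict):
        result["problems"].append("payload is not a JSON object")
        return result
    result["valid_json"] = True
    result["claims"] = claims
    for name in string_claims:
        if name in claims and not isinstance(claims[name], str):
            result["problems"].append(
                f"claim {name!r} is {type(claims[name]).__name__}, "
                "expected a JSON string"
            )
    return result


# Constructed payloads: claim emitted without quotes, a digits-only value
# without quotes, and the quoted form the workaround produces.
UNQUOTED_PAYLOAD = '{"iss":"https://as.example.test","uid":jdoe}'
NUMERIC_PAYLOAD = '{"iss":"https://as.example.test","uid":1042}'
QUOTED_PAYLOAD = '{"iss":"https://as.example.test","uid":"jdoe"}'

if __name__ == "__main__":
    for label, text in [
        ("unquoted", UNQUOTED_PAYLOAD),
        ("numeric", NUMERIC_PAYLOAD),
        ("quoted", QUOTED_PAYLOAD),
    ]:
        report = check_payload(make_sample_token(text), string_claims=("uid",))
        print(label, report["valid_json"], report["problems"])
```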
805561-4 : Change of pool configuration in OneConnect environment can impact active traffic
Links to More Info: BT805561
Component: Local Traffic Manager
Symptoms:
In OneConnect environments, when the default pool is updated for the first time, active connections reconnect to new pool members. Further updates to the pool configuration have no impact on traffic.
Conditions:
-- Virtual server configured with OneConnect profile.
-- Default pool is updated when active connections are present.
Impact:
Active traffic disrupted.
Workaround:
None.
805325-2 : tmsh help text contains a reference to bigpipe, which is no longer supported
Links to More Info: BT805325
Component: TMOS
Symptoms:
The 'sys httpd ssl-certkeyfile' tmsh help text contains a reference to bigpipe, which is no longer supported.
Conditions:
Viewing tmsh help for 'sys httpd ssl-certkeyfile'.
Impact:
Incorrect reference to bigpipe.
Workaround:
You can use the following command sequence to change the key:
modify httpd { ssl-certfile [string] ssl-certkeyfile [string] }
804529-3 : REST API to /mgmt/tm/ltm/pool/members/stats will fail for some pools
Links to More Info: BT804529
Component: TMOS
Symptoms:
GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats may fail with error 404.
Conditions:
This impacts pools which start with the letter 'm'. This is because those endpoints contain objects with incorrect selfLinks.
For example:
1. A query to the pool below (which starts with the letter 'm') works because it contains the right selfLink:
- Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"
2. A query to the pool below (which does NOT start with the letter 'm') may not work because it contains the wrong selfLink:
- Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
In the above example, the word 'members' shows up unexpectedly in the selfLink for case 2.
Impact:
You may see errors with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats
Workaround:
You may use the following workarounds:
1. Use /mgmt/tm/ltm/pool/members/stats, which does return the pool member stats for every pool.
2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:
/mgmt/tm/ltm/pool/<pool>/members/<member>/stats
803457-2 : SNMP custom stats cannot access iStats
Links to More Info: BT803457
Component: TMOS
Symptoms:
While doing an snmpwalk, you encounter the following error:
-- tcl callback Default return string: istats: tmstat_open_read: open: /var/tmstat/istats: Permission denied.
-- istats: tmstat_read: open: /var/tmstat/istats: Permission denied.
-- ERROR opening iStats read segment '/var/tmstat/istats': Permission denied.
Conditions:
This occurs when using SNMP to access iStats.
Impact:
iStats cannot be accessed through SNMP and generates an error.
Workaround:
None.
803157-1 : LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots
Links to More Info: BT803157
Component: TMOS
Symptoms:
When the BIG-IP system reboots, it buffers the shutdown sequence log messages and writes them to disk once the syslog service starts during the boot process. The boot_marker message is written before the shutdown messages sync to disk. This leads to out-of-sequence log messages, making it difficult to determine when the service stop occurred.
Conditions:
Reboot the BIG-IP system.
Impact:
Log messages appear out of order. It is difficult to tell whether a service stop happened as part of the reboot or because of an error during the subsequent boot process.
Workaround:
None.
802721-2 : Virtual Server iRule does not match an External Data Group key that's 128 characters long
Links to More Info: BT802721
Component: Local Traffic Manager
Symptoms:
Virtual server iRule does not match an External Data Group key that is 128 characters long.
Conditions:
-- A string type External Data Group with a key/value pair whose key is 128 characters long.
-- An iRule using [class match] to get the value from the Data Group.
Impact:
The call to [class match] returns an empty string ("").
Workaround:
None.
802449-1 : Valid GTP-C traffic may cause buffer overflow
Links to More Info: BT802449
Component: Protocol Inspection
Symptoms:
Valid GTP-C traffic may cause buffer overflow with incrementing sequence numbers.
Conditions:
Valid GTP traffic with an incrementing sequence number causes memory corruption and a core when processed through the IPS library.
Impact:
TMM Crash/core. Traffic disrupted while tmm restarts.
Workaround:
The only workaround is to disable protocol inspection or remove GTP service from all protocol-inspection profiles.
802189-2 : iApps: Calling 'Package Require <PKG>' in a template with a manager role is not supported
Links to More Info: BT802189
Component: iApp Technology
Symptoms:
With the Manager role, when calling 'package require <PKG>' in an iApp template, the following exception occurs:
Error parsing template:can't eval proc: "script::run" invalid command name "file" while executing "file join $dir $f".
Conditions:
Users cannot use the Manager role when importing iApps that contain a 'package require' call.
Impact:
Cannot use Manager Role when importing iApps that contain a 'package require' call.
Workaround:
Use the Admin role to import new templates.
801549-3 : Persist records do not expire properly if mirroring is configured incorrectly
Links to More Info: BT801549
Component: Local Traffic Manager
Symptoms:
-- TMM memory growth with improper high availability (HA) configuration.
-- New connections may be routed to the wrong pool member due to outdated persist records.
Conditions:
- The device mirror-ip is not configured properly, along with either of the following:
+ Persistence mirroring is configured.
+ Connection mirroring of a virtual server with a persistence profile.
Impact:
-- Connection limits due to tmm memory pressure or possible tmm out-of-memory failure.
-- New connections may be routed to the wrong pool member due to outdated persist records.
Workaround:
- Properly configure the cm device mirror-ip and/or mirror-secondary-ip. After doing this, the memory utilization should drop.
- Disable mirroring on the persistence profiles and/or virtual servers. After doing this, the memory utilization will not drop until tmm is restarted.
801541-2 : Persist records do not expire properly if HA peer is unavailable
Links to More Info: BT801541
Component: Local Traffic Manager
Symptoms:
-- TMM memory utilization growth due to persist records not expiring.
-- New connections may be routed to the wrong pool member due to outdated persist records.
Conditions:
The next-active device in the high availability (HA) configuration is down, and either of the following:
-- Persistence mirroring is configured.
-- Connection mirroring of a virtual server with a persistence profile is configured.
Impact:
-- Connection limits due to tmm memory pressure or possible tmm out-of-memory failure.
-- New connections may be routed to the wrong pool member due to outdated persist records.
-- If tmm out-of-memory failure occurs, traffic disrupted while tmm restarts.
Workaround:
Disable persistence and/or connection mirroring if the standby device will be down for an extended period of time.
800189-1 : Changing log level may not increase logging to the verbosity expected
Links to More Info: BT800189
Component: TMOS
Symptoms:
If you change only the log level in ipsec ike-daemon ikedaemon, for example to debug2, this may not increase the actual logging verbosity.
Conditions:
Changing log-level to control the amount of debug logging.
Impact:
Cannot see as much verbose debug logging as expected.
Workaround:
In addition to log level, you must also specify a publisher. This is as-designed operation for logging, for example:
tmsh create sys log-config publisher my_publisher { destinations add { local-syslog }}
tmsh modify net ipsec ike-daemon ikedaemon log-publisher my_publisher
tmsh modify net ipsec ike-daemon ikedaemon log-level debug2
798885-2 : SNMP response times may be long when processing requests
Links to More Info: BT798885
Component: TMOS
Symptoms:
SNMP queries to the BIG-IP system may take longer (up to 15% more time) to process on BIG-IP systems with large configurations. mcpd CPU usage increases by a small amount (up to 10%) during these queries.
Conditions:
-- Large configuration.
-- Using SNMP to query statistics on the BIG-IP system.
Impact:
A small increase in response time to SNMP requests to the BIG-IP. Some SNMP queries might fail due to timeouts. mcpd CPU usage is slightly elevated while processing these queries.
Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.
797953 : Workaround for SSLo deployment failure from BigIQ to BIG-IP
Links to More Info: BT797953
Component: TMOS
Symptoms:
After you discover and import multiple SSLo BIG-IP systems into BigIQ, configure the SSLo topology on BigIQ, and deploy it, some of the BIG-IP systems deploy successfully while others might fail deployment with an invalid configuration error. This is a post-deployment error in which the update of /shared/iapp/interception-rules fails.
/shared/iapp/interception-rules is removed starting from RPM 7.0.
Conditions:
BIG-IP with SSLo RPM lower than 7.0.0.
Impact:
Some of the BIG-IP systems might fail deployment with an Invalid Configuration error, which results from the error updating /shared/iapp/interception-rules.
Workaround:
1. Discover and import the BIG-IP with SSLo to BigIQ (general setting deployment will be done as part of the import process)
2. On each BIG-IP, ssh to it and restart restjavad and restnoded and wait for the processes to be restarted.
3. Configure the SSLo configuration on BigIQ and deploy to BIG-IPs.
If the BIG-IP already has SSLo configuration prior to import into BigIQ and you encounter this issue, its SSLo configuration needs to be cleared first. Navigate to /Main/SSL Orchestrator/Configuration, click on the Delete Configuration button, confirm the deletion and then do the above 3 steps.
797821-1 : Logging profiles on /Common cannot be configured with publishers on other folders
Links to More Info: BT797821
Component: Application Security Manager
Symptoms:
Security logging profiles created on the /Common folder cannot be configured with publishers which exist on other folders, when creating or editing them from the GUI.
Conditions:
Attempting to create security logging profiles on a folder different from the folder of the publisher, and the logging profile is on /Common.
Note: In general, this setup is not advisable. Folders under /Common could be synced using a different device group than /Common, with fewer devices. This might cause sync failures when receiving objects in /Common which point to objects in different folders. It is better to create the publishers on /Common, and have the security logging profiles in other folders.
Impact:
Unable to create security logging profiles with sub folder configuration from the GUI.
Workaround:
It is possible to create this configuration from TMSH or REST API to work around the problem.
797609-2 : Creating or modifying some virtual servers to use an address or port list may result in a warning message
Links to More Info: BT797609
Component: TMOS
Symptoms:
Creating or modifying a virtual server with TCP or UDP profiles to use an address or port list may result in an error similar to:
01070096:3: Virtual server /Common/vs lists profiles incompatible with its protocol.
Conditions:
-- Configure virtual server using a TCP or UDP profile.
-- Attempt to attach an address or port list to the virtual server.
Impact:
Unable to configure a virtual server to use an address or port list.
Workaround:
Create a traffic-matching-criteria object manually, and associate it with the virtual server.
Note: The protocol of the traffic-matching-criteria object must match that of the virtual server.
796985-1 : Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'★
Links to More Info: BT796985
Component: TMOS
Symptoms:
The vCMP host or guest is upgraded, and the vCMP guest is 'Inoperative', with messages similar to the following in /var/log/ltm:
-- warning clusterd[1546]: 013a0005:4: Clusterd using /VERSION for SW specification.
-- info clusterd[1546]: 013a0023:6: Blade 1: No info received from slot: Starting up
-- err clusterd[1546]: 013a0004:3: result {
-- err clusterd[1546]: 013a0004:3: result.code 17237812
-- err clusterd[1546]: 013a0004:3: result.attribute float_mgmt2_ip
-- err clusterd[1546]: 013a0004:3: result.message 01070734:3: Configuration error: Cluster alt-address: 192.168.1.246 cannot be the same address family as cluster address: 192.168.1.246
-- err clusterd[1546]: 013a0004:3: }
-- err clusterd[1546]: 013a0004:3: Per-invocation log rate exceeded; throttling.
-- notice clusterd[1546]: 013a0006:5: Disconnecting from mcpd.
-- info clusterd[1546]: 013a0007:6: clusterd stopping...
Conditions:
-- Isolated vCMP guest.
-- Both 'Address' and 'Alt-Address' are assigned the same IPv4 address.
-- Upgrade occurs.
Impact:
Upon host/guest upgrade, vCMP guest is 'Inoperative'.
Workaround:
-- For new vCMP guests, or prior to booting the vCMP guest to an affected version for the first time, assign it a management-ip from the vCMP host. This prevents the alt-address from being assigned and the issue from occurring on subsequent upgrades.
host# tmsh modify vcmp guest <guest-name> management-ip 192.168.1.246/24
-- For existing vCMP guests already on an affected version, but not currently experiencing the issue, assign a management-ip from the vCMP host and remove the alt-address from within the vCMP guest to prevent the issue from occurring in a future upgrade or reboot:
host# tmsh modify vcmp guest <guest-name> management-ip 192.168.1.246/24
guest# tmsh modify sys cluster default alt-address none
-- When already upgraded and seeing the issue on a guest, set a management-ip from the vCMP host and run the following commands within the guest to remove the alternate address from the configuration file:
host# tmsh modify vcmp guest <guest-name> management-ip 192.168.1.246/24
guest# bigstart stop clusterd
guest# sed -i 's/alt_addr=.*//' /shared/db/cluster.conf
guest# bigstart start clusterd
795933-2 : A pool member's cur_sessions stat may incorrectly not decrease for certain configurations
Links to More Info: BT795933
Component: Local Traffic Manager
Symptoms:
Under certain conditions, a pool member's cur_sessions stat may increase, but not decrease when it should.
Conditions:
- The virtual server using the pool has an iRule attached that references global variables.
- The virtual server using the pool has an ASM security policy attached to it.
- Traffic flows to the pool member.
Impact:
Incorrect stats.
795633-3 : GUI and REST API unable to add virtual servers containing a space in the name to a pool
Links to More Info: BT795633
Component: Global Traffic Manager (DNS)
Symptoms:
The GUI and REST API are unable to add virtual servers containing a space in the name to a pool.
Conditions:
Virtual server name contains a space.
Impact:
Unable to manage pool members if the virtual server contains a space in the name.
Workaround:
Use tmsh.
795429-3 : Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks.
Links to More Info: BT795429
Component: TMOS
Symptoms:
An unrelated iControl REST transaction error message is returned when committing an iControl REST transaction that does not contain any tasks:
Error: Missing transaction ID for this call.
Conditions:
-- Committing an iControl REST transaction.
-- The transaction does not contain any tasks within 120 seconds of creating the transaction.
Impact:
Unrelated error message can be confusing and increase troubleshooting time.
Workaround:
None.
795285 : Key creation on non-existing NetHSM partition stays in create-fail loop for CloudHSM
Links to More Info: BT795285
Component: Local Traffic Manager
Symptoms:
Using CloudHSM in AWS (BIG-IP Virtual Edition (VE)), the ltm log contains the following messages (where 'testpartition' is the name of your partition):
-- err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label 'testpartition' on the netHSM.
-- err pkcs11d[9859]: 01680048:3: C_CloseSession: pkcs11_rv=0x000000b3, CKR_SESSION_HANDLE_INVALID .
-- err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label 'testpartition' on the netHSM.
-- err pkcs11d[9859]: 01680048:3: C_CloseSession: pkcs11_rv=0x000000b3, CKR_SESSION_HANDLE_INVALID .
-- err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label 'testpartition' on the netHSM.
-- err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label 'testpartition' on the netHSM.
Conditions:
-- Use CloudHSM in AWS.
-- Create a key on a nonexistent NetHSM partition.
Impact:
pkcs11d tries to create the key and fails nonstop.
Workaround:
To recover, you must reboot VE.
Note: Restarting pkcs11d or the cloudhsm.client service does not resolve the issue.
794585-2 : User cannot log in after license reactivation on vCMP host
Links to More Info: BT794585
Component: Access Policy Manager
Symptoms:
Client connections to an APM virtual server are reset after the license is reactivated on the vCMP host. The following errors appear in the vCMP guest's /var/log/apm:
Jerr tmm2[2666]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_get_license, Line: 9627
err tmm2[2666]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 3679
Conditions:
-- APM configured
-- License is reactivated on vCMP host.
Impact:
APM clients will not be able to log in.
Workaround:
Disassociate and then re-associate the APM profile with the virtual server.
794505-3 : OSPFv3 IPv4 address family route-map filtering does not work
Links to More Info: BT794505
Component: Local Traffic Manager
Symptoms:
Filtering IPv4 routes using route-map does not work. All the IPv4 redistributed routes fail to redistribute if the route-map is attached to the OSPFv3 IPv4 address-family.
Conditions:
1. Configure two OSPF sessions, one for the IPv4 address-family and the other for the IPv6 address family.
2. Redistribute kernel routes.
3. Check routes are propagated.
4. Add a route map to allow any IPv4 kernel route matching IP address.
Impact:
All routes fail to propagate and show that the IPv6 OSPF database external is empty. All IPv4 routes are blocked to redistribute instead of the routes mentioned in the route-map/prefix-list.
Workaround:
None.
794385-2 : BGP sessions may be reset after CMP state change
Links to More Info: BT794385
Component: Local Traffic Manager
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, there is a small chance that an ingress ACK packet of a previously established BGP connection is disaggregated to the new processing group (TMMs), and the selected TMM is ready to process traffic but is not yet ready to process traffic for the existing connection. In this case, the connection is not processed and is reset instead.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- A CMP state change occurs on one of the blades.
-- A BGP ingress ACK packet is disaggregated to a TMM that is either the wrong TMM or not ready to process the packet of an already established connection.
Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.
793217-2 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation
Links to More Info: BT793217
Component: Advanced Firewall Manager
Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.
Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.
Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.
Workaround:
Configure the rate-limit to be 10% more than what is desired.
793077 : Failed SSH logins no longer log entries into the audit log file
Links to More Info: BT793077
Component: TMOS
Symptoms:
When using SSH to log in to a BIG-IP system, failed login attempts are no longer logged in the /var/log/audit log file. Instead, failed logins continue to be logged in the /var/log/secure log file.
Conditions:
-- Using SSH to log into a BIG-IP system.
-- The login attempt fails (e.g., due to invalid credentials).
Impact:
Log file /var/log/audit no longer shows failed SSH login attempts.
Failed logins via GUI continue to be logged in /var/log/audit file.
Workaround:
View /var/log/secure log file for failed SSH login attempts.
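Monitoring that relied on /var/log/audit for failed SSH logins has to read /var/log/secure instead. The following Python is an added example, not F5 code: it extracts failed SSH logins from /var/log/secure-style lines and counts them per source address. The sample lines are constructed, and the syslog prefix and the standard OpenSSH "Failed <method> for ..." message format are assumptions about what the file contains.

```python
import re
import sys
from collections import Counter

# Standard OpenSSH failure message (assumed format). The match starts at the
# sshd[pid] tag, so the syslog prefix in front of it does not matter.
# Usernames are client-supplied and may contain spaces, so the user group is
# greedy and the pattern is anchored at the end of the line: the " from <src>
# port <n>" that sshd itself appended is always the last one on the line.
FAILED_SSH = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<src>\S+) port (?P<port>\d+)(?: ssh2)?\s*$"
)

# Constructed sample lines in the style of /var/log/secure (documentation
# address ranges; not taken from a real system).
SAMPLE_SECURE_LOG = (
    "May 28 10:15:01 bigip1 info sshd[4321]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "May 28 10:15:03 bigip1 info sshd[4321]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "May 28 10:15:09 bigip1 info sshd[4330]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "May 28 10:16:40 bigip1 info sshd[4402]: Accepted password for root from 192.0.2.10 port 40112 ssh2",
    "May 28 10:17:02 bigip1 info sshd[4410]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 60001 ssh2",
    "May 28 10:17:05 bigip1 info sshd[4411]: Failed password for invalid user svc backup from 198.51.100.7 port 60002 ssh2",
    "May 28 10:17:30 bigip1 notice sshd[4410]: pam_unix(sshd:session): session closed for user root",
)


def parse_failed_logins(lines):
    """Return one dict per failed SSH login found in the given log lines."""
    events = []
    for line in lines:
        match = FAILED_SSH.search(line)
        if match is None:
            continue  # successful logins and unrelated sshd messages
        events.append(
            {
                "user": match.group("user"),
                "invalid_user": match.group("invalid") is not None,
                "method": match.group("method"),
                "src": match.group("src"),
                "port": int(match.group("port")),
            }
        )
    return events


def sources_over_threshold(events, threshold):
    """Map source address -> failure count for sources at or above threshold."""
    counts = Counter(event["src"] for event in events)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # With a path argument, read that file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            log_lines = handle.read().splitlines()
    else:
        log_lines = SAMPLE_SECURE_LOG
    failed = parse_failed_logins(log_lines)
    for src, count in sorted(sources_over_threshold(failed, 3).items()):
        print(f"{src}: {count} failed SSH logins")
```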
792813-2 : The iRule command 'DNS::edns0 subnet address' returns an empty string when subnet info is not received
Links to More Info: BT792813
Component: Global Traffic Manager (DNS)
Symptoms:
When subnet info is not received, the iRule command 'DNS::edns0 subnet address' reports a Tcl error. Because that is optional information, the command should not report an error.
Conditions:
-- iRule command 'DNS::edns0 subnet address'.
-- DNS request is received without subnet info.
Impact:
Using the iRule command 'DNS::edns0 subnet address' reports a Tcl error.
Workaround:
None.
792045-1 : Prevent WAM cache type change for small objects
Links to More Info: BT792045
Component: WebAccelerator
Symptoms:
Transfer stalls.
Conditions:
- AAM is provisioned.
- Small object cache is configured.
- Response is a few bytes less than the small object threshold.
Impact:
Transfer stalls.
Workaround:
None.
791365-2 : Bad encryption password error on UCS save
Links to More Info: BT791365
Component: TMOS
Symptoms:
When a user with the admin role attempts to save a UCS with a passphrase, the following error is encountered:
[resource-admin@inetgtm1dev:Active:Standalone] ucs # tmsh save sys ucs /var/local/ucs/test-ucs passphrase password
Saving active configuration...
Error: Bad encryption password. <=========
Operation aborted.
/var/tmp/configsync.spec: Error creating package
WARNING:There are error(s) during saving.
Not everything was saved.
Be very careful when using this saved file!
Error creating package
Error during config save.
Unexpected Error: UCS saving process failed.
Conditions:
1) Log into the BIG-IP system as a user with admin role that has Advanced Shell access.
2) Attempt to create a UCS with a passphrase.
Impact:
Unable to save UCS with a passphrase.
Workaround:
This affects users logged in with the Admin role; you will be able to create a UCS with a passphrase while logged in as either the root user or as a user with the resource-admin role.
791061-2 : Config load in /Common removes routing protocols from other partitions
Links to More Info: BT791061
Component: TMOS
Symptoms:
While loading the /Common partition config, routing protocols configured on route-domains in other partitions are removed.
Conditions:
-- Configure route-domains on other partitions with routing-protocols.
-- Load the /Common partition config alone.
Impact:
Routing protocol configuration from other partitions is removed.
Workaround:
Reload the config with the command:
load sys config partitions all
790949-2 : MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.
Links to More Info: BT790949
Component: Service Provider
Symptoms:
Default values differ between tmsh and GUI documentation, and actual behavior. The special value 0 is documented to either disable the respective limit or apply a default value. Actual behavior for 0 is to silently apply internal default values of 32768 bytes and 256 messages, regardless of the protocol. These defaults might not match the profile default values for a given MRF protocol such as Diameter, SIP, or MQTT.
For some protocols such as Diameter, there is no validation of whether the maximum pending messages value falls within the acceptable range of 1-65535. Values outside that range are silently truncated to 16 bits, and a resulting value of 0 is then treated according to the actual behavior described above.
Some documented and actual default values have changed across releases.
Conditions:
An MRF router profile is configured with the 'Maximum Pending Bytes' or 'Maximum Pending Messages' parameter set to a non-default value or 0.
Affected MRF router profiles are: 'diameter', 'sip', 'mqtt' and 'generic'.
Impact:
Depending on the protocol, the limits might not take effect as configured.
Incorrect documentation and/or lack of validation could lead to configuring an invalid value.
Workaround:
None.
790113-2 : Cannot remove all wide IPs from GTM distributed application via iControl REST
Links to More Info: BT790113
Component: Global Traffic Manager (DNS)
Symptoms:
The following tmsh command allows you to delete all wide IPs using an 'all' specifier:
modify gtm distributed-app da1 wideips delete { all }
There is no equivalent iControl REST operation to do this.
Conditions:
This can be encountered while trying to delete all wide IPs from a distributed application via iControl REST.
Impact:
iControl REST calls that should allow you to remove all wide IPs from a GTM distributed application return an error, leaving you unable to complete the task via iControl REST.
Workaround:
You can use one of the following workarounds:
-- Use the WebUI.
-- Use the tmsh utility, for example:
tmsh modify gtm distributed-app da1 wideips delete { all }
-- Invoke tmsh from within the bash iControl REST endpoint, for example:
curl -u username:password -s -H 'Content-Type: application/json' -X POST -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh modify gtm distributed-app da1 wideips delete { all }'\"}" https://<IP>/mgmt/tm/util/bash
789181-3 : Link Status traps are not issued on VE based BIG-IP systems
Links to More Info: BT789181
Component: TMOS
Symptoms:
The Link Status traps, both F5 proprietary and standard LinkUp/LinkDown are issued on the BIG-IP hardware but not on BIG-IP Virtual Edition (VE) configurations.
Conditions:
This occurs when interfaces on hardware-based BIG-IP systems or VE-based BIG-IP configurations experience link status events (links go up or down, or are administratively enabled or disabled).
Impact:
Log messages are issued and SNMP traps are issued if an SNMP trap destination is configured.
On a VE-based BIG-IP system, these logs and traps do not occur.
As a result, an SNMP client waiting for a Link Status trap on an administrative enable or disable does not receive the trap.
Workaround:
None.
788645-4 : BGP does not function on static interfaces with vlan names longer than 16 characters.
Links to More Info: BT788645
Component: TMOS
Symptoms:
If a VLAN, VLAN group, or tunnel has a name with more than 15 characters, BGP does not function properly on that interface.
Conditions:
-- BGP Dynamic routing in use.
-- Interface name greater than 15 characters.
Impact:
BGP Dynamic Routing is not working.
Workaround:
1. Rename the interface using 15 or fewer characters.
2. Remove Static Binding and Bind to all interfaces.
788473-2 : Email sent from APM is not readable in some languages
Links to More Info: BT788473
Component: Access Policy Manager
Symptoms:
Email sent from APM is not readable in some languages.
Conditions:
APM administrator has configured Email Agent in the per-session policy.
Impact:
Users receiving the email in certain languages cannot read the email.
Workaround:
None.
788257-1 : Bigd.mgmtroutecheck setting ignored by in-tmm monitors after bigstart restart
Links to More Info: BT788257
Component: In-tmm monitors
Symptoms:
The bigd.mgmtroutecheck db variable can be enabled to prevent monitor traffic from going through the management interface (for information, see K14549: Overview of the 'bigd.mgmtroutecheck' database key :: https://support.f5.com/csp/article/K14549); however, if in-tmm monitors are configured, the setting will be ignored after a bigstart restart.
Conditions:
-- bigd.mgmtroutecheck is enabled
-- bigd.tmm is enabled (i.e., in-tmm monitors are configured).
-- tmm has a route configured to the management interface.
-- A pool member exists that matches a route through the management interface.
-- bigstart restart is performed.
Impact:
In-tmm monitor traffic uses the management interface if there is a route to the pool member via the management interface, even when bigd.mgmtroutecheck indicates it is enabled.
Workaround:
None
787973-3 : Potential memory leak when software crypto request is canceled.
Links to More Info: BT787973
Component: Local Traffic Manager
Symptoms:
Memory may occasionally leak when a software crypto request is cancelled before it has completed.
Conditions:
There are a number of reasons why a software crypto request may be canceled.
Impact:
Memory may leak.
Workaround:
No workaround.
787969-1 : Validation error regarding disabling DoS Software Mode is unclear
Links to More Info: BT787969
Component: Advanced Firewall Manager
Symptoms:
You encounter an error message: This platform does not support DoS hardware capability, which is needed to disable this sys db variable.
Conditions:
-- This can be encountered during system start, or when loading a UCS file.
-- The error is logged if the DB variable Dos.ForceSWDos is set to false on a platform that does not support hardware DoS capability.
Impact:
An error is logged, but the message does not make clear that the db variable Dos.ForceSWDos is set to false on a device that does not have hardware DoS capability.
Workaround:
None.
787905-4 : Improve initializing TCP analytics for FastL4
Links to More Info: BT787905
Component: Local Traffic Manager
Symptoms:
TCP analytics for FastL4 might stay uninitialized under specific circumstances.
Conditions:
System clock advances while initializing TCP analytics for FastL4.
Impact:
TCP analytics for FastL4 might stay uninitialized for a while and miss some analytics data.
Workaround:
N/A
786633-1 : Debug-level messages are being logged even when the system is not set up for debug logging
Links to More Info: BT786633
Component: TMOS
Symptoms:
With certain modules provisioned, the following debug apmd log events are reported to the logging server:
-- slot1/systemname debug apmd[14204]: GSSAPI client step 2.
-- err apmd[14204]: 01490107:3: ...: Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) (-2)
Conditions:
-- APM, APML, ASM, AVR, iRulesLX, LTM provisioned.
-- Configured to use Generic Security Service Application Program Interface (GSSAPI, also GSS-API).
Impact:
Debug-level messages are logged even when the BIG-IP system is not configured to use debug logging:
debug apmd[14204]: GSSAPI client step 2.
Workaround:
None.
785361-1 : In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped
Links to More Info: BT785361
Component: Local Traffic Manager
Symptoms:
If the BIG-IP system is configured in L2Wire mode, packets from srcIP 0.0.0.0 are dropped.
Conditions:
L2Wire mode.
Impact:
All srcIP 0.0.0.0 packets are dropped silently.
Workaround:
Configure the virtual server to be in L2-forward mode.
784981-1 : Modifying 'local-ip' for a remote syslog requires restarting syslog-ng
Links to More Info: BT784981
Component: TMOS
Symptoms:
A modified local IP address takes effect only after syslog-ng is restarted.
Conditions:
-- Configure the remote syslogs and allow some time to pass.
-- Change the local IP address.
Impact:
Change does not occur until you reboot or restart syslog-ng.
Workaround:
To cause the change to occur, restart syslog-ng:
bigstart restart syslog-ng
784733-3 : GUI LTM Stats page freezes for large number of pools
Links to More Info: BT784733
Component: TMOS
Symptoms:
When a configuration has approximately 5400 pools and 40,000 pool members, the GUI page may freeze indefinitely when you navigate to it to look at stats for all pools or for one pool.
Conditions:
Configurations with large number of pools and pool members, e.g., 5400 pools and/or 40,000 pool members.
Impact:
Cannot view pool or pool member stats in GUI.
Workaround:
Use iControl REST or TMSH to retrieve stats for such a large number of pools or pool members.
784565-2 : VLAN groups are incompatible with fast-forwarded flows
Links to More Info: BT784565
Component: Local Traffic Manager
Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.
Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.
Impact:
Some connections may fail.
Workaround:
None.
783969 : An invalid SSL close_notify might be sent in some cases.
Links to More Info: BT783969
Component: Local Traffic Manager
Symptoms:
If a clienthello is not fully received and parsed, any alert sent might be invalid (show an invalid version number).
Conditions:
-- A virtual server has a client-ssl profile.
-- The 'unclean-shutdown' option is disabled.
-- The virtual server receives an incomplete clienthello before shutting down.
Impact:
There is no functional impact, although alerts sent might show an invalid version number.
Workaround:
Enable unclean-shutdown (which is enabled by default).
783293-1 : Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window
Links to More Info: BT783293
Component: TMOS
Symptoms:
If you enter any of these three characters: < > & (less than, greater than, ampersand) into the GUI Preference page or the TMSH sys global-settings configuration, they are displayed in the GUI window as the corresponding escape sequences: &lt; &gt; &amp;.
Conditions:
Entering one of these three characters into GUI banner text settings: < > &.
Impact:
The GUI Logon page displays the following characters: &lt; &gt; &amp; instead of the specified characters: < > &.
Workaround:
None.
783145-4 : Pool gets disabled when one of its pool member with monitor session is disabled
Links to More Info: BT783145
Component: Local Traffic Manager
Symptoms:
When a pool has at least two pool members and one of its pool members that is associated with a monitor is disabled, the entire pool is marked disabled-by-parent.
Conditions:
-- Monitor assigned to a single pool member.
-- That member is manually disabled.
Impact:
The pool status for the entire pool is marked disabled-by-parent.
Workaround:
None.
782613-5 : Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp
Links to More Info: BT782613
Component: TMOS
Symptoms:
If a security firewall policy is part of an iApp inside a folder created by that iApp, then when the iApp is deleted, any config sync peer will not delete the policy when it deletes the rest of the iApp.
Conditions:
-- iApp with folder and security firewall policy is deleted.
-- High availability (HA) config sync configuration.
Impact:
The security policy is gone on the system where the iApp was initially deleted, but the peer still has that object, and it can't be deleted because it's part of an iApp.
Workaround:
None.
781985-1 : DNSSEC zone SEPS records may be wiped out from running configuration
Links to More Info: BT781985
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain circumstances, DNSSEC zone SEPS records may be wiped out from running configuration.
Conditions:
This occurs only with GTM configurations loaded by the command: tmsh load sys config gtm-only.
Impact:
SEPS records may be lost after a configuration reload.
Workaround:
None.
781733-2 : SNMPv3 user name configuration allows illegal names to be entered
Links to More Info: BT781733
Component: TMOS
Symptoms:
The validation of SNMPv3 user names is not strict, and allows users of both the GUI and TMSH to enter badly formed user names. When the SNMP daemon reads these user names from the snmpd.conf file, validation rejects the names.
Conditions:
Poorly formed SNMPv3 user names can be entered into configuration, for example, names with embedded spaces.
Impact:
The user names are not accepted by the SNMP daemon when it reads the configuration from the snmpd.conf file.
Workaround:
Use alphanumeric characters for SNMPv3 user names, and do not include embedded spaces in the names.
781485-4 : PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition
Links to More Info: BT781485
Component: Policy Enforcement Manager
Symptoms:
PEM spm_local_cache could get leaked on the STANDBY chassis.
Conditions:
-- If the high availability (HA) cluster switches to ACTIVE-ACTIVE mode during its lifetime.
-- PEM running in a Traffic-group configuration.
Impact:
Memory on the STANDBY chassis is leaked.
Workaround:
None.
781113-1 : Support to enable/disable reusing serverside TIME_WAIT connections
Links to More Info: BT781113
Component: Local Traffic Manager
Symptoms:
Currently, the serverside connections in TIME_WAIT state are reused for new serverside connections (by default) before TIME_WAIT expires. A mechanism is required to disable reusing the TIME_WAIT connections if needed.
Conditions:
A new serverside connection request is made that matches an existing TIME_WAIT connection and connection is reused.
Impact:
BIG-IP system behavior on reusing TIME_WAIT connections is configurable based on the tmm.reuse.ss.timewaitconns sys db.
tmm.reuse.ss.timewaitconns: enabled (the default)
-- A new serverside connection request comes for a TIME_WAIT serverside connection.
-- Connection is reused.
tmm.reuse.ss.timewaitconns: disabled
-- A new serverside connection request comes for a TIME_WAIT serverside connection.
-- "Port in use" error is returned.
Workaround:
There is no workaround at this time.
780857-3 : HA failover network disruption when cluster management IP is not in the list of unicast addresses
Links to More Info: BT780857
Component: Local Traffic Manager
Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.
Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.
Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning:
[root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
Workaround:
You can add an explicit management IP firewall rule to allow this traffic:
tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }
This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.
780745-2 : TMSH allows creation of duplicate community strings for SNMP v1/v2 access
Links to More Info: BT780745
Component: TMOS
Symptoms:
TMSH allows you to create multiple access records with the same IP protocol, same Source IP network, and same community string.
Conditions:
Duplicate access records are created in TMSH.
Impact:
Unintended permissions can be provided when an undesired access record with the correct community string is matched to a request instead of the desired access record.
Workaround:
Use the Configuration Utility to manage SNMP v1/2c access records. The GUI properly flags the error with the message:
The specified SNMP community already exists in the database.
If you use tmsh, ensure that community strings remain unique within each Source IP Network for each IP protocol.
780437-2 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
Links to More Info: BT780437
Component: TMOS
Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.
As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.
The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.
Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.
Symptoms for this issue include:
-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.
-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.
-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):
qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img
qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img
-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one or more vCMP guests:
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]
Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.
-- Large configuration with many guests.
-- The VIPRION chassis is rebooted.
-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
Impact:
-- Loss of entire configuration on previously working vCMP guests.
-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.
-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.
Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.
If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.
779793-2 : [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor
Links to More Info: BT779793
Component: Global Traffic Manager (DNS)
Symptoms:
Using BIG-IP Link Controller (LC), every 10 seconds, the system logs messages similar to the following example:
-- err mcpd[5570]: 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec.
-- err mcpd[5570]: 01071488:3: Remote transaction for device group /Common/gtm to commit id 1 6681134264373087063 /Common/ELC002.kbn.mlit.go.jp 0 failed with error 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec..
Conditions:
-- A bigip_link monitor with destination * written in bigip_gtm.conf.
-- That monitor is associated with a link.
-- The following command is run on one of the sync group peers:
tmsh load /sys config gtm-only.
Impact:
The LC system fails to load the configuration.
Workaround:
Run this command on the LC system that is logging the error message:
tmsh load /sys config gtm-only
779769-2 : [LC] [GUI] destination cannot be modified for bigip-link monitors
Links to More Info: BT779769
Component: Global Traffic Manager (DNS)
Symptoms:
The 'destination' for BIG-IP Link Controller (LC) bigip_link monitor cannot be modified through GUI.
Conditions:
Using the LC bigip_link monitor in the GUI.
Impact:
Cannot change 'destination' for LC bigip_link monitor through GUI.
Workaround:
Use tmsh.
779633-1 : BIG-IP system reuses serverside TIME_WAIT connections irrespective of TMMs used
Links to More Info: BT779633
Component: Local Traffic Manager
Symptoms:
When reusing a serverside TIME_WAIT connection, the BIG-IP system:
-- Establishes the new connection if clientside/serverside connections are on the same TMM.
-- Sends a RST 'Unable to obtain local port' if clientside/serverside connections are on different TMMs.
Conditions:
This happens in two scenarios:
Scenario 1:
-- A new serverside connection is requested that matches an existing TIME_WAIT connection (e.g., by using source-port preserve-strict in the virtual server)
-- Clientside/serverside connections are on the same TMM.
Scenario 2:
-- Clientside/serverside connections are on different TMMs.
Impact:
BIG-IP system behavior is inconsistent. In one case, BIG-IP establishes the connection. In the other case, BIG-IP resets the connection.
Workaround:
None.
779185-3 : Forward zone deleted when wideip updated
Links to More Info: BT779185
Component: Global Traffic Manager (DNS)
Symptoms:
When a forward zone is configured in zonerunner, and a wideip is configured in the same zone, BIG-IP may delete the bind zone whenever the wide ip's pool members are modified.
Subsequent modifications of the same zone will then result in a new primary zone being created in bind.
Conditions:
- A forward zone is configured in bind (zonerunner)
- The pool members associated with a wideip are modified
Impact:
Queries that do not match wideips are passed to bind for processing, and are no longer forwarded to the nameserver configured in the forward zone.
Workaround:
- Recreate the zonerunner forward zone after modifying the wideip
779137-2 : Using a source address list for a virtual server does not preserve the destination address prefix
Links to More Info: BT779137
Component: Local Traffic Manager
Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.
Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).
Impact:
Traffic does not flow to the virtual server as expected.
Workaround:
See K58807232
778501-1 : LB_FAILED does not fire on failure of HTTP/2 server connection establishment
Links to More Info: BT778501
Component: Local Traffic Manager
Symptoms:
When the server connection fails to be established due to server being down or actively rejecting the connection, LB_FAILED should fire and allow a new destination to be selected via iRule.
Conditions:
- iRule with LB_FAILED event
- server connection establishment fails
Impact:
Selection of a new destination via LB_FAILED is not possible, thus the client connection will be aborted.
Workaround:
No workaround available.
778333-3 : GUI/CLI max-in-progress discrepancy occurs after upgrade from v11.x to v13.x or later
Links to More Info: BT778333
Component: Access Policy Manager
Symptoms:
If there is an access profile that was created using BIG-IP v11.x or earlier, with a default value of max-in-progress(0), when the configuration is upgraded to v13.x or later, the GUI shows max-in-progress as 128, but at the CLI and in the database, the actual value is 0.
Conditions:
In versions earlier than v13.x, the field 'Max In Progress Sessions Per Client IP' was set to 0 by default; from v13.x, the value is 128.
Impact:
There is a max-in-progress discrepancy between the GUI and the CLI.
Workaround:
During upgrade validation, manually add 'Max In Progress Sessions Per Client IP' to user_spec if it was set to the default value.
The upgrade then treats the field as a customized value, so the discrepancy disappears.
778225-3 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
Links to More Info: BT778225
Component: Protocol Inspection
Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guests do not install the f5_api_com key and certificate.
Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).
Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.
Workaround:
Install the hitless upgrade IM package manually.
778041-1 : tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)
Links to More Info: BT778041
Component: TMOS
Symptoms:
When tcpdump is invoked with the epva option on a non-epva platform (BIG-IP Virtual Edition, for example), it fails with an unclear message:
errbuf:DPT Provider fatal error. Provider:ePVA Provider. No valid arguments.
Conditions:
-- Using a non-epva platform such as VE.
-- Calling the epva option:
+ Directly:
tcpdump -i 0.0 --f5 epva
+ Indirectly using 'all' (which includes epva):
tcpdump -i 0.0 --f5 all
Impact:
The message does not clearly indicate what the issue is, or how to get tcpdump to run with the 'all' option on non-epva platforms.
Workaround:
Do not use the explicit epva option on non-epva platforms (it does not work anyway, as there is no epva debug information on those platforms).
Instead of 'all', explicitly specify other, non-epva providers on such platforms, for example, specifying 'noise' and 'ssl' providers:
tcpdump -i 0.0 --f5 n,ssl
777389-1 : In rare occurrences related to PostgreSQL monitor, the mcpd process restarts
Links to More Info: BT777389
Component: TMOS
Symptoms:
Possible indications include the following:
-- Errors such as the following may appear in ltm/log:
- notice postgres[10872]: [466-1] WARNING: pgstat wait timeout.
- notice sod[27693]: 01140041:5: Killing /usr/bin/mcpd pid 7144.
- BD_CONF|ERR| ...failed to connect to mcpd after 5 retries, giving up...
- BD_CONF|ERR| ...can't read message from mcp conn, status:16908291.
- BD_MISC|CRIT| ...Received SIGABRT - terminating.
-- Errors such as the following may appear in the dwbld/log:
- Couldn't send BLOB notification - MCP err 16908291.
- Got a terminate/abort signal - terminating ...
- Terminating mcp_bridge thread.
-- Processes may restart unexpectedly, including mcpd, bd, and postgresql.
Conditions:
-- The 'mcpd' process attempts to read monitoring data from the PostgreSQL server, but no data is available.
-- A contributing factor might be that the AFM module is licensed but not configured.
Impact:
Failing to receive a monitoring response from the SQL server, MCPD goes into an infinite loop and skips the heartbeat report, resulting in its restart. While MCPD is restarting, the system is offline and does not process traffic. After restart, system operation returns to normal.
Workaround:
The chance of occurrence can be minimized by making sure that control-plane processes have sufficient memory to run efficiently.
777245-1 : DNSSEC client-facing SOA zone serial does not update when DNSSEC related RR changes
Links to More Info: BT777245
Component: Global Traffic Manager (DNS)
Symptoms:
In certain cases, a DNSSEC client-facing SOA zone serial does not always update when DNSSEC-related resource records change.
Conditions:
A DNSSEC-related resource record changes.
Impact:
A DNSSEC client-facing SOA zone serial may not always update.
Workaround:
None.
777165-1 : Occasional crash from sessiondump
Links to More Info: BT777165
Component: Access Policy Manager
Symptoms:
When displaying large binary keys, the sessiondump command can crash due to a buffer overrun.
Conditions:
-- Running the following command:
sessiondump --allkeys
-- Large binary keys exist.
Impact:
The sessiondump command crashes; requested keys are not displayed.
Workaround:
None.
776489-2 : Remote authentication attempts to resolve only LDAP host against the first three name servers configured.
Links to More Info: BT776489
Component: TMOS
Symptoms:
'Login failed' is displayed on the BIG-IP system's login screen.
Conditions:
-- Remote authentication is enabled.
-- There are more than three name servers configured.
Impact:
Admins may not be able to log into the BIG-IP GUI with their admin user account if the first 3 configured DNS name servers are not reachable.
Workaround:
None.
776117-3 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
Links to More Info: BT776117
Component: TMOS
Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.
Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.
Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.
775845-2 : Httpd fails to start after restarting the service using the iControl REST API
Links to More Info: BT775845
Component: TMOS
Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.
Similar to the following example:
config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
"kind": "tm:sys:service:restartstate",
"name": "httpd",
"command": "restart",
"commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}
config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]
Conditions:
Restarting httpd service using iControl REST API.
Impact:
Httpd fails to start.
Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:
killall -9 httpd
tmsh start sys service httpd
775801-2 : [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener
Links to More Info: BT775801
Component: Global Traffic Manager (DNS)
Symptoms:
'Route Advertisement' is not enabled even if you check the checkbox.
Conditions:
Creating GTM listener using the GUI.
Impact:
'Route Advertisement' is not enabled.
Workaround:
After the listener is created, modify the listener in the GUI and check the checkbox for 'Route Advertisement', and save.
775797-2 : Previously deleted user account might get authenticated
Links to More Info: BT775797
Component: TMOS
Symptoms:
A user account which may have originally been manually configured as a local user (auth user) but may have since been removed, might still get authenticated and be able to modify the BIG-IP configuration.
Conditions:
-- User account configured as local user.
-- The user account is deleted later.
(Note: The exact steps to produce this issue are not yet known).
Impact:
The deleted user that no longer exists in the local user list and which is also not explicitly authorized by remote role groups, can get authenticated. The deleted user is also able to modify the BIG-IP configuration via iControl.
Workaround:
None.
775733-1 : /etc/qkview_obfuscate.conf not synced across blades
Links to More Info: BT775733
Component: TMOS
Symptoms:
By default, sensitive data, such as SSL keys, are excluded from QKView files. However, in some cases you may want to include sensitive information in the QKView file, so it must be obfuscated for security purposes. (Note: For information on how to configure this feature, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.)
In high availability (HA) configurations, the /etc/qkview_obfuscate.conf file is not copied to secondary blades on chassis platforms during sync operations.
Conditions:
-- Run qkview.
-- Upload qkview file to iHealth.
Impact:
Potentially sensitive information could be uploaded to iHealth or F5 Support. This occurs because, when there is an obfuscate.conf on the active, qkview automatically gathers the same information on the blades but does not obfuscate that sensitive data.
Workaround:
Manually copy /etc/qkview_obfuscate.conf to all blades.
Note: Do not upload sensitive data to iHealth or F5 Support. If you are obfuscating data, make sure to complete this step for every blade.
774817-2 : ICMP packets are intermittently forwarded out of both VLAN group members
Links to More Info: BT774817
Component: Local Traffic Manager
Symptoms:
ICMP packets are sent out on the wrong interface.
Conditions:
BIG-IP system is configured in VLAN group-based L2 transparent mode.
Impact:
The ICMP packet sent out on the wrong VLAN is dropped by the receiving router because the destination MAC address does not match that of the router. Typically, a topology for asymmetric traffic flows across VLAN groups has VLAN asymmetry built in using routers.
Workaround:
None.
774261-1 : PVA client-side current connections stat does not decrease properly
Links to More Info: BT774261
Component: Local Traffic Manager
Symptoms:
When FTP is used with bigproto, the PVA client-side current connections stat does not decrease after connections are closed.
Conditions:
-- Use an FTP virtual server.
-- End user clients connect to the virtual server.
Impact:
An incorrect stat for client-side current connections will be reported for 'tmsh show sys pva-traffic global' and 'tmctl pva_stat'.
Example:
config # tmsh show sys pva-traffic global
-------------------------------------------------
Sys::PVA
-------------------------------------------------
PVA Traffic              ClientSide  ServerSide
  Bits In                     23.6K      219.7K
  Bits Out                   219.7K       23.6K
  Packets In                     40         335
  Packets Out                   335          40
  Current Connections           295           0   <-----
  Maximum Connections           296           8
  Total Connections             335          40
Miscellaneous
  Cur PVA Assist Conns            0
  Tot PVA Assist Conns          335
  HW Syncookies Generated         0
  HW Syncookies Detected          0
config # tmsh show sys conn all-properties
Really display 1000 connections? (y/n) y
Sys::Connections
Total records returned: 0 <--------- No connections; this is the correct state.
Workaround:
This issue does not occur when 'inherit parent profile' is enabled on the FTP profile used by the virtual server.
774225-3 : mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting
Links to More Info: BT774225
Component: Global Traffic Manager (DNS)
Symptoms:
mcpd is in a restart loop after creating an internal DNSSEC FIPS key on a secondary GTM while rebooting the primary DNSSEC key generator GTM (gtm.peerinfolocalid==0).
Conditions:
New DNSSEC internal FIPS key is created and assigned to DNSSEC zone when BIG-IP system with gtm.peerinfolocalid==0 is down.
Impact:
mcpd is in a restart loop.
Workaround:
For maintenance window operations, set DNSSEC peer leader to the unit that will remain UP while rebooting the primary key generator in sync group (gtm.peerinfolocalid==0).
# tmsh modify gtm global-settings general peer-leader <gtm-server-name>
After the reboot is complete, all devices are back up, and everything looks good in the configs, clear the peer-leader setting:
# tmsh modify gtm global-settings general peer-leader none
If there are two GTM units: GTM1 (having gtm.peerinfolocalid == 0), GTM2, and you are going to reboot GTM1, then before rebooting, run the following command to configure the DNSSEC peer-leader setting:
# tmsh modify gtm global-settings general peer-leader GTM2
After reboot, clear the peer-leader setting:
# tmsh modify gtm global-settings general peer-leader none
774173-2 : WebUI - Cipher Group preview causes high availability (HA) sync state to become Changes Pending
Links to More Info: BT774173
Component: Local Traffic Manager
Symptoms:
In the GUI, editing a cipher group without submitting causes the high availability (HA) configuration sync state to become 'Changes Pending'.
Conditions:
Edit cipher group in GUI without submitting.
Impact:
HA sync state becomes 'Changes Pending' even though you have not submitted the changes.
Workaround:
Edit and preview cipher group using tmsh:
tmsh modify ltm cipher group
tmsh show ltm cipher group
773577-2 : SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
Links to More Info: BT773577
Component: TMOS
Symptoms:
On an SNMPv3 configuration, when a security-name and a username are the same but have different passwords, traps are not properly crafted.
Conditions:
security-name is the same as an SNMPv3 username.
Impact:
SNMP traps cannot be decoded.
Workaround:
Delete or rename user.
773333-2 : IPsec CLI help missing encryption algorithm descriptions
Links to More Info: BT773333
Component: TMOS
Symptoms:
The CLI help for IPsec does not list the encryption algorithms.
Conditions:
LTM licensed on the BIG-IP.
Impact:
Unable to view the help.
Workaround:
None. The actual command line help should be:
(/Common)(tmos)# create net ipsec ike-peer test version add { v2 } phase1-encrypt-algorithm ?
Specifies the encryption algorithm used for the isakmp phase 1 negotiation. This directive must be defined. Possible value is one of following:
3des, aes128, aes192, aes256, blowfish, camellia, cast128, des
Note: The values blowfish, cast128, and camellia are v1 only.
773229-2 : Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances
Links to More Info: BT773229
Component: Local Traffic Manager
Symptoms:
If a virtual server starts with a FastL4 profile with an idle_timeout of zero, and this profile is then replaced with one that has a non-zero idle_timeout, it can cause traffic to fail with a 'No flow found for ACK' error in the RST packet (if DB variable tm.rstcause.pkt is enabled) or logged (if DB variable tm.rstcause.log is enabled).
Conditions:
-- There is a virtual server configured with a FastL4 profile with an idle-timeout setting of zero ('immediate').
-- The FastL4 profile is replaced with one that has a non-zero idle-timeout setting.
Impact:
Traffic no longer passes through the virtual server properly.
Workaround:
To avoid this issue, if you need to change the FastL4 profile in this manner, delete and recreate the entire virtual server rather than replace the profile.
Impact of workaround: This results in a traffic disruption for that virtual server.
If the issue has already occurred, the only way to recover is to restart TMM.
Impact of workaround: This also results in a traffic disruption, this time a general one.
773173-1 : LTM Policy GUI is not working properly
Links to More Info: BT773173
Component: TMOS
Symptoms:
The GUI is not displaying LTM policies created with a rule in which log criteria is 'action when the traffic is matched'.
Also, some of the Actions disappear while adding multiple actions in a rule.
Using tmsh shows the policies created in the GUI.
Conditions:
From the GUI, create LTM policies with a rule in which log criteria is 'action when the traffic is matched'.
Impact:
GUI is not displaying LTM policies created with log as action in rule.
Workaround:
Use tmsh.
772497-5 : When BIG-IP is configured to use a proxy server, updatecheck fails
Links to More Info: BT772497
Component: TMOS
Symptoms:
Executing Update Check fails when run on a BIG-IP system that is behind a proxy server.
Conditions:
-- A proxy server is configured on the BIG-IP system using proxy.host db variable (and associated port, protocol, etc.).
-- You run Update Check.
Impact:
The Update Check fails to connect because the script resolves the IP address prior to sending the request to the proxy server.
Workaround:
You can use either of the following workarounds:
I
=======
Modify the /usr/bin/updatecheck script to not resolve the service ip for callhome.f5.com. To do so, remove the script text 'PeerAddr => $service_ip,' from lines 336,337:
1. Locate the following section in the script:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
SSL_hostname => $service_name,
2. Update the script to remove the content 'PeerAddr => $service_ip,', so that it looks like the following example:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( SSL_hostname => $service_name,
II
=======
As an alternative, use a sed command, as follows:
1. Remount /usr as rw.
2. Run the following command (the single quotes keep the shell from expanding $service_ip before sed sees it):
# sed -e 's/PeerAddr => \$service_ip,//' -i /usr/bin/updatecheck
771137-2 : vCMP host reports much larger 'Virtual-disk' usage than du reports on the guest
Links to More Info: BT771137
Component: TMOS
Symptoms:
Host and guest 'used disk space' data is inconsistent.
Conditions:
-- Copy a file in the guest and check the 'Disk Use (bytes)' field using 'tmsh show vcmp virtual-disk' in the host and the du utility in the guest.
-- Delete the file and check the size again.
Impact:
vCMP host reports much larger 'Virtual-disk' usage than du reports on the guest.
Workaround:
None.
770657-2 : On hardware platforms with ePVA, some valid traffic is blocked when in L2 transparent mode and syn cookies are enabled
Links to More Info: BT770657
Component: TMOS
Symptoms:
Valid traffic gets blocked under L2 transparent mode if syn cookie protection is enabled.
Conditions:
-- In L2 transparent mode.
-- Syn cookie protection is enabled.
-- ePVA offloading is enabled.
-- BIG-IP platform contains the embedded Packet Velocity Acceleration (ePVA) chip.
-- Attack traffic in progress.
Impact:
Some valid traffic gets blocked.
Workaround:
None.
769145-2 : Syncookie threshold warning is logged when the threshold is disabled
Links to More Info: BT769145
Component: TMOS
Symptoms:
Setting connection.syncookies.threshold to zero disables the threshold, but the system still reports log messages similar to:
warning tmm3[18189]: 01010055:4: Syncookie embryonic connection counter 38 exceeded sys threshold 0
Conditions:
Setting connection.syncookies.threshold to zero.
Impact:
Warnings that do not provide valid information. If the threshold value is a non-zero value, it does indicate an issue. However, this message is benign when the end of the message reads 'exceeded sys threshold 0'.
Workaround:
None.
769029-1 : Non-admin users fail to create tmp dir under /var/system/tmp/tmsh
Links to More Info: BT769029
Component: TMOS
Symptoms:
The cron.daily/tmpwatch script deletes the /var/system/tmp/tmsh directory. After some time, the tmsh directory is created again as part of another cron job.
During the interval, if a non-admin user accesses tmsh, tmsh creates the /tmp/tmsh directory with that user's permissions, which creates issues for subsequent non-admin user logons.
Conditions:
A non-admin user accesses tmsh while /var/system/tmp/tmsh is deleted.
Impact:
The first non-admin user can access tmsh. Other, subsequent non-admin users receive the following error:
01420006:3: Can't create temp directory, /var/system/tmp/tmsh/SKrmSB, errno 13] Permission denied.
After some time this /var/system/tmp/tmsh permission is updated automatically.
Workaround:
To prevent this issue, run the following in one of two ways:
-- As root user in bash shell.
-- As a cronjob running in a per-case frequency.
root@bigip# export TARGET=/var/system/tmp/tmsh; [ ! -d $TARGET ] && mkdir -p $TARGET; chmod 1777 $TARGET; unset TARGET
767977 : Source port unexpectedly changes on message connections
Links to More Info: BT767977
Component: Service Provider
Symptoms:
When a connection closes, the connection will close before sending any remaining pending messages.
Conditions:
This occurs when a message-based connection closes while the connection still has pending messages. The connection closes (TCP FIN) while messages are waiting to be sent.
Impact:
The unsent messages are dropped.
Workaround:
.
767305-2 : If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
Links to More Info: BT767305
Component: TMOS
Symptoms:
Upon querying a sysTmmStat* SNMP OID (for example, sysTmmStatTmUsageRatio5s), you find your SNMP client returns an error message similar to the following example:
No Such Instance currently exists at this OID
The very next time you query that same SNMP OID (or any other sysTmmStat* SNMP OID), you find they all work as expected and return the correct result.
Conditions:
This issue occurs after restarting only the mcpd daemon, i.e., running bigstart restart mcpd.
Impact:
All sysTmmStat* SNMP OIDs do not work until one of them is queried at least once, and the query is allowed to fail. After that, all sysTmmStat* SNMP OIDs work as expected.
Workaround:
Restart all services together, i.e., running the command: bigstart restart.
Should the mcpd daemon happen to be restarted on its own, you can simply ignore the error message and allow your SNMP polling station to fail a single polling cycle.
If you want to ensure that this issue does not occur, for example, so that your SNMP polling station does not generate unnecessary alarms, do not restart the mcpd daemon on its own, but rather restart all services together by running the following command:
bigstart restart
767217-2 : Under certain conditions when deleting an iRule, an incorrect dependency error is seen
Links to More Info: BT767217
Component: Local Traffic Manager
Symptoms:
If an iRule is being referenced by another iRule, and the reference is then removed, attempts to delete the formerly referenced iRule will result in an error similar to the following:
01070265:3: The rule (/Common/irule1) cannot be deleted because it is in use by a rule (/Common/irule2).
Conditions:
-- An iRule referencing another iRule.
-- The referencing iRule is in use.
Impact:
Unable to delete the iRule.
Workaround:
Save and re-load the configuration.
766601 : SSL statistics are updated even in forward proxy bypass
Links to More Info: BT766601
Component: Local Traffic Manager
Symptoms:
The SSL statistics are updated even in the event of forward proxy bypass.
Conditions:
SSL and forward proxy bypass are configured on a virtual server.
Impact:
This is a display only issue; there is no functional or performance impact.
Workaround:
None.
766593-1 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
Links to More Info: BT766593
Component: Local Traffic Manager
Symptoms:
RESOLV::lookup returns empty string.
Conditions:
Input bytes array is at length of 4, 16, or 20.
For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]
Impact:
RESOLV::lookup returns empty string.
Workaround:
Use lindex 0 to get the first element of the array.
For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]
766321-1 : boot slots created on pre-14.x systems lack ACLs
Links to More Info: BT766321
Component: TMOS
Symptoms:
Creation of HD1.x slots from 14.1.0.2 creates filesystems with slightly different properties than on slots created from 12.1.x, for example. This allows ACL/XATTR support by default for the former units, which can trigger errors in some 14.1.x installations.
Conditions:
- Running 14.x, which had its slot created from a system running 12.x or 14.x
- Triggering journal creation (login? tmsh commands? unclear)
Impact:
An error may be generated after creating the journal:
warning kernel: [143381.837840]: systemd-journald[658]: Failed to read ACL on /var/log/journal/sample/user-sample.journal, ignoring: Operation not supported
This instance of the error message might not be critical.
If anything else depends on the ACLs to be present right at the start of the installation, some components might behave differently.
765969-1 : HSB register dump missing from hsb_snapshot
Links to More Info: BT765969
Component: TMOS
Symptoms:
Running hsb_snapshot tool fails on B4450 blades with the following message:
Too many rows in tmm/hsb_internal_pde_info table
This issue also occurs on iSeries i15xxx.
Conditions:
When vCMP is provisioned on VIPRION B4450 blades or on the iSeries i15xxx platforms.
Impact:
HSB register dump is not available in hsb_snapshot or qkview for diagnostic purpose.
Workaround:
None.
765365-1 : ASM tries to send response cookies after response headers already forwarded - makes CSRF false positive
Links to More Info: BT765365
Component: Application Security Manager
Symptoms:
ASM blocks a legal request and fires CSRF false positive violations when csrf JavaScript code is injected into a page without an html tag.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF protection configured.
-- HTML pages learning features enabled (BruteForce/WebScraping).
-- CSRF JavaScript code is injected into a page without an html tag.
Impact:
HTTP requests are blocked sometimes when they should not be.
Workaround:
To work around this issue, configure the following ASM internal parameter and then restart ASM, as follows:
/usr/share/ts/bin/add_del_internal add cs_resp_ingress_count 1
bigstart restart asm
764969-3 : ILX no longer supports symlinks in workspaces as of v14.1.0
Links to More Info: BT764969
Component: TMOS
Symptoms:
The GUI and TMSH report an error message if a symlink is present, and the workspace does not run. The error appears similar to the following:
General database error retrieving information.
General error: 01070711:3: boost::filesystem::status: Permission denied: "/var/ilx/workspaces/Common/test_links1/tmp_file" in statement [SELECT COUNT(*) FROM dev_workspace WHERE name LIKE '%'].
Conditions:
-- An ILX workspace is in the configuration.
-- The workspace contains a symlink.
-- Install the relevant rpm package with --no-bin-links (e.g., npm install <package-name> --no-bin-links).
Impact:
The ILX module is not accessible via the GUI, and the workspace with the symlink cannot be run.
Workaround:
1. Remove the symlink.
2. Copy the file into the workspace.
764901-2 : PEM policy filters rules memory gets leaked if policy is deleted before deleting the rules
Links to More Info: BT764901
Component: Policy Enforcement Manager
Symptoms:
There is a memory leak associated with deleting policies before rules.
Conditions:
If a policy is deleted before its rules are deleted.
Impact:
Memory leak.
Workaround:
Delete all rules in a policy prior to a policy delete operation.
763197-3 : Flows not mirrored on wildcard Virtual Server with opaque VLAN group
Links to More Info: BT763197
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) configuration using an opaque VLAN group and a default (wildcard, 0.0.0.0/0) virtual server configured for connection mirroring, the standby device does not create the mirrored connection.
Conditions:
-- VLAN group configured and set to opaque.
-- db vlangroup.forwarding.override is set to 'disable'.
-- Default virtual server configured for all ports (destination 0.0.0.0/0 :0) with connection mirroring.
Impact:
In the event of a failover, connections that are expected to be mirrored will fail, which can cause traffic loss and client disruption.
Workaround:
None.
763145-1 : TMM Crash when using certain HTTP iRules with HTTP Security Profile
Links to More Info: BT763145
Component: Local Traffic Manager
Symptoms:
TMM could crash with core when HTTP Security Profile (Protocol Security, PSM) is on the Virtual Server, and using an iRule with either the HTTP::redirect or HTTP::respond commands, together with HTTP::disable on the same event. This is normally an incorrectly written iRule, but TMM crashes in this case.
Conditions:
-- HTTP Security Profile is used.
-- iRules contain HTTP::disable command and either HTTP::redirect or HTTP::respond on the same event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Edit the iRules to prevent calling HTTP::disable together with HTTP::respond or HTTP::redirect.
763093-3 : LRO packets are not taken into account for ifc_stats (VLAN stats)
Links to More Info: BT763093
Component: Local Traffic Manager
Symptoms:
The ifc_stats do not correctly reflect the number of incoming octets/packets. There is a discrepancy between octets/packets in/out in the ifc_stats table, which tracks per-VLAN stats.
Conditions:
LRO is enabled and used for incoming packets.
Impact:
ifc_stats are incorrect for incoming octets and packets.
Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
After modifying that variable, you must restart tmm for it to take effect (traffic disrupted while tmm restarts):
bigstart restart tmm
762097-1 : No swap memory available after upgrading to v14.1.0 and above★
Links to More Info: BT762097
Component: TMOS
Symptoms:
After an upgrade to v14.1.0 or higher, swap memory may not be mounted. TMM or other host processes may restart due to lack of memory.
Conditions:
-- System is upgraded to v14.1.0 or above.
-- System has RAID storage.
Impact:
May lead to low or out-of-memory condition. The Linux oom killer may terminate processes, possibly affecting service.
Typically management activities may be impacted, for example, a sluggish GUI (config utility) or tmsh sessions.
Workaround:
Mount the swap volume with correct ID representing the swap device.
Perform the following steps on the system after booting into the affected software version:
1. Get the correct ID (RAID device number (/dev/md<number>)):
blkid | grep swap
Note: If there is no RAID device number, perform the procedure detailed in the following section.
2. Check the device or UUID representing swap in /etc/fstab.
3. If swap is not represented with the correct ID, modify the /etc/fstab swap entry to point to the correct device.
4. Enable the swap:
swapon -a
5. Check swap volume size:
swapon -s
If the blkid command shows there is no UUID associated with the swap RAID device, use the following procedure:
1. Generate a random UUID:
uuidgen
2. Make sure swap is turned off:
swapoff -a
3. Recreate the swap partition with UUID generated in step 1:
mkswap -U <uuid_from_step_1> <raid_device_from_step_1>
4. Run blkid again to make sure that you now have a UUID associated with the raid device:
blkid | grep swap
5. Edit /etc/fstab and find the line:
<old_value> swap swap defaults 0 0
6. Replace the old value, whether it was an incorrect UUID or a device name, with the UUID generated in step 1, for example:
UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0
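Steps 1 through 3 of the first procedure can be checked without changing anything on the system. The following is an added example, not F5 code: it compares saved 'blkid' output with an fstab file and reports which of the two procedures applies. The function names, the status words, the /dev/md11 and /dev/md5 device names and the sample files are constructed for illustration; the UUID is the one from the example line above.

```shell
#!/bin/sh
# Added example: read-only comparison of the swap device reported by blkid
# with the swap entry in fstab. Nothing here modifies the system.

# Print "<device> <uuid>" for the first swap device in saved blkid output.
# <uuid> is "-" when blkid reported no UUID for that device.
swap_from_blkid() {
    awk '
        /TYPE="swap"/ {
            dev = $1
            sub(/:$/, "", dev)
            uuid = "-"
            # The leading space keeps PARTUUID= from matching.
            if (match($0, / UUID="[^"]*"/))
                uuid = substr($0, RSTART + 7, RLENGTH - 8)
            print dev, uuid
            exit
        }
    ' "$1"
}

# Print the first field (device or UUID=...) of the active swap line in fstab.
swap_spec_from_fstab() {
    awk '$1 !~ /^#/ && $3 == "swap" { print $1; exit }' "$1"
}

# check_swap_entry BLKID_OUTPUT_FILE FSTAB_FILE
# Prints one of:
#   ok        fstab already names the swap device or its UUID
#   mismatch  fstab names something else; correct the entry (step 3)
#   no-uuid   swap device has no UUID; use the uuidgen/mkswap procedure
#   no-swap   blkid output lists no swap device at all
check_swap_entry() {
    found=$(swap_from_blkid "$1")
    spec=$(swap_spec_from_fstab "$2")
    [ -n "$found" ] || { echo "no-swap"; return 0; }
    dev=${found% *}
    uuid=${found#* }
    if [ "$spec" = "$dev" ] || { [ "$uuid" != "-" ] && [ "$spec" = "UUID=$uuid" ]; }; then
        echo "ok"
    elif [ "$uuid" = "-" ]; then
        echo "no-uuid"
    else
        echo "mismatch"
    fi
}

# Run the check against three constructed scenarios, one result per line.
demo_swap_check() {
    tmp=$(mktemp -d) || return 1
    # Constructed blkid output: swap device with a UUID.
    cat > "$tmp/blkid_uuid" <<'EOF'
/dev/md2: UUID="11111111-2222-3333-4444-555555555555" TYPE="ext3"
/dev/md11: UUID="8b35b30b-1076-42bb-8d3f-02acd494f2c8" TYPE="swap"
EOF
    # Constructed blkid output: swap device without a UUID.
    cat > "$tmp/blkid_nouuid" <<'EOF'
/dev/md11: TYPE="swap"
EOF
    # Constructed fstab files: correct UUID entry, and a stale device name.
    cat > "$tmp/fstab_uuid" <<'EOF'
# constructed sample
UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0
EOF
    cat > "$tmp/fstab_stale" <<'EOF'
/dev/md5 swap swap defaults 0 0
EOF
    check_swap_entry "$tmp/blkid_uuid" "$tmp/fstab_uuid"
    check_swap_entry "$tmp/blkid_uuid" "$tmp/fstab_stale"
    check_swap_entry "$tmp/blkid_nouuid" "$tmp/fstab_uuid"
    rm -rf "$tmp"
}

demo_swap_check
```

On a live system, save the output of 'blkid' to a file and pass it with /etc/fstab as the two arguments to check_swap_entry.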
761981-2 : Information in snmpd.conf files may be overwritten causing SNMP v3 queries to receive 'Unsupported security level' errors
Links to More Info: BT761981
Component: TMOS
Symptoms:
During daemon startup, the snmpd daemon zeroes out sensitive data in the snmpd.conf files. This is done so that passwords are not available to be read on disk. This can cause problems when other daemons using the net-snmp shared libraries access snmpd.conf files for data that they need during startup.
If you have 'zeroed out' data under /config/net-snmp/snmpd.conf, the system reports 'Unsupported security level' errors in response to SNMP v3 query, for example:
snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "testuser" -l authPriv localhost sysSystemUptime.0.
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime).
Conditions:
Custom SNMP v3 users have been created and exist in /config/net-snmp/snmpd.conf with 'zeroed out' data.
Example from /config/net-snmp/snmpd.conf where user 'testuser' has some data that is 'zeroed out' (0x 0x):
usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x
Impact:
Daemons usually start in an orderly fashion and usually do not conflict with each other. However, it is possible that they might fail to load correctly due to the zeroing out of data.
For example this can cause SNMP v3 access errors for users with 'zeroed out' data under /config/net-snmp/snmpd.conf:
snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "f5testuser" -l authPriv localhost sysSystemUptime.0.
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime).
Workaround:
Use tmsh to configure SNMP users.
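The 'zeroed out' state shown above can be checked for directly. The following is an added example, not F5 or net-snmp code: it scans an snmpd.conf-style file for usmUser lines whose auth or priv key is a bare 0x. The function names, the 'monitor' and 'ops user' entries and their key values are constructed, and the column layout is assumed from the sample line on this page.

```shell
#!/bin/sh
# Added example: list SNMPv3 users whose stored auth or priv key is empty
# ("0x"), which is how the zeroed-out entries on this page look on disk.
# A user deliberately created without authentication or privacy also has
# empty keys, so review each hit against the intended security level.

# list_zeroed_usm_users FILE
# Prints "<user> auth=<empty|set> priv=<empty|set>" for each affected user.
list_zeroed_usm_users() {
    awk '
        $1 == "usmUser" && NF >= 12 {
            # Assumed layout (from the sample line on this page):
            #   ... NULL <authProtoOID> <authKey> <privProtoOID> <privKey> 0x
            # Key columns are counted from the end of the line so that a
            # quoted user name containing spaces cannot shift them.
            auth_key = $(NF - 3)
            priv_key = $(NF - 1)
            if (auth_key != "0x" && priv_key != "0x") next

            # The first quoted string on the line is the user name.
            name = "?"
            if (match($0, /"[^"]*"/))
                name = substr($0, RSTART + 1, RLENGTH - 2)

            printf "%s auth=%s priv=%s\n", name,
                (auth_key == "0x" ? "empty" : "set"),
                (priv_key == "0x" ? "empty" : "set")
        }
    ' "$1"
}

# Run the check on a constructed file. The first usmUser line is the sample
# from this page; the other two are constructed for the example.
demo_zeroed_usm_users() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample of /config/net-snmp/snmpd.conf
usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x
usmUser 1 3 0x80001f88808047605278d46d5b "monitor" "monitor" NULL .1.3.6.1.6.3.10.1.1.3 0x00112233445566778899aabbccddeeff00112233 .1.3.6.1.6.3.10.1.2.4 0x00112233445566778899aabbccddeeff 0x
usmUser 1 3 0x80001f88808047605278d46d5b "ops user" "ops user" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x
EOF
    list_zeroed_usm_users "$tmp"
    rm -f "$tmp"
}

demo_zeroed_usm_users
```

An empty result means every usmUser entry in the file still carries both keys.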
761869-3 : WMI monitor may return negative values
Links to More Info: BT761869
Component: Local Traffic Manager
Symptoms:
Incorrect or unexpected load balancing results.
If you have enabled snmp.snmpdca.log, then you will see negative values logged to /shared/tmp/WMIHttpAgent.log.
Conditions:
-- Load Balancing Method is set to either Dynamic Ratio (member) or Dynamic Ratio (node).
-- Metric monitored on server returns a very large value.
For example: when the monitored server has more than 4 GB of memory allocated.
Impact:
WMI monitor returns negative value and incorrect Dynamic Ratio score is calculated.
761621-2 : Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"
Links to More Info: BT761621
Component: TMOS
Symptoms:
When Ephemeral FQDN pool members exist in a non-Common partition, they are shown to be in the /Common partition on the Local Traffic : Pools : Members page. In the statistics view of the same object, they are shown appropriately with their non-Common partition.
Conditions:
-- Ephemeral FQDN pool members exist in a non-Common partition.
-- View the FQDN pool members on Local Traffic : Pools : Members page.
Impact:
No impact to configuration, however, the display is confusing and shows contradictory partition information.
Workaround:
None.
761565-1 : ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end
Links to More Info: BT761565
Component: Application Security Manager
Symptoms:
ASM BD crashes when the custom captcha page configured size is 45K.
Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- CAPTCHA page size is bigger than 45 KB.
- CAPTCHA protection is enabled via brute force or ASM::captcha iRule.
Impact:
An ASM BD crash occurs when a request is protected by CAPTCHA mitigation. If configured for high availability (HA), failover occurs.
Workaround:
Define CAPTCHA page sizes smaller than 45 KB.
761389-1 : Disabled Virtual Server Dropping the Virtual Wire traffic
Links to More Info: BT761389
Component: Local Traffic Manager
Symptoms:
When a virtual server is disabled, it drops the traffic on the virtual wire.
Conditions:
Virtual wire is configured and corresponding virtual server is disabled.
Impact:
Virtual wire traffic which is matching the disabled virtual wire is dropped.
761373-2 : Debug information logged to stdout
Links to More Info: BT761373
Component: Access Policy Manager
Symptoms:
There is debug information logged to stdout:
-- err mcpd[6943]: 01071392:3: Background command '/usr/libexec/mdmsyncmgr -o restore' failed.
-- err mcpd[6943]: 01071703:3: Postprocess action (/usr/libexec/mdmsyncmgr -o restore) failed with exit code (9).
Conditions:
Whenever logging config is changed.
Impact:
Log messages are seen when logged in via a terminal.
Workaround:
None.
761321-2 : 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not
Links to More Info: BT761321
Component: TMOS
Symptoms:
'Connection Rate Limit' setting is hidden when it is appropriate to do so. However, the 'Connection Rate Limit Mode' setting is still visible, even when 'Connection Rate Limit' is hidden.
Conditions:
1. Create a Virtual Server with type Standard.
2. Click Configuration 'Advanced'.
3. Enter values for 'Connection Rate Limit' and 'Connection Rate Limit Mode'.
4. Save the configuration.
5. Change the virtual server type to Forwarding (Layer 2).
Impact:
'Connection Rate Limit' is hidden -- which it should be, but 'Connection Rate Limit Mode' is not -- which it should be as well. Although 'Connection Rate Limit Mode' is available, the system ignores any setting specified.
Workaround:
Do not configure 'Connection Rate Limit Mode', as it has no effect.
761303-2 : Upgrade of standby BIG-IP system results in empty Local Database
Links to More Info: BT761303
Component: Access Policy Manager
Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.
Conditions:
This happens on standby device in a high availability (HA) setup.
Impact:
All previously existing local users disappear from the standby device. If a failover happens, then none of the local users will be able to log in.
Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, after rebooting into the volume with the upgraded installation, do the following:
1. Force stop the localdbmgr process:
bigstart stop localdbmgr
2. Wait at least 15 minutes.
3. Restart the localdbmgr:
bigstart restart localdbmgr
761084-3 : Custom monitor fields appear editable for Auditor, Operator, or Guest
Links to More Info: BT761084
Component: TMOS
Symptoms:
Mozilla Firefox browser shows custom monitor fields editable for Auditor, Operator, or Guest role users.
Conditions:
You can experience this issue by following these steps:
1. Create custom monitor (e.g., http, mysql, tcp).
2. Use the Firefox browser to log on to the BIG-IP system Configuration utility with a user role that is Auditor, Operator, or Guest.
3. Access the custom monitor. Note that Send String, Receive String, and Receive Disable String are all grayed out.
4. Click the browser Back button.
5. Click the browser Forward button.
Impact:
Send String, Receive String, and Receive Disable String are now editable fields. Although the Auditor, Operator, or Guest user can edit the fields, the Update button is still grayed out, so any entry is not saved.
Workaround:
None.
761027 : Web Browser Hang on Reading Compressed Data from BIG-IP
Links to More Info: BT761027
Component: WebAccelerator
Symptoms:
The web browser hangs while reading an object from the BIG-IP system.
Conditions:
The virtual server has both a web acceleration profile with an active application and the HTTP compression filter on it.
When reading a compressible object from the web acceleration small object cache, the HTTP compression filter may compress the data, but not rewrite the Content-Length header.
Impact:
The client will wait for the BIG-IP to deliver the amount of data specified by the Content-Length header, but since the object was compressed, there isn't that much data to deliver.
Workaround:
You can use either of the following workarounds:
-- Remove the HTTP compression filter from the virtual server.
-- Mark objects smaller than 4,000 bytes as no-store.
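Added example (not F5 code): a check that recognizes the response shape described above in a captured HTTP response, where the body is a complete gzip stream but Content-Length still carries the uncompressed size. The response bytes, header values, and function names are constructed for illustration.

```python
import gzip
import zlib


def split_response(raw):
    """Split a raw HTTP response into (status line, header dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is incomplete")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            key = name.strip().lower().decode("latin-1")
            headers[key] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def diagnose(raw):
    """Return (verdict, missing_bytes) for one captured response.

    Verdicts:
      consistent                      Content-Length equals the bytes delivered
      stale-length-after-compression  body is a complete gzip stream whose
                                      uncompressed size equals Content-Length
      truncated                       body is short for some other reason
      excess-body / no-length         not the condition discussed here
    """
    _, headers, body = split_response(raw)
    declared = headers.get("content-length", "")
    if not declared.isdigit():
        return "no-length", 0
    shortfall = int(declared) - len(body)
    if shortfall == 0:
        return "consistent", 0
    if shortfall < 0:
        return "excess-body", 0
    if headers.get("content-encoding", "").lower() == "gzip":
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing
        try:
            plain = inflater.decompress(body)
        except zlib.error:
            plain = None
        # A finished gzip stream that inflates to exactly the declared length
        # means the header was never rewritten after compression.
        if plain is not None and inflater.eof and len(plain) == int(declared):
            return "stale-length-after-compression", shortfall
    return "truncated", shortfall


def build_response(body, declared_length):
    """Build a constructed sample response with the given Content-Length."""
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Content-Length: " + str(declared_length).encode("ascii") + b"\r\n"
        b"\r\n" + body
    )


# Constructed sample: a small, highly compressible cached object.
PLAIN = b"<li>constructed cache object</li>\n" * 80
GZ = gzip.compress(PLAIN, mtime=0)

AS_DESCRIBED = build_response(GZ, len(PLAIN))  # length of the uncompressed object
REWRITTEN = build_response(GZ, len(GZ))        # length of what is actually sent

if __name__ == "__main__":
    for label, raw in (("as described", AS_DESCRIBED), ("rewritten", REWRITTEN)):
        verdict, missing = diagnose(raw)
        print(f"{label}: {verdict}, client waits for {missing} more bytes")
```
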
760932-3 : Part of audit log messages are also in other logs when strings are long
Links to More Info: BT760932
Component: TMOS
Symptoms:
Parts of audit logs are also found in other logs, such as /var/log/user.log and /var/log/messages.
Conditions:
-- When audit log message strings are long.
Impact:
Log messages are duplicated. The duplicates do not indicate a problem with system functionality, and you can safely ignore them.
Workaround:
Modify the syslog-ng maximum length of incoming log messages from 8192 to 16384 bytes:
tmsh modify sys syslog include "options { log-msg-size(16384); };"
760835-1 : Static generation of rolling DNSSEC keys may be missing when the key generator is changed
Links to More Info: BT760835
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system may lose DNSSEC keys if the key generator is changed from rolling keys to static keys.
Conditions:
DNSSEC key generation is changed from rolling to static.
Impact:
DNSSEC keys may be lost.
Workaround:
None.
760833-1 : BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner
Links to More Info: BT760833
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner.
Conditions:
Generating a DNSSEC key.
Note: This is an intermittent issue.
Impact:
DNSSEC keys may not be synced.
Workaround:
None.
760740-1 : Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running
Links to More Info: BT760740
Component: Protocol Inspection
Symptoms:
When saving the configuration to a UCS file, the process tries to save the IPS learning information stored in the MySQL database.
MySQL runs only when particular modules are provisioned. If MySQL was previously running as a result of different provisioning, but is not currently running, saving the configuration to a UCS file succeeds, but the system reports a spurious message during the operation:
Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock.
Conditions:
-- Saving the configuration to a UCS file.
-- BIG-IP system provisioning only includes modules that do not require MySQL. These modules may include:
+ LTM
+ FPS
+ GTM (DNS)
+ LC
+ SWG
+ iLX
+ SSLo
-- BIG-IP system was previously provisioned with a module that starts MySQL, which results in the creation of the file /var/db/mysqlpw. These modules may include:
+ APM
+ ASM
+ AVR
+ PEM
+ AFM
+ vCMP
Impact:
The error message is cosmetic and has no impact on the UCS save process.
Workaround:
None.
760615-2 : Virtual Server discovery may not work after a GTM device is removed from the sync group
Links to More Info: BT760615
Component: Global Traffic Manager (DNS)
Symptoms:
LTM configuration does not auto-discover GTM-configured virtual servers.
Conditions:
-- GTM is deprovisioned on one or more GTM sync group members, or the sync group is reconfigured on one or more members.
-- Those devices remain present in the GTM configuration as 'gtm server' objects.
-- iQuery is connected to those members.
Impact:
Virtual servers are not discovered or added automatically.
Workaround:
You can use either of the following workarounds:
-- Manually add the desired GTM server virtual servers.
-- Delete the 'gtm server' objects that represent the devices that are no longer part of the GTM sync group. These can then be recreated if the devices are operating as LTM-configured devices.
760590-2 : TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server
Links to More Info: BT760590
Component: Local Traffic Manager
Symptoms:
TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server.
Conditions:
-- TCP Verified-Accept option is used.
-- The proxy-mss is enabled.
-- The route-metrics cache entry is enabled.
Impact:
Route-metrics cache entry does not get used.
Workaround:
None.
760570 : The BIG-IP installer fails to automatically detect installation media.★
Links to More Info: BT760570
Component: TMOS
Symptoms:
Image2disk command does not automatically detect repository. As a result, installation with image2disk command may not work. Here is an example of the affected image2disk command syntax.
switch_root:/# image2disk --format=volumes --nosaveconfig --nosavelicense
Conditions:
-- 14.1.0 clean install using DVD-ROM or USB thumb drive.
-- Using a command that does not specify a repository.
Impact:
Installer cannot start unless you explicitly specify the repository.
Workaround:
You can use either of the following workarounds:
-- Manually specify repository while running image2disk command. For example, the following command successfully starts installation with DVD-ROM (/cdserver) or USB thumb drive (/mnt/thumb/<ISO>):
switch_root:/# image2disk --format=volumes --nosaveconfig --nosavelicense /cdserver
switch_root:/# image2disk --format=volumes --nosaveconfig --nosavelicense /mnt/thumb/<ISO>
-- At the command line, type 'start', and the interactive software installation starts.
760518-4 : PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement
Links to More Info: BT760518
Component: Policy Enforcement Manager
Symptoms:
Some PEM action enforcement does not work with flow filter with PEM attribute set.
Conditions:
Flow filter has the Differentiated Services Code Point (DSCP) attribute set.
Impact:
Some PEM actions such as http-redirect do not perform as expected.
Workaround:
Set the DSCP to the default value.
760354-5 : Continual mcpd process restarts after removing big logs when /var/log is full
Links to More Info: BT760354
Component: TMOS
Symptoms:
The BIG-IP device suddenly stops passing traffic. You might see errors similar to the following:
err mcpd[15230]: 01070596:3: An unexpected failure has occurred, TAP creation failed (tmm): Permission denied - net/validation/routing.cpp, line 168, exiting...
Conditions:
This might occur when /var/log is full and you then remove large logs.
Impact:
The mcpd process restarts continuously. This occurs because tmm blocks mcpd from restarting after /var/log fills up.
Workaround:
Empty the contents of the large log files under /var/log and reboot the BIG-IP system.
760117-1 : Duplicate error messages in log when updating a zone through ZoneRunner GUI
Links to More Info: BT760117
Component: Global Traffic Manager (DNS)
Symptoms:
Duplicate error messages in log when updating a zone through ZoneRunner GUI.
Conditions:
This occurs upon every update to a zone in the GUI.
Impact:
The BIG-IP system logs multiple occurrences of the following error in the /var/log/daemon.log file:
err named[17053]: 18-Feb-2019 15:22:51.011 general: error: zone siterequest.com/IN/external: zone serial (2019021807) unchanged. zone may fail to transfer to slaves.
Workaround:
None.
759852-1 : SNMP configuration for trap destinations can cause a warning in the log
Links to More Info: BT759852
Component: TMOS
Symptoms:
The snmpd configuration parameters can cause net-snmp to issue a warning about deprecated syntax.
Conditions:
The use of a sys snmp command similar to the following to modify the snmpd.conf file:
sys snmp v2-traps { TRAP1 { host 1.2.3.4 community somestring } }
Impact:
net-snmp issues a warning that the syntax has been deprecated and reports a warning message in the log.
Workaround:
None.
759840-1 : False positive 'Null in request' violation or bare byte subviolations
Links to More Info: BT759840
Component: Application Security Manager
Symptoms:
'Null in request' violation or bare byte subviolations detected when there is no null in request.
Conditions:
Brute force attack mitigated by captcha or challenge.
Impact:
Traffic blocking or false positive alarm.
Workaround:
None.
759799-1 : New rules cannot be compiled
Links to More Info: BT759799
Component: Advanced Firewall Manager
Symptoms:
When the number of firewall policy rules compiles to a blob sized over 2 GB, the blob size limit is exceeded and no new rules can be compiled. All traffic stops.
Conditions:
The size of the compiled rules exceeds 2 GB after a new rule is added.
Impact:
New rules cannot be compiled. Traffic stops.
Workaround:
Remove rules until the rules compile successfully.
759737-2 : Control and Analysis Plane CPU usage statistics are inaccurate for single core vCMP guests
Links to More Info: BT759737
Component: TMOS
Symptoms:
CPU usage statistics reported for Control and Analysis planes are not described properly for single-core vCMP guests.
Conditions:
A vCMP guest with a single core.
Impact:
CPU usage statistics report 0 Control Plane cores and 1 Analysis Plane core.
Workaround:
On a single-core, two-hyperthread vCMP guest, one hyperthread/CPU is dedicated to the Data Plane while the other is dedicated to the Control and Analysis Planes. All statistics attributed to the Analysis Plane in this CPU configuration are in fact the aggregate of the Control Plane and the Analysis Plane.
759671-1 : Unescaped slash in RE2 in user-defined signature should not be allowed
Links to More Info: BT759671
Component: Application Security Manager
Symptoms:
An unescaped slash in the RE2 keyword of a user-defined signature causes a REST PATCH to the signature to have no effect.
Conditions:
A user-defined signature has an unescaped slash in the RE2 keyword.
Impact:
REST PATCH to update the user-defined signature has no effect.
Workaround:
The slash in the signature keyword must be escaped with a backslash.
759606-2 : REST error message is logged every five minutes on vCMP Guest
Links to More Info: BT759606
Component: TMOS
Symptoms:
Guestagentd periodically logs the following REST error message for each secondary slot in /var/log/ltm:
Rest request failed{"code":502."message":"This is a non-primary slot on the Viprion. Please access this device through the cluster address.","restOperationId":6410038,"kind":":resterrorresponse"}
Conditions:
Upgrade a vCMP guest from pre-13.1.x to a 13.1.x or later version.
Impact:
There is stale stat information for vCMP guests running on secondary slots.
Workaround:
Create a Log Filter with no publisher on the vCMP guest to discard the specific error message:
sys log-config filter Filter_RestError {
    level info
    message-id 01810007
    source guestagentd
}
759590-4 : Creation of RADIUS authentication fails with service types other than 'authenticate only'
Links to More Info: BT759590
Component: TMOS
Symptoms:
RADIUS authentication can only have an initial service type of 'authenticate only'.
Conditions:
This is encountered when configuring RADIUS authentication via the GUI.
Impact:
If you change the Service Type to anything except Authenticate Only (default), Authentication creation fails, and the following error appears in /var/log/webui.log:
01020066:3: The requested RADIUS Authentication Configuration (/Common/system-auth) already exists in partition Common.
Workaround:
After configuring RADIUS authentication with 'authenticate only' as the service type, go back and change the service type to the desired option.
759392-2 : HTTP_REQUEST iRule event triggered for internal APM request
Links to More Info: BT759392
Component: Access Policy Manager
Symptoms:
Requests for the internal APM renderer for logo customization trigger the HTTP_REQUEST iRule event.
Conditions:
Customized logo in Access Profile
Impact:
HTTP_REQUEST event will be raised for requests for the customized logo in the Access Profile.
Workaround:
Inside the HTTP_REQUEST event, if it is necessary to not take a certain action on a customized logo, it is possible to check that the URL does not equal the URL for the logo (it should start with '/public/images/customization/' and contain the image name).
759370-2 : FIX protocol messages parsed incorrectly when fragmented between the body and the trailer.
Links to More Info: BT759370
Component: Service Provider
Symptoms:
FIX message has successfully parsed header part (iRule event FIX_HEADER triggered), but is eventually discarded as incomplete (no iRule event FIX_MESSAGE).
Conditions:
FIX message fragmented between body part and the trailer (tag 10).
Impact:
FIX protocol messages are not forwarded.
Workaround:
Ensure that the FIX protocol packet size does not exceed the MTU value.
759258-2 : Instances shows incorrect pools if the same members are used in other pools
Links to More Info: BT759258
Component: TMOS
Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.
Conditions:
Steps to Reproduce:
1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.
Impact:
The test pool is displayed, as well as any other pools that use the same member or members (but with other monitors assigned).
Workaround:
None.
758929-2 : Bcm56xxd MIIM bus access failure
Links to More Info: BT758929
Component: TMOS
Symptoms:
Bcm56xxd daemon running on certain BIG-IP devices might experience MIIM bus access failure. The system posts a message similar to the following in the ltm log:
info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)
Conditions:
Using one of the following platforms:
+ VIPRION B2250 Blade (A112)
+ VIPRION B2150 Blade (A113)
+ VIPRION B4300 Blade (A108)
+ BIG-IP 5250v
+ BIG-IP 7200S
+ BIG-IP i5600
+ BIG-IP i5820
+ BIG-IP i7800
Impact:
The affected BIG-IP system fails to pass traffic. If configured for high availability (HA) and the HA connection has not been disrupted, failover occurs.
Workaround:
Reboot the affected BIG-IP platform / VIPRION blade.
758706-1 : Importing a cert with an expiration time of 'Dec 31 23:59:59 9999' causes errors in the GUI
Links to More Info: BT758706
Component: TMOS
Symptoms:
General database error retrieving information when loading the SSL certificate management page:
Certificate Management : Traffic Certificate Management : SSL Certificate List.
Conditions:
Import a certificate that has an expiration date of 'Dec 31 23:59:59 9999 GMT' into the BIG-IP system.
Note: Some of these certificates are generated by Cisco Expressway.
Impact:
Error message is posted. Unable to manage certificates in the GUI.
Workaround:
Adjust the timezone to GMT and restart tomcat using the following commands:
tmsh modify sys ntp timezone GMT
bigstart restart tomcat
758704 : Excessive 'GuestInfoAddNicEntry: NIC limit (16) reached' logging
Links to More Info: BT758704
Component: Local Traffic Manager
Symptoms:
BIG-IP logs 'GuestInfoAddNicEntry: NIC limit (16) reached' messages every 30 seconds.
Conditions:
Configuring more than 16 VLANs on VMware where the VLAN limit is 16.
Impact:
BIG-IP logs 'GuestInfoAddNicEntry: NIC limit (16) reached' every 30 seconds, and it logs one entry for every VLAN above the maximum (for example, if you configure 20 VLANs, the message is logged 4 times).
758618 : Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned
Links to More Info: BT758618
Component: Access Policy Manager
Symptoms:
The db variable Tmm.HTTP.TCL.Validation is enabled by default. This db variable should be disabled when APM is provisioned/enabled, and when ACCESS::restrict_irule_events is disabled and HTTP_RESPONSE_RELEASE events are detected with the assigned iRules.
Conditions:
Steps to Reproduce:
1. Fresh install of APM
2. Define the following iRule in the virtual server.
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    set u [ HTTP::uri ]
    log local0. "XXX: [ HTTP::uri ]"
}
when HTTP_RESPONSE_RELEASE {
    log local0. "XXX: [ HTTP::status ] [ HTTP::header Location ]"
    set l [ HTTP::header Location ]
    if { $l starts_with {/my.policy} } {
        append l {?modified_by_irule=1}
        HTTP::header replace Location $l
    } elseif { $l starts_with {/renderer/agent_logon_page_form.eui} } {
        # Next response will be the real response to the client.
        ACCESS::log "XXX: lp_seen"
        set lp_seen 1
    }
    if { [ HTTP::status ] == 200 && [ info exists lp_seen ] && $lp_seen == 1 } {
        unset lp_seen
        HTTP::header insert X-MyAppSpecialHeader 1
    }
}
3. Configure START :: LOGON PAGE :: ALLOW policy.
4. Access the virtual server.
Impact:
A TCP reset is triggered when it should not be. With respect to the specific condition described, the system should post the logon page.
Workaround:
Manually disable Tmm.HTTP.TCL.Validation.
758615-1 : Reconstructed POST request is dropped after DID cookies are deleted
Links to More Info: BT758615
Component: Application Security Manager
Symptoms:
POST Request is dropped during DID challenge.
Conditions:
POST request is issued a DID challenge.
Impact:
Request is dropped.
Workaround:
None.
758596-2 : Unable to associate cipher group with long name profile
Links to More Info: BT758596
Component: Local Traffic Manager
Symptoms:
TMM reports the following error when cipher group is associated with client SSL or server SSL profiles:
cipher group: invalid profile name
Conditions:
Client SSL or server SSL has a name longer than 31 characters.
Impact:
Unable to configure cipher groups with certain profiles.
Workaround:
Shorten the profile name to be fewer than 31 characters.
758542-3 : OAuth database instance appears empty after upgrade from v13.x★
Links to More Info: BT758542
Component: Access Policy Manager
Symptoms:
The database from a prior configuration does not seem to have any tokens. The tokens are being stored in a new database with a different name.
Conditions:
-- Upgrade from v13.x.
-- The name of one OAuth database instance is duplicated entirely in another instance name (for example, 'oauthdb' and 'oauthdbprod').
Impact:
Old database seems to have lost tokens. In the case of these two database instances:
oauthdb
oauthdbprod
Because the name 'oauthdb' is also present in the name 'oauthdbprod', the system creates a new database instance of 'oauthdb' at upgrade, so oauthdb will have an empty database.
Workaround:
Before upgrading, do the following:
1) Copy database oauth to another database with a completely different name.
2) Copy tokens in new database to the old, empty database.
758491-1 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
Links to More Info: BT758491
Component: Local Traffic Manager
Symptoms:
For Thales:
The ltm/log shows SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):
-- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607
-- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
-- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
-- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.
After enabling pkcs11d debug, the pkcs11d.debug log shows:
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===
For Safenet:
-- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80)
-- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443
-- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error.
Conditions:
1. Keys were created on earlier versions of BIG-IP software, no matter if using tmsh (Safenet) or using fipskey.nethsm (Thales, Safenet) and the device was upgraded to 14.1.0 or later.
2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0.
Impact:
SSL handshake failures.
Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.
IMPORTANT: This workaround is suitable for deployments that are new and not in production.
-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm
You can find the key_label here:
-- The rightmost string in the output of the Thales command:
nfkminfo -l
-- The string after label= in the 'cmu list' command for Safenet.
758435-1 : Ordinal value in LTM policy rules sometimes do not work as expected★
Links to More Info: BT758435
Component: Local Traffic Manager
Symptoms:
Which actions trigger in a first-match policy should depend on the ordinal of their rule. Sometimes, this does not work correctly.
Conditions:
The conditions under which this occurs are not known.
Impact:
LTM policy rules do not execute in the expected order.
Workaround:
It may be possible to re-arrange the rules to avoid the incorrect action execution.
758348-1 : Cannot access GUI via hostname when it contains _ (underscore character)
Links to More Info: BT758348
Component: TMOS
Symptoms:
BIG-IP allows configuring a hostname with an embedded '_' (underscore). However, the BIG-IP GUI is not accessible when the hostname includes '_', and access attempts result in a 400 Bad Request.
Conditions:
BIG-IP hostname includes '_'
Impact:
BIG-IP GUI cannot be accessed.
Workaround:
There is no known workaround if having '_' in the hostname is a requirement.
758105-3 : Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml
Links to More Info: BT758105
Component: TMOS
Symptoms:
The following messages are logged to /var/log/messages:
-- notice syslog-ng[15662]: Configuration reload request received, reloading configuration;
-- warning pendsect[31898]: skipping drive -- Model: WDC WD1005FBYZ-01YCBB2
-- warning pendsect[31898]: No known drives detected for pending sector check. Exiting
Conditions:
Using hardware containing drive model WDC WD1005FBYZ-01YCBB2.
Impact:
The system logs the messages because the drive model is not listed in /etc/pendsect/drives.xml.
Workaround:
Manually edit /etc/pendsect/drives.xml as follows:
1. Give write permissions to modify file:
chmod u+w /etc/pendsect/drives.xml
2. Open the file and add the following at the end of the file, before default:
<snip>
<WD1005FBYZ>
    <offset firmware="RR07">0</offset>
    <offset firmware="default">0</offset>
    <family> "wd_Gold"</family>
    <wd_name>"Gold"</wd_name>
</WD1005FBYZ>
<DEFAULT>
    <firmware version="default">
        <offset>0</offset>
    </firmware>
    <name> "UNKNOWN"</name>
    <family> "UNKNOWN"</family>
    <wd_name>"UNKNOWN"</wd_name>
</DEFAULT>
</model>
</drives>
3. Save and close the file.
4. Remove write permissions so that no one accidentally modifies this file:
chmod u-w /etc/pendsect/drives.xml
5. Run the following command and check /var/log/messages to verify no errors are seen:
/etc/cron.daily/pendsect
758006-1 : Thales nethsm-thales-rfs-install.sh script failing with / partition full
Links to More Info: BT758006
Component: Local Traffic Manager
Symptoms:
nethsm-thales-rfs-install.sh fails with errors such as the following:
/ partition full
/shared/nfast/bin/anonkneti: No such file or directory
Conditions:
Installing Thales RFS using the script:
nethsm-thales-rfs-install.sh.
Impact:
Failed Thales RFS installation.
Workaround:
Modify nethsm-thales-rfs-install.sh script as follows.
Replace:
mkdir -p /shared/nfast
for tar_file in $nfast_agg_tar $nfast_ctls_tar $nfast_user_tar $nfast_pkcs11_tar
do
tar -C / -xvf $nfast_path$tar_file
with
mkdir -p /shared/nfast
for tar_file in $nfast_agg_tar $nfast_ctls_tar $nfast_user_tar $nfast_pkcs11_tar
do
tar -C /shared/nfast -xvf $nfast_path$tar_file --strip-components=2
757848-1 : F5 Adaptive Authentication feature has been removed
Links to More Info: BT757848
Component: Access Policy Manager
Symptoms:
F5 Adaptive Authentication feature has been removed from the product beginning with the v15.0.0 release. This version removed:
-- Adaptive auth configuration from admin UI (Authentication : F5 Adaptive Authentication (MFA)).
-- Corresponding online help.
-- Adaptive Auth agents from the list of agents in VPE (F5 MFA Device Registration, F5 MFA User Verification under Authentication tab).
-- The reports from admin UI Access :: Overview :: F5 Adaptive Auth (MFA).
Conditions:
Attempting to use the F5 Adaptive Authentication feature from BIG-IP Admin UI.
Impact:
No F5 Adaptive Authentication-related features exist in this release.
Workaround:
None.
757822-1 : Subroutine name should use partition name and policy name
Links to More Info: BT757822
Component: Access Policy Manager
Symptoms:
When you create API per-request policy using the same name as a policy from another partition, BIG-IP generates an error similar to the following:
java.net.ProtocolException: status:400, body:{"code":400,"message":"transaction failed:01070734:3: Configuration error: DB validation exception, unique constraint violation on table (subroutine_properties) object ID (/TST/svc1-my_auth svc1-my_prp). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:subroutine_properties status:13)","errorStack":[],"apiError":2}.
Conditions:
-- Configure an API protection per-request policy in one partition with the same name as a policy in another partition.
-- Attempt to import or export the policy.
Impact:
Import / export functionality fails.
Workaround:
Ensure that names for API protection per-request policies are unique.
757787-2 : Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.
Links to More Info: BT757787
Component: TMOS
Symptoms:
When creating a new rule or modifying an existing rule in an LTM/AFM Policy using the WebUI, the operation fails and an error similar to the following example is returned:
Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().
Conditions:
-- The LTM/AFM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.
Impact:
Unable to make changes to existing LTM/AFM Policies.
Workaround:
Use the tmsh utility to make the necessary modifications to the LTM/AFM Policy. For example, the following command modifies an existing rule:
tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }
757572 : Virtual Edition doesn't support forging MAC addresses with Mellanox ConnectX-3 virtual functions
Links to More Info: BT757572
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not support forging MAC addresses when using virtual functions from Mellanox ConnectX-3 adapters. Without this, features like MAC Masquerading and VLAN groups do not function.
Conditions:
-- VE with a Mellanox ConnectX-3 virtual function.
-- Configuration requiring the use of non-default MAC addresses.
Impact:
Attempts to use these features with these NICs will not succeed, and traffic that relies on this configuration will not function.
Workaround:
None.
757505-3 : peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket
Links to More Info: BT757505
Component: Local Traffic Manager
Symptoms:
When a session is restored using a session-ticket, the peer-cert-mode setting is not acknowledged.
Conditions:
-- Session tickets are enabled.
-- The peer-cert-mode in the client SSL profile is set to 'always'.
-- A session is restored using a ticket.
Impact:
The SSL client is validated only once, instead of each time.
Workaround:
Disable session ticket.
757486-3 : Errors in IE11 console appearing with Bot Defense profile
Links to More Info: BT757486
Component: Application Security Manager
Symptoms:
When Bot Defense profile is used and has Browser Verification enabled to either Verify Before Access, or Verify After Access, Microsoft Internet Explorer v11 (IE11) Browsers may display the following errors in the browser console:
HTML1512: Unmatched end tag.
a.html (26,1)
HTML1514: Extra "<body>" tag found. Only one "<body>" tag should exist per document.
a.html (28,1)
Conditions:
-- Bot Defense profile is enabled with Browser Verification.
-- End user clients are using the IE11 browser.
Impact:
Cosmetic error messages appear in an end user's browser console.
Workaround:
To work around this issue, inject the scripts into the '<body>' tag instead of the '<head>' tag. This can be done using this tmsh command:
tmsh mod sys db dosl7.parse_html_inject_tags value after,body,before,/body
757431-1 : mcpd process killed after upgrade from 12.1.3★
Links to More Info: BT757431
Component: Local Traffic Manager
Symptoms:
The BIG-IP appliance fails to become available after upgrade, and the mcpd process keeps restarting.
Conditions:
A BIG-IP system is upgraded from 12.1.3 to 14.1.0, with a very large configuration. For example, this was encountered with more than 8,000 virtual servers and more than 600 monitor instances.
Impact:
The BIG-IP system fails to become operational.
Workaround:
If you are encountering this, you can disable the mcpd heartbeat with the following command to complete the upgrade:
tmsh modify sys daemon-ha mcpd heartbeat disable
Once the upgrade is complete, enable the heartbeat:
tmsh modify sys daemon-ha mcpd heartbeat enable
757369-1 : HTTP monitor with a configured username/password fails when in-tmm monitoring is enabled
Links to More Info: BT757369
Component: Local Traffic Manager
Symptoms:
An HTTP monitor configured with a username/password fails to send an Authorization header. If the web server is configured for basic authentication, it may reject the request.
Conditions:
-- HTTP monitor is configured with a username and password.
-- In-tmm monitoring is enabled (bigd.tmm enabled).
Impact:
HTTP monitor is marked down.
Workaround:
There is a change of behavior with in-tmm monitors:
-- In-tmm monitors treat the send string more strictly:
send "GET /monitor HTTP/1.0\r\nHost: test.com\r\n\r\n"
Because the string is terminated with \r\n\r\n, the monitor treats this as the end of the HTTP request, and Authorization gets omitted.
To work around this issue, omit the final \r\n, as follows:
send "GET /monitor HTTP/1.0\r\nHost: test.com\r\n"
757167-1 : TMM logs 'MSIX is not supported' error on vCMP guests
Links to More Info: BT757167
Component: TMOS
Symptoms:
On vCMP guests, 'MSIX is not supported' messages appear in /var/log/tmm.
Conditions:
This occurs only on vCMP guests.
Impact:
MSIX is not supported on vCMP guests, but system operation and traffic passing are not impacted otherwise.
Workaround:
None.
757029-2 : Ephemeral pool members may not be created after config load or reboot
Links to More Info: BT757029
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.
As a result, some pools may not have any active pool members, and do not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configured FQDN name.
756998-1 : DoSL7 Record Traffic feature is not recording traffic
Links to More Info: BT756998
Component: Application Security Manager
Symptoms:
Enabling 'Record Traffic During Attacks' in the DoS Application Profile does not record traffic during attacks: TCP Dump files are not being created in the /shared/dosl7/tcpdumps/ directory as expected.
Conditions:
-- Enabling 'Record Traffic During Attacks' in the DoS Application Profile.
-- DoSL7 Attacks are detected.
Impact:
Attack traffic is not being recorded as expected.
Workaround:
None.
756830-1 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
Links to More Info: BT756830
Component: TMOS
Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.
Conditions:
Connections match a virtual server that has the following settings:
- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.
In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.
Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.
Workaround:
You can try either of the following:
-- Do not use the Source Port setting of 'Preserve Strict'.
-- Disable connection mirroring on the virtual server.
756820-2 : Non-UTF8 characters returned from /bin/createmanifest
Links to More Info: BT756820
Component: TMOS
Symptoms:
/bin/createmanifest reads from mcpd values stored for items that are obtained from firmware. These might contain non-UTF8 characters. This program is called in qkview, which then gets uploaded to iHealth. If any non-UTF8 character is present, the output is omitted (because XML cannot handle non-UTF8 characters).
Conditions:
Data stored in mcpd obtained from firmware contain non-UTF8 characters.
Impact:
The upload to iHealth will not contain any of the manifest data set obtained via createmanifest.
Workaround:
The values can be obtained from the qkview by reading the qkview_run.data, but the convenience of reading these in iHealth is not possible.
756789-1 : TMM cores when receiving HTTP/2 request if mirroring is configured
Links to More Info: BT756789
Component: Local Traffic Manager
Symptoms:
TMM on active unit cores when it receives an HTTP/2 request when mirroring is configured.
Conditions:
-- High availability (HA) configuration.
-- Active unit received an HTTP/2 request.
-- Mirroring is enabled.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
Disable mirroring.
Note: Connection mirroring is not supported in combination with the HTTP/2 profile. The system now checks for this combination and prevents it from being configured.
756714-2 : UIDs on /home directory are scrambled after upgrade★
Links to More Info: BT756714
Component: TMOS
Symptoms:
UIDs of /home/$USER files and /home file are scrambled after upgrade.
Conditions:
Upgrade from 12.1.3.7 to 13.1.0.8.
Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.
Workaround:
None.
756604-4 : iRule Command TCP::release does not work correctly with argument 0.
Links to More Info: BT756604
Component: SSL Orchestrator
Symptoms:
When using the iRule command TCP::release with argument 0, the command does not work correctly.
Conditions:
TCP::release is used with argument 0.
Impact:
BIG-IP configuration might not load correctly.
756576 : Fetching non-configured 3GPP-RAT-TYPE subscriber attribute using iRule can crash tmm.
Component: Policy Enforcement Manager
Symptoms:
A TMM crash occurs while passing traffic.
Conditions:
Fetching a non-configured 3GPP-RAT-TYPE subscriber attribute using an iRule.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use an iRule to fetch the 3GPP-RAT-TYPE subscriber attribute if 3GPP-RAT-TYPE is not set.
756454-1 : Tmm crash when per-request policies are in use
Links to More Info: BT756454
Component: Access Policy Manager
Symptoms:
Per-req-policies may intermittently leak memory, leading to a tmm crash.
Conditions:
-- APM enabled
-- Per-request policy enabled and passing traffic
Impact:
Memory can leak. Traffic disrupted while tmm restarts.
Workaround:
None
756401-2 : IKEv2 debug logging often omits SPI values that would identify the SAs involved
Links to More Info: BT756401
Component: TMOS
Symptoms:
Debug logging for IPsec often has no clear identification of which SA was involved during some logged events.
Conditions:
When you examine logs in either /var/log/tmm or /var/log/ipsec.log to debug IPsec activity.
Impact:
You might have trouble analyzing what happened from logs when the SA involved in an event is not identified.
Workaround:
None.
756313-2 : SSL monitor continues to mark pool member down after restoring services
Links to More Info: BT756313
Component: Local Traffic Manager
Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.
Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.
Impact:
Services are not automatically restored by the health monitor.
Workaround:
-- To restore the state of the member, remove it and add it back to the pool.
-- Remove !TLSv1 and -TLSv1 from the cipher string, if possible.
756177-2 : GTM marks pool members down across datacenters
Links to More Info: BT756177
Component: Global Traffic Manager (DNS)
Symptoms:
GTM pool members are marked down even though the monitored resource is available.
GTM debug logs indicate that each GTM is relying on the other GTM to conduct probing:
debug gtmd[13166]: 011ae039:7: Check probing of IP:Port in DC /Common/dc1.
debug gtmd[13166]: 011ae03a:7: Will not probe in DC /Common/dc1 because will be done by other GTM (/Common/gtm2).
---
debug gtmd[7991]: 011ae039:7: Check probing of IP:Port in DC /Common/dc2.
debug gtmd[7991]: 011ae03a:7: Will not probe in DC /Common/dc2 because will be done by other GTM (/Common/gtm1).
Conditions:
-- GTM configured in different data centers.
-- GTM pool configured with a single monitor, and the monitor uses an alias address that can be pinged from both data centers.
-- GTM pool members configured from different data centers.
Impact:
Pool members are marked down.
Workaround:
Instead of a single monitor, use a monitor created specifically for each data center.
756088-2 : The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
Links to More Info: BT756088
Component: TMOS
Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.
The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.
Conditions:
-- There are multiple virtual servers associated with a virtual address.
-- The virtual-address icmp-echo is set to 'all' or 'any'.
-- The virtual-address route-advertisement is set to 'all' or 'any'.
Impact:
The BIG-IP might respond incorrectly to ICMP echo requests sent to a virtual-address.
-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP may not respond correctly after a virtual-address availability change.
-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.
The BIG-IP might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.
Workaround:
None.
755791-2 : UDP monitor not behaving properly on different ICMP reject codes.
Links to More Info: BT755791
Component: Local Traffic Manager
Symptoms:
Unexpected or improper pool/node member status.
Conditions:
The BIG-IP system receives the ICMP rejection code as icmp-net/host-unreachable.
Impact:
The monitor might consider a server available when some type of ICMP rejection has been received that is not port unreachable.
Workaround:
You can use either of the following workarounds:
-- Use UDP monitors configured with a receive string.
-- Do not use UDP monitors.
755739-1 : SAML metadata import (SP or IdP) fails if the metadata file has both SPSSODescriptor and IdPSSODescriptor
Links to More Info: BT755739
Component: Access Policy Manager
Symptoms:
If the SAML SP or IDP metadata has both SPSSODescriptor and IdPSSODescriptor tags, the import fails with errors like this:
The metadata file '/var/tmp/1547120861955.upload' being used to create SAML IdP connector 'Kismet' is an SP metadata file.
Conditions:
-- SP or IDP metadata file has both SPSSODescriptor and IdPSSODescriptor tags and
-- Attempt to import them to create SP or IdP connector objects.
Impact:
Metadata import is not successful.
Workaround:
Use the following workarounds, as appropriate:
-- When importing SP metadata, remove all IDPSSODescriptor tags from the metadata file, i.e., find and remove all '<IDPSSODescriptor...>...</IDPSSODescriptor>' elements, including the opening and closing tags and everything in between.
-- When importing IDP metadata, remove all SPSSODescriptor tags from the metadata file, i.e., find and remove all '<SPSSODescriptor...>...</SPSSODescriptor>' elements, including the opening and closing tags and everything in between.
Note: If the metadata file is signed, the signature within the metadata file must be removed. If it is not, you may experience an MCP error when importing the newly edited metadata file:
Signature verification failed. File contents changed.
To remove the signature from the metadata file, find and remove the signature element, including the opening and closing tags, and everything in between, e.g.:
<ds:Signature...>...</ds:Signature>
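The edit described in this workaround, as an added Python example (not F5 code): it drops the unwanted role descriptor and every ds:Signature element from a metadata file before import. The sample metadata, its entity ID and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Keep the conventional md:/ds: prefixes on output instead of ns0:/ns1:.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Role descriptor element that must remain for each kind of import.
ROLE = {"sp": "SPSSODescriptor", "idp": "IDPSSODescriptor"}

# Constructed sample: one entity that publishes both roles and is signed.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://both.example.test/saml">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://both.example.test/sso"/>
  </md:IDPSSODescriptor>
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://both.example.test/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _remove_all(root, tag):
    """Detach every element named `tag` below root; return how many were removed."""
    parent_of = {child: parent for parent in root.iter() for child in parent}
    targets = [el for el in root.iter(tag) if el is not root]
    for el in targets:
        parent_of[el].remove(el)
    return len(targets)


def strip_for_import(metadata_xml, importing):
    """Prepare a metadata document for import as 'sp' or 'idp' metadata.

    Returns (edited_xml, report), where report counts the removed elements.
    """
    if importing not in ROLE:
        raise ValueError("importing must be 'sp' or 'idp'")
    # SAML metadata needs no DTD; refusing one avoids entity-expansion input.
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("DOCTYPE is not allowed in SAML metadata")

    root = ET.fromstring(metadata_xml)
    keep = ROLE[importing]
    drop = ROLE["idp" if importing == "sp" else "sp"]

    report = {
        "descriptors_removed": _remove_all(root, "{%s}%s" % (MD_NS, drop)),
        # Any edit invalidates an enveloped signature, so remove them all.
        "signatures_removed": _remove_all(root, "{%s}Signature" % DS_NS),
    }
    # Catch the wrong-file case before the import does.
    if root.find(".//{%s}%s" % (MD_NS, keep)) is None:
        raise ValueError("no %s element left for a %s import" % (keep, importing))
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    edited, summary = strip_for_import(SAMPLE, "sp")
    print(summary)
    print(edited)
```

Verify the signature on the original file before stripping it, because the edited copy no longer carries any integrity protection.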
755631-1 : UDP / DNS monitor marking node down
Links to More Info: BT755631
Component: Local Traffic Manager
Symptoms:
The UDP / DNS monitor marks nodes down.
Conditions:
-- UDP or DNS monitor configured.
-- Interval is multiple of timeout.
-- The response is delayed by over one interval.
Impact:
Pool member is marked down.
Workaround:
Increase the interval to be greater than the response time of the server.
755450-1 : Memory leak when using lots of iApps
Links to More Info: BT755450
Component: TMOS
Symptoms:
Scriptd creates open files that are never closed by improperly closing sockets before exiting. This eventually results in errors that there are too many open files which can overload the system.
Conditions:
Run a large number of iApps on a system for a long period of time. You can determine if you are affected by this by using the following command:
lsof | grep scriptd |grep socket |wc -l
After it has run for a while you will notice that this number is slowly growing as scriptd processes exit without closing their sockets appropriately.
Impact:
Constantly increasing use of system resources.
Workaround:
None.
755343-2 : Phonehome_upload crashes when Automatic Phone Home is disabled
Links to More Info: BT755343
Component: TMOS
Symptoms:
When Automatic Phone Home is disabled (this is not the default), the process will crash when it is invoked by the system once a month.
Conditions:
-- Automatic Phone Home is disabled (the default is "enabled")
Impact:
The process crashes and generates a core file.
Workaround:
Edit root's crontab file using "crontab -e" and add a '#' at the beginning of the line for "/usr/bin/phonehome_upload"
Note that this workaround:
-- needs to be applied to each device in a device group separately
-- needs to be applied to each blade in a VIPRION (or VIPRION-based vCMP guest) separately
-- needs to be reapplied after software installations
755311-1 : No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down
Links to More Info: BT755311
Component: Service Provider
Symptoms:
When TMM is shutting down with active DIAMETER connections, it does not send out any Disconnect-Peer-Request messages to its DIAMETER pool members.
Conditions:
- DIAMETER in use.
- Active connections from the BIG-IP system to its DIAMETER pool members.
- TMM is shutting down.
Impact:
The remote server is not notified of the change in DIAMETER peer status.
Workaround:
None.
755282-1 : [GTM] bigip_add password prompt for IPv4-mapped IPv6 address
Links to More Info: BT755282
Component: Global Traffic Manager (DNS)
Symptoms:
After running the bigip_add script without specifying a server address, the host address shown in the ssh password prompt is an IPv4-mapped IPv6 address for IPv4 servers.
For example:
Enter root password for 0000:0000:0000:0000:0000:FFFF:0A3C:010A
Conditions:
Run bigip_add without a server address, when the host address is an IPv4-mapped IPv6 address.
Impact:
There is no way to tell what the actual server name is without converting the IPv4-mapped IPv6 addresses back to an IPv4 to find which password to enter, for example: 0A3C:010A to 10.60.1.10
Workaround:
To work around this, edit the bigip_add script.
IMPORTANT: Make sure to back up the bigip_add script before making modifications.
1. Make the /usr folder writable:
# mount -o rw,remount /usr
2. Backup bigip_add:
# cp /usr/local/bin/bigip_add /shared/tmp/bigip_add.backup
3. Edit bigip_add by adding different 'print' output for IPv4 servers.
Replace this:
< print "Enter $ruser password for $ip if prompted\n";
With something similar to this:
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }
NOTE: Do not modify the actual value for $ip.
Below is an example diff:
# diff /shared/tmp/bigip_add.backup /usr/local/bin/bigip_add
18a19
>
43a45,51
> sub ipv6_to_ipv4
> {
> my $in_addr = $_[0];
> my @ipv6 = split /:/, $in_addr;
>
> my $ipv6_part1 = hex ($ipv6[6]);
> my $ipv6_part2 = hex($ipv6[7]);
44a53,60
> my $ipv4_1=scalar($ipv6_part1>>8);
> my $ipv4_2=scalar($ipv6_part1&0xff);
> my $ipv4_3=scalar($ipv6_part2>>8);
> my $ipv4_4=scalar($ipv6_part2&0xff);
>
> my $ipv4 = "${ipv4_1}.${ipv4_2}.${ipv4_3}.${ipv4_4}";
> return $ipv4;
> }
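Review bot: ipv6_to_ipv4 indexes $ipv6[6] and $ipv6[7] without checking that split produced eight groups or that those two groups are hexadecimal, so any input other than the fully expanded form leaves them undefined and the function returns a bogus dotted quad. Because the result only feeds a display string, have it return the original $in_addr unless scalar(@ipv6) == 8 and both groups match /^[0-9A-Fa-f]{1,4}$/.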
75d90
<
152c167,173
< print "Enter $ruser password for $ip if prompted\n";
---
>
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }
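Review bot: the match /0000:0000:0000:0000:0000:FFFF:/ in the new if is unanchored and case-sensitive, so an address printed with lowercase ffff keeps the mapped form in the prompt, and the pattern can also match in the middle of a longer string. Anchor it and ignore case, for example /^0000:0000:0000:0000:0000:FFFF:/i, so that this test and ipv6_to_ipv4 agree on which inputs they accept.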
179d199
<
754750-1 : Policy validation error 'All blocking flags are unset' appears even when a violation is set to block
Links to More Info: BT754750
Component: Application Security Manager
Symptoms:
The following policy validation error appears after a policy is applied if no signature sets are set to block (even when a violation is set to block):
"All blocking flags are unset while policy is in blocking enforcement mode."
Conditions:
-- A policy is applied.
-- No signature sets are set to block.
Impact:
A policy validation error occurs: 'All blocking flags are unset while policy is in blocking enforcement mode.' This is a cosmetic error and does not indicate an issue with the system.
Workaround:
None.
754604-2 : iRule : [string first] returns incorrect results when string2 contains null
Links to More Info: BT754604
Component: Local Traffic Manager
Symptoms:
In an iRule, a command such as 'string first $string1 $string2' returns incorrect results when $string2 contains a null byte and $string1 is not found within $string2. When the same search is performed in tclsh, the expected -1 (not found) result is returned.
Conditions:
-- 'string first $string1 $string2' iRule.
-- string2 in an iRule contains a null byte.
Impact:
Operation does not return the expected -1 (not found) result, but instead returns an unexpected, random result.
Workaround:
None.
753988-1 : Proactive Bot Defense : unable to modify existing allow list entry attributes in GUI - 'This whitelist item already exists' pop-up is shown
Links to More Info: BT753988
Component: Application Security Manager
Symptoms:
You are unable to modify an existing bot defense allow list item.
For example, you attempt to change Mitigation Action to Enabled from Disabled or vice versa. The system posts a popup error:
This whitelist item already exists.
Conditions:
This occurs when you try to commit a change to a Mitigation Action or Browser Verification and Device ID Challenge on an existing allow list.
Note: This does not occur if you modify other parts of the allow list item (Source or Specified URL).
Impact:
Updating an existing whitelist item requires additional steps.
Workaround:
If you want to update Mitigation Action of an existing item, you can change Source or Specified URL together to bypass the error.
753712-3 : Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.
Links to More Info: BT753712
Component: TMOS
Symptoms:
An incorrect warning message is given when the inline source/dest address is changed:
-- warning mcpd[6927]: 01071859:4: Warning generated : Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.
Conditions:
This occurs after you create a traffic-matching-criteria (port-list, address-list) with different source and destination addresses.
Impact:
An incorrect and confusing warning message is given. This warning does not affect traffic processing. It is inadvertently triggered when reading the configuration of the traffic matching profile. Virtual servers should continue to work, and the config should load as expected, despite the warning.
Workaround:
None
753526-1 : IP::addr iRule command does not allow single digit mask
Links to More Info: BT753526
Component: Local Traffic Manager
Symptoms:
When a plain literal IP address and mask are used in the IP::addr command, validation fails if the mask is a single digit.
Conditions:
The address mask is single digit.
Impact:
Validation fails.
Workaround:
Assign address/mask to a variable and use the variable in the command.
753512-1 : Portal Access: Resource with '?' in query part of URL cannot be created.
Links to More Info: BT753512
Component: Access Policy Manager
Symptoms:
If a Portal Access resource URL contains '?' (a question mark) inside the query part, it cannot be created. The URL is reported to be invalid.
Conditions:
Portal Access resource with URL containing a '?' inside query part, like this:
http://example.com/some/path?aaa=?&b=vvv
Impact:
Portal Access resource cannot be used.
Workaround:
Replace '?' with '%3F' inside the query part of the URL.
753501-1 : iRule commands (such as relate_server) do not work with MRP SIP
Links to More Info: BT753501
Component: Service Provider
Symptoms:
Some iRule commands (such as relate_server) fail when used in conjunction with Message Routing Protocol (MRP) SIP configurations using message routing transport.
Conditions:
-- MRP SIP configuration uses transport-config.
-- iRule command 'relate_server' is configured on the corresponding virtual server.
Impact:
iRule commands such as relate_server cannot be used with MRF SIP.
Workaround:
None.
753482-1 : Proxy initialization fails/port denied when excessively large max header size is set in the HTTP/1 profile
Links to More Info: BT753482
Component: Local Traffic Manager
Symptoms:
If the configuration has an excessively large 'Maximum Header Size' value in the HTTP/1 profile on a virtual server that also has HTTP/2, initialization fails.
The tmm log file contains messages similar to the following:
notice Proxy initialization failed for /Common/https_virtual1. Defaulting to DENY.
The ltm log file contains messages that indicate that the virtual server is not accepting traffic.
Conditions:
-- Large max_header_size (e.g., 4294967295) is configured in HTTP profile.
-- The system does not have enough free memory.
Impact:
-- As a result, the initialization fails.
-- Browsing via the virtual server does not work.
Workaround:
To prevent this issue from occurring, if a virtual server has an HTTP/2 profile on it, the max_header_size value inside the HTTP profile should be between 0 and 131072.
753462-1 : TimeoutException when filtering request logs
Links to More Info: BT753462
Component: Application Security Manager
Symptoms:
You are unable to view filtered request logs and you see a TimeoutException in /var/log/restjavad.0.log.
Conditions:
This can occur while viewing filtered request log entries.
Impact:
After 30 seconds, a restjavad timeout occurs.
753423-6 : Disabling and immediately re-enabling the slot results in interfaces from the slot being permanently removed from aggregation
Links to More Info: BT753423
Component: TMOS
Symptoms:
Working-mbr-count not showing correct number of interfaces.
Conditions:
Slot got disabled and re-enabled immediately.
Impact:
Interfaces may be removed from an aggregation permanently.
Workaround:
Disable and re-enable the slot with a time gap of one second.
753159-1 : Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections
Links to More Info: BT753159
Component: Local Traffic Manager
Symptoms:
Mirrored serverside FastL4 connections do not inherit the IP ToS/QoS values from the selected pool or values set via iRule IP::tos/LINK::qos commands.
Conditions:
-- FastL4 virtual server with mirroring.
-- Pool with non-zero IP ToS/QoS values.
or
-- iRule with IP::tos/LINK::qos serverside commands
Impact:
IP ToS/QoS values are not set on mirrored connection after failover.
Workaround:
Configure desired IP ToS/QoS values in FastL4 profile
753001-1 : mcpd can be killed if the configuration contains a very high number of nested references
Component: TMOS
Symptoms:
mcpd can be killed by sod if the configuration contains a very high number of nested references. This results in a core file due to a SIGABRT signal.
Conditions:
A very high number of nested configuration references (such as SSL certificate file objects).
Impact:
Failover or outage (if not HA). The system sends no traffic or status while mcpd restarts.
Workaround:
None.
752994-1 : Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod
Links to More Info: BT752994
Component: TMOS
Symptoms:
With a large number of client SSL profiles, combined with shallow nesting of these profiles, all referring to a single SSL certificate file object, mcpd can take a lot of time to process an update to that certificate. It is possible this amount of time will be longer than sod's threshold, and cause it to kill mcpd.
Conditions:
- A large number (hundreds or thousands) of client SSL profiles that have a shallow nesting structure and all point back to a single SSL certificate file object.
- Happens when the SSL certificate is updated.
Impact:
sod kills mcpd, which causes a failover (when high availability (HA) is configured) or an outage (when there is no high availability (HA) configured).
Workaround:
None.
752858-1 : HTTP commands do not return an error when called from an invalid state
Links to More Info: BT752858
Component: Local Traffic Manager
Symptoms:
HTTP commands do not return an error when called from an invalid state, such as after HTTP::disable has been called, or from an 'after' script. TMM might crash and report a message in one of the TMM logs:
notice panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion "cookie name exists" failed.
Conditions:
Executing HTTP commands in an iRule from an invalid state.
Impact:
TMM might restart. Traffic disrupted while tmm restarts.
Workaround:
Change iRule so that it is not calling HTTP commands from an invalid state.
752797-1 : BD is not correctly closing a shared memory segment
Links to More Info: BT752797
Component: Application Security Manager
Symptoms:
The number of shared memory segments is increasing.
Conditions:
There are many ASM restarts.
Impact:
Memory increases on the system.
Workaround:
None.
752766-1 : The BIG-IP system might fail to read SFPs after a reboot
Links to More Info: BT752766
Component: Local Traffic Manager
Symptoms:
SFP interfaces are reported as missing:
# tmsh show net interface 2.0
--------------------------------------------------------
Net::Interface
Name  Status  Bits  Bits  Pkts  Pkts  Drops  Errs  Media
                In   Out    In   Out
--------------------------------------------------------
2.0       miss   0     0     0     0      0     0   none
sys ha-status will report tmm ready-for-world as failed:
# tmsh show sys ha-status
-------------------------------------------------------------------------
Sys::HA Status
Feature          Key   Action  Fail
-------------------------------------------------------------------------
ready-for-world  tmm   none    yes
ready-for-world  tmm1  none    yes
ready-for-world  tmm2  none    yes
ready-for-world  tmm3  none    yes
ready-for-world  tmm4  none    yes
ready-for-world  tmm5  none    yes
Conditions:
This has been seen on the i15800 and i11000 series BIG-IP platforms immediately after the system boots.
Impact:
The BIG-IP system does not become ready after a reboot.
Workaround:
If the system is in this state, restart tmm:
# tmsh restart sys service tmm
752217-1 : Invalid Bot Defense Cookie might be raised when browser is open for too long
Links to More Info: BT752217
Component: Application Security Manager
Symptoms:
When using a Bot Defense profile, if a browser page remains open too long (more than 24 hours) without surfing the webserver, BIG-IP raises an "Invalid Bot Defense Cookie" anomaly and mitigates the request.
Conditions:
-- Bot Defense Profile is attached to VS.
-- Browser remains open for more than 24 hours without surfing the site (after first surfing to the site).
Impact:
Clients are mitigated by this anomaly.
Workaround:
Add an exception for "Invalid Bot Defense Cookie" to "Captcha". Clients will have to solve a CAPTCHA, but the cookies will be renewed and the issue will be resolved (no more CAPTCHAs).
752216-6 : DNS queries without the RD bit set may generate responses with the RD bit set
Links to More Info: K33587043, BT752216
Component: Global Traffic Manager (DNS)
Symptoms:
If the BIG-IP system is configured to use forward zones, responses to DNS queries may include the RD bit, even if RD bit is not set on the query.
Conditions:
-- Forward zone is configured.
-- Processing a query without the RD bit.
Impact:
Some responses to DNS queries may include the RD bit, even though the RD bit is not set on the query. This is cosmetic, but some DNS tools may report this as an RFC violation.
Workaround:
None.
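A check for the behavior described in this entry, as an added Python example (not F5 code): RFC 1035 section 4.1.1 says RD is set in a query and copied into the response, so the script compares that bit between a query sent with RD clear and its reply. The function names, the query name and the response bytes are constructed for illustration; probe() is the only part that touches the network and is not called here.

```python
import secrets
import socket
import struct

# Bits of the 16-bit flags word in the DNS header (RFC 1035, section 4.1.1).
QR = 0x8000  # message is a response
RD = 0x0100  # Recursion Desired
RA = 0x0080  # Recursion Available


def build_query(qname, rd=False, txid=None):
    """Build a minimal A/IN query; the RD bit is clear unless rd=True."""
    txid = secrets.randbelow(0x10000) if txid is None else txid
    header = struct.pack("!6H", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    # Root label, then QTYPE=A (1) and QCLASS=IN (1).
    return header + labels + b"\x00" + struct.pack("!2H", 1, 1)


def parse_header(message):
    """Return the header fields this check needs from a raw DNS message."""
    if len(message) < 12:
        raise ValueError("DNS message is shorter than the 12-byte header")
    txid, flags = struct.unpack("!2H", message[:4])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
    }


def rd_mismatch(query, response):
    """True when the response's RD bit differs from the query's RD bit."""
    q, r = parse_header(query), parse_header(response)
    if q["qr"] or not r["qr"]:
        raise ValueError("expected a query followed by a response")
    if q["id"] != r["id"]:
        raise ValueError("response does not belong to this query")
    return q["rd"] != r["rd"]


def constructed_response(query, flags):
    """Constructed sample data: the query echoed with a replaced flags word."""
    return query[:2] + struct.pack("!H", flags) + query[4:]


def probe(server, qname, port=53, timeout=2.0):
    """Send one RD=0 query over UDP to a listener you operate; report a mismatch."""
    query = build_query(qname, rd=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        response, _ = sock.recvfrom(4096)
    return rd_mismatch(query, response)


if __name__ == "__main__":
    q = build_query("www.example.test", rd=False, txid=0x1234)
    # 0x8180 = QR|RD|RA: the response shape this entry describes.
    print("RD set on response to RD=0 query:",
          rd_mismatch(q, constructed_response(q, 0x8180)))
    # 0x8080 = QR|RA: RD copied correctly from the query.
    print("RD copied correctly:",
          not rd_mismatch(q, constructed_response(q, 0x8080)))
```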
752163-1 : PEM::session info cannot set subscriber type and ID
Links to More Info: BT752163
Component: Policy Enforcement Manager
Symptoms:
Cannot set the subscriber type and ID with iRule PEM::session info <subs-id | subs-type | subscriber-type | subscriber-id > <value>.
Conditions:
Trying to set the subscriber type and ID attributes using the following iRules returns an error.
PEM::session info <ip> subscriber-id <value>
PEM::session info <ip> subscriber-type <value>
PEM::session info <ip> subs-id <value>
PEM::session info <ip> subs-type <value>
Impact:
Cannot set subscriber type and ID using the PEM::session info iRule.
Workaround:
Set the subscriber type and ID together using the following iRule.
PEM::session info <ip addr> subscriber <subscriber-id> <subscriber-type>
752077-2 : Kerberos replay cache leaks file descriptors
Links to More Info: BT752077
Component: Access Policy Manager
Symptoms:
APMD reports 'too many open files' error when reading HTTP requests:
-- err apmd[15293]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 113 Msg: epoll_create() failed [Too many open files].
-- err apmd[15293]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 1801 Msg: Error 3 reading/parsing response from socket 1498. strerror: Too many open files, queue size 0, time since accept
There are file descriptor dumps in /var/log/apm showing many deleted files with name krb5_RCXXXXXX:
-- err apmd[15293]: 01490264:3: 1492 (/shared/tmp/krb5_RCx8EN5y (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1493 (/shared/tmp/krb5_RCnHclFz (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1494 (/shared/tmp/krb5_RCKGW8ia (deleted)) : cloexec, Fflags[0x8002], read-write
Conditions:
This failure may happen if the access policy uses Kerberos authentication, Active Directory authentication, or Active Directory query. The conditions under which the Kerberos replay cache leaks are unknown.
Impact:
APM end users experience intermittent log on issues.
Workaround:
None.
751924-2 : TSO packet bit fails IPsec during ESP encryption
Links to More Info: BT751924
Component: TMOS
Symptoms:
Internal error when an unexpected packet bit for TCP segment offload manages to reach crypto code for ESP in IPsec, when this is not expected.
Conditions:
Traffic passing through ESP encapsulation for an IPsec tunnel when the TSO bit (for TcpSegmentationOffload) is set on the packet involved.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
751719-1 : UDP::hold/UDP::release does not work correctly
Links to More Info: BT751719
Component: Carrier-Grade NAT
Symptoms:
UDP::hold/UDP::release do not work properly. Connections cannot be deleted and tmm logs an error:
crit tmm14[38818]: 01010289:2: Oops @ 0x2b6b31b:7903: Flow already has peer. Tried to overwrite.
Conditions:
iRule with UDP::hold/UDP::release
Impact:
UDP::hold/UDP::release does not work correctly
751581-3 : REST API Timeout while querying large number of persistence profiles
Links to More Info: BT751581
Component: TMOS
Symptoms:
When the BIG-IP system has a large number of collections, REST API requests appear to time out without any response from the BIG-IP system.
Conditions:
The BIG-IP system has a large number of persistence profiles.
Impact:
REST API requests that query the BIG-IP system for persistence profiles time out. No response is sent for the request.
Workaround:
When you have a large number of collections, use the paging mechanism.
See https://devcentral.f5.com/d/icontrol-rest-user-guide-version-131-246, which states:
"iControl® REST supports pagination options for large collections."
751540-3 : GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
Links to More Info: BT751540
Component: Global Traffic Manager (DNS)
Symptoms:
GTM changes in some devices are not synced to other GTM-configured devices in the same syncgroup.
Conditions:
-- There are multiple self IP addresses configured on one VLAN.
-- Some, but not all, self IP addresses are configured for GTM server.
Impact:
GTM Sync group not syncing properly.
Workaround:
Configure all self IP addresses in the syncgroup for GTM server.
751538-1 : Incorrect eps rate for ICMP fragmented DoS vector
Links to More Info: BT751538
Component: Advanced Firewall Manager
Symptoms:
Incorrect pps (eps) rate in the GUI interface (and tmctl dos_stats) for ICMP fragmented DoS vector.
Conditions:
-- AFM deployed.
-- ICMP fragments received by the BIG-IP system.
Impact:
Incorrect statistics for ICMP fragmented DoS vector
Workaround:
None.
751451-3 : When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
Links to More Info: BT751451
Component: Local Traffic Manager
Symptoms:
If there are HTTPS monitor objects that were created using BIG-IP software v12.x, when the BIG-IP is upgraded directly to v14.0.0 or later, the operation automatically creates server SSL profiles for the HTTPS monitors as needed. Those server SSL profile objects do not have 'no-tlsv1.3' included in their 'options' configuration.
Conditions:
-- Having HTTPS monitors configured in v12.x before upgrading.
-- Directly upgrading from v12.x to v14.0.0 or later
Impact:
TLSv1.3 gets enabled on the server SSL profiles.
Workaround:
-- To avoid this issue, upgrade from v12.x to v13.x, and then upgrade to v14.0.0 or later
-- To mitigate this issue, modify the affected profile to disable TLSv1.3.
751409-1 : MCP Validation does not detect when virtual servers differ only by overlapping VLANs
Links to More Info: BT751409
Component: TMOS
Symptoms:
It is possible to configure two virtual servers with the same address, port, and route domain, and have them overlap only in VLANs. MCP does not detect the overlap.
Errors like this may be seen in the ltm log:
err tmm1[29243]: 01010009:3: Failed to bind to address
Conditions:
Two (or more) virtual servers have the same address, port, and route domain, and overlap only in VLANs.
Impact:
Traffic does not get routed properly.
Workaround:
There is no workaround other than ensuring that virtual servers that have the same address, port, and route domain have no overlap of VLANs.
751383-1 : Invalidation trigger parameter values are limited to 256 bytes
Links to More Info: BT751383
Component: WebAccelerator
Symptoms:
Invalidation trigger parameter values are limited to an internal representation of 256 bytes. The values are escaped for regex matching, so the effective value size from the user perspective can be somewhat smaller than 256 bytes. Oversize values result in invalidation of all content on the target policy node.
Conditions:
-- AAM policy with invalidation trigger.
-- Invalidation trigger request with parameter value larger than 256 bytes.
Impact:
All content on target policy node is invalidated rather than the specific content targeted.
Workaround:
None.
751024-4 : i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
Links to More Info: BT751024
Component: TMOS
Symptoms:
Messages similar to the following appear in /var/log/ltm:
info bcm56xxd: 012c0012:6: I2C muxes are not cleared. Problem with mux 224:
Conditions:
-- i5000/i7000/i10000 platforms.
-- May be caused by a defective optic, rebooting/upgrading BIG-IP, removing and reinserting optics.
Impact:
Changes in optic state may be ignored while I2C bus is unavailable.
Workaround:
For each SFP, perform the following procedure:
1. Unplug the optic.
2. Wait 10 seconds.
3. Plug optic back in.
Note: This message might be caused by a defective optic. If error messages stop when one optic is removed, and error messages resume when the optic is inserted, replace that optic.
750705-2 : LTM logs are filled with error messages while creating/deleting virtual wire configuration
Links to More Info: BT750705
Component: Local Traffic Manager
Symptoms:
LTM logs are filled with error messages when creating/deleting virtual wire config.
Conditions:
Virtual wire is created and then deleted.
Impact:
Error messages are getting logged to ltm.
750588-1 : While loading large configurations on BIG-IP systems, some daemons may core intermittently.
Links to More Info: BT750588
Component: TMOS
Symptoms:
When manually copying a large config file and running 'tmsh load sys config' on specific hardware BIG-IP platforms, multiple cores may be observed from different daemons.
Conditions:
This has been observed on i4800 platforms when the 'management' provisioning (corresponding to the provision.extramb DB key) is set to 500 MB or less.
Impact:
The mcp daemon may core and all daemons on the BIG-IP system may be restarted.
Workaround:
Set db key 'provision.extramb' to 1024 or greater.
750491-4 : PEM Once-Every content insertion action may insert more than once during an interval
Links to More Info: BT750491
Component: Policy Enforcement Manager
Symptoms:
Successful PEM content insertion accounting is lost during re-evaluation, resulting in more insertions per insertion interval.
Conditions:
During re-evaluation to update the existing flow.
Impact:
More insert content actions than expected occur when the Once-Every insertion method is used.
Workaround:
None.
750353-1 : Manual Device Group Put in Pending State With No Indication
Links to More Info: BT750353
Component: Application Security Manager
Symptoms:
When Session Tracking is enabled on devices in a Manual Sync ASM-enabled device group, the device group can be put into 'Pending' state with no indication as to what changed in the system. This is because Audit Log Messages are not written for changes due to Session Tracking.
Conditions:
-- ASM Sync is enabled on a Manual Sync Device Group.
-- Session Tracking is enabled on an ASM Security Policy.
Impact:
It is unclear why the device group is in Pending State and what the impact is if the configuration is pushed to a peer.
Workaround:
None.
750204-3 : Add support for P-521 curve in the X.509 chain to SSL LTM
Links to More Info: BT750204
Component: Local Traffic Manager
Symptoms:
SSL is unable to verify a certificate signed with an EC P-521 key.
Conditions:
N/A
Impact:
Client/server authentication (X.509 signature verification) fails when using a certificate signed with an EC P-521 key.
Workaround:
The client/server has to use a certificate signed with a supported EC curve (P-256/P-384).
750170-2 : SP Connector config changes causes BIG-IP tmm core sometimes during handling of SAML SLO request
Links to More Info: BT750170
Component: Access Policy Manager
Symptoms:
tmm crashes.
Conditions:
This occurs when BIG-IP handles SAML SLO requests, and SP Configuration is changed by the admin around the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
749761-3 : AFM Policy with Send to Virtual and TMM crash in a specific scenario
Links to More Info: BT749761
Component: Advanced Firewall Manager
Symptoms:
TMM restart in a specific scenario when AFM Policy is configured in multiple contexts (Global, Route Domain, Virtual Server), with Log Translations enabled, and Send-To-VS feature configured in at least one of the rules in the Security Policy.
Conditions:
-- When using Firewall ACL Policy in more than one context, i.e., more than one of the following contexts has an ACL Security Policy applied:
+ Global Context
+ Route Domain
+ Virtual Server Context
-- Send To Virtual Server is configured on any Rule on the Security policy.
-- Traffic matching a Rule (with logging enabled) in more than one context.
-- AFM Security Logging Profile has log Translation Field Enabled.
Impact:
TMM restart causes service disruption. Traffic disrupted while tmm restarts.
Workaround:
Disable Logging of Translation Fields in Security Logging Profile.
749757-2 : -s option in qkview help does not indicate maximum size
Links to More Info: BT749757
Component: TMOS
Symptoms:
When running qkview with the -h option to obtain help, the -s (size) option is incorrectly rendered.
It should read:
[ -s <max file size> range:0-104857600 Bytes ]
Conditions:
-- Running qkview -h.
-- Viewing the -s (size) option help.
Impact:
The measurement size, bytes, is missing, which might result in confusion.
Workaround:
Use the -s option as normal, but be advised that the number should be in bytes, and that the maximum number is 104857600.
749680-1 : Install All Updates button is active when it should not be
Links to More Info: BT749680
Component: Application Security Manager
Symptoms:
The Install All Updates button is active when there are updates only for non-licensed/non-provisioned sections.
Conditions:
-- Viewing the Live Updates page.
-- There is an update in the non-licensed/non-provisioned section, and nowhere else.
Impact:
The Install All Updates button is active and can be clicked, but nothing happens and there are no warnings.
Workaround:
None.
749528-1 : IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
Links to More Info: BT749528
Component: Service Provider
Symptoms:
Under certain conditions the wrong self-IP can be selected as a source address for connections from an Internal Virtual Server to remote servers.
Conditions:
- Using an Internal Virtual Server (IVS).
- The VLAN being used to connect from the IVS to the server does not have a floating self-IP configured.
- At least one other VLAN has a floating self-IP configured.
- The primary virtual server that connects to the IVS is using SNAT automap.
Impact:
IVS traffic might not be routed properly.
Workaround:
- Configure a floating self-IP on the IVS server side VLAN.
or
- Use a SNAT pool instead of automap.
749519-1 : Error messages seen while running "run sys crypto nethsm-test" tool
Links to More Info: BT749519
Component: Local Traffic Manager
Symptoms:
Error messages are seen while running the nethsm-test tool with the command "run sys crypto nethsm-test":
Invalid req_id 1073741841 actual 1073741842 in Message Header: Ignoring the Message
Conditions:
Install and Configure AWS cloudHSM as BIG-IP netHSM.
Run the command "tmsh run sys crypto nethsm-test".
Impact:
Error messages seen while running "tmsh run sys crypto nethsm-test" with AWS cloudHSM.
Workaround:
You may use aws cloudhsm client 1.0.18 or 1.1.0 to work around this issue.
749477-1 : Provisioning URLDB and SWG simultaneously produces a confusing error message if neither module was originally provisioned
Links to More Info: BT749477
Component: Access Policy Manager
Symptoms:
If you have URLDB or SWG provisioned and try to provision the other, you will get an error message:
The requested provision module (%s) is not compatible with already provisioned module (%s).
This same error message is displayed if neither module was provisioned to start with, and can be confusing.
Conditions:
Attempt to provision SWG and URLDB without either module being originally provisioned
Impact:
You can safely ignore the benign error message.
Workaround:
None.
749041-2 : MRSIP log of subscriber deletion outputs '(null)' for subscriber URI
Links to More Info: BT749041
Component: Service Provider
Symptoms:
New logging was added for SIP subscriber registration and deletion. The deletion log MRSIPERR_SUBSCRIBER_DELETION_LOG() fails to show the subscriber URI, and instead, /var/log/ltm shows messages similar to the following:
MR_SIP: Subscriber registration deleted (xxx.xxx.xxx.xxx:5060 -> yyy.yyy.yyy.yyy:5060) subscriber URI: (null)
Conditions:
-- A SIP subscriber registration is deleted.
-- The log level DB variable log.mrsip.level is 'notice' or above.
Impact:
Prevents correlation of the deletion with the corresponding registration of the subscriber URI.
Workaround:
None.
749011-1 : Datasync may start background tasks during high disk IO utilization
Links to More Info: BT749011
Component: TMOS
Symptoms:
The Datasync daemon runs background tasks only when CPU and RAM resources are available. However, there is no check for whether the disk IO is busy. When the disk IO is heavily used but CPU and RAM are available, the background tasks may start, loading the disk IO even more heavily and affecting performance.
Conditions:
- Client-side ASM/FPS features are enabled.
- Other conditions causing high disk IO usage on the device.
Impact:
- High disk IO causing occasional performance degradation
- In extreme cases, datasyncd may miss its heartbeat and cause a failover
Workaround:
None
748886-2 : Virtual server stops passing traffic after modification
Links to More Info: BT748886
Component: Local Traffic Manager
Symptoms:
A virtual server stops passing traffic after changes are made to it.
Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server
Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.
748851-3 : Bot Detection injection include tags which may cause faulty display of application
Links to More Info: BT748851
Component: Application Security Manager
Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.
Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.
Impact:
Some web applications may be displayed incorrectly.
Workaround:
None
748558-1 : Under unlikely circumstances, TMM hangs and is terminated by the failover daemon
Links to More Info: BT748558
Component: Local Traffic Manager
Symptoms:
TMM hangs and subsequently is terminated by sod.
Conditions:
-- Payload manager is used.
-- Another profile (e.g., rewrite) on an HTTP virtual server needs unchunked payload for processing.
Note: Although this is an unlikely set of conditions, it can occur, depending on the traffic you have.
Impact:
Failover occurs. TMM goes into a loop, and after 10 seconds, it's killed by sod. After it restarts, the system comes back online and can pass traffic. However, if the same conditions recur, the failover happens again. The frequency of the failover recurrence depends on the traffic.
Workaround:
None.
748529-1 : BIG-IP Virtual Edition with cloudhsm integration needs to restart tmm after a fresh install
Links to More Info: BT748529
Component: Local Traffic Manager
Symptoms:
Right after a fresh BIG-IP install to a BIG-IP VE with cloudhsm integration, a nethsm key/cert enabled SSL client profile cannot be applied to a virtual server. A warning will be generated:
warning tmm1[19027]: 01260009:4: Connection error: hud_ssl_handler:1149: invalid profile (40)
Conditions:
Apply an SSL client profile with cloudHSM key/cert at AWS cloud.
Impact:
Virtual server enabled with cloudHSM key/cert can't be configured.
Workaround:
"bigstart restart tmm" after the fresh install.
748451-3 : Manager users cannot perform changes in per-request policy properties
Links to More Info: BT748451
Component: Access Policy Manager
Symptoms:
Users with Admin role can edit and administer per-request policy properties. Users with Manager role, which can manage most APM objects, cannot manage this specific one.
Conditions:
A user with the Manager role tries to modify or change per-request policy properties.
Impact:
Cannot manage per-request policy properties if user role is Manager.
Workaround:
There is no workaround other than having an Admin user manage these objects.
748355-2 : MRF SIP curr_pending_calls statistic can show negative values.
Links to More Info: BT748355
Component: Service Provider
Symptoms:
Certain irregular SIP message patterns may produce an erroneous curr_pending_calls value that can drop below zero and underflow.
Conditions:
Uncommon message flows like re-transmitted INVITE or OK responses can trigger the issue, which may be brought about at times by lost packets when using UDP.
Impact:
SIP curr_pending_calls may show incorrect values.
748295-1 : TMM crashes on shutdown when using virtio NICs for dataplane
Links to More Info: BT748295
Component: TMOS
Symptoms:
TMM crash on stop or restart.
Conditions:
1. Put the virtio NIC in a bad state while TMM is running (for example, detach the NIC from the host).
2. Run the following command: bigstart stop tmm
Impact:
TMM crash generates a core file. However, there is no impact on traffic as the device is already in a bad state before the crash.
Workaround:
None.
748070 : API Protection feature inadvertently allows editing of associated access policy
Links to More Info: BT748070
Component: Access Policy Manager
Symptoms:
This release contains a feature called API Protection. API Protection access policies are hidden from the user interface in most areas except the log settings area.
Conditions:
Modifying API Protection access policy from Access :: Overview :: Event Logs :: Settings.
Impact:
If the API protection policy / profile is modified outside of API Protection GUI, the 'Apply Access Policy' may become activated with no way to deactivate it.
Workaround:
Navigate to the API Protection area and modify any part of the API Protection profile. This causes it to re-deploy, at which time the system clears the 'Apply Access Policy' prompt.
748052-1 : pkcs11 test utility is failing when running nethsm-test on BIG-IP systems configured for AWS CloudHSM
Links to More Info: BT748052
Component: Local Traffic Manager
Symptoms:
When using the nethsm-test tool to validate netHSM installation and configuration on the BIG-IP system, running the command 'tmsh run sys crypto nethsm-test' fails.
Conditions:
-- AWS CloudHSM installed and configured as BIG-IP netHSM.
-- Running nethsm-test.
Impact:
Failure to run command: tmsh run sys crypto nethsm-test. pkcs11 test utility fails.
Workaround:
None.
748044 : RAID status in tmsh is not updated when disk is removed or rebuild finishes
Links to More Info: BT748044
Component: TMOS
Symptoms:
'tmsh show sys raid' shows stale information
When the RAID status changes because a disk fails, is pulled without being removed from the RAID, or when RAID rebuild completes, the new status is not updated to be visible in tmsh.
Log messages, SNMP traps and alerts associated with the change in RAID status do not appear.
Conditions:
-- Platforms that support RAID running 14.0.0 or later.
-- Running the command: tmsh show sys raid.
Impact:
'tmsh show sys raid' output might show disk as ok when it has actually failed, or may show the disk as rebuilding when it is actually ok.
Workaround:
From a bash shell run the command 'array' to see the correct state of the RAID.
If a disk has failed or been removed, the following tmsh command removes the disk from the RAID:
tmsh mod sys raid array <arrayName> remove <DiskName>
748031-1 : Invalidation trigger parameter containing reserved XML characters does not create invalidation rule
Links to More Info: BT748031
Component: WebAccelerator
Symptoms:
If a parameter value for an invalidation trigger contains reserved XML characters, compilation of the resulting invalidation rule fails due to the reserved characters not being escaped.
Conditions:
- AAM policy with invalidation trigger defined
- trigger request with parameter value(s) containing reserved XML characters
Impact:
The invalidation rule requested by the trigger request is not created. Content is not invalidated as expected.
Workaround:
No workaround exists.
747960-2 : BIG-IP VE with 1nic does not handle fragmented traffic to webui or ssh properly
Links to More Info: BT747960
Component: Performance
Symptoms:
Attempts to send fragmented packets destined for SSH or the webui of BIG-IP VE running with 1 NIC will fail. This is a rare situation generally, but one noted area where we have seen it is when BIG-IQ attempts to discover the BIG-IP.
Conditions:
BIG-IP VE configured with 1 network interface. Send IP fragmented traffic to either SSH or the web interface (TCP/8443 for 1nic).
Impact:
The IP fragments will not be properly reassembled and the connection will ultimately fail. This is only an issue for IP fragmented traffic sent with 1nic destined for SSH or the webui.
Workaround:
Prevent IP fragmentation, or configure multiple network interfaces.
747905-4 : 'Illegal Query String Length' violation displays wrong length
Links to More Info: BT747905
Component: Application Security Manager
Symptoms:
When the system decodes a query string that exceeds the allowed query string length, the system reports an incorrect length in the 'Illegal Query String Length' violation.
Conditions:
-- 'Illegal Query String Length' violation is encountered.
-- The query string is decoded and reported.
Impact:
The system reports the decoded character count rather than bytes. For example, for a Detected Query String Length = 3391, the system posts a Detected Query String Length = 1995.
Workaround:
None.
747676-3 : Remote logging needs 'localip' to set source IP properly
Links to More Info: BT747676
Component: TMOS
Symptoms:
The source IP of log entries sometimes uses the system's self IP address.
Conditions:
This occurs during system start-up if syslog-ng starts before the management IP and route are up.
This issue can also occur in a high availability (HA) environment.
Impact:
Remote log entry has the wrong source IP address.
Workaround:
Use tmsh to set the local-ip parameter as per:
https://support.f5.com/csp/article/K13080#localip
For example, to configure the BIG-IP syslog to bind to 10.10.10.10 when sending logs to the remote syslog server mysyslogB, enter the following command:
modify /sys syslog remote-servers modify { mysyslogB { local-ip 10.10.10.10 }}
Note: For BIG-IP systems in a HA configuration, the non-floating self IP address is recommended if using a TMM-based IP address.
Note: If a nonexistent localip is configured in the include option, configure a unique persist-name per https://cdn.f5.com/product/bugtracker/ID740589.html.
747657-1 : Paging controller changed
Links to More Info: BT747657
Component: Application Security Manager
Symptoms:
The old paging controller allowed you to jump to the last page or to any custom page you wanted.
This could result in a really long load time.
Conditions:
Lots of entries in split view pages (e.g., Request Log).
Impact:
Very long load time or even a timeout.
Workaround:
Instead of going to the last page, you can change the sorting order.
Jumping to a specific page outside the first 3-5 is not a common scenario and can be replaced by applying a filter.
747203-2 : Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
Links to More Info: BT747203
Component: TMOS
Symptoms:
-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.
Conditions:
-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers result in distributing legs of processing one flow across several tmm instances.
Impact:
NATT/ESP tunnel flows can end with a RST reset.
Workaround:
None.
747065-2 : PEM iRule burst of session ADDs leads to missing sessions
Links to More Info: BT747065
Component: Policy Enforcement Manager
Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.
Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.
Impact:
Policies available in the missing session cannot be accessed.
Workaround:
Add a delay of at least a few milliseconds between adding multiple sessions with the same subscriber-id and IP address.
746984-4 : False positive evasion violation
Links to More Info: BT746984
Component: Application Security Manager
Symptoms:
When Referer header contains a backslash character ('\') in query string portion, 'IIS backslashes' evasion technique violation is raised.
Conditions:
-- 'Url Normalization' is turned on and 'Evasion Techniques Violations' is enabled.
-- Referer header contains a backslash character ('\') in query string part.
Impact:
False positive evasion technique violation is raised for Referer header.
Workaround:
Turn off 'Url Normalization' on the 'Normalization Settings' section of the 'referer' property on the HTTP Header Properties screen.
746837-2 : AVR JS injection can cause error on page if the JS was not injected
Links to More Info: BT746837
Component: Application Visibility and Reporting
Symptoms:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR 'promises' to the client a JS injection in the response by adding the expected length of the JS to the Content-length header.
If later, it is identified that the response contains no HTML tag, AVR does not inject the JS; instead it wraps the response with spaces.
This can lead to errors in cases where the change in response size is not supported.
Conditions:
AVR is configured to collect 'Page Load Time' and the response from the web server has these conditions:
-- The response is uncompressed.
-- The Content-Type header is text/html.
-- The response is not chunked (Content-Length header exists).
-- The payload does not include the HTML head tag.
Impact:
Whitespace at the end of the page can cause it to be invalid for some applications.
Workaround:
To avoid trying to inject to pages where the JS does not fit, use iRules to control which pages should get the JS injection.
For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.
746758-3 : Qkview produces core file if interrupted while exiting
Links to More Info: BT746758
Component: TMOS
Symptoms:
If, during qkview operation's exit stage, it is interrupted (with Ctrl-C for example), it produces a core file.
Conditions:
-- Qkview is exiting.
-- The qkview operation receives an interrupt.
Impact:
A core file is produced.
Workaround:
When closing qkview, or if it is closing, do not interrupt it; wait for it to exit.
746464-1 : MCPD sync errors and restart after multiple modifications to file object in chassis
Links to More Info: BT746464
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
746152-1 : Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column
Links to More Info: BT746152
Component: TMOS
Symptoms:
The DMA drop packet and bytes registers (rqm_dma_drp_pkts and rqm_dma_drp_bytes in the tmm/hsbe2_internal_pde_ring table) can have huge numbers, which appear to be close to multiples of 4G (2^32). The count reported in the register from hsb_snapshot shows a very small number:
From tmm/hsbe2_internal_pde_ring:
name active bus rqm_dma_drp_pkts rqm_dma_drp_bytes
---------------- ------ --- ---------------- -----------------
lbb0_pde1_ring2 1 2 17179869185 4398046511186
lbb0_pde1_ring3 1 2 8589934597 2199023256108
lbb0_pde2_ring0 1 2 0 0
lbb0_pde2_ring1 1 2 0 0
lbb0_pde2_ring2 1 2 8589934592 2199023255552
lbb0_pde2_ring3 1 2 0 0
lbb0_pde3_ring0 1 2 0 0
lbb0_pde3_ring1 1 2 0 0
lbb0_pde3_ring2 1 2 8589934592 2199023255552
lbb0_pde3_ring3 1 2 0 0
lbb0_pde4_ring0 1 2 0 0
lbb0_pde4_ring1 1 2 0 0
lbb0_pde4_ring2 1 2 8589934592 2199023255552
lbb0_pde4_ring3 1 2 0 0
lbb1_pde1_ring1 1 3 0 0
lbb1_pde1_ring2 1 3 4294967298 1099511627952
From hsb_snapshot for pde1's ring 0 to ring 3:
50430: 00000000 rqm_dma_drp_pkt_cnt_4
50530: 00000000 rqm_dma_drp_pkt_cnt_5
50630: 00000001 rqm_dma_drp_pkt_cnt_6
50730: 00000005 rqm_dma_drp_pkt_cnt_7
Conditions:
The register reads sometimes return a 0 value.
Impact:
The DMA drop stats are not accurate
Workaround:
Restarting tmm resets the stats, but it disrupts traffic.
746137-1 : DNSSEC: Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds
Links to More Info: BT746137
Component: Global Traffic Manager (DNS)
Symptoms:
Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds even though the configuration appears to be the same on each GTM in the sync group. This lasts until another change is committed to the database (for example, creating a new unrelated object such as a gtm wideip).
Conditions:
The user creates a new DNSSEC Zone.
Impact:
gtmd may attempt to sync every 10 seconds until another configuration change is made.
Workaround:
If the user makes another unrelated configuration change, such as creating a gtm datacenter or wideip, the attempt to sync every 10 seconds stops.
746122-1 : 'load sys config verify' resets the active master key to the on-disk master key value
Links to More Info: BT746122
Component: TMOS
Symptoms:
Master key is reset to an older value which may differ from the 'active' value.
Conditions:
Configuration is validated via 'tmsh load sys config verify'.
Impact:
Configuration elements may be encrypted with a different key leading to a corrupt configuration state. If the configuration is saved, future loads will fail.
Workaround:
None.
745859-1 : DNSSEC: gtmd leaks memory when dnssec keys on a dnssec zone are auto-rolling
Links to More Info: BT745859
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd leaks memory every time an auto-rolling DNSSEC Key on a DNSSEC Zone expires or rolls-over.
Conditions:
Auto-rolling DNSSEC Keys are associated with a DNSSEC Zone.
Impact:
gtmd leaks memory every time an auto-rolling DNSSEC Key on a DNSSEC Zone expires or rolls-over.
Workaround:
The user can modify their DNSSEC Keys to be non-rolling/static DNSSEC keys. Also, gtmd can be restarted to temporarily correct the memory leak, but this workaround is not recommended except during a scheduled maintenance window or unless traffic processing seems to be impacted by gtmd memory usage (an unlikely scenario).
745545-1 : CMP forwarded LRO host packets do not restore LRO flag
Links to More Info: BT745545
Component: Local Traffic Manager
Symptoms:
When packets are being CMP forwarded for the host (e.g., related connection), the LRO flag is not being restored. As a result, these packets do not go through TSO which results in PMTU response and the connection hangs.
Conditions:
This issue is particular to CMP forwarded host connections which are going over the TMM interface due to explicit LRO and large MTU.
Impact:
The connection hangs.
Workaround:
There is no workaround.
745291-2 : The BIG-IP HTTP2 filter makes inappropriate assumptions about requests and responses without content lengths
Links to More Info: BT745291
Component: Local Traffic Manager
Symptoms:
HTTP2 differs from HTTP1 in that it is possible to have a request or response without a Content-Length header, and have the connection remain open afterwards. The HTTP2 framing allows the end of such a request or response to be detected.
This difference can cause the HTTP framework within the BIG-IP system to become confused in certain HTTP2 scenarios. This can lead to inappropriate traffic handling of HTTP2 requests and responses.
Conditions:
-- An HTTP2 request or response is seen without a Content-Length header.
-- The HTTP2 request is sent either in multiple frames, or in a single frame followed by one or more Data frames.
-- That request or response would require a Content-Length (or Transfer-Encoding: Chunked) in HTTP 1.x.
Impact:
-- HTTP2 traffic handling can fail if no Content-Length header exists, and one is expected in HTTP 1.x.
-- The Data Frames are not sent to the HTTP1 server side.
-- In certain scenarios, the HTTP1 side sends the pool member response back to the pool member. That results in an RST of the backend-side connection, with the following message in /var/log/ltm:
[F5RST(peer): HTTP2 internal error (bad state transition in egress_complete)]
Workaround:
None.
745035-2 : gtmd crash
Links to More Info: BT745035
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd crashes
Conditions:
This rarely occurs when an iQuery connection is abnormally terminated.
Impact:
Under rare circumstances, gtmd may crash and restart.
Workaround:
None
744924-1 : Bladed unit goes offline after UCS install
Links to More Info: BT744924
Component: TMOS
Symptoms:
Unit goes offline after UCS install. Secondary blades go offline. This lasts about a minute, and then the system goes back online.
Conditions:
After UCS install.
Impact:
-- Limited high availability (HA) capabilities (failover, sync, mirroring, etc.).
-- Cluster reduced to a single blade immediately after UCS install, which might impact performance.
Workaround:
None.
744787-4 : Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
Links to More Info: K04201069, BT744787
Component: Global Traffic Manager (DNS)
Symptoms:
WideIP alias will be replaced.
Conditions:
An alias already exists for one WideIP, and the same alias is added for another WideIP.
Impact:
The previous WideIP will be replaced.
Workaround:
Avoid adding an alias that already exists on one WideIP to another WideIP.
744740-1 : After upgrade, dhclient overwrites configured hostname, even when 'sys management-dhcp' does not contain the 'host-name' in the request-options.★
Links to More Info: BT744740
Component: TMOS
Symptoms:
The configured hostname is overwritten by dhclient after upgrade.
Conditions:
-- DHCP enabled.
-- Custom hostname configured using the procedure described in K45728203: AWS generates the BIG-IP VE instance host name to include the host name's private IP address :: https://support.f5.com/csp/article/K45728203, instead of using the one provided by the DHCP server.
Impact:
Incorrect hostname assigned to the BIG-IP system.
Workaround:
Change the DHCP settings, and issue the following command to correct the name without losing connectivity to management:
# tmsh modify sys global-settings mgmt-dhcp disabled; tmsh modify sys global-settings mgmt-dhcp enabled
744730-1 : After increasing the disk size on a VE or VCMP guest a manual reboot is required for the increase to go into effect.
Links to More Info: BT744730
Component: TMOS
Symptoms:
When the disk on a BIG-IP Virtual Edition (VE) or VCMP guest is increased, the larger disk is allocated, but the VE or VCMP guest cannot use the extra space initially.
A manual reboot allows the system to use the extra space.
The desired behavior is for BIG-IP to reboot by itself.
Conditions:
This occurs when you launch BIG-IP Virtual Edition or VCMP guest with a larger system disk than was provisioned initially.
Impact:
BIG-IP cannot use the extra space.
Workaround:
Manually reboot the affected system.
744520-1 : virtual server with PEM profile drops traffic received from Vxlan-GRE tunnel interface
Links to More Info: BT744520
Component: TMOS
Symptoms:
A virtual server with a PEM profile drops traffic received from a Vxlan-GRE tunnel interface.
Conditions:
Virtual server with a PEM profile and a Vxlan-GRE tunnel interface.
Impact:
Traffic drop.
Workaround:
There is no workaround.
744316-4 : Config sync of APM policy fails with Cannot update_indexes validation error.
Links to More Info: BT744316
Component: Access Policy Manager
Symptoms:
The config sync operation fails for an APM policy when a policy item of the same name points to a different agent on the source and the target.
The system posts errors similar to the following:
Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)
Conditions:
This occurs in the following scenario:
1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
+ Launch VPE for the policy.
+ Add a macro.
+ In macro add an agent, e.g., Message box.
+ Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.
Impact:
Unable to sync configuration in a failover device group.
Workaround:
You can work around this using the following procedure:
1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.
744226-1 : DoSL7-related logs are not throttled
Links to More Info: BT744226
Component: Application Security Manager
Symptoms:
The tmm log has lots of DoSL7-related messages.
Conditions:
The system encounters a condition that may lead to notice messages.
Impact:
The tmm log is flooded with messages.
Workaround:
None.
743946-2 : Tmsh loads schema versions 12.x and earlier which are no longer supported★
Links to More Info: BT743946
Component: TMOS
Symptoms:
BIG-IP systems support directly upgrading to a new version from the previous two major BIG-IP versions.
Thus, upgrading to BIG-IP version 15.x from BIG-IP version 13.x, 14.x or 15.x is supported.
Similarly, tmsh and iControl REST interfaces allow a previous version to be specified, to interpret commands and format responses according to the specified schema versions.
Thus, schema versions 13.x, 14.x and 15.x are supported by tmsh and iControlREST.
However:
Affected versions of BIG-IP version 15.x still load unsupported 12.x and 11.x tmsh schema versions.
Affected versions of BIG-IP version 14.x still load unsupported 11.x tmsh schema versions.
Conditions:
This occurs on affected versions of BIG-IP.
Impact:
Instances of tmsh consume more memory (averaging approximately 16MB per instance on BIG-IP version 15.1.0) due to loading unsupported 12.x and 11.x schemas.
If a large number of tmsh instances are loaded (due to a large number of users logged in, and particularly a large number of remotely-authenticated users), tmsh memory consumption can contribute to out-of-memory conditions.
Workaround:
None.
743234-4 : Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons
Links to More Info: BT743234
Component: TMOS
Symptoms:
Configuring EngineID for SNMPv3 does not take effect until the SNMP and Alert daemons are restarted.
Conditions:
Configure the EngineID for SNMPv3 using the tmsh command:
modify sys snmp include 'EngineType n'
Impact:
The SNMPv3 value does not take effect.
Workaround:
Restart the daemons after changing the EngineID:
restart /sys service snmpd
restart /sys service alertd
Note: The SNMP daemon should be restarted before the Alert daemon.
743132-6 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
Links to More Info: BT743132
Component: TMOS
Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.
Conditions:
Chassis platform with multiple blades.
Setting the httpd ssl-certificate to a new file.
Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.
Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.
742838-1 : A draft policy of an existing published policy cannot be modified if it is in /Common and is used by a virtual server in a different partition
Links to More Info: BT742838
Component: Local Traffic Manager
Symptoms:
If you have a published policy in /Common that is in use by a virtual server in a different partition, and you try to create and modify a draft of the existing policy, you get an error like this:
"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"
This happens in both the GUI and TMSH.
Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.
Impact:
Inability to edit the published policy.
Workaround:
None.
742764-3 : If two racoon daemons are spawned on startup, one fails and cores.
Links to More Info: BT742764
Component: TMOS
Symptoms:
When a BIG-IP system becomes Active, tmipsecd starts a racoon daemon for each route domain, including the default RD 0.
If for any reason racoon fails to fully start, tmipsecd will start another instance of racoon.
When this occurs, one or both of them may crash and create a core file.
Conditions:
-- BIG-IP becomes Active or racoon is (re)started.
-- IPsec does not have to be configured for this failure to occur.
Impact:
IPsec IKEv1 tunnels might delay starting while racoon restarts.
Workaround:
N/A
742753-4 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail
Links to More Info: BT742753
Component: TMOS
Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.
Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:
- Remove the Referer header.
- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.
Impact:
Users cannot log on to the BIG-IP system's WebUI.
Workaround:
As a workaround, you can do any of the following things:
- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).
- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).
- Modify the proxy solution so that it inserts compatible Referer and Host headers.
742603-1 : WebSocket Statistics are updated to differentiate between client and server sides
Links to More Info: BT742603
Component: Local Traffic Manager
Symptoms:
The WebSocket feature has statistics that records the number of each type of frame seen. These statistics do not differentiate between client and server sides.
Conditions:
The WebSocket profile is used to add WebSocket protocol parsing.
Impact:
WebSocket Traffic Statistics may be misleading
Workaround:
None.
742419-5 : BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi
Links to More Info: BT742419
Component: TMOS
Symptoms:
Configuring multiple SR-IOV interfaces into a trunk does not function correctly when running BIG-IP as a guest under VMware ESXi. The interface will show as uninitialized.
Conditions:
A system that passes SR-IOV virtual functions directly to a BIG-IP guest when running on VMware ESXi.
Impact:
The trunk will fail to initialize.
Workaround:
None.
742170-2 : REST PUT command fails for data-group internal
Links to More Info: BT742170
Component: TMOS
Symptoms:
Cannot change content of existing data-group internal using REST PUT command.
Conditions:
-- Using REST API.
-- Creating and updating data-group in a single transaction.
Impact:
Cannot modify data-group internal via the REST API.
Workaround:
Add 'type' in the content.
Note: This change in behavior occurred as the result of a different change in the software. Previously, you could not create and update data-group in a single transaction. Now you can, but you must also specify 'type'.
742120-1 : MCPd crash seen during load sys config
Links to More Info: BT742120
Component: Advanced Firewall Manager
Symptoms:
If the system is gathering IP intelligence category stats (e.g., by issuing the following command: show security ip-intelligence global-policy ip-intelligence-categories) and simultaneously you issue the command 'load sys config', MCPd might crash while fetching the stats.
Conditions:
-- IP intelligence category stats are being fetched.
-- The command 'load sys config' is executed.
Impact:
MCPd restarts. Traffic disrupted while the daemon restarts.
Workaround:
There is no workaround other than not gathering IP intelligence category stats while the load sys config operation is being performed.
742105-2 : Displaying network map with virtual servers is slow
Links to More Info: BT742105
Component: TMOS
Symptoms:
The network map loads slowly when it contains lots of objects.
Conditions:
Load the network map in a configuration that contains 1000 or more objects.
Impact:
The network map loads very slowly.
Workaround:
None.
740977-1 : Tracert and traceroute from client does not display route path
Links to More Info: BT740977
Component: Local Traffic Manager
Symptoms:
When performing a traceroute or tracert from the client side, the route path that is taken is not displayed.
Conditions:
-- On any Microsoft Windows or Linux client that is connected to a BIG-IP system running software v14.1.x.
-- Clients connecting through APM Network Access are also impacted.
Impact:
The traceroute path is not shown.
Workaround:
None.
740324-1 : [NAT UNI][UI]: Need logic to extract virtual servers with NAT policy attached/inherited to be shown in CGNAT Virtuals
Component: Advanced Firewall Manager
Symptoms:
The GUI only displays virtual servers with lsn-pool attached, but not with only NAT policies attached.
Conditions:
1. A virtual server created under CGNAT has 'Source Address Translation' configured, and the mandatory 'LSN pool' is removed.
2. Filter for virtual servers under 'Carrier Grade NAT ›› Virtual Servers : Virtual Server List'
Impact:
Not all virtual servers are listed.
Workaround:
None
739820-1 : Validation does not reject IPv6 address for TACACS auth configuration
Links to More Info: BT739820
Component: TMOS
Symptoms:
TACACS authentication does not support an IPv6 address for the authentication server, but both the GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like the following:
Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)
Conditions:
Use the GUI or TMSH to create or modify a TACACS server
Impact:
Remote authentication will fail unless a second server is configured with IPv4 address.
Workaround:
Do not configure an IPv6 address for the TACACS server.
739553-1 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
Links to More Info: BT739553
Component: Global Traffic Manager (DNS)
Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.
Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.
Impact:
Wide IP persistence does not work.
Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.
739475-4 : Site-Local IPv6 Unicast Addresses support.
Links to More Info: BT739475
Component: Local Traffic Manager
Symptoms:
No reply to Neighbor Advertisement packets.
Conditions:
Using FE80::/10 addresses in the network.
Impact:
Cannot use FE80::/10 addresses in the network.
Workaround:
N/A
739118-1 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
Links to More Info: BT739118
Component: TMOS
Symptoms:
When existing self IP addresses are changed directly in the bigip_base.conf file, then after uploading the changed configuration file, the BIG-IP routing service provides out-of-date self IP route information to dependent services.
Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.
Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - has the old and new routes.
-- Kernel table - has the new route.
Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in the bigip_base.conf file. That is not a recommended way to add or change BIG-IP configuration. Use the GUI or tmsh instead.
Corrective:
If a changed configuration has already been uploaded: in the GUI or tmsh, delete the changed self IP address, then create a self IP address with the old IP address and delete it as well. All affected routes are then removed.
738881-3 : Qkview does not collect any data under certain conditions that cause a timeout
Links to More Info: BT738881
Component: TMOS
Symptoms:
Qkview enforces a timeout mechanism in various locations for its submodules. In certain conditions, when a timeout occurs, Qkview should still be able to collect what data it can before doing this check.
Conditions:
A particular timeout is encountered during a Qkview operation.
Impact:
Data that might have been collected is not, which might result in missing helpful diagnostic information.
Workaround:
Work around the issue by increasing the qkview timeout, for example:
qkview -t 720
738547-3 : SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
Links to More Info: BT738547
Component: Access Policy Manager
Symptoms:
When a SAML metadata file that contains certain UTF-8 characters other than ASCII is imported, the SAML SAX Parser returns an error.
Conditions:
The SAML metadata file contains certain UTF-8 characters other than the ASCII set.
Impact:
SAML metadata file is not imported, and the system reports an error. SAML configuration on BIG-IP systems is impacted.
Workaround:
Remove the non-ASCII UTF-8 characters, and try the import operation again.
738450-1 : Parsing pool members as variables with IP tuple syntax
Links to More Info: BT738450
Component: Local Traffic Manager
Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.
Conditions:
Tcl variable is used for the IP tuple instead of a plain value.
Impact:
iRule LB::reselect command may not recognize an IP tuple when it is a variable. tmsh warning shows.
Note: There is no warning in the GUI.
Workaround:
Use plain value instead of variable.
738045-5 : HTTP filter complains about invalid action in the LTM log file.
Links to More Info: BT738045
Component: Local Traffic Manager
Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)
Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.
Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):
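when HTTP_REQUEST {
    # Hold the request payload while the name lookup is pending
    HTTP::collect
    NAME::lookup @10.0.66.222 'f5.com'
}
when NAME_RESOLVED {
    # Releasing the collected data forwards it to the serverside,
    # which raises HTTP_REQUEST_SEND while this event is still running
    HTTP::release
}
when HTTP_REQUEST_SEND {
    log local0. "Entering HTTP_REQUEST_SEND"
}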
-- Client sends two HTTP Post requests.
-- After the first request, the second connection is kept alive (for example, by using HTTP header Connection) so that the second request can reuse the same connection.
Impact:
The second request gets reset, and the system logs errors in the LTM log file.
Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.
737739-1 : Bash shell still accessible for admin even if disabled
Links to More Info: BT737739
Component: TMOS
Symptoms:
With the administrator role, you have an option in TMUI to disable or restrict terminal access. If you disable or restrict access, the corresponding REST endpoint is neither disabled nor restricted.
Conditions:
Use TMUI as the admin, or as a user with the administrator role, and either of the following:
-- Disable terminal access.
-- Restrict access to TMSH.
Impact:
Users with the Administrator role can obtain shell access via REST.
With terminal access disabled:
-- If you attempt to log in using SSH, you will not be able to do so.
-- If you make a POST request to the /mgmt/tm/util/bash endpoint with a body that includes a command to run, that command will be run.
With access to TMSH restricted:
-- A POST request to the /mgmt/tm/util/bash endpoint that includes a body with a command to run will be run.
Workaround:
None.
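With no workaround available, calls to the /mgmt/tm/util/bash endpoint can at least be watched for in the REST audit trail. The following is an added example, not F5 code: the audit-line layout, the sample lines, and the user names (including the hypothetical shell-restricted account 'opsadmin') are constructed assumptions to adapt to the device's actual REST audit log.

```python
import json
import re
from urllib.parse import urlsplit

BASH_ENDPOINT = "/mgmt/tm/util/bash"

# Assumed line layout: [level][seq][timestamp][worker] {json fields}
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z]+)\]\[(?P<seq>\d+)\]\[(?P<time>[^\]]+)\]"
    r"\[(?P<worker>[^\]]+)\]\s+(?P<body>\{.*\})\s*$")

# Constructed sample lines (not taken from a real device); the last one is
# deliberately truncated to show how unparseable input is counted.
SAMPLE_LOG = """\
[I][784][12 May 2022 09:14:02 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"GET","uri":"http://localhost:8110/mgmt/tm/ltm/virtual","status":200,"from":"192.0.2.10"}
[I][785][12 May 2022 09:15:40 UTC][ForwarderPassThroughWorker] {"user":"local/opsadmin","method":"POST","uri":"http://localhost:8110/mgmt/tm/util/bash","status":200,"from":"192.0.2.44"}
[I][786][12 May 2022 09:16:05 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"POST","uri":"http://localhost:8110/mgmt/tm/util/bash/","status":401,"from":"198.51.100.7"}
[I][787][12 May 2022 09:16:09 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"POS
"""


def parse_line(line):
    """Return (timestamp, fields) for one audit line, or None if it does not parse."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    try:
        fields = json.loads(match.group("body"))
    except ValueError:
        return None
    if not isinstance(fields, dict):
        return None
    return match.group("time"), fields


def find_bash_calls(lines, shell_restricted):
    """Report POST requests to the bash endpoint.

    shell_restricted is the set of user names whose terminal access is
    disabled or limited to tmsh; a hit from one of them is exactly the case
    this bug describes. Returns (findings, count_of_unparsed_lines).
    """
    findings, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1          # never drop silently: gaps hide activity
            continue
        when, fields = parsed
        path = urlsplit(str(fields.get("uri", ""))).path.rstrip("/")
        method = str(fields.get("method", "")).upper()
        if method != "POST" or path != BASH_ENDPOINT:
            continue
        user = str(fields.get("user", "")).rpartition("/")[2]  # drop "local/"
        status = fields.get("status")
        findings.append({
            "time": when,
            "user": user,
            "from": fields.get("from"),
            "status": status,
            "accepted": isinstance(status, int) and 200 <= status < 300,
            "restricted_user": user in shell_restricted,
        })
    return findings, unparsed


if __name__ == "__main__":
    hits, skipped = find_bash_calls(SAMPLE_LOG.splitlines(), {"opsadmin"})
    for hit in hits:
        print(hit)
    print("unparsed lines:", skipped)
```

A finding with both 'accepted' and 'restricted_user' set is the highest-priority case; a non-zero unparsed count means the log needs manual review.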
737692-3 : Handle x520 PF DOWN/UP sequence automatically by VE
Links to More Info: BT737692
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
737346-1 : After entering username and before password, the logging on user's failure count is incremented.
Links to More Info: BT737346
Component: TMOS
Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.
Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.
Note: This does not apply to GUI or iControl REST logins.
Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.
Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.
727191-1 : Invalid arguments to run sys failover do not return an error
Links to More Info: BT727191
Component: TMOS
Symptoms:
If an invalid device name is used in the sys failover command, the rejection of the device name is logged in /var/log/ltm and failover does not occur. No error or failure message is displayed on the command line.
Note: In prior versions, the system incorrectly performed a force-to-standby operation (no 'device' specified), rather than a directed failover operation (failover to specified 'device'). Although this resulted in the active device becoming standby, it did not cause the system to choose the (nonexistent) device specified.
Conditions:
Run a tmsh command similar to the following:
sys failover standby traffic-group traffic-group-1 device invalid_name
Impact:
Since no failover occurs and no error/warning is returned, this may result in some confusion.
Workaround:
There is no workaround.
726900-1 : Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters
Links to More Info: BT726900
Component: Local Traffic Manager
Symptoms:
Virtual server may attempt to use syncookies on first SYN packet rather than allowing the connection to pass through to the real server.
Conditions:
Modifying a virtual server (CLI/iControl/GUI) to switch from FastL4 or TCP profiles to an 'ip-other' profile.
Impact:
The configured 'ip-other' virtual server will fail to accept all traffic. For example, a TCP or a UDP flow which should have been accepted and processed by the 'ip-other' virtual server will be dropped incorrectly, trying to enforce 'Syn Cookie' validation.
Workaround:
When switching a virtual server profile from FastL4/TCP to the 'ip-other' profile, delete the virtual server and then re-add it with the 'ip-other' profile.
726164-1 : Rolling DNSSEC Keys can stop regenerating after a length of time on the standby system
Links to More Info: BT726164
Component: Global Traffic Manager (DNS)
Symptoms:
Rolling DNSSEC Keys may stop generating when a BIG-IP system is on standby for a length of time
Conditions:
BIG-IP system is on standby for a length of time, in general, longer than twelve hours.
Impact:
Rolling DNSSEC keys can stop regenerating.
Workaround:
None.
726011-4 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
Links to More Info: BT726011
Component: Policy Enforcement Manager
Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.
Conditions:
If the PEM classification tokens do not change.
Impact:
Time-based actions such as insert content may not get applied to such flows.
Workaround:
None.
725646-4 : The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly
Links to More Info: BT725646
Component: TMOS
Symptoms:
A tmsh core occurs when multiple tmsh instances are spawned and terminated quickly
/var/log/kern.log:
info kernel: tmsh[19017]: segfault ...
system messages in /var/log/messages:
notice logger: Started writing core file: /var/core/-tmsh ...
/var/log/audit:
notice -tmsh[19010]: 01420002:5: AUDIT - pid=19010 ...
Conditions:
This issue occurs intermittently in the following scenario:
1. Open multiple instances of tmsh using the following command pattern:
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
...
2. Quickly terminate them using Ctrl-D or by closing terminal.
Impact:
The tmsh utility crashes and produces a core file in the /shared/core directory. The BIG-IP system remains operational.
Workaround:
Restart tmsh if the problem occurs.
To prevent the issue from occurring: Do not quickly terminate tmsh instances using Ctrl-D.
725591-1 : Changing the management IP of an Active device in Device Service Cluster will cause Active/Active
Links to More Info: BT725591
Component: TMOS
Symptoms:
The Device Service Clustering software uses the management IP as the primary key to identify the nodes in the cluster.
When the Active device begins using a new management IP, the Next-Active device cannot reach the Active device, and becomes Active. Once the configuration change has propagated to all devices, a new Active device is chosen.
Conditions:
Changing the Management IP of an Active device in Device Service Cluster.
Impact:
Device Service Cluster has multiple Active devices for several seconds.
Workaround:
Do not change the management IP of the Active device. Force the device to Standby, and then change the IP.
724994-4 : API requests with 'expandSubcollections=true' are very slow
Component: TMOS
Symptoms:
Submitting an iControl REST query using the option 'expandSubcollections=true' takes significantly longer to return than one without that option. For example, the request 'https://localhost/mgmt/tm/ltm/virtual?expandSubcollections=true' takes significantly longer than the request 'https://localhost/mgmt/tm/ltm/virtual'.
Conditions:
Submitting a query using expandSubcollections=true.
Impact:
The response takes significantly longer to return.
Workaround:
The additional processing time occurs because the 'expandSubcollections' parameter fetches all the related associated elements. You can use the following alternative to retrieve the virtual configuration:
1. Run the following query:
GET mgmt/tm/ltm/virtual
2. Obtain the list of virtual servers by:
2a. parsing either the selfLink or the fullPath properties in the response items array, where the response is from step 1.
2b. writing an iControlLX worker that does this.
Note: Writing a worker abstracts the parsing logic into a user-defined endpoint. It provides API access to the data.
3. Iterate over the virtual servers querying each with the option 'expandSubcollections=true'.
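The three workaround steps above, as an added example (not F5 code). The sample responses are constructed, and 'https_getter' is a hypothetical transport that assumes token authentication with the X-F5-Auth-Token header; any function that maps a request path to decoded JSON can be passed in its place.

```python
import json
import urllib.request
from urllib.parse import quote, urlsplit

COLLECTION = "/mgmt/tm/ltm/virtual"


def item_path(item):
    """Step 2a: REST path of one virtual server, taken from a collection item.

    selfLink is preferred; only its path is kept, because the link names
    'localhost' rather than the address the client connects to. fullPath is
    the fallback: iControl REST writes the folder separator '/' as '~'.
    """
    link = item.get("selfLink")
    if link:
        return urlsplit(link).path
    full_path = item.get("fullPath")
    if not full_path:
        raise ValueError("item has neither selfLink nor fullPath")
    return COLLECTION + "/" + quote(full_path.replace("/", "~"), safe="~")


def expand_each(get_json):
    """Steps 1 and 3: one plain listing, then one expanded query per virtual.

    A virtual whose expanded query fails is recorded under 'errors' so that
    one bad object does not abort the whole run.
    """
    listing = get_json(COLLECTION)
    expanded, errors = {}, {}
    for item in listing.get("items", []):
        key = item.get("fullPath") or item.get("selfLink") or "<unnamed item>"
        try:
            path = item_path(item)
            expanded[key] = get_json(path + "?expandSubcollections=true")
        except (OSError, KeyError, ValueError) as exc:
            errors[key] = repr(exc)
    return {"virtuals": expanded, "errors": errors}


def https_getter(host, token):
    """Hypothetical transport: token auth over HTTPS, certificate checks left on."""
    def get_json(path):
        request = urllib.request.Request(
            "https://" + host + path, headers={"X-F5-Auth-Token": token})
        with urllib.request.urlopen(request, timeout=30) as response:
            return json.load(response)
    return get_json


# Constructed responses, trimmed to the fields used here (not device output).
SAMPLE = {
    COLLECTION: {"items": [
        {"fullPath": "/Common/vs_web",
         "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~vs_web?ver=14.1.4"},
        {"fullPath": "/tenant1/vs_api"},    # no selfLink: fullPath fallback
        {"fullPath": "/tenant1/vs_gone"},   # no expanded response below
    ]},
    COLLECTION + "/~Common~vs_web?expandSubcollections=true":
        {"fullPath": "/Common/vs_web",
         "profilesReference": {"items": [{"name": "http"}]}},
    COLLECTION + "/~tenant1~vs_api?expandSubcollections=true":
        {"fullPath": "/tenant1/vs_api",
         "profilesReference": {"items": [{"name": "tcp"}]}},
}


def sample_getter(calls):
    """Offline stand-in for https_getter that records each request path."""
    def get_json(path):
        calls.append(path)
        return SAMPLE[path]
    return get_json


if __name__ == "__main__":
    seen = []
    report = expand_each(sample_getter(seen))
    print(json.dumps({"requests": seen, "report": report}, indent=2))
```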
724653-2 : In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync.
Links to More Info: BT724653
Component: TMOS
Symptoms:
In a device-group configuration, a BIG-IP administrator can add a non-synced object to a partition on one device, then delete that partition on a peer device, syncing the delete (this is assuming the partition is empty on the peer).
Although the config-sync operation will report as having completed successfully on both devices, and no errors will be visible in the /var/log/ltm file of either device, a number of issues can manifest at a later time.
For instance, assuming the non-synced object was a VLAN, listing all VLANs across all partitions will return the following error:
root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/)(tmos)# list net vlan recursive
01070712:3: Internal error, can't load folder or nested folder for: /test/my_vlan
And reloading the config will return the following error (as the partition has been deleted, including its flat config files):
root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/Common)(tmos)# load sys config
Loading system configuration...
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/var/libdata/dpi/conf/classification_update.conf
/defaults/urlcat_base.conf
/defaults/daemon.conf
/defaults/pem_base.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
Loading configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
01070523:3: No Vlan association for STP Interface Member 1.2.
Unexpected Error: Loading configuration process failed.
These are just examples, and the exact failures will depend on the type of non-synced object and its use within your configuration.
Conditions:
-- Two or more devices in a device-group configuration.
-- Using partitions that contain non-synced objects.
-- Deleting the partition on a device and syncing the changes to the other devices.
Impact:
The partition is deleted on the peer device, even though it still contains non-synced objects. A number of config issues can arise at a later time as a result of this.
Workaround:
In some cases, if you need to define non-synced objects, you can do so in partitions or folders that are associated with 'device-group none' and 'traffic-group none'. This would prevent the partition or folder from synchronizing to other devices in the first place.
723306-1 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
Links to More Info: BT723306
Component: Local Traffic Manager
Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:
01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.
Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.
Impact:
Inability to load config, with created internal virtual server.
Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on a different partition.
722741-1 : Damaged tmm dns db file causes zxfrd/tmm core
Links to More Info: BT722741
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd/tmm cores on startup.
Conditions:
Damaged tmm dns db file.
Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.
Workaround:
Delete the damaged db files.
722647-4 : The configuration of some of the Nokia alerts is incorrect
Links to More Info: BT722647
Component: TMOS
Symptoms:
The categories for perceived severity in the alert_nokia.conf file are 0-4, 10-11, but there is an entry in the file with a value of 6.
Conditions:
-- Traps are enabled to support SNMP alerts in the Nokia NetAct format, e.g., using the following command:
tmsh modify sys db alertd.nokia.alarm value enable
-- The values in the alert_nokia.conf file are applied.
Impact:
Some of the values are incorrect. Handling of the trap/clear for the mislabeled trap is incorrect.
Workaround:
Edit the alert_nokia.conf file and restart the alert daemon.
722534-1 : load sys config merge not supported for iRulesLX
Links to More Info: BT722534
Component: Local Traffic Manager
Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:
# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"
Conditions:
The configuration being merged contains iRulesLX.
Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.
Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.
721020-1 : Changes to the master key are reverted after full sync
Links to More Info: BT721020
Component: TMOS
Symptoms:
Changes to the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.
Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.
Impact:
Subsequent configuration loads fail on the device.
Workaround:
There is no workaround.
720434-3 : Multi-blade Chassis iAppLX Package upgrade sync is incomplete across blades
Links to More Info: BT720434
Component: Device Management
Symptoms:
Some iAppLX package files on primary blade do not exist on secondary blades.
Conditions:
After installing an iAppLX package on a multi-blade chassis the package files are synced to other blades. This process is not instantaneous and may take several minutes.
During this time if the same iAppLX package is upgraded, not all of the files will be synced across blades, and an incomplete iAppLX package will exist on secondary blades.
Impact:
When a failover occurs to a blade with an incomplete iAppLX package, parts of the iAppLX GUI may not work.
Workaround:
To trigger a resync of files from primary to secondary blades run the following command:
bigstart restart csyncd
720045-3 : IP fragmented UDP DNS request and response packets dropped as DNS Malformed
Links to More Info: BT720045
Component: Advanced Firewall Manager
Symptoms:
AFM/DHD treats the IP fragmented UDP DNS packet (request or response) as DNS Malformed packet and drops these packets.
Conditions:
-- AFM/DHD is enabled (provisioned and licensed).
-- DNS Malformed vector is enabled at Device context (by default, it's always enabled).
-- AFM/DHD receives fragmented IP packet for UDP DNS request or response.
Impact:
AFM/DHD incorrectly treats such packets as DNS malformed and drops them.
If AFM/DHD receives any DNS request/response UDP packet that is fragmented at the IP layer, the system drops the packet, interrupting DNS service between client/servers through BIG-IP systems.
Workaround:
None.
719030-1 : IPv6 address is not set in the GUI if IPv4 is set to automatic (dhcp)
Links to More Info: BT719030
Component: TMOS
Symptoms:
When IPv6 is set to manual and IPv4 is set to automatic (dhcp) address allocation, a static IPv6 address triggers an error in the GUI:
"The format for the address at Mgmt Port IPV6 is invalid. To change the format of an existing IP address, edit the field and click Update"
Conditions:
IPv4 management config is set to automatic (dhcp) while IPv6 is set to manual.
Impact:
The GUI throws an error if you manually set the IPv6 address.
Workaround:
Configure through tmsh.
718291-2 : iHealth upload error does not clear
Links to More Info: BT718291
Component: TMOS
Symptoms:
If an error occurs that sets the iHealth error string, then this string is never cleared.
Conditions:
Setting an invalid hostname for db variable proxy.host.
Impact:
The system reports the following error string: curl: (56) Recv failure: Connection reset by peer. This error message is never cleared, despite running a successful upload. The bogus error message could result in unnecessary confusion after a successful upload.
Workaround:
To clear the error message, run the following command:
/usr/bin/guishell -c "update diags_ihealth_request set error_str='';"
718288-2 : MCPD might crash on secondary blades when DNSSEC client-facing SOA zone serial not updated
Links to More Info: BT718288
Component: Local Traffic Manager
Symptoms:
In certain cases, a DNSSEC client-facing SOA zone serial does not always update when DNSSEC-related resource records change. That might cause MCPD to crash on secondary blade.
Conditions:
A DNSSEC-related resource record changes.
Impact:
A DNSSEC client-facing SOA zone serial may not always update. That might cause MCPD crash on secondary blade. Traffic disrupted while MCPD restarts.
Workaround:
None.
718230-1 : Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented
Links to More Info: BT718230
Component: Global Traffic Manager (DNS)
Symptoms:
In certain circumstances, attaching a BIG-IP monitor type to a non-BIG-IP server with already defined virtual servers is allowed by the system when it should not be allowed.
Conditions:
Attempting to attach a BIG-IP monitor type to a non-BIG-IP server.
Impact:
The BIG-IP monitor can be added to a non-BIG-IP server without error. This causes a configuration load error, such as after a reboot, tmm restart, or tmsh load sys config, and results in an error message such as:
-- localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all gtm-only" - failed. -- Loading schema version: 12.1.3 Loading schema version: 12.1.5.1 01071033:3: Server (/Common/generic_server_object) contains monitor (/Common/bigiptest) which is an invalid type. Unexpected Error: Loading configuration process failed.
Workaround:
None.
718108-3 : It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts
Links to More Info: BT718108
Component: TMOS
Symptoms:
When trying to create a diagnostic core file of the icrd_child process (for example, using the command: kill -6 <PID>), the process restarts but does not create a core file.
Conditions:
iControl REST requests are sent to the BIG-IP system using non-administrative (or resource admin) user accounts.
Impact:
This issue may hinder F5 Support efforts to diagnose memory leaks or other issues affecting the icrd_child process.
Workaround:
There are two workarounds for this issue.
Workaround #1:
The problem can be avoided by making calls to iControl REST using only User IDs that have the 'Admin' or 'Resource Admin' roles.
Note: If iControl REST calls have already been made with User IDs that have a role other than 'Admin' or 'Resource Admin', the 'restjavad' process must be restarted before core files can be created for icrd_child processes.
Workaround #2:
If iControl REST calls have already been made with User IDs that have a role other than 'Admin' or 'Resource Admin', and a core file is needed for a currently running icrd_child process, running the following two commands in the Advanced Shell (aka bash) creates the core file.
1: "echo 2 > /proc/sys/fs/suid_dumpable"
2: "pkill -6 icrd_child"
Note: The commands are shown inside quotation marks but do not include the quotation marks.
717785-2 : Interface-cos shows no egress stats for CoS configurations
Links to More Info: BT717785
Component: TMOS
Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.
Conditions:
-- Valid 8 HW CoS feature configuration has been enabled and passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.
Impact:
Egress packet statistics reported per CoS queue show no counts.
Workaround:
None.
717174-1 : WebUI shows error: Error getting auth token from login provider★
Links to More Info: BT717174
Component: Device Management
Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.
This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.
Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.
Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.
Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:
bigstart restart restjavad
bigstart restart restnoded
716701-3 : In iControl REST: Unable to create Topology when STATE name contains space
Links to More Info: BT716701
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use iControl REST to create topology records when whitespace exists in a STATE name.
Conditions:
STATE name contains a space (e.g., New Mexico).
Impact:
Unable to create a topology record using iControl REST.
Workaround:
Use TMSH with quotes or escaping to create topology records for a STATE with whitespace in the name.
715379-3 : IKEv2 accepts asn1dn for peers-id only as file path of certificate file
Links to More Info: BT715379
Component: TMOS
Symptoms:
IKEv2 only has a very inconvenient way to specify ID for an ike-peer when using peers-id-type asn1dn. The string value of peers-id-value was understood only as a file path, and not as a representation of the asn1dn value itself. The file had to be a certificate, whose subject happened to be the ID of the remote peer as a distinguished name (DN), so this could be extracted as binary DER for asn1dn. This was both awkward and error prone, requiring what amounts to a copy of a peer's certificate before it is sent during negotiation.
Conditions:
-- Using certificate based authentication in IPsec IKEv2.
-- Configuring an ike-peer with peers-id-type as asn1dn.
Impact:
Very difficult to use asn1dn as the ID of a peer, impeding inter-operation with other vendors.
Workaround:
If you can install a local copy of the peer's certificate, with an asn1dn value inside matching what that peer will actually send in an IKE_AUTH exchange, IKEv2 can extract the asn1dn provided the value of peers-id-value is an absolute file system path to this local certificate copy.
714705-4 : Excessive "The Service Check Date check was skipped" log messages.
Links to More Info: BT714705
Component: TMOS
Symptoms:
Large numbers of these warnings are logged into the "ltm" file:
warning httpd[12345]: 0118000a:4: The Service Check Date check was skipped.
The message appears whenever a new "httpd" instance is launched.
Conditions:
The BIG-IP instance has been installed with a "no service check" license. These licenses are sometimes provided with cloud pre-licensed VE software images.
Impact:
Log files are saturated with many useless warnings. This can hide actual problems and impede their diagnosis.
Workaround:
During manual troubleshooting, commands such as the following may be used to filter the excess warnings:
# grep -v 'Service Check Date check was skipped' ltm | less
The syslog-ng 'include' filter mechanism is another possibility, but this should be attempted only with assistance of the F5 Support team.
713183-3 : Malformed JSON files may be present on vCMP host
Links to More Info: BT713183
Component: TMOS
Symptoms:
Malformed JSON files may be present on vCMP host.
Conditions:
All needed conditions are not yet defined.
- vCMP is provisioned.
- Guests are deployed.
- Software versions later than 11.6.0 for both guest/host may be affected.
Impact:
Some vCMP guests may not show up in the output of the command:
tmsh show vcmp health
In addition, there might be files present named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.
There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.
Workaround:
None.
712926-1 : GTM server device 'replace-all-with' reports error with specific server config
Links to More Info: BT712926
Component: Global Traffic Manager (DNS)
Symptoms:
Attempting to use a 'replace-all-with' action to replace the devices associated with a GTM/DNS server may fail with the message 'Server (<server_name>) must have at least one device.', if the new devices have the same names as the devices being replaced.
Conditions:
-- A 'replace-all-with' command is used to replace the devices associated with a GTM/DNS server.
-- The names of all of the new devices match the names of existing devices.
Impact:
The 'replace-all-with' command fails. No changes are applied to the configuration.
Workaround:
When performing a 'replace-all-with' on the devices associated with a server, first run a 'replace-all-with' command with a placeholder device whose name does not match any of the devices being replaced or being applied. After this device is created, the intended command can be run.
712542-3 : Network Access client caches the response for /pre/config.php
Links to More Info: BT712542
Component: Access Policy Manager
Symptoms:
The Network Access client caches the response for /pre/config.php.
Conditions:
-- APM is provisioned.
-- Network Access is configured.
Impact:
Caching the response for /pre/config.php might reveal configuration information. However, a URL is public information by definition. The only sensitive information revealed are server names, which have to be revealed in order for the client to know where to connect.
Workaround:
None.
712534 : DNSSEC keys are not generated when configured to use an external FIPS device
Links to More Info: BT712534
Component: Local Traffic Manager
Symptoms:
DNSSEC keys that use an external FIPS device are not generated, and an SELinux denial is reported in /var/log/auditd/audit.log. The logged permission denial should indicate that a process running under the 'mcpd_t' SELinux context was denied the 'execmem' permission.
Conditions:
-- A device is configured with one or more DNSSEC keys that are configured to be generated by an external FIPS device (indicated by the 'use-fips' option being set to 'external').
-- An unpatched version of the Thales client software is in use on the device.
Impact:
DNSSEC keys will not be generated when configured to use the external FIPS device.
Workaround:
Update the version of the Thales client software that is in use on the device.
712241-2 : A vCMP guest may not provide guest health stats to the vCMP host
Links to More Info: BT712241
Component: TMOS
Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision
These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.
These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest
Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.
Impact:
There is no functional impact to the guests or to the host, other than these lost tables.
-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI, such as being grey when they should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.
Workaround:
There is no workaround at this time.
711747-1 : Vcmp_pde_state_memcpy core during http traffic and pfmand resets.
Links to More Info: BT711747
Component: TMOS
Symptoms:
TMM restarts with core file available.
Conditions:
The issue occurs intermittently under the following conditions:
-- System uses pfmand.
-- pfmand health monitoring enabled (sys db pfmand.healthstatus value enable, this is the default).
-- The system is passing http traffic.
-- pfmand is reset (tmsh modify sys pfman device 0/00:0c.5 status reset).
Impact:
Traffic disrupted while TMM restarts.
Workaround:
N/A
711056-1 : License check VPE expression fails when access profile name contains dots
Links to More Info: BT711056
Component: Access Policy Manager
Symptoms:
License Check Agent always flows down fallback branch. Logs show the following pattern:
-- err apmd[13738]: 01490190:3: /Common/my.profile.name:Common:2a392ccd: Key 'tmm.profilelicense./Common/my.profile.name#' was not found in MEMCACHED.
-- err apmd[13738]: 01490086:3: /Common/my.profile.name:Common:2a392ccd: Rule evaluation failed with error: can't use empty string as operand of "-"
Conditions:
-- Access profile contains '.' (dot) characters in its name.
-- License Check agent is used in the VPE to check against profile license.
Impact:
License check always fails, resulting in denied logon.
Workaround:
Use a different policy name without '.' characters.
709952-2 : Disallow DHCP relay traffic to traverse between route domains
Links to More Info: BT709952
Component: Local Traffic Manager
Symptoms:
DHCP traffic can traverse between route domains, e.g., when working with a route domain with a parent. Under certain circumstances, this is not desired.
Conditions:
DHCP relay in use on a route domain with a parent relationship or strict isolation disabled.
Impact:
The DHCP server side flow might get established to the parent route domain, and will persist even after the route in its own route domain becomes available again.
Workaround:
There is no workaround at this time.
709381-2 : iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.
Links to More Info: BT709381
Component: Local Traffic Manager
Symptoms:
An iRules LX plugin does not properly run and messages similar to the following example are logged to the /var/log/ltm file:
err tmm[17616]: 01220001:3: TCL error: /Common/my-plugin/my-rule <HTTP_REQUEST> - ILX timeout. invoked from within "ILX::call $ilx_handle -timeout 3000 my-function"
Conditions:
An iRules LX workspace archive is imported to BIG-IP version 13.1.0 or later from a previous software version.
It should be noted this is what happens during a regular software upgrade. Therefore, you might encounter this issue when upgrading a system to BIG-IP version 13.1.0 or later.
Impact:
The affected iRules LX are not functional under the new software version, and the virtual servers utilizing them will experience various failures.
Workaround:
Change the node version from 0.12.15 to 6.9.1 and back.
708991-2 : Newly entered password is not remembered.
Links to More Info: BT708991
Component: TMOS
Symptoms:
- Upon enabling password remember feature and running 'tmsh load sys config default', the password history fails to verify and save the newly entered password.
- Upon installing a BIG-IP image for the first time, the default password is not updated.
Conditions:
- Installing a BIG-IP image for the first time.
- Resetting the configuration using 'tmsh load sys config default'.
Impact:
The password is not remembered.
Workaround:
N/A
708680-1 : TMUI is unable to change the Alias Address of DNS/GTM Monitors
Links to More Info: BT708680
Component: Global Traffic Manager (DNS)
Symptoms:
TMUI (the GUI) is unable to change the Alias Address of DNS/GTM Monitors.
Conditions:
-- Using the GUI.
-- DNS/GTM monitors with alias address.
-- Attempting to change the Alias Address.
Impact:
Cannot change the Alias Address.
Workaround:
Use tmsh.
708421-3 : DNS::question 'set' options are applied to packet, but not to already parsed dns_msg
Links to More Info: K52142743, BT708421
Component: Global Traffic Manager (DNS)
Symptoms:
For certain types of iRules, using the DNS command DNS::question for type AAAA, when the DNS transparent cache is involved in the filter, the type can be reverted.
Conditions:
-- DNS transparent cache.
-- Using an iRule similar to the following:
when DNS_REQUEST {
DNS::question type AAAA
}
Impact:
When the packet goes to the pool, the type is reverted.
Workaround:
Enable gslb or dnsx on the profile.
707643-2 : ASM Single page application causes JavaScript error when cross domain request is sent
Links to More Info: BT707643
Component: Application Security Manager
Symptoms:
A JavaScript error is reported in the browser developer console: 'Refused to get unsafe header X-Security-Action', 'Refused to get unsafe header X-Security-Token'.
Conditions:
-- ASM provisioned.
-- Bot defense/DoS Application/ASM policy attached to a virtual server.
-- Single page application enabled.
Impact:
Cross domain requests might not be handled properly.
Workaround:
Disable single page application using one of the following workarounds:
-- Go to the bot defense profile in the GUI and disable single page application.
-- Run the following tmsh command:
tmsh modify security bot-defense profile all { single-page-application disabled }
-- Go to DoS application profile in the GUI and disable single page application.
-- Run the following tmsh command:
tmsh modify security dos profile all { application modify { all { single-page-application disabled } } }
-- To disable single page application for an ASM policy, run the following shell command:
/usr/share/ts/bin/add_del_internal del single_page_application
707294-2 : When BIG-IP as OAuth AS has missing OAuth Profile in the Access profile, the error log is not clear
Links to More Info: BT707294
Component: Access Policy Manager
Symptoms:
When the BIG-IP system configured as OAuth AS has a missing OAuth Profile in the Access profile, the error log is not clear. It shows an error indicating 'OAuth mode is not set' instead of showing 'OAuth Profile is not configured'. In this case, the error 'OAuth mode is not set' means that the OAuth Profile is not associated in the Access profile of the virtual server acting as BIG-IP OAuth Authentication server.
Conditions:
-- The BIG-IP system is configured as OAuth AS.
-- The Access profile is not configured with OAuth profile.
Impact:
Confusing error message that leads to delay in troubleshooting the OAuth configuration.
Workaround:
Configure an OAuth Profile in the Access profile of the virtual server acting as BIG-IP OAuth AS.
705869-4 : TMM crashes as a result of repeated loads of the GEOIP database
Links to More Info: BT705869
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes.
Conditions:
Repeatedly loading the GeoIP database in rapid succession.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not repeatedly load the GeoIP database.
703678-2 : Cannot add 'secure' attributes to several ASM cookies
Links to More Info: BT703678
Component: Application Security Manager
Symptoms:
There is an option to add the 'secure' attribute to ASM cookies.
There are some specific cookies to which this option does not apply.
Conditions:
-- ASM policy is attached to the virtual server.
-- Internal parameter 'cookie_secure_attr' flag is enabled, along with either of the following:
+ Using HTTPS traffic.
+ The 'assume https' internal parameter is also enabled.
-- Along with one of the following:
+ The 'Web Scraping' feature is enabled.
+ The 'Bot Detection' feature is enabled.
+ The 'brute force' feature is enabled using CAPTCHA.
Impact:
Some cookies do not have the 'secure' attributes.
Workaround:
None.
703226-1 : Failure when using transactions to create and publish policies
Links to More Info: BT703226
Component: TMOS
Symptoms:
Use batch mode transactions to create Virtual Servers with Policies containing rules.
Conditions:
Create and publish in the same transaction a Policy containing rules.
Impact:
Operation fails.
This occurs because the system is trying to look up a policy that does not exist because the 'create' operation is not yet complete. This might happen when the create and publish operations occur simultaneously, which might happen in response to scripts from iApps, batch mode creation of policies, UCS load, upgrade operation--all try to create domain trust, and all might include the policy create in the same operation.
Workaround:
Separate the create Policy and publish Policy operations into two transactions when the Policy contains rules.
703090-5 : With many iApps configured, scriptd may fail to start
Links to More Info: BT703090
Component: TMOS
Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:
"script has exceeded its time to live, terminating the script"
Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.
Impact:
The error message will show up, and some instances of the script will not run.
Workaround:
Restarting scriptd will resolve the issue.
701341-4 : If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts
Links to More Info: K52941103, BT701341
Component: TMOS
Symptoms:
If an issue causes /config/BigDB.dat to be empty or its contents become corrupted, mcpd fails to start up.
System commands report errors about being unable to read DB keys. 'bigstart' outputs errors:
--dbval: Unable to find variable: [security.commoncriteria]
Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.
Impact:
The system fails to start up, and mcpd continually restarts. The BIG-IP system fails to process traffic while the mcpd process is restarting.
Workaround:
To work around this issue, you can remove the empty or corrupted BigDB.dat file. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to bash.
2. To remove the zero-byte or corrupted BigDB.dat file, type the following command:
rm /config/BigDB.dat
700639-4 : The default value for the syncookie threshold is not set to the correct value
Links to More Info: BT700639
Component: Local Traffic Manager
Symptoms:
The default value for connection.syncookies.threshold should be set to 64000. Instead, this value defaults to 16384.
Conditions:
This issue may be encountered when a virtual server uses syncookies.
Impact:
The connection.syncookies.threshold value will be lower than intended, possibly resulting in lower performance.
Workaround:
Use tmsh to manually set the threshold value:
# tmsh modify sys db connection.syncookies.threshold value 64000
698933-6 : Setting metric-type via ospf redistribute command may not work correctly
Links to More Info: BT698933
Component: TMOS
Symptoms:
When using a dynamic routing configuration where an OSPF process redistributes routes from another OSPF process and sets a metric-type, the metric type is not changed.
Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>"
Impact:
Metric type is not changed.
Workaround:
Change metric-type using a route-map applied to the redistribute command.
698931-1 : Corrupted SessionDB messages causes TMM to crash
Links to More Info: BT698931
Component: TMOS
Symptoms:
TMM segfaults and restarts.
Conditions:
This was reported once during normal tmm operation.
Impact:
Traffic disrupted while tmm restarts.
697329-1 : Warning message: get_db failed for is_provisioned wam - returning not-provisioned.
Links to More Info: BT697329
Component: TMOS
Symptoms:
A warning message is logged in the ltm log:
warning bigstart: get_db failed for is_provisioned wam - returning not-provisioned.
Conditions:
This occurs any time the BIG-IP system is started or services are restarted.
Impact:
This has no impact and is cosmetic. You can safely ignore these messages.
Workaround:
None
696363-2 : Unable to create SNMP trap in the GUI
Links to More Info: BT696363
Component: TMOS
Symptoms:
Trying to create an SNMP trap in the GUI may fail with the following error message: An error has occurred while trying to process your request.
Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.
Impact:
GUI parameter checking does not work as expected. The BIG-IP administrator is unable to create an SNMP trap session.
Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.
Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.
694765-2 : Changing the system's admin user causes vCMP host guest health info to be unavailable
Links to More Info: BT694765
Component: TMOS
Symptoms:
On the host, 'tmsh show vcmp health' does not display guest info.
The iControl REST log at /var/log/icrd contains entries similar to the following:
notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
Conditions:
Change the default admin user.
Note: You change the default admin user by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://support.f5.com/csp/article/K15632.
Impact:
Many REST APIs do not function, and functionality that depends on REST, such as vCMP guest health, fails.
Workaround:
Rename the default system admin to 'admin'.
Note: If you are using the default 'admin' account, make sure you change the password as well.
694595-1 : Some process names may have last character truncated when viewing in iHealth
Links to More Info: BT694595
Component: TMOS
Symptoms:
qkview reads the contents of the /proc directory to obtain details about running processes on a BIG-IP system. Occasionally, it will drop the last character of the process name. This is observable when displaying process information on the iHealth service after uploading a qkview.
Conditions:
Always
Impact:
Minimal
Workaround:
Don't assume that every process name is complete.
691219-1 : Hardware syncookie mode is used when global auto last hop is disabled.
Links to More Info: BT691219
Component: TMOS
Symptoms:
When global auto last hop is disabled, for iSeries platforms (excluding i2xxx/i4xxx) and B4450 blades, hardware syncookie mode is used on SYN attack.
Conditions:
Global auto last hop is disabled. This setting is controlled by the following DB variable:
# tmsh list sys db connection.autolasthop
sys db connection.autolasthop {
    value "enable"
}
The default setting is enable.
Impact:
The virtual server can enter hardware syncookie mode, at which point responses will be routed using the incoming packet route. This can break configurations that are using asymmetric routing.
Workaround:
Disable hardware syncookies using the following DB variable:
# tmsh list sys db pvasyncookies.enabled
sys db pvasyncookies.enabled {
    value "true"
}
The default setting is true.
690928-1 : System posts error message: 01010054:3: tmrouted connection closed
Links to More Info: BT690928
Component: TMOS
Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.
System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed
Conditions:
This message occurs when all of the following conditions are met:
-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.
Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.
Workaround:
None.
689147-2 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
Links to More Info: BT689147
Component: TMOS
Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.
Errors similar to the following appear in /var/log/ltm:
-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition
Errors similar to the following appear in /var/log/secure:
tac_authen_pap_read: invalid reply content, incorrect key?
Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.
Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.
Workaround:
Check /var/log/ltm for more specific error messages.
688627-2 : OPT-0043 40G optical transceiver cannot be unbundled into 4x10G
Links to More Info: BT688627
Component: TMOS
Symptoms:
OPT-0043 is a Bi-Directional optical transceiver made up of 2 20G channels. It must not be allowed to unbundle into 4x10G channels.
Conditions:
OPT-0043 transceiver inserted into a 40G interface
Impact:
Unbundling of OPT-0043 will be rejected. The OPT-0043 can only be used as a 40G interface, not as 4x10G.
tmsh error when bundling requested:
The requested bundle state of disabled for interface X.0 is invalid. Unbundling not allowed for this optic.
When OPT-0043 is inserted into interface X that is already configured as unbundled into 4x10G, the interface will display as "disable". The following messages will be in /var/log/ltm:
err bcm56xxd[21440]: 012c0010:3: Unbundled interfaces found. Bundle state 'disabled' for optic OPT-0043 is invalid.
err bcm56xxd[21440]: 012c0024:3: Invalid Bundle Config for optic OPT-0043
err bcm56xxd[21440]: 012c0010:3: Unsupported module in use on interface X.1
info bcm56xxd[21440]: 012c0015:6: Link: X.1 is DISABLED
err bcm56xxd[21440]: 012c0010:3: Unsupported module in use on interface X.2
info bcm56xxd[21440]: 012c0015:6: Link: X.2 is DISABLED
err bcm56xxd[21440]: 012c0010:3: Unsupported module in use on interface X.3
info bcm56xxd[21440]: 012c0015:6: Link: X.3 is DISABLED
err bcm56xxd[21440]: 012c0010:3: Unsupported module in use on interface X.4
info bcm56xxd[21440]: 012c0015:6: Link: X.4 is DISABLED
Workaround:
Do not unbundle OPT-0043 - that is an unsupported configuration.
688397-1 : Reset causes for HTTP/2 streams are not recorded
Links to More Info: BT688397
Component: Local Traffic Manager
Symptoms:
The reset causes for HTTP/2 streams are not recorded in statistics.
Conditions:
An HTTP/2 stream is reset for some reason.
Impact:
It may be difficult to debug HTTP/2 issues.
Workaround:
None.
688231-4 : Unable to set VET, AZOT, and AZOST timezones
Links to More Info: BT688231
Component: TMOS
Symptoms:
Unable to set VET, AZOT, and AZOST timezones
Conditions:
This occurs under normal operation.
Impact:
Cannot set these timezones.
Workaround:
Use the following zones with the same offset:
The AZOT timezone is the same offset as
N – November Time Zone.
The AZOST timezone is the same offset as
Z – Zulu Time Zone,
GMT – Greenwich Mean Time,
WET – Western European Time.
The VET timezone is the same offset as
AST – Atlantic Standard Time,
CDT – Cuba Daylight Time,
CLT – Chile Standard Time,
EDT – Eastern Daylight Time,
FKT – Falkland Island Time,
Q – Quebec Time Zone.
686395-2 : With DTLS version1, when client hello uses version1.2, handshake shall proceed
Links to More Info: BT686395
Component: Local Traffic Manager
Symptoms:
With DTLS version1, when client hello uses version1.2, handshake fails with an error of "unsupported version".
Conditions:
DTLS version1 handshake:
Handshake version 1.0 (0xfeff)
Client hello version 1.2 (0xfefd)
Impact:
DTLS functionality is affected.
Workaround:
N/A
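The version pair listed in the Conditions above, shown at the byte level as an added example (not F5 code). It assumes "Handshake version" means the DTLS record-layer version field and "Client hello version" means the client_version field inside the ClientHello; the datagram is constructed and all function names are hypothetical.

```python
import struct

# DTLS encodes versions as the one's complement of the version number
# (RFC 6347), so a numerically smaller wire value is a newer version.
DTLS_1_0 = 0xFEFF
DTLS_1_2 = 0xFEFD
NAMES = {DTLS_1_0: "DTLS 1.0", DTLS_1_2: "DTLS 1.2"}

# Record header: type(1) version(2) epoch(2) sequence_number(6) length(2)
RECORD_HDR = struct.Struct("!BHH6sH")
# Handshake header: msg_type(1) length(3) message_seq(2) frag_off(3) frag_len(3)
HANDSHAKE_HDR_LEN = 12
CT_HANDSHAKE = 22
HT_CLIENT_HELLO = 1


def build_sample_client_hello(record_version, hello_version):
    """Constructed first-flight ClientHello (zeroed random, empty cookie)."""
    body = struct.pack("!H", hello_version) + bytes(32)  # client_version, random
    body += b"\x00"              # session_id length 0
    body += b"\x00"              # cookie length 0
    body += b"\x00\x02\x00\x2f"  # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"          # null compression only
    n = len(body).to_bytes(3, "big")
    handshake = (bytes([HT_CLIENT_HELLO]) + n + b"\x00\x00"
                 + b"\x00\x00\x00" + n + body)
    header = RECORD_HDR.pack(CT_HANDSHAKE, record_version, 0, bytes(6),
                             len(handshake))
    return header + handshake


def parse_client_hello(datagram):
    """Return the record-layer and ClientHello versions from one datagram."""
    if len(datagram) < RECORD_HDR.size:
        raise ValueError("datagram shorter than a DTLS record header")
    ctype, rec_ver, epoch, _seq, length = RECORD_HDR.unpack_from(datagram)
    if ctype != CT_HANDSHAKE:
        raise ValueError("not a handshake record")
    frag = datagram[RECORD_HDR.size:RECORD_HDR.size + length]
    if len(frag) != length or length < HANDSHAKE_HDR_LEN + 2:
        raise ValueError("truncated handshake record")
    if frag[0] != HT_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    if int.from_bytes(frag[6:9], "big") != 0:
        raise ValueError("not the first fragment; client_version not present")
    hello_ver = int.from_bytes(frag[12:14], "big")
    return {"epoch": epoch, "record_version": rec_ver,
            "hello_version": hello_ver}


def classify(datagram):
    """Label the version pair; 'id-686395-pattern' is the pair in the Conditions."""
    info = parse_client_hello(datagram)
    rec, hello = info["record_version"], info["hello_version"]
    if rec == DTLS_1_0 and hello == DTLS_1_2:
        return "id-686395-pattern"
    if rec == hello:
        return "versions-match"
    # Inverted ordering: a smaller wire value is the newer version.
    return "hello-newer" if hello < rec else "hello-older"


def describe(datagram):
    """Human-readable form of the two version fields."""
    info = parse_client_hello(datagram)
    return "record={} hello={}".format(
        NAMES.get(info["record_version"], hex(info["record_version"])),
        NAMES.get(info["hello_version"], hex(info["hello_version"])))


if __name__ == "__main__":
    sample = build_sample_client_hello(DTLS_1_0, DTLS_1_2)
    print(describe(sample), "->", classify(sample))
```

Running the same parser over the first client datagram of a captured handshake shows whether a failing client sends the version pair described in this issue.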
683534-4 : 'tmsh show sys connection' command prompt displaying 4 billion connections is misleading
Links to More Info: BT683534
Component: Local Traffic Manager
Symptoms:
The 'tmsh show sys connection' command may present a prompt asking you to confirm you want to display ~4 billion (4,294,967,295) connections:
# show sys connection max-result-limit infinite
Really display 4294967295 connections? (y/n)
Conditions:
-- The 'tmsh show sys connection' command is executed with max-result-limit option set to infinite.
Impact:
The value shown in the prompt (4294967295) is misleading, and does not reflect the actual number of connections being handled by the system. The 4294967295 number represents the maximum value the field can hold, not the number of actual connections.
Workaround:
None
680855-3 : Safari 11 sometimes start more than one session
Links to More Info: BT680855
Component: Access Policy Manager
Symptoms:
In Safari 11, after a session finishes and is restarted through "Click here to establish a new session", more than one session appears. This looks like a bug in the Safari 11 beta and official release.
Conditions:
Safari 11 beta and official release
Policy with webtop
Several passes from start to finish
Impact:
At a certain point, the browser reaches the maximum sessions per IP and hangs on the webtop.
Workaround:
Don't use Safari 11 for now.
679431-4 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header
Links to More Info: BT679431
Component: TMOS
Symptoms:
In the BIG-IP Advanced Routing module, the 'sh ipv6 interface <interface> brief' command does not show the header.
Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.
Impact:
The header is not shown.
Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief
679316-7 : iQuery connections reset during SSL renegotiation
Links to More Info: BT679316
Component: Global Traffic Manager (DNS)
Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.
Note: iQuery connections automatically perform SSL renegotiation every 24 hours.
Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.
Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs. 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).
This issue occurs even in versions where ID 477240 is fixed. There is no fix for this specific trigger of the same message.
Note: The iQuery communication issue is fixed through Bug ID 760471: GTM iQuery connections may be reset during SSL key renegotiation :: https://cdn.f5.com/product/bugtracker/ID760471.html.
Workaround:
There is no workaround at this time, but the problem is fixed via changes made in ID760471.
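A log triage sketch for the two similar iQuery errors discussed above, added here as an example (not F5 tooling). The message text follows the line quoted in the Symptoms; the syslog prefix, host name, timestamps, the year, the 5-minute tolerance and the 140940E5 sample line are assumptions, and all function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed /var/log/gtm excerpt (see assumptions in the lead-in).
SAMPLE_GTM_LOG = """\
Mar 10 02:14:07 bigip1 err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Mar 11 02:14:09 bigip1 err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Mar 11 17:45:30 bigip1 err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Mar 12 02:14:08 bigip1 err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Mar 12 11:02:41 bigip1 err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ err gtmd\[\d+\]: "
    r"011ae0fa:3: iqmgmt_receive: SSL error: error:(?P<code>[0-9A-Fa-f]{8}):")

# Error code to bug ID, as stated in the notes for this issue.
BUG_FOR_CODE = {
    "140940F5": "ID 679316 (fixed through ID 760471)",
    "140940E5": "ID 477240 (K16185)",
}


def parse_events(log_text, year=2000):
    """Return sorted (timestamp, error_code) pairs for iqmgmt_receive SSL errors.

    Syslog lines carry no year, so an assumed one is supplied.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("{} {}".format(year, m.group("ts")),
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("code").upper()))
    return sorted(events)


def triage(log_text, interval=timedelta(hours=24),
           tolerance=timedelta(minutes=5)):
    """Count errors per code and check 140940F5 spacing against the
    24-hour iQuery renegotiation interval."""
    events = parse_events(log_text)
    counts = {}
    for _, code in events:
        counts[code] = counts.get(code, 0) + 1
    f5_times = [ts for ts, code in events if code == "140940F5"]
    gaps = [b - a for a, b in zip(f5_times, f5_times[1:])]
    on_cycle = sum(1 for g in gaps if abs(g - interval) <= tolerance)
    return {
        "counts": counts,
        "bugs": {c: BUG_FOR_CODE.get(c, "not covered by this note")
                 for c in counts},
        "f5_gaps": len(gaps),
        "f5_gaps_on_cycle": on_cycle,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_GTM_LOG).items():
        print(key, value)
```

Gaps that match the 24-hour interval are consistent with the renegotiation trigger described in the Conditions; the code-to-bug mapping tells you which of the two issues a given line belongs to.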
675772-1 : IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy
Links to More Info: BT675772
Component: TMOS
Symptoms:
When IPsec tunnels to several different peers are configured using a single ipsec-policy in interface mode, the tunnels will be unreliable or may not start.
Conditions:
Several traffic-selectors that are associated with different tunnels reference the same interface mode IPsec policy.
Note: It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.
Impact:
IPsec tunnels may start but fail after a period of time. In other cases, IPsec tunnels may not start at all.
Workaround:
(1) Create a unique ipsec-policy configuration object for each remote peer and traffic-selector.
(2) Use tunnel mode. It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.
674026-3 : iSeries AOM web UI update fails to complete.★
Links to More Info: BT674026
Component: TMOS
Symptoms:
Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail.
Conditions:
This occurs when upgrading a BIG-IP system's software version on iSeries platforms.
Impact:
After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following:
err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2
Workaround:
At the bash prompt run:
/etc/lcdui/bmcuiupdate
This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting.
673952-4 : 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot
Links to More Info: BT673952
Component: TMOS
Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:
notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all
Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.
Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of a device-group, then this will result in a commit id update and the units will show 'Changes pending'.
Workaround:
None.
673573-3 : tmsh logs boost assertion when running child process and reaches idle-timeout
Links to More Info: BT673573
Component: TMOS
Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.
The errors in /var/log/ltm begin with the following text:
'boost assertion failed'
Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.
Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.
Workaround:
None.
671372-5 : When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
Links to More Info: K01930721, BT671372
Component: TMOS
Symptoms:
When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
Conditions:
-- Creating a pool.
-- Modifying all of its members in a single tmsh transaction.
Impact:
The pool will be created but the members will not be modified.
Workaround:
Create the pool in one transaction, then modify its members in another transaction.
670994-5 : There is no validation for IP address on the ip-address-list for static subscriber
Links to More Info: BT670994
Component: Policy Enforcement Manager
Symptoms:
You can add an IP address with a subnet mask for a static subscriber, and the system creates the subscriber by discarding the subnet mask without any error message.
Conditions:
This occurs when you add an IP address with a subnet mask to the IP address list for a static subscriber.
Impact:
An invalid IP address is added without warning or error.
669046-4 : Handling large replies to MCP audit_request messages
Links to More Info: BT669046
Component: TMOS
Symptoms:
When receiving very large replies to MCP messages (e.g., when viewing audit logs from the GUI), MCP can run out of memory and produce a core file. This is due in part to the amount of data returned, and also due in part to memory handling.
In a production environment, fragmentation naturally occurs over the lifetime of MCP, thus increasing the odds of this happening. In addition, larger configurations cause more space to be consumed in MCPD and might more easily lead to the fragmentation, resulting in this issue.
Conditions:
Receiving very large replies to MCP messages (e.g., from audit_request messages, which occurs when you view audit logs from the GUI).
Memory usage is already high.
Impact:
Allocation of memory for viewing the audit logs fails. MCP can run out of memory and produce a core file.
Workaround:
Use tmsh/bash to view the audit logs instead of the GUI when audit logs are extremely large and memory usage is already high.
668459-3 : Asymmetric transparent nexthop traffic only updates ingress interface
Links to More Info: BT668459
Component: Local Traffic Manager
Symptoms:
When transparent nexthop traffic from server to client uses a different VLAN group than client-to-server traffic, the server-to-client traffic is sent out the VLAN group that handles the client-to-server traffic. The destination MAC address on the server-to-client traffic is preserved even though the VLAN group is not.
Conditions:
-- Transparent nexthop virtual server configured.
-- VLAN-keyed connections disabled.
-- Asymmetric traffic between two VLAN groups.
Impact:
Return traffic may be transmitted on a VLAN group with a destination MAC that does not match any host on that group.
Workaround:
None.
666845-2 : Rewrite plugin can accumulate memory used for patching very large files
Links to More Info: K08684622, BT666845
Component: Access Policy Manager
Symptoms:
Rewrite plugin memory usage is significantly higher than normal (up to 200 MB RSS) and does not decrease.
Conditions:
This happens because the plugin caches and reuses already allocated chunks of memory instead of releasing them to the operating system.
Impact:
Out-of-memory crashes on systems with low amounts of memory.
Workaround:
Use one or both of the following workarounds:
-- Restart rewrite when memory usage is too high.
-- Disable patching for large (15-20 MB uncompressed) files.
665117-7 : DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
Links to More Info: K33318158, BT665117
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Server status flapping from red-green-red.
Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.
Impact:
Server status flaps from red to green and back.
Workaround:
Check Transparent for these monitors.
663946-6 : The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
Links to More Info: BT663946
Component: Advanced Firewall Manager
Symptoms:
On a vCMP platform with host and guest using different BIG-IP versions, when DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.
Conditions:
-- vCMP platform with host and guest using different BIG-IP versions.
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).
Impact:
May result in lower than expected DNS load test results.
Workaround:
You can use any of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.
-- Disable hardware offload with sys db Dos.VcmpHWdos.
Note: For AFM HW DoS protection, the host and vCMP guest must be the same version. Disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.
663925-3 : Virtual server state not updated with pool- or node-based connection limiting
Links to More Info: BT663925
Component: Local Traffic Manager
Symptoms:
Rate- or connection-limited pool members and nodes do not immediately affect virtual server status.
Conditions:
The connection count reaches the configured connection limit.
Impact:
Virtual server is automatically disabled when connection limit is reached and returns from the unavailable state after connections decrease.
The actual connection limiting occurs at the tmm level (you can see connection rejections in the logs after the maximum limit is reached). The system is just not logging status in mcp because update_status is not being called automatically.
Workaround:
None.
663754-3 : Modifying the default management port can break internal functionality
Links to More Info: BT663754
Component: Device Management
Symptoms:
Modifying the default management port for httpd from 443 (ssl-port) to anything else via tmsh breaks the following functionality:
1. Gossip Framework : REST high availability (HA) sync framework will not work.
2. Licensing via BIG-IQ
3. selfLinks will be wrong
Conditions:
Changing the default management port of BIG-IP for httpd from 443 to anything else.
Impact:
BIG-IP will be unable to provide the following functionality:
1. Gossip Framework : REST high availability (HA) sync framework will not work.
2. Licensing via BIG-IQ
3. selfLinks will be wrong
4. iAppLx, SSL Orchestrator, Access Guided Configuration, and AS3 will be affected, as these modules depend on Gossip.
Workaround:
NA
662301-4 : 'Unlicensed objects' error message appears despite there being no unlicensed config
Links to More Info: BT662301
Component: TMOS
Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.
Conditions:
The BIG-IP system is licensed and the configuration loaded.
Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.
Workaround:
On an appliance, restart mcpd by running the following command:
bigstart restart mcpd
On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:
clsh bigstart restart mcpd
Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.
660759-1 : Cookie hash persistence sends alerts to application server.
Links to More Info: BT660759
Component: Fraud Protection Services
Symptoms:
When Persistence cookie insert is enabled with a non-default cookie name, the cookie might be overwritten after an alert is handled.
Conditions:
-- The virtual server has a persistence profile.
-- Profile relies on cookie hash persistence.
-- Non-default Cookie name used for cookie persistence.
(Default cookie naming strategy appends Pool Name, which results in two cookies set with different names and different values, leaving the application pool persistence cookie unmodified.)
Impact:
Sends alerts to application server. Traffic might be sent to wrong pool member.
Workaround:
Use an iRule similar to the following to remove persistence cookie in case of alerts:
ltm rule /Common/cookie_persist_exclude_alerts {
    when HTTP_REQUEST {
        # Enable the usual persistence cookie profile.
        if { [HTTP::path] eq "/<alert-path>/" } {
            persist none
        }
    }
}
659579-3 : Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time
Links to More Info: BT659579
Component: TMOS
Symptoms:
Logs on icrd, restnoded, and restjavad are in the UTC time zone and are not aligned to the system time, which makes it difficult to determine the time during troubleshooting operations.
Conditions:
Checking the icrd, restnoded, and restjavad logs timestamps.
Impact:
Difficult to troubleshoot as the logs are not aligned with system time.
Workaround:
None
658850-2 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
Links to More Info: BT658850
Component: TMOS
Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.
If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.
Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate
Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.
Workaround:
There are a few ways to avoid this issue:
1. Specify the "keep-current-management-ip" parameter to the "load sys ucs" command, for instance:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate keep-current-management-ip
Note: The "keep-current-management-ip" parameter is undocumented and will not appear in context help or tab completion.
2. If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>
657834-5 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
Links to More Info: K45005512, BT657834
Component: TMOS
Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.
Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.
Note: The greater the number of routes flapping, the more likely to see the condition.
Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.
However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.
Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.
646768-2 : VCMP Guest CM device name not set to hostname when deployed
Links to More Info: K71255118, BT646768
Component: TMOS
Symptoms:
When you access the vCMP guest instance after you deploy the system, the instance uses the hostname bigip1.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is running v11.6.0 or earlier.
-- You configure a vCMP guest instance that is running BIG-IP v11.6.0 or later.
-- You have configured the vCMP guest instance with a hostname other than bigip1.
-- You deploy the vCMP guest instance.
Impact:
The vCMP guest does not use the configured hostname.
Workaround:
-- In tmsh, run the following commands, in sequence:
mv cm device bigip1 HOSTNAME
save sys config
-- Rename the device name in the GUI.
640374-1 : DHCP statistics are incorrect
Links to More Info: BT640374
Component: Local Traffic Manager
Symptoms:
DHCP statistics are incorrect if the DHCP server is down while a new virtual server is created. When the DHCP server comes back up, the current pending transactions are incorrect.
Conditions:
-- DHCP relay configured.
-- DHCP server is down while the virtual server is created.
Impact:
The 'current pending transactions' for the DHCP server is incorrect if the DHCP server is down while a new virtual server is created.
Workaround:
None.
632553-4 : DHCP: OFFER packets from server are intermittently dropped
Links to More Info: K14947100, BT632553
Component: Local Traffic Manager
Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP.
Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.
Impact:
Client machines joining the network do not receive DHCP OFFER messages.
Workaround:
Force deletion of the server-side flow. For example, if DHCP server 10.0.66.222 is broken, issue the following tmsh command:
tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67
631083-4 : Some files in home directory are overwritten on password change
Links to More Info: BT631083
Component: TMOS
Symptoms:
The files
.bash_logout
.bash_profile
.bashrc
in a user's home directory are overwritten when that user's password is changed.
Conditions:
Change a user's password.
Impact:
Customizations to these files would be lost on password change. This only applies to users with advanced shell access.
Workaround:
Back up the files to a different location before making a password change.
627760-6 : Gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
Links to More Info: BT627760
Component: TMOS
Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.
Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.
Impact:
No DNSSEC key of that name is present on FIPS card.
Workaround:
None.
625807-1 : Tmm cores in bigproto_cookie_buffer_to_server
Links to More Info: BT625807
Component: Local Traffic Manager
Symptoms:
TMM cores on SIGSEGV during normal operation.
Although the exact triggering conditions are unknown, the issue might occur when a connection is aborted in a client-side iRule. The following log signature may indicate its occurrence:
tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>.
Conditions:
Specific conditions that trigger this issue are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
606032-5 : Network Failover-based high availability (HA) in AWS may fail
Links to More Info: BT606032
Component: TMOS
Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.
Conditions:
Attempting to set up high availability (HA) in Amazon Web Services (AWS) with only 1 network interface.
Impact:
Configuration of high availability (HA) in AWS cannot be completed.
Workaround:
The current workaround is to configure high availability (HA) in AWS with at least 2 network interfaces.
603693-3 : Brace matching in switch statement of iRules can fail if literal strings use braces
Links to More Info: K52239932, BT603693
Component: TMOS
Symptoms:
In the TMUI on any iRule editing page, brace matching within a switch statement can fail if a literal string is surrounded with braces.
Conditions:
Use a literal string surrounded with curly braces for a case/pattern within a switch statement.
Impact:
Incorrect brace matching.
Workaround:
Instead of surrounding the literal string with braces, use double quotes.
603124-2 : Minimum allowed refresh interval is 10 minutes
Links to More Info: BT603124
Component: Advanced Firewall Manager
Symptoms:
The minimum refresh interval for firewall FQDN is 10 minutes; however, FQDN-to-IP mappings may change more frequently.
This can cause a mismatch between the actual FQDN-to-IP mappings and the mappings in AFM/Firewall.
Conditions:
-- Firewall rules have been configured with FQDNs as one of the match dimensions (source or destination, or both).
-- AFM DNS resolver refresh interval set to smallest possible allowed value of 10 minutes.
-- FQDN-to-IP mappings change more frequently than 10 minutes.
Impact:
Mismatch between the actual FQDN-to-IP mappings and the mappings AFM/Firewall has learnt/cached.
Workaround:
None.
598707-6 : Path MTU does not work in self-IP flows
Links to More Info: BT598707
Component: Local Traffic Manager
Symptoms:
While performing an Update Check, the network connection fails. Path MTU is not working in self-IP initiated flows.
Conditions:
Network flows initiated by the Self IP address (in this case it was encountered while running Update Check).
Impact:
If the downstream router sends ICMP Path MTU messages back to the Self IP, the messages will be ignored and MTU will not be adjusted.
597955-2 : APM can generate seemingly spurious error log messages
Links to More Info: BT597955
Component: Access Policy Manager
Symptoms:
Internally detected issues can trigger a series of error log messages. The logs look alarming, but can be considered diagnostic in the case there is an actual behavioral issue that needs to be analyzed.
The system reports the following messages in /var/log/apm:
-- err tmm1[11197]: 01490514:3: 00000000: Access encountered error: ERR_VAL. File: ../modules/hudfilter/access/access.c, Function: access_slowpath_security_check, Line: 6648
-- err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_sanitize_uri, Line: 16406
-- err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type, Line: 11219
-- err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_classify_req, Line: 3308
-- err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 2311
Conditions:
An internal software API call triggers an unexpected result.
Impact:
Logs might give the appearance of many issues, even if there are no behavioral anomalies.
Workaround:
None.
591305-3 : Audit log messages with "user unknown" appear on install
Links to More Info: BT591305
Component: TMOS
Symptoms:
Multiple log entries appear in /var/log/audit, similar to the following:
May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]
Conditions:
This happens on initial install; it is not yet known what triggers it.
Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.
587821-8 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
Links to More Info: BT587821
Component: TMOS
Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.
In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.
Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.
Impact:
vCMP guests that have been running since before the MCPD daemon restarted may be unable to communicate with VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.
Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.
Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.
574762-1 : Forwarding flows leak when a routing update changes the egress vlan
Component: Local Traffic Manager
Symptoms:
Forwarding flow doesn’t expire and leaks a connflow object.
Conditions:
Conditions to hit this are a route change on forwarded flows.
Impact:
Memory leak.
Workaround:
None
567503-6 : ACCESS:session remove can result in confusing ERR_NOT_FOUND logs
Links to More Info: K03293396, BT567503
Component: Access Policy Manager
Symptoms:
When using the iRule command ACCESS::session remove, ERR_NOT_FOUND messages may appear in /var/log/apm. These are not real errors. ACCESS is trying to insert a session variable, but it is not able to find the session because the iRule already deleted the session.
The logs in /var/log/apm look something like this:
err tmm1[15932]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_save_init_req_to_sessiondb, Line: 14823.
Conditions:
An iRule uses the command ACCESS::session remove, and the end-user does a POST.
Impact:
No functional impact: the iRule correctly deletes the session, and BIG-IP does not send a reset. But the log messages can be alarming or confusing.
Workaround:
None.
566995-1 : bgpd might crash in rare circumstances.
Links to More Info: BT566995
Component: TMOS
Symptoms:
Under unspecified conditions and in rare cases, bgpd might crash. Although bgpd restarts right away, the routing table might be impacted.
Conditions:
The conditions under which this occurs are not known.
Impact:
This might impact routing table and reachability.
Workaround:
None known.
566235-3 : Profile License May Be Missing After Failover or Blade Configuration Change In Chassis HA
Links to More Info: BT566235
Component: Access Policy Manager
Symptoms:
Some or all profile licenses may be missing after failover or, in a chassis high availability (HA) setup, if some blades in the standby chassis are removed, followed by failover. As a result, sessions cannot be established and the following error message will show up in the APM log.
-- err tmm8[16609]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_get_license, Line: 7135.
-- err tmm8[16609]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 2487.
Conditions:
This failure may happen in an HA setup when:
1. Failover happens, or
2. Changing multi-blade chassis HA blade configuration as follows:
2.1. Set mirroring to 'between'.
2.2. Leave the primary blade up and shut down the secondary blades in the standby chassis.
2.3. Change 'minimum numbers of blades up' to 1.
2.4. Force failover. The 1-blade chassis becomes active.
Impact:
Session will be terminated due to ERR_NOT_FOUND error when acquiring profile license.
Workaround:
For failover case:
-- Disassociate and then re-associate the APM profile with the virtual server after failover.
For blade configuration change, there are two options:
1. After failover, disassociate and then re-associate the APM profile with the virtual server after the 1-blade chassis becomes active.
2.
2.1. Change mirroring to 'within'.
2.2. Shut down the secondary blades one by one, waiting a few minutes in between each shutdown (waiting is important because SessionDB needs some time to create backup copies).
2.3. Force failover.
2.4. Change mirroring back to 'between'.
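The following triage sketch is an added example, not F5 code. It sorts the APM message 01490514 lines quoted under 597955, 567503 and 566235 by error code and function name, so that the license failure (566235) stands out from the log-only entries. The verdict labels, the SAMPLE lines (page log lines plus one constructed tmm2 line) and the rule that a hud_access_handler ERR_NOT_FOUND counts toward 566235 only after a license-lookup failure from the same tmm process are assumptions of this example.

```python
import re
from collections import Counter

# APM message 01490514 as quoted in the entries above. The trailing source
# line number is captured but never used for matching, because it differs
# between builds (compare hud_access_handler at 2311 and 2487 on this page).
APM_ERR = re.compile(
    r"(?P<proc>tmm\d*)\[(?P<pid>\d+)\]: 01490514:3: [0-9a-fA-F]{8}: "
    r"Access encountered error: (?P<err>ERR_[A-Z_]+)\. "
    r"File: [^,]+, Function: (?P<func>\w+), Line: (?P<line>\d+)"
)

LICENSE_FUNC = "access_process_state_client_get_license"

# (error, function) -> (issue ID, verdict). The pairs come from the log lines
# on this page; the verdict labels are this example's own shorthand.
KNOWN = {
    ("ERR_NOT_FOUND", "access_save_init_req_to_sessiondb"): ("567503", "cosmetic"),
    ("ERR_NOT_FOUND", LICENSE_FUNC): ("566235", "action"),
    ("ERR_VAL", "access_slowpath_security_check"): ("597955", "diagnostic"),
    ("ERR_ARG", "access_sanitize_uri"): ("597955", "diagnostic"),
    ("ERR_ARG", "access_check_uri_type"): ("597955", "diagnostic"),
    ("ERR_ARG", "access_process_state_client_classify_req"): ("597955", "diagnostic"),
    ("ERR_ARG", "hud_access_handler"): ("597955", "diagnostic"),
}


def triage(lines):
    """Return (Counter keyed by (issue, verdict), list of unexplained lines)."""
    counts = Counter()
    unmatched = []
    license_failed = set()  # (proc, pid) that just logged a license failure
    for raw in lines:
        m = APM_ERR.search(raw)
        if not m:
            continue  # not an 01490514 message at all
        key = (m["err"], m["func"])
        who = (m["proc"], m["pid"])
        if key in KNOWN:
            issue, verdict = KNOWN[key]
            if m["func"] == LICENSE_FUNC:
                license_failed.add(who)
        elif key == ("ERR_NOT_FOUND", "hud_access_handler") and who in license_failed:
            # Follow-on line of 566235: same tmm, right after the license error.
            issue, verdict = "566235", "action"
            license_failed.discard(who)
        else:
            # Same message ID but a signature this page does not describe.
            unmatched.append(raw.strip())
            continue
        counts[(issue, verdict)] += 1
    return counts, unmatched


def _line(proc, pid, err, func, line):
    """Build a log line in the format shown on this page."""
    return (
        f"err {proc}[{pid}]: 01490514:3: 00000000: Access encountered error: "
        f"{err}. File: ../modules/hudfilter/access/access.c, "
        f"Function: {func}, Line: {line}."
    )


# Sample input: the first five reproduce lines quoted on this page; the
# tmm2 line and the final notice line are constructed for the example.
SAMPLE = [
    _line("tmm1", 15932, "ERR_NOT_FOUND", "access_save_init_req_to_sessiondb", 14823),
    _line("tmm8", 16609, "ERR_NOT_FOUND", LICENSE_FUNC, 7135),
    _line("tmm8", 16609, "ERR_NOT_FOUND", "hud_access_handler", 2487),
    _line("tmm8", 18022, "ERR_ARG", "access_sanitize_uri", 16406),
    _line("tmm8", 18022, "ERR_ARG", "hud_access_handler", 2311),
    _line("tmm2", 20001, "ERR_NOT_FOUND", "hud_access_handler", 2487),
    "notice tmm1[15932]: constructed line that is not message 01490514",
]

if __name__ == "__main__":
    counts, unmatched = triage(SAMPLE)
    for (issue, verdict), n in sorted(counts.items()):
        print(f"{issue} [{verdict}]: {n} line(s)")
    for raw in unmatched:
        print("unexplained:", raw)
```

Lines reported as unexplained carry the same message ID but match none of the signatures listed on this page, so they are the ones to read by hand.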
562808-2 : TMM might core when renaming an existing pool containing pool members
Links to More Info: K08689048, BT562808
Component: Local Traffic Manager
Symptoms:
TMM might produce a core dump if a pool containing pool members is renamed.
Conditions:
- Pool with pool members.
- Move operation is enabled via sys db key.
- Pool is renamed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use move operation; fully delete and then recreate pools if renaming is needed.
554506-2 : PMTU discovery from management does not work
Links to More Info: K47835034, BT554506
Component: TMOS
Symptoms:
You encounter connectivity issues to management interface.
Conditions:
MTU on the intermediate route is less than the management interface's MTU and the response packets have the DF flag set.
Impact:
Connectivity issues to management interface.
Workaround:
None.
Note: Although there is no workaround for this module, you can disable auto last hop and configure a default gateway to avoid this issue.
For more information see K52592992: Overview of the Auto Last Hop feature on the management interface, available at
https://support.f5.com/csp/article/K52592992.
552444-4 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
Links to More Info: BT552444
Component: Access Policy Manager
Symptoms:
Dynamic drive mapping in network access may not work if mapping is configured to use a session variable, and the session variable is received from LDAP/AD.
Conditions:
Drive mapping is received from LDAP/AD and contains a double backslash in the path, e.g. "\\server\path".
Impact:
Dynamic drive mapping may not function.
Workaround:
For example, when using the session.ad.last.attr.homeDirectory attribute value for drive mapping, assign a variable and escape the extra backslashes added by APM:
homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]
550526-6 : Some time zones prevent configuring trust with a peer device using the GUI.
Links to More Info: K84370515, BT550526
Component: TMOS
Symptoms:
AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, and AWDT time zones prevent configuring trust with a peer device using the GUI.
Conditions:
-- Setting a BIG-IP system timezone to AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.
-- Using the GUI to add a peer device to a trust configuration.
Impact:
Adding a peer device using the GUI fails.
Workaround:
You can use either of the following workarounds (you might find the first one easier):
-- Temporarily set the device timezone to a non-affected timezone (e.g., UTC), establish trust, and set it back:
1. Navigate to System :: Platform.
2. Under 'Time Zone', select 'UTC', and click 'Update'.
3. Repeat steps one and two to change all devices that are to be part of the trust domain.
4. Establish device trust by navigating to Device Management :: Device Trust :: Add all peers to be part of the trust domain.
5. Once trust is established, navigate to System :: Platform, and change Time Zone back to preferred time zone.
-- Use tmsh to add a peer device in these timezones: AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.
547947-3 : Feeding empty username and password to the Logon Page followed by RadiusAuthAgent shows the session as Logged out
Links to More Info: BT547947
Component: Access Policy Manager
Symptoms:
Session logs out. No error messages or retry logon page.
---------------------------------------------
Your session is finished.
Logged out successfully.
Thank you for using BIG-IP.
To open a new session, please click here.
----------------------------------------------
Conditions:
Your environment has an access policy like the following:
Start -> Logon Page -> Radius Auth -> (success) -> Advanced resource assign (webtop) -> Allow
Start -> Logon Page -> Radius Auth -> (failure) -> Deny
If you connect to the virtual server with this access policy and provide an empty username and password, you are logged out of the session and asked to open a new session page.
Impact:
Without providing proper username and password, user is shown the error "Logged out successfully.", which is improper.
Workaround:
No mitigation observed.
547692-5 : Firewall-blocked KPASSWD service does not cause domain join operation to fail
Links to More Info: BT547692
Component: Access Policy Manager
Symptoms:
The KPASSWD service runs on tcp/464 and udp/464. If both of these ports are blocked, BIG-IP is not able to properly set the machine account password for the created machine account. However, there is also a bug on BIG-IP: it fails to report this failure back to the administrator.
Because the machine account itself is successfully created on the Active Directory side without the correct password, and BIG-IP fails to report the KPASSWD failure, the domain join operation seems to have worked perfectly.
However, since the password information is never set on the Active Directory side, the machine account is effectively unusable: BIG-IP is never able to establish a working SCHANNEL with the Active Directory server because of this password mismatch.
creation is LDAP (+ Kerberos GSS-API with SASL binding), the machine account itself is generated. Furthermore, because an administrator is not allowed to set the password for a machine account, this situation obscures the fact that KPASSWD was failing: the AD server never receives the request, so AD never logs any failure on this matter, while BIG-IP fails to detect the KPASSWD failure. From the administrator's point of view, the domain join appears to have worked perfectly.
Conditions:
Out of DNS, LDAP, KERBEROS, KPASSWD services which are required for domain join operation, only KPASSWD is blocked.
Impact:
The created machine account is effectively unusable due to the password mismatch, and BIG-IP is never able to establish a working SCHANNEL. As a result, the NTLM authentication feature does not work.
Workaround:
Allow KPASSWD to reach the Active Directory server.
547428-1 : Unexpected storage-format string causes asm restart
Links to More Info: BT547428
Component: Application Security Manager
Symptoms:
ASM restarts and bd generates a core.
Conditions:
Logging Format : Comma-Separated Values
Storage Format : User-Defined
The user-defined format string is like the one given in the Splunk documentation (https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup):
"f5_asm=Splunk-F5-ASM,attack_type=%attack_type%,blocking_exception_reason=%blocking_exception_reason%,client_type=%client_type%,credential_stuffing_lookup_result=%credential_stuffing_lookup_result%,date_time=%date_time%,dest_ip=%dest_ip%,dest_port=%dest_port%,device_id=%device_id%,enforced_by=%enforced_by%,enforcement_action=%enforcement_action%,epoch_time=%epoch_time%,geo_info=%geo_location%,headers=%headers%,http_class=%http_class_name%,ip_addr_intelli=%ip_address_intelligence%,ip_client=%ip_client%,ip_route_domain=%ip_with_route_domain%,is_trunct=%is_truncated%,login_result=%login_result%,manage_ip_addr=%management_ip_address%,method=%method%,mobile_application_name=%mobile_application_name%,mobile_application_version=%mobile_application_version%,policy_apply_date=%policy_apply_date%,policy_name=%policy_name%,protocol=%protocol%,protocol_info=%protocol_info%,query_str=%query_string%,req=%request%,req_status=%request_status% ...snip..."
Once the virtual server receives a request and bd tries to generate a remote log message, bd crashes.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
Use items available in "Available Items" only.
544958-1 : Monitors packets are sent even when pool member is 'Forced Offline'.
Links to More Info: BT544958
Component: Local Traffic Manager
Symptoms:
If you have a pool member associated with more than one virtual server and the pool member is marked Forced-Offline, the pool monitor will continue to function if the monitor is assigned to both pools.
Conditions:
-- Pools containing identical members.
-- Pool monitoring configured.
-- Pool members are Forced Offline.
Impact:
Monitor packets are sent even when a pool member is 'Forced Offline'.
Workaround:
None.
539648-2 : Disabled db var Watchdog.State prevents vCMP guest activation.
Links to More Info: K45138318, BT539648
Component: TMOS
Symptoms:
If a vCMP guest user disables the watchdog using the db variable Watchdog.State, then the vCMP guest does not reach a running state as reported by the vCMP host.
Conditions:
This occurs when the user sets sys db Watchdog.State value disable.
Impact:
vCMP guest fails to be operational.
Workaround:
Do not change the Watchdog.State db variable. The vCMP host requires the watchdog to monitor the guest health.
538283-3 : iControl REST asynchronous tasks may block other tasks from running
Links to More Info: BT538283
Component: TMOS
Symptoms:
If an iControl REST asynchronous task is running, other iControl REST queries (synchronous or asynchronous) will wait until the asynchronous task completes before executing. If the asynchronous task is long-running, subsequent requests will block for a long time.
Conditions:
-- Executing an iControl REST task asynchronously.
-- Performing further iControl REST tasks (synchronous or asynchronous) while the asynchronous task is still running.
Impact:
Potential (and unexpected) long wait times while running a task asynchronously.
Workaround:
None.
534187-5 : Passphrase protected signing keys are not supported by SAML IDP/SP
Links to More Info: BT534187
Component: Access Policy Manager
Symptoms:
Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys.
Conditions:
Private key used to perform digital signing operations is passphrase protected.
Impact:
SAML protocol will not function properly due to inability to sign messages.
Workaround:
To work around the problem, remove the passphrase from the signing key.
527119-7 : An iframe document body might be null after iframe creation in rewritten document.
Links to More Info: BT527119
Component: Access Policy Manager
Symptoms:
Cannot use certain page elements (such as the Portal Access menu) in Google Chrome, and it appears that JavaScript has not properly initialized, and results in JavaScript errors on the following kinds of code:
iframe.contentDocument.write(html)
iframe.contentDocument.close()
<any operation with iframe.contentDocument.body>
Conditions:
-- The body of a dynamically created iframe document might be initialized asynchronously after APM rewriting.
-- Using the Chrome browser.
Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access. For example, one of the applications known to contain such code and fail after APM rewriting is the TinyMCE editor.
Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.
523313-2 : aced daemon might crash on exit
Links to More Info: K17574, BT523313
Component: Access Policy Manager
Symptoms:
When the aced process is going to exit (daemon shutdown/restart), it might generate a core file intermittently.
Conditions:
This issue occurs when aced daemon shuts down.
Impact:
This causes a core file to be generated.
Workaround:
This issue has no workaround at this time.
512490-12 : Increased latency during connection setup when using FastL4 profile and connection mirroring.
Links to More Info: BT512490
Component: Local Traffic Manager
Symptoms:
Connection setup when using FastL4 profile and connection mirroring takes longer than previous versions.
Conditions:
FastL4 profile with connection mirroring.
Impact:
Slight delay during connection setup.
Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal to noise ratio improvements. This helps resolve connection setup latency.
508302-5 : Auto-sync groups may revert to full sync
Links to More Info: BT508302
Component: TMOS
Symptoms:
If a large number of configuration changes in the same device group are being applied rapidly, device sync may start to generate full loads instead of incremental patches.
Conditions:
This only affects auto-sync device groups.
Impact:
The system may spuriously start to generate full loads instead of incremental changes.
Workaround:
You can use any of the following workarounds:
-- If a large series of syncs are expected, temporarily disable auto-sync for the device group in question.
-- Wrap all of the changes into a single transaction.
-- Add a short pause in between changes.
505037-5 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
Links to More Info: K01993279, BT505037
Component: Local Traffic Manager
Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.
Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.
Impact:
Secondary in a restart loop.
Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.
499348-9 : System statistics may fail to update, or report negative deltas due to delayed stats merging.
Links to More Info: BT499348
Component: TMOS
Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.
The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.
Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:
-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).
-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).
Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.
Workaround:
This issue has two workarounds:
1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:
-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.
2. The second workaround has two parts:
a) Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
tmsh modify sys db merged.method value slow_merge
b) Change the merge-interval value to 2 to reduce CPU usage when merge-method is slow-merge.
tmsh modify /sys db merged.merge.interval {value "2"}
Note: Performing the second workaround has the side-effect of disabling tmstat snapshots on the device. The tmstat snapshots are intended for F5-internal use only: the lack of snapshots will have no bearing on the functionality of your system; however, F5 Support might be impacted in their ability to troubleshoot issues on your system.
498926 : Client can fail to start a new session in multi-domain SSO.
Links to More Info: BT498926
Component: Access Policy Manager
Symptoms:
A client cannot start a new session from the session expired page if the session expires on the primary auth domain before the policy completes.
Conditions:
-- Configure multi-domain SSO.
-- Client attempts to access an application (www.site.com) and is then redirected to the auth domain (www.primaryauth.com).
-- The auth policy is allowed to expire without completing.
Impact:
The 'start a new session' prompt cannot send the client back to the application to restart the policy, since that information was lost when the session expired. The client must use the back button to return to the application to start a new session.
Workaround:
As a workaround, in Customization, modify the HREF for the Session Expired Message so that it redirects to www.site.com.
In the customization text for the Session Expired Message, replace [SESSION_RESTART_URL] with the session variable %{session.server.network.name}.
493740-2 : tmsh allows cipher group creation with non-existent "require" or "exclude" cipher rule.
Links to More Info: BT493740
Component: TMOS
Symptoms:
Using tmsh, it is possible to create a cipher group that references a non-existent cipher rule, even though this configuration is invalid.
Conditions:
Use tmsh to create a cipher group referencing a non-existent cipher rule using a command like this, where the 'require' or the 'exclude' directive comes after the 'allow' directive.
The non-existent cipher rule is "no-exist" in these examples:
tmsh create ltm cipher group test-group { allow add { f5-default } require add { no-exist } }
tmsh create ltm cipher group test-group { allow add { f5-default } exclude add { no-exist } }
Impact:
The result is an invalid configuration that can break configuration synchronisation between BIG-IP peers in some cases (after upgrades, or full configuration reload, for example).
Also, when navigating to the cipher group the GUI does not show it.
The GUI may also show this error:
"An error has occurred while trying to process your request. "
Workaround:
Use the GUI to create new cipher groups.
When using tmsh, don't create a cipher group referencing a non-existent cipher rule.
489960-4 : Memory type stats is incorrect
Links to More Info: BT489960
Component: WebAccelerator
Symptoms:
When tmm allocates memory, it adds up stats per memory type allocated. AAM is not properly marking the memory type for string objects, affecting other types of memory stats depending on configuration and release.
Conditions:
AAM is provisioned and there are virtuals in BIG-IP configuration which have web acceleration profiles associated with one or more AAM policies.
Impact:
Stats for some types of memory can be skewed causing troubleshooting issues.
Workaround:
None.
486712-5 : GUI PVA connection maximum statistic is always zero
Links to More Info: BT486712
Component: TMOS
Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.
Conditions:
This occurs when fastL4 connections are used.
Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.
474797-4 : Nitrox crypto hardware may attempt soft reset while currently resetting
Links to More Info: BT474797
Component: Local Traffic Manager
Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.
Conditions:
Soft reset is needed to clear a stuck condition occurring in the timeframe during which another soft reset is occurring.
Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.
Workaround:
Correct the condition resulting in the need for the soft reset to clear the stuck condition or disable hardware-based crypto acceleration by setting db variable 'tmm.ssl.cn.shunt' to disable.
To disable hardware-based crypto acceleration, issue the following command:
tmsh modify sys db tmm.ssl.cn.shunt value disable
Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.
472645-1 : Memory issues when there is a lot of data in /var/annotate (annotations for dashboard)
Links to More Info: BT472645
Component: TMOS
Symptoms:
When there is a large number of annotations in /var/annotate, tomcat might run out of memory when the dashboard requests the annotations.
The tomcat process logs an out-of-memory error, and the dashboard reports an error:
-- SEVERE: Servlet.service() for servlet org.apache.jsp.dashboard.annotations_jsp threw exception
java.lang.OutOfMemoryError: Java heap space.
-- Unrecoverable Communications Error. Please close this window and log in via the BIG-IP Configuration Utility.
Conditions:
-- Large number of configuration events, i.e., too many annotations in /var/annotate.
-- Click anything other than the default '5 minutes' tab.
Impact:
The dashboard attempts to load all annotations into memory, but cannot. Dashboard must be restarted and can only be used at the 5-minute zoom level.
Workaround:
-- Delete the files in /var/annotate.
-- Increase the tomcat memory:
provision.tomcat.extramb = 320
470916-4 : Using native View clients, cannot launch desktops and applications from multiple VMware back-ends
Links to More Info: BT470916
Component: Access Policy Manager
Symptoms:
If APM is configured to protect multiple VMware resources (VCS servers), you can launch desktops and applications only from the first resource. Attempts to launch desktop or applications from other resources result in error.
Conditions:
-- APM is configured to protect multiple VMware resources (VCS servers).
-- You attempt to launch a desktop or application using the native VMware client.
Impact:
Cannot access desktops and applications from multiple VMware back-ends.
Workaround:
Use HTML5 client instead.
469724-2 : When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire
Links to More Info: BT469724
Component: TMOS
Symptoms:
Evaluation features cause perpetual features to expire when the evaluation license expires.
Conditions:
-- Perpetual license with an evaluation/demonstration add-on feature.
-- The add-on license expires or is expired.
Impact:
When an evaluation/demonstration add-on license expires, features included in both the evaluation add-on as well as the regular, perpetual license stop working.
This behavior is covered in F5 article K4679: BIG-IP evaluation and demonstration licenses do expire :: https://support.f5.com/csp/article/K4679.
Workaround:
To work around this issue, activate the license from the command line:
When reactivating an existing license, and deactivating an expired evaluation license key, specify the base registration key and add-on (if any), and use the -i option for the expired evaluation license key in the get_dossier command.
For example, if the expired evaluation license key is ABCDEFG-ZZZZZZZ, use the following command:
get_dossier -b ABCDE-ABCDE-ABCDE-ABCDE-ABCDEFG -a ABCDEFG-ABCDEFG -i ABCDEFG-ZZZZZZZ
You can find these steps detailed in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595. This part in particular is required to work around this issue.
464708-1 : DNS logging does not support Splunk format log
Links to More Info: BT464708
Component: Global Traffic Manager (DNS)
Symptoms:
DNS logging does not support Splunk format logging. It fails to log the events, instead logging err messages:
hostname="XXXXXXXXXXXXX.XX",errdefs_msgno="01230140:3:
Conditions:
DNS logging configured for Splunk format.
Impact:
DNS logging does not log Splunk format to HSL.
Workaround:
Use an iRule to send Splunk-formatted messages to the Splunk server.
For example:
ltm rule dns_logging_to_splunk {
    when DNS_REQUEST {
        # Collect the client (LDNS) address, virtual server name, and question
        set ldns [IP::client_addr]
        set vs_name [virtual name]
        set q_name [DNS::question name]
        set q_type [DNS::question type]
        # Send a key=value record to the splunk-servers pool over HSL
        set hsl [HSL::open -proto UDP -pool splunk-servers]
        HSL::send $hsl "<190>,f5-dns-event=DNS_REQUEST,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type"
    }
    when DNS_RESPONSE {
        set ldns [IP::client_addr]
        set vs_name [virtual name]
        set q_name [DNS::question name]
        set q_type [DNS::question type]
        # Include the answer section in the response record
        set answer [DNS::answer]
        set hsl [HSL::open -proto UDP -pool splunk-servers]
        HSL::send $hsl "<190>,f5-dns-event=DNS_RESPONSE,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type,answer=\"$answer\""
    }
}
447522-3 : GUI: SNMPV3 Incorrectly requires "OID" when creating an SNMP user.
Links to More Info: BT447522
Component: TMOS
Symptoms:
The BIG-IP GUI incorrectly requires an OID to be specified when creating an SNMPv3 user.
Conditions:
Creating an SNMPv3 user via the BIG-IP GUI.
Impact:
An OID can be used to restrict the view that the user has to a particular branch of the tree, but should not be a required attribute.
Workaround:
- Enter a value of ".1" (with a leading dot) to allow access to all OIDs
(or)
- Create the user using tmsh instead of the GUI, where the oid-subset attribute is not mandatory.
409062-1 : ArcSight HSL is not supported for most system daemons
Links to More Info: K20008325
Component: TMOS
Symptoms:
If an HSL configuration is defined that tries to publish logs from core system daemons (chmand, TMM, fpdd, merged, etc.) to an ArcSight destination, this will not work properly, and instead, all log messages at debug level and higher (from that daemon) will be captured in the local system log files.
For instance, configuring a wide-open filter that captures all traffic, such as the following, will result in many core daemons logging debug logs to /var/log/ltm on the BIG-IP system:
sys log-config filter remote-log-filter {
    publisher publisher
}
sys log-config publisher publisher {
    destinations {
        arcsight { }
    }
}
sys log-config destination remote-high-speed-log hsl {
    pool-name pool_arcsight
}
sys log-config destination arcsight arcsight {
    forward-to hsl
}
Conditions:
This occurs when a high-speed logger is configured with the ArcSight remote log servers as the destination.
Impact:
As a result of this, the system will log excessively to the local log files.
Workaround:
Only configure log filters that publish logs to ArcSight for supported (AFM, ASM, and SWG) components.
398683-3 : Use of a # in a TACACS secret causes remote auth to fail
Links to More Info: K12304
Component: TMOS
Symptoms:
TACACS remote auth fails when the TACACS secret contains the '#' character.
Conditions:
TACACS secret contains the '#' character.
Impact:
TACACS remote auth fails.
Workaround:
Do not use the '#' character in the TACACS secret.
385013-4 : Certain user roles do not trigger a sync for a 'modify auth password' command
Component: TMOS
Symptoms:
If users with certain roles change their password, the BIG-IP system does not detect that it is out-of-sync with its peer and does not trigger an automatic sync.
Conditions:
-- Multiple BIG-IP devices in a Device Service Cluster that sync configurations with each other.
-- A user with one of the following roles logs in and changes their password:
+ guest
+ operator
+ application-editor
+ manager
+ certificate-manager
+ irule-manager
+ resource-admin
+ auditor
Impact:
The system does not detect that it is out of sync with its peer, and does not report this condition. If automatic sync is enabled, a sync does not automatically occur.
Workaround:
Force a full sync to the peer systems.
382363-5 : min-up-members and using gateway-failsafe-device on the same pool.
Links to More Info: K30588577
Component: TMOS
Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.
Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.
Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.
Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.
369640-5 : iRules might return incorrect data when multiple partitions and/or folders contain objects with the same name
Links to More Info: K17195
Component: Local Traffic Manager
Symptoms:
iRules might return incorrect data when the BIG-IP configuration has folders or multiple administrative partitions that contain objects with the same name.
As a result of this issue, you may encounter one or more of the following symptoms:
-- Client connections receive incorrect data.
-- The BIG-IP system incorrectly load balances client connections.
Conditions:
This issue occurs when all of the following conditions are met:
-- The configuration includes objects of the same name in different folders or administrative partitions
-- An iRule references the object without using the fully-qualified path, e.g. "pool example_pool" instead of "pool /Common/folder1/example_pool"
Impact:
Client connections receive incorrect data, or are load balanced incorrectly.
Workaround:
To work around this issue, always specify full paths to objects referenced in iRules, e.g. instead of:
pool example_pool
use:
pool /Common/example_pool
349706-1 : NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN
Component: Access Policy Manager
Symptoms:
Network access sends 1.1.1.1 as X-VPN-serer-IP and Edge client reserves this IP for PPP communication with APM server.
Conditions:
-- VPN is configured on BIG-IP.
-- Edge Client/webtop is used to connect to VPN.
Impact:
If VPN is connected:
1. The user may not access the 1.1.1.1 address from the client machine.
2. If 1.1.1.1 is used as a DNS server IP in the Network Access configuration, DNS resolution may fail on the client machine.
Workaround:
NA
342319-3 : BIND forwarder server list and the recursion and forward options.
Component: TMOS
Symptoms:
When you add a Domain Name System (DNS) server to the BIND forwarder server list from the Configuration utility, the recursion option is set to no and the forward option is not set.
Conditions:
The parameters 'recursion yes' and 'forward only' are not being updated in named.conf when creating entries in the BIND Forwarder Server List from the GUI.
Impact:
This issue may cause some DNS queries that are sent to the BIG-IP system to fail.
Workaround:
You can work around this issue by setting the recursion and forward options. For more information, see SOL12224: Configuring the BIND forwarder server list does not correctly set additional options for the named.conf file, available here: http://support.f5.com/kb/en-us/solutions/public/12000/200/sol12224.html.
315765-3 : The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled.
Links to More Info: BT315765
Component: Local Traffic Manager
Symptoms:
The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled. As a result of this issue, you may encounter the following symptom:
A network trace capturing the affected traffic on a BIG-IP system shows traffic continues to egress the BIG-IP system using the disabled SNAT translation address.
Conditions:
This issue occurs when the following condition is met: A SNAT translation address is configured, but disabled.
Impact:
Traffic egresses the BIG-IP system with the disabled SNAT translation address.
Workaround:
To work around this issue, you must delete the affected SNAT configuration instead of disabling it. To do so, perform the following procedure:
Impact of workaround: Deleting the affected SNAT configuration removes it entirely from the BIG-IP configuration. If you require the SNAT configuration later, you must recreate it manually.
BIG-IP 11.x/12.x
1. Log in to the tmsh utility.
2. Delete the affected SNAT configuration by entering the following command: delete /ltm snat <affected SNAT name>.
For example, to delete the test-315765 SNAT configuration, you would enter the following command: delete /ltm snat test-315765.
3. Save the modified configuration by entering the following command:
save /sys config
BIG-IP 9.x through 10.x
1. Log in to the command line.
2. Delete the affected SNAT configuration by entering the following command: bigpipe snat <affected SNAT name> delete.
For example, to delete the test-315765 SNAT configuration, you would enter the following command: bigpipe snat test-315765 delete.
3. Save the modified configuration by entering the following command: bigpipe save all.
291256-2 : Changing 'Minimum Length' and 'Required Characters' might result in an error
Component: TMOS
Symptoms:
When setting a value for the password policy attribute 'Minimum Length', and setting 'Required Characters' 'Numeric', 'Uppercase', 'Lowercase', and 'Other' to values whose sum is greater than 'Minimum Length', the system does not save changes, and instead reports an error:
err mcpd[1647]: 01070903:3: Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'
Conditions:
-- Change the value of 'Minimum Length'.
-- Change the values in 'Required Characters' ('Numeric', 'Uppercase', 'Lowercase', and 'Other').
-- The sum of the values from 'Required Characters' is greater than the 'Minimum Length' value before you changed it.
Here is an example:
1. From the default of '6', change 'Minimum Length' to 10.
2. At the same time, change each of the 'Required Characters' options ('Numeric', 'Uppercase', 'Lowercase', and 'Other') to '2', for a total of 8.
3. Click Update.
(These values should work because the value in 'Minimum Length' (10) is greater than the sum of the values in 'Required Characters' (8).)
Impact:
The changes are not saved, and an error is posted:
Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'.
Workaround:
You can use either of the following workarounds:
-- To work around this using the GUI, set 'Minimum Length' and 'Required Characters' separately (i.e., specify 'Minimum Length' and click Update, and then specify 'Required Characters' and click Update).
-- Use tmsh instead of the GUI.
264701-3 : GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)
Links to More Info: K10066
Component: Global Traffic Manager (DNS)
Symptoms:
The zrd process exits and cannot be restarted.
Conditions:
This occurs when the journal is out-of-sync with the zone.
Impact:
The zrd process cannot be restarted.
Workaround:
Before beginning, ensure that no one else is making config changes (i.e., consider making changes during a maintenance window).
I) On a working system, perform the following:
1. # rndc freeze $z
(Do this for all nonworking zones. Do not perform the thaw until you finish copying all needed files to the nonworking system.)
2. # tar zcvf /tmp/named.zone.files namedb/db.[nonworking zones]
3. # rndc thaw $z
II) On each nonworking system, perform the following:
1. # bigstart stop zrd; bigstart stop named
2. Copy the nonworking /tmp/named.zone.files from a working GTM system.
3. # bigstart start named; bigstart start zrd
(Before continuing, review /var/log/daemon.log for named errors, and review /var/log/gtm for zrd errors.)
Repeat part II until all previously nonworking systems are working.
III) On a working GTM system, run the following command:
# touch /var/named/config/named.conf
222220-4 : Distributed application statistics are not passed correctly.
Links to More Info: K11931
Component: Global Traffic Manager (DNS)
Symptoms:
Distributed application statistics include only requests passed to its first wide IP.
For BIG-IP versions 12.0.0 and later, distributed application statistics are always zero.
Conditions:
Viewing distributed application statistics on configurations with multiple wide-IP members.
Impact:
The system does not pass statistics for requests to all wide-IP members in the distributed application.
Note: For BIG-IP versions 12.0.0 and later, the system does not pass statistics for requests to any wide-IP-members in the distributed application.
Workaround:
None
1095145-1 : Virtual server responding with ICMP unreachable after using /Common/service
Links to More Info: BT1095145
Component: SSL Orchestrator
Symptoms:
After adding /Common/service profile and removing it from the virtual server, the virtual server starts dropping traffic with ICMP unreachable.
This profile is normally only needed in SSLo deployments.
Conditions:
/Common/service was attached and removed from a virtual server.
Impact:
Traffic is dropped on a virtual server.
Workaround:
Restart TMM after making the configuration change.
1093973-4 : Tmm may core when BFD peers select a new active device.
Links to More Info: BT1093973
Component: TMOS
Symptoms:
Tmm cores.
Conditions:
-- BFD is in use
-- the active/owner BFD device changes
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1093545-2 : Attempts to create illegal virtual-server may lead to mcpd crash.
Links to More Info: BT1093545
Component: Local Traffic Manager
Symptoms:
Mcpd crashes after an attempt to create a virtual server with an incorrect or duplicate configuration.
Conditions:
-- One or more attempts to create a virtual server with an illegal configuration are performed (i.e. attempts to create a virtual server that shares a configuration with an existing virtual server or has an incorrect configuration)
Impact:
Mcpd crashes with __GI_abort. Traffic disrupted while mcpd restarts.
Workaround:
None
1091969-1 : iRule 'virtual' command does not work for connections over virtual-wire.
Links to More Info: BT1091969
Component: Local Traffic Manager
Symptoms:
iRule 'virtual' command does not work for connections over virtual-wire.
Conditions:
- Connection over a virtual-wire.
- Redirecting traffic to another virtual-server (for example, using an iRule 'virtual' command)
Impact:
Connection stalls on the first virtual-server and never completes.
1091785-4 : DBDaemon restarts unexpectedly and/or fails to restart under heavy load
Links to More Info: BT1091785
Component: Local Traffic Manager
Symptoms:
While under heavy load, the Database monitor daemon (DBDaemon) may:
- Restart for no apparent reason
- Restart repeatedly in rapid succession
- Log the following error while attempting to restart:
java.net.BindException: Address already in use (Bind failed)
- Fail to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down
Conditions:
- Configure one or more GTM database monitors with short probe-timeout, interval and timeout values (e.g., 2, 5, 16 respectively)
- Configure a large number (e.g., 2,000) of GTM [or perhaps LTM?] database monitor instances (combinations of above monitor + pool member)
- Optionally: configure GTM database monitors with debug yes and count 0 (for easier diagnosis, and assumption that count = 0 will generate more stress/concurrency to aid repro; vary as needed)
- Watch for DBDaemon restarts (either through changes in the PID returned by ps, or watching for "Starting" messages in DBDaemon logs)
Impact:
Restart for no apparent reason
Fail to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down
Workaround:
None
1091725-2 : Memory leak in IPsec
Links to More Info: BT1091725
Component: TMOS
Symptoms:
Slow memory growth of tmm over time.
This leak affects both the active and standby BIG-IPs.
Conditions:
IPsec is in use.
Security associations are being created or recreated.
Impact:
Over time, tmm may exhaust its memory causing a tmm crash.
1091345-4 : The /root/.bash_history file is not carried forward by default during installations.
Links to More Info: BT1091345
Component: TMOS
Symptoms:
By default, the /root/.bash_history file is not included in the UCS archives. As such, this file is not rolled forward during a software installation.
Conditions:
Performing a BIG-IP software installation.
Impact:
This issue may hinder the efforts of F5 Support should the need to determine what was done prior to a software installation arise.
Workaround:
None
1091249-4 : BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address.
Links to More Info: BT1091249
Component: Global Traffic Manager (DNS)
Symptoms:
As BIG-IP DNS and Link Controller systems connect with one another (or with monitored BIG-IP systems) over iQuery, you may notice:
-- Log messages that specify IPv6 translation addresses non-existent in your configuration and often meaningless (as in not pertaining to some of the more common IPv6 address spaces). For example:
debug gtmd[24229]: 011ae01e:7: Creating new socket to connect to 2001::1 (a06d:3d70:fd7f:0:109c:7000::)
-- If you restart the gtmd daemon, the IPv6 translation address shown in parentheses above changes to a new, random meaningless value.
-- The GTM portion of the configuration fails to synchronize.
Conditions:
IPv6 translation addresses are in use in relevant objects.
Impact:
The logs are misleading and the GTM portion of the configuration may fail to synchronize.
Workaround:
If possible, do not use IPv6 translation addresses.
1091021-4 : The BIG-IP system may take no fail-safe action when the bigd daemon becomes unresponsive.
Links to More Info: BT1091021
Component: Local Traffic Manager
Symptoms:
You may observe LTM monitors are malfunctioning on your system. For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status.
Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").
-- One or more of the processes (but not all of them) becomes disrupted for some reason, and stops serving heartbeats to the sod daemon.
Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.
Impact:
LTM monitoring is impacted.
Workaround:
If you have determined, or if you suspect, this issue is present on your system, you can resolve it by killing all bigd processes using the following command:
pgrep -f 'bigd\.[0-9]+' | xargs kill -9
However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.
Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.
1090313-1 : Virtual server may remain in hardware SYN cookie mode longer than expected
Links to More Info: BT1090313
Component: TMOS
Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual server has already exited SYN Cookie mode, but SYN packets are still answered by hardware for a few minutes longer.
Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.
Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.
Workaround:
Disable hardware SYN Cookie mode.
1089829-2 : PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers
Links to More Info: BT1089829
Component: Policy Enforcement Manager
Symptoms:
SIGSEGV tmm cores with back trace in PEM area.
"pem_sessiondump --list" command will show session with custom attribute name as empty/NULL.
Conditions:
Setting a PEM session custom attribute value with a length of more than (1024 - attribute name length).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
In the iRule, make sure the custom attribute value size + custom attribute name length is not more than 1024.
1089005-2 : Dynamic routes might be missing in the kernel on secondary blades.
Links to More Info: BT1089005
Component: TMOS
Symptoms:
Dynamic routes might be missing in the kernel on secondary blades.
Conditions:
- Long VLAN names (16+).
- MCPD unable to load cached configuration (software update/forceload was performed).
Impact:
Kernel routes are missing on secondary blades.
Workaround:
Restart tmrouted on the affected secondary blade. Note: this will also briefly affect TMM dynamic routes.
bigstart restart tmrouted
1088597-4 : TCP keepalive timer can be immediately re-scheduled in rare circumstances
Links to More Info: BT1088597
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the TCP timer is rescheduled immediately because the interval it uses also encompasses the idle_timeout.
Conditions:
Virtual Server with:
- TCP Profile
- SSL Profile with alert timeout configured
Another way this can occur is by manually deleting connections, which effectively only sets the idle timeout to 0.
Impact:
High CPU utilization potentially leading to reduced performance.
Workaround:
If the alert timeout is not re-enabled in the SSL profile, that should be sufficient.
1088173-1 : With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile
Links to More Info: BT1088173
Component: Local Traffic Manager
Symptoms:
Log files indicate that the client certificate is retained when it should not be.
Conditions:
Enable TLS 1.3 and disable retain-certificate parameter in SSL profile
Impact:
Storage of client certificates will increase memory utilization.
Workaround:
None
1087569-2 : Changing max header table size according HTTP2 profile value may cause stream/connection to terminate
Links to More Info: BT1087569
Component: Local Traffic Manager
Symptoms:
BIG-IP initializes HEADER_TABLE_SIZE to the profile value, so when that value exceeds 4K (the RFC default), the receiver's header table size is still at the default value. Therefore, upon receiving header indexes that have been removed from its table, the receiver sends GOAWAY (COMPRESSION_ERROR).
Conditions:
-- HTTP2 profile used in a virtual server
-- In the HTTP2 profile, 'Header Table Size' is set to a value greater than 4096
Impact:
Stream/connection is terminated with GOAWAY (COMPRESSION_ERROR)
Workaround:
Issue can be avoided by restoring the header-table-size value to the default of 4096
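The failure described in ID 1087569, reproduced with a simplified HPACK dynamic-table model (an added example, not F5 code). It assumes RFC 7541 entry sizing and indexing only, with no Huffman or binary encoding and no static-table contents; the class and function names and the sample headers are constructed for illustration.

```python
"""Simplified HPACK dynamic-table model (RFC 7541 sections 2.3.2, 4.1, 4.4)."""

STATIC_TABLE_LEN = 61      # dynamic entries are addressed from index 62 upward
ENTRY_OVERHEAD = 32        # per-entry overhead defined by RFC 7541 section 4.1
DEFAULT_TABLE_SIZE = 4096  # default SETTINGS_HEADER_TABLE_SIZE


class CompressionError(Exception):
    """Decoder was handed an index it cannot resolve."""


class DynamicTable:
    def __init__(self, max_size):
        self.max_size = max_size
        self.entries = []          # newest entry first, as HPACK indexes them
        self.size = 0

    @staticmethod
    def entry_size(name, value):
        return len(name) + len(value) + ENTRY_OVERHEAD

    def add(self, name, value):
        need = self.entry_size(name, value)
        # Evict the oldest entries until the new one fits.
        while self.entries and self.size + need > self.max_size:
            self.size -= self.entry_size(*self.entries.pop())
        if need <= self.max_size:
            self.entries.insert(0, (name, value))
            self.size += need

    def find(self, name, value):
        try:
            return STATIC_TABLE_LEN + 1 + self.entries.index((name, value))
        except ValueError:
            return None

    def lookup(self, index):
        # This model never emits static-table indexes, so only the
        # dynamic range is resolved here.
        pos = index - STATIC_TABLE_LEN - 1
        if not 0 <= pos < len(self.entries):
            raise CompressionError(f"index {index} not in decoder table "
                                   f"({len(self.entries)} dynamic entries)")
        return self.entries[pos]


def encode(table, headers):
    """Sender side: reuse an index when the entry is still in the sender's table."""
    ops = []
    for name, value in headers:
        index = table.find(name, value)
        if index is not None:
            ops.append(("indexed", index))
        else:
            ops.append(("literal", name, value))   # literal with incremental indexing
            table.add(name, value)
    return ops


def decode(table, ops):
    """Receiver side: resolve indexes against the receiver's own table."""
    headers = []
    for op in ops:
        if op[0] == "indexed":
            headers.append(table.lookup(op[1]))
        else:
            _, name, value = op
            table.add(name, value)
            headers.append((name, value))
    return headers


def run_connection(encoder_size, decoder_size, blocks):
    """Send each header block through both tables and report the outcome."""
    enc, dec = DynamicTable(encoder_size), DynamicTable(decoder_size)
    for n, block in enumerate(blocks, 1):
        try:
            if decode(dec, encode(enc, block)) != block:
                return f"block {n}: decoded headers differ"
        except CompressionError as exc:
            return f"block {n}: GOAWAY (COMPRESSION_ERROR): {exc}"
    return "ok"


# Constructed sample traffic: 60 distinct 100-byte entries, then the first one again.
SAMPLE = [(f"x-hdr-{i:02d}", "v" * 60) for i in range(60)]
BLOCKS = [SAMPLE, [SAMPLE[0]]]

if __name__ == "__main__":
    print("sender 8192, receiver 4096:", run_connection(8192, DEFAULT_TABLE_SIZE, BLOCKS))
    print("sender 4096, receiver 4096:",
          run_connection(DEFAULT_TABLE_SIZE, DEFAULT_TABLE_SIZE, BLOCKS))
```

With matching table sizes the sender has already evicted the first header and resends it as a literal, so the receiver never sees an index it cannot resolve.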
1086677-2 : TMM Crashes in xvprintf() because of NULL Flow Key
Component: Local Traffic Manager
Symptoms:
TMM crashes while passing traffic
Conditions:
This was observed during internal testing and occurred while making configuration changes while passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1086473-1 : BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake
Links to More Info: BT1086473
Component: Local Traffic Manager
Symptoms:
When a client attempts to resume the TLS session using the Session-ID in its Client Hello from a previous session, the BIG-IP agrees by using the same Session-ID in its Server Hello, but then proceeds to perform a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Server Hello Done).
This is a violation of the TLS RFC.
Conditions:
- High availability (HA) pair of two BIG-IP units.
- LTM virtual server with a client-ssl profile.
- Mirroring enabled on the virtual server
Impact:
Client-side TLS session resumption not working.
Workaround:
Disable mirroring on the virtual server
1085837-4 : Virtual server may not exit from hardware SYN cookie mode
Links to More Info: BT1085837
Component: TMOS
Symptoms:
Once a virtual server enters hardware SYN cookie mode it may not exit until a TMM restart.
Conditions:
-- On B2250 and B4450 platforms.
-- A condition triggers SYN cookie mode and then goes back to normal.
Impact:
-- Virtual servers in hardware SYN cookie mode do not receive TCP SYN packets.
-- The limited number of possible TCP MSS values may have a light performance impact.
Workaround:
Disable hardware SYN cookie mode on the affected objects.
1085661-4 : Standby system saves config and changes status after sync from peer
Links to More Info: BT1085661
Component: Application Security Manager
Symptoms:
After running config sync from an Active to a Standby device, the sync status is in SYNC for a short period of time.
After a while, it automatically goes to Changes Pending status.
The same symptom was reported via ID698757 and fixed in earlier versions, but the same can happen via a different scenario.
Conditions:
Create an ASM policy and let the system determine language encoding from traffic.
Impact:
The high availability (HA) configuration goes out of SYNC.
Workaround:
To prevent the issue from happening, you can manually configure language encoding.
1084993-3 : [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching
Links to More Info: BT1084993
Component: Policy Enforcement Manager
Symptoms:
The e2e ID and h2h ID in the Re-Authorisation Answer from PEM to OCS do not match those in the Re-Authorisation Request from OCS to PEM.
Conditions:
Diameter-endpoint configuration. PCEF(PEM) communicating over gy interface with OCS for quota information.
Impact:
OCS will not be able to determine for which RAR it got RAA. This is catastrophic for billing.
Workaround:
None
1084857-4 : ASM::support_id iRule command does not display the 20th digit
Links to More Info: BT1084857
Component: Application Security Manager
Symptoms:
ASM::support_id iRule command does not display the 20th digit.
A support ID seen in REST/TMUI that has 20 digits, e.g., 13412620314886537617, is displayed as 1341262031488653761 with the iRule command (the last digit, '7', is stripped).
Conditions:
ASM::support_id iRule command
Impact:
Inability to trace request events using the support id
1084673-4 : GTM Monitor "require M from N" status change log message does not print pool name
Links to More Info: BT1084673
Component: Global Traffic Manager (DNS)
Symptoms:
The number of probes that are succeeding is changing in between different windows in which the "N" number of probes were sent.
Conditions:
- GTM/DNS is provisioned
- A "require M from N" monitor rule is assigned to a gtm pool or an individual gtm pool member.
Impact:
The log written to provide information on the changing number of successful probes does not contain information about the pool member.
Workaround:
None
1083989-3 : TMM may restart if abort arrives during MBLB iRule execution
Links to More Info: BT1083989
Component: Local Traffic Manager
Symptoms:
"Unallocated flow while polling for rule work. Skipping." is logged in /var/log/ltm.
*or*
"flow in use" assert fails causing TMM to restart.
Conditions:
- Virtual using MBLB proxy.
- iRule with LB_SELECTED, CLIENT_CLOSED, and SERVER_CLOSED events.
- client connection is aborted while LB_SELECTED is queued for execution.
Impact:
TMM may restart unexpectedly.
Workaround:
Remove LB_SELECTED event from the iRule, if feasible.
1083913-3 : Missing error check in ICAP handling
Links to More Info: BT1083913
Component: Application Security Manager
Symptoms:
Bd crashes.
Conditions:
An ASM policy is configured for ICAP integration.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
1083621-3 : The virtio driver uses an incorrect packet length
Links to More Info: BT1083621
Component: Local Traffic Manager
Symptoms:
In some cases, tmm might drop network packets.
In rare circumstances, this might trigger tmm to crash.
Conditions:
BIG-IP Virtual Edition using the virtio driver. You can see this in /var/log/tmm ("indir" is zero):
notice virtio[0:5.0]: cso: 1 tso: 0 lro: 1 mrg: 1 event: 0 indir: 0 mq: 0 s: 1
Impact:
Tmm might drop packets.
In rare circumstances, this might trigger tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
None
1083589-1 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.
Links to More Info: BT1083589
Component: Local Traffic Manager
Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.
Note: See also ID1002945 (https://cdn.f5.com/product/bugtracker/ID1002945.html), which is a closely related issue.
Conditions:
- IPv6 to IPv4 virtual server chaining.
Impact:
Traffic is dropped.
Workaround:
Apply a SNAT with an IPv4 address to the IPv6 virtual server.
1083405-1 : "Error connecting to named socket" from zrd
Links to More Info: BT1083405
Component: Global Traffic Manager (DNS)
Symptoms:
After an mcpd restart, zrd may not be able to re-establish a connection to named. This shows up in the /var/log/gtm file or in the GUI with a message similar to the following:
err zrd[27809]: 01150306:3: Error connecting to named socket 'Connection refused'.
(or)
err zrd[16198]: 01150306:3: Error connecting to named socket 'Connection timed out'.
Conditions:
After an mcpd restart
Impact:
Looking up or modifying zone records may fail.
Workaround:
Restart zrd and named
tmsh restart sys service zrd named
1082885-3 : MR::message route virtual asserts when configuration changes during ongoing traffic
Links to More Info: BT1082885
Component: Service Provider
Symptoms:
MR::message route virtual causes TMM to crash / panic when the configuration changes during ongoing traffic. This is due to an invalid validation of the TYPEIDs when mis-matched virtual servers / proxies are identified because of the configuration change.
Conditions:
A BIG-IP configuration change is made while passing traffic.
Impact:
Traffic disrupted while tmm restarts.
1082461-4 : The enforcer cores during a call to 'ASM::raise' from an active iRule
Links to More Info: BT1082461
Component: Application Security Manager
Symptoms:
In the case of 'ASM::raise' call execution from an iRule that contains a list length greater than 100, the enforcer (bd) will core.
Conditions:
A call to 'ASM::raise' with a list length greater than 100 from an iRule.
Impact:
Traffic disrupted while bd restarts.
Workaround:
While constructing the iRule, make sure that the list passed into 'ASM::raise' contains fewer than 100 elements.
1082225-2 : Tmm may core while Adding/modifying traffic-class attached to a virtual server.
Links to More Info: BT1082225
Component: Local Traffic Manager
Symptoms:
Tmm may core with 'tmm SIGSEGV' while performing addition/updating of traffic class attached to a virtual server.
Conditions:
-- Some Traffic classes have been removed from the virtual server.
-- A new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.
Impact:
Traffic disrupted while tmm restarts.
The traffic class might not be applied as expected.
Workaround:
None
1082197-3 : RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response
Links to More Info: BT1082197
Component: Global Traffic Manager (DNS)
Symptoms:
Synthetic SOA returned by BIG-IP has the MNAME and RNAME fields reversed, resulting in the wrong values being noted as the primary name server and mailbox of administrator, respectively.
Conditions:
-- Set the failure-rcode-response enabled and failure-rcode-ttl on a down WIP.
-- Perform a DNS query.
-- Observe the SOA.
Impact:
Per RFC (rfc1035) the order of the fields is significant and MNAME must come before RNAME. When reversed, consumers of the synthetic SOA will associate the wrong values with the wrong fields.
1082193-1 : TMSH: Need to update the version info for SERVER_INIT in help page
Links to More Info: BT1082193
Component: TMOS
Symptoms:
The SERVER_INIT iRule event was introduced in version 14.0.0, but tmsh help shows it as version 13.1.0.
Conditions:
-- Using tmsh to configure an iRule event
-- The BIG-IP version is 13.1.0 and you use tab complete for 'tmsh help ltm rule event SERVER_INIT'
Impact:
The tmsh help makes it appear as if SERVER_INIT is supported in version 13.1.0 when it is not.
Workaround:
None
1080985-3 : Route Domain ID specified in Address list does not take effect on virtual server IP via TMC.
Component: Local Traffic Manager
Symptoms:
An incorrect virtual server is created because of a non-existent virtual address.
Conditions:
-- An address list is created with IP addresses on a non-default route domain.
-- Traffic matching criteria is created by assigning the above address list without specifying a route domain.
-- Assign the above traffic matching criteria (TMC) object to the virtual server.
Impact:
The virtual server that is created does not function properly due to the incorrect virtual address.
Workaround:
Set the route-domain of the traffic-matching criteria to an appropriate route-domain value.
(tmos)# modify ltm traffic-matching-criteria <TMC_name> route-domain <route_domain_name>
1080925-1 : Changed 'ssh-session-limit' value is not reflected after restarting mcpd
Links to More Info: BT1080925
Component: TMOS
Symptoms:
After changing the 'ssh-session-limit' field from 'disabled' to 'enable', saving the config, and restarting mcpd, the 'ssh-session-limit' field still shows 'disabled'.
Conditions:
The issue occurs when MCPD restores the configuration from its binary database file.
Impact:
Enabling and disabling "ssh-session-limit" will have an undesirable effect when creating ssh sessions, and you will not be able to edit the field.
Workaround:
None
1080613-3 : "Installation of Automatically Downloaded Updates" configuration in LiveUpdate is lost during the first tomcat restart, after upgrading to versions having the fix of ID907025.★
Links to More Info: BT1080613
Component: Application Security Manager
Symptoms:
The "Installation of Automatically Downloaded Updates" configuration in LiveUpdate is lost during the first tomcat restart after upgrading.
Conditions:
This occurs during the first tomcat restart, after upgrading to versions that have the fix for ID907025.
Impact:
The live update configuration is reverted to the default.
Workaround:
After upgrade, restart tomcat and re-configure. After this the issue won't occur and the configuration is retained.
1080341-2 : Changing an L2-forward virtual to any other virtual type might not update the configuration.
Links to More Info: BT1080341
Component: Local Traffic Manager
Symptoms:
Changing an L2-forward virtual-server to any other virtual-server type might not update the saved configuration.
Conditions:
Changing an L2-forward virtual-server to any other virtual-server type.
Impact:
Traffic still behaves as if L2-forward virtual-server is configured.
Workaround:
Remove and re-create the affected virtual-server.
1080317-1 : Logged hostname not consistent when hostname contains "."
Links to More Info: BT1080317
Component: TMOS
Symptoms:
Messages logged to journald use the configured hostname, while syslog-ng uses the hostname (machine name) and truncates it starting at the first '.'. Because the system uses a mix of logging directly to syslog-ng (e.g., /var/run/tmm.pipe) and logging from journald, hostnames are logged inconsistently when they contain '.'; i.e., "my.hostname" is logged as "my" by syslog-ng and "my.hostname" by journald. This can make it difficult for log analysis tools to work with the log files.
Conditions:
When hostname contains '.'
Impact:
Logs are harder to read because some entries contain the truncated hostname and others contain the full hostname.
1080297-3 : ZebOS does not show "log syslog" in the running configuration
Links to More Info: BT1080297
Component: TMOS
Symptoms:
ZebOS does not show the "log syslog" or "no log syslog" in the running configuration.
There is no way to know if the 'log syslog' is configured or not by checking the configuration.
Conditions:
-- Under Configure log syslog.
-- Check the output of 'show running-config'.
Impact:
There is no way to know if the 'log syslog' is configured or not by checking the configuration.
1079985 : int_drops_rate shows an incorrect value
Links to More Info: BT1079985
Component: Advanced Firewall Manager
Symptoms:
int_drops_rate shows an incorrect value: it shows a cumulative value instead of an average value, the same as int_drops and syncookies.hw_syncookies.
Conditions:
A tcp-halfOpen attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
It is difficult to figure out the drop rate per second.
Workaround:
None
1079769-3 : Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers
Links to More Info: BT1079769
Component: Local Traffic Manager
Symptoms:
Tmm crash
There might be entries similar to the following in the tmm log:
notice virtio[0:7.0]: MAC filter[27]: 33:33:ff:00:10:01 - deleted
notice virtio[0:7.0]: MAC filter[27]: 33:33:ff:00:10:01 - added
Conditions:
-- The tmm is utilizing the virtio driver for network communications.
-- Several changes are made to IPv6 listeners. Several changes would be on the order of at least 1,900.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
A work-around would be to utilize the sock driver. However, that will not perform as well.
1079441-3 : APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries
Links to More Info: BT1079441
Component: Access Policy Manager
Symptoms:
APMD memory can grow over a period of time
Conditions:
-- A BIG-IP system with the patched cyrus-sasl/krb5 libraries
Impact:
APMD memory can grow over a period of time
Workaround:
None
1079237-3 : After certain configuration tasks are performed, TMM may run with stale SNAT translation parameters.
Links to More Info: BT1079237
Component: Local Traffic Manager
Symptoms:
A SNAT translation object instantiated by performing specific configuration tasks (see Conditions) does not work.
For example:
- Connections might be reset with cause "No available SNAT addr".
- An unexpected IP address might be used to SNAT the outgoing traffic.
Conditions:
This issue is known to occur when one of the following operations is performed:
- Restoring a UCS or SCF archive in which a SNAT translation with a specific name specifies a different IP address or route domain.
- Performing a config-sync between redundant units in which the sender changes a SNAT translation with a specific name to use a different IP address or route domain.
- Performing specific tmsh CLI transactions involving SNAT translation modifications.
Impact:
The system does not use the configured SNAT translation address. Traffic will be impacted as a result (for example, reset connections or incorrect source IP address in outgoing traffic).
Workaround:
Restart TMM (bigstart restart tmm) on affected units.
1078765-3 : Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer.
Links to More Info: BT1078765
Component: Application Security Manager
Symptoms:
A BD core may occur due to enforcement of 200004390 200004389 signatures with the combination of Arcsight remote logger enabled.
Conditions:
The request must contain 200004390 200004389 signatures with the combination of Arcsight remote logger attached to the virtual server.
Impact:
The enforcer may crash.
Workaround:
Disable 200004390 200004389 signatures.
1077789-2 : System might become unresponsive after upgrading.★
Links to More Info: BT1077789
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; only a small amount of memory is assigned to the 'host' category.
Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it.
Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, power cycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then manually select an unaffected volume from the GRUB menu.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.
For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452
1077701-3 : GTM "require M from N" monitor rules do not report when the number of "up" responses change
Links to More Info: BT1077701
Component: Global Traffic Manager (DNS)
Symptoms:
The number of probes that are succeeding is changing in between different windows in which the "N" number of probes were sent.
Conditions:
- GTM/DNS is provisioned.
- A "require M from N" monitor rule is assigned to a gtm resource.
Impact:
The change in the number of successful monitor probes, which is useful for troubleshooting, is not reported.
Workaround:
None
1077553-1 : Traffic matches the wrong virtual server after modifying the port matching configuration
Links to More Info: BT1077553
Component: Local Traffic Manager
Symptoms:
Traffic matches the wrong virtual server.
Conditions:
A virtual server configured to match any port is modified to match a specific port. Alternatively, a virtual server matching a specific port is modified to match any port.
Impact:
Traffic may be directed to the wrong backend server.
Workaround:
Restart the TMM after the config change.
1077533-2 : BIG-IP fails to restart services after mprov runs during boot.
Links to More Info: BT1077533
Component: TMOS
Symptoms:
Very occasionally, when mprov runs after a reboot, the BIG-IP may fail to start with logs similar to the following:
bigip1 info mprov:7459:[7459]: 'admd failed to stop.'
bigip1 err mprov:7459:[7459]: 'admd failed to stop, provisioning may fail.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
...
bigip1 err mcpd[5584]: 01071392:3: Background command '/usr/bin/mprov.pl --quiet --commit asm avr host tmos ui ' failed. The command was signaled.
Conditions:
Occurs rarely after a reboot.
Impact:
The BIG-IP is unable to finish booting.
Workaround:
Reboot the BIG-IP again.
1077405-4 : Ephemeral pool members may not be created with autopopulate enabled.
Links to More Info: BT1077405
Component: TMOS
Symptoms:
Ephemeral pool members might not be added to a pool with an FQDN pool member "autopopulate enabled".
When this issue occurs:
-- Some or all of the expected Ephemeral Pool Members will not be created for the affected pool.
-- A message will be logged in the LTM log similar to the following:
err mcpd[####]: 01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/_auto_<IP address>) has autopopulate set to disabled.
(Note that the node name here is an Ephemeral Node.)
Also note that if you attempt to create an FQDN Pool Member with autopopulate enabled while the corresponding FQDN Node has autopopulate disabled, you will see a similar error message:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/fred) has autopopulate set to disabled.
Conditions:
This issue can occur under the following conditions:
-- Two or more FQDN Nodes have FQDN names that resolve to the same IP address(es).
-- That is, some Ephemeral Nodes have addresses resolved by more than one FQDN name defined in FQDN Nodes.
-- At least one of these FQDN Nodes has "autopopulate enabled."
-- At least one of these FQDN Nodes does not have "autopopulate enabled."
-- That is, autopopulate is disabled for one or more of these FQDN Nodes.
-- The FQDN Pool Member(s) in the affected pool(s) has "autopopulate enabled."
Impact:
The affected LTM pool(s) are not populated with expected (or any) ephemeral pool members.
Workaround:
To allow some LTM pools to use FQDN pool members with autopopulate enabled (allowing multiple ephemeral pool members to be created) while other LTM pools use FQDN pool members with autopopulate disabled (allowing only one ephemeral pool member to be created), configure the following:
-- Create all FQDN Nodes with FQDN names that might resolve to a common/overlapping set of IP addresses with "autopopulate enabled".
-- Create FQDN Pool Members with autopopulate enabled or disabled depending on the desired membership for each pool.
1076921-3 : Log hostname should be consistent when it contains ' . '
Links to More Info: BT1076921
Component: TMOS
Symptoms:
Messages that are logged to journald use the configured hostname, while syslog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). This results in hostnames being logged inconsistently when they contain '.'; e.g., 'my.hostname' is logged as 'my' by syslog-ng, and 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files.
Conditions:
-- Hostname contains a period.
-- Viewing log files emitted from journald and from syslog-ng.
Impact:
The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname.
Workaround:
N/A
1076801-1 : Loaded system increases CPU usage when using CS features
Links to More Info: BT1076801
Component: TMOS
Symptoms:
When the BIG-IP system is under heavy load, datasyncd might create multiple java obfuscator processes running at the same time, which increases load even more.
Conditions:
-- CPU utilization on the BIG-IP system is high.
And one or more of the following conditions:
-- Bot Defense profile is attached to a virtual server
-- DoS profile with CS/Captcha mitigation is attached to the virtual server
-- ASM policy with brute force configuration is attached to the virtual server
Impact:
System load is increased.
Workaround:
None.
1076785-1 : Virtual server may not properly exit from hardware SYN Cookie mode
Links to More Info: BT1076785
Component: TMOS
Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.
Conditions:
Selected HSB platforms where TMM is attached to multiple HSB modules. This depends on platform, BIG-IP version and selected Turboflex profile where applicable.
Impact:
The affected virtual server would not receive the TCP SYN packets until a TMM restart. The limited range of MSS values in SYN Cookie mode may slightly affect performance.
Workaround:
Disable hardware SYN Cookie mode on all virtual servers.
1076577-1 : iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg'
Links to More Info: BT1076577
Component: Local Traffic Manager
Symptoms:
The 'connect' iRule command fails to resume, causing processing of traffic to halt due to 'irule_scope_msg', which causes iRule processing to proceed in a way that 'connect' does not expect.
Conditions:
- iRule using 'connect' command
- Diameter/Generic-message 'irule_scope_msg' enabled
Impact:
Traffic processing halts (no crash)
1076477 : AFM allows deletion of a firewall policy even if it's being used in a route domain.
Links to More Info: BT1076477
Component: Advanced Firewall Manager
Symptoms:
AFM allows you to delete a firewall policy that is still applied to a route domain.
Conditions:
A firewall policy is created and assigned to a route domain.
Impact:
The firewall policy can be deleted without warning or error.
Workaround:
Before deleting a firewall policy check to make sure it is not being used in any route domain.
1076401-2 : Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec.
Links to More Info: BT1076401
Component: Global Traffic Manager (DNS)
Symptoms:
Memory leak leading to TMM running out of free memory.
Conditions:
-- dnssec.maxnsec3persec is set to a non-default value (default 0 - unlimited).
-- Number of DNS requests leading to NSEC3 responses goes above the limit of dnssec.maxnsec3persec.
Impact:
TMM runs out of memory.
Workaround:
Set dnssec.maxnsec3persec to 0.
1076377-1 : OSPF path calculation for IA and E routes is incorrect.
Links to More Info: BT1076377
Component: TMOS
Symptoms:
-- OSPF path calculation for IA and E routes is incorrect.
-- E2 route might be preferred over E1 route.
-- Cost calculation for IA routes is incorrect.
Conditions:
Mixing E2/E1 routes and IA routes with different cost.
Impact:
Wrong route is installed.
Workaround:
N/A
1076253-4 : IKE library memory leak
Links to More Info: BT1076253
Component: TMOS
Symptoms:
After the tunnel is established, a continuous increase in memory is seen in the IKE library (memory_usage_stat).
Conditions:
-- IPSEC tunnels are established.
-- DPD delay = 30 sec
Impact:
Continuous memory increase on the BIG-IP system.
Workaround:
None
1075905 : TCP connections may fail when hardware SYN Cookie is active
Links to More Info: BT1075905
Component: TMOS
Symptoms:
When an object is in hardware SYN Cookie mode, some of the valid connections are also rejected with "No flow found for ACK" reset cause.
Conditions:
VELOS and rSeries platforms.
Impact:
Service degradation.
Workaround:
Disable hardware SYN Cookie on all objects (virtual server, VLAN, etc.).
1075729 : Virtual server may not properly exit from hardware SYN Cookie mode
Links to More Info: BT1075729
Component: TMOS
Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.
Conditions:
-- VELOS and rSeries platforms.
-- SYN cookie mode is triggered.
Impact:
The affected virtual server will not receive TCP SYN packets until TMM is restarted. The limited range of MSS values in SYN Cookie mode may slightly affect performance.
Workaround:
Disable HW SYN Cookie mode on all virtual servers.
1075469-3 : DNS GUI: Refreshing a DNS Express record sometimes fails to populate the server.
Links to More Info: BT1075469
Component: Global Traffic Manager (DNS)
Symptoms:
Although there are name servers for the non-common partition, the Server field populates as "None".
Conditions:
-- Updating the DNS express record by performing enable/disable operations.
Impact:
DNS express Server is shown as None for a DNS zone record.
Workaround:
Refresh the page and it will display the correct value.
1075045-3 : Proxy initialization failed, Defaulting to DENY, after applying additional profile to a virtual server
Links to More Info: BT1075045
Component: Local Traffic Manager
Symptoms:
Connections are reset when accessing a virtual server, with an F5 reset cause of "Port denied".
Messages in /var/log/ltm:
err tmm[<PID>]: 01010008:3: Proxy initialization failed for <virtual server>. Defaulting to DENY.
err tmm[<PID>]: 01010008:3: Listener config update failed for <virtual server>: ERR:ERR_MEM
Conditions:
-- Virtual server configured with many profiles
-- Adding an additional profile to the virtual server
Impact:
All connections to the virtual server are immediately reset.
Workaround:
Reduce the number of profiles applied to the virtual server.
1074841-3 : Invalid syslog configuration kills syslog-ng after restarting syslog-ng.
Links to More Info: BT1074841
Component: TMOS
Symptoms:
Syslog-ng is stopped after restarting syslog-ng with an invalid syslog configuration.
Conditions:
-- Invalid syslog-ng configuration.
-- bigstart restart syslog-ng
Impact:
Syslog-ng is stopped.
Workaround:
N/A
1074517-3 : Tmm may core while adding/modifying traffic-class attached to a virtual server
Links to More Info: BT1074517
Component: Local Traffic Manager
Symptoms:
Tmm may core while adding/modifying traffic-class attached to a virtual server
Conditions:
-- Traffic class is attached to a virtual server.
-- Add an existing traffic class to a virtual server.
-- Afterwards, a new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1074505-3 : Traffic classes are not attached to virtual server at TMM start
Links to More Info: BT1074505
Component: Local Traffic Manager
Symptoms:
When tmm starts, an error message is logged in the TMM log:
"MCP message handling failed in 0xXXXX (XXXXXXXX)"
Conditions:
Virtual server with traffic class attached is being used.
Impact:
A traffic class is not being attached to the virtual server so traffic matching the traffic classes does not work.
1074285 : Apmd crashes while handling JWT tokens.
Links to More Info: BT1074285
Component: Access Policy Manager
Symptoms:
An apmd crash might occur while handling JWT tokens.
Conditions:
The payload has invalid JSON during authentication.
Impact:
BIG-IP authorization disrupted while apmd restarts.
Workaround:
N/A
1074053-3 : Delay in displaying the "Now Halting..." message while performing halt from LCD.
Links to More Info: BT1074053
Component: TMOS
Symptoms:
While halting the system from LCD panel, the "Now Halting..." message takes 90 seconds to appear.
Conditions:
Perform the system halt operation from the LCD front panel.
Impact:
Delay in processing the halt operation.
Workaround:
N/A
1073897-4 : TMM core due to memory corruption
Links to More Info: BT1073897
Component: Local Traffic Manager
Symptoms:
Tmm restarts
Conditions:
Unknown
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1073625-4 : Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled.
Links to More Info: BT1073625
Component: Application Security Manager
Symptoms:
ASM policy import is successful on Active unit and it syncs to standby device, but "Apply changes" is displayed on the standby device policies page.
Conditions:
1. XML policy with learning enabled imported via TMSH.
2. Autosync with incremental sync enabled on device-group with ASM sync enabled.
Impact:
The peer (standby) unit needs to have the policies applied manually even though everything is set to auto-sync.
Workaround:
N/A
1073609-2 : Tmm may core while using reject iRule command in LB_SELECTED event.
Links to More Info: BT1073609
Component: Local Traffic Manager
Symptoms:
Tmm cores with SIGFPE "packet is locked by a driver"
Conditions:
-- Fastl4 virtual server
-- iRule attached that uses reject iRule command in LB_SELECTED event
Impact:
Traffic disrupted while tmm restarts.
1073429-3 : Auth partition definition is incorrectly synchronized to peer and then altered.
Links to More Info: BT1073429
Component: TMOS
Symptoms:
An auth partition definition with "device-group none" and "traffic-group none" is incorrectly synchronized to other devices during a full config-sync.
Specifically, the partition is incorrectly synchronized to all other devices that belong to the device-group to which the /Common partition is associated.
Furthermore, the receiving devices incorrectly alter the definition of said partition, in such a way that the definition no longer specifies "device-group none" and "traffic-group none". Instead, this partition will now have inheritance (from the root folder) enabled for both the device-group and traffic-group properties.
Conditions:
Creating an auth partition (for example /Example) which specifies "device-group none" and "traffic-group none" on redundant units, and then issuing a full config sync to the device-group.
Note that even if your device-group is configured to perform incremental syncs, sometimes performing a full sync between devices is a natural and unavoidable event.
Impact:
The definition of an auth partition that was meant to remain local to a given BIG-IP system is incorrectly synchronized to peer devices. Additionally, its device-group and traffic-group properties are altered so that inheritance from the root folder is now enabled.
Initially, this has no other negative consequences, as the configuration objects contained in the "local partition" of the source device are not synchronized. However, a further config sync from the initial receiving device to the initial source device will overwrite the device-group and traffic-group properties there. Once in this state, the unit that contains configuration objects in the "local partition" will synchronize them to the peers during the next config-sync. This can impact the application traffic based on the objects synchronized.
Workaround:
You cannot work around this issue.
However, you may be able to achieve your goal of having a repository for local-only objects by creating a subfolder to the /Common partition rather than creating a new partition.
For example:
tmsh create sys folder /Common/local device-group none traffic-group none
1072953-1 : Memory leak in traffic management interface.
Links to More Info: BT1072953
Component: Local Traffic Manager
Symptoms:
When configuration objects that use a traffic management interface are modified, they leave behind orphaned objects. The memory leak can become significant over time if there are frequent config changes.
Conditions:
Request logging profile attached to a VIP.
Impact:
TMM uses more memory than it should.
Workaround:
Restart tmm to free the memory, and avoid making frequent configuration changes to virtual servers that contain request logging profiles.
1072237-3 : Retrieval of policy action stats causes row handle leak
Links to More Info: BT1072237
Component: TMOS
Symptoms:
With every request for stats (tmsh show ltm policy) when a virtual server with an L7 policy is present, umem_alloc_16 cur_allocs increases and does not return to the prior level, causing memory leak.
Conditions:
The tmsh show ltm policy command is executed when a virtual server with an L7 policy attached is present.
Impact:
Memory leak in umem_alloc_16 cur_allocs for each request of tmsh show ltm policy.
Workaround:
None
1072165-4 : Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
Links to More Info: BT1072165
Component: Application Security Manager
Symptoms:
Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
Conditions:
ASM remote logging in ArcSight format
Impact:
Due to the missing fields, the remote message does not include the name(s) of the threat campaign(s) that were detected.
Workaround:
Use another message format.
1072081-3 : Imish segmentation fault when running 'ip pim sparse-mode ?' on interface config.
Links to More Info: BT1072081
Component: TMOS
Symptoms:
Imish crashes and produces a core file.
Conditions:
-- Add PIM to a route-domain
-- Run 'ip pim sparse-mode ?' while in imish configuration mode at the interface level
Impact:
No real impact.
Workaround:
N/A
1071449-2 : Statsd memory leak on platforms with license disabled processors.
Links to More Info: BT1071449
Component: Local Traffic Manager
Symptoms:
Memory usage in statsd will continue to grow until the control-plane is out of memory.
Conditions:
This issue occurs when the license on the BIG-IP disables some of the processors.
Impact:
Statsd may consume excessive memory causing OOM killer activity.
Workaround:
Restart statsd periodically.
1071385-1 : SSL session resumption using session tickets is incorrectly logging handshake failure messages
Links to More Info: BT1071385
Component: Local Traffic Manager
Symptoms:
Handshake failure messages are logged when the handshake was successful.
Conditions:
-- Enable session-ticket in SSL profile.
-- Client establishes connection with session resumption option
Impact:
Inaccurate information in log.
Workaround:
None
1071301-3 : GTM server does not get updated even when the virtual server status changes.
Links to More Info: BT1071301
Component: Global Traffic Manager (DNS)
Symptoms:
GTM Server is in an Unknown state even though the single virtual server is green.
Conditions:
-- Three-member sync group.
-- Create a large number of virtual servers.
-- Virtual servers are disabled and enabled.
Impact:
The server status does not reflect the virtual server status, and there is no obvious way to recover.
Workaround:
N/A
1071233-3 : GTM Pool Members may not be updated accurately when multiple identical database monitors are configured
Links to More Info: BT1071233
Component: Global Traffic Manager (DNS)
Symptoms:
When two or more GTM database monitors (MSSQL, MySQL, PostgreSQL, and Oracle) with identical 'send' and 'recv' strings are configured and applied to different GTM pools (with at least one pool member in each), the monitor status of some GTM pool members may not be updated accurately.
Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause GTM pool members using one of the affected monitors to connect to the same database to be marked UP, while GTM pool members using another affected monitor may be marked DOWN.
As a result of this issue, GTM pool members that should be marked UP or DOWN by the configured GTM monitor may instead be marked according to another affected monitor's configuration, resulting in the affected GTM pool members being intermittently marked with an incorrect state.
After the next monitor ping interval, affected GTM pool members may be marked with the correct state.
Conditions:
This may occur when multiple GTM database monitors (MSSQL, MySQL, PostgreSQL, and Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members which share the same IP address and Port values.
For example:
gtm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
gtm monitor mysql mysql_monitor2 {
...
recv none
send "select version();"
...
}
Impact:
Monitored GTM pool members using a database monitor (MSSQL, MySQL, PostgreSQL, and Oracle) randomly go offline/online.
Workaround:
To avoid this issue, configure each GTM database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.
For example:
gtm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
gtm monitor mysql mysql_monitor2 {
...
recv 5.7
send "select version();"
...
}
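An audit for the monitor-definition condition in 1071233, added here as an example (not F5 code): it parses 'gtm monitor' stanzas in the layout shown above and lists database monitors whose 'send' and 'recv' values are identical. The configuration text is constructed sample data; treating a missing 'send' or 'recv' as 'none' and grouping across the four database monitor types are assumptions, and the script does not check which pool members share an IP address and port.

```python
import re
from collections import defaultdict

# Database monitor types named in the issue description.
DB_TYPES = {"mssql", "mysql", "oracle", "postgresql"}
HEADER = re.compile(r"^gtm monitor (\S+) (\S+) \{\s*$")


def unquote(value):
    """Strip surrounding double quotes and unescape embedded ones."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('\\"', '"')
    return value


def parse_monitors(text):
    """Return a list of {'type', 'name', 'props'} for each gtm monitor stanza."""
    monitors, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if current is None:
            match = HEADER.match(line)
            if match:
                current = {"type": match.group(1), "name": match.group(2), "props": {}}
                depth = 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:                   # end of this monitor stanza
                monitors.append(current)
                current = None
            continue
        if line.endswith("{"):               # nested block: skip its contents
            depth += 1
            continue
        if depth == 1 and line:
            key, _, value = line.partition(" ")
            current["props"][key] = unquote(value.strip())
    return monitors


def find_collisions(monitors):
    """Group database monitors by (send, recv); return groups with >1 monitor."""
    groups = defaultdict(list)
    for mon in monitors:
        if mon["type"] not in DB_TYPES:
            continue
        # Assumption: an absent property is equivalent to the value 'none'.
        key = (mon["props"].get("send", "none"), mon["props"].get("recv", "none"))
        groups[key].append(mon["name"])
    return sorted((send, recv, sorted(names))
                  for (send, recv), names in groups.items() if len(names) > 1)


# Constructed sample configuration (not taken from a real system).
SAMPLE_CONFIG = '''
gtm monitor mysql mysql_monitor1 {
    recv none
    send "select version();"
}
gtm monitor mysql mysql_monitor2 {
    recv none
    recv-row 2
    send "select version();"
}
gtm monitor mysql mysql_monitor3 {
    recv 5.7
    send "select version();"
}
gtm monitor http http_probe {
    recv none
    send "GET /"
}
'''

if __name__ == "__main__":
    for send, recv, names in find_collisions(parse_monitors(SAMPLE_CONFIG)):
        print(f"identical send={send!r} recv={recv!r}: {', '.join(names)}")
```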
1071181 : Improving Signature Detection Accuracy
Component: Anomaly Detection Services
Symptoms:
BADOS-generated signatures have up to 20% false positives if the signature covers 100% of bad traffic.
Conditions:
The attack signature generated covers all bad traffic.
Impact:
BADOS generates false positives
Workaround:
None
1070957-3 : Database monitor log file backups cannot be rotated normally.
Links to More Info: BT1070957
Component: Local Traffic Manager
Symptoms:
Debug log files used by the BIG-IP database monitor daemon (DBDaemon) do not exhibit the log-rotation behavior of other BIG-IP log files.
- The active DBDaemon log file is /var/log/DBDaemon-0.log
- DBDaemon log file size is limited to approximately 5MB. DBDaemon log files are backed up/rotated upon reaching this size.
- Exactly 9 (nine) DBDaemon log file backups are retained (/var/log/DBDaemon-0.log.[1-9])
- DBDaemon log file backups are not compressed.
- DBDaemon log file backup/rotation behavior is not user-configurable.
Conditions:
This issue applies when using BIG-IP database monitors:
-- mssql
-- mysql
-- oracle
-- postgresql
Impact:
-- DBDaemon log file backups may consume more space under /var/log than desired.
-- When troubleshooting database monitor issues, DBDaemon log file rotation may occur so rapidly that older DBDaemon events may be lost, limiting the ability to capture meaningful diagnostic data.
Workaround:
It may be possible to work around this issue by periodically archiving DBDaemon log files, such as in a script with the following core functionality:
pushd /var/log;tar -czf DBDaemon_$(date +%Y%m%d%H%M).tgz DBDaemon-0.log*;popd
1070953-2 : Dnssec zone transfer could cause numerous gtm sync events.
Links to More Info: BT1070953
Component: Global Traffic Manager (DNS)
Symptoms:
GTM syncs for zone transfers that happen on other GTMs.
Conditions:
Dnssec zone transfer to client on peer GTM in the same GTM sync group.
Impact:
Numerous GTM sync events and a possible sync storm.
Workaround:
N/A
1070677-2 : Learning phase does not take traffic into account - dropping all.
Component: Protocol Inspection
Symptoms:
Suggestions are generated every suggestion interval, and each interval's suggestions override the previous ones, so only the last suggestion is considered after the staging period is completed.
Conditions:
From the start of the staging period, suggestions are overridden at every interval until the staging period completes.
Impact:
IPS learning phase, which lasts the default 7 days, sees a ton of traffic from websites hitting against signatures, but at the end of the 7 days it blocks all signatures and causes an outage.
Workaround:
N/A
1070181-1 : Secondary MCPD crashes with Configuration error
Links to More Info: BT1070181
Component: Local Traffic Manager
Symptoms:
MCPD crashes with an error:
Configuration error: In Virtual Server (/Common/vip-test) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/test-reneg-2'; renegotiation must be disabled
Conditions:
Virtual server with
-> http2 profile - 'enforce-tls-requirements' enabled
-> client-ssl profile 1 - 'renegotiation' disabled
-> client-ssl profile 2 - 'renegotiation' enabled
Impact:
MCPD crashes on the non-active device.
Workaround:
Disable 'enforce-tls-requirements' in the http2 profile.
1070073-1 : ASM Signature Set accuracy filter is wrong on GUI.
Component: Application Security Manager
Symptoms:
For High/Medium Accuracy Signatures (these are Signature Sets), the GUI shows signatures with an Accuracy Level that is different from that of the Signature Set.
Conditions:
1. Go to Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets.
2. Choose High Accuracy Signatures (a "built-in" signature set).
3. You will see Non-High accuracy signatures included in the set such as Zimbra Collaboration ProxyServlet SSRF.
Impact:
Unintended signatures could be included in the policy.
Workaround:
Create a custom filter-based Signature Set with its accuracy set to High Accuracy signatures.
1069977 : Repeated TMM SIGABRT during ips_flow_process_data
Component: Protocol Inspection
Symptoms:
IPS consumes excessive CPU time processing GTP related context entries and this causes the tmm clock not to be updated, because of which SOD tries to restart the TMM.
Conditions:
-- Heavy GTP traffic, and request creation messages are sent without sending the response messages.
Impact:
Traffic disrupted while tmm restarts.
1069729-1 : TMM might crash after a configuration change.
Links to More Info: BT1069729
Component: Application Security Manager
Symptoms:
After modifying a dosl7 profile, in rare cases TMM might crash.
Conditions:
Modifying DoSl7 profile attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
1069321 : High iowait and pgstat wait warnings every hour due to excessive logging in autodosd.out
Links to More Info: BT1069321
Component: Advanced Firewall Manager
Symptoms:
Undesirable log messages are logged:
Dec 06 15:48:04|mcp_process_aggregate_period|2607| Before sorting ctx[device-global]:dosid[62] tmmid[9] agg[11] proto[0] top1[1451] top2[1634] top3[1449] top4[1652] mean[1393] bump[16] ba_max[0] bd_max[0]
Dec 06 15:48:04|mcp_process_aggregate_period|2615| After sorting ctx[device-global]:dosid[62] tmmid[9] agg[11] proto[0] top1[1652] top2[1634] top3[1451] top4[1449] mean[1393] bump[16] ba_max[0] bd_max[0]
F55 coming to inside query stress
F55 coming to inside query stress
Conditions:
AFM provisioned
Impact:
The system may hang or have high memory and CPU utilization.
Workaround:
Delete the /shared/tmp/autodosd*.out file and restart
1069137-4 : Missing AWAF sync diagnostics
Links to More Info: BT1069137
Component: Application Security Manager
Symptoms:
Complex issues related to Policy Synchronization over Device Sync Groups and chassis are difficult to diagnose.
More detailed logging is needed if errors occur.
Conditions:
Device Group Sync is enabled on a chassis device.
Impact:
Root cause analysis is lengthy and difficult.
Workaround:
Enable debug logs in the environment:
> tmsh modify sys db log.asm.asmconfig.level value debug
> tmsh modify sys db log.asm.asmconfigevent.level value debug
> tmsh modify sys db log.asm.asmconfigverbose.level value debug
1069133-2 : ASMConfig memory leak.
Links to More Info: BT1069133
Component: Application Security Manager
Symptoms:
A slow leak exists for long-lived asm_config_handler processes that handle configuration updates.
Conditions:
Configuration updates are being regularly made.
Impact:
Processes slowly grow in size until they reach a limit and restart themselves.
Workaround:
N/A
1069113-3 : ASM process watchdog should be less aggressive.
Links to More Info: BT1069113
Component: Application Security Manager
Symptoms:
During standard operation a process is expected to exit and be restarted once it has exceeded a certain memory limit. As a failsafe, the watchdog forcefully kills the process if it exceeds a higher threshold. But if the handler was running close to the memory limit before a resource-intensive event like a full sync load, this operation could push it over both limits.
Conditions:
An ASM Config handler is running close to the memory limit before a resource intensive event, like a full sync load.
Impact:
A process may be killed in the middle of a data-integrity sensitive action, like a device-group sync, which can leave the system in a corrupt state.
Workaround:
Modify the memory limits in nwd.cfg to raise them by 100MB.
1068673-1 : SSL forward Proxy triggers CLIENTSSL_DATA event on bypass.
Links to More Info: BT1068673
Component: Local Traffic Manager
Symptoms:
The CLIENTSSL_DATA iRule event is triggered unexpectedly during SSL forward proxy bypass.
Conditions:
This issue is seen when SSL forward proxy with bypass is enabled on client & server SSL profiles.
Impact:
This can cause unexpected failure of existing iRules which only expect CLIENTSSL_DATA on intercepted (and decrypted) data.
Workaround:
N/A
1068445-3 : TCP duplicate acks are observed in speed tests for larger requests
Links to More Info: BT1068445
Component: Local Traffic Manager
Symptoms:
- A lot of TCP duplicate acks are observed in speed tests for larger requests
Conditions:
All of the following conditions are met:
- Large request
- fastL4 profile with PVA acceleration set
- Below sys db variables are enabled
tm.tcpsegmentationoffload
tm.tcplargereceiveoffload
- Softpva is used
Impact:
- Reduced throughput because of duplicate ACKs and retransmissions
Workaround:
Apply either one of the following:
- fastL4 profile with PVA acceleration set to NONE
- Disable below sys db variables
tm.tcpsegmentationoffload
tm.tcplargereceiveoffload
1068237-3 : Some attack signatures added to policies are not used.
Links to More Info: BT1068237
Component: Application Security Manager
Symptoms:
Some attack signatures added to an existing signature set may not be utilized by Policies associated with the signature set, despite the attack signatures being reported as now present in the Policies.
Conditions:
1. Have one or more policies utilizing a manual attack signature set.
2. Update the attack signature database by installing an ASU or creating a custom attack signature.
3. Update the previously created manual attack signature set with one or more attack signatures which were not updated by the ASU (if ASU installed) or are not the newly created custom attack signature (if new custom signature created).
Impact:
The additional attack signatures added to the attack signature set will show up in the Policies utilizing the signature set; however, the Policies will not actually use those additional attack signatures.
Workaround:
There are two workarounds:
1. When adding additional attack signatures to a Policy, place them in a new attack signature set rather than re-using an existing signature set.
2. If adding signatures to an existing set, afterwards create a new custom attack signature, add it to a new manual attack signature set, add the set to any active policy and then remove the set from the policy (the set and signature can then be deleted if desired).
Both workarounds will result in all attack signatures listed as present in all Policies being fully and properly utilized by the Policies.
1067917-3 : Attaching iRule DOSL7::enable when mitigation is not enabled at dosl7 profile, it is not showing warning in GUI.
Links to More Info: BT1067917
Component: Application Security Manager
Symptoms:
An iRule that calls DOSL7::enable can be attached to a virtual server whose attached dosl7 profile has no mitigation enabled. The iRule attaches successfully, but the same steps give the following error in 13.1.3.6:
"1070151:3: Rule [/Common/<iRulename>] error: Unable to find profile_dos (<dos profile name>) referenced at line 3: [DOSL7::enable <dosl7 profile name>]"
Conditions:
Create a dosl7 profile without any mitigation enabled, and create the following iRule:
when HTTP_REQUEST {
    DOSL7::enable test
}
Attach the iRule to a virtual server.
Impact:
No warning is shown, but the rule causes an error in the logs and does not apply.
Workaround:
Enable the mitigation in order to attach this DOSL7::enable method.
1067821-4 : Stats allocated_used for region inside zxfrd is overflowed
Links to More Info: BT1067821
Component: Global Traffic Manager (DNS)
Symptoms:
No visible symptoms.
Conditions:
Large resource record addition and deletion for dns express zones.
Impact:
Internal zxfrd stats are incorrect.
1067797-3 : Trunked interfaces that share a MAC address may be assigned in the incorrect order.
Links to More Info: BT1067797
Component: TMOS
Symptoms:
Interfaces that are trunked together and use the same MAC address may end up in an incorrect order when the system is restarted.
Conditions:
Trunked interfaces that use the same MAC address. On reboot the f5-swap-eth script will incorrectly reorder the affected interfaces.
Impact:
Incorrect ordering could result in a failover or outage.
Workaround:
N/A
1067669-3 : TCP/UDP virtual servers drop all incoming traffic.
Links to More Info: BT1067669
Component: Local Traffic Manager
Symptoms:
-- Incoming TCP/UDP traffic is not processed by virtual servers on the BIG-IP system. Instead, legitimate traffic appears to be dropped by the BIG-IP system.
-- A tcpdump taken on the BIG-IP system shows the traffic arriving on VLAN 0 instead of the actual VLAN.
-- Inspection of the dns_rapid_response_global tmstat table shows many entries in the failed_ifc column.
Conditions:
-- Using a BIG-IP 2000, 4000, or VE device.
-- Using a trunk with an untagged VLAN.
-- Using a virtual server with a dns profile configured for rapid-response.
Impact:
All TCP/UDP virtual servers fail to process incoming traffic.
Workaround:
You can work around this issue by performing any one of the following actions:
-- Avoid using an untagged VLAN with your trunks.
-- Avoid using a trunk if you cannot avoid using untagged VLANs.
-- Disable rapid-response in all dns profiles (this option is disabled by default).
1067617-2 : BGP default route not advertised after mid-session OPEN.
Links to More Info: BT1067617
Component: TMOS
Symptoms:
After a BGP peer opens a new session with BIG-IP in the middle of the existing session and the session is dropped, BIG-IP does not send the default route NLRI to the peer when the new session is established.
Conditions:
Mid-session OPEN (Event 16 or Event 17 per RFC spec).
Impact:
Default route is missing on a BGP peer.
Workaround:
Clear the BGP session manually.
1067469-2 : Discrepancy in virtual server stats with LRO enabled.
Links to More Info: BT1067469
Component: Local Traffic Manager
Symptoms:
The virtual_server_stat table has a discrepancy in clientside.bytes_out and serverside.bytes_in with LRO enabled.
Conditions:
LRO is enabled (sys db tm.tcplargereceiveoffload value "enable").
Impact:
The virtual_server_stat table shows a difference in clientside.bytes_out and serverside.bytes_in when LRO is enabled.
Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
After modifying that variable, the virtual server stats need to be reset in order to clear historical stats using the following command: tmsh reset-stats ltm virtual
Otherwise TMM can be restarted to clear the stats.
1067405-2 : TMM crash while offloading / programming bad actor connections to hardware.
Links to More Info: BT1067405
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while passing traffic. From the core analysis, this issue looks specific to some platforms (i4800 c115).
Conditions:
This might occur when bad actor detection is enabled on BIG-IP iSeries platforms.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue is platform specific and seen only when bad actor detection is enabled.
1067309-3 : GTMD cored followed by TMM core SIGSEGV due to illegal GTM server reference.
Links to More Info: BT1067309
Component: Global Traffic Manager (DNS)
Symptoms:
TMM and gtmd core while passing traffic.
Conditions:
A rare race condition between TMM and GTMD occurs while passing traffic.
Impact:
Traffic disrupted while tmm and gtmd restart.
Workaround:
N/A
1067025-2 : Rate-shaping + immediate timeout causing connection to stall.
Links to More Info: BT1067025
Component: Local Traffic Manager
Symptoms:
Server-side connection stalls if rate-limit is reached for a connection that has a timeout value set to immediate.
Conditions:
-- Rate-limit configured and reached.
-- Profile has immediate timeout configured.
Impact:
No packets are sent to the server.
Workaround:
Configure a timeout value on a protocol profile.
1066397-3 : GTM persists to last resort pool members even when primary pool members become available.
Links to More Info: BT1066397
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Queries are persisted to the last resort pool members after the primary pool comes back.
Conditions:
-- WideIP with persistence enabled
-- Disable primary pool members with the queries answered from the last resort pool
-- Now re-enable the primary pool members
Impact:
DNS Queries are persisted to the last resort pool members after the primary pool comes back.
Workaround:
N/A
1065821-2 : Cannot create an iRule with a newline between event and opening brace.
Links to More Info: BT1065821
Component: TMOS
Symptoms:
POST-ing to the BIG-IP REST API fails when creating an iRule.
Conditions:
iRule body has a newline after the event name.
For example:
"apiAnonymous": "when HTTP_REQUEST\n {...}"
Working:
"apiAnonymous": "when HTTP_REQUEST {...}"
Impact:
The iRule fails to create and you receive a warning about an unknown property.
{
"code": 400,
"message": "\"{\" unknown property",
"errorStack": [],
"apiError": 26214401
}
Workaround:
Format the iRule to not use newlines between the event name and opening brace.
Change from:
"apiAnonymous": "when HTTP_REQUEST\n {...}"
To:
"apiAnonymous": "when HTTP_REQUEST {...}"
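The workaround for 1065821 can be applied automatically before an iRule body is placed in the "apiAnonymous" field. The following is an added example, not F5 code: the function names and the sample iRule are constructed, and the pattern assumes that only the optional "priority" and "timing" keywords may appear between the event name and the opening brace.

```python
import json
import re

# A 'when EVENT [timing on|off] [priority N]' header whose opening brace
# sits on a later line instead of on the same line as the event name.
EVENT_BRACE_SPLIT = re.compile(
    r"^([ \t]*when[ \t]+[A-Z][A-Z0-9_]*"
    r"(?:[ \t]+(?:priority[ \t]+\d+|timing[ \t]+(?:on|off)))*)"
    r"[ \t]*(?:\r?\n[ \t]*)+\{",
    re.MULTILINE,
)


def find_split_event_lines(rule_source):
    """Return 1-based line numbers of 'when' headers with a detached brace."""
    return [
        rule_source.count("\n", 0, match.start(1)) + 1
        for match in EVENT_BRACE_SPLIT.finditer(rule_source)
    ]


def normalize_rule(rule_source):
    """Move each detached opening brace onto the line of its event name."""
    return EVENT_BRACE_SPLIT.sub(r"\1 {", rule_source)


def build_rule_payload(name, rule_source):
    """Build the JSON body for creating the iRule, with the body normalized."""
    return json.dumps({"name": name, "apiAnonymous": normalize_rule(rule_source)})


# Constructed sample iRule: two headers trigger the issue, one does not.
SAMPLE_RULE = """\
when HTTP_REQUEST
{
    HTTP::respond 200 content "ok"
}
when CLIENT_ACCEPTED priority 100
  {
    log local0. "accepted"
}
when HTTP_RESPONSE {
    HTTP::header remove Server
}
"""

if __name__ == "__main__":
    print("affected lines:", find_split_event_lines(SAMPLE_RULE))
    print(build_rule_payload("example_rule", SAMPLE_RULE))
```

The pattern only matches lines that begin with "when", so a commented-out header is left alone; a "when" header inside a multi-line string literal would still be rewritten.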
1065757 : Virtual servers may not receive TCP SYN packets when another virtual server is in SYN Cookie mode
Component: TMOS
Symptoms:
When a wildcard or subnet virtual server that listens on a specific VLAN or list of VLANs enters HW SYN Cookie mode, its Neuron rule jumps to the top of the priority list and therefore catches the SYN packets of other virtual servers that have an overlapping destination address and are configured to listen on all VLANs.
Conditions:
- On platforms with Neuron support (BIG-IP iSeries).
- Wildcard or subnet virtual server that listens on a list of VLANs and other overlapping virtual servers that listen on all VLANs.
Impact:
Virtual servers that are not in SYN Cookie mode, perhaps even have SYN Cookie disabled, do not receive the TCP SYN packets. The limited number of possible MSS values may cause a slight performance degradation.
Workaround:
Disable HW SYN Cookie on the wildcard virtual server.
1065549 : BIG-IP does not fail gracefully when a TX error is detected in the kernel ixgbevf driver.
Links to More Info: BT1065549
Component: TMOS
Symptoms:
The BIG-IP can get into an endless loop when a transmission error is detected in the kernel ixgbevf driver.
Conditions:
A BIG-IP Virtual Edition system is using the ixvf driver.
Impact:
The BIG-IP system will not process traffic and will need to be restarted. This could result in a failover or outage.
Workaround:
Use the sock driver. See K10142141: Configure the BIG-IP VE system to use the SOCK network driver, available at https://support.f5.com/csp/article/K10142141.
1065429-1 : LACP trunks flap continuously when used in virtual-wire configuration
Links to More Info: BT1065429
Component: Local Traffic Manager
Symptoms:
When a virtual wire is configured with two LACP trunks and the "vwire-propagate-linkstatus" option is enabled, the trunks flap continuously and are unable to pass any traffic.
Conditions:
-- A virtual wire is configured with 2 trunks
-- The "vwire-propagate-linkstatus" option is enabled on the virtual wire
Impact:
The virtual wire is unable to pass any traffic
Workaround:
Disable the "vwire-propagate-linkstatus" option of the virtual wire.
1065041-2 : Web Application shows 'Not Found' in GUI.
Links to More Info: BT1065041
Component: TMOS
Symptoms:
Clicking 'Web Application' under GUI :: Acceleration results in errors:
Not found
The requested URL was not found on this server.
Conditions:
With AAM provisioned, upgrade to BIG-IP v15.1.4.
Impact:
Web acceleration configuration cannot be accessed from the GUI.
Workaround:
There are two workarounds:
-- Use tmsh for managing acceleration.
-- Follow this procedure:
1. In /etc/rc.d/init.d/httpd, add the following content after line '[ -d /var/avr/avrui ] && OPTIONS="${OPTIONS} -DAVRUI"'
# Check if WA package is installed (by checking the existence of
# /usr/local/www/waui/WEB-INF/web.xml)
[ -f /usr/local/www/waui/WEB-INF/web.xml ] && OPTIONS="${OPTIONS} -DWebAccelerator"
2. In /config/httpd/conf/httpd.conf, in the following location:
<Directory "/var/run/config/htdocs">
Options None
AllowOverride None
</Directory>
Add the following content:
<IfDefine WebAccelerator>
<Location /waui>
<RequireAll>
AuthType Basic
AuthName "BIG-IP"
AuthPAM_Enabled on
AuthPAM_IdleTimeout 1200
require valid-user
</RequireAll>
</Location>
<Location "/waui/WEB-INF">
Require all denied
</Location>
</IfDefine>
3. Go to end of /config/httpd/conf.d/proxy_ajp.conf, and add the following content
<IfDefine WebAccelerator>
ProxyPassMatch ^/waui/(.*)$ ajp://localhost:8009/waui/$1 retry=5
</IfDefine>
4. Restart httpd:
bigstart restart httpd
1065013-2 : Tmm crash with iRuleLX plugin in use
Links to More Info: BT1065013
Component: Local Traffic Manager
Symptoms:
Tmm runs out of memory and crashes.
Conditions:
Exact conditions that trigger this are unknown:
-- iRuleLX provisioned and configured in one or more virtual servers
-- Network traffic is passing
Impact:
Traffic disrupted while tmm restarts.
1064893-3 : Keymgmtd memory leak occurs while configuring ca-bundle-manager.
Links to More Info: BT1064893
Component: TMOS
Symptoms:
Keymgmtd leaks memory and the RES/RSS value increases over time.
The same issue can be observed by using top -p `pidof keymgmtd` or tmctl proc_pid_stat proc_name=keymgmtd -s proc_name,vsize,rss to monitor the keymgmtd resident memory size.
Conditions:
Configure sys crypto ca-bundle-manager to periodically update the ca bundle on the system.
Impact:
If keymgmtd causes a system wide out of memory condition, this could cause a traffic disruption, if mcpd is chosen to be killed.
Workaround:
N/A
1064753-2 : OSPF LSAs are dropped/rate limited incorrectly.
Links to More Info: BT1064753
Component: TMOS
Symptoms:
Some LSAs are dropped on BIG-IP with a log similar to:
"LSA is received recently".
Conditions:
Tuning OSPF min LSA arrival has no effect on some LSA handling.
Impact:
OSPF LSAs are dropped/rate limited incorrectly.
Workaround:
N/A
1064725-2 : False alarm log message on ltm as CHMAN request for tag:19 as failed.
Links to More Info: BT1064725
Component: Local Traffic Manager
Symptoms:
The following log is seen in /var/log/ltm when a qkview is generated:
warning chmand[6307]: 012a0004:4: CHMAN request (from qkview) for tag:19 failed.
or when a tcpdump capture is started:
warning chmand[792]: 012a0004:4: CHMAN request (from bigpcapq33E5-24) for tag:19 failed
Conditions:
Generate a qkview file from the GUI/CLI or start a tcpdump command from the CLI.
Impact:
No functional impact.
Workaround:
None
1064669-3 : Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash.
Links to More Info: BT1064669
Component: Local Traffic Manager
Symptoms:
TMM crashes if an iRule is configured that has HTTP::enable in the RULE_INIT event.
Conditions:
An iRule that uses the HTTP::enable command in the RULE_INIT event, for example:
ltm rule example_rule {
when RULE_INIT {
# Don't do this!
HTTP::enable
}
}
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Do not use the HTTP::enable iRule command in the RULE_INIT event.
1064461-2 : PIM-SM will not complete RP registration over tunnel interface when floating IP address is used.
Links to More Info: BT1064461
Component: TMOS
Symptoms:
PIM-SM will not complete rendezvous point (RP) registration over the tunnel interface when a floating IP address is used (ip pim use-floating-address). Join/prune from RP gets dropped on BIG-IP when doing local-address validation.
BIG-IP never completes registration successfully.
Conditions:
RP registration over tunnel interface when floating IP address is used.
Impact:
BIG-IP never completes registration and outgoing packets are register-encapsulated.
Workaround:
N/A
1064217-3 : Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T.
Links to More Info: BT1064217
Component: Carrier-Grade NAT
Symptoms:
Port bits are not set as expected in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T.
Conditions:
This occurs in a MAP-T configuration.
Impact:
MAP-T port translation does not work as expected.
Workaround:
N/A
1064205-3 : GSLB virtual server's status can't be changed from the drop-down selection box on its properties page.
Component: Global Traffic Manager (DNS)
Symptoms:
The status of the GSLB virtual server associated with the GSLB server does not get changed through selection in the drop-down box in front of "Status".
Conditions:
1. Open the properties page of a GSLB virtual server, reached from DNS ›› GSLB : Servers : Server List ›› Virtual Servers.
2. Change the value in the drop-down box in front of the "Status" field and click the "Update" button.
Impact:
The status of the GSLB virtual server can't be changed from its own properties page.
Workaround:
The status of one or multiple virtual servers can be changed on the page DNS ›› GSLB : Servers : Server List ›› Virtual Servers by selecting the desired ones and clicking the "Enable" or "Disable" button.
1063977-1 : Tmsh load sys config merge fails with "basic_string::substr" for non-existing key.
Links to More Info: BT1063977
Component: Local Traffic Manager
Symptoms:
"tmsh load sys config merge" fails with the following error.
Loading configuration...
/var/tmp/repro.txt
01070711:3: basic_string::substr
Unexpected Error: Loading configuration process failed.
Conditions:
The key referenced in the configuration of the SSL profile does not exist in the BIG-IP.
Impact:
"tmsh load sys config merge" fails which is expected, but the error is not meaningful.
Workaround:
Identify the missing SSL key used in the configuration and correct it.
1063865-4 : Blade remains in an INOPERATIVE state after being moved to new chassis.
Links to More Info: BT1063865
Component: Local Traffic Manager
Symptoms:
When moving a blade to a new chassis, it can remain in an INOPERATIVE state upon startup. The following errors can be found in /var/log/ltm:
slot2 notice mcpd[7042]: 01071029:5: Master Key not present.
slot2 err csyncd[8163]: 013b0004:3: Unable to subscribe to mcpd, disconnecting...
Conditions:
- Multi-bladed BIG-IP systems
- Move a blade from one chassis to an open slot in the other chassis
Impact:
The moved blade will not properly sync up with the rest of the system, and remain INOPERATIVE.
Workaround:
This occurs due to the master key not being propagated to the moved blade. You can manually circumvent this by doing the following (this assumes slot 1 is primary and slot 2 has the moved blade):
Back up the master keys first (optional):
1. On the primary slot:
cp /config/bigip/kstore/master /var/tmp/master_slot1
2. On the moved slot:
cp /config/bigip/kstore/master /var/tmp/master_slot2
Copy the master key to the moved slot:
1. On the primary slot:
scp /config/bigip/kstore/master root@slot2:/config/bigip/kstore/master
2. On the moved slot:
bigstart restart mcpd
1063829-4 : Zxfrd could run out of memory because zone db files are not efficiently recycled.
Links to More Info: BT1063829
Component: Global Traffic Manager (DNS)
Symptoms:
Zxfrd is killed because of "Out of memory".
Conditions:
Dns express zones are updated continuously.
Impact:
Zxfrd keeps restarting.
Workaround:
Delete zxfrd files and restart zxfrd.
If sys db dnsexpress.hugepages is 0, run:
# rm -rf /shared/zxfrd/*
# bigstart restart zxfrd
If sys db dnsexpress.hugepages is 1, run:
# rm -rf /dev/mprov/zxfrd/*
# bigstart restart zxfrd
1063473-3 : While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly
Links to More Info: BT1063473
Component: TMOS
Symptoms:
Even though the platform is distributing packets to the TMM's SEPs evenly, virtual server connections are balanced unevenly.
Conditions:
Migrate vCMP guests to the VELOS chassis.
Impact:
Traffic is not distributed evenly across TMMs. LTM log shows a lot of RST packets and pool members go down and up continuously.
Workaround:
None
1063453-3 : FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets.
Links to More Info: BT1063453
Component: Local Traffic Manager
Symptoms:
Tmm crashes while passing IPv4-to-IPv6 traffic over FastL4.
Conditions:
-- A FastL4 virtual server translates between IPv4 and IPv6.
-- Fragment reassembly is not enabled in the FastL4 profile.
-- A feature requiring asynchronous completion is configured, including: asynchronous iRules on LB events (LB_SELECTED, LB_FAILED, LB_PERSIST_DOWN, LB_QUEUED, SA_PICKED), persistence, sessiondb operations, HA, virtual rate limiting.
Impact:
All traffic is disrupted while the TMM restarts.
Workaround:
Configure the FastL4 profile to always reassemble fragments.
1063345-2 : Urldbmgrd may crash while downloading the database.
Component: Access Policy Manager
Symptoms:
Urldbmgrd may crash while downloading the database.
Conditions:
SWG or URLDB is provisioned.
Impact:
User traffic will be impacted when urldbmgrd is down.
Workaround:
N/A
1063261-3 : TMM crash is seen due to sso_config objects.
Links to More Info: BT1063261
Component: Access Policy Manager
Symptoms:
A TMM crash was observed once, due to unfreed sso_config objects in SAML.
Conditions:
Conditions are unknown; this was only seen once.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
1063237-2 : Stats are incorrect when the management interface is not eth0
Links to More Info: BT1063237
Component: TMOS
Symptoms:
The provision.managementeth db variable can be used to change which interface the management interface is bridged to:
https://clouddocs.f5.com/cloud/public/v1/shared/change_mgmt_nic_google.html
If this is changed to something other than eth0, the management interface stats will continue to be read from eth0 and thus be incorrect.
Conditions:
When provision.managementeth is changed to something other than eth0.
Impact:
Management interface stats are incorrect.
Workaround:
Reconfigure the management interface to use eth0.
1062953-3 : Unable to save configuration via tmsh or the GUI.
Links to More Info: BT1062953
Component: TMOS
Symptoms:
If there are hundreds of partitions and changes to the configuration are made via the GUI, the configuration save can hang. When the configuration save hangs, all subsequent configuration saves will not complete.
Conditions:
-- Hundreds of partitions with objects contained in them.
-- Changing config via the GUI.
Impact:
Subsequent attempts to save the configuration will not complete.
Workaround:
In this scenario, syscalld is the process that created the tmsh process that hangs while saving the config. Restarting syscalld with 'bigstart restart syscalld' kills the hung syscalld and tmsh processes and restores services.
1062901-3 : The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface.
Links to More Info: BT1062901
Component: TMOS
Symptoms:
The BIG-IP system sends SNMP traps from an unintended interface (likely a TMM VLAN instead of the management port).
Conditions:
This issue occurs when the configuration:
- Includes a 'trap-source' property which matches the BIG-IP system's management IP address.
- Includes a SNMP trap destination which specifies 'mgmt' as the 'network' property.
- Includes routes to the aforementioned SNMP trap destination via both tmm and the management port (and the routes are such that the tmm one wins).
Impact:
Outgoing snmp traps fail to bind to the management IP address and to leave from the management port. Instead, they will bind to a self-ip matching TMM's route to the destination and leave from a TMM VLAN.
This can cause issues (or not work at all) depending on the configuration of the host system meant to receive the traps and/or of the surrounding network devices.
Workaround:
N/A
1062857-1 : Non-tmm source logs stop populating after a system time change.
Links to More Info: BT1062857
Component: TMOS
Symptoms:
The syslog-ng service fails, which leads to daemon logs not being captured in files such as:
- /var/log/ltm
- /var/log/messages
Conditions:
Change the system date and time to future or past, and then reboot the system.
Impact:
Except for TMM logs, daemon logs are not captured in /var/log/ltm, due to the syslog-ng failure.
Workaround:
None
1062493-3 : BD crash close to its startup
Links to More Info: BT1062493
Component: Application Security Manager
Symptoms:
BD crashes shortly after startup.
Conditions:
FTP or SMTP are in use. Other causes are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
No workaround except removal of the FTP/SMTP protection.
1062385-2 : BIG-IP has an incorrect limit on the number of monitored HA-group entries.
Links to More Info: BT1062385
Component: TMOS
Symptoms:
BIG-IP has an incorrect limit on the number of monitored HA-group entries.
Conditions:
A large number of traffic groups (over 50) with high availability (HA) Group monitoring attached.
Impact:
Not all traffic groups are properly monitored. Some traffic groups might not fail-over properly.
Workaround:
N/A
1061905-1 : Adding peer unit into device trust changes the failover address family.
Links to More Info: BT1061905
Component: TMOS
Symptoms:
In Device Management >> Devices >> [self device] > Failover Network, the Address Family Mode resets back to "IPv4 & IPv6" instead of keeping the already set configuration (that is, IPv4) when a new peer unit is added.
Conditions:
-- Add a new device into the device trust.
-- Set both devices to "IPv4".
-- Join the devices in device trust.
Impact:
Inconsistent configuration
Workaround:
Modify the address family to IPv4 manually after adding the peer.
1061617-2 : Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters".
Component: Application Security Manager
Symptoms:
The following Attack Signatures are not identified if "Handle Path Parameters" = "As Parameters".
200001660, 200001663, 200007032, 200101543, 200101632, 200101635, 200101638, 200101641, 200101644
Conditions:
- Configure "Handle Path Parameters" = "As Parameters"
- Enable URL attack signatures 200001660, 200001663, 200007032, 200101543, 200101632, 200101635, 200101638, 200101641, 200101644
Impact:
Some URL attack signatures are not detected by ASM.
1061469-3 : High levels of Pause frames from HSB to Switch can impact monitors and high availability (HA) connectivity
Links to More Info: BT1061469
Component: TMOS
Symptoms:
/var/log/ltm shows messages of pool state flapping, high availability (HA) connection lost and CMI heartbeat timer expired. Looking at the tmstat table, there is a high number of pause frames from HSB.
Conditions:
The exact condition is not identified yet.
Impact:
System stability is impacted.
Workaround:
None
1060769-3 : The /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints cannot be successfully parsed by common JSON libraries.
Links to More Info: BT1060769
Component: TMOS
Symptoms:
Because of identically-named key/value pairs in the "entries" object returned by the /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints, the output of these endpoints cannot be successfully parsed by common JSON-parsing libraries.
Only the key/value pair appearing last for a given name is returned by common JSON-parsing libraries.
As a result, the In/Out/Service sections of the output, which should show both Throughput(bit) and Throughput(packets), show only Throughput(packets).
Conditions:
Querying the /mgmt/tm/sys/performance/all-stats or /mgmt/tm/sys/performance/throughput iControl REST endpoints.
Impact:
Common JSON-parsing libraries are unable to extract all of the information contained in the JSON blob (only a subset of the information is returned).
Workaround:
If possible, use the TMSH utility from the CLI of the BIG-IP system to display the complete information.
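The following added example (not F5 code) reproduces the effect described for ID 1060769 with Python's standard json module and shows one way to keep every pair by using an object_pairs_hook. The sample document is constructed: its layout only imitates the repeated-name pattern and is an assumption, not the endpoints' real schema.

```python
import json
from collections import Counter

# Constructed sample: two members of one object share a name, as described
# for the "entries" object. The field names are assumptions for illustration.
SAMPLE = """
{
  "entries": {
    "In":  {"description": "Throughput(bit)",     "current": 1200},
    "In":  {"description": "Throughput(packets)", "current": 3},
    "Out": {"description": "Throughput(bit)",     "current": 800},
    "Out": {"description": "Throughput(packets)", "current": 2}
  }
}
"""


class DuplicateKeys(list):
    """Values that shared one member name, in document order.

    A list subclass so it cannot be confused with a genuine JSON array.
    """


def keep_duplicates(pairs):
    """object_pairs_hook that groups repeated names instead of overwriting."""
    out = {}
    for key, value in pairs:
        if key not in out:
            out[key] = value
        elif isinstance(out[key], DuplicateKeys):
            out[key].append(value)
        else:
            out[key] = DuplicateKeys([out[key], value])
    return out


def parse_default(text):
    """What a common parser returns: the last pair for each name wins."""
    return json.loads(text)


def parse_lossless(text):
    """Parse while retaining every value of a repeated name."""
    return json.loads(text, object_pairs_hook=keep_duplicates)


def duplicate_names(text):
    """Return the sorted member names that repeat inside a single object."""
    found = set()

    def hook(pairs):
        counts = Counter(key for key, _ in pairs)
        found.update(key for key, n in counts.items() if n > 1)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return sorted(found)


if __name__ == "__main__":
    print("default :", parse_default(SAMPLE)["entries"]["In"])
    print("lossless:", parse_lossless(SAMPLE)["entries"]["In"])
    print("repeated:", duplicate_names(SAMPLE))
```

Running duplicate_names() over a saved response is a quick way to tell whether a monitoring script is silently losing data from these endpoints.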
1060349 : VCMP Guest 14.1.4.4: java cores.
Links to More Info: BT1060349
Component: TMOS
Symptoms:
Java generates a core file.
Conditions:
This is a random crash and there are no known conditions for reproducing it.
Impact:
Temporary restart of java.
Workaround:
N/A
1060181-2 : SSL handshakes fail when using CRL certificate validator.
Links to More Info: BT1060181
Component: TMOS
Symptoms:
Some SSL handshakes are reset with an "SSL Handshake timeout exceeded" reset cause.
Conditions:
Client SSL profile with CRL certificate validator.
Client SSL certificate authentication enabled.
Impact:
SSL handshakes fail.
Workaround:
None
1060145-3 : Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2.
Links to More Info: BT1060145
Component: TMOS
Symptoms:
When a secondary slot reboots and gets the configuration from the primary blade, the secondary throws a validation error and enters a restart loop.
The following error is logged:
Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bbt-generic-bigip 10.1.10.12 80 gtm-vs) was not found.... failed validation with error 16908342.
Conditions:
-- Change the virtual server address on the LTM (manual edit of bigip.conf and load).
-- Reboot the secondary slot.
Impact:
Mcpd enters a restart loop on the secondary slot.
Workaround:
N/A
1059573-2 : Variation in a case insensitive value of an operand in LTM policy may fail in some rules.
Links to More Info: BT1059573
Component: Local Traffic Manager
Symptoms:
The LTM policy engine compiles a policy into a state machine. If the same case-insensitive value of an operand appears in several case variations, the state machine may fail to properly build all rules that use this value. An example of such a variation is a list of words like "Myself", "myself", "MYself", "mySElf", "MYSELF".
Conditions:
-- LTM policy is configured and attached to a virtual server.
-- The policy has variation in a case-insensitive value of an operand.
Impact:
An expected rule does not apply: either a wrong rule is applied, or no rule is applied, causing incorrect traffic processing.
Workaround:
Eliminate variation in any case-insensitive value of any operand. For example, replace all variations in the mentioned list with "myself".
1059441 : Upgrading with a configuration that contains objects with properties that override the TCP profile can result in incorrect property values being used.★
Links to More Info: BT1059441
Component: TMOS
Symptoms:
1. Displayed TCP profile properties (for example, 'tmsh list ltm profile tcp') indicate they are using property values of the main TCP profile, even though they are marked as defaulting from the 'tcp-legacy' profile.
2. tmsh and the BIG-IP GUI display different values for TCP profiles.
Conditions:
This issue usually results after an upgrade from an older version (for example, 12.x to 13.x) where the configuration contains customized tcp profiles that use default values from the main tcp profile (these profiles are modified to use default values from the tcp-legacy profile during the upgrade process).
Impact:
TCP traffic-processing objects might start using invalid property values.
Workaround:
If this problem is observed after an upgrade, use the following command sequence to reload the configuration:
1. tmsh save sys config
2. tmsh load sys config
1059421-1 : Bot Signature is not updated when the signature rule is updated.
Component: Application Security Manager
Symptoms:
In some cases, when you update a user-defined Bot Signature rule, the new rule is not applied.
Conditions:
-- Bot Defense profile is attached to virtual server
-- A user-defined bot signature is updated
Impact:
Updated signature is not enforced.
Workaround:
-- Delete the Bot Signature rule
-- Add another Bot Signature rule
-- Check to see that all changes are applied
1058789-4 : Virtual addresses are not created from an address list that includes an IP address range.
Links to More Info: BT1058789
Component: TMOS
Symptoms:
The virtual address is listed as offline regardless of the status of the virtual server. This makes understanding virtual-address status very difficult.
Conditions:
Create virtual server using a traffic-matching-criteria (TMC) address list.
Impact:
The virtual addresses are created but the BIG-IP system shows all of them as offline enabled regardless of the status of the virtual server.
Workaround:
None
1058765-4 : Virtual Addresses created from an address list with prefix all say Offline (enabled)
Links to More Info: BT1058765
Component: TMOS
Symptoms:
Virtual Addresses created from an address list with prefix all say Offline (enabled)
Conditions:
A prefix is used in the address list that is used for the virtual server configuration.
Impact:
Improper status of the virtual address.
1058665-3 : Bot signature with a semicolon followed by a space is not detected.
Links to More Info: BT1058665
Component: Application Security Manager
Symptoms:
When creating a user-defined Bot Signature, a semicolon followed by a space cannot be used.
Conditions:
-- Using a user-defined Bot Signature in Simple mode.
-- There is a semicolon followed by a space in the User-Agent or URL sections.
Impact:
The signature is not detected.
Workaround:
Escape the semicolon in the signature as "|3B|".
1058597-2 : Bd crash on first request after system recovery.
Links to More Info: BT1058597
Component: Application Security Manager
Symptoms:
Bd crashes on the first request.
Conditions:
The system is out of disk space while creating the ASM policy.
Impact:
The security configuration is incomplete with missing data.
Workaround:
-- Remove the ASM policy from the virtual server to avoid the bd crash.
-- Go to the cookie protection screen and reconfigure the secure and fast algorithm.
-- Re-attach the security policy to the virtual server.
1058349 : Requirement of new signatures to detect IMO and Google Duo service.
Links to More Info: BT1058349
Component: Traffic Classification Engine
Symptoms:
Google Duo voice call and IMO applications are not blocked.
Conditions:
On Latest IM with PEM policy and TC policy.
Impact:
Traffic throttling will not work on IMO and DUO app.
Workaround:
N/A
1057925-2 : GTP iRule generates a warning.
Links to More Info: BT1057925
Component: TMOS
Symptoms:
Merging GTP config generates a warning.
cat ltm rule GTP_Rate_Limmit {
when CLIENT_DATA {
set gtp_message [GTP::parse [UDP::payload]]
set ie_list [GTP::ie get list -message $gtp_message -type 87]
#set ie_list [GTP::ie get list -type 97 -message $gtp_message]
foreach ie $ie_list {
set fteid_value [lindex $ie 5]
set interface_type [lindex $fteid_value 2]
set ipv4_addr [lindex $fteid_value 4]
log local0. "$fteid_value,$interface_type,$ipv4_addr"
}
}
}
ltm rule GTP_Rate_Limmit {
when CLIENT_DATA {
set gtp_message [GTP::parse [UDP::payload]]
set ie_list [GTP::ie get list -type 87 -message $gtp_message]
foreach ie $ie_list {
set fteid_value [lindex $ie 5]
set interface_type [lindex $fteid_value 2]
set ipv4_addr [lindex $fteid_value 4]
log local0. "$fteid_value,$interface_type,$ipv4_addr"
}
}
}
root@(sr)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config merge file gtprule.conf
Merging GTP rule config generates warning.
/var/local/scf/gtprule.conf
There were warnings:
/Common/GTP_Rate_Limmit:4: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid '-type'; expected:-message"93 47][GTP::ie get list -type 87 -message $gtp_message]
Conditions:
This error occurs every time the GTP config is merged.
Impact:
Config merge shows a warning.
Workaround:
Change
set ie_list [GTP::ie get list -type 87 -message $gtp_message]
to
set ie_list [GTP::ie get list -message $gtp_message -type 87]
1057913 : Fix traffic flow when using SR-IOV and trunking with xnet-mlxv5.
Links to More Info: BT1057913
Component: TMOS
Symptoms:
TMM does not process incoming traffic due to dropped packets.
Conditions:
- Mellanox
- ESXi VE
- SR-IOV
- Trunking with Cisco ACI
- xnet-mlxv5 driver in use
Impact:
Packets are not processed, which results in no work being done.
Workaround:
Use the TMM's native mlxv5 driver instead of xnet-mlxv5.
1057713-5 : "South Sudan" is missing from the ASM Geolocation Enforcement list.
Component: Application Security Manager
Symptoms:
South Sudan is not available as a selection in ASM's Geolocation Enforcement configuration.
Conditions:
South Sudan was not added into ASM database.
Impact:
There is no way to set the country code for "South Sudan" under 'Allowed Geolocations.'
Workaround:
N/A
1057709-2 : Invalid Certificate for all BIG-IP VE OVA images on vCenter 7.0U2.
Links to More Info: BT1057709
Component: TMOS
Symptoms:
When deploying all BIG-IP VE OVA/OVF images, vCenter 7.0U2 will display an invalid certificate (not trusted) warning message. This is due to enhanced signing certificate verifications for expiry, and other validity checks for the entire chain of the signing certificate against the VECS store (known vCenter issue https://kb.vmware.com/s/article/84240).
Conditions:
Log in to vCenter 7.0U2, deploy a BIG-IP VE using an OVF template, select the Local File option, upload the OVA template from your local directory, and then follow the prompts to complete the deployment. In the review details section, "The certificate is not trusted" warning message appears.
Impact:
You can ignore the message and continue with the deployment, or add the missing signing certificate(s) to the VECS store.
Workaround:
To avoid this warning, do the following to add the signing certificate to the VECS store:
1. Get the OVF/OVA signing certificate's chain (root CA and intermediate certificates, if any). You can use any certificate chain resolver to find the missing certificates from the chain.
2. To add the intermediate and root certificates to VECS store:
a. Log in to vCenter as administrator.
b. From the drop-down menu, select Administration -> Certificates -> Certificate Management.
c. Click ADD next to Trusted Roots Certificates.
d. Browse and select the certificate(s) found in step 1.
1057557-3 : Exported policy has greater-than sign '>' not escaped to '&gt;' with response_html_code tag.
Links to More Info: BT1057557
Component: Application Security Manager
Symptoms:
The greater-than sign '>' is not escaped/converted to '&gt;' with response_html_code tag.
Having an un-escaped greater-than sign can cause issues when re-importing the policy, if the greater-than sign appears in a specific sequence, ']]>'. In other words, if the greater-than sign does not appear in the specific sequence, you can successfully re-import the policy without problem.
The specific sequence is possible with a custom response page configuration. If you modify the custom response page so that it contains the sequence of characters ']]>', the greater-than sign is not escaped due to this bug, and the exported policy has the sequence of characters ']]>' as is. Note: what it should be is ']]&gt;'.
']]>' in XML is the CDATA end delimiter and is not allowed. The exported policy causes a parser error and cannot be re-imported.
Conditions:
This issue occurs if you modify the default custom response page where this specific character sequence is observed ']]>'.
Impact:
The exported policy cannot be re-imported.
Workaround:
This workaround forces the greater-than sign to be escaped to '&gt;' so that the policy can be re-imported without problem.
- make /usr writable
# mount -o remount,rw /usr
- backup
# cp /usr/local/share/perl5/F5/ExportPolicy/XML.pm /usr/local/share/perl5/F5/ExportPolicy/XML.pm.orig
- see this line exists
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm
$xml =~ s/&gt;/>/g;
- delete the line and verify
# sed -i '/$xml =~ s\/&gt;.*/d' /usr/local/share/perl5/F5/ExportPolicy/XML.pm
- should not see the line
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm
- make /usr read-only again
# mount -o remount,ro /usr
- make the change take effect
# pkill -f asm_config_server
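The following added example (not F5 code) shows why the ']]>' sequence described for ID 1057557 matters to an XML parser. The one-element document built by wrap() is constructed; only the response_html_code element name comes from the text above, and the real exported policy layout is not reproduced.

```python
import xml.etree.ElementTree as ET


def wrap(page_html, escape_gt):
    """Place a response page body into a constructed one-element document.

    With escape_gt=False, '>' is left as-is, imitating the export described
    above; with escape_gt=True, '>' is written as '&gt;'.
    """
    text = page_html.replace("&", "&amp;").replace("<", "&lt;")
    if escape_gt:
        text = text.replace(">", "&gt;")
    return ("<policy><response_html_code>%s</response_html_code></policy>"
            % text)


def reimports(xml_text):
    """Return True if the document is well-formed XML, False otherwise."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def extract(xml_text):
    """Return the response page body recovered from a well-formed document."""
    return ET.fromstring(xml_text).find("response_html_code").text


# Constructed response page bodies: the first contains ']]>' and the second
# contains '>' but never in that sequence.
PAGE_WITH_SEQUENCE = "<script>if (a[b[0]]>1) { block(); }</script>"
PAGE_WITHOUT_SEQUENCE = "<p>Request rejected</p>"

if __name__ == "__main__":
    for page in (PAGE_WITH_SEQUENCE, PAGE_WITHOUT_SEQUENCE):
        for escape in (False, True):
            ok = reimports(wrap(page, escape))
            print("escape_gt=%-5s parses=%-5s %s" % (escape, ok, page))
```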
1057501-2 : Expired DST Root CA X3 resulting in http agent request failing.
Links to More Info: BT1057501
Component: TMOS
Symptoms:
When the DST Root CA X3 is expired, any HTTP agent request fails with the error:
err tmm2[19302]: Rule /Common/my_rule <HTTP_REQUEST>: Client - <address>, failure :proxyInterstitialPage: FetchError: request to <url> failed, reason: certificate has expired.
Conditions:
The DST Root CA X3 certificate is expired, see
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.
Impact:
ILX plugins that rely on outbound HTTP client/agent requests to remote servers fail.
Workaround:
Create a /var/tmp/isrgrootx1.pem with contents of https://letsencrypt.org/certs/isrgrootx1.pem.txt.
The Node.js script:
# cat /var/tmp/CustomCA-2.js
var fs = require('fs');
var https = require('https');
var options = {
    hostname: 'letsencrypt.org',
    port: 443,
    path: '/',
    method: 'GET',
    // Incorporated CA, thus bypassing the CA embedded in the EOL version of Node.js.
    ca: fs.readFileSync('/var/tmp/isrgrootx1.pem')
};
var req = https.request(options, function(res) {
    res.on('data', function(data) {
        console.log("PASS");
    });
});
req.end();
1056957-4 : An attack signature can be bypassed under some scenarios.
Links to More Info: BT1056957
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
A specific condition.
Impact:
False negative - attack is not detected.
Workaround:
N/A
1056669 : Clicking the ActiveX RDP Resources icon does not display the ActiveX RDP web page.
Links to More Info: BT1056669
Component: Access Policy Manager
Symptoms:
When you click the ActiveX RDP icon on the webtop, the system displays the error message "This page cannot be displayed".
Conditions:
ActiveX RDP is configured using the remote desktop setting.
Impact:
Unable to open the ActiveX RDP web page.
Workaround:
Create the following iRule and apply it to the virtual server:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/vdesk/resource_all_info.eui" && [HTTP::uri] contains "remote_desktop" } {
#strip out %230 in URI
HTTP::uri [string map {"%230" ""} [HTTP::uri]]
}
}
1056401-2 : Valid clients connecting under active syncookie mode might experience latency.
Links to More Info: BT1056401
Component: Local Traffic Manager
Symptoms:
Valid clients that connect using active syncookie mode might experience latency.
Conditions:
- SYN Cookie (Hardware or Software) is enabled.
- SYN Cookies are activated (TCP Half Open) for the virtual server.
- FastL4 tcp-generate-isn option or SYN-ACK vector 'suspicious event count' options are enabled.
- SYN Cookie issue and validation with client is correct.
- SSL Client Hello packet sent by client reaches DHD right after TCP SYN packet is sent to backend server.
Impact:
Random connections could be disrupted.
1055361-3 : Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash.
Links to More Info: BT1055361
Component: SSL Orchestrator
Symptoms:
Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a TMM crash.
Conditions:
A suspending iRule command is used in L7CHECK_CLIENT_DATA.
Example:
ltm rule /Common/rule-a {
when L7CHECK_CLIENT_DATA {
after 10000
}
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use suspending iRule commands in L7CHECK_CLIENT_DATA.
1055077-4 : Modifying the datacenter does not check GTM server configuration for prober-pool.
Links to More Info: BT1055077
Component: Global Traffic Manager (DNS)
Symptoms:
If GTM is in a bad configuration state, the reload can fail with an error similar to this:
01071b63:3: The prober fallback value for server /Common/server1 cannot be the same as the inherited prober preference value.
Unexpected Error: Validating configuration process failed.
or
01071b62:3: The prober preference value for server /Common/server2 cannot be the same as the inherited prober fallback value.
Unexpected Error: Validating configuration process failed.
Conditions:
1. GSLB server has a prober-pool and inherits the datacenter selected for prober preference or prober fallback (it does not matter which prober configuration has which value).
2. GSLB datacenter is modified such that the prober configuration inherited by the constituent GSLB server is changed from a non-pool method to prober-pool.
This results in the GSLB server having a prober-pool probe configuration manually configured and another prober-pool probe configuration inherited from the GSLB datacenter.
Impact:
Two prober-pool configurations for a GSLB server is a prohibited state. Once this state is reached, any action that tries to validate the configuration (like a configuration load) will fail. This can cause the BIG-IP to fail to load configuration or cause a UCS restore to fail.
Workaround:
Review the configured and inherited prober configuration state of all GSLB servers whose parent GSLB datacenter has a prober-pool configured for its prober preference or prober fallback. If any GSLB servers are affected, change their prober configuration so that only a single prober-pool configuration exists; or, you can change the parent GSLB server to no longer use the prober-pool method.
1055053-2 : "tmsh load sys config default" does not clear Zebos config files.
Links to More Info: BT1055053
Component: TMOS
Symptoms:
Typing the command: "tmsh load sys config default" does not clear Zebos config files.
Conditions:
- Dynamic routing in use.
- Loading default configuration with "tmsh load sys config default"
Impact:
Zebos configuration files still contain configuration after restoring default config.
Workaround:
Manually delete the Zebos configuration before running "tmsh load sys config default".
1054677-3 : Ng_export fails for users with the 'pager' option enabled in their 'cli preference' configuration.
Links to More Info: BT1054677
Component: Access Policy Manager
Symptoms:
For users with pager enabled, some lines are missing in the ng-export.conf file.
Conditions:
For your CLI preference, the 'pager' option is set to enabled.
Impact:
When 'pager' is set to enabled, you will be unable to export Access policies.
Workaround:
Disable the 'pager' option in 'cli preference' config for the affected user.
1054041-2 : Neuron-based platforms may activate SYN Cookies for the wrong virtual server
Links to More Info: BT1054041
Component: TMOS
Symptoms:
Virtual servers that are not expected to be in SYN Cookie mode are nevertheless SYN Cookie checked by the hardware.
A wildcard virtual server that listens on any IP address and any port correctly enters full-hardware SYN Cookie mode.
At the same time, another virtual server that listens on any IP address and a specific port incorrectly enters SYN Cookie mode.
The incorrect SYN Cookie activation on the more specific virtual server can be observed by looking at the output of 'tmsh show ltm virtual <virtual_name>', where the SYN Cookie status is 'not-activated', but the 'Total Hardware Accepted' counter keeps increasing:
SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 1827
Conditions:
- Platforms with Neuron support (BIG-IP iSeries)
- Overlapping virtual servers that only differ in destination port, such that one has a specific port and the other has 'any'
- SYN Cookies are activated on the less-specific virtual server, that listens on port 'any'
Impact:
- SYN Cookies are incorrectly activated also on the more specific virtual server, that listens on a specific port;
- Unreliable SYN Cookie statistics on the more specific virtual server.
1053741-2 : Bigd may exit and restart abnormally without logging a reason
Links to More Info: BT1053741
Component: Local Traffic Manager
Symptoms:
Certain fatal errors may cause the bigd daemon to exit abnormally and restart to recover.
For many such fatal errors, bigd logs a message in the LTM log (/var/log/ltm) indicating the fatal error that occurred.
For some causes, no message is logged to indicate what error occurred to cause bigd to exit abnormally and restart.
Conditions:
This may occur when bigd encounters a fatal error when monitoring LTM pool members, particularly (although not exclusively) when using In-TMM monitor functionality (sys db bigd.tmm = enable).
Impact:
It may be difficult to diagnose the reason that caused bigd to exit abnormally and restart.
Workaround:
To enable logging of all fatal errors that cause bigd to exit abnormally and restart, enable bigd debug logging:
tmsh modify sys db bigd.debug value enable
With bigd debug logging enabled, bigd messages (including such fatal errors) will be logged to /var/log/bigdlog.
1053617 : Some of the ePVA flow status descriptors may be incorrectly dropped
Links to More Info: BT1053617
Component: TMOS
Symptoms:
Eviction flow status descriptors sent due to collision or aging are dropped. This results in incorrect epva_flowstat and PVA traffic counters.
Conditions:
-- BIG-IP tenant 14.1.x running on F5OS version 1.0.0 or 1.1.x.
-- PVA offload enabled for fastL4 profiles (default).
Impact:
Statistics are incorrect.
1053309-3 : Localdbmgr leaks memory while syncing data to sessiondb and mysql.
Component: Access Policy Manager
Symptoms:
Top output shows that localdbmgr memory increases steadily.
Conditions:
Localdb auth is enabled or localdb is used for storing APM-related information, such as for MDM Intune.
Impact:
Localdbmgr is killed by the OOM killer and is restarted, thereby affecting the execution of access policies.
Workaround:
N/A
1053149-3 : A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received.
Links to More Info: BT1053149
Component: Local Traffic Manager
Symptoms:
Depending on the software version running on the BIG-IP system, this issue can manifest in one of two ways:
- Versions with the fix for ID1008077 will fail to forward the client's final ACK (from the TCP 3-way handshake) to the server. Eventually, once the TCP handshake timeout expires, the BIG-IP system will reset both sides of the connection.
- Versions without the fix for ID1008077 will forward the traffic correctly, but will not advance the internal FastL4 state for the connection. Given enough traffic for the same 4-tuple, the connection may never expire. Traffic for subsequent connections will appear to be forwarded correctly, but no load-balancing will occur due to the original connection not having expired yet.
Conditions:
A FastL4 TCP connection not completing the TCP handshake correctly, and the client retrying with a new (different SEQ number) SYN.
Impact:
Traffic failures (intended as either connections failing to establish, or improper load-balancing occurring).
1053037-4 : MCP error on loading a UCS archive with a global flow eviction policy
Links to More Info: BT1053037
Component: TMOS
Symptoms:
Attempting to load a UCS archive with a global flow eviction policy results in an error like the following.
loaddb[3609]: 01080023:3: Error return while getting reply from mcpd: 0x1070911, 01070911:3: The requested flow_eviction_policy object (/Common/otters) does not exist for global_flow_eviction_policy in ltm (/Common/ltm)
Error 0x1070911 occurred: 01070911:3: The requested flow_eviction_policy object (/Common/otters) does not exist for global_flow_eviction_policy in ltm (/Common/ltm)
Despite this error, restoring the UCS archive continues on, and may succeed.
Conditions:
-- Loading a UCS archive with a non-default global-flow-eviction-policy configured.
-- The existing configuration on the BIG-IP system does not define the same eviction policy.
Impact:
The above mentioned error message is printed to the logs.
It should be safe to ignore the error if the UCS otherwise loads successfully.
Workaround:
Ignore the error message.
1052893-1 : Configuration option to delay reboot if dataplane becomes inoperable
Component: TMOS
Symptoms:
When certain system failures occur and the dataplane cannot continue to handle network traffic, the BIG-IP system will automatically reboot. This behavior may restore traffic management, but it may prevent diagnosis of the failure.
Conditions:
Low-level system failure, possibly in HSB SRAM or other hardware
Impact:
Diagnosis of the dataplane failure is hindered.
Workaround:
None
1051589-3 : Missing configuration after upgrade★
Component: Application Security Manager
Symptoms:
After a successful UCS load, some parts of the security configuration are missing.
Conditions:
-- ASM provisioned
-- Limited disk space in /shared
-- Upgrade or create and then install a UCS
Impact:
A device after upgrade or UCS install is missing some of the security configuration.
Workaround:
Clear out disk space in /shared before attempting an upgrade or creating a UCS.
1051153-2 : DHCP fails intermittently when the connection is through BIG-IP.
Links to More Info: BT1051153
Component: Local Traffic Manager
Symptoms:
DHCP DISCOVER packets are received, load balanced to the back end DHCP server, a DHCP OFFER reply is received from the server to BIG-IP, but this packet is dropped.
Conditions:
A BIG-IP system is between the DHCP client and DHCP server.
Impact:
DHCP OFFER is never passed on to the client, and as such, the client keeps sending DHCP DISCOVER packets, which are all dropped the same way.
1050969-4 : After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid
Links to More Info: BT1050969
Component: TMOS
Symptoms:
Running clear-rest-storage removes all the available tokens as well as cookie files from /var/run/pamchache.
Conditions:
Run the clear-rest-storage command.
Impact:
All users are logged out of the GUI.
Workaround:
Log in again.
1050413-2 : Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml.
Links to More Info: BT1050413
Component: TMOS
Symptoms:
When using the hard drive model HGST HUS722T1TALA604, pendsect does not recognize the hard drive and skips it during sector checks.
Conditions:
- Using a HGST HUS722T1TALA604 hard drive on a BIG-IP system.
- Pendsect runs a sector check.
Impact:
Warning messages like the following will be logged to /var/log/messages:
-- warning pendsect[31898]: skipping drive -- Model: HDC WD1005FBYZ-01YCBB2
-- warning pendsect[31898]: No known drives detected for pending sector check. Exiting
Pendsect can't properly check the hard drive.
Workaround:
Give write permissions to modify the file:
chmod u+w /etc/pendsect/drives.xml
Open the file and add the following at the end of the file, before default:
<snip>
<HUS722T1TA>
<offset firmware="RAGNWA09">0</offset>
<offset firmware="default">0</offset>
<family> "HA210"</family>
<wd_name>"Ultrastar"</wd_name>
</HUS722T1TA>
<DEFAULT>
<firmware version="default">
<offset>0</offset>
</firmware>
<name> "UNKNOWN"</name>
<family> "UNKNOWN"</family>
<wd_name>"UNKNOWN"</wd_name>
</DEFAULT>
</model>
</drives>
Save and close the file.
Remove write permissions so that no one accidentally modifies this file:
chmod u-w /etc/pendsect/drives.xml
Run the following command and check /var/log/messages to verify no errors are seen:
/etc/cron.daily/pendsect
1050089-2 : TMM crash in certain cases
Component: Application Security Manager
Symptoms:
TMM crash in certain cases
Conditions:
Bot defense profile is used in TMM
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1049237-3 : Restjavad may fail to cleanup ucs file handles even with ID767613 fix
Links to More Info: BT1049237
Component: Device Management
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client (such as a BIG-IQ which is out of disk space) does not complete the download.
Since these files remain open, you may see low disk space even after deleting the associated files, and you may see items listed with '(deleted)' in lsof output.
Additionally, on a software version with the ID767613 fix, you may see restjavad NullPointerException errors in /var/log/restjavad.*.log.
[SEVERE][1837][23 Sep 2021 10:18:16 UTC][RestServer] java.lang.NullPointerException
at com.f5.rest.workers.FileTransferWorker$3.run(FileTransferWorker.java:230)
at com.f5.rest.common.ScheduleTaskManager$1$1.run(ScheduleTaskManager.java:68)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
at java.lang.Thread.run(Thread.java:748)
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Low disk space, items listed with '(deleted)' when listed using lsof.
Workaround:
To free the file handles, restart restjavad:
# tmsh restart sys service restjavad
Files that were deleted now have their space reclaimed.
1049085-1 : Booting into a newly installed hotfix volume may stall on RAID-capable platforms★
Links to More Info: BT1049085
Component: TMOS
Symptoms:
Upon booting into a RAID volume containing a newly installed instance of BIG-IP system software which is an Engineering Hotfix, the following messages may appear, after which the boot process stalls:
[...]
[ 11.705219] dracut-initqueue[324]: mdadm: Duplicate MD device names in conf file were found.
[ 133.844644] dracut-initqueue[324]: Warning: dracut-initqueue timeout - starting timeout scripts
[ 133.932885] dracut-initqueue[324]: mdadm: Devices UUID-012345678:9abcdef0:12345678:9abcdef0 and UUID-abcdef01:23456789:abcdef01:23456789 have the same name: /dev/md4
[...]
[ *** ] A start job is running for dev-disk...
Conditions:
1) a hardware platform is configured to use RAID for redundancy
2) duplicate RAID array declarations are introduced into /etc/mdadm.conf
3) a hotfix installation is performed to one of the RAID volumes
Impact:
It is impossible to boot into the volume of the new installation. It is necessary to physically reboot the device and revert to a previously working volume to rectify the problem.
Workaround:
Instead of installing the hotfix directly, first install the plain base version on which the hotfix is based and boot into it - this will resolve the problem with the duplicate entries in /etc/mdadm.conf.
Then install the hotfix as normal.
1048949-4 : TMM xdata leak on websocket connection with asm policy without websocket profile
Links to More Info: BT1048949
Component: Application Security Manager
Symptoms:
Excessive memory consumption, tmm core.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Websocket profile isn't attached to the virtual server
- Long lived websocket connection with messages
Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.
Workaround:
Attach the websocket profile to the virtual server
1048853-4 : "IKE VBUF" memory leak debug.
Links to More Info: BT1048853
Component: TMOS
Symptoms:
The memory increase is seen through tmctl memory_usage_stat when ipsec-sa are deleted and new ipsec-sa are created.
Conditions:
A tunnel connection exists between the BIG-IP initiator and responder.
Impact:
Memory consumption increases after every ipsec-sa delete operation when the new ipsec-sa is created.
Workaround:
N/A
1048685-1 : Rare TMM crash when using Bot Defense Challenge
Links to More Info: BT1048685
Component: Application Security Manager
Symptoms:
When using the Bot Defense Profile in Blocking mode, TMM could crash in rare cases with a core dump.
Conditions:
Using the Bot Defense profile on blocking mode.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1048425-2 : Packet tester crashes TMM when vlan external source-checking is enabled
Links to More Info: BT1048425
Component: Advanced Firewall Manager
Symptoms:
TMM SIGFPE Core Assertion "packet must already have an ethernet header".
Conditions:
Run the AFM Packet Tracer when external source-checking is enabled on the VLAN.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable source checking on the vlan.
1048169 : Panic and silent reboots on High Availability (HA) pair
Links to More Info: BT1048169
Component: TMOS
Symptoms:
High Availability (HA) pair is reporting failovers intermittently which are caused by a kernel panic.
Conditions:
Not known
Impact:
Results in failover, which affects HA.
Workaround:
None
1048097-1 : Under certain conditions, using the HTTP::retry iRule command causes TMM to crash.
Links to More Info: BT1048097
Component: Local Traffic Manager
Symptoms:
TMM crashes with segfault.
Conditions:
- HTTP virtual server
- iRule with HTTP::retry command
- certain traffic conditions
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Do not use HTTP::retry command; or, use it with fewer arguments.
1047933-3 : Virtual server security policy - An error has occurred while trying to process your request
Links to More Info: BT1047933
Component: Advanced Firewall Manager
Symptoms:
While loading the security tab page in the virtual server configuration page, you see an error: "An error has occurred while trying to process your request"
Conditions:
This is encountered when clicking the security tab in the virtual server configuration page, when there are a large number of virtual servers on the BIG-IP system (~2500).
Impact:
Delay in security tab page loading times and possible page timeout.
Workaround:
None
1047581-1 : Ramcache can crash when serving files from the hot cache
Links to More Info: BT1047581
Component: Local Traffic Manager
Symptoms:
Under certain circumstances, TMM may crash when processing traffic for a virtual server that uses RAM Cache.
Conditions:
- RAM Cache configured
- Document served not out of the hotcache
- The server served with must-revalidate.
- The server 304 contains a 0 byte gzip payload
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1046917-2 : In-TMM monitors do not work after TMM crashes
Links to More Info: BT1046917
Component: In-tmm monitors
Symptoms:
After TMM crashes and restarts, in-TMM monitors do not run. Monitored pool members are down.
Conditions:
-- In-TMM monitors are enabled.
-- TMM exits abnormally, as a result of one of the following:
+ TMM crashing and restarting
+ TMM being sent a termination signal (i.e. using 'pkill' to kill TMM)
Note: This issue does not occur if TMM is restarted using 'bigstart' or 'tmsh sys service'.
Impact:
Monitored pool members are offline.
Workaround:
One of the following:
1. Do not use in-TMM monitors.
2. After TMM restarts, manually restart bigd:
tmsh restart sys service bigd
3. Add an entry to /config/user_alert.conf such as the following, so that the system restarts bigd when TMM starts up.
alert id1046917 "Tmm ready - links up." {
exec command="bigstart restart bigd"
}
Note: This change must be made separately on each device in a ConfigSync device group.
1046785-4 : Missing GTM probes when max synchronous probes are exceeded.
Links to More Info: BT1046785
Component: Global Traffic Manager (DNS)
Symptoms:
GTM probes are missing, resources are marked down.
When instances fail and BIG-IP is not aware of the failure, some virtual servers/pool members are marked as available and some objects are marked down on part of the sync group members.
Conditions:
Max synchronous probes are exceeded. This value is controlled by the GTM global variable max-synchronous-monitor-requests.
Impact:
-- Resources are marked down.
-- Inconsistent monitor statuses across BIG-IP DNS systems in a single sync group
-- Because some monitor instances don't have monitor traffic, if an instance fails, the BIG-IP DNS systems may not be aware of the failure.
Workaround:
Increase the value of Max Synchronous Monitor Requests:
tmsh modify gtm global-settings metrics max-synchronous-monitor-requests value <value - default is 20>
1046717-1 : Tmm crash when utilizing one-connect with inband monitors and ECMP or pool routes.
Links to More Info: BT1046717
Component: Local Traffic Manager
Symptoms:
Tmm crashes and restarts.
Conditions:
A virtual server that utilizes one-connect and a pool with an inband monitor and the pool members are reachable via a route. If the route changes back and forth between a gateway route and an ECMP or pool route, tmm could crash.
Impact:
Traffic disrupted while tmm restarts.
1046317-3 : Violation details are not populated with staged URLs for some violation types
Component: Application Security Manager
Symptoms:
The "Triggered Violations" field in the event log screen and corresponding data in remote logging is not populated.
Conditions:
- The URL is in staging
- The triggered violation is one of the following violations
VIOL_MANDATORY_REQUEST_BODY
VIOL_URL_CONTENT_TYPE
VIOL_METHOD
Impact:
Lack of details in the request log event.
Workaround:
None
1046261-3 : Asynchronous REST task IDs do not persist across process restarts
Links to More Info: BT1046261
Component: TMOS
Symptoms:
If an asynchronous task is started via REST and the iControl REST process(es) restart, the task ID is lost and queries regarding its state will result in "Task not found" responses.
Conditions:
-- Starting an asynchronous process via REST.
-- The iControl REST process(es) restart.
Impact:
Unable to get the status of an asynchronous task. If you are using iControl REST to load a UCS, you will be unable to determine the status of the UCS load.
1045277-1 : The /var partition may become 100% full requiring manual intervention to clear space
Links to More Info: BT1045277
Component: TMOS
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.
Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
1044893-2 : Kernel warnings from NIC driver Realtek 8139
Links to More Info: BT1044893
Component: TMOS
Symptoms:
Excessive kernel logs occur from the NIC driver Realtek 8139
Conditions:
-- Realtek 8139 driver is used
-- Packets with partial checksum and protocol IPPROTO_TCP/IPPROTO_UDP arrive
Impact:
The Realtek 8139 driver logs excessive kernel warnings.
1044873-3 : Deleted GTM link is not removed from virtual server object and causes load failure.
Links to More Info: BT1044873
Component: Global Traffic Manager (DNS)
Symptoms:
The configuration fails to load with an error:
01070712:3: Values (/Common/Link_to_delete) specified for Virtual Server (/Common/vs1 /Common/HTTPP): foreign key index (explicit_link_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.
Conditions:
-- Create GTM link
-- Assign specific link to any virtual server object
-- Delete link object
-- Run tmsh load sys config gtm-only (or create a sync group and the sync will fail)
Impact:
GTM config fails to load or config sync.
Workaround:
Remove any assigned virtual servers from the link prior to deleting it.
1044577-3 : TMM crash on BIG-IP Virtual Edition using DPDK and xnet drivers
Links to More Info: BT1044577
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- BIG-IP Virtual Edition using DPDK and xnet drivers
-- More than one tmm
Impact:
Traffic disrupted while tmm restarts.
Workaround:
- Use only 1 TMM
- Use some other driver combination other than DPDK-xnet
1044281-3 : In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled
Links to More Info: BT1044281
Component: TMOS
Symptoms:
Under certain circumstances, if a configuration is copied to a boot location that has already been booted into, files restored by the UCS archive remain unlabeled. After booting to the target volume, the BIG-IP will not function and will have the status "INOPERATIVE".
Conditions:
-- APM is provisioned.
-- Performing a cpcfg copy to another volume.
Impact:
-- APM localdbmgr restarts, and fails to restore configuration from UCS archive
-- Spurious system permissions failures as a result of SELinux
Workaround:
After booting into the affected boot location, force an SELinux relabeling:
# touch /.autorelabel && reboot
1044089 : ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI.
Links to More Info: BT1044089
Component: TMOS
Symptoms:
Virtual address is reachable even when the virtual server is offline.
Conditions:
The virtual server status is updated to offline by modifying the virtual server and adding an iRule via the GUI.
Impact:
ICMP echo requests are still handled by the virtual address even though the virtual server is marked offline.
Workaround:
Use tmsh to attach the iRule to the virtual server:
tmsh modify ltm virtual <virtual_server_name> rules {<rule_name> }
1043985-3 : After editing an iRule, the execution order might change.
Links to More Info: BT1043985
Component: Local Traffic Manager
Symptoms:
After modification, the iRule execution order may change for events with the same priority.
Conditions:
Virtual server has an iRule that contains multiple events with the same priority.
Impact:
Unexpected behavior can cause virtual server malfunction.
Workaround:
Add desired priorities for iRules that contain the same event.
For example: when <event_name> priority nnn
1043805-1 : ICMP traffic over NAT does not work properly.
Links to More Info: BT1043805
Component: Local Traffic Manager
Symptoms:
ICMP traffic hitting a NAT translation address is dropped and not sent further to the originating address.
Conditions:
-- An LTM NAT is configured.
-- ICMP traffic arrives.
Impact:
ICMP traffic fails to be forwarded over the NAT.
1043525 : TMM crash produces error message "spmdb_session_get_ip_stat_ref."
Links to More Info: BT1043525
Component: Policy Enforcement Manager
Symptoms:
The standby TMM appears to crash after failover.
Conditions:
After a high availability (HA) failover, the standby TMM appears to crash.
Impact:
TMM crashes after failover.
Workaround:
None
1043009-2 : TMM dump capture for compression engine hang
Links to More Info: BT1043009
Component: Local Traffic Manager
Symptoms:
TMM crashes
Conditions:
The system detects a Nitrox hang and attempts to reset it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Set Nitrox3.Compression.HangReset db variable to reset
1042913-1 : Pkcs11d CPU utilization jumps to 100%
Links to More Info: BT1042913
Component: Local Traffic Manager
Symptoms:
CPU utilization of pkcs11d increases to 100%.
Conditions:
This occurs when pkcs11d is disconnected from the external HSM.
Impact:
As the pkcs11d consumes most of the CPU, other processes are starved for CPU.
Workaround:
None.
1042737-2 : BGP sending malformed update missing Tot-attr-len of '0.
Links to More Info: BT1042737
Component: TMOS
Symptoms:
BIG-IP might send a malformed BGP update missing Tot-attr-len of '0 when performing a soft reset out.
Conditions:
-- Multiple traffic groups configured.
-- A BGP soft reset occurs.
Impact:
BGP peering resets.
1042589-3 : Wrong trunk_id is associated in bcm56xxd.
Links to More Info: BT1042589
Component: TMOS
Symptoms:
When a set of interfaces are moved from one trunk to another, the now empty trunk is left with a valid association in bcm56xxd, and deleting that trunk can cause a valid trunk to be removed in the BCM hardware.
'tmsh show net trunk MY_TRUNK' shows the trunk is UP, but in fact the trunk is unconfigured in hardware.
Conditions:
Moving the interfaces across trunks.
i.e.
tmsh modify net trunk MY_OLD_TRUNK interfaces none
tmsh modify net trunk MY_NEW_TRUNK interfaces add { 1.1 1.2 }
tmsh delete net trunk MY_OLD_TRUNK
Impact:
May cause an L2 traffic loop.
1042505-3 : Session variable "session.user.agent" does not get populated for edge clients
Links to More Info: BT1042505
Component: Access Policy Manager
Symptoms:
Access policy agents and iRules that depend on "session.user.agent" session variable fail to execute properly.
Conditions:
Access policies have agents that depend on the value of the session variable "session.user.agent" for their execution.
Impact:
Any access policy agents that depend on this session variable will not be able to follow the rules.
Workaround:
An iRule can be used to generate a session variable. For example:
# This event fires once per session
when ACCESS_SESSION_STARTED {
    log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]"
    ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent]
    # Use this variable in the VPE to make some decision
}
1041989-2 : APM Portal Access does not add automatically the / after the URL encoded (after the '$$'), Redirect breaks
Links to More Info: BT1041989
Component: Access Policy Manager
Symptoms:
If the Location header does not end with '/' in the direct case, the rewritten URL is missing the forward slash character '/'.
APM does not automatically add the '/' after the encoded URL (after '$$').
For example, https://website is rewritten as https://apm/f5-w-<hex encoded scheme,host,port>$$ instead of https://apm/f5-w-<hex encoded scheme,host,port>$$/.
If the caption URI is https://website without / at the end, APM will rewrite it as https://apm/f5-w-<hex encoded scheme,host,port>$$/
Conditions:
-- APM Portal Access
-- Redirect response Location header does not end with '/' - after the {scheme://host:port}
Impact:
Missing / after redirection - Page does not load
Workaround:
Add '/' through iRule in redirect response header.
1041889-4 : RRSIG missing for CNAME with RDATA in different zone
Links to More Info: BT1041889
Component: Global Traffic Manager (DNS)
Symptoms:
RRSIG missing for CNAME.
Conditions:
-- CNAME record with RDATA in different zone.
-- One zone dynamically signed.
-- The other zone in local BIND (ZoneRunner) with static DNSSEC records.
Impact:
DNSSEC validation failure.
1041865-2 : Correctable machine check errors [mce] should be suppressed
Links to More Info: BT1041865
Component: TMOS
Symptoms:
Log emerg in kern.log similar to:
emerg kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 10: cc003009000800c1
Conditions:
Correctable errors can be identified by analyzing the 16‐bit value shown in bits [31:16] of the 64‐bit error from the /var/log/kern.log message. When bits [31:16] = 0008 this is a correctable error and not failing hardware.
An example is shown below.
Log error matches this pattern:
Machine Check: 0 [bank number]: [cc003009][0008][00c1]
bits [31:16] = 0008
Impact:
Correctable errors are logged in kern.log and to the console. There is no functional impact.
Workaround:
None
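The bit test described in ID 1041865 can be applied to kern.log lines as follows. This is an added example, not F5 code; the function names and the sample log lines (hostnames, timestamps, and the second status value) are constructed for illustration, and only the `cc003009000800c1` value and the "bits [31:16] = 0008" rule come from the entry.

```python
import re
from collections import Counter

# Kernel MCE message layout, taken from the log line quoted in the entry.
MCE_RE = re.compile(
    r"mce: \[Hardware Error\]: CPU (?P<cpu>\d+): Machine Check: \d+ "
    r"Bank (?P<bank>\d+): (?P<status>[0-9a-fA-F]{16})\b"
)

# The entry states that bits [31:16] == 0008 identifies a correctable error.
CORRECTABLE_BITS_31_16 = 0x0008

# Constructed sample input: hostnames and timestamps are made up. The first
# status value is the one quoted in the entry; the last one is invented so
# that bits [31:16] differ from 0008.
SAMPLE_KERN_LOG = """\
Sep 23 10:18:16 bigip1 emerg kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 10: cc003009000800c1
Sep 23 10:18:17 bigip1 info kernel: EXT4-fs (dm-3): mounted filesystem
Sep 23 10:19:02 bigip1 emerg kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 10: cc003009000800c1
Sep 23 10:21:40 bigip1 emerg kernel: mce: [Hardware Error]: CPU 2: Machine Check: 0 Bank 4: b200000000100402
""".splitlines()


def parse_mce(line):
    """Return the decoded MCE record for one log line, or None if it is not an MCE line."""
    m = MCE_RE.search(line)
    if m is None:
        return None
    status = int(m.group("status"), 16)
    bits_31_16 = (status >> 16) & 0xFFFF  # the 16-bit field the entry refers to
    return {
        "cpu": int(m.group("cpu")),
        "bank": int(m.group("bank")),
        "status": status,
        "bits_31_16": bits_31_16,
        "matches_correctable_pattern": bits_31_16 == CORRECTABLE_BITS_31_16,
    }


def triage(lines):
    """Split MCE records into a per-(cpu, bank) count of lines matching the
    correctable pattern and a list of records that do not match it."""
    correctable = Counter()
    needs_review = []
    for line in lines:
        rec = parse_mce(line)
        if rec is None:
            continue
        if rec["matches_correctable_pattern"]:
            correctable[(rec["cpu"], rec["bank"])] += 1
        else:
            needs_review.append(rec)
    return correctable, needs_review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_KERN_LOG)
    for (cpu, bank), n in sorted(counts.items()):
        print(f"CPU {cpu} bank {bank}: {n} line(s) match the correctable pattern")
    for rec in review:
        print(f"CPU {rec['cpu']} bank {rec['bank']}: bits[31:16]={rec['bits_31_16']:04x}, "
              f"status={rec['status']:016x} does not match; review separately")
```

Records in the second list only fail the 0008 test from this entry; the entry does not say what other values mean, so they need separate analysis.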
1041801-3 : TMM crashes when handling Network DNS resolver Traffic.
Links to More Info: BT1041801
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes and produces a core file.
Conditions:
-- The configuration involves a Network DNS resolver object and it receives traffic.
Impact:
Traffic disrupted while tmm restarts.
1041765-3 : Racoon may crash in rare cases
Links to More Info: BT1041765
Component: TMOS
Symptoms:
Racoon may crash when NAT Traversal is on and passing IPsec traffic in IKEv1.
Conditions:
-- IKEv1 IPsec tunnel configured
-- NAT Traversal is on in ike-peer configuration.
Impact:
Racoon will crash and any IKEv1 tunnels will restart
Workaround:
Use IKEv2 only.
1041625-2 : Virtual server flapping when the active and standby devices have different configuration.
Links to More Info: BT1041625
Component: Global Traffic Manager (DNS)
Symptoms:
The virtual server status flaps.
Conditions:
1. Virtual server auto discovery enabled.
2. Configured GTM server is configured for high availability (HA).
3. The active and standby devices have different IP addresses for the same virtual server.
Impact:
The virtual server status flaps and traffic might be interrupted.
Workaround:
Make the active and standby devices have the same configuration.
1041317-3 : MCPD delay in processing a query_all message if the update_status bit is set
Links to More Info: BT1041317
Component: TMOS
Symptoms:
When there are a significant number of virtual servers or pools, mcpd can take several seconds to respond to query_all messages if update_status is set to 1 in the message.
Conditions:
Update_status is set to 1 in the message. This could occur, for example, with the following snmp command:
snmpget -v2c -c public localhost ltmVsStatusNumber.0
Impact:
While mcpd is busy updating the status for each virtual server or pool, mcpd will not be able to respond to any messages. Control plane operations might time out.
1041137-1 : Windows Defender blocks edge client.
Component: Access Policy Manager
Symptoms:
Windows Defender prevents Edge Client from running, and Windows users cannot connect.
Conditions:
-- Microsoft Edge browser
-- Windows Defender enabled
Impact:
Windows users are unable to connect via the Edge Client.
Workaround:
N/A
1040957-3 : The ipother profile can be used with incompatible profiles in a virtual server
Links to More Info: BT1040957
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not prevent the ipother profile from being used with incompatible profiles in a virtual server.
-- Log messages such as the following in the LTM log file:
err tmm[28670]: 01010008:3: Proxy initialization failed for /Common/example_vs. Defaulting to DENY.
err tmm[28670]: 01010008:3: Listener config update failed for /Common/example_vs: ERR:ERR_ARG
-- Log messages such as the following in TMM's log file:
notice hudchain contains precluded clientside filter: IPOTHER
Conditions:
Creating or modifying a virtual server to use the ipother profile with an incompatible profile.
Impact:
Invalid configuration. TMM traffic passing does not behave the way virtual server configuration dictates it should.
Workaround:
Remove the incompatible profile(s) from the virtual server.
1040829-2 : Errno=(Invalid cross-device link) after SCF merge
Links to More Info: BT1040829
Component: Access Policy Manager
Symptoms:
A single config file (SCF) merge fails with the following error:
01070712:3: failed in syscall link(/var/system/tmp/tmsh/IHxlie/files_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1, /config/filestore/.trash_bin_d/.current_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1) errno=(Invalid cross-device link)
Conditions:
A customization group with the same name is present in both the SCF file and the BIG-IP device.
Impact:
SCF merge fails
Workaround:
None
1040817 : Users are shown the prompt to change their password even though the corresponding PSO object fetch from Active Directory fails.
Links to More Info: BT1040817
Component: Access Policy Manager
Symptoms:
Users are prompted to change their password when they should not be.
The following errors are logged into /var/log/apm:
Can't get PSO for domain 'TESTDOMAIN.LOCAL'
Failed to get maximum password age from domain 'R4.RHA-RRS.CA' for user 'testuser@TESTDOMAIN.LOCAL'
Conditions:
-- An Active Directory AAA server object with an admin account that does not have permissions to the active directory password policy.
-- An Active Directory query object configured to warn the user about password expiration
-- Attempt to logon to the virtual server with this access policy.
Impact:
Users are shown a prompt to change their password.
Workaround:
Disable the warning configuration from the Active Directory query object in the visual policy editor.
1040685 : Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier)
Links to More Info: BT1040685
Component: Advanced Firewall Manager
Symptoms:
Tmm crashes after reboot.
Conditions:
This is encountered intermittently after rebooting a blade.
Impact:
Slot usable until manual intervention. Traffic disrupted while tmm restarts.
Note: this issue happened only once and no further occurrence was reported.
1040573-1 : REST operation takes a long time when two different users perform tasks in parallel
Links to More Info: BT1040573
Component: TMOS
Symptoms:
Multiple REST (icr) requests executed in parallel by different users take an excessive amount of time.
Conditions:
Multiple iControl REST operations are performed by different users in parallel.
Impact:
BIG-IP system performance is impacted.
Workaround:
Use only one user to process the multiple requests.
OR
Use an iControl REST transaction containing multiple requests.
1040513-2 : The counter for "FTP commands" is always 0.
Links to More Info: BT1040513
Component: Application Security Manager
Symptoms:
On the FTP Statistics page, the "FTP Commands" value is always zero.
Conditions:
FTP security is applied and "FTP commands violations" is enforced.
Impact:
The FTP security does not show violations statistics regarding the FTP commands.
Workaround:
None
1040277-1 : Syslog-ng issue may cause logging to stop and possible reboot of a system
Links to More Info: BT1040277
Component: TMOS
Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may cause logging via syslog-ng to stop.
For software version 13.1 only, it may lead to BIG-IP unexpectedly rebooting due to host watchdog timeout, typically within hours to a day or two after syslog-ng hangs.
The cessation of logging happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.
At this time syslog-ng typically spins, using near 100% CPU.
Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.
A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to the stream of log messages by breaking the connection, e.g., by sending ICMP port unreachable to the BIG-IP.
Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
In the very rare event that syslog-ng hangs, the final log entry will be of a broken connection only, usually one minute after the last established/broken pair.
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.
Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable. If a remote server is not reachable remove it from the BIG-IP syslog configuration.
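The log signature described in ID 1040277 (a final 'Syslog connection broken' with no 'Syslog connection established' at the same timestamp) can be checked in /var/log/messages like this. This is an added example, not F5 code; the function names are hypothetical and the sample lines are constructed in the format of the lines quoted in the entry.

```python
import re

# Layout of the syslog-ng connection messages quoted in the entry.
CONN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\w+\s+"
    r"syslog-ng\[(?P<pid>\d+)\]:\s+"
    r"Syslog connection (?P<event>established|broken);"
    r".*?server='(?P<server>[^']+)'"
)

# Constructed sample: two normal established/broken retry pairs followed by a
# lone 'broken' line, which is the pattern the entry associates with a hang.
SAMPLE_HUNG = """\
Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
""".splitlines()

# Constructed sample: the retry loop is still running (pairs only).
SAMPLE_RETRYING = SAMPLE_HUNG[:4]


def orphan_broken(lines):
    """Return 'broken' events that have no 'established' event for the same
    syslog-ng pid and server at the same timestamp."""
    last_established = {}  # (pid, server) -> timestamp of the unmatched 'established'
    orphans = []
    for lineno, line in enumerate(lines, 1):
        m = CONN_RE.match(line)
        if m is None:
            continue
        key = (m["pid"], m["server"])
        if m["event"] == "established":
            last_established[key] = m["ts"]
        elif last_established.pop(key, None) != m["ts"]:
            orphans.append({"line": lineno, "ts": m["ts"], "server": m["server"]})
    return orphans


def hang_candidate(lines):
    """Return the orphan 'broken' event if it is also the last syslog-ng
    connection event in the log, otherwise None. This is a heuristic: it
    matches the signature in the entry but does not prove syslog-ng is hung."""
    last_conn_line = None
    for lineno, line in enumerate(lines, 1):
        if CONN_RE.match(line):
            last_conn_line = lineno
    orphans = orphan_broken(lines)
    if orphans and orphans[-1]["line"] == last_conn_line:
        return orphans[-1]
    return None


if __name__ == "__main__":
    hit = hang_candidate(SAMPLE_HUNG)
    if hit:
        print(f"line {hit['line']}: lone 'connection broken' at {hit['ts']} "
              f"for {hit['server']}; check whether syslog-ng is still logging")
    print("retrying sample:", hang_candidate(SAMPLE_RETRYING))
```

Repeating established/broken pairs on their own indicate the unreachable-destination condition from the entry, which is the point at which to apply the workaround.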
1040045-1 : Unable to delete trunk member on a VCMP guest
Links to More Info: BT1040045
Component: Local Traffic Manager
Symptoms:
After deleting a trunk member on a VCMP hypervisor, the change may not propagate to the guest.
Conditions:
-- VCMP guest
-- A trunk member that is UP
-- The trunk member is deleted on the hypervisor
Impact:
The guest does not have the current trunk information
Workaround:
Down the interface on the VCMP hypervisor before removing it:
(tmos)# modify net interface 2/3.1 disabled
(tmos)# modify net trunk trunk_1 interfaces del { 2/3.1 }
1040017-2 : Final ACK validation during flow accept might fail with hardware SYN Cookie
Links to More Info: BT1040017
Component: Local Traffic Manager
Symptoms:
With hardware SYN cookie mode enabled, final ACK validation during flow accept fails and ACK packets are dropped. Error messages such as the following are logged in the LTM logs:
"An Enforced Device DOS attack start was detected for vector TCP half-open"
Conditions:
-- Hardware SYN Cookie is enabled
-- BIG-IP is under TCP half-open attack and packet hits a CMP forwarding flow
Impact:
ACK packets are wrongly dropped, causing traffic interruption.
Workaround:
Disable hardware SYN Cookie
1039993-1 : AFM NAT Excessive number of logs "Port Block Updated" and "LSN_PB_UPDATE"
Component: Advanced Firewall Manager
Symptoms:
Although Subscriber ID is not changed, "Port Block Updated","10.10.10.29","0","10.20.20.64","0","1025","1275","","unknown" is being written in the log
Conditions:
If "Log subscriber ID" field is selected in the log profile, this log will be printed.
Impact:
Excessive log messages occur.
Workaround:
If you deselect "Log subscriber ID" field in log profile, this message will not be written. Note that this workaround may impact other messages related to subscriber ID.
1039941-1 : [WIN]Webtop offers to download f5vpn when it is already installed
Links to More Info: BT1039941
Component: Access Policy Manager
Symptoms:
A pop-up window shows up and requests to download the client component.
Conditions:
Either of these conditions can trigger it:
#1
-- Network Access configured and webtop type to "Network Access"
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]
#2
-- Network Access (auto launch) and webtop configured
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]
Impact:
End users are unable to use the browser-based VPN.
Workaround:
Any of these workarounds will work:
-- Use Internet Explorer
-- Do not configure Network Access auto launch or "Network Access" for the webtop type
-- Insert the message box between Client Inspection (Machine info, etc.) and "Resource Assignment" on the VPE
-- Ignore the message (click "Click here"), and it allows you to move on to the next step
1039633 : A signature match is not highlighted correctly under certain conditions
Links to More Info: BT1039633
Component: Application Security Manager
Symptoms:
A signature match is not highlighted correctly under certain conditions in the request log
Conditions:
A long signature match
Impact:
Some confusion and misunderstanding.
Workaround:
N/A
1039277-2 : TMM core
Links to More Info: BT1039277
Component: Local Traffic Manager
Symptoms:
Tmm crashes while passing traffic
Conditions:
- http virtual server
- httprouter
- http2 profile
Impact:
Traffic disrupted while tmm restarts.
1039145-5 : Tenant mirroring channel disconnects with peer and never reconnects after failover.
Links to More Info: BT1039145
Component: Local Traffic Manager
Symptoms:
`tmctl -d blade ha_stat` shows missing mirroring connections.
Conditions:
This occurs with high availability (HA) pair. This is a VELOS hardware-specific issue.
Impact:
High availability (HA) mirroring does not function correctly.
Workaround:
N/A
1038449-1 : Crash is observed on MCP due to SIGABRT on process_free
Links to More Info: BT1038449
Component: TMOS
Symptoms:
Mcpd crashes.
Conditions:
LTM Virtual Edition (ESX) running 14.1.4 w/ EHF 0.188.11
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
None
1038057-3 : Unable to add a serverssl profile into a virtual server containing a FIX profile
Links to More Info: BT1038057
Component: Service Provider
Symptoms:
You are unable to configure a virtual server to use server SSL encryption with FIX protocol messages.
Conditions:
This is encountered when serverssl needs to be configured for FIX profiles
Impact:
You are unable to assign a server-ssl profile to the virtual server.
Workaround:
None
1037877-1 : OAuth Claim display order incorrect in VPE
Links to More Info: BT1037877
Component: Access Policy Manager
Symptoms:
In the visual policy editor (VPE), it is difficult to re-order custom previously created Claims in the oAuth Authorization agent.
The following error is thrown in the developer tools screen of the client browser:
common.js?m=st&ver=15.1.2.1-0.0.10.0:902 Uncaught TypeError: Cannot read property 'row' of undefined
at Object.common_class.swap (common.js?m=st&ver=15.1.2.1-0.0.10.0:902)
at multipleObjectsSelectionCBDialogue_class.swapEntries (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263)
at HTMLAnchorElement.<anonymous> (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185)
common_class.swap @ common.js?m=st&ver=15.1.2.1-0.0.10.0:902
multipleObjectsSelectionCBDialogue_class.swapEntries @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263
(anonymous) @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185
Conditions:
-- There are at least two claims in Access :: Federation : OAuth Authorization Server : Claim
-- You are attempting to reorder the claims in the visual policy editor
Impact:
It is not possible to re-order the claims
Workaround:
None
1037645-3 : TMM may crash under memory pressure when using iRule 'AES::key' command
Links to More Info: BT1037645
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates core file.
Conditions:
-- TMM is under memory pressure
-- iRule using 'AES::key' command
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1037153-4 : iRule "log" command to remote destinations may cause TMM to leak memory
Links to More Info: BT1037153
Component: Local Traffic Manager
Symptoms:
TMM leaks memory in the errdefs component.
TMM may leak memory in the xdata and xhead components if the system does not have routes to the specified syslog servers.
Conditions:
-- iRule that uses "log" to target a remote destination, e.g.: "log 192.0.2.1 'log message'"
Impact:
TMM leaks memory.
Eventually, TMM may disrupt legitimate connections as a result of memory pressure, or even crash and restart.
Workaround:
One of the following:
1. Log to local syslog, and configure syslog-ng to log to remote servers.
2. Use High-Speed Logging (https://clouddocs.f5.com/api/irules/HSL.html), instead of the "log" command.
1036969-4 : Chrome sometimes ignores cross-site bot-defense cookies
Links to More Info: BT1036969
Component: Application Security Manager
Symptoms:
Chrome ignores cross-site bot-defense cookies when bot-defense is sending 307 redirect.
Conditions:
A site is using another site/domain resources that are also protected by bot-defense
Impact:
The other site/domain resource will not display correctly on Chrome
Workaround:
iRule workaround based on: https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM.
Or, disable simple redirect via TMSH:
tmsh modify sys db dosl7.proactive_defense_simple_redirect { value "disable" }
tmsh modify sys db dosl7.proactive_defense_simple_redirect_on_grace { value "disable" }
1036613-4 : Client flow might not get offloaded to PVA in embryonic state
Links to More Info: BT1036613
Component: TMOS
Symptoms:
The client flow is not offloaded in embryonic state; it is only offloaded once the flow transitions to an established state.
Conditions:
-- FastL4 profile configured to offload TCP connections in embryonic state (this is the default)
-- Clientside and serverside ingress traffic is handled by different TMMs
-- Running on a platform with multiple HSB modules per TMM, i.e.:
--+ BIG-IP i11600 Series
--+ BIG-IP i15600 Series
Impact:
- minor performance degradation;
- PVA traffic counters show unexpectedly high values;
1036557-4 : Monitor information not seen in GUI
Links to More Info: BT1036557
Component: TMOS
Symptoms:
GUI displays "An error has occurred while trying to process your request" when deleting/creating a monitor with the same name under the same transaction.
Conditions:
(a) Create a TCP monitor, then in a single transaction delete the TCP monitor + create an HTTP monitor with same name as the TCP monitor. Example below:
# tmsh create ltm monitor tcp <Name of the monitor>
# echo 'create cli transaction; delete ltm monitor tcp <Name of the monitor> ; create ltm monitor http <Name of the monitor>; submit cli transaction' | tmsh
# tmsh save sys config
This could also occur when reconfiguring an iApp, or changing a configuration via AS3.
(b) Log in to the GUI and click on the monitor (GUI > Local Traffic > Monitors > (Monitor created)). You will see "An error has occurred while trying to process your request".
Impact:
Unable to view monitor parameters in GUI.
Workaround:
Any one of the following workarounds helps:
- do not use the same monitor name
- do not perform the delete+create actions on a single transaction
- save and load the configuration:
tmsh save sys config && tmsh load sys config
1036541-2 : Inherited-traffic-group setting of floating IP does not sync on incremental sync
Links to More Info: BT1036541
Component: TMOS
Symptoms:
When a floating IP object is created, and its inherited-traffic-group property is set, this property does not sync to other devices.
Conditions:
This is relevant for any setup with multiple devices in a sync/failover device group.
Impact:
This will impact incremental syncing to other peers in the device group.
Workaround:
Do a full config sync if possible.
1036461-2 : icrd_child may core with high numbers of open file descriptors.
Links to More Info: BT1036461
Component: TMOS
Symptoms:
icrd_child core generated.
Conditions:
Have over 1024 open file descriptors.
Impact:
REST API usage for BIG-IP configuration will be impacted.
Workaround:
N/A
1036265-2 : Overlapping summary routes might not be advertised after ospf process restart.
Links to More Info: BT1036265
Component: TMOS
Symptoms:
Overlapping summary routes might not be advertised after ospf process restarts.
Conditions:
Add an overlapping /32 entry for a summary route and restart ospf process.
Impact:
Summary routes are not advertised.
1036169-2 : VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500".
Links to More Info: BT1036169
Component: Local Traffic Manager
Symptoms:
Guestagentd logs the message "Exit flags for PID <PID>:0x500" in the guest ltm log if the vCMP host rsync server has more than 4 currently active connections.
Conditions:
-- vCMP guest.
-- Rsync transfer frequency is 10 seconds between vCMP guest and vCMP host.
-- more than 4 vCMP guests.
Impact:
Guest LTM logs fill with "Exit flags for PID <PID>: 0x500".
Workaround:
N/A
1036097-2 : VLAN failsafe does not trigger on guest
Links to More Info: BT1036097
Component: TMOS
Symptoms:
VCMP guest VLAN failsafe does not trigger as expected.
Conditions:
-- VCMP host configured
-- VLAN failsafe enabled on a VLAN
-- One or more VCMP guests enabled that use that VLAN.
-- A trunk member of a trunk connected to the vCMP guest is flapping.
Impact:
Since the neighbor messages for the IPv6 link-local addresses continue to be successfully passed from host to guest upon a trunk member change, VLAN failsafe does not trigger even if the upstream switch that is connected to the VLAN goes down.
Workaround:
None
1036093-2 : Tmm sends out neighbor advertisements for the link local addresses even if IPv6 is disabled
Links to More Info: BT1036093
Component: Local Traffic Manager
Symptoms:
When a trunk member state changes and IPv6 is disabled, BIG-IP still sends neighbor advertisements for the link-local addresses on each VLAN
Conditions:
- IPv6 is disabled (ipv6.enabled=false)
- change in a trunk member state occurs
Impact:
Link-local addresses are still in the vaddr hash even after ipv6 is disabled.
1036057-3 : Add support for line folding in multipart parser.
Links to More Info: BT1036057
Component: Application Security Manager
Symptoms:
RFC 2616 allowed HTTP header field values to be extended over multiple lines by preceding each extra line with at least one space or horizontal tab. This was then deprecated by RFC 7230.
The multipart parser of ASM does not support the multiple line header, so these requests cause false positives.
Conditions:
Multiline header in multipart request
Impact:
False positives.
Workaround:
None
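The effect of missing line-folding support on a multipart part header, as an added example (not F5 code): a line-by-line header parser is run over one body part with and without unfolding. The sample part and the function names are constructed for illustration.

```python
import re

# RFC 7230 "token" characters allowed in a header field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed sample: one multipart/form-data part whose Content-Disposition
# header is folded onto a second line that starts with a horizontal tab.
SAMPLE_PART = (
    b'Content-Disposition: form-data; name="upload";\r\n'
    b'\tfilename="report.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
)


def parse_part_headers(part, unfold):
    """Return (headers, rejected_lines) for one multipart body part."""
    head, _, _body = part.partition(b"\r\n\r\n")
    if unfold:
        # obs-fold: CRLF followed by at least one SP or HTAB continues the
        # previous field value; replace the fold with a single space.
        head = re.sub(rb"\r\n[ \t]+", b" ", head)
    headers, rejected = {}, []
    for line in head.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            # Not a valid "name: value" line; a parser without folding
            # support ends up here for every continuation line.
            rejected.append(line)
            continue
        headers[name.decode("ascii").lower()] = value.strip().decode("latin-1")
    return headers, rejected


def filename_of(headers):
    """Extract the filename parameter from Content-Disposition, if present."""
    match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    return match.group(1) if match else None


if __name__ == "__main__":
    for unfold in (False, True):
        headers, rejected = parse_part_headers(SAMPLE_PART, unfold)
        print(f"unfold={unfold}: filename={filename_of(headers)!r} rejected={rejected}")
```

Without unfolding, the continuation line is treated as a malformed header and the filename parameter is lost, which is the kind of mismatch that surfaces as a false positive.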
1036013-1 : BIG-IP systems may terminate connections prematurely when a TLS close-notify alert is received
Links to More Info: BT1036013
Component: Local Traffic Manager
Symptoms:
When a backend server sends a TLS close-notify alert, BIG-IP may terminate the connection prematurely without forwarding the HTTP response.
Conditions:
ServerSSL receives a TLS Close-notify alert after a TLSv1.3 session is established.
Impact:
Server responses may be dropped.
Workaround:
Use TLSv1.2.
1036009-1 : Fix DPDK RSS configuration settings
Component: TMOS
Symptoms:
When using DPDK driver and multiqueue, only TCP traffic will get hashed and distributed between different TMMs
Conditions:
- DPDK driver is being used
- Multiqueue is enabled and in use
For a list of NICs that use dpdk see K17204: BIG-IP VE NIC adapters that support SR-IOV, available at https://support.f5.com/csp/article/K17204
Impact:
UDP traffic will get funneled to only a single TMM causing excess CPU usage on that TMM
Workaround:
Disable multiqueue
1035757-2 : iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_*
Links to More Info: BT1035757
Component: Local Traffic Manager
Symptoms:
After restarting the ilx plugin, new tmplugin_ilx_rpc_* stat files are being created, but old files are not being deleted.
Conditions:
- ilx configured
- ilx plugin restarted
Impact:
The presence of too many of these leftover files might prevent merged from rolling up stats and providing graphs, and cause errors such as:
err merged[8523]: 011b0900:3: TMSTAT error tmstat_remerge: Cannot allocate memory.
Workaround:
Delete stale tmplugin_ilx_* files manually
1035661-1 : REST Requests return 401 Unauthorized when using Basic Auth
Links to More Info: BT1035661
Component: TMOS
Symptoms:
REST Requests are intermittently failing with a 401 error.
The restjavad-audit.*.log shows these requests are closely preceded by a 503 response from /mgmt/tm/auth/source.
Conditions:
Triggered when a REST request comes in using Basic Auth while an asynchronous task is executing on the BIG-IP.
An example of an asynchronous task is the BIG-IP processing an AS3 declaration.
Impact:
REST requests will fail with a misleading response code and for no readily apparent reason.
Workaround:
Use token based authentication for REST requests.
1035361-5 : Illegal cross-origin after successful CAPTCHA
Component: Application Security Manager
Symptoms:
With CAPTCHA enabled locally on BIG-IP as a brute force mitigation, CAPTCHA appears after the configured number of login attempts, but after passing the CAPTCHA successfully the user receives a support ID with a cross-origin violation.
Conditions:
- brute force with CAPTCHA mitigation enforced on login page.
- cross-origin violation is enforced on the login page.
- user fails to log in until CAPTCHA appears
- user inserts the CAPTCHA correctly
Impact:
- blocking page appears.
- on the event log cross-origin violation is triggered.
Workaround:
- disable cross-origin violation enforcement.
1035121-1 : Configsync syncs the node's monitor status
Links to More Info: BT1035121
Component: TMOS
Symptoms:
After config sync, nodes may be marked down when they are up, even if the monitor determines that the node is up.
The logs will show something similar to :
notice mcpd[8091]: 010714a0:5: Sync of device group /Common/device_trust_group to commit id 1 6986973310536375596 /Common/xxxxxxxx 1 from device /Common/yyyyyyyy
notice mcpd[8091]: 01070640:5: Node /Common/node1 address 10.10.100.1 monitor status down. [ /Common/icmp: up ] [ was up for 0hr:3mins:15sec ]
notice mcpd[8091]: 01070640:5: Node /Common/node2 address 10.10.100.2 monitor status down. [ /Common/icmp: up ] [ was up for 0hr:3mins:15sec ]
The node/pool member/pool/virtual server will be marked down.
Checking the actual monitor shows that it is up, and tcpdump shows successful monitor transactions.
Conditions:
1. Two or more devices in a sync/failover device group
2. The config sync from-device has marked nodes down
3. A config sync occurs
This can occur on both incremental and full config sync.
Impact:
The node's monitor status is synced to the peer device. If the from-device's monitor was unable to reach the nodes and was marking the nodes as DOWN, then the node status will be set to DOWN on the other device, even if the monitor is successfully connecting to the node. This can cause a traffic disruption.
Note: the opposite can occur, where a "node up" status is sent to a device whose monitor is failing to connect to the nodes due to a network issue.
Workaround:
If a device is in this state, you can work around this issue by doing one of the following:
-- Save and reload the configuration on the device with the bad state
tmsh save sys config && tmsh load sys config
-- Perform a full-load sync from the peer device to the affected device:
(On the peer) tmsh run cm config-sync force-full-load-push to-group group-name
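A log check for the symptom described above, as an added example (not an F5 tool): it scans /var/log/ltm text for node status lines where the node is marked down while every listed monitor reports up, and attaches the most recent config-sync source device. The regular expressions are derived only from the sample messages in this entry; the node3 line is a constructed control.

```python
import re

# Constructed input: the first three lines are the mcpd messages quoted in the
# entry above; the node3 line is a made-up control where the monitor agrees.
SAMPLE_LTM_LOG = """\
notice mcpd[8091]: 010714a0:5: Sync of device group /Common/device_trust_group to commit id 1 6986973310536375596 /Common/xxxxxxxx 1 from device /Common/yyyyyyyy
notice mcpd[8091]: 01070640:5: Node /Common/node1 address 10.10.100.1 monitor status down. [ /Common/icmp: up ] [ was up for 0hr:3mins:15sec ]
notice mcpd[8091]: 01070640:5: Node /Common/node2 address 10.10.100.2 monitor status down. [ /Common/icmp: up ] [ was up for 0hr:3mins:15sec ]
notice mcpd[8091]: 01070640:5: Node /Common/node3 address 10.10.100.3 monitor status down. [ /Common/icmp: down ] [ was up for 0hr:3mins:15sec ]
"""

SYNC_RE = re.compile(r"010714a0:\d+: Sync of device group (\S+) .* from device (\S+)")
NODE_RE = re.compile(
    r"01070640:\d+: Node (\S+) address (\S+) monitor status (\w+)\. (.*)$"
)
# Matches "[ /Common/icmp: up ]" but not "[ was up for ... ]".
MONITOR_RE = re.compile(r"\[ (/\S+): (\w+)")


def find_synced_status_mismatches(log_text):
    """Return nodes marked down although all of their monitors report up."""
    findings = []
    last_sync_source = None  # device named in the latest sync message, if any
    for line in log_text.splitlines():
        sync = SYNC_RE.search(line)
        if sync:
            last_sync_source = sync.group(2)
            continue
        node = NODE_RE.search(line)
        if not node:
            continue
        name, address, status, rest = node.groups()
        monitors = MONITOR_RE.findall(rest)
        # The contradiction of interest: overall status is down, yet every
        # monitor listed in the same message reports up.
        if status == "down" and monitors and all(s == "up" for _, s in monitors):
            findings.append(
                {"node": name, "address": address, "synced_from": last_sync_source}
            )
    return findings


if __name__ == "__main__":
    for finding in find_synced_status_mismatches(SAMPLE_LTM_LOG):
        print(finding)
```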
1035017-3 : Remove unused CA-bundles
Component: TMOS
Symptoms:
Some of the certificate bundles shipped on BIG-IP devices are not used and aren't updated. In particular, there are legacy bundles which aren't needed.
Conditions:
This affects certain internal certificate bundles on the BIG-IP file system:
Impact:
There is a chance that there might be failures when "internal certificates" expire.
Workaround:
None
1034953-1 : In explicit proxy, HTTP_STATCODE missing from syslog
Links to More Info: BT1034953
Component: Local Traffic Manager
Symptoms:
HTTP_STATCODE missing from logs captured using request logging profile when HTTP request is made to explicit proxy virtual server.
Conditions:
- Configure explicit proxy virtual server
- Apply request logging on the same virtual server
- Send HTTP request to connect to a Host via the explicit virtual server
Impact:
HTTP_STATCODE not found in the logs captured from request logging
1034865-4 : CACHE::enable failed on private/no-store content
Links to More Info: BT1034865
Component: Local Traffic Manager
Symptoms:
BIG-IP can cache HTTP responses with the RAMCACHE feature. When a response has either "Cache-Control: private" or "Cache-Control: no-store", the CACHE::enable setting allows the content to be cached. This option was removed when a fix to ID 360047 was introduced.
Conditions:
-- A virtual server has a web-acceleration profile without a policy.
-- An iRule has CACHE::enable command, overwriting Cache-Control header's values "no-store" and/or "private".
Impact:
BIG-IP always requests a response from the origin web server even when a response is cacheable, putting extra load on the origin web server.
1034509-3 : Sensor read errors on VIPRION C2200 chassis
Links to More Info: BT1034509
Component: TMOS
Symptoms:
Due to LOP sensor read errors, the command 'tmsh show sys hardware' can list an RPM of 0 for some chassis fans.
Conditions:
- Running a C2200 VIPRION chassis
- Other conditions unknown
Impact:
Messages such as the following appear in /var/log/ltm:
warning chmand[7629]: 012a0004:4: hal_if_media_poll: media SVC exception: media: getLopReg error
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis fan 1, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis fan 2, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis fan 3, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis fan 4, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
warning chmand[7629]: 012a0004:4: getLopReg Sock error: send to lopd failed [lopd addr:/var/run/lopdsvr] [client addr:/var/run/hwctl.hal.sock] (errno:2) No such file or directory
warning chmand[7629]: 012a0004:4: GET_STAT failure (status=0xc) page=0x21 reg=0x50
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis 3.3V main voltage, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
notice chmand[7629]: 012a0005:5: Tmstat::updateSensorTbls: HAL SenSvc error: send to lopd failed [lopd addr:/var/run/lopdsvr] [client addr:/var/run/hwctl.hal.sock] (errno:2) No such file or directory
warning chmand[7629]: 012a0004:4: getChassisPwrSup err: send to lopd failed [lopd addr:/var/run/lopdsvr] [client addr:/var/run/hwctl.hal.sock] (errno:2) No such file or directory
warning chmand[7629]: 012a0004:4: getChassisPwrSup err: send to lopd failed [lopd addr:/var/run/lopdsvr] [client addr:/var/run/hwctl.hal.sock] (errno:2) No such file or directory
'tmsh show sys hardware' will list an RPM of 0 for chassis fans affected by the sensor read errors.
Workaround:
No workaround currently known.
1034009-2 : CGNAT+Subscriber Discovery - NAT IP with wrong route domain on the CGNAT Log
Links to More Info: BT1034009
Component: Carrier-Grade NAT
Symptoms:
The route domain ID for the translated IP is incorrect in the log message.
Conditions:
This issue is seen when different route domains are configured for incoming and outgoing traffic.
Impact:
Log messages will have an incorrect domain-id.
Workaround:
None
1033969-1 : MPLS label stripping needs next protocol indicator
Links to More Info: BT1033969
Component: TMOS
Symptoms:
MPLS label stripping does not participate in the MPLS control-plane, and MPLS does not have a next protocol indicator.
Conditions:
This is encountered when attempting to pass IPv6 packets to GRE-encapsulated MPLS on BIG-IP systems.
Impact:
GRE/MPLS packets with IPv6 traffic encapsulated are not forwarded to the egress VLAN.
Workaround:
None
1033897-2 : DNSSEC keys generated independently are still in use after GTM sync
Links to More Info: BT1033897
Component: Global Traffic Manager (DNS)
Symptoms:
If GTM sync is broken around DNSSEC key rollover time and two devices generate a DNSSEC key independently, the key is still used for generating a DNSSEC signature after DNS config sync resumes.
Conditions:
-- iQuery connection broken between BIG-IP DNS devices during DNSSEC key rollover
-- A DNSSEC key is generated independently on the two affected devices
-- iQuery connection re-established, config sync resumes, and the DNSSEC key is overwritten on one device
Impact:
-- TMM continues using the old key for DNSSEC signatures
-- Different key in the running config than what is used for generating DNSSEC signatures.
-- Possibly invalid DNSSEC data in DNS caching resolvers.
Workaround:
Restart tmm on the affected device:
tmsh restart sys service tmm
1033689-3 : BGP route map community value cannot be set to the required range when using AA::NN notation
Links to More Info: BT1033689
Component: TMOS
Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component when using AA::NN notation.
Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535 using AA::NN notation
Impact:
Unable to use the full range of BGP route map community values.
Workaround:
None
1033537-2 : Cookie persistence profile only examines the first cookie.
Links to More Info: BT1033537
Component: Local Traffic Manager
Symptoms:
The cookie persistence profile does not process multiple cookies with the same name. If the first cookie is not valid for the selected pool, or fails to decrypt when encryption is enabled, processing stops, even if there are other cookies of the same name.
Conditions:
-- Virtual server with an HTTP profile and a cookie persistence profile.
-- Multiple cookies with the same name arrive from the client.
They can appear in a single Cookie header or two separate headers.
-- This can occur with cookie encryption enabled or disabled.
Impact:
Only the first cookie is evaluated.
Workaround:
Do not use cookie persistence profile.
1033333-2 : FIPS: importing a stub SSL key file results in 2 keys that share the same FIPS device
Links to More Info: BT1033333
Component: TMOS
Symptoms:
The 'tmsh list sys crypto key' command lists multiple keys with the same FIPS ID.
Conditions:
-- BIG-IP using a FIPS HSM
-- Import the stub FIPS key file contents (the filestore certificate_key file object) into the system as a new file object.
Impact:
Two objects point to the same key stored in the FIPS HSM. If one of the two objects is deleted, the key stored in the HSM will be deleted. This will result in traffic failures, i.e. TLS handshake failures.
Workaround:
Do not create a second MCP SSL key object by importing the stub key file content from the filestore.
1033025-3 : TMM might crash when unsupported bot iRule is used
Links to More Info: BT1033025
Component: Application Security Manager
Symptoms:
TMM crashes.
Conditions:
Bot defense iRule with async commands is attached to virtual server, for example:
when BOTDEFENSE_ACTION {
    after 7000 {
        if { ([BOTDEFENSE::device_id] eq "0") } {
            log local0. "Violations Names: [BOTDEFENSE::device_id];"
            BOTDEFENSE::action browser_challenge
        }
    }
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1033017-5 : Policy changes learning mode to automatic after upload and sync
Links to More Info: BT1033017
Component: Application Security Manager
Symptoms:
When newly created policies are synchronized, the learning states of the policies are different.
Conditions:
-- Active/Active high availability (HA) setup in sync-failover device group with ASM enabled.
-- Sync a new policy configured with disabled/manual learning mode.
Impact:
Learning mode changes from disabled to automatic on peer device after sync, so learning modes differ on the peer devices.
Workaround:
1. On the peer device, change the learning mode to disabled.
2. Push sync from the originator device.
Both devices are then in sync and policies have the same learning mode (disabled), so operations complete as expected.
1032921-2 : VCMP Guest CPU usage shows abnormal values at the Host
Links to More Info: BT1032921
Component: TMOS
Symptoms:
CPU usage is represented as 100% for each CPU core, so, for instance, top may report CPU usage above 100% for a two-CPU system, given that in that case 200% would actually represent the full CPU capacity.
Here, for vCMP with 'n' CPUs, more than n*100% is reported for CPU utilization.
Conditions:
VCMP provisioned on BIG-IP
Impact:
CPU utilization is incorrectly shown.
Workaround:
NA
1032821-4 : Syslog: invalid level/facility from /usr/libexec/smart_parse.pl
Links to More Info: BT1032821
Component: TMOS
Symptoms:
When the smart_parse.pl script is run and finds a disk error, it attempts to log an error with an incorrect syslog level.
Conditions:
Run smart_parse.pl on a BIG-IP platform with a disk error.
Impact:
When this script is run (usually as a cron job) the following message occurs:
syslog: invalid level/facility: error at /etc/cron.daily/pendsect line 194.
Workaround:
None.
1032761-1 : HA mirroring may not function correctly.
Links to More Info: BT1032761
Component: TMOS
Symptoms:
-- High availability (HA) mirroring might not function correctly.
-- Health monitors might fail intermittently (though this symptom is not always seen).
-- Application response latency might increase slightly.
-- Running 'tmctl -d blade tmm/sdaglib_hash_table' on the BIG-IP tenant shows a different sequence of values in the hash table when compared to the output of "show dag-states" in the F5OS Partition CLI. (Though the former renders the values using zero-based indexing, while the latter uses one-based indexing.)
Conditions:
-- VELOS chassis in use.
-- High availability (HA) pair is formed using BIG-IP tenants.
-- 'tmsh list cm device mirror-ip' shows a mirror-ip set for each BIG-IP.
-- sys db statemirror.clustermirroring is set to 'between'.
Impact:
High availability (HA) mirroring might not function correctly.
Degraded application traffic.
Workaround:
None.
To recover, set sys db statemirror.clustermirroring to 'within' and restart tmm on all slots of the affected tenant.
1032257-3 : Forwarded PVA offload requests fail on platforms with multiple PDE/TMM
Links to More Info: BT1032257
Component: TMOS
Symptoms:
Forwarded PVA requests use a static bigip_connection that does not have its pva_pde_info initialized, which results in offload failure on platforms that have multiple PDEs per TMM.
Conditions:
pva_pde_info is not initialized and forwarded PVA requests occur.
Impact:
Hardware offload does not occur.
1032013-1 : Traffic source port is changing on egress
Component: Local Traffic Manager
Symptoms:
Unidirectional gre/tb traffic with port info (tcp & sctp) is being processed using GRE round robin (sys db dag.roundrobin.gre enabled). Traffic is processed by all tmms. Egress traffic from all but one tmm has a modified source port and the pool member does not recognize the traffic.
Conditions:
Gre/tb ingress to BIG-IP configured for gre dag roundrobin.
Impact:
Unable to implement gre/tb.
Workaround:
Either of the following resolves the immediate issue but would badly impact performance:
- disable rr-dag on the ingress vlans and disable both sys db iptunnel.ether_nodag and dag.roundrobin.gre.
- configure preserve strict on the virtual server and immediate timeout on the fastl4 profile
1031945-2 : DNS cache configured and tmm stuck in 'not ready' state indefinitely after TMM restart or reboot★
Links to More Info: BT1031945
Component: Global Traffic Manager (DNS)
Symptoms:
Clusterd reports "TMM not ready" right after "Active"
Jun 23 18:21:14 slot2 notice sod[10084]: 010c0019:5: Active
Jun 23 18:21:14 slot2 notice clusterd[10920]: 013a0019:5: Blade 2 turned Yellow: TMM not ready
All blades are showing 'unavailable'
Conditions:
1. Multiple dns cache-resolver and/or net dns-resolver objects configured with names that only differ in letter case, e.g. /Common/example-dns-cache and /Common/Example-DNS-cache
2. Occurs after rebooting/upgrading
Impact:
The system remains inoperative.
1031673 : TLS 1.3 cipher suites listed in the wrong order on GUI and TMSH.
Links to More Info: BT1031673
Component: Local Traffic Manager
Symptoms:
Some TLS 1.3 cipher suites are at the end of the list when they should be at the beginning.
Conditions:
Configure Cipher rules with TLS1.3 cipher suites.
Impact:
TLS 1.3 cipher suites are listed in the wrong order.
1031585 : Failover due to TMM crash
Links to More Info: BT1031585
Component: Application Visibility and Reporting
Symptoms:
TMM crashed.
Conditions:
This occurs while passing traffic.
Impact:
Traffic disrupted while tmm restarts.
1031461-5 : Session awareness entries aren't mirrored to both sides of an active-active deployment.
Component: Application Security Manager
Symptoms:
Session awareness entries aren't mirrored to both sides of an active-active deployment.
Session db entries remain in the bd (ASM) daemon until manually removed.
Conditions:
- ASM provisioned
- Security policy attached to a virtual server
- Session tracking and Login Page enabled in the policy
Impact:
ASM session tracking feature isn't properly functioning on active-active deployment.
1031117-3 : The mcpd error for virtual server profiles incompatible needs to have more details
Links to More Info: BT1031117
Component: TMOS
Symptoms:
The mcpd error message MCPDERR_VIRTUAL_SERVER_INCOMPAT_PROFILE_PROTO currently has text that does not provide detailed information.
The error text should also list which profile is problematic, and the protocol that the virtual server is using. This will help Support pinpoint the issue much faster.
Conditions:
- Configure a virtual server with a profile that is invalid for its protocol.
Impact:
The error text does not list which profile is problematic or the protocol that the virtual server is using.
Workaround:
None.
1031025-1 : Nitrox 3 FIPS: Upgrade from v12.1.x to v14.1.x results in new .key.exp files for the FIPS keys created before upgrade.★
Links to More Info: BT1031025
Component: TMOS
Symptoms:
During upgrade from v12.1.x to v14.1.x, a new ".key.exp" export file is created for the FIPS keys present in the card.
Conditions:
This happens during the upgrade from v12.1.x to v14.1.x for existing keys with a ".key" extension in the label.
It occurs only if the key is deleted/not present in the FIPS card (e.g. a faulty card), and BIG-IP has the configuration / metadata for the missing keys.
Impact:
The upgrade fails while loading the configuration.
Workaround:
Delete the missing key's configuration from config file, then perform the upgrade.
1030533-3 : The BIG-IP system may reject valid HTTP responses from OCSP servers.
Links to More Info: BT1030533
Component: Local Traffic Manager
Symptoms:
When this happens, the BIG-IP system can be seen closing the TCP connection to the OCSP server prematurely (for instance, as soon as the HTTP response headers are received, before the response body is transmitted).
If log.keymgmtd.level is set to debug, an error similar to the following example will be logged to the /var/log/ltm file:
Jun 22 14:40:08 bigip1.local debug tmm[9921]: 01a40004:7: OCSP validation result of certificate(/config/filestore/files_d/Common_d/certificate_d/:Common:endpoint-intermediate_69993_1): OCSP response - (connection - HTTP error), certificate status - (error), lifetime - 10.
Conditions:
The server uses a Content-Type HTTP header in its response that isn't just "application/ocsp-response" (for instance, it may include a charset specification after that string, or the string may use a mix of uppercase and lowercase letters).
Impact:
Valid HTTP responses from OCSP servers are rejected. OCSP stapling and OCSP validation are not available on the BIG-IP system.
Workaround:
If you control the OCSP server and are able to customize its HTTP response headers, setting the Content-Type to simply "application/ocsp-response" (all lowercase) is a workaround for this issue.
Otherwise, no workaround exists.
1030237-3 : Zxfrd core and continual restart when out of configured space
Links to More Info: BT1030237
Component: Global Traffic Manager (DNS)
Symptoms:
Zxfrd is in restart loop and occasionally cores.
Conditions:
Zxfrd is out of the configured space.
Impact:
DNS Express and RPZ do not work properly.
Workaround:
1. Locate any zone that is suspiciously large and delete that zone from dns zones if unexpected.
2. Allocate more space for zxfrd using dnsexpress huge pages.
tmsh modify sys db dnsexpress.hugepages { value "8000" }
8000 should be adjusted accordingly.
1030185-2 : TMM may crash when looking up a persistence record using "persist lookup" iRule commands
Links to More Info: BT1030185
Component: Local Traffic Manager
Symptoms:
Tmm may crash with a SIGSEGV when looking up a persistence record in an iRule when using the "any" flag
Conditions:
-- The persistence entry exists on a virtual server other than the virtual server the iRule is configured on.
-- The iRule contains [persist lookup source_addr "[IP::client_addr] any"]
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Discontinue the use of the "any" flag in the persist lookup iRule.
1030133-4 : BD core on XML out of memory
Links to More Info: BT1030133
Component: Application Security Manager
Symptoms:
Missing error handling in lib xml parser.
Conditions:
XML parser going out of memory.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None
1029989-3 : CORS : default port of origin header is set 80, even when the protocol in the header is https
Component: Application Security Manager
Symptoms:
Destination port is set to 80, instead of 443, for an Origin header value that has https in the scheme field.
This causes unexpected "Illegal cross-origin request" violation.
Conditions:
- Using CORS enforcement where you allow HTTPS and port 443 for an origin name
- The Origin header value has https in the scheme
- The Origin header value does not specify a non-default port number
Impact:
Unexpected "Illegal cross-origin request" violation.
Workaround:
Allow port 80 or use 'any' for the given origin name.
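How the default-port choice changes the CORS decision, as an added example (not ASM code): the origin is reduced to a (scheme, host, port) tuple and compared with an allow list, once with scheme-based defaults and once modelling the behaviour described above. The host name, the allow-list layout and the legacy_default_80 switch are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed allow lists: (scheme, host, port); port may be the string "any".
ALLOWED = [("https", "app.example.com", 443)]
ALLOWED_WORKAROUND_ANY = [("https", "app.example.com", "any")]
ALLOWED_WORKAROUND_80 = [("https", "app.example.com", 80)]


def origin_tuple(origin, legacy_default_80=False):
    """Reduce an Origin header value to (scheme, host, port).

    legacy_default_80=True models the behaviour described in this entry:
    a missing port is always taken as 80, whatever the scheme.
    """
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    host = parts.hostname
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError(f"not a usable http(s) origin: {origin!r}")
    port = parts.port  # None when the origin carries no explicit port
    if port is None:
        port = 80 if legacy_default_80 else DEFAULT_PORTS[scheme]
    return scheme, host.lower(), port


def is_origin_allowed(origin, allowed, legacy_default_80=False):
    """True when the origin matches an allow-list entry on all three parts."""
    try:
        scheme, host, port = origin_tuple(origin, legacy_default_80)
    except ValueError:
        return False  # "null" or malformed origins never match
    for a_scheme, a_host, a_port in allowed:
        if (scheme, host) == (a_scheme, a_host) and a_port in ("any", port):
            return True
    return False


if __name__ == "__main__":
    origin = "https://app.example.com"
    print("scheme-based default:", is_origin_allowed(origin, ALLOWED))
    print("always-80 default:   ", is_origin_allowed(origin, ALLOWED, True))
    print("workaround 'any':    ", is_origin_allowed(origin, ALLOWED_WORKAROUND_ANY, True))
```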
1029869-4 : Use of ha-sync script may cause gossip communications to fail
Links to More Info: BT1029869
Component: SSL Orchestrator
Symptoms:
Using the ha-sync script on platforms in a sync-failover device group may cause gossip communications to fail.
Conditions:
This issue occurs after using the ha-sync script on devices that are in a sync-failover device-group.
Impact:
When the gossip communications fail, SSL Orchestrator will be unable to communicate iAppLX configuration from one device to the other. This can lead to deployment failures upon redeployment of SSL Orchestrator topologies.
Workaround:
None
1029689-4 : Inconsistent username "SYSTEM" in Audit Log
Links to More Info: BT1029689
Component: Application Security Manager
Symptoms:
The Security Policy Auto Log in ASM displays the system component that triggered the event. The component name is sometimes shown as 'SYSTEM', other times shown as 'System'
Conditions:
The value is "SYSTEM" when Apply Policy was initiated locally.
The value is "System" when Apply Policy was initiated by the peer unit
Impact:
Component name inconsistency causing confusion
Workaround:
None
1029585-4 : Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync
Links to More Info: BT1029585
Component: SSL Orchestrator
Symptoms:
Use of the ha-sync script on platforms in a sync-failover device group can cause the platforms to become out of sync.
Conditions:
This can occur following the use of the ha-sync script.
Impact:
Both platforms in the sync-failover device group fall out of sync, forcing the admin to perform a device-group sync operation.
Workaround:
None
1029373-6 : Firefox 88+ raising Suspicious browser violations with bot defense
Links to More Info: BT1029373
Component: Application Security Manager
Symptoms:
Bot-defense might block legal traffic arriving from Firefox version 88
Conditions:
- ASM provisioned
- bot-defense profile assigned on a virtual server
Impact:
Legal traffic is blocked
Workaround:
tmsh modify sys db botdefense.suspicious_js_score value 60
1029173-2 : MCP daemon does not log an error message upon connection failure to PostgreSQL server.
Links to More Info: BT1029173
Component: TMOS
Symptoms:
When mcpd fails to connect to PostgreSQL, the PostgreSQL error code and message are not logged. A very generic exception is thrown when the connection is lost.
Conditions:
- AFM is provisioned.
- Mcpd fails to connect to pgsql.
Impact:
The failed connection is not logged, which makes the problem more difficult to troubleshoot.
1029069-3 : Non-ASCII characters are not displayed correctly.
Component: Local Traffic Manager
Symptoms:
Add a new IP address record with a value that includes non-ASCII characters in a data group list.
Then go back to GUI->Local Traffic ›› iRules : Data Group List and click it.
The value field does not display the entered values.
Conditions:
Adding non-ASCII characters to the value field in data group lists.
Impact:
The functioning of the address record is impacted, for example when the data group is called by an iRule.
Workaround:
Do not add non-ASCII characters to the value field.
1028473-3 : URL sent with trailing slash might not be matched in ASM policy
Component: Application Security Manager
Symptoms:
Request sent to a specific URL with added trailing slash may not be handled according to expected policy.
Conditions:
-- Request is sent with URL containing trailing slash.
-- Security policy contains the same URL, but without slash.
Impact:
URL enforcement is not done according to expected rules.
Workaround:
Add configuration for same URL with added trailing slash.
1027805-2 : DHCP flows crossing route-domain boundaries might fail.
Links to More Info: BT1027805
Component: Local Traffic Manager
Symptoms:
DHCP flows crossing route-domain boundaries might fail.
Conditions:
Example of a configuration leading to the problem:
- route-domain RD%2 with parent defined as route-domain RD%1.
- Virtual-server in route-domain RD%2.
- Pool member configured in RD%2 (sharing IP addressing with RD1)
- DHCP client connects to the virtual-server in route-domain RD%2.
- Route lookup for a pool member ends up with connection in route-domain RD%1
Impact:
The second and subsequent DHCP client requests will not be forwarded to the DHCP pool members.
Workaround:
When configuring a DHCP pool member, use the ID of the parent route-domain (the one that will be returned by a route-lookup for the pool member's IP address).
1027657-2 : Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules.
Links to More Info: BT1027657
Component: Global Traffic Manager (DNS)
Symptoms:
Inconsistent monitor intervals for resource monitoring.
Conditions:
"require M from N" monitor rules configured.
Impact:
Monitor status flapping.
Workaround:
Do not use "require M from N" monitor rules.
1027637-2 : System controller failover may cause dropped requests
Links to More Info: BT1027637
Component: TMOS
Symptoms:
A system controller failover may cause dropped requests due to a change in the CMP hash algorithm.
Conditions:
1. The system controller fails over
2. The CMP hash algorithm changes
Impact:
Incorrect CMP hash settings
Workaround:
Change the CMP hash to another setting and back
1027481-1 : 'error: /bin/haloptns unexpected error -- 768' log messages generated on A110 and D112 platforms
Links to More Info: BT1027481
Component: TMOS
Symptoms:
'error: /bin/haloptns unexpected error -- 768' message logged by system commands, including some startup scripts and the software installation process.
Running /bin/haloptns manually displays this output:
'Expected 32 bit OPTN field, found field "" instead.'
Conditions:
-- One of the following platforms:
- D112 (B10350v-F (FIPS) or B10150s-N (NEBS))
- A110 (VIPRION B4340N (NEBS) blades)
-- The system does not use RAID.
Impact:
Excessive "error: /bin/haloptns unexpected error -- 768" error messages in log files, and command output (e.g. "cpcfg").
There is no other impact, and the messages can be ignored.
Workaround:
Ignore the error messages.
1027477-1 : Virtual server created with address-list in custom partition non-RD0 does not create listener
Links to More Info: BT1027477
Component: TMOS
Symptoms:
After creating a virtual-server in a partition with a non RD0 route-domain attached, the virtual address listener does not get associated with the virtual server and the virtual address stays offline.
Conditions:
-- An address list (traffic matching criteria) is used when creating the virtual server in the GUI.
-- The virtual server is created with a route domain other than the default route domain.
Impact:
The virtual address remains in an offline state.
Workaround:
None.
1027237-4 : Cannot edit virtual server in GUI after loading config with traffic-matching-criteria
Links to More Info: BT1027237
Component: TMOS
Symptoms:
After creating a virtual server with a traffic-matching-criteria and then loading the configuration, you are unable to make changes to it in the GUI. Attempting to do so results in an error similar to:
0107028f:3: The destination (0.0.0.0) address and mask (::) for virtual server (/Common/test-vs) must be be the same type (IPv4 or IPv6).
Conditions:
-- A virtual server that has traffic-matching-criteria (i.e., address and/or port lists).
-- The configuration has been saved at least once.
-- Attempting to edit the virtual server in the GUI.
Impact:
Unable to use the GUI to edit the virtual server.
Workaround:
Use TMSH to modify the virtual server.
1026989-3 : More specific dynamic or static routes created for application traffic processing can erroneously replace the route to the management subnet.
Links to More Info: BT1026989
Component: TMOS
Symptoms:
When a dynamic or static route is instantiated for application traffic processing, protection exists at configuration-validation time to ensure that the new route does not overwrite how the management port's subnet is accessed.
To do so, the destination of the new route is compared to the management port's subnet. If the two match, the new route is only instantiated in TMM, but not in the Linux host's routing table.
The issue is this logic fails when the new route is a subset of the management port's subnet. For example, if the new route is to destination 10.215.50.0/25, and the management port's subnet is 10.215.50.0/24, the new route will be added to both TMM and the Linux host, bypassing the aforementioned protection.
Instead, the logic should check for overlapping subnets, not just strict equality.
Conditions:
- A dynamic or static route whose destination partially overlaps with the management port's subnet is added to or learnt by the system.
Impact:
A new and more specific route for part of the management port's subnet is added to the Linux host's routing table.
Part of the management port traffic can fail or be misrouted via a TMM interface.
If multiple routes of this kind are instantiated (e.g. 10.215.50.0/25 + 10.215.50.128/25), the whole management port's subnet can be overtaken.
Workaround:
Redesign your network and then reconfigure the BIG-IP system so that TMM does not need access to the management port's subnet or part of it (thus negating the need to create a route to that destination in the first place).
If this is not possible, you can temporarily resolve the issue by using the `route` or `ip` utility on the Linux host subsystem to manually fix the routing table. However, the issue will occur again the next time the problematic route is loaded or learnt by the system.
1026973-3 : Static routes created for application traffic processing can erroneously replace the route to the management subnet.
Links to More Info: BT1026973
Component: TMOS
Symptoms:
If a static route is added via "tmsh create net route" (or equivalent configuration ingestion system), and this route's destination matches the management port's subnet, the protection that prevents the new route from being propagated to the Linux kernel will initially work, but will fail after mcpd is restarted or the system is rebooted.
Conditions:
- A static route whose destination matches the management port's subnet is added to the system.
- The system is rebooted or mcpd is restarted.
Impact:
The directly-connected route for the management port's subnet appearing in the Linux host's routing table is replaced, or complemented, by a new and unnecessary route.
In either case, management port traffic can fail or be misrouted via a TMM interface.
Workaround:
Align your network and the BIG-IP system so that TMM does not need access to the management port's subnet (thus negating the need to create a route to that destination in the first place).
If this is not possible, you can temporarily resolve the issue by using the `route` or `ip` utility on the Linux host subsystem to manually fix the routing table. However, the issue will occur again the next time mcpd or the system restarts.
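The subnet comparison behind 1026989 and 1026973, as an added example (not F5 code): it contrasts the strict-equality check with an overlap check and audits a host routing table for routes that take over part of the management subnet. The function names, the interface names "mgmt" and "internal", and the sample `ip route` output are constructed assumptions; the 10.215.50.x prefixes are the ones used in the entry above.

```python
import ipaddress

# Constructed sample of `ip route show` output from the Linux host.
# Interface names "mgmt" and "internal" are assumptions.
SAMPLE_ROUTES = """\
default via 10.215.50.1 dev mgmt
10.215.50.0/24 dev mgmt proto kernel scope link src 10.215.50.20
10.215.50.0/25 via 10.1.1.254 dev internal
10.215.50.128/25 via 10.1.1.254 dev internal
10.0.0.0/8 via 10.1.1.254 dev internal
192.0.2.0/24 via 10.1.1.254 dev internal
"""


def relation(route, mgmt):
    """Relate a route destination to the management subnet.

    CIDR prefixes either nest or are disjoint, so these four cases are
    exhaustive.
    """
    r, m = ipaddress.ip_network(route), ipaddress.ip_network(mgmt)
    if r.version != m.version:
        return "disjoint"
    if r == m:
        return "equal"
    if r.subnet_of(m):
        return "more-specific"
    if r.supernet_of(m):
        return "less-specific"
    return "disjoint"


def equality_guard(route, mgmt):
    """The protection as the entry describes it: strict equality only."""
    return ipaddress.ip_network(route) == ipaddress.ip_network(mgmt)


def overlap_guard(route, mgmt):
    """The check the entry says is needed: any overlap with the subnet."""
    r, m = ipaddress.ip_network(route), ipaddress.ip_network(mgmt)
    return r.version == m.version and r.overlaps(m)


def parse_ip_route(text):
    """Yield (destination, device) pairs from `ip route show` style lines."""
    for line in text.splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue
        i = tok.index("dev")
        if i + 1 >= len(tok):
            continue
        if tok[0] == "default":
            dest = "0.0.0.0/0"
        else:
            dest = tok[0] if "/" in tok[0] else tok[0] + "/32"
        yield dest, tok[i + 1]


def audit(route_text, mgmt, mgmt_dev):
    """Find routes on a non-management device that capture management traffic.

    Only equal or more-specific prefixes are flagged: with longest-prefix
    matching, a less-specific route (for example 10.0.0.0/8) does not win
    over the connected management route. Returns the findings and the
    fraction of the management subnet those routes cover.
    """
    findings, captured = [], []
    for dest, dev in parse_ip_route(route_text):
        rel = relation(dest, mgmt)
        if dev != mgmt_dev and rel in ("equal", "more-specific"):
            findings.append({
                "dest": dest,
                "dev": dev,
                "relation": rel,
                "caught_by_equality": equality_guard(dest, mgmt),
            })
            captured.append(ipaddress.ip_network(dest))
    total = ipaddress.ip_network(mgmt).num_addresses
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(captured))
    return findings, covered / total


if __name__ == "__main__":
    found, fraction = audit(SAMPLE_ROUTES, "10.215.50.0/24", "mgmt")
    for f in found:
        print(f)
    print("management subnet covered: {:.0%}".format(fraction))
```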
1026861-1 : Live Update of Browser Challenges and Anti-Fraud are not cleaned up
Links to More Info: BT1026861
Component: TMOS
Symptoms:
When installing live updates of either Browser Challenges (ASM) or Anti-Fraud (FPS), the update file remains in the system, taking up disk space and increasing config sync size.
Conditions:
Installing Live Update files of either Browser Challenges (part of ASM) or Anti-Fraud (part of FPS).
Impact:
Increased disk size, config size, and config-sync size.
Workaround:
It is possible to manually clean up old, unused Live Update files using TMSH or REST:
tmsh delete security datasync update-file datasync-global/<file>
Important: Use caution, as deleting update-files that are in use could cause the system to go offline or get out of sync. The in-use update files can be observed under the GENERATION PROFILES section of the /var/log/datasyncd.log file.
Note: There is no auto-completion on the 'update-file' keyword.
1026813-4 : LCD IP address is missing from /etc/hosts on iSeries
Links to More Info: BT1026813
Component: Global Traffic Manager (DNS)
Symptoms:
On iSeries platforms, /etc/hosts is missing an entry for the LCD IP address, 127.4.2.2.
Conditions:
Run any iSeries appliance.
Impact:
- BIG-IP generates reverse DNS requests for the LCD.
- /var/log/touchscreen_lcd lists the IP address "127.4.2.2" as the hostname
Workaround:
Add an entry for the LCD to /etc/hosts by modifying the 'remote-host' global settings, by running the following tmsh command:
tmsh modify sys global-settings remote-host add { lcd { addr 127.4.2.2 hostname lcd } }
tmsh save sys config
Or, in the BIG-IP GUI, System >> Configuration : Device : Hosts
1026581-3 : NETFLOW/IPFIX observationTimeMilliseconds Information Element value is not populated correctly.
Links to More Info: BT1026581
Component: TMOS
Symptoms:
When logging Carrier Grade NAT Port Block Allocation (CGNAT PBA) events using NetFlow/IPFIX log destinations, if the AFM module is not enabled, the observationTimeMilliseconds Information Element value is incorrectly reported as zero in reported events.
Conditions:
Using CGNAT PBA, logging to a NetFlow/IPFIX log destination, and AFM is not enabled.
Impact:
CGNAT PBA events containing the observationTimeMilliseconds Information Element will report incorrect values for this field.
Workaround:
1) Enable AFM module, or
2) Enable lsn-legacy-mode in the log profile
1026457-1 : "Security ›› Event Logs : Protocol : FTP, SMTP" page returns a "500 Internal Server" error
Component: Application Security Manager
Symptoms:
An attempt to navigate to the "Security ›› Event Logs : Protocol : FTP, SMTP" page, results in "500 Internal Server" error
Conditions:
Attempt to navigate to the "Security ›› Event Logs : Protocol : FTP, SMTP" page
Impact:
The GUI returns a "500 Internal Server" error
and /var/log/httpd shows the following error:
"PHP Fatal error: Call to undefined function hsl_get_hsl_stats() in /var/ts/dms/policy/hsl_statistics.php on line 93"
Workaround:
Please ask the client to run the following commands:
perl /usr/share/ts/bin/asm_php_ini_munge.pl off
/etc/init.d/httpd reconfig
Then run the following command and report its output:
php -m
The output is expected not to include hsl.
Afterwards, run the following commands:
perl /usr/share/ts/bin/asm_php_ini_munge.pl on
/etc/init.d/httpd reconfig
Then run the following commands and report their output:
cat /etc/php.ini.d/asm.php.extensions.ini
php -m
1026277-3 : Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled
Component: Application Security Manager
Symptoms:
With auto-sync enabled, when multiple policies on Unit-A are replaced with policies that have Policy Builder enabled, the "Apply Policy" initiated by Policy Builder can be ignored at Unit-B. As a result, all the policies on Unit-A appear as not edited while a few policies on Unit-B appear as edited.
Conditions:
-- Using auto-sync
-- Multiple policies are replaced (imported using the replace method) at the same time
Note: bulk import/replace is only possible via Ansible (also, maybe scripting that utilizes the REST API)
-- Those imported policies have Policy Builder enabled
Impact:
Inconsistent policy state in auto-sync members
Workaround:
Make a minor update on those affected policies, then "Apply Policy" will fix the inconsistent state.
1026273-3 : HA failover connectivity using the cluster management address does not work on VIPRION platforms★
Links to More Info: BT1026273
Component: TMOS
Symptoms:
Upon upgrade to an affected version, failover communication via the management port does not work. You may still see packets passing back and forth, but the listener on the receiving end is not configured, and therefore the channel is not up.
Here are a few symptoms you may see:
-- Running 'tmsh show cm failover-status' shows a status of 'Error' on the management network.
-- Running 'tmctl' commands reports the disconnected state:
Example:
$ tmctl -l sod_tg_conn_stat -s entry_key,last_msg,status
entry_key last_msg status
----------------------------- ---------- ------
10.76.7.8->10.76.7.9:1026 0 0 <--- Notice there is no 'last message' and 'status' is 0, which means disconnected.
10.76.7.8->17.1.90.2:1026 1623681404 1
-- Looking at the 'netstat -pan | grep 1026' command output, you do not see the management port listening on port 1026:
Example (notice that the management IP from the above example of 10.76.7.9 is not listed):
# netstat -pan | grep 1026
udp 0 0 10.10.10.10:1026 0.0.0.0:* 6035/sod
-- Listing /var/run/ contents shows that the chmand.pid file is missing:
# ls /var/run/chmand.pid
ls: cannot access /var/run/chmand.pid: No such file or directory
Conditions:
-- Running on VIPRION platforms
-- Only cluster management IP address is configured: No cluster member IP addresses are configured
-- Install a software version where ID810821 is fixed (see https://cdn.f5.com/product/bugtracker/ID810821.html)
-- Management IP is configured in the failover configuration
Impact:
If only the management IP is configured for failover or there are communication issues over the self IP (such as misconfigured port lockdown settings), then the devices may appear to have unusual behavior such as both going active.
Workaround:
-- Configure a cluster member IP address on each individual blade in addition to the Cluster management IP address.
1025965-4 : Audit role users cannot see folder properties under sys-folder
Links to More Info: BT1025965
Component: TMOS
Symptoms:
Users with auditor role cannot create, modify, or delete any data, nor can they view SSL keys or user passwords. Users with the Auditor role have access to all partitions on the system, and this partition access cannot be changed.
Conditions:
Run tmsh command to check the access under sys folder
Impact:
Tmsh does not allow sys folder component for auditor.
no-ref-check, traffic-group, device-group
1025513-3 : PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog
Links to More Info: BT1025513
Component: TMOS
Symptoms:
The following JSON content can be seen in the HTTP 401 response. (By looking at the capture or RESTful client)
{"code":401,"message":"Authorization failed: no user authentication header or token detected. Uri:http://localhost:8100/mgmt/tm/ltm/pool/?expandSubcollections=true Referrer:<ip_address> Sender:<ip_address>,"referer":<ip_address>,"restOperationId":12338804,"kind":":resterrorresponse"}
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.
Conditions:
High concurrent authentication attempts may trigger this issue. For example, opening a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), and then closing the connection. If done frequently enough, there is an occasional authentication failure.
Impact:
This intermittent auth issue results in the failure of some auth requests.
Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to rerun the auth request.
For automation tools, please use token-based authentication.
1025261-1 : When restjavad.useextramb is set, java immediately uses more resident memory in linux
Links to More Info: BT1025261
Component: TMOS
Symptoms:
When restjavad.useextramb is set, java immediately reserves more memory and the process size (RSS) increases.
Conditions:
When restjavad.useextramb is set and provision.extramb is set to a non-default value.
Impact:
The restjavad process will use more RSS.
Workaround:
Revert the restjavad.useextramb value or set provision.extramb higher to compensate.
1025089-4 : Pool members marked down by database monitor due to stale cached connection
Links to More Info: BT1025089
Component: Local Traffic Manager
Symptoms:
By default, BIG-IP database monitors (mssql, mysql, oracle, postgresql) are configured to keep a connection to the database server open between monitor probes to avoid the overhead of establishing the network connection to the database server for each query operation.
If this cached network connection times out or is dropped by the database server, it is marked as "stale" when the next probe occurs, and a new connection is made during the next scheduled monitor probe.
In the meantime, due to the lost connection, the monitored pool member may be marked DOWN until the next scheduled monitor probe. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.
Conditions:
This may occur under the following conditions:
-- GTM or LTM pool members are monitored by a database monitor, configured such that a single probe failure will mark the member DOWN. (Such configuration may be more common for GTM monitors.)
-- Either the database server times out or drops the connection for some reason, or no database monitor probes are sent to the database server within a 5 minute interval.
Impact:
-- GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.
-- High CPU utilization is observed on control plane cores.
Workaround:
To work around this issue, perform one of the following actions:
-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching/reuse of network connections to the database server between probes. Thus there is no cached connection to time out/get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe.
-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN.
1024905-3 : GTM monitor times out if monitoring a virtual server with translation address
Links to More Info: BT1024905
Component: Global Traffic Manager (DNS)
Symptoms:
GTM monitor flaps between UP and DOWN.
Conditions:
1. GTM is configured with two types of IP addresses: one IPv4 with a translated address and one IPv6 without a translated address, or the other way around.
2. The monitored resource is with the translated address of the other type. If step 1, IPV4 translated, then step with IPV4 translated address.
Impact:
Monitor flaps.
Workaround:
Configure both with a translated address.
1024757 : Adding more than three disabled log-settings to access profile causes apmd to restart
Links to More Info: BT1024757
Component: Access Policy Manager
Symptoms:
Apmd repeatedly restarts and disrupts traffic.
Conditions:
This occurs if there are four or more disabled log-settings elements assigned to an access profile.
Impact:
Apmd keeps restarting and traffic is disrupted.
Workaround:
Assign access profiles a maximum of 3 log-settings which have both "Enable Access System Logs" and "Enable URL Request Logs" options unchecked.
1024661-1 : SCTP forwarding flows based on VTAG for bigproto
Component: TMOS
Symptoms:
Sometimes SCTP traffic is unidirectionally dropped on one link after an SCTP link down occurs.
Conditions:
-- SCTP configured and BIG-IP is passing traffic
-- A link goes down
Impact:
Flow creation on the wrong TMM and some traffic is dropped.
Workaround:
Disable SCTP flow redirection.
tmm.sctp.redirect_packets == disable
1024437-4 : Urldb index building fails to open index temp file
Links to More Info: BT1024437
Component: Access Policy Manager
Symptoms:
The following error message shows up in /var/log/urldbmgr-trace.log:
THREAD: 2CDD4700; ERROR; WsFileOpen: Could not open file /var/urldb/staging/current/host.6417.byte.dat.003
THREAD: 2CDD4700; ERROR; WsIndexBuilderOpenFile: Failed to open index file /var/urldb/staging/current/host.6417.byte.dat.003.
THREAD: 2CDD4700; ERROR; WsHostIndexV7OpenFile: Failed to open Host index file /var/urldb/staging/current/host.6417.byte.dat.003.
THREAD: 2CDD4700; ERROR; WsHostIndexV7BuildProcessTempFiles: Failed to open host index temp file
As a result of this error, some requested URL category lookups return "Uncategorized".
Conditions:
The error can happen during index building after a new primary URLDB is downloaded.
Impact:
Some websites are categorized as "Uncategorized"
Workaround:
1) Stop urldbmgrd:
bigstart stop urldb urldbmgrd
2) Delete databases:
rm -rf /var/urldb/master/
rm -rf /var/urldb/rtu/
3) Start urldbmgrd:
bigstart start urldb urldbmgrd
4) Force database download:
- tmsh command: "modify sys url-db download-schedule urldb download-now true", or
- Admin GUI: Access >> Secure Web Gateway >> Database Settings >> Database Download >> Download Now
Databases will re-download and index.
1024421-3 : At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log
Links to More Info: BT1024421
Component: TMOS
Symptoms:
TMM log shows clock advancing and MPI timeout messages:
notice slot1 MPI stream: connection to node aborted for reason: TCP RST from remote system (tcp.c:5201)
notice slot1 tmm[42900]: 01010029:5: Clock advanced by 6320 ticks
Conditions:
-- pva.standby.flush DB key set to 1 (enabled). The default is 0.
-- Processing high traffic volume for some time
Impact:
Upstream switch could receive flow response from both active and standby units and cause a traffic disturbance.
1024301-3 : Missing required logs for "tmsh modify disk directory" command
Links to More Info: BT1024301
Component: TMOS
Symptoms:
When the "tmsh modify disk directory" command fails, the logs that would help find the reason for the failure are missing.
Conditions:
Attempt to resize some volumes via the "tmsh modify disk directory" command
Impact:
Unable to find the reason the volume resize failed.
Workaround:
Manually running the resize2fs command can give the reason for the failure.
1024269-3 : Forcing a file system check on the next system reboot does not check all filesystems.
Links to More Info: BT1024269
Component: TMOS
Symptoms:
Forcing a file system check on the next system reboot, as described in K73827442, does not check all filesystems. This should not be the case and is a regression compared to previous BIG-IP versions.
After the reboot, you can inspect which filesystems were checked by running the following command:
journalctl --all --no-pager | grep -i fsck
Conditions:
A BIG-IP Administrator follows the procedure to force a file system check on the next system reboot.
Impact:
Some filesystems will not be fixed, and will continue to be corrupted. This can have a number of negative consequences. For instance, enlarging a filesystem (via the 'tmsh modify sys disk directory' command) can fail when a filesystem is dirty.
Workaround:
You can boot the system from the Maintenance Operating System (MOS), and perform all needed file system check operations from there. To boot the system into MOS, simply type 'mosreboot'. Note that once the system reboots into MOS, you will need video console access (for VE systems) or serial console access (for hardware systems) to be able to run fsck and then reboot the system into a regular BIG-IP boot location.
For more information on MOS, please refer to K14245.
1024241-3 : NULL TLS records from client to BIG-IP results in SSL session termination
Links to More Info: BT1024241
Component: Local Traffic Manager
Symptoms:
After a client completes the TLS handshake with BIG-IP, when it sends a NULL TLS record, the client-to-BIG-IP SSL connection is terminated.
Conditions:
This is reported on the i7800, which has an Intel QAT crypto device.
The issue was not reported on Nitrox crypto-based BIG-IP platforms. The issue is not seen when hardware crypto is disabled.
Impact:
SSL connection termination is seen in TLS clients
Workaround:
Disable hardware crypto acceleration
1024225-2 : BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request
Links to More Info: BT1024225
Component: Local Traffic Manager
Symptoms:
BIG-IP is proxying http2 -> http1.1. In response to a HEAD request, the pool member sends a response with a "Transfer-Encoding: chunked" header but without a chunked payload. BIG-IP sends the "Transfer-Encoding: chunked" header back to the http2 client, which generates RST_STREAM, PROTOCOL_ERROR. According to RFC 7450 a proxy SHOULD remove such headers.
Conditions:
1) H2 <-> H1 is configured on virtual server
2) HEAD request over http2->http1.1 gateway getting chunked response.
Impact:
Http2 connection is reset
Workaround:
Use an iRule to remove the "Transfer-Encoding: Chunked" header from the response.
1023889-1 : HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message
Links to More Info: BT1023889
Component: Application Security Manager
Symptoms:
Protocol filter does not suppress WS/WSS server->client message.
Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests
Impact:
Remote log server receives unexpected messages
Workaround:
None
1023529-3 : FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.
Links to More Info: BT1023529
Component: Local Traffic Manager
Symptoms:
Command "tmsh show sys tmm-traffic" reports non-zero number of current connections but "tmsh show sys connection" shows nothing.
Conditions:
-- A virtual server with a fastL4 profile with infinite timeout enabled and an iRule containing the "after" command. Having the "-periodic" argument makes the problem more prominent.
-- Aggressive sweeper activated due to low memory conditions.
Impact:
Connections that were supposed to be removed by the aggressive sweeper but were waiting for completion of an iRule may end up in a state where they are not reported by "tmsh show sys connection". Because of this issue, these connections cannot be deleted manually using "tmsh del sys connection", but remain in memory. Their presence can be confirmed by the non-zero number of current connections shown by "tmsh show sys tmm-traffic". Because of the infinite timeout setting, they will not time out by themselves either.
Workaround:
N/A
1022997-4 : TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)
Links to More Info: BT1022997
Component: TMOS
Symptoms:
Deployments on AWS that use the sock driver (1NIC, for example) transmit packets with bad checksums when TSO/GSO is required. This causes significant delays as TMM re-segments the packets with correct checksums for retransmission, and may cause some operations to time out (such as configsyncs of large configurations).
Conditions:
-- BIG-IP Virtual Edition (VE) using the sock driver on AWS (all 1NIC deployments use this)
-- TSO/GSO required due to MTU limitations on one or more VLANs
Impact:
-- Delayed packets.
-- Possible timeouts for some operations (configsyncs, for example).
Workaround:
Modify (or create, if not present) the file /config/tmm_init.tcl on the affected BIG-IP systems, and add the following line to it:
ndal force_sw_tcs off 1d0f:ec20
Then restart TMM:
bigstart restart tmm
Note: Restarting TMM will cause a failover (or an outage if there is no high availability (HA) peer available).
1022973-3 : Sessiondb entries related to Oauth module not cleaned up in certain conditions
Links to More Info: BT1022973
Component: Access Policy Manager
Symptoms:
When an OAuth AS is configured with a refresh lifetime of '0', this implies that the refresh token lifetime is infinite. This causes all sessiondb entries related to this refresh token (including associated access token entries in sessiondb) to have an infinite lifetime.
Conditions:
Refresh token lifetime is set to '0'.
Impact:
User will see consistent and persistent increase in memory consumption by TMM, potentially leading to out-of-memory situation.
Workaround:
Do not set refresh token lifetime to '0'.
1022877-1 : Ping missing from list of Types for OAuth Client
Component: Access Policy Manager
Symptoms:
Ping is missing from the 'Type' dropdown menu in Access ›› Federation : OAuth Client / Resource Server : OAuth Server ›› New OAuth Server Configuration...
Conditions:
-- Affected BIG-IP version
-- Add new Oauth server configuration from Access :: Federation : OAuth Client / Resource Server : OAuth Server :: New OAuth Server Configuration...
Impact:
Oauth client configuration for the server of type 'Ping' cannot be created via GUI
Workaround:
Use tmsh to create the configuration, e.g.:
tmsh create apm aaa oauth-server <server name> provider-name Ping dns-resolver-name <dns-resolver-name>
1022493-1 : Slow file descriptor leak in urldbmgrd (sockets open over time)
Links to More Info: BT1022493
Component: Access Policy Manager
Symptoms:
Unix domain sockets are opened and never closed in urldbmgrd. This is a very slow leak over time.
Conditions:
SWG or URLDB is provisioned.
Impact:
Urldbmgrd may hit a limit of open file descriptors, and may eventually core and restart. When urldbmgrd restarts, urldb also restarts. This may result in a brief period during which URL categorization is not available.
Workaround:
Restarting urldbmgrd will clear the open file descriptors. Performing a forced restart during a time of no traffic will mitigate the risk of urldbmgrd restarting at an inconvenient time if there are too many sockets open.
"bigstart restart urldbmgrd" will restart the daemon.
1022453-1 : IPv6 fragments are dropped when packet filtering is enabled.
Links to More Info: BT1022453
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
Some or all of the fragments of an IPv6 packet are lost.
Workaround:
Disable packet filtering
1022429 : Unexpected tmm core
Links to More Info: BT1022429
Component: Local Traffic Manager
Symptoms:
A tmm core occurs unexpectedly and causes a failover event.
Conditions:
This can occur while tmm is in normal operation.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
1022421-2 : Pendsec utility incorrectly starts on i2x00/i4x00 platform with NON WD disk
Links to More Info: BT1022421
Component: TMOS
Symptoms:
The pendsect utility recognizes that the disk is an HDD and attempts to run a SMART check against it, but it does not recognize or support the disk type that is in the system. As a result, log messages like the following appear in /var/log/messages when the cron job attempts to run:
May 14 15:34:04 fqdn.device.com notice pendsect[11461]: skipping drive --
May 14 15:34:04 fqdn.device.com notice pendsect[11461]: No known drives detected for pending sector check. Exiting
Conditions:
- i2x00 or i4x00 platform with the Seagate brand HDD
Impact:
Cosmetic
Workaround:
You can mitigate the cosmetic log issue by suppressing the pendsect utility.
1. Log in to the BIG-IP system using SSH.
2. Navigate to /etc/cron.daily:
# cd /etc/cron.daily
3. Create a new directory called suppress:
# mkdir suppress
4. Move the pendsect cron job to suppress:
# mv pendsect suppress
1022297-2 : In BIG-IP GUI using "Select All" with filters is not working appropriately for policies
Links to More Info: BT1022297
Component: TMOS
Symptoms:
In the BIG-IP GUI, "Select All" does not work correctly with filters for policies. When you attempt to delete policies after filtering, all policies are deleted.
Conditions:
On the policies page of the BIG-IP GUI, a filter is applied and then Select All is used for an action. All objects are selected, and the filter is not applied.
Impact:
The action affects all policy objects, and the filter is not applied.
1022213-2 : DDOS: BDOS: Warning messages related to high availability (HA) watchdog seen on system bring up
Links to More Info: BT1022213
Component: Advanced Firewall Manager
Symptoms:
When the BDoS log message level is set to "Warning", some high availability (HA) watchdog messages are logged:
info bdosd[14184]: BDoS: May 27 03:51:40|loadState|460|HA Watchdog was not found <DNS_CLASS_L>
Conditions:
-- DDoS is used.
-- Dynamic signature is enabled on vectors
-- Default BDoS log level is changed to Warning.
Impact:
Unwanted log messages displayed. They can be safely ignored.
1021925-2 : During bootup AWS BIG-IP endpoint was not licensed when custom gateway configured over management interface
Links to More Info: BT1021925
Component: TMOS
Symptoms:
On an AWS-based BIG-IP instance with a static IP assigned to the mgmt interface and a custom gateway configured, the system fails to load its license during startup.
Conditions:
BIG-IP configured with a static IP address and a custom gateway for the default route.
Impact:
BIG-IP fails to load license.
Workaround:
Once BIG-IP boots up, run the reloadlic command, which installs the license.
1021873-3 : TMM crash in IPIP tunnel creation with a pool route
Links to More Info: BT1021873
Component: TMOS
Symptoms:
In rare circumstances, the Traffic Management Microkernel (TMM) process may produce a core file in the /shared/core directory while processing traffic.
Conditions:
-- A virtual server is attached to a pool with IPIP encapsulation enabled.
-- Multiple paths to pool members exist (pool route to pool member).
Impact:
Traffic disrupted while tmm restarts.
1021837-1 : When a virtual server has an inline service profile configured, connections will be reset with cause "No server selected"
Links to More Info: BT1021837
Component: Local Traffic Manager
Symptoms:
Connections are reset with "No server selected" cause.
Conditions:
-- An inline service profile ("ltm profile service") attached to a normal virtual server
Impact:
TCP connections are reset
Workaround:
Delete and recreate the virtual server without the inline service profile associated with it.
Simply removing the service profile from the virtual server is not sufficient.
1021609-3 : Improve matching of URLs with specific characters to a policy.
Links to More Info: BT1021609
Component: Application Security Manager
Symptoms:
Request with a URL containing specific characters is not matched to the correct policy.
Conditions:
URL of request contains specific percent-encoded characters.
Impact:
The request will not be matched by an expected policy rule.
Workaround:
Add an additional rule with explicit decoded characters.
1021109-2 : The cmp-hash VLAN setting does not apply to trunked interfaces.
Links to More Info: BT1021109
Component: TMOS
Symptoms:
-- CPU usage is increased.
-- Throughput is reduced.
-- Packet redirections occur (visible when using 'tmctl -d blade tmm/flow_redir_stats')
Conditions:
-- Traffic is received on trunked interfaces.
-- The cmp-hash setting has a non-default value.
-- The platform is BIG-IP Virtual Edition (VE).
Impact:
Performance is reduced. Output from 'tmctl -d blade tmm/flow_redir_stats' shows redirections.
Workaround:
-- Use the default cmp-hash setting.
-- Do not trunk interfaces.
1020645-3 : When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered
Links to More Info: BT1020645
Component: Local Traffic Manager
Symptoms:
In an explicit proxy configuration when an HTTP request is sent to an HTTPS destination server via proxy, the HTTP CONNECT method is sent, but the iRule event HTTP_RESPONSE_RELEASE is not fired.
Conditions:
- Simple HTTP explicit proxy virtual server
- An HTTP request from the client is sent to an 'https://' destination server
Impact:
iRule event HTTP_RESPONSE_RELEASE does not get triggered.
Workaround:
None
1020377-4 : Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon
Links to More Info: BT1020377
Component: TMOS
Symptoms:
If an IKEv2 tunnel terminates with an error condition, it is afterward possible for IKE packets to be received by the IKEv1 racoon daemon, which is listening to localhost (i.e., 127.0.0.1) on ports 500 and 4500.
Conditions:
The following may be needed for the problem to occur:
-- an IKEv2 config where traffic selector narrowing happens
-- termination of an IKEv2 tunnel with an error condition
-- some other BIG-IP service using the same local self IP
Packets can reach the IKEv1 racoon daemon only when some BIG-IP service uses bigself as the proxy, which forwards packets to localhost (127.0.0.1) with the same port number. So even if no IKEv1 config is present for a local self IP, if some other BIG-IP service also uses bigself as a proxy, this can forward IKE packets to localhost as well.
Impact:
The IKEv2 tunnel does not get renegotiated, because IKE packets reach the IKEv1 daemon, which ignores them, because the proper listener to handle IKEv2 is missing. As a result, tunnel service is interrupted.
Workaround:
Deleting and re-adding the problematic ike-peer and traffic-selector should bring back IPsec support for that tunnel.
If the initiating and responding sides of the tunnel have identical traffic-selector proposals, then narrowing should not happen, and this would also prevent the problem in the first place.
1020277-3 : Mcpd may run out of memory when build image is missing★
Links to More Info: BT1020277
Component: TMOS
Symptoms:
After installing a new blade, if the BIG-IP does not have the appropriate images to install all volumes onto the new blade, it can get stuck waiting to install. This may cause mcpd to eventually run out of memory.
Running "tmsh show sys software" shows a message similar to this for a prolonged period of time:
HD1.2 3 BIG-IP 12.1.3.5 0.0.10 no waiting for product image (BIG-IP 12.1.3)
Conditions:
-- Installing a new blade into a chassis-based system.
-- Missing BIG-IP image(s) necessary to update all volumes on the new blade.
Impact:
Mcpd eventually runs out of memory and cores.
Workaround:
Either delete the affected volume if it is no longer necessary, or copy the appropriate BIG-IP image to /shared/images.
1020149-1 : Bot Defense does not support iOS's WKWebView framework
Links to More Info: BT1020149
Component: Application Security Manager
Symptoms:
When using the Bot Defense Profile, mobile apps which use iOS's WKWebView framework may get blocked from accessing the website.
Conditions:
-- Using the Bot Defense Profile
-- Mobile apps which use iOS's WKWebView framework try to access the website
Impact:
Mobile apps which use iOS's WKWebView framework may get blocked from accessing the website.
Workaround:
None
1020109-3 : Subnet mask property of virtual addresses not displayed in management GUI
Links to More Info: BT1020109
Component: TMOS
Symptoms:
You cannot determine the subnet mask for a displayed virtual address using only the BIG-IP management GUI.
Conditions:
-- A virtual address (automatically created by any virtual server) exists in the configuration.
-- Using the management GUI.
Impact:
Potential difficulty in troubleshooting and verifying config due to having to use other methods (accessing the CLI) to check a virtual address's netmask.
Workaround:
Use tmsh to determine the subnet mask.
1020089-3 : MCP validation should prevent defining multiple virtual servers with the same virtual address but with different subnet masks
Links to More Info: BT1020089
Component: TMOS
Symptoms:
Multiple virtual servers with the same virtual address but with different subnet masks are allowed.
Conditions:
Creation of multiple virtual servers with the same virtual address but with different subnet masks.
Impact:
The most recent virtual server instantiation implicitly and silently modifies the subnet mask of the virtual address, so the system does not behave as the user expects or intended.
Workaround:
None.
1020069-3 : Equinix SmartKey HSM is not working with nethsm-partition 'fortanix'
Links to More Info: BT1020069
Component: Local Traffic Manager
Symptoms:
When the Equinix SmartKey HSM is set up with nethsm-partition 'fortanix' (or anything other than 'auto'), pkcs11d logs an error:
err pkcs11d[21535]: 01680040:3: netHSM: Failed to find partition with label 'fortanix' on the netHSM.
Conditions:
Configuring a nethsm-partition other than 'auto'.
Impact:
BIG-IP does not connect to the HSM and SSL traffic is disrupted.
Workaround:
Use the nethsm-partition 'auto':
tmsh create sys crypto fips nethsm-partition 'auto'
1020061-2 : Nested address lists can increase configuration load time
Links to More Info: BT1020061
Component: Advanced Firewall Manager
Symptoms:
Whenever there are a number of nested address lists configured, the 'load sys config' command takes a long time to complete.
Conditions:
-- Several nested Address Lists are configured.
-- The 'load sys config' command is run.
Impact:
Upgrading (load sys config) takes a long time to complete, which sometimes causes Packet Correlation Classification Daemon (pccd) to fail.
If pccd fails, the system is unable to detect and compile firewall configuration changes, meaning that changes made to the firewall configuration are not enforced.
Note: The firewall configuration that was running before pccd goes down continues to be enforced; only changes are not enforced.
Workaround:
None
1020041-1 : "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs
Component: Policy Enforcement Manager
Symptoms:
The following message may be logged to /var/log/tmm*
Can't process event 16, err: ERR_NOT_FOUND
Conditions:
Applying a PEM policy to an existing session that already has that policy (e.g., through an iRule using 'PEM::subscriber config policy referential set xxxx').
Impact:
Since the PEM policy is already applied to the session, the failure message is essentially cosmetic, but it can cause the tmm logs to grow in size if this is happening frequently.
Workaround:
--
1019793-1 : Image2disk does not work on F5OS BIG-IP tenant.★
Links to More Info: BT1019793
Component: TMOS
Symptoms:
Image2disk fails to recognize the correct disk to install and installation fails.
Conditions:
This occurs with BIG-IP tenants that are running in F5OS partitions.
Impact:
Installation fails.
Workaround:
None
1019641-2 : SCTP INIT_ACK not forwarded
Links to More Info: BT1019641
Component: Local Traffic Manager
Symptoms:
After an SCTP link down/up event (not a physical interface link down/up), the SCTP session cannot be established.
Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table
Impact:
Flow state can become out of sync between TMMs
Workaround:
Once the problem occurs, execute "tmsh delete sys connection", and the SCTP session will be re-established.
1019557-3 : Bdosd does not create /var/bdosd/*.json
Links to More Info: BT1019557
Component: Advanced Firewall Manager
Symptoms:
JSON files for historical data are not created for each virtual server in /var/bdosd.
BDOS for DDoS works on current data in memory but cannot depend on the historical data for all virtual servers.
Conditions:
BDOS is configured for any virtual server
Impact:
Custom signature or BDDoS-generated signature for the virtual server does not work correctly.
Workaround:
None
1019453-4 : Core generated for autodosd daemon when synchronization process is terminated
Links to More Info: BT1019453
Component: Advanced Firewall Manager
Symptoms:
Autodosd cores on SIGSEGV.
Conditions:
-- AFM DoS vectors configured
-- This can occur during normal operation but the specific conditions that trigger it are unknown
Impact:
Autodosd is restarted, but up to 15 seconds of history may be lost.
Workaround:
None
1019285-4 : Systemd hangs and is unresponsive
Links to More Info: BT1019285
Component: TMOS
Symptoms:
When memory is exhausted on the system and systemd tries to fork to start or stop a service, systemd fails and enters "freeze" mode.
Conditions:
The following log messages can be seen in the daemon.log log file:
err systemd[1]: Failed to fork: Cannot allocate memory
crit systemd[1]: Assertion 'pid >= 1' failed at src/core/unit.c:1997, function unit_watch_pid(). Aborting.
emerg systemd[1]: Caught <ABRT>, cannot fork for core dump: Cannot allocate memory
emerg systemd[1]: Freezing execution.
Impact:
Systemd does not provide service anymore.
Workaround:
Reboot the system to restore the systemd services.
1019261-3 : In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.
Links to More Info: BT1019261
Component: Local Traffic Manager
Symptoms:
HTTPS monitors with SSL profile set to None (default) will not use the default ServerSSL profile of "serverssl" when In-TMM monitoring is enabled. Instead, another internal ServerSSL profile is used which has different values from "serverssl".
Conditions:
-- In-TMM monitoring is enabled
-- HTTPS monitor(s) with SSL profile field is set to the default of "None"
Impact:
The TLS settings for the HTTPS monitor probes will not match those of the ServerSSL "serverssl" profile and may cause unexpected behavior such as utilizing TLS 1.3 (disabled by default in the "serverssl" profile) or random session IDs.
Workaround:
Specify a ServerSSL profile in every HTTPS monitor when using In-TMM monitoring.
Attaching the profile "serverssl" will result in the same behavior that SSL Profile "none" should provide, given that the "serverssl" profile should be the default.
1019141 : REST endpoint /mgmt/tm/ltm/pool does not set ratio-value to default when session value is updated to user-disabled
Links to More Info: BT1019141
Component: TMOS
Symptoms:
BIG-IP LTM on v13.1.1.5/v14.1.2.8 does not update the ratio-value to default value of 1 for LTM pool members, when the pool member's session value is updated to user-disabled by the REST endpoint /mgmt/ltm/pool.
Conditions:
BIG-IP LTM version : v13.1.1.5/v14.1.2.8 where the LTM pool member attributes are being updated via REST API.
Impact:
LTM pool member attribute ratio-value is not updated to the default value of 1 when the session value is set to user-disabled via the REST endpoint /mgmt/ltm/pool.
Workaround:
None
1019129-2 : Changing syslog remote port requires syslog-ng restart to take effect
Links to More Info: BT1019129
Component: TMOS
Symptoms:
A modified remote port in the syslog configuration takes effect only after syslog-ng is restarted.
Conditions:
-- Configure the remote syslogs and allow some time to pass.
-- Change the local IP or remote port in syslog config.
Impact:
Change does not occur until you reboot or restart syslog-ng.
Workaround:
To cause the change to occur, restart syslog-ng:
bigstart restart syslog-ng
1018877-4 : Subsession variable values mixing between sessions
Links to More Info: BT1018877
Component: Access Policy Manager
Symptoms:
Subsession variable lookup internally assumes that a complete session DB lookup name (Session ID + Subsession key) is used. However, when using the lookup table, only the subsession key is passed in.
Conditions:
Subsession variables are referenced in the Per-Request Policy outside of the Subsession without the Session ID.
Impact:
A Per-Request Policy execution may get the value of the subsession variable from a different APM session.
Workaround:
Add the session ID to the reference to the subsession variables used in Per-Request Policies.
1018765-3 : Changing the sshd port breaks some BIG-IP utilities on a multi-bladed system
Links to More Info: BT1018765
Component: Local Traffic Manager
Symptoms:
After using "sys sshd port" to change the default port for sshd, some utilities may no longer work properly on the BIG-IP, such as:
"tmsh reboot slot ..."
or
qkview
or
any command using clsh
or
ssh slot<slot number>
Conditions:
-- Chassis system with multiple blades.
-- Default sshd port was modified.
Impact:
Unable to run commands on secondary blades.
Workaround:
-- Reconfigure SSHD to run on the default port, 22.
or
-- Specify an explicit port when using ssh and log in to each blade to run the desired commands, e.g. "ssh -p 40222 slot2"
1018673-3 : Virtual Edition systems replicate host traffic to all TMMs when a multicast MAC address is the traffic's nexthop
Links to More Info: BT1018673
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition receives a host packet that has a multicast MAC address as its nexthop, it will disaggregate this by forwarding it to all TMMs. This results in all TMMs egressing the packet.
Conditions:
-- BIG-IP Virtual Edition
-- A route is configured to a multicast MAC address
-- Host traffic (e.g. non-TMM monitors, ping, etc.) is routed to the multicast MAC address
Impact:
Extraneous packets are egressed from the BIG-IP.
Workaround:
Partial workaround for the case of monitors: use in-TMM monitors where possible. Otherwise, there is no workaround for this.
1018309-2 : Loading config file with imish removes the last character
Links to More Info: BT1018309
Component: TMOS
Symptoms:
When a configuration is loaded from a file with IMISH ('imish -f <f_name>'), the last character of the last line is truncated. For example, create a file with:
printf 'log file /var/log/zebos.log1' >/shared/tmp/new.cfg
Running 'imish -r 0 -f /shared/tmp/new.cfg' then loads the line with the last character missing, as shown below:
log file /var/log/zebos.log
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Configuration commands cannot be created properly.
Workaround:
For the CLI, add an extra control character or \n at the end of the file.
1018165-3 : GUI display of DHCPv6 profile not correct for virtual server in non-default route-domain
Links to More Info: BT1018165
Component: TMOS
Symptoms:
A virtual server created in a non-default route-domain with a DHCPv6 profile shows as using a DHCPv4 profile 'None' in the GUI.
Conditions:
-- Virtual server using a DHCPv6 profile.
-- Virtual server must be in a non-default route-domain.
-- Using the GUI to view the virtual server.
Impact:
Incorrect view of the configuration.
Workaround:
None
1017897-3 : Self IP address creation fails with 'ioctl failed: No such device'
Links to More Info: BT1017897
Component: TMOS
Symptoms:
Creating a self IP address after a route-domain using TMSH reports an error:
01070712:3: Cannot get device index for Backend in rd2 - ioctl failed: No such device.
Conditions:
Using tmsh, create a Trunk, create a VLAN on the trunk, create a route-domain, then create a self IP address.
Impact:
Self IP address creation fails after route-domain creation.
Unable to run declarative-onboarding declaration.
Workaround:
Add a short delay after modifying/creating the route domain before creating the self IP address.
Note: Self IP address should be created after route-domain creation.
1017885-3 : Wildcard server-name does not match multiple labels in FQDN
Links to More Info: BT1017885
Component: Local Traffic Manager
Symptoms:
A wildcard server-name does not match multiple labels in an FQDN.
For example, *.domain.com matches a.domain.com or a.bc.domain.com, but it does not match domain.com. Here, however, multiple labels (a.bc.domain.com) are not matched to the wildcard (*.domain.com).
Conditions:
Client-ssl is configured with a wildcard server-name with the virtual server configured with multiple client-ssl profiles. The correct ssl profile (and therefore certificate) is chosen based on SNI from the client Hello.
Impact:
The default profile/certificate is used when a name with multiple labels should match the wildcard, instead of the correct certificate matched to the wildcard server name.
Workaround:
N/A
1017857-4 : Restore of UCS leads to incorrect UID on authorized_keys★
Links to More Info: BT1017857
Component: TMOS
Symptoms:
After restoring a UCS from a different BIG-IP device, the admin user is unable to log in via SSH using SSH public key authentication.
Conditions:
-- Create a UCS on one BIG-IP system where a UCS archive has been restored in the past (including by an upgrade)
-- Import the UCS to a different BIG-IP system and load it
Impact:
You are unable to log in as the admin user via SSH using key-based authentication.
NOTE: Password authentication works without any issues.
Workaround:
Change the owner of /home/admin/.ssh/authorized_keys to 'root', by running the following command:
chown root /home/admin/.ssh/authorized_keys
This command can also be run via iControl REST using the /mgmt/tm/util/bash endpoint.
1017801-4 : Internal listeners (cgc, ftp data, etc) all share the same listener_key stats
Links to More Info: BT1017801
Component: Local Traffic Manager
Symptoms:
Internal stats are not accurate because they are shared across multiple listener types
Conditions:
This can occur when multiple virtual server types are in use and passing traffic.
Impact:
Internal listener stats are not accurate.
1017721-2 : WebSocket does not close cleanly when SSL enabled.
Links to More Info: BT1017721
Component: Local Traffic Manager
Symptoms:
After sending a close frame to the WebSocket server, the WebSocket client receives a 1006 response.
Conditions:
Virtual server with the following profiles:
-- WebSocket
-- HTTP over SSL (at least server side SSL)
and connection closure is initiated by the client.
Impact:
Client side applications experience errors in the form of WebSocket abnormally closing connections with error code 1006.
Workaround:
Avoid using SSL on WebSocket server context.
1017557-4 : ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN
Links to More Info: BT1017557
Component: Application Security Manager
Symptoms:
ASM BD sends a reset back to the client when the backend server sends a response without proper terminating 0 chunk followed by FIN.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Backend server sends a bad chunked response
Impact:
Valid requests can be reset.
Workaround:
Any one of the following workarounds can be applied.
-- Fix the backend server behavior.
-- Fix the bad response using an iRule, appending a proper terminating 0 chunk.
-- Change the ASM internal parameter bypass_upon_load: /usr/share/ts/bin/add_del_internal update bypass_upon_load 1
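To confirm that a backend is producing the response shape described in this entry, the chunked body can be walked offline. The following is an added example (not F5 code) that parses a message body captured up to the server's FIN and reports whether the terminating 0 chunk was present; the sample byte strings are constructed.

```python
import re
from typing import NamedTuple

_HEX = re.compile(rb"[0-9A-Fa-f]+")


class ChunkedResult(NamedTuple):
    complete: bool  # True only if the 0 chunk and the final CRLF were seen
    chunks: int     # number of complete data chunks parsed
    reason: str


def _check_trailer(body: bytes, pos: int, chunks: int) -> ChunkedResult:
    """After the 0 chunk: zero or more trailer lines, then an empty line."""
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            return ChunkedResult(False, chunks, "FIN inside trailer section")
        if eol == pos:
            return ChunkedResult(True, chunks, "terminated by 0 chunk")
        pos = eol + 2


def check_chunked_body(body: bytes) -> ChunkedResult:
    """Walk a chunked message body as captured up to the server's FIN."""
    pos, chunks = 0, 0
    while True:
        if pos == len(body):
            # Data ended on a chunk boundary, but no "0\r\n\r\n" followed.
            return ChunkedResult(False, chunks, "FIN without terminating 0 chunk")
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            return ChunkedResult(False, chunks, "FIN inside chunk-size line")
        # Chunk extensions (";name=value") are allowed after the size.
        size_token = body[pos:eol].split(b";", 1)[0].strip()
        if not _HEX.fullmatch(size_token):
            return ChunkedResult(False, chunks, "malformed chunk size")
        size = int(size_token.decode("ascii"), 16)
        pos = eol + 2
        if size == 0:
            return _check_trailer(body, pos, chunks)
        end = pos + size
        if end + 2 > len(body):
            return ChunkedResult(False, chunks, "FIN inside chunk data")
        if body[end:end + 2] != b"\r\n":
            return ChunkedResult(False, chunks, "chunk data not followed by CRLF")
        pos, chunks = end + 2, chunks + 1


# Constructed sample bodies (message body only, headers already removed).
GOOD_BODY = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
MISSING_TERMINATOR = b"5\r\nhello\r\n6\r\n world\r\n"  # the case in this entry

if __name__ == "__main__":
    for name, sample in (("good", GOOD_BODY), ("bad", MISSING_TERMINATOR)):
        print(name, check_chunked_body(sample))
```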
1017421-2 : SASP Monitor does not log significant error conditions at default logging level
Links to More Info: BT1017421
Component: Local Traffic Manager
Symptoms:
Most error conditions encountered by the SASP monitor are not logged at the default logging level ("error"). Most of the meaningful error conditions, including Exceptions, are logged at "info" or "debug" levels. Obtaining details to diagnose the SASP monitor issues requires reconfiguring sys db saspd.loglevel for a value of "info" or "debug".
Conditions:
-- Using the SASP monitor to monitor LTM pool members
-- Leaving the saspd.loglevel system DB variable configured at the default value of "error"
Impact:
Errors which occur intermittently or once while monitoring LTM pool members using the SASP monitor may not be diagnosable.
Workaround:
Configure the saspd.loglevel system DB variable with a value of "info" (for normal operations) or "debug" (if problems are occurring repeatedly).
1017261-4 : Configuration update triggers from MCP to ASM are ignored
Links to More Info: BT1017261
Component: Application Security Manager
Symptoms:
If a stale/incorrect but running PID is present in /var/ts/var/install/ucs_install.pid, then ASMConfig will think it is in the middle of a UCS or Sync load event and ignore updates from MCP.
Conditions:
A UCS load event such as an upgrade or a config sync is interrupted and ASM is not restarted until another process reuses the process id from the upgrade.
Impact:
Updates from MCP are ignored which can cause:
* Missed sync events
* Missed updates for logging or pool configuration
* Missing security policies
Workaround:
Delete /var/ts/var/install/ucs_install.pid
1017149-4 : User-defined bot sigs that are created in tmsh don't overlap staged factory bot sigs
Component: Application Security Manager
Symptoms:
User-defined bot signatures that are created in tmsh are not enforced if there are similar factory bot signatures even when they are staged.
Conditions:
User-defined bot signature is created in tmsh and is matched also by staged factory bot signature.
Impact:
User-defined signature is not enforced correctly
Workaround:
Define the user-defined bot signature using the GUI. If signature domains are needed but cannot be configured in the GUI, define the domains in tmsh after the signature is created:
tmsh mod security bot-defense signature <sig_name> domains replace-all-with { domains }
1017029-2 : SASP monitor does not identify specific cause of failed SASP Registration attempt
Links to More Info: BT1017029
Component: Local Traffic Manager
Symptoms:
On affected BIG-IP versions, upon startup, the SASP monitor sends a single Registration Request to the SASP GWM (Group Workload Manager) to initiate monitoring of configured LTM pool members. This Registration Request contains all configured LTM pools (SASP Groups) and members (SASP Group Members).
If an error is encountered by the SASP GWM with one of the SASP Groups in the request, the registration of all groups fails.
However, the GWM does not provide any indication of *which* Group or member does not match the GWM configuration, hindering troubleshooting efforts.
The current BIG-IP behavior does not allow identification of the specific pool/member or monitor that is misconfigured and thus responsible for the failed SASP Registration attempt.
Conditions:
This behavior occurs on affected BIG-IP versions when the LTM SASP monitor is configured to monitor members of multiple LTM pools, and when BIG-IP starts, restarts, or reboots, or the configuration is loaded.
Impact:
If a single Registration Request fails, the GWM terminates the connection with the Load Balancer (BIG-IP SASP monitor). This behavior is defined by the SASP protocol and SASP GWM implementation.
As a result, the SASP monitor will mark all pool members DOWN that are monitored by the SASP monitor, halting traffic from flowing to all pools monitored by the SASP monitor.
When an error occurs during registration of the LTM pools (SASP Groups), the GWM does not provide any indication of *which* Group or member does not match the GWM configuration.
Since a single error message is returned by the SASP GWM for the entire Registration Request (for all SASP Groups), the SASP monitor cannot indicate which Group (pool/member) or monitor caused the error.
This hinders efforts to troubleshoot the cause of the failure, while all traffic has stopped flowing to the SASP-monitored pools.
Workaround:
To diagnose this issue, first enable saspd debug logging:
tmsh mod sys db saspd.loglevel value debug_msg
(Optional alternative values include deep_debug and debug, but provide less detail.)
With saspd debug logging enabled, a message like the following in /var/log/monitors/saspd.log confirms that an error occurred during the Registration step:
SASPProcessor::processRegistrationReply: received error registering workloads with GWM ##.##.##.###:3860: 69 'InvalidGroup'
If the above message is found to confirm this issue, the primary path to resolution should be for the BIG-IP administrator to very carefully compare the BIG-IP pool/member and sasp monitor configuration with the SASP GWM configuration, to identify any mismatches or inconsistencies between the configurations.
On the BIG-IP system, to help isolate the misconfigured LTM pool(s)/member(s) causing the SASP Registration failure:
1. Remove the sasp monitor from configured LTM pools/members one at a time, and observe whether any pool members still monitored by the sasp monitor are marked UP.
2. Add the sasp monitor back to configured LTM pools/members one at a time, in the same order as removed, except for the last LTM pool/member from which it was removed.
3. Save and reload the configuration, and check whether the LTM pools/members monitored by the sasp monitor are still marked UP.
4. Repeat as necessary if there appear to be multiple LTM pools/members causing a SASP Registration failure.
Alternately, it may be possible to choose a different monitor (using a more fault-tolerant protocol) to monitor the status of affected pool members.
1016921-1 : SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled
Links to More Info: BT1016921
Component: Local Traffic Manager
Symptoms:
Eight-second delays occur on traffic through an SSL connection mirroring virtual server, and errors occur on the standby device:
crit tmm7[11598]: 01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:0906D06C:PEM
err tmm7[11598]: 01010282:3: Crypto codec error: sw_crypto-7 Couldn't initialize the elliptic curve parameters.
crit tmm7[11598]: 01010025:2: Device error: crypto codec No codec available to initialize request context.
Conditions:
All of these conditions:
-- SSL connection mirroring enabled
-- Session tickets are enabled
-- High availability (HA) environment
and one of the following:
-- Running BIG-IP v14.1.4.1 or above (in the v14.1.x branch)
or
-- Engineering hotfix applied to v14.x/v15.x that has the ID760406 fix (see https://cdn.f5.com/product/bugtracker/ID760406.html)
Impact:
SSL traffic is significantly delayed and errors are thrown on the standby device.
Workaround:
Any one of the following could prevent the problem.
-- client-ssl profile cache-size 0.
-- client-ssl profile session-ticket disabled (default).
-- disable SSL connection mirror on virtual server.
1016909-3 : BIG-IP iRule commands FLOW::this or FLOW::peer can create zombie flows.
Links to More Info: BT1016909
Component: Local Traffic Manager
Symptoms:
Keeping a variable reference to FLOW::this or FLOW::peer in iRules can result in zombie connection flows that are never removed.
TMM memory use for 'connflow' and 'tclrule_pcb' is high, and does not match the number of current connections reported by the system.
Conditions:
-- iRule that uses FLOW::this or FLOW::peer, and stores the result of one of those commands into a variable.
Impact:
Increased memory use in TMM, which can eventually result in a TMM crash or traffic disruption while connections are removed using the connection sweeper.
Workaround:
Do not retain the result of 'FLOW::this' or 'FLOW::peer' in a variable in an iRule. Instead, either:
1. Use the command directly instead of a variable, e.g.:
log local0.warning: "The flow is [FLOW::this]"
2. Unset the variable when done, e.g.:
set flow [FLOW::this]
log local0.warning: "The flow is $flow"
unset flow
If a system is already affected by this issue, the only way to free that memory is to restart TMM.
1016589-4 : Incorrect expression in STREAM::expression might cause a tmm crash
Links to More Info: BT1016589
Component: Local Traffic Manager
Symptoms:
TMM restarts and generates a core file.
Conditions:
An iRule uses STREAM::expression that contains certain strings or is malformed.
Stream expressions use a string representing a series of search/replace or search components. If there is more than one search-only component, this might cause tmm to crash.
The delimiter character used is the first character of each component search/replace pair. This example uses the '@' character as the delimiter, but it is malformed.
Given
STREAM::expression "@dog@dot@cat@car@uvw@xyz@"
This would be interpreted as three items:
search for "dog" replace with "dot"
search for "at@"
search for "r@uvw@xyz@"
This string should likely be:
STREAM::expression "@dog@dot@@cat@car@@uvw@xyz@"
Which would be interpreted as
search for "dog" replace with "dot"
search for "cat" replace with "car"
search for "uvw" replace with "xyz"
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure that strings in STREAM::expression iRule statements do not have more than one search-only component and are well formed.
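The tokenising rule described in the entry above can be checked offline before an iRule is deployed. The following is an added example, not F5 code: the parsing model is reconstructed from the two expressions shown in this entry and is an assumption, and the function names and the alphanumeric-delimiter hint are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Component:
    delimiter: str
    search: str
    replace: Optional[str]  # None marks a search-only component


def parse_stream_expression(expr: str) -> List[Component]:
    """Split a STREAM::expression string into components.

    Assumed model (derived from the entry's examples, not from F5 source):
    the first character of a component is its delimiter, the text up to the
    next delimiter is the search string, and the text up to a further
    delimiter, if one exists, is the replacement. When no further delimiter
    exists the component is search-only and parsing resumes right after the
    search string.
    """
    components: List[Component] = []
    pos = 0
    while pos < len(expr):
        delim = expr[pos]
        search_end = expr.find(delim, pos + 1)
        if search_end == -1:
            # Unterminated: the rest of the string is a single search term.
            components.append(Component(delim, expr[pos + 1:], None))
            break
        search = expr[pos + 1:search_end]
        replace_end = expr.find(delim, search_end + 1)
        if replace_end == -1:
            components.append(Component(delim, search, None))
            pos = search_end + 1
        else:
            replace = expr[search_end + 1:replace_end]
            components.append(Component(delim, search, replace))
            pos = replace_end + 1
    return components


def lint_stream_expression(expr: str) -> List[str]:
    """Return findings for expressions that match the conditions in the entry."""
    findings: List[str] = []
    components = parse_stream_expression(expr)
    search_only = [c for c in components if c.replace is None]
    if len(search_only) > 1:
        findings.append(
            f"{len(search_only)} search-only components "
            "(the entry warns against more than one)")
    # Heuristic of this example: a letter or digit acting as delimiter usually
    # means a real delimiter was dropped, as in the malformed expression above.
    odd = sorted({c.delimiter for c in components if c.delimiter.isalnum()})
    if odd:
        findings.append("alphanumeric delimiter(s) " + ", ".join(repr(d) for d in odd)
                        + ": a delimiter is probably missing")
    return findings


# The two expressions quoted in the entry.
MALFORMED = "@dog@dot@cat@car@uvw@xyz@"
WELL_FORMED = "@dog@dot@@cat@car@@uvw@xyz@"

if __name__ == "__main__":
    for expression in (MALFORMED, WELL_FORMED):
        print(expression)
        for comp in parse_stream_expression(expression):
            print("   ", comp)
        print("    findings:", lint_stream_expression(expression) or "none")
```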
1016045-2 : OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows.
Links to More Info: BT1016045
Component: Local Traffic Manager
Symptoms:
OOPS logging may appear in /var/log/ltm and /var/log/tmm
Conditions:
1. Active ftp connection.
2. Sending the port command immediately followed by a quit.
Impact:
Log pollution and potential for performance degradation.
Workaround:
N/A
1015881-1 : TMM might crash after configuration failure
Links to More Info: BT1015881
Component: Application Security Manager
Symptoms:
TMM crashes after DoSL7 application configuration failure
Conditions:
DoSL7 configuration is changed, and the configuration change fails in TMM.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
1015817-4 : Flows rejected due to no return route do not increment rejection stats
Links to More Info: BT1015817
Component: Local Traffic Manager
Symptoms:
When flows are rejected due to no return route being present, the BIG-IP does not increment the appropriate statistics to indicate this.
Conditions:
Flows are rejected due to no return route.
Impact:
There is no indication of the real problem when viewing the statistics.
1015793-3 : Length value returned by TCP::payload is signed and can appear negative
Links to More Info: BT1015793
Component: Local Traffic Manager
Symptoms:
When an iRule uses TCP::collect, if the amount of received data being buffered exceeds 2147483647 octets, the value returned from [TCP::payload length] will appear as a negative integer.
Conditions:
An iRule has been written to use TCP::collect with a very high-volume input stream.
Impact:
The unanticipated negative value may confuse the iRule's logic, with unpredictable effects. In extreme cases, a disruption of the TMM could occur.
Workaround:
Convert the result of "TCP::payload length" to an unsigned integer before using it, e.g.:
set curlen [expr { 0xffffffff & [TCP::payload length] }]
Note: the amount of accumulated payload still must not exceed 4,294,967,295 bytes (2^32-1).
1015501-1 : Changes to DHCP Profile are not used by tmm
Links to More Info: BT1015501
Component: Policy Enforcement Manager
Symptoms:
After changing the authentication settings of a DHCP profile, the old authentication settings are still used.
Conditions:
Modify ltm profile dhcpv4 Discovery_DHCPv4_profile authentication { enabled true virtual RadiusAAA }
Impact:
New connections use existing listeners.
Workaround:
Restart tmm.
Impact of workaround: traffic disrupted while tmm restarts.
1015453-4 : Under some circumstances, the "Local Traffic" menu in System -> Configuration is inaccessible in the GUI
Links to More Info: BT1015453
Component: TMOS
Symptoms:
The "Local Traffic" menu in System -> Configuration is inaccessible in the GUI.
Conditions:
-- LTM is licensed but not provisioned.
-- AFM, DNS, and DoS are not provisioned.
-- Other modules (such as APM) are provisioned
Impact:
Unable to configure SYN cookies.
Workaround:
Use TMSH to configure SYN cookies.
1015117-2 : Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used
Links to More Info: BT1015117
Component: Local Traffic Manager
Symptoms:
HTTP header corruption occurs after insertion/modification using an iRule in HTTP Headers which contain mixed end-of-line markers <CRLF> and <LF>.
Conditions:
- HTTP virtual server
- An iRule, policy or profile inserts an HTTP Request header, such as x-forwarded-for
- An HTTP request contains some lines that end with <CRLF> and some that end with <LF>
Impact:
Inserted headers get concatenated in such a way that the HTTP request header gets corrupted.
Workaround:
Use HTTP headers with proper end-of-line markers, in compliance with the HTTP RFC.
1014973-2 : ASM changed cookie value.
Links to More Info: BT1014973
Component: Application Security Manager
Symptoms:
ASM changes the value of a cookie going to the server.
Conditions:
Specific conditions.
Impact:
Domain cookie will reach the server with a wrong value. Can cause different malfunctions depending on the application.
Workaround:
Change the following db variable:
tmsh modify sys db asm.strip_asm_cookies value false (see https://support.f5.com/csp/article/K30023210).
There is no need to restart asm.
Add an iRule without the use of strip_asm_cookies:
https://support.f5.com/csp/article/K13693.
1014761-4 : [DNS][GUI] Not able to enable/disable pool member from pool member property page
Links to More Info: BT1014761
Component: Global Traffic Manager (DNS)
Symptoms:
You are unable to enable/disable DNS pool members from the pool member property page.
Conditions:
Making changes via the DNS pool member property page.
Impact:
You can submit the changes but the changes do not persist.
Workaround:
1. Use tmsh.
or
2. Enable/disable the pool member from the list of pool members instead of the 'general properties' page.
1014633-2 : Transparent / gateway monitors may fail if there is no route to a node
Links to More Info: BT1014633
Component: Local Traffic Manager
Symptoms:
Transparent or gateway monitors may fail.
Conditions:
-- Transparent or gateway monitor configured.
-- Route does not exist to destination.
Impact:
The monitor fails and the node / pool member is marked unavailable.
Workaround:
Add a route to the destination.
1014573-3 : Several large arrays/objects in JSON payload may core the enforcer
Links to More Info: BT1014573
Component: Application Security Manager
Symptoms:
Requests with JSON payload that consists of more than one object with elements, such as a couple of large arrays, may cause the enforcer to crash.
Conditions:
Each of the objects/arrays in the JSON payload contains fewer elements than the value defined in the "Maximum Array Length" JSON profile attribute.
Impact:
Sufficiently large arrays may degrade performance; in addition, the enforcer may crash.
Workaround:
Set "Maximum Array Length" to a lower value than the request's array length.
1014285-2 : Set auto-failback-enabled moved to false after upgrade★
Links to More Info: BT1014285
Component: TMOS
Symptoms:
In a traffic group, auto-failback-enabled is changed from true to false after config save and upgrade.
During the upgrade, the following log can be observed:
info: Warning: Invalid configuration - Traffic Group has high availability (HA) Group "test_HA_Group" assigned and auto-failback-enabled set to true. Resetting auto-failback-enabled to false.
Conditions:
-- auto-failback-enabled is set to true and high availability (HA) groups are configured and assigned to traffic-group
-- The device is upgraded.
Impact:
Auto-failback-enabled is set from true to false and auto failback is disabled.
Workaround:
After upgrade, set the auto-failback-enabled to true.
1014073 : SSL Orchestrator iApp block out of sync in high availability (HA) environment
Links to More Info: BT1014073
Component: TMOS
Symptoms:
The SSL Orchestrator iApp gossip block is out of sync and it won't automatically synchronize.
Conditions:
-- SSL Orchestrator installed
-- High availability (HA) environment
Impact:
SSL Orchestrator iApp block fails to sync.
Workaround:
Run clear-rest-storage on one of the BIG-IP devices and copy the storage and index files from the other BIG-IP device.
Note: The procedure is not reversible; consider carefully before proceeding.
On one system:
# clear-rest-storage
On the other system:
# scp -rB /var/config/rest/storage root@<ha_PeerIPaddress>:/var/config/rest/
# scp -rB /var/config/rest/index root@<ha_PeerIPaddress>:/var/config/rest/
This can also be done by running ha-sync in force mode:
ha-sync -f
1013937-3 : In-TMM HTTP and HTTPS monitors require RFC-compliant send strings to work.
Links to More Info: BT1013937
Component: Local Traffic Manager
Symptoms:
Pool members that should be marked UP are incorrectly marked DOWN. No monitor traffic is seen on the wire.
If pool member monitor logging is enabled, an entry similar to the following example can be seen in the logs:
[0][1399] 2021-02-11 11:11:34.709360: ID 44 :TMM::handle_message(TMA_Message<tma_msg_args_notify>*): tmm monitor failed to connect [ tmm?=true td=true tr=false tmm_mid=0:1 addr=::ffff:192.168.10.100:80 srcaddr=none ]
If tma debug logging is enabled, an entry similar to the following example can be seen in the logs:
Feb 11 11:12:14 bigip1.local debug tmm[2259]: 01ad0019:7: Monitor Agent TMM 0: received probe response: MID 1, reason TMA_RESULT_FAIL(Probe response lost due to transient failure), info 0
Conditions:
- In-tmm monitoring is enabled (the bigd.tmm db key is set to enable).
- An HTTP or HTTPS monitor has been configured with a send string which is not RFC-compliant. For instance, the following string incorrectly includes a space before the Host header:
"GET / HTTP/1.1\r\n Host: example.com\r\nConnection: Close\r\n\r\n"
Impact:
Pool member monitoring is impacted and unreliable.
Workaround:
Ensure that you specify a send string which is fully RFC-compliant (for instance, in the example above, remove the space before the Host header).
1013777-1 : An error is encountered when enabling reset-learning to all the signatures of a protocol inspection profile in the GUI.
Component: Protocol Inspection
Symptoms:
An error is displayed in the GUI when reset-learning is applied to all the signatures of a protocol inspection profile in the GUI.
The actual error is “414 Request-URI Too Long” because the HTTP request URI length generated in this case exceeds the system limit.
Conditions:
-- "Reset-learning" action is applied to all signatures and compliances of a protocol inspection profile.
-- Once a certain number of signatures are selected, the GUI throws a “414 Request-URI Too Long” error.
Impact:
- Bulk "reset-learning" action can't be applied from the GUI when the "414 Request-URI Too Long" is returned.
Workaround:
- The TMSH command "delete security protocol-inspection learning-stats <profile-name>" can be used to apply reset-learning to all the signatures of a protocol inspection profile.
1013649-3 : Leftover files in /var/run/key_mgmt after key export
Links to More Info: BT1013649
Component: TMOS
Symptoms:
Files accumulate in /var/run/key_mgmt
qkview grows too large to be processed by iHealth
Conditions:
iControl SOAP used for key export
Impact:
Thousands of files can eventually accumulate in /var/run/key_mgmt, impacting the ability to process qkviews, which then take a long time to process.
Workaround:
Delete files in /var/run/key_mgmt manually
1013629-2 : URLCAT: Vulnerability Scan finds many Group/User Read/Write (666/664/662) files
Links to More Info: BT1013629
Component: Traffic Classification Engine
Symptoms:
Shared memory files in relation with URLCAT have file permissions set to (-rwxrwxrwx), which is not necessary and needs to be restricted to (-rw-rw-r--).
Conditions:
Performing a Vulnerability Scan on shared memory files in relation with URLCAT.
Impact:
Full permission can result in unintentional/unauthorized access, which could result in unexpected behavior of the URLCAT feature.
Workaround:
Manually change permissions from (-rwxrwxrwx) to (-rw-rw-r--) using the chmod command.
1013209-3 : BIG-IP components relying on ca-bundle.crt may stop working after upgrade★
Links to More Info: BT1013209
Component: Local Traffic Manager
Symptoms:
After upgrading, the BIG-IP system components may stop working due to missing CA certificates in ca-bundle.crt.
Conditions:
A CA certificate that is expired, or that will expire within 6 months (182 days) after the upgrade, is removed from ca-bundle.crt.
Impact:
The BIG-IP components such as TMM, APM etc. may stop working due to missing CA certificates in ca-bundle.crt.
Workaround:
Download the blended-bundle.crt from the F5 download site. It is located at
https://downloads.f5.com/esd/product.jsp?sw=Certificate-Authority-Bundle&pro=Certificate-Authority-Bundle
1012813-4 : Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file"
Links to More Info: BT1012813
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs 'tmsh show sys memory'.
You may see errors similar to:
-- err statsd[4908]: 011b0600:3: Error ''/var/rrd/access' is not an RRD file' during rrd_update for rrd file '/var/rrd/access'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/access'.
Conditions:
Corruption of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock, resulting in the issues noted in the Symptoms section.
Workaround:
Remove the corrupted file and restart statsd:
bigstart restart statsd
1012601-1 : Alarm LED and LCD alert cleared prematurely on startup for missing PSU input
Links to More Info: BT1012601
Component: TMOS
Symptoms:
Occasionally when starting up a BIG-IP system, if one PSU is connected but not supplying power, the corresponding amber alarm LED and "PSU status input lost" alert in the LCD menu can be incorrectly cleared after selecting System -> Power On from the LCD menu.
Conditions:
-- iSeries platforms
-- The BIG-IP device is powered on with one PSU connected and not supplying power
Impact:
The alarm LED is incorrectly turned off, and navigating to alerts on the LCD menu no longer shows a "PSU status input lost" alert after powering on.
Workaround:
Before powering on the BIG-IP device, check the alarm LED and navigate to alerts on the LCD screen. If there is a "PSU status input lost" alert, the corresponding power LED should be amber.
If the power LED is still amber after powering the system on but the alarm LED and LCD alert are cleared, please disregard the alarm LED and LCD in this case. The amber power LED is correct, and the PSU is still not supplying power.
Additionally, if you are logged into the console, running "bigstart restart chmand" will force a new "PSU status input lost" alert to be generated on the LCD and should also correct the alarm LED color to amber.
1012581-4 : Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered
Links to More Info: BT1012581
Component: Advanced Firewall Manager
Symptoms:
As soon as global syncookie is enabled, the stats counts start decrementing, and when the attack_detection_common callback function is called, the stats range is always under the configured packets-per-second threshold. As a result, some tmms are not able to detect the attack even though syncookies are already enabled on these tmms, and no statistics are gathered.
Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
SYN cookies may still be sent after traffic goes below the attack detection threshold.
Workaround:
Restart tmm
1012493-3 : Systemauth.primaryadminuser set to anything but 'admin' causes internal error for mcp-state check
Links to More Info: BT1012493
Component: TMOS
Symptoms:
When polling the endpoint /mgmt/tm/sys/mcp-state you get an error:
{
"code": 500,
"message": "MCP Session terminated",
"errorStack": [],
"apiError": 32768003
}
Conditions:
-- A user other than 'admin' polls /mgmt/tm/sys/mcp-state
Impact:
An error is returned for users that are not the admin user. Systems which are subject to special security rules that require disabling the admin user may lose functionality in iControl/REST.
Workaround:
You can use either of these workarounds:
-- Make the API call as user "admin"
-- Use tmsh
tmsh show sys mcp-state
1012449-4 : Unable to edit custom inband monitor in the GUI
Links to More Info: BT1012449
Component: TMOS
Symptoms:
Attempting to edit a custom inband monitor in the GUI results in an error:
An error has occurred while trying to process your request.
Conditions:
Editing a custom inband monitor in the GUI.
Impact:
Unable to make changes to inband monitors in the GUI.
Workaround:
Use TMSH to modify the monitor, for example:
tmsh modify ltm monitor inband <monitor name> ...
1012049-4 : Incorrect virtual server list returned in response to status request
Links to More Info: BT1012049
Component: TMOS
Symptoms:
Returned list of virtual servers shows all virtual servers rather than no servers, or a specific list of servers.
Conditions:
-- Navigate through the GUI to Local Traffic :: Virtual Servers : Virtual Server List page.
-- Click the 'Status' drop down and select a status that returns no virtual servers or a specific subset of the virtual servers.
-- Modify the resulting request to insert ' --' url-encoded.
Impact:
The returned list shows all virtual servers instead of the ones specifically queried.
Workaround:
None
1012009-2 : MQTT Message Routing virtual may result in TMM crash
Links to More Info: BT1012009
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides an option to use Message Routing virtual servers for MQTT traffic. It uses a different approach to associate a client side and a server side than a standard virtual server. In some instances, a server side is incorrectly handled.
Conditions:
-- A Message Routing virtual with MQTT protocol.
-- A client attempts to reconnect.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1011889-3 : The BIG-IP system does not handle DHCPv6 fragmented traffic properly
Links to More Info: BT1011889
Component: Local Traffic Manager
Symptoms:
In the following two scenarios, packets may get dropped by the BIG-IP device.
- [client MTU 1500]<--->(vlan1)<--->[MTU 1500 BIG-IP MTU 9000]<--->(vlan2)<--->[MTU 1500 server]
If the response from the server is large enough to be fragmented, the BIG-IP system is not able to process the packets.
- [client MTU 1500]<--->(vlan1)<--->[MTU 1500 BIG-IP MTU 9000]<--->(vlan2)<--->[MTU 9000 server]
A large response arriving in a single packet is not fragmented properly on the client side, and packets may be dropped.
Conditions:
DHCPv6 MTU size is greater than or equal to 1500.
Impact:
Packets are dropped, traffic is disrupted.
1011445-4 : Recovery after DoS attack uses SYN cookies inefficiently.
Component: Advanced Firewall Manager
Symptoms:
The SYN cookie mechanism recovers inefficiently from a Denial-of-Service attack.
Conditions:
A virtual server is configured with a DoS profile that employs SYN cookies.
Impact:
New legitimate connections are not made efficiently.
Workaround:
N/A
1011265 : Failover script cannot read /config/partitions/ after upgrade★
Links to More Info: BT1011265
Component: TMOS
Symptoms:
After upgrading, failover does not work correctly. An error is encountered in /var/log/audit/log:
type=AVC msg=audit(1617263442.711:206): avc: denied { read } for pid=17187 comm="active" name="partitions" dev="dm-11" ino=259 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
Conditions:
-- High availability (HA) environment configured
-- Devices are upgraded to version 14.1.4
-- A failover occurs
Impact:
Failover does not complete. Floating IP addresses do not move to the active device.
Workaround:
tmsh modify sys db failover.selinuxallowscripts value enable
1011217-2 : TurboFlex Profile setting reverts to turboflex-base after upgrade★
Links to More Info: BT1011217
Component: TMOS
Symptoms:
Custom TurboFlex Profile settings revert to the default turboflex-base profile after an upgrade.
Conditions:
-- iSeries platform with ix800 performance license
-- A non-default TurboFlex Profile is applied
-- The BIG-IP device is upgraded
Impact:
Some features of the previously selected TurboFlex Profile that are not part of the turboflex-base profile, are missing after upgrade. The TurboFlex Profile must be reconfigured after upgrade.
Workaround:
Reconfigure the TurboFlex Profile after upgrade.
1011093-2 : Remote log messages are separated into 2 lines if max_request_size limit falls exactly on \n char.
Links to More Info: BT1011093
Component: Application Security Manager
Symptoms:
Remote log messages are separated into 2 lines instead of one line when \n (newline) falls exactly on the last char of max_request_size.
Conditions:
-- A remote log profile is defined with maximum request size and a field list that contains 'request', and is attached to a virtual server.
-- A request is sent and newline falls exactly on the last byte of the maximum request size limit.
Impact:
Remote log messages are separated into 2 lines
Workaround:
Increase the maximum request size limit.
1011081-1 : Connection lost to the Postgres client during the BIG-IP bootup process
Links to More Info: BT1011081
Component: TMOS
Symptoms:
During the BIG-IP boot process, mcpd loses the connection to Postgres with a FATAL "Broken Pipe" error.
Conditions:
-- BIG-IP devices are configured in high availability (HA).
-- BIG-IP configuration has the keys configured in Postgres Database.
Impact:
Mcpd loses the connection to Postgres with a FATAL "Broken Pipe" error.
1010717-4 : Default DoS profile creation from tmsh is incorrectly interpreted by DoS profile GUI
Links to More Info: BT1010717
Component: Anomaly Detection Services
Symptoms:
Creating a DoS profile from tmsh makes the Bados feature appear to be enabled in the GUI, which is incorrect.
Conditions:
Create DoS profile from tmsh, and not from GUI.
Impact:
Inconsistency between the DoS profile and what you see in the GUI.
Workaround:
Disable BADOS in the GUI after creating a DoS profile from tmsh.
1010597-3 : Traffic disruption when virtual server is assigned to a non-default route domain★
Links to More Info: BT1010597
Component: Access Policy Manager
Symptoms:
Assigning a virtual server to a non-default route domain might cause a traffic disruption.
Conditions:
-- An APM virtual server is assigned to a route domain other than 0 (zero, the default).
-- An access policy has an agent that results in tmm communicating to the renderer (e.g., Logon agent, HTTP 401 Response agent, and others).
Impact:
Access policy fails.
Workaround:
1. Log in to the Configuration utility.
2. Go to Network > Route Domains > affected route domain.
3. In the section Parent Name select '0 (Partition Default Route Domain)'.
4. Select Update.
1010341-1 : Slower REST calls after update for CVE-2021-22986
Links to More Info: BT1010341
Component: TMOS
Symptoms:
As a result of changes that were introduced to increase security around the REST API, REST calls that use HTTP basic authentication may take longer to execute than they did previously.
Conditions:
- REST API calls
- HTTP basic authentication used for the REST calls
Impact:
- Degraded performance of the REST API
Workaround:
Update automation scripting to use token-based authentication, which is both faster and more secure than HTTP basic authentication.
1010209-4 : BIG-IP configuration allows literal CR and LF characters in LTM monitor send and recv strings
Links to More Info: BT1010209
Component: Local Traffic Manager
Symptoms:
It is possible, using REST or tmsh (via the 'tmsh edit' command), to embed literal carriage return (CR) or line feed (LF) characters in an mcpd object's parameters, rather than the two-byte sequence \r or \n. This can be done with a monitor send or receive string. When the configuration is loaded, the CR characters are stripped off of the strings, resulting in invalid HTTP in the monitor strings.
Conditions:
-- Using HTTP monitors.
-- Embedding literal CR/LF characters in the monitor's send or receive string.
Impact:
Monitors stop working; pool members being monitored are considered inaccessible.
Workaround:
Do not use embedded unprintable characters in monitor send or receive strings.
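Both this entry (1010209) and 1013937 above come down to what an HTTP monitor send string looks like on the wire. The following is an added example, not F5 code, of an offline check for both conditions; the function name is hypothetical, and the load-time stripping of literal CR characters is modelled only as far as this entry describes it.

```python
import re
from typing import List

# RFC 7230 field-name is a "token": no whitespace and no colon.
FIELD_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Request line; the version is optional so HTTP/0.9-style "GET /" strings pass.
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+( HTTP/\d\.\d)?$")

# Send string quoted in the 1013937 entry (space before the Host header).
PAGE_EXAMPLE = r"GET / HTTP/1.1\r\n Host: example.com\r\nConnection: Close\r\n\r\n"
# Constructed samples: the corrected string, and one with real CR/LF bytes.
FIXED_EXAMPLE = r"GET / HTTP/1.1\r\nHost: example.com\r\nConnection: Close\r\n\r\n"
LITERAL_EXAMPLE = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def lint_send_string(configured: str) -> List[str]:
    """Check a send string as it is stored in the configuration.

    'configured' holds the two-character sequences backslash-r and
    backslash-n, which is how a well-formed monitor string is written.
    """
    findings: List[str] = []
    if "\r" in configured or "\n" in configured:
        findings.append("literal CR/LF character in the configured string; "
                        "use the two-character sequences \\r and \\n")

    # 1010209: literal CR characters are stripped when the configuration loads.
    loaded = configured.replace("\r", "")
    # Expand the escape sequences into the bytes that would be sent.
    wire = loaded.replace("\\r", "\r").replace("\\n", "\n")

    bare_lf = len(re.findall(r"(?<!\r)\n", wire))
    bare_cr = len(re.findall(r"\r(?!\n)", wire))
    if bare_lf:
        findings.append(f"{bare_lf} bare LF line ending(s); HTTP lines end with CRLF")
    if bare_cr:
        findings.append(f"{bare_cr} bare CR character(s); HTTP lines end with CRLF")

    lines = re.split(r"\r\n|\r|\n", wire)
    if not REQUEST_LINE.match(lines[0]):
        findings.append(f"malformed request line: {lines[0]!r}")
    for line in lines[1:]:
        if line == "":
            break  # end of the header block
        if line[0] in " \t":
            # 1013937: whitespace before a header name is not RFC-compliant.
            findings.append(f"header line starts with whitespace: {line!r}")
            continue
        name, colon, _value = line.partition(":")
        if not colon or not FIELD_NAME.match(name):
            findings.append(f"malformed header line: {line!r}")
    return findings


if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, FIXED_EXAMPLE, LITERAL_EXAMPLE):
        print(repr(sample))
        for finding in lint_send_string(sample) or ["ok"]:
            print("   ", finding)
```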
1008233-4 : The gtm_add command fails but reports no error
Links to More Info: BT1008233
Component: Global Traffic Manager (DNS)
Symptoms:
Running the command 'gtm_add' does not add the local GTM to the remote GTM sync group, and it does not display an error message.
Conditions:
The remote GTM has a GTM iRule that references an LTM datagroup that does not exist on the local GTM.
Impact:
The gtm_add command fails silently.
Workaround:
Add the remote LTM datagroup to the local LTM.
1008169-4 : BIG-IP systems disconnect the DIAMETER transport connection if it receives an answer message without a Result-Code AVP
Links to More Info: BT1008169
Component: Service Provider
Symptoms:
If the BIG-IP system receives a DIAMETER answer message without a Result-Code AVP (and/or Experimental-Result-Code AVP), it terminates the connection at the transport (L4) level.
Conditions:
-- Using DIAMETER.
-- Processing an answer message that is missing both Result-Code and Experimental-Result-Code AVPs.
Impact:
The connection is terminated without properly notifying the DIAMETER peer.
Workaround:
None
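To find the answer messages that trigger the disconnect described in this entry, captured DIAMETER payloads can be checked for the missing AVPs. The following is an added example, not F5 code: the message layout and AVP codes follow RFC 6733, the function names are hypothetical, and the sample messages are constructed.

```python
import struct
from typing import Iterator, Tuple

# AVP codes from RFC 6733.
RESULT_CODE = 268
EXPERIMENTAL_RESULT = 297        # grouped AVP that carries code 298
EXPERIMENTAL_RESULT_CODE = 298
REQUEST_FLAG = 0x80              # 'R' bit in the command flags
VENDOR_FLAG = 0x80               # 'V' bit in the AVP flags


def iter_avps(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (code, data) for each AVP in a message body or grouped AVP."""
    pos = 0
    while pos + 8 <= len(buf):
        code, flags_len = struct.unpack_from("!II", buf, pos)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        header = 12 if flags & VENDOR_FLAG else 8   # Vendor-Id adds 4 bytes
        if length < header or pos + length > len(buf):
            raise ValueError(f"bad AVP length {length} at offset {pos}")
        yield code, buf[pos + header:pos + length]
        pos += (length + 3) & ~3                    # AVPs are padded to 4 bytes


def answer_lacks_result(msg: bytes) -> bool:
    """True for an answer with neither Result-Code nor Experimental-Result-Code."""
    if len(msg) < 20:
        raise ValueError("truncated Diameter header")
    ver_len, flags_cmd = struct.unpack_from("!II", msg, 0)
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    if version != 1 or length < 20 or length > len(msg):
        raise ValueError("not a complete Diameter message")
    if (flags_cmd >> 24) & REQUEST_FLAG:
        return False                                # requests carry no result
    for code, data in iter_avps(msg[20:length]):
        if code == RESULT_CODE:
            return False
        if code == EXPERIMENTAL_RESULT and any(
                inner == EXPERIMENTAL_RESULT_CODE for inner, _ in iter_avps(data)):
            return False
    return True


def build_avp(code: int, data: bytes, flags: int = 0x40) -> bytes:
    """Helper for the constructed samples below."""
    length = 8 + len(data)
    return struct.pack("!II", code, (flags << 24) | length) + data + b"\x00" * (-length % 4)


def build_message(flags: int, command: int, avps: bytes) -> bytes:
    """Helper for the constructed samples below (application id 0)."""
    header = struct.pack("!IIIII", (1 << 24) | (20 + len(avps)),
                         (flags << 24) | command, 0, 0x1111, 0x2222)
    return header + avps


# Constructed samples: command 257 (Capabilities-Exchange), Origin-Host = AVP 264.
ORIGIN = build_avp(264, b"peer.example.net")
ANSWER_OK = build_message(0, 257, ORIGIN + build_avp(RESULT_CODE, struct.pack("!I", 2001)))
ANSWER_EXPERIMENTAL = build_message(0, 257, ORIGIN + build_avp(
    EXPERIMENTAL_RESULT,
    build_avp(266, struct.pack("!I", 10415))
    + build_avp(EXPERIMENTAL_RESULT_CODE, struct.pack("!I", 5001))))
ANSWER_BARE = build_message(0, 257, ORIGIN)
REQUEST = build_message(REQUEST_FLAG, 257, ORIGIN)

if __name__ == "__main__":
    for name in ("ANSWER_OK", "ANSWER_EXPERIMENTAL", "ANSWER_BARE", "REQUEST"):
        print(name, "lacks result:", answer_lacks_result(globals()[name]))
```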
1007909-4 : Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs
Links to More Info: BT1007909
Component: TMOS
Symptoms:
When using tcpdump with the :p flag, it does not capture all packets that are processed by multiple TMMs.
Conditions:
Traffic flows are handled by multiple TMMs, e.g., one of the following:
-- 'preserve strict' set on virtual servers
-- a CMP-demoted virtual server
-- Service Provider (SP) DAG configured, but using custom mappings for some client IP addresses, or some traffic flows using VLANs without SPDAG configured.
Impact:
Causes confusion since there will be packets missing from tcpdump captures.
Workaround:
Use a packet capture filter to capture clientside and serverside flows directly, without relying on the peer flow flag (":p").
1007677-3 : Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector'
Links to More Info: BT1007677
Component: Access Policy Manager
Symptoms:
SAML fails on the APM SAML IdP after it receives the SAML ArtifactResolve Request and needs to extract Artifact data from sessionDB to build the assertion. An error is logged:
-- err tmm[24421]: 014d1211:3: ::ee23458f:SAML SSO: Cannot find SP connector (/Common/example_idp)
-- err tmm[24421]: 014d0002:3: SSOv2 plugin error(12) in sso/saml.c:11864
Conditions:
The 'session-key' in the sessiondb includes a colon ':' in its value.
Impact:
SAML may fail on APM SAML IdP using artifact binding.
1006345-2 : Static mac entry on trunk is not programmed on CPU-only blades
Links to More Info: BT1006345
Component: TMOS
Symptoms:
More traffic egresses from the primary link of the LACP trunk when there are DLFs (destination lookup failures), because the static MAC is not present on CPU-only blades.
Conditions:
Static MAC configured on a trunk, on all platforms except i4000, i850/i2000, 2000/2200, 4000/4200, 4100.
Impact:
DLFs (destination lookup failures) will cause the first interface in the trunk to egress all DLF'd traffic
1006181-1 : ASM fails to start if different ASM policies use login pages with the same name★
Links to More Info: BT1006181
Component: Application Security Manager
Symptoms:
ASM fails to start with error message in asm_config_server.log:
Failed on insert to DCC.ACCOUNT_LOGIN_OBJECT_ATTRIBUTES (DBD::mysql::db do failed: Column 'object_crc' cannot be null
Conditions:
Upgrading a system where two or more ASM policies have a login page with the same name.
Impact:
ASM fails to start
Workaround:
Delete the login page that has a name used by multiple ASM policies and create it again.
1006157-5 : FQDN nodes not repopulated immediately after 'load sys config'
Links to More Info: BT1006157
Component: Local Traffic Manager
Symptoms:
A DNS query is not sent for configured FQDN nodes until the TTL value expires.
Conditions:
This occurs when 'load sys config' is executed.
Impact:
Name addresses do not resolve to IP addresses until the TTL expires.
Workaround:
You can use either of the following workarounds:
-- Change the default TTL value to be fewer than 300 seconds (the default value is 300 seconds).
-- Restart dynconfd daemon:
tmsh restart sys service dynconfd
1005309-1 : Additional Tcl variables showing information from the AntiBot Mobile SDK
Links to More Info: BT1005309
Component: Application Security Manager
Symptoms:
When using the Bot Defense iRules together with the AntiBot Mobile SDK, there are several variables missing. These missing variables would be useful for correct troubleshooting and pattern matching.
Conditions:
Using the AntiBot Mobile SDK together with Bot Defense iRules
Impact:
Some variables that are required for troubleshooting and pattern matching of the AntiBot Mobile SDK are missing.
Workaround:
None
1005181-1 : Bot Defense Logs indicate the mobile debugger is used even when it is not
Links to More Info: BT1005181
Component: Application Security Manager
Symptoms:
When using the AntiBot Mobile SDK, the Bot Defense Request Log may indicate that the mobile debugger is enabled, even when it is not.
Conditions:
Using the AntiBot Mobile SDK with the Bot Defense Profile
Impact:
Request log is showing an incorrect value.
Workaround:
None
1004953-2 : HTTP does not fall back to HTTP/1.1★
Links to More Info: BT1004953
Component: Local Traffic Manager
Symptoms:
After upgrading, the BIG-IP system's HTTP profile no longer falls back to HTTP/1.1 if a client sends a corrupted URI.
Conditions:
-- Client sends a corrupted URI (for example a URI containing a space).
Impact:
The BIG-IP system treats the URI as an HTTP/0.9 request (as per RFC) and forwards only the first request line. In previous releases, the BIG-IP system treated the URI as a HTTP/1.1 request.
Workaround:
None.
1004697-1 : Saving UCS files can fail if /var runs out of space
Links to More Info: BT1004697
Component: iApp Technology
Symptoms:
When saving a UCS, /var can fill up, leading to UCS failure and the following log message:
err diskmonitor[1441]: 011d0004:3: Disk partition /var has only 0% free
Conditions:
-- iApps LX installed.
-- Multiple iApps LX applications.
-- A /var partition of 1.5 GB.
Impact:
UCS archives cannot be created.
Workaround:
You can use either of the following workarounds:
-- Manually remove the /var/config/rest/node/tmp/BUILD and /var/config/rest/node/tmp/BUILDROOT directories.
-- Increase the size of /var/. For information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952
1004689-2 : TMM might crash when pool routes with recursive nexthops and reselect option are used.
Links to More Info: BT1004689
Component: Local Traffic Manager
Symptoms:
When re-selecting to the non-directly-connected pool route member for which the route was withdrawn, TMM might experience a crash.
Conditions:
- Pool routes with non-directly-connected or recursive nexthops (pool members).
- Reselect option enabled.
- Pool members go down/up so that the re-select is triggered.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Do not use non-directly-connected/recursive nexthops (pool members) in pool routes.
1004633-4 : Performance degradation on KVM and VMware platforms.
Links to More Info: BT1004633
Component: Performance
Symptoms:
CPU utilization is increased.
Conditions:
-- KVM or VMware platforms are deployed.
-- FastHTTP or L7 HTTP virtual servers are configured.
Impact:
A 3-13% increase in CPU utilization which may degrade throughput with higher volumes of traffic.
1004609-3 : SSL forward proxy virtual server may set empty SSL session_id in server hello.
Component: Local Traffic Manager
Symptoms:
End user clients are unable to establish a TLS connection. Further investigation indicates that the Session ID length field is set to 0, but there is no session ID.
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 59
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 55
Version: Version: TLS 1.2 (0x0303)
Random: aa957f92a5de4cedcf9750b60b3efab6b345da6c32189e93…
Session ID Length: 0 <=== !!!
.....
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
.....
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
.....
Conditions:
-- SSL forward proxy virtual server.
-- This can occur intermittently with normal HTTPS traffic. It occurs more frequently if the session cache's cache-timeout value is set to a low value.
Impact:
After receiving the invalid server hello message from the BIG-IP system, the client may generate unexpected_message (10) TLS alerts and may terminate the SSL connection.
Workaround:
None
1004469-3 : SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string
Links to More Info: BT1004469
Component: TMOS
Symptoms:
SNMP polling fails for ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName.
Conditions:
Run the snmpwalk for ltmSipsessionProfileStatVsName:
[root@d1:Active:Standalone] tmp # snmpwalk -c public localhost ltmSipsessionProfileStatVsName
F5-BIGIP-LOCAL-MIB::ltmSipsessionProfileStatVsName."/Common/test-sip"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSipsessionProfileStatVsName."/Common/sipsession"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSipsessionProfileStatVsName."/Common/sipsession-alg"."" = STRING:
----------
Run the snmpwalk for ltmSiprouterProfileStatTable:
[root@ltm1:Active:Standalone] config # snmpwalk -c public localhost ltmSiprouterProfileStatTable
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatName."/Common/siprouter"."" = STRING: /Common/siprouter
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatName."/Common/siprouter-alg"."" = STRING: /Common/siprouter-alg
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatVsName."/Common/siprouter"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatVsName."/Common/siprouter-alg"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessgesIn."/Common/siprouter"."" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessgesIn."/Common/siprouter-alg"."" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessagesInRetry."/Common/siprouter"."" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessagesInRetry."/Common/siprouter-alg"."" = Counter64: 0
Impact:
The OIDs return an empty string. The virtual server name of a SIP session or SIP router profile cannot be extracted through SNMP.
Workaround:
None
1004445-3 : Warning not generated when maximum prefix limit is exceeded.
Links to More Info: BT1004445
Component: Local Traffic Manager
Symptoms:
No warnings are given when the maximum prefix limit is exceeded.
Conditions:
BGP neighbor has a maximum-prefix warning configured
Impact:
If the limit is exceeded, no warnings are given. This can cause unexpected behavior.
Workaround:
None
1004413 : DB variables for provisioning the modules are not loaded during BIG-IP upgrade★
Links to More Info: BT1004413
Component: TMOS
Symptoms:
DB variable loading errors are encountered during a BIG-IP system upgrade from 12.1.3.7 to 14.1.4:
"Could not retrieve DB variable for (provision.datastor): status 0xff00 - during boot."
The error is observed in log messages during upgrade.
Conditions:
-- Upgrade from 12.1.3.7 to 14.1.4.
Impact:
Module provisioning is not preserved during the upgrade.
1004077-1 : When configuring from VPE, audit logs from mcp records the user as admin, even if done by another user
Links to More Info: BT1004077
Component: Access Policy Manager
Symptoms:
When making changes via the visual policy editor (VPE), audit logs from mcp record the user as admin, even if the change was made by a non-admin user.
Conditions:
Non-admin users make changes from VPE.
Impact:
Audit logs record the user as admin for some VPE-to-mcp transactions.
Workaround:
None
1003469-3 : The BIG-IP GUI fails to reset the statistics for an IPv6 pool member and returns an error.
Links to More Info: BT1003469
Component: TMOS
Symptoms:
When trying to reset the statistics for an IPv6 pool member using the GUI, the operation fails and the system returns one of the following errors (depending on the software version in use):
01030010:3: eXtremeDB - search operation failed
Unable to complete request
Conditions:
This issue occurs when you attempt to use the BIG-IP GUI to:
-- Reset the statistics of one or more IPv6 pool members you have selected individually.
-- Reset the statistics of all pools by using the 'Select All' checkbox (provided the system contains IPv6 pool members).
Impact:
Inability to reset the statistics using the GUI.
Workaround:
You can use the tmsh utility to reset the pool member's statistics from the CLI. Example command:
tmsh reset-stats ltm pool my-pool members { 2001:DB8::1.80 }
1003233-1 : SNMP Polling can cause inconsistencies in gtm link stats.
Links to More Info: BT1003233
Component: Global Traffic Manager (DNS)
Symptoms:
If the uplink router does not allow SNMP polling, and the snmp_link monitor is applied, then GTM stats become inconsistent.
Conditions:
The router is not being probed using SNMP.
Impact:
Status values will be inconsistent.
Workaround:
N/A
1003081-1 : GRE/TB-encapsulated fragments are not forwarded.
Links to More Info: BT1003081
Component: TMOS
Symptoms:
IP fragments that arrive over a GRE/TB tunnel are not reassembled, and are not forwarded through the BIG-IP system.
Conditions:
This occurs if all of the following conditions are true:
-- BIG-IP system with more than one TMM instance running.
-- Running a version or Engineering Hotfix that contains a fix for ID997541 (https://cdn.f5.com/product/bugtracker/ID997541.html).
-- GRE Round Robin DAG (the DB variable dag.roundrobin.gre) is enabled.
-- IP fragments arrive over a GRE tunnel.
Impact:
BIG-IP system fails to process fragmented IP datagrams.
Workaround:
None
1002345-1 : Transparent DNS monitor does not work after upgrade★
Links to More Info: BT1002345
Component: In-tmm monitors
Symptoms:
DNS Pool state changes from up to down following an upgrade.
Conditions:
A transparent DNS monitor is configured to use the loopback address.
Impact:
The DNS pool is marked down.
Workaround:
None
1001101-4 : Cannot update/display GTM/DNS listener route advertisement correctly
Links to More Info: BT1001101
Component: Global Traffic Manager (DNS)
Symptoms:
Not able to update/display GTM/DNS listener route advertisement correctly.
Conditions:
Operating from the GUI GTM/DNS listener page.
Impact:
Not able to manage route advertisement from GUI GTM listener page.
Workaround:
Instead of GTM/DNS GUI, use LTM virtual address operations to manage GTM/DNS listener route advertisement.
1001069 : VE CPU higher after upgrade, given same throughput
Links to More Info: BT1001069
Component: TMOS
Symptoms:
Significant increase in CPU usage post-upgrade.
Conditions:
-- Upgrading from v13.x to a later version.
-- Configured BIG-IP Virtual Edition (VE) that uses the sock driver.
Impact:
Significant increase in CPU usage, leading to potential degradation or disruption of traffic.
Workaround:
Create the following overrides:
-- In '/config/tmm_init.tcl' add or append the following:
ndal mtu 1500 1137:0043
device driver vendor_dev 1137:0043 xnet
-- In '/config/xnet_init.tcl' add or append the following:
device driver vendor_dev 1137:0043 dpdk
Note: These overrides must be re-applied every time an upgrade is done.
1000789-3 : ASM-related iRule keywords may not work as expected
Links to More Info: BT1000789
Component: Application Security Manager
Symptoms:
Some ASM-related iRule keywords may not work as expected when DoSL7 is used.
Conditions:
ASM iRule keywords are used in a bot defense- or DoSL7-related event, and DoSL7 is used.
Impact:
ASM-related iRule keywords may not work as expected.
Workaround:
None
1000669-1 : Tmm memory leak 'string cache' leading to SIGFPE
Links to More Info: BT1000669
Component: Access Policy Manager
Symptoms:
SIGFPE core on tmm. The tmm string cache leaks aggressively and memory reaches 100% and triggers a core.
In /var/log/tmm you see an error:
Access encountered error: ERR_OK. File: ../modules/hudfilter/access/access_session.c, Function: access_session_delete_callback, Line: 2123
Conditions:
This can be encountered while APM is configured and passing traffic. Specific conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1000561-2 : Chunk size incorrectly passed to client-side
Links to More Info: BT1000561
Component: Local Traffic Manager
Symptoms:
HTTP/2 Virtual Servers pass the chunk size bytes from the server-side (HTTP/1.1) to the client-side (HTTP/2) when OneConnect and request-logging profiles are applied.
Conditions:
-- BIG-IP hardware platform
-- BIG-IP configured with an HTTP/2 virtual server - context client-side with OneConnect and request-logging profiles
-- The server sends a chunked response
Impact:
The server-side response is chunked but the chunk size header is passed to the client-side when it should not be.
Workaround:
Change HTTP response-chunking to 'unchunk'.
1000325-3 : UCS load with 'reset-trust' may not work properly if base configuration fails to load★
Links to More Info: BT1000325
Component: TMOS
Symptoms:
When loading a UCS archive using the 'reset-trust' option, if the system fails to load the base configuration from the UCS archive, the system may fail to regenerate new device trust certificates and keys.
This can result in subsequent issues, including configuration load failures after an upgrade, such as:
01070712:3: Values (/Common/dtca.key) specified for trust domain (/Common/Root): foreign key index (key_fk) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.
Conditions:
-- Loading a UCS file using the 'reset-trust' option.
-- The system fails to load the base configuration (bigip_base.conf) in the UCS archive for any reason.
-- The base configuration is corrected, and subsequently loaded (e.g., with 'tmsh load sys config').
Impact:
-- The system does not regenerate critical device trust keys and certificates.
-- After a subsequent upgrade, the BIG-IP system goes to INOPERATIVE state, and reports this error:
01070712:3: Values (/Common/dtca.key) specified for trust domain (/Common/Root): foreign key index (key_fk) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.
Workaround:
Remove trust-domain from the bigip_base.conf file and reload the configuration.
1000069-4 : Virtual server does not create the listener
Links to More Info: BT1000069
Component: Local Traffic Manager
Symptoms:
A virtual-address is in an offline state.
Conditions:
An address-list is used on a virtual server in a non-default route domain.
Impact:
The virtual IP address remains in an offline state.
Workaround:
Using tmsh, create the traffic-matching-criteria. Specify the route domain, and attach it to the virtual server.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/