Applies To:
BIG-IP AAM
- 15.0.0
BIG-IP APM
- 15.0.0
BIG-IP Link Controller
- 15.0.0
BIG-IP Analytics
- 15.0.0
BIG-IP LTM
- 15.0.0
BIG-IP AFM
- 15.0.0
BIG-IP PEM
- 15.0.0
BIG-IP FPS
- 15.0.0
BIG-IP DNS
- 15.0.0
BIG-IP ASM
- 15.0.0
Updated Date: 05/28/2022
BIG-IP Release Information
Version: 15.0.0
Build: 39.0
NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.
Known Issues in BIG-IP v15.0.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
757025 | CVE-2018-5744 | K00040234 | BIND Update |
756774 | CVE-2019-6612 | K24401914 | Aborted DNS queries to a cache may cause a TMM crash |
750292 | CVE-2019-6592 | K54167061 | TMM may crash when processing TLS traffic |
749879-7 | CVE-2019-6611 | K47527163 | Possible interruption while processing VPN traffic |
757027 | CVE-2019-6465 | K01713115 | BIND Update |
745713 | CVE-2019-6619 | K94563344 | TMM may crash when processing HTTP/2 traffic |
745387 | CVE-2019-6618 | K07702240 | Resource-admin user roles can no longer get bash access |
745257 | CVE-2018-14634 | K20934447 | Linux kernel vulnerability: CVE-2018-14634 |
745165 | CVE-2019-6617 | K38941195 | Users without Advanced Shell Access are not allowed SFTP access |
741163 | CVE-2018-3693 | K54252492 | RHEL7: Kernel CVE-2018-3693 |
740761 | CVE-2018-3646 | K31300402 | Kernel vulnerability: CVE-2018-3646 |
740755 | CVE-2018-3620 | K95275140 | Kernel vulnerability: CVE-2018-3620 |
737910 | CVE-2019-6609 | K18535734 | Security hardening on the following platforms |
721319 | CVE-2018-3639 | K29146534 | CVE-2018-3639 |
703835 | CVE-2019-6616 | K82814400 | When using SCP into BIG-IP systems, you must specify the target filename |
702472 | CVE-2019-6615 | K87659521 | Appliance Mode Security Hardening |
698651-7 | CVE-2017-5715 | K91229003 | CVE-2017-5715 (Spectre Variant 2) |
698376 | CVE-2019-6614 | K46524395 | Non-admin users have limited bash commands and can only write to certain directories |
749324 | CVE-2012-6708 | K62532311 | jQuery Vulnerability: CVE-2012-6708 |
713806 | CVE-2018-0739 | K08044291 | CVE-2018-0739: OpenSSL Vulnerability |
699977 | CVE-2016-7055 | K43570545 | CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
756789 | 2-Critical | | TMM cores when receiving HTTP/2 request if mirroring is configured |
755641 | 2-Critical | | Unstable asm_config_server after upgrade, 'Event dispatcher aborted' |
744685 | 2-Critical | | BIG-IP does not throw an error when an intermediate CA certificate lacks the "Basic Constraints" extension with "CA:True" |
744188-2 | 2-Critical | | First successful auth iControl REST requests will now be logged in audit and secure log files |
741869 | 2-Critical | | Enable SysDb variable 'Connection.VgL2Transparent' prior to operating the BIG-IP in L2 transparent mode using VLAN groups. |
724556 | 2-Critical | | icrd_child spawns more than maximum allowed times (zombie processes) |
753637 | 3-Major | | Diameter MBLB profile does not change the hop-by-hop ID by default |
752079 | 3-Major | | In SSL forward proxy, forged untrusted server certs are no longer cached. |
751824 | 3-Major | | Restore old 'merge' functionality with new tmsh verb 'replace' |
748851 | 3-Major | | Bot Detection injection includes tags that may cause faulty display of the application |
746460 | 3-Major | | SCTP profiles have been modified to advertise one stream unless configured otherwise |
745783 | 3-Major | | Anti-fraud: remote logging of login attempts |
743471 | 3-Major | | PEM Gx/Sd session will support Redirect-Information AVP with URL address type and enforce HTTP Redirect |
738108 | 3-Major | | SCTP multi-homing INIT address parameter doesn't include association's primary address |
713817 | 3-Major | | BIG-IP images are available in Alibaba Cloud |
711056 | 3-Major | | License check VPE expression fails when access profile name contains dots |
690294 | 3-Major | | New DIAMETER::persist keyword to set the timeout without changing key |
626786 | 3-Major | | Provide a means to prevent QKView files from being uploaded to iHealth |
749704 | 4-Minor | | GTPv2 Serving-Network field with mixed MNC digits |
738891 | 4-Minor | | TLS 1.3: Server SSL fails to increment key exchange method statistics |
723919 | 4-Minor | | Exists selector is added to L7 traffic policies |
511600 | 4-Minor | | DTLS does not support PFS ciphers |
478924 | 4-Minor | | LTM Policy supports fallback pool |
464934 | 4-Minor | | Tcpdump enhancement for better SSL/TLS data analysis |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
774445 | 1-Blocking | K74921042 | BIG-IP VE does not pass traffic on ESXi 6.7 Update 2 |
773677 | 2-Critical | K72255850 | BIG-IP 14.1.0 systemd-journald writes to /run/log/journal cause SWAP usage to increase★ |
769809 | 2-Critical | | vCMP guests 'INOPERATIVE' after upgrade |
767689 | 2-Critical | | f5optics_install using different versions of RPM★ |
765533 | 2-Critical | K58243048 | Sensitive information logged when DEBUG logging enabled |
762453-1 | 2-Critical | | Hardware cryptography acceleration may fail |
760573 | 2-Critical | K00730586 | TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0★ |
760508 | 2-Critical | K91444000 | On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist★ |
760475 | 2-Critical | | Apache spawns more processes than the configured limit, causing system low memory condition |
760408 | 2-Critical | K23438711 | System Integrity Status: Invalid after BIOS update★ |
758667 | 2-Critical | | BIG-IP VE HA actions are not invoked when offload hardware hangs |
758604 | 2-Critical | | Deleting a port from a single-port trunk does not work. |
757455 | 2-Critical | | Excessive resource consumption when processing REST requests |
756071 | 2-Critical | | MCPD crash |
755575 | 2-Critical | | In MOS, the 'image2disk' utility with the '-format' option does not function properly |
755254 | 2-Critical | | Remote auth: PAM_LDAP buffer too small errors★ |
754541-3 | 2-Critical | | Reconfiguring an iApp that uses a client SSL profile fails |
753796 | 2-Critical | | SNMP does not follow best security practices |
753650-3 | 2-Critical | | The BIG-IP system reports frequent kernel page allocation failures. |
753642 | 2-Critical | | iHealth may report false positive for Critical Malware |
752835 | 2-Critical | | Mitigate mcpd out of memory error with auto-sync enabled. |
750586 | 2-Critical | | HSL may incorrectly handle pending TCP connections with elongated handshake time. |
750580 | 2-Critical | | Installation using image2disk --format may fail after TMOS v14.1.0 is installed★ |
749388-1 | 2-Critical | | 'table delete' iRule command can cause TMM to crash |
748205 | 2-Critical | | SSD bay identification incorrect for RAID drive replacement★ |
746424-1 | 2-Critical | | Patched Cloud-Init to support AliYun Datasource |
737731 | 2-Critical | | iControl REST input sanitization |
737574 | 2-Critical | | iControl REST input sanitization★ |
737565 | 2-Critical | | iControl REST input sanitization |
734303 | 2-Critical | | "tmsh show sys hardware" shows blade part number instead of chassis part number |
726487 | 2-Critical | | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. |
724680 | 2-Critical | | OpenSSL Vulnerability: CVE-2018-0732 |
707013-1 | 2-Critical | | vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest |
699515 | 2-Critical | | nsm cores during update of nexthop for ECMP recursive route |
673842 | 2-Critical | | vCMP does not follow best security practices |
648270 | 2-Critical | | mcpd can crash if viewing a fast-growing log file through the GUI |
641450-3 | 2-Critical | K30053855 | A transaction that deletes and recreates a virtual may result in an invalid configuration |
621260-1 | 2-Critical | | mcpd core on iControl REST reference to non-existing pool |
766873-1 | 3-Major | | Omission of lower-layer types from sFlow packet samples |
766293 | 3-Major | | Monitor logging fails on v14.1.0.x releases |
765969 | 3-Major | | Not able to get HSB register dump from hsb_snapshot on B4450 blade |
761933 | 3-Major | | Reboot with 'tmsh reboot' does not log message in /var/log/audit |
760950 | 3-Major | | Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment |
760597 | 3-Major | | System integrity messages not logged |
760594-1 | 3-Major | | On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details. |
760222-1 | 3-Major | | SCP fails unexpectedly when FIPS mode is enabled |
759993 | 3-Major | | 'License verification failed' errors occur when changing license |
759814 | 3-Major | | Unable to view iApp component view★ |
758879-1 | 3-Major | | BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot |
757026 | 3-Major | | BIND Update |
756925 | 3-Major | | GUI creates a policy even if there were errors |
756820 | 3-Major | | Non-UTF8 characters returned from /bin/createmanifest |
756088 | 3-Major | | The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address |
754345 | 3-Major | | WebUI does not follow best security practices |
754132 | 3-Major | | An NLRI with default route information is not propagated on the 'clear ip bgp <neighbor router-id> soft out' command |
753564 | 3-Major | | Attempt to change password using /bin/passwd fails |
752994 | 3-Major | | Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod |
752851 | 3-Major | | GUI - Provide search capability for Keys, Certificates and SSL Profile select boxes |
751448 | 3-Major | | TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart |
751024 | 3-Major | | i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd |
751011 | 3-Major | | ihealth.sh script and qkview locking mechanism not working |
751009 | 3-Major | | Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out |
750661-2 | 3-Major | | URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied. |
750447 | 3-Major | | GUI VLAN list page loading slowly with 50 records per screen |
750318 | 3-Major | | HTTPS monitor does not appear to be using cert from server-ssl profile |
750298 | 3-Major | | iControl REST may fail while processing requests |
749785 | 3-Major | | nsm can become unresponsive when processing recursive routes |
749382 | 3-Major | | Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater |
748545 | 3-Major | | Remove 'sys-unconfig' and 'rhel-configure' binaries and related systemd service |
748443 | 3-Major | | Higig MAC recovery mechanism may fail continuously during run time |
748295-2 | 3-Major | | TMM crashes on shutdown when using virtio NICs for dataplane |
748187 | 3-Major | | 'Transaction Not Found' Error on PATCH after Transaction has been Created |
747799 | 3-Major | | 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile |
747592 | 3-Major | | PHP vulnerability CVE-2018-17082 |
746873 | 3-Major | | Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing |
746746 | 3-Major | | syn-cookies incorrectly enabled in f5.ip_forwarding iApp template |
746704 | 3-Major | | Syslog-ng Memory Leak |
746657 | 3-Major | | tmsh help for FQDN node or pool member shows incorrect default for fqdn interval |
746266 | 3-Major | | vCMP guest VLAN MAC mismatch across blades. |
745851-1 | 3-Major | | Changed Default Cloud-Init log level to INFO from DEBUG |
745825 | 3-Major | | The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading |
745711 | 3-Major | | GUI - SSL Certificate Instances section to include Monitor Instances |
745405-1 | 3-Major | | Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover |
745261 | 3-Major | | The TMM process may crash in some tunnel cases |
744773 | 3-Major | | The name of the ltmPoolMemberStatCurrentConnsPerSec statistic is confusing |
744740 | 3-Major | | After upgrade, dhclient overwrites configured hostname, even when 'sys management-dhcp' does not contain the 'host-name' in the request-options.★ |
744730 | 3-Major | | Specifying a larger system disk during VE launch requires manual reboot for the increase to go into effect |
744520 | 3-Major | | virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface |
744236 | 3-Major | | SNMP MIBs and docs are included in two RPMs |
742226 | 3-Major | | TMSH platform_check utility does not follow best security practices |
742171 | 3-Major | | /32 self ip addresses display invalid mask |
740543 | 3-Major | | System hostname not displayed in console |
738881 | 3-Major | | Qkview does not collect any data under certain conditions that cause a timeout |
738543 | 3-Major | | Dynamic route with recursive nexthop might cause tmrouted restart |
738330 | 3-Major | | /mgmt/toc endpoint broken after configuring remote authentication |
737536 | 3-Major | | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. |
727191 | 3-Major | | Invalid arguments to run sys failover do not return an error |
725791 | 3-Major | | Potential HW/HSB issue detected |
725625 | 3-Major | | BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK |
725022 | 3-Major | | IKEv1 has unused CRL-File in GUI that does nothing at runtime |
721967 | 3-Major | | SSL key files that have world-read permission are created during device trust reset |
721585 | 3-Major | | mcpd core processing ltm monitors with deep level of inheritance |
720110-3 | 3-Major | | 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session. |
715548 | 3-Major | | NSH context is not preserved in the SFF while traversing a non-NSH aware SF |
707490 | 3-Major | | ePVA hardware acceleration/offloading needs flow prioritization |
702469 | 3-Major | | Appliance mode hardening in scp |
698933 | 3-Major | | Setting metric-type via ospf redistribute command may not work correctly |
683135 | 3-Major | | Hardware syncookies number for virtual server stats is unrealistically high |
680917 | 3-Major | | Invalid monitor rule instance identifier |
673018 | 3-Major | | Parsed text violates expected format error encountered while upgrading or loading UCS★ |
668041 | 3-Major | K27535157 | Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★ |
665016 | 3-Major | | tmsh show ltm virtual <vs-name> policies does not display policy-stats |
657834 | 3-Major | K45005512 | Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent |
652502 | 3-Major | | snmpd returns 'No Such Object available' for ltm OIDs |
639619 | 3-Major | | UCS may fail to load due to Master key decryption failure on EEPROM-less systems★ |
581921 | 3-Major | K22327083 | Required files under /etc/ssh are not moved during a UCS restore |
555465 | 3-Major | | Extremely large number of SessionDB entries may cause HA flapping |
754500 | 4-Minor | | GUI LTM Policy options disappearing |
748940 | 4-Minor | | iControl REST cert creation not working for non-Common folder |
747952 | 4-Minor | | iApp: f5.ldap fails when monitor pw contains '$' |
746152 | 4-Minor | | Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column |
744252 | 4-Minor | | BGP route map community value: either component cannot be set to 65535 |
743815 | 4-Minor | | vCMP guest observes connflow reset when a CMP state change occurs. |
742251 | 4-Minor | | Add Alibaba Cloud support to Qkview |
741113 | 4-Minor | | Removing 'Check Member Attribute in Group' option from ClientCert LDAP Authentication |
737423 | 4-Minor | | Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033 |
726317 | 4-Minor | | Improved debugging output for mcpd |
722647 | 4-Minor | | The configuration of some of the Nokia alerts is incorrect |
707254 | 4-Minor | | If snmp disk-monitors minspace-type is percent then a 'load sys config default' fails |
488323 | 4-Minor | | Chassis fan status alert not observed on BIG-IP 2000/4000/5000/7000/10000/12000/VPR-B4300/VPR-B2100/VPR-B4450N |
484683-1 | 4-Minor | | Certificate_summary is not created at peer when the chain certificate is synced to HA peer. |
679431 | 5-Cosmetic | | In routing module the 'sh ipv6 interface <interface> brief' command may not show header |
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade.
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
767653 | 2-Critical | | Malformed HTTP request can result in endless loop in an iRule script |
760078 | 2-Critical | | Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet. |
759723 | 2-Critical | | Abnormally terminated connections on server side may cause client side streams to stall |
758714 | 2-Critical | | Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports. |
758465 | 2-Critical | | TMM may crash or iRule processing might be incorrect |
757441 | 2-Critical | | Specific sequence of packets causes Fast Open to be effectively disabled |
757391 | 2-Critical | | Datagroup iRule command class can lead to memory corruption |
756450 | 2-Critical | | Traffic using route entry that's more specific than existing blackhole route can cause core |
756356 | 2-Critical | | External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long |
755585 | 2-Critical | | mcpd can restart on secondary blades if a policy is created, published, and attached to a vs in a single transaction |
754143 | 2-Critical | | TCP connection may hang after finished |
754103 | 2-Critical | | iRulesLX NodeJS daemon does not follow best security practices |
753912-2 | 2-Critical | | UDP flows may not be swept |
752930-5 | 2-Critical | | Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state |
751589 | 2-Critical | | In BIG-IP VE, some IP rules may not be created during the first boot up. |
747968 | 2-Critical | | DNS64 stats not increasing when requests go through dns cache resolver |
747727 | 2-Critical | | HTTP Profile Request Header Insert Tcl error |
747617 | 2-Critical | | TMM core when processing invalid timer |
747239 | 2-Critical | | TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection |
746926 | 2-Critical | | Pattern match in profile configuration may cause excessive memory and CPU usage |
746710 | 2-Critical | | Use of HTTP::cookie after HTTP::disable causes TMM core |
745589 | 2-Critical | | In very rare situations, some filters may cause data-corruption. |
745533 | 2-Critical | | NodeJS Vulnerability: CVE-2016-5325 |
742184 | 2-Critical | | TMM memory leak |
741048 | 2-Critical | | iRule execution order could change after editing the scripts |
738945 | 2-Critical | | SSL persistence does not work when there are multiple handshakes present in a single record |
737985-3 | 2-Critical | | BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode. |
734551-2 | 2-Critical | | L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server |
726393 | 2-Critical | | DHCPRELAY6 can lead to a tmm crash |
716714 | 2-Critical | | OCSP should be configured to avoid TMM crash. |
761385 | 3-Major | | Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire. |
760771 | 3-Major | | FastL4-steered traffic might cause SSL resume handshake delay |
760550-6 | 3-Major | | Retransmitted TCP packet has FIN bit set |
759480 | 3-Major | | HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash |
759056 | 3-Major | | stpd memory leak on secondary blades in a multi-blade system |
758437 | 3-Major | | SYN w/ data disrupts stat collection in Fast L4 |
758436 | 3-Major | | Optimistic ACKs degrade Fast L4 statistics |
758311 | 3-Major | | Policy Compilation may cause MCPD to crash |
757985 | 3-Major | K79562045 | TMM memory leak |
757442 | 3-Major | | A missed SYN cookie check causes crash at the standby TMM in HA mirroring system |
757084 | 3-Major | | Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled |
756538 | 3-Major | | Failure to open data channel for active FTP connections mirrored across an HA pair. |
756270 | 3-Major | | SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle |
755997 | 3-Major | | Non-IPsec listener traffic, e.g. monitoring traffic, can be translated to incorrect source address |
755594 | 3-Major | | peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket |
754985 | 3-Major | | Standby TMM may crash while processing mirrored TLS traffic |
753805 | 3-Major | | BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. |
753594 | 3-Major | | In-TMM monitors may have duplicate instances or stop monitoring |
753514 | 3-Major | | Large configurations containing LTM Policies load slowly |
753159 | 3-Major | | Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections |
752530 | 3-Major | | TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. |
752334 | 3-Major | | Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation |
752078-1 | 3-Major | | Header Field Value String Corruption |
750473 | 3-Major | | VA status changes while 'disabled' are not taken into account after being 'enabled' again |
750204 | 3-Major | | Add support for P-521 curve in the X.509 chain to SSL LTM |
750200 | 3-Major | | DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode |
749689 | 3-Major | | HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart |
749608 | 3-Major | | HTTP Persistence cookies erroneously sent when cookie persistence turned off |
749414 | 3-Major | | Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects |
749294 | 3-Major | | TMM cores when query session index is out of boundary |
748891 | 3-Major | | Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system. |
747085 | 3-Major | | A blade may occasionally get stuck and never be ready due to shared_random_data not ready |
746922 | 3-Major | | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. |
746131 | 3-Major | | OpenSSL Vulnerability: CVE-2018-0732 |
746078 | 3-Major | | Upgrades break existing iRulesLX workspaces that use node version 6 |
744686 | 3-Major | | Wrong certificate can be chosen during SSL handshake |
743900 | 3-Major | | Custom DIAMETER monitor requests do not have their 'request' flag set |
743257 | 3-Major | | Fix block size insecurity init and assign |
742838 | 3-Major | | A draft policy of an existing published policy cannot be modified if it is in /Common and used by a virtual server in a different partition |
742237 | 3-Major | | CPU spikes appear wider than actual in graphs |
742078 | 3-Major | | Incoming SYNs are dropped and the connection does not time out. |
740959 | 3-Major | | User with manager rights cannot delete FQDN node on non-Common partition |
740345 | 3-Major | | TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. |
739963 | 3-Major | | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup |
739349 | 3-Major | | LRO segments might be erroneously VLAN-tagged. |
726734 | 3-Major | | DAGv2 port lookup stringent may fail |
726232 | 3-Major | | iRule drop/discard may crash tmm |
724327 | 3-Major | | Changes to a cipher rule do not immediately have an effect |
722707 | 3-Major | | mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall |
720460 | 3-Major | | Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly |
720219-4 | 3-Major | K13109068 | HSL::log command can fail to pick new pool member if last picked member is 'checking' |
719304 | 3-Major | | Inconsistent node ICMP monitor operation for IPv6 nodes |
719300-2 | 3-Major | | ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address |
717896 | 3-Major | | Monitor instances deleted in peer unit after sync |
717100 | 3-Major | | FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member |
716936 | 3-Major | | MPTCP might not process all MPTCP options when multiple are present on the same packet |
716167 | 3-Major | | The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp |
712919 | 3-Major | | Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server. |
708068-4 | 3-Major | | Tcl commands like "HTTP::path -normalize" do not return normalized path. |
707581 | 3-Major | | Enhance the GUI to handle large number of SSL profiles |
704450 | 3-Major | | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration |
703593 | 3-Major | | TMSH tab completion for adding profiles to virtual servers is not working as expected |
687887 | 3-Major | | Unexpected result from multiple changes to a monitor-related object in a single transaction |
671458 | 3-Major | | RAM Cache uses HTTP/1.0 |
599567-1 | 3-Major | | APM assumes SNAT automap, does not use SNAT pool |
533461 | 3-Major | | Core file may be overwritten. |
522241 | 3-Major | | Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete |
504522 | 3-Major | | Trailing space present after 'tmsh ltm pool members monitor' attribute value |
473787-1 | 3-Major | | System might fail to unchunk server response when compression is enabled |
248424 | 3-Major | | Content length doesn't get updated during replacement using stream profile |
749657 | 4-Minor | | In-TMM monitor agent log message enhancement |
748978 | 4-Minor | | FastHTTP insert XFF header can be incorrect |
746077 | 4-Minor | | If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified |
744210 | 4-Minor | | DHCPv6 does not have the ability to override the hop limit from the client. |
742080 | 4-Minor | | Do not count resumed connections against SSL TPS |
726983-1 | 4-Minor | | Inserting multi-line HTTP header not handled correctly |
726327-3 | 4-Minor | | NodeJS debugger accepts connections from any host |
720314 | 4-Minor | | Seamless BIG-IP upgrade with AWS cloudHSM Liquid Security |
697403 | 4-Minor | | iRule URI::encode command does not follow RFC3986 for hexadecimal digits used in percent-encoded octets |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
756094 | 2-Critical | | DNS express in restart loop, 'Error writing scratch database' in ltm log |
753776 | 2-Critical | | TMM may consume excessive resources when processing UDP traffic |
750213 | 2-Critical | K25351434 | DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. |
759721 | 3-Major | | DNS GUI does not follow best practices |
756470 | 3-Major | | Additional logging added to detect when monitoring operations in the configuration exceed capabilities. |
754901 | 3-Major | | Frequent zone update notifications may cause TMM to restart |
749774 | 3-Major | | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled |
749675 | 3-Major | | DNS cache resolver may return a malformed truncated response with multiple OPT records |
749508 | 3-Major | | LDNS and DNSSEC: Various OOM conditions need to be handled properly |
749222 | 3-Major | | dname compression offset overflow causes bad compression pointer |
748902 | 3-Major | | Incorrect handling of memory allocations while processing DNSSEC queries |
746877 | 3-Major | | Omitted check for success of memory allocation for DNSsec resource record |
746719 | 3-Major | | SERVFAIL when attempting to view or edit NS resource records in zonerunner |
746137 | 3-Major | | DNSSEC: Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds |
745859 | 3-Major | | DNSSEC: gtmd leaks memory when dnssec keys on a dnssec zone are auto-rolling |
745035 | 3-Major | | gtmd crash |
744707 | 3-Major | | Fixed crash related to DNSSEC key rollover |
701232 | 3-Major | | Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation |
752216 | 4-Minor | K33587043 | DNS queries without the RD bit set may generate responses with the RD bit set |
748177 | 4-Minor | | Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character |
740284 | 4-Minor | | Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM' |
745649 | 5-Cosmetic | | Added comments explaining not to use any ACL that includes the reserved address range 127.10.x.x if multiple Views are defined. |
711910 | 5-Cosmetic | | The drops statistics in tmsh for LTM::DNS Profile Unhandled Query Action percentage column does not display the percentage |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
749136 | 1-Blocking | | Disk partition /var/log is low on free disk space |
761565 | 2-Critical | | ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end |
756108 | 2-Critical | | BD crash on specific cases |
754494 | 2-Critical | | Proactive bot defense falsely detects Selenium on Firefox version 64.x |
750922 | 2-Critical | | BD crash when content profile used for login page has no parse parameters set |
750683 | 2-Critical | | REST Backwards Compatibility: Cannot modify enforcementMode of host-name |
748321 | 2-Critical | | bd crash with specific scenario |
723790 | 2-Critical | | Idle asm_config_server handlers consume a lot of memory |
772165 | 3-Major | | Sync Failed due to Bot Defense profile not found |
761941 | 3-Major | | ASM does not remove CSRT token query parameter before forwarding a request to the backend server |
761194 | 3-Major | | param data type violation on an Integer parameter, if an integer value is sent via websocket JSON |
760878 | 3-Major | | Incorrect enforcement of explicit global parameters |
759840 | 3-Major | | False positive 'Null in request' violation or bare byte subviolations |
759360-1 | 3-Major | | Apply Policy fails due to policy corruption from previously enforced signature |
759182 | 3-Major | | Challenge loop when Single Page Application is enabled |
757337 | 3-Major | | Bot defense anomaly 'Invalid Mouse Events Sequence' false positive raised and request is blocked |
754420 | 3-Major | | Missing policy name in exported ASM request details |
754396 | 3-Major | | Security Policy's Attack Signatures put back into staging after Export/Import in Binary format |
754066 | 3-Major | | Newly added Systems are not added as part of installing a Server Technologies update file |
753295 | 3-Major | | ASM REST: All signatures being returned for policy Signatures regardless of signature sets |
752942 | 3-Major | | Live Update cannot be used by Administrator users other than 'admin' and 'root' |
752484 | 3-Major | | Firefox v52 or earlier getting CAPTCHA by Bot Defense |
752058 | 3-Major | | False positive CSRF violation for the URL with semicolon with explicit CSRF URL configuration |
751710 | 3-Major | | False positive cookie hijacking violation |
750973 | 3-Major | | Import XML policy error |
750793 | 3-Major | | Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition |
750689 | 3-Major | | Request Log: Accept Request button available when not needed |
750686 | 3-Major | | ASE user cannot create or modify a bot signature. |
750668 | 3-Major | | Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition |
750666 | 3-Major | | Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common' |
750356 | 3-Major | | Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted |
750187 | 3-Major | | ASM REST may consume excessive resources |
749109 | 3-Major | | CSRF situation on BIGIP-ASM GUI |
748848 | 3-Major | | Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers |
748409 | 3-Major | | Illegal parameter violation when json parsing a parameter on a case-insensitive policy |
747977 | 3-Major | | File manually uploaded information is not synced correctly between blades |
747550 | 3-Major | | Error 'This Logout URL already exists!' when updating logout page via GUI |
747136 | 3-Major | | CSRF fires Javascript error in IE7 or IE11 Compatibility View to IE7 |
746750 | 3-Major | | Search Engine get Device ID challenge when using the predefined profiles |
746394 | 3-Major | | With ASM CORS set to 'Disabled' it strips all CORS headers in response. |
746298 | 3-Major | | Server Technologies logos all appear as default icon |
746146 | 3-Major | | AVRD can crash with core when disconnecting/reconnecting on HTTPS connection |
745802 | 3-Major | | Brute Force CAPTCHA response page truncates last digit in the support id |
744347 | 3-Major | | Protocol Security logging profiles cause slow ASM upgrade and apply policy |
743961-1 | 3-Major | | Signature Overrides for Content Profiles do not work after signature update |
743346 | 3-Major | | External references in XML Profiles are not retrieved via defined HTTP proxy |
742852 | 3-Major | | Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header |
742558 | 3-Major | | Request Log export document fails to show some UTF-8 characters |
741109 | 3-Major | | Application Security Operations Administrator AuthZ role |
739945 | 3-Major | | JavaScript challenge on POST with 307 breaks application |
738676 | 3-Major | | Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests |
737866 | 3-Major | | Rare condition memory corruption |
734797 | 3-Major | | URL suggestion is still explicit though it should be *.[Jj][Ss] |
725906 | 3-Major | | ASM Support for BITW |
712336 | 3-Major | | bd daemon restart loop |
707643 | 3-Major | | ASM Single page application causes JavaScript error when cross domain request is sent |
674256-1 | 3-Major | K60745057 | False positive cookie hijacking violation |
671214 | 3-Major | | CAPTCHA requests are not logged |
305920 | 3-Major | | Added partial masking option for information leakage masking functionality |
774941 | 4-Minor | | GUI misspelling in Bot Defense logging profile |
761921 | 4-Minor | | avrd high CPU utilization due to perpetual connection attempts |
758615 | 4-Minor | | Reconstructed POST request is dropped after DID cookies are deleted |
758459 | 4-Minor | | Cross origin AJAX requests are blocked by Cross-Origin Resource Sharing (CORS) protection |
758085 | 4-Minor | | CAPTCHA Custom Response fails when using certain characters |
756567 | 4-Minor | K50500283 | Adding a tighter protection to fictive url |
756565 | 4-Minor | | Browser might get stuck when SPA is enabled |
756437 | 4-Minor | | ASM XMLHTTPRequest wrapper attempts to access responseText for non text responseType |
756418 | 4-Minor | | Live Update does not authenticate remote users |
756005 | 4-Minor | | Individual policy that cannot be deleted, can be if part of multi-policy delete |
755005 | 4-Minor | | Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations |
754865 | 4-Minor | | Missing indication when client fails connecting to Security Cloud Services |
754365 | 4-Minor | | Updated flags for countries that changed their flags since 2010 |
754109 | 4-Minor | | ASM content-security-policy header modification violates Content Security Policy directive |
752797 | 4-Minor | | BD is not correctly closing a shared memory segment |
749500 | 4-Minor | | Improved visibility for Accept on Microservice action in Traffic Learning |
749203 | 4-Minor | | New Application Ready Templates |
748999 | 4-Minor | | invalid inactivity timeout suggestion for cookies |
747905-3 | 4-Minor | | 'Illegal Query String Length' violation displays wrong length |
747777 | 4-Minor | | Extractions are learned in manual learning mode |
747657 | 4-Minor | | Paging controller changed |
747560 | 4-Minor | | ASM REST: Unable to download Whitehat vulnerabilities |
745813 | 4-Minor | | Requests are reported to local log even if only Bot Defense remote log is configured |
745624 | 4-Minor | | Tooltips for OWASP Bot Categories and Anomalies were added |
745531 | 4-Minor | | Puffin Browser gets blocked by Bot Defense |
744226 | 4-Minor | | DoSL7-related logs are not throttled |
742668 | 4-Minor | | Origin header is not reconstructed after Bot defense challenge |
706445 | 4-Minor | | Multiple manual incremental sync operations might cause race condition in ASMConfig |
695878 | 4-Minor | | Signature enforcement issue on specific requests |
620301 | 4-Minor | | Policy import fails due to missing signature System in associated Signature Set |
750353 | 5-Cosmetic | | Manual Device Group Put in Pending State With No Indication |
750352 | 5-Cosmetic | | Config sync status is always "Changes Pending" |
745607 | 5-Cosmetic | | Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly |
745094 | 5-Cosmetic | | ASM tsconfig log message misspellings |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
763349 | 2-Critical | | AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out |
756205 | 2-Critical | | TMSTAT offbox statistics are not continuous |
754944 | 2-Critical | | AVR reporting UI does not follow best practices |
746941-3 | 2-Critical | | avrd memory leak when BIG-IQ fails to receive stats information |
746823-1 | 2-Critical | | AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members |
764665 | 3-Major | | AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change |
763005 | 3-Major | | Aggregated Domain Names in DNS statistics are shown as random domain name |
753485 | 3-Major | | AVR global settings are being overridden by HA peers |
753446 | 3-Major | | avrd process crash during shutdown if connected to BIG-IQ |
749464-3 | 3-Major | | Race condition while BIG-IQ updates common file |
749461-3 | 3-Major | | Race condition while modifying analytics global-settings |
745027-3 | 3-Major | | AVR is doing extra activity of DNS data collection even when it should not |
744595 | 3-Major | | DoS-related reports might not contain some of the activity that took place |
744589 | 3-Major | | Missing data for Firewall Events Statistics |
738197 | 3-Major | | IP address from XFF header is not taken into account when there are trailing spaces after IP address |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
779865 | 2-Critical | | Network Access tunnel does not pass traffic except HTTP |
769361 | 2-Critical | | TMM may crash while processing SSLO traffic |
760130 | 2-Critical | | [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK |
759920 | 2-Critical | | WebSSO logs record the master key when in DEBUG mode |
755628 | 2-Critical | | Deleted APM cookies missing 'secure' and 'HttpOnly' flags |
755447 | 2-Critical | | SSLO does not deliver content generated/originated from inline device |
752592 | 2-Critical | | VMware Horizon PCoIP clients may fail to connect shortly after logout |
748572 | 2-Critical | | Occasionally ramcache might crash when data is sent without the corresponding event. |
664449 | 2-Critical | | PPP MRU calculation for TLS network access tunnels |
660913 | 2-Critical | | For ActiveSync client type, browscap info provided is incorrect.★ |
760624 | 3-Major | | MSIE logon page form alignment right might not get displayed correctly |
760410 | 3-Major | | Connection reset is seen when Category lookup agent is used in per-req policy |
759937 | 3-Major | | Empty audience claim added to JWT access token generated by OAuth bearer SSO |
759868 | 3-Major | | TMM crash observed while rendering internal pages (like blocked page) for per-request policy |
759184 | 3-Major | | Disassociating SP connector from SSO config (IdP) that is assigned to a SAML resource is allowed but should not |
758806 | 3-Major | | Introspect request might fail for 'refreshed' access token |
758764 | 3-Major | | APMD Core when CRLDP Auth fails to download revoked certificate |
758680 | 3-Major | | API Protection Profile requires URI Path Property to attach to virtual server |
758542 | 3-Major | | OAuth database instance appears empty after upgrade from v13.x★ |
757992 | 3-Major | | RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup |
757822 | 3-Major | | Subroutine name should use partition name and policy name |
757782 | 3-Major | | OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default |
757360 | 3-Major | | Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO |
756777 | 3-Major | | VDI plugin might crash on process shutdown during RDG connections handling |
755507 | 3-Major | | [App Tunnel] 'URI sanitization' error |
755475 | 3-Major | | Corrupted customization group on target after updating logon page agent field on source device and config sync |
755047 | 3-Major | | Category lookup returns wrong category on CONNECT traffic through SSLO |
754542 | 3-Major | | TMM may crash when using RADIUS Accounting agent |
754346 | 3-Major | | Access policy was not found while creating configuration snapshot. |
753157 | 3-Major | | Support some AAA agents relevant to oauth-resource-server type policy |
752875 | 3-Major | | tmm core while using service chaining for SSLO |
751807 | 3-Major | | SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel |
751424 | 3-Major | | HTTP Connect Category Lookup not working properly |
751095 | 3-Major | | Ability to search the active access sessions by virtual servers |
750823 | 3-Major | | Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD |
750631 | 3-Major | | There may be a latency between session termination and deletion of its associated IP address mapping |
750498 | 3-Major | | MCP validation to prevent sso config object deletion when referenced by SSO Configuration Select agent in PRP |
750170 | 3-Major | | SP Connector config changes causes BIG-IP tmm core sometimes during handling of SAML SLO request |
749477 | 3-Major | | Provisioning URLDB and SWG simultaneously produces a confusing error message if neither module was originally provisioned |
749161 | 3-Major | | Problem sync policy contains non-ASCII characters |
749057 | 3-Major | | VMware Horizon idle timeout is ignored when connecting via APM |
749036 | 3-Major | | Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM |
748944-1 | 3-Major | | Import is failing for APM SSO Config Saml object |
748452 | 3-Major | | Unable to edit Per-Request Policies logged in as a user account configured with the Manager role. |
748451 | 3-Major | | Manager users cannot perform changes in per-request policy properties |
747735 | 3-Major | | Virtual server with access profile in local traffic group is disabled after upgrade from pre-13.1 |
747725 | 3-Major | | Kerberos Auth agent may override settings that were manually made to krb5.conf |
747624 | 3-Major | | RADIUS Authentication over RSA SecureID is not working in challenge mode |
746771 | 3-Major | | APMD recreates config snapshots for all access profiles every minute |
746768 | 3-Major | | APMD leaks memory if access policy contains variable/resource assign policy items |
746261 | 3-Major | | HA-Status changes to "Changes Pending" after Edge Client download |
745707 | 3-Major | | Portal Access Web Page does not render properly |
745654 | 3-Major | | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server |
745574 | 3-Major | | URL is not removed from custom category when deleted |
745262 | 3-Major | | Error encountered when performing a policy sync on an access profile of SSO type |
745127 | 3-Major | | If style attribute contains HTML entities, it may not be rewritten correctly on client side. |
744407 | 3-Major | | While the client has been closed, iRule function should not try to check on a closed session |
744183 | 3-Major | | VMware Horizon HTML5 client launch results in certificate mismatch warning |
743437 | 3-Major | | Portal Access: Issue with long 'data:' URL |
743150 | 3-Major | | Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client |
741967-1 | 3-Major | | APM custom report with active field failed on vcmp |
738430 | 3-Major | | APM is not able to do compliance check on iOS devices running F5 Access VPN client |
738148 | 3-Major | | Misleading 'Invalid Nonce' error message |
737766 | 3-Major | | Too many branches in agents may cause request process slow down |
723278 | 3-Major | | Radius Accounting-Request (STOP) always includes AVP Framed-IP-Address=0.16.0.0 when Network Access resource configured with IPv4 & IPv6 |
709126 | 3-Major | | Localdb authentication may fail |
696382 | 3-Major | | Max in-progress sessions per client IP does not work correctly with Redirect ending |
695985 | 3-Major | | Access HUD filter has URL length limit (4096 bytes) |
679735 | 3-Major | | Multidomain SSO infinite redirects from session ID parameters |
670833 | 3-Major | | window.fetch() should be supported |
663819 | 3-Major | | APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue) |
643935 | 3-Major | | Rewriting may cause an infinite loop while processing some objects |
600985 | 3-Major | | Network access tunnel data stalls |
571409 | 3-Major | | Step-up auth with APM native Email OTP and SMS OTP |
534187 | 3-Major | | Passphrase protected signing keys are not supported by SAML IDP/SP |
426963 | 3-Major | K15164 | Delay in SWG forwarding with an Expect: 100-continue |
422665 | 3-Major | | APM requires external IP address to be specified for PCoIP client to connect to via NAT |
756019 | 4-Minor | | OAuth JWT Issuer claim requires URI format |
755739 | 4-Minor | | SAML metadata import (SP or IdP) fails if the metadata file has both SPSSODescriptor and IdPSSODescriptor |
753512 | 4-Minor | | Portal Access: Resource with '?' in query part of URL cannot be created. |
753151 | 4-Minor | | Kerberos SSO: Improve the logging of the error msg when Kerberos requests are not processed. |
749142 | 4-Minor | | Portal Access: rewriting for Worker.postMessage(msg,transfer) should not rewrite 2nd argument |
748272 | 4-Minor | | Portal Access: IE: not rewritten content produced by rewritten document.write() targeted to parent window. |
748245 | 4-Minor | | [PA] Client side HTML patcher does not handle the case when both newlines and HTML tags are present in attribute value |
738259 | 4-Minor | | F5_Inflate_onevent() issue when it assigns a value to a user-defined object |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
748502 | 3-Major | | TMM may crash when processing iSession traffic |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
754615 | 2-Critical | | Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup. |
745397 | 2-Critical | | Virtual server configured with FIX profile can leak memory. |
755630 | 3-Major | | MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes |
754658 | 3-Major | | Improved matching of response messages uses end-to-end ID |
752822 | 3-Major | | SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type |
751179 | 3-Major | | MRF: Race condition may create too many outgoing connections to a peer |
749603 | 3-Major | | MRF SIP ALG: Potential to end wrong call when BYE received |
749227 | 3-Major | | MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE |
749041 | 3-Major | | MRSIP log of subscriber deletion outputs '(null)' for subscriber URI |
748253 | 3-Major | | Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection |
748043 | 3-Major | | MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP |
747187 | 3-Major | | SIP falsely detects media flow collision when SDP is in both 183 and 200 response |
746825-4 | 3-Major | | MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls |
746731 | 3-Major | | BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set |
745947 | 3-Major | | Add log events for MRF SIP registration/deregistration and media flow creation/deletion |
745715 | 3-Major | | MRF SIP ALG now supports reading SDP from a mime multipart payload |
745628 | 3-Major | | MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message |
745590 | 3-Major | | SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added |
745514 | 3-Major | | MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message |
745404 | 3-Major | | MRF SIP ALG does not reparse SDP payload if replaced |
744949 | 3-Major | | MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix |
744275 | 3-Major | | BIG-IP system sends Product-Name AVP in CER with Mandatory bit set |
742829 | 3-Major | | SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0 |
741951 | 3-Major | | Multiple extensions in SIP NOTIFY request cause message to be dropped. |
727288 | 3-Major | | Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC |
747909 | 4-Minor | | GTPv2 MEI and Serving-Network fields decoded incorrectly |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
747104 | 1-Blocking | K52868493 | LibSSH Vulnerability: CVE-2018-10933 |
763121 | 2-Critical | | Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM. |
761173 | 2-Critical | | tmm crash after extended whitelist modification |
757359 | 2-Critical | | pccd crashes when deleting a nested Address List |
754805-1 | 2-Critical | | Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured |
752363-1 | 2-Critical | | Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled |
751869-3 | 2-Critical | | Possible tmm crash when using manual mode mitigation in DoS Profile |
749331 | 2-Critical | | Global DNS DoS vector does not work in certain cases |
747922 | 2-Critical | | With AFM enabled, during bootup, there is a small possibility of a tmm crash |
747225 | 2-Critical | | PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart |
603124 | 2-Critical | | [FW FQDN] RFE to address lower minimum allowed refresh interval (than current min of 10 mins) |
760393-1 | 3-Major | | GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes |
756633 | 3-Major | | Autodos daemon history file is created even when there is no vector enabled in a DoS profile |
756471 | 3-Major | | AFM Flow Inspector filter doesn't indicate src-ip/dst-ip filters as clientside. |
756218 | 3-Major | | Improve default management port firewall |
753893 | 3-Major | | Inconsistent validation for firewall address-list's nested address-list causes load failure |
753141 | 3-Major | | Hardware returning incorrect type of entry when notifying software might cause tmm crash |
753028 | 3-Major | | AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule |
751116 | 3-Major | | DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring |
750477 | 3-Major | | LTM NAT does not forward ICMP traffic |
749761-1 | 3-Major | | AFM Policy with Send to Virtual and TMM crash in a specific scenario |
749059 | 3-Major | | TMUI does not provide option to enable BADOS TLS fingerprint signatures |
748176-2 | 3-Major | | BDoS Signature can wrongly match a DNS packet |
748081 | 3-Major | | Memory leak in BDoS module |
747926-3 | 3-Major | | Rare TMM restart due to NULL pointer access during AFM ACL logging |
746875 | 3-Major | | When the rate-limit setting is configured to a low value, sampled attack log messages are not logged |
746260 | 3-Major | | Attack status is not updated when Protected Objects Details Panel is refreshed |
745809-1 | 3-Major | | The /var partition may become 100% full requiring manual intervention to clear space |
745371 | 3-Major | | AFM GUI does not follow best security practices |
742120 | 3-Major | | MCPd crash seen during load sys config |
742095 | 3-Major | | False positive in SFTP policy enforcement |
737035 | 3-Major | | New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup. |
703165-1 | 3-Major | | shared memory leakage |
697991 | 3-Major | | Source client information not available in DOS DNS Protocol event logs |
756457-1 | 4-Minor | | tmsh command 'show security' returning a parsing error |
746243 | 4-Minor | | Usage of whitelist in DoS profile is not clear |
632246 | 4-Minor | | Configuring pvasyncookies db variable does not persist over reboots or to non-primary blades. |
756477 | 5-Cosmetic | | Drop Redirect tab incorrectly named as 'Redirect Drop' |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
760518 | 2-Critical | | PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement |
750491 | 2-Critical | | PEM Once-Every content insertion action may insert more than once during an interval |
764901 | 3-Major | | PEM policy filters rules memory gets leaked if policy is deleted before deleting the rules |
760438 | 3-Major | | PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions |
759192 | 3-Major | | TMM core during display of PEM session under some specific conditions |
756311 | 3-Major | | High CPU during erroneous deletion |
753163 | 3-Major | | PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days |
753014 | 3-Major | | PEM iRule action with RULE_INIT event fails to attach to PEM policy |
750460 | 3-Major | | Subscriber management configuration GUI |
747065 | 3-Major | | PEM iRule burst of session ADDs leads to missing sessions |
746344 | 3-Major | | PEM may not re-establish diameter connection after HA switchover |
743954 | 3-Major | | QOE module is deprecated and upgrade causes QOE config to be removed★ |
726647 | 3-Major | | PEM content insertion in a compressed response may truncate some data |
726011 | 3-Major | | PEM transaction-enabled policy action lookup optimization to be controlled by a sys db |
670994 | 3-Major | | There is no validation for IP address on the ip-address-list for static subscriber |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
744516 | 2-Critical | | TMM panics after a large number of LSN remote picks |
744959 | 3-Major | | SNMP OID for sysLsnPoolStatTotal not incremented in stats |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
756213 | 3-Major | | No support of injection into XHTML pages |
754024 | 3-Major | | Dynamic Script Removal Detection fires false-positive alerts on Firefox add-ons and Chrome extensions |
752782 | 3-Major | | 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' |
750393 | 3-Major | | When parameters with special characters are obfuscated they are not url-encoded |
748649 | 3-Major | | Key logging chrome extension can bypass Websafe KeyLogger |
747682 | 3-Major | | Phishing detection is loaded without being licensed |
745912 | 3-Major | | Improve WebRootKit alert details |
742754 | 3-Major | | EDI alert on autofill of multiple fields |
741248 | 3-Major | | ANTIFRAUD::disable may stall the connection |
756849 | 4-Minor | | Ajax encryption feature may cause high CPU usage |
753441 | 4-Minor | | AJAX encryption feature ignores encoded parameters names |
749179 | 4-Minor | | DataSafe: Cannot lower secure-channel-lifetime through GUI |
741449 | 4-Minor | | alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts |
738677 | 4-Minor | | Configured name of wildcard parameter is not sent in data integrity alerts |
737094 | 4-Minor | | Reduce the impact of the Dynamic Script Removal Detection loading time |
660759 | 4-Minor | | Cookie hash persistence sends alerts to application server. |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
755378 | 2-Critical | | HTTPS connection error from Chrome when BADOS TLS signatures configured |
748813 | 2-Critical | | tmm cores under stress test on virtual server with DoS profile with admd enabled |
748121 | 2-Critical | | admd livelock under CPU starvation |
653573-7 | 2-Critical | | ADMd not cleaning up child rsync processes |
756877 | 3-Major | | Virtual server created with Guided Configuration is not visible in Grafana |
727136 | 3-Major | | One dataset contains large number of variations of TLS hello messages on Chrome |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
760961-1 | 2-Critical | | TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts |
757088-2 | 2-Critical | | TMM clock advances and cluster failover happens during webroot db nightly updates |
752803 | 2-Critical | | CLASSIFICATION_DETECTED running reject can lead to a tmm core |
752047 | 2-Critical | | iRule running reject in CLASSIFICATION_DETECTED event can cause core |
758536-1 | 3-Major | | Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x |
754257-4 | 3-Major | | URL lookup queries not working |
744922 | 3-Major | | Traffic intelligence hitless upgrade uses load sys config |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
725514 | 3-Major | | management IP address change in device-groups★ |
710857 | 3-Major | | iControl requests may cause excessive resource usage |
Cumulative fix details for BIG-IP v15.0.0 that are included in this release
779865 : Network Access tunnel does not pass traffic except HTTP
Component: Access Policy Manager
Symptoms:
Traffic will not pass through Network Access tunnel, except TCP port 80. Non-TCP traffic, such as DNS and ICMP, will not go through either.
Conditions:
1. Network Access Tunnel is established
2. Any data traffic through the tunnel, except HTTP
Impact:
Applications stop working, except for HTTP requests.
Workaround:
Manually create a FastL4 virtual server with wildcard IP and wildcard port and listen on the tunnel interface.
774941 : GUI misspelling in Bot Defense logging profile
Component: Application Security Manager
Symptoms:
There is a misspelling in the logging profile for Bot Defense: Log Requests by Classificaiton.
Conditions:
Go to Security :: Event Logs : Logging Profiles :: Logging Profile :: Bot Defense :: Request Log.
Impact:
The GUI shows a misspelled word. There is no functional impact from this issue.
Workaround:
None needed. This is a cosmetic issue only.
Fix:
The text has been corrected: Log Requests by Classification.
774445 : BIG-IP VE does not pass traffic on ESXi 6.7 Update 2
Solution Article: K74921042
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).
Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor.
-- VMXNET 3 NICs.
Impact:
Traffic does not pass through non-mgmt interfaces.
Workaround:
You can use the following workarounds:
-- Until this issue is fixed in a Point-Release for your software branch, you can contact F5 Networks Technical Support to obtain an Engineering Hotfix to address the issue. This workaround allows TMM to continue to use the VMXNET3 driver, which is preferable.
-- On BIG-IP version 14.1.0, you can switch to the 'sock' driver.
-- On BIG-IP versions earlier than 14.1.0, you can switch to the 'unic' driver.
Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.
To switch driver:
1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). For example:
echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl
2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):
bigstart restart tmm
3. After tmm restarts, confirm the driver in use by examining the output of:
tmctl -d blade tmm/device_probed
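As an added example (not part of the F5 release note), a POSIX shell helper that performs step 1 idempotently: repeated runs, or switching between 'unic' and 'sock', leave exactly one directive for the VMXNET 3 vendor/device ID instead of appending duplicates with each `echo >>`. The file path is a parameter so the helper can be exercised on a scratch file; on the device it is assumed to be /config/tmm_init.tcl.

```shell
# Added example, not from the release note. Ensures exactly one
# 'device driver vendor_dev 15ad:07b0 DRIVER' line in the given file.
set_vmxnet3_driver() {
    file="$1"
    driver="$2"
    case "$driver" in
        unic|sock) ;;
        *) echo "driver must be 'unic' or 'sock', got '$driver'" >&2; return 1 ;;
    esac
    # Drop any earlier directive for this device so that re-running the
    # helper, or switching drivers, never leaves two conflicting lines.
    if [ -f "$file" ]; then
        grep -v '^device driver vendor_dev 15ad:07b0 ' "$file" > "$file.tmp" || true
        mv "$file.tmp" "$file"
    fi
    echo "device driver vendor_dev 15ad:07b0 $driver" >> "$file"
}

# Self-check used before restarting tmm: number of matching directives
# (expected to be 1 after set_vmxnet3_driver).
vmxnet3_driver_lines() {
    grep -c '^device driver vendor_dev 15ad:07b0 ' "$1"
}

# Steps 2 and 3 from the release note, run on the BIG-IP itself
# (the path and commands are the ones given in the workaround).
apply_vmxnet3_driver() {
    set_vmxnet3_driver /config/tmm_init.tcl "$1" || return 1
    bigstart restart tmm          # disrupts traffic
    tmctl -d blade tmm/device_probed
}
```

Because the release note says the change does not synchronize via ConfigSync, the helper has to be run on each device in the group.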
Fix:
BIG-IP VE now passes traffic on ESXi 6.7 Update 2.
773677 : BIG-IP 14.1.0 system-journald write to /run/log/journal causes SWAP usage increase★
Solution Article: K72255850
Component: TMOS
Symptoms:
The system-journald process writes to temporary storage /run/log/journal when storage mode is set to 'auto'. The persistent directory /var/log/journal that controls where the log goes (temporary or persistent memory) is usually created during BIG-IP system reboot. In some cases, /var/log/journal is not created. In the absence of this, system-journald writes to temporary storage /run/log/journal.
Conditions:
BIG-IP upgraded from versions prior to v14.1.0 to version 14.1.0 or higher.
Impact:
Because the log is written to temporary memory, system SWAP usage increases, which degrades overall system performance and may cause the kernel out-of-memory killer to run and kill system processes.
Workaround:
1. Create system-journald persistent log directory manually:
mkdir /var/log/journal
chown root:systemd-journal /var/log/journal
chmod 2755 /var/log/journal
chcon system_u:object_r:var_log_t:s0 /var/log/journal
2. Reboot the system.
Fix:
The system-journald persistent directory is always created during reboot or when the system-journald storage option is set to 'persistent'.
772165 : Sync Failed due to Bot Defense profile not found
Component: Application Security Manager
Symptoms:
A sync failure might happen in a sync-failover device group after manually editing the /config/bigip.conf file and removing the Bot Defense profiles, and then performing a config sync.
The system reports a sync error message similar to this:
FODG (Sync Failed): A validation error occurred while syncing to a remote device.
- Sync error on device-b: Load failed from /Common/device-a 01020036:3: The requested profile (/Common/bot-defense-device-id-generate-before-access) was not found.
- Recommended action: Review the error message and determine corrective action on the device.
Conditions:
Manually editing the /config/bigip.conf file and removing the Bot Defense profile, then loading the config, and performing a config sync.
Impact:
Sync failure.
Workaround:
Reload the config from the receiving device, and then perform a force sync in the opposite direction, overriding the previous changes. This should bring the system back in sync.
Fix:
Sync failures no longer happen when removing Bot Defense profiles from the config file and loading config.
769809 : vCMP guests 'INOPERATIVE' after upgrade
Component: TMOS
Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.
Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.
Impact:
vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.
Workaround:
None.
Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade.
769361 : TMM may crash while processing SSLO traffic
Component: Access Policy Manager
Symptoms:
Under certain conditions, TMM may crash while processing SSLO traffic.
Conditions:
SSLO enabled.
Transparent proxy traffic chaining enabled.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
TMM now processes SSLO traffic as expected.
767689 : f5optics_install using different versions of RPM★
Component: TMOS
Symptoms:
Symptoms have only been observed in one case: a bare metal install of BIG-IP 14.1.0. In this case, messages indicate that the RPM database under /shared is corrupted.
Conditions:
Bare metal installation via PXE boot or USB install.
Impact:
The /shared/lib/rpm database needs to be recreated and f5optics manually installed.
Workaround:
Recreate the /shared/lib/rpm database and manually install f5optics.
Fix:
With these changes, the corruption of the /shared/lib/rpm database is no longer observed.
767653 : Malformed HTTP request can result in endless loop in an iRule script
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system receives an HTTP request, its parser determines the HTTP protocol version in use. A malformed HTTP/1.1 request can be recognized as HTTP/0.9 while still carrying headers. An attempt to remove an existing HTTP header can then result in an endless loop.
Conditions:
The BIG-IP system has a virtual server with an HTTP profile and an iRule that removes all occurrences of a specific header.
Impact:
The BIG-IP system enters into an endless loop, and SOD kills the TMM process handling the request. The BIG-IP system fails over and may cause interruption in traffic processing.
Workaround:
Stop the processing of a request when HTTP/0.9 is detected:
if {[HTTP::version] equals "0.9"} {return}
Fix:
When a malformed request is recognized as HTTP/0.9 it no longer provides inconsistent results for iRule commands and prevents endless loops due to such version transformation.
766873-1 : Omission of lower-layer types from sFlow packet samples
Component: TMOS
Symptoms:
The packet samples transmitted from BIG-IP to an sFlow receiver may contain only 'http' samples, with no 'vlan' or 'interface' FLOW samples appearing. sFlow will continue to transmit CNTR (counter) telemetry packets.
Conditions:
When the BIG-IP system is configured with one or more sFlow receivers, with non-zero sampling-rate configured for 'vlan' or 'interface' types.
Impact:
External network-monitoring or management systems, which may depend on sFlow packet samples from BIG-IP systems and from other equipment, are unable to properly characterize the flow of data throughout the network.
Workaround:
None.
Fix:
This issue no longer occurs.
766293 : Monitor logging fails on v14.1.0.x releases
Component: TMOS
Symptoms:
On a fresh install of v14.1.0.x, when you enable monitor logging for a node or pool member, an error message appears in /var/log/ltm, and the monitor log file is not created.
This behavior is due to SELinux changes; /var/log/auditd/audit.log shows the SELinux violations.
System reports messages similar to the following in /var/log/ltm:
-- info bigd[12457]: Couldn't open logging file /var/log/monitors/Common_Splunk_HTTP_monitor-Common_node1-8088.log for monitor /Common/Splunk_HTTP_monitor on node /Common/node1.
Conditions:
-- Clean installation of v14.1.0.x software.
-- Enable monitor logging for a node or pool member.
Impact:
Monitor logging fails. Error messages logged.
Workaround:
None.
Fix:
Updated bigd SELinux rules to allow the monitor log file creations.
765969 : Not able to get HSB register dump from hsb_snapshot on B4450 blade
Component: TMOS
Symptoms:
Running hsb_snapshot tool fails on B4450 blades with the following message:
Too many rows in tmm/hsb_internal_pde_info table
Conditions:
When vCMP is provisioned on VIPRION B4450 blades.
Impact:
The HSB register dump is not available in hsb_snapshot or QKview for diagnostic purposes.
Workaround:
None.
Fix:
hsb_snapshot tool now returns successfully on B4450 blades with vCMP provisioned.
765533 : Sensitive information logged when DEBUG logging enabled
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
764901 : PEM policy filters rules memory gets leaked if policy is deleted before deleting the rules
Component: Policy Enforcement Manager
Symptoms:
There is a memory leak associated with deleting policies before rules.
Conditions:
If a policy is deleted before its rules are deleted.
Impact:
Memory leak.
Workaround:
Delete all rules in a policy prior to a policy delete operation.
Fix:
PEM policy filters rules memory no longer gets leaked if policy is deleted before deleting the rules.
764665 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
Component: Application Visibility and Reporting
Symptoms:
When the BIG-IP system is registered on a BIG-IQ system, avrd sometimes crashes and produces a core.
Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.
Impact:
avrd cores and restarts. Functionality is not impacted; stats data are still sent to BIG-IQ.
Workaround:
None.
Fix:
Corrected issue in setting value for internal flag.
763349 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
Component: Application Visibility and Reporting
Symptoms:
avrd application on BIG-IP crashes; core is generated.
Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.
-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.
Impact:
avrd crashes, and a core is generated.
Workaround:
None.
Fix:
avrd now reconnects to BIG-IQ DCD in a different sequence so this issue no longer occurs.
763121 : Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
Component: Advanced Firewall Manager
Symptoms:
TMM crashes and produces a core file. The crash is a SIGFPE accompanied by the following panic string:
Assertion "packet must already have an ethernet header" failed.
Conditions:
This issue occurs when all of the following conditions are met:
- The system is provisioned for AFM.
- A TCP Half Open attack to the system is underway.
- A BIG-IP Administrator attempts to use the AFM Packet Tester tool, and simulates sending a TCP segment with the SYN flag set.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the AFM Packet Tester tool while a TCP Half Open attack is underway.
Fix:
TMM no longer crashes when utilizing the AFM Packet Tester tool.
763005 : Aggregated Domain Names in DNS statistics are shown as random domain name
Component: Application Visibility and Reporting
Symptoms:
When many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates the data, it labels the aggregated entries with a random name taken from the first lookup table record.
Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.
Impact:
One random domain name is shown with a high counter value, while the other domains are shown with a counter of 1.
Workaround:
None.
762453-1 : Hardware cryptography acceleration may fail
Component: TMOS
Symptoms:
Host reports the following error message:
Device error: crypto codec qat-cryptoXX-Y queue is stuck.
Conditions:
Platform with access to Intel QAT cryptography hardware
Hardware cryptography acceleration enabled
Impact:
Hardware cryptography acceleration failure, leading to a failover event.
Workaround:
Disable hardware crypto acceleration for impacted device.
Fix:
Platforms with QAT accelerators now function as expected.
761941 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server
Component: Application Security Manager
Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.
Impact:
Backend app gets CSRT parameter, which might impact its business logic.
Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.
Fix:
The system now removes the CSRT query parameter before forwarding a request to the backend server.
761933 : Reboot with 'tmsh reboot' does not log message in /var/log/audit
Component: TMOS
Symptoms:
The tmsh reboot command is missing from /var/log/audit.
Conditions:
-- Reboot a system using the command 'tmsh reboot'.
-- View the /var/log/audit log.
Impact:
The system does not log the tmsh reboot operation in the /var/log/audit log. A message similar to the following should be reported:
notice tmsh[19115]: 01420002:5: AUDIT - pid=19115 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=reboot.
Workaround:
None.
761921 : avrd high CPU utilization due to perpetual connection attempts
Component: Application Security Manager
Symptoms:
avrd shows high CPU utilization because the auth token client repeatedly retries failed connection attempts.
Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.
Impact:
avrd consumes a large amount of CPU.
Workaround:
Correct BIG-IQ availability and restart avrd.
Fix:
avrd now waits between connection retries, so this issue does not occur.
761565 : ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end
Component: Application Security Manager
Symptoms:
ASM BD crashes when the configured custom CAPTCHA page is larger than 45 KB.
Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- CAPTCHA page size is bigger than 45 KB.
- CAPTCHA protection is enabled via brute force or ASM::captcha iRule.
Impact:
There is an ASM BD crash that occurs upon a request protection by CAPTCHA mitigation. If configured for high availability (HA), failover occurs.
Workaround:
Define CAPTCHA page sizes smaller than 45 KB.
Fix:
ASM BD core is fixed; BD no longer crashes, even when the CAPTCHA page size is larger than 45 KB.
761385 : Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire.
Component: Local Traffic Manager
Symptoms:
Responses from a server are not received by the client.
Conditions:
-- BIG-IP system deployed in L2 transparent mode using virtual wire.
-- No virtual server is configured.
Impact:
Responses from server to client are dropped. Loss of service.
Workaround:
None.
Fix:
Set the L2 transparent flag for the server-side flow if the client-side flow has this flag set.
761194 : param data type violation on an Integer parameter, if an integer value is sent via websocket JSON
Component: Application Security Manager
Symptoms:
A false positive occurs with 'Illegal parameter data type' violation on an integer parameter, on websocket messages.
Conditions:
An explicit parameter with type integer is configured.
Impact:
A false positive can occur, 'Illegal parameter data type' is reported.
Workaround:
N/A
Fix:
Fixed a false positive with integer values.
761173 : tmm crash after extended whitelist modification
Component: Advanced Firewall Manager
Symptoms:
tmm might crash and restart.
Conditions:
Modifying the whitelist extended entry in tmsh.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The tmm process no longer crashes when modifying the whitelist extended entry in tmsh.
760961-1 : TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts
Component: Traffic Classification Engine
Symptoms:
Webroot daemon (wr_urldbd) crashes because of a socket handler issue that occurs when sending the URI categorization request to the BrightCloud server.
Wr_urldbd daemon restarts, and during startup, it loads the downloaded database to the shared memory channel. This shared memory channel is being used by the TMM, which has no information about the wr_urldbd restart, so tmm restarts.
Conditions:
-- Wr_urldbd restarts (which occurs due to an issue in socket handler when sending URL categorization requests to the BrightCloud server).
-- During wr_urldbd startup, the daemon starts loading the downloaded webroot database to the shared memory channel set up between the wr_urldbd and TMM.
-- TMM accesses this shared memory channel to perform a URL category lookup (due to traffic).
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
760950 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
Component: TMOS
Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.
Note: A previous bug had this same symptom, but was due to a different root cause.
Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.
Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.
Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.
Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system.
760878 : Incorrect enforcement of explicit global parameters
Component: Application Security Manager
Symptoms:
A false positive or false negative enforcement of explicit global parameter.
Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.
Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.
Workaround:
Make the explicit parameters a wildcard parameter.
Fix:
Explicit parameters are enforced correctly on all parameters.
760771 : FastL4-steered traffic might cause SSL resume handshake delay
Component: Local Traffic Manager
Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.
Additionally, if fallback persistence is configured, the BIG-IP system might fail to start the server-side connection.
Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.
Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.
Workaround:
To work around this issue:
-- Disable FastL4.
-- Enable OneConnect.
Fix:
FastL4-steered traffic no longer causes SSL resume handshake delay.
760624 : MSIE logon page form alignment right might not get displayed correctly
Component: Access Policy Manager
Symptoms:
In Microsoft Internet Explorer, the logon page form is not aligned properly.
Conditions:
This occurs when the following settings are configured:
-- In General Page Style Settings :: Page Alignment, choose Right.
-- In Layout Settings :: Page layout, choose Form Right.
-- In Form Settings :: Form alignment, choose Right.
Impact:
This is a cosmetic issue. There is no functional impact.
Workaround:
You can work around this issue by modifying the following selector in apm_full.css:
table#main_table table#interaction_table
Add following lines at the end:
<? if(($_GET['ctype'] == 'IE' || $_GET['ctype'] == '') && getCssCustiomizationVar("form_alignment") == "right" ) { ?>
float: %[form_alignment];
<? } ?>
Fix:
In Microsoft Internet Explorer, the logon page form is now aligned properly.
760597 : System integrity messages not logged
Component: TMOS
Symptoms:
On TPM-equipped platforms, log messages indicating recovery from a very rarely triggered condition, where the TPM chip needs to be cleared, are not being recorded in the logs on boot.
Conditions:
-- TPM-equipped platforms.
-- Rarely triggered condition in which the TPM chip needs to be cleared.
Impact:
No message indicating the need to clear the TPM.
Note: The need to clear the TPM does not affect the subsequent operation of system integrity checks.
Workaround:
None. The TPM is automatically cleared on boot. Once cleared, it operates normally.
Using remote attestation by submitting a QKview file to iHealth and checking the System Integrity status in the resulting report will reliably indicate any tampering in the BIOS or system startup files.
Fix:
The message indicating that the TPM needs to be cleared is now logged.
760594-1 : On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.
Component: TMOS
Symptoms:
Executing 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.
Conditions:
BIG-IP Virtual Edition
Impact:
On previous versions, the snmpwalk command shows the details of all partitions. It now shows only the '/appdata' details.
Workaround:
No workaround exists for this issue currently.
760573 : TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0★
Solution Article: K00730586
Component: TMOS
Symptoms:
The Trusted Platform Module (TPM) system integrity check may return an invalid status.
As a result of this issue, you may encounter one or more of the following symptoms:
-- While the system boots to BIG-IP 14.1.0, you observe an error message that appears similar to the following example:
tpm-status-check[5025]: System Integrity Status: Invalid
-- After rebooting the system to different volumes, you continue to observe the previous error message.
Conditions:
This issue occurs when the following condition is met:
You reboot a system running either BIG-IP 13.1.x or 14.0.0 (including their point releases) to BIG-IP 14.1.0.
Impact:
The BIG-IP system reports an invalid TPM status and TPM is non-functional.
Workaround:
To recover from this issue, you must delete the grub configuration file and reboot the system twice for an automatic repair to occur. To do so, perform the following procedure:
Impact of workaround: The system will not be available while performing multiple reboots. F5 recommends that you perform this procedure during an appropriate maintenance window.
1. Log in to the command line of the affected system.
2. Mount the boot partition by typing the following command:
mkdir -p /mnt/boot; mount /dev/mapper/$(ls /dev/mapper | grep boot) /mnt/boot
3. Delete the grub.multiboot.cfg file by typing the following command:
rm -f /mnt/boot/grub2/grub.multiboot.cfg
4. Reboot the system by typing the following command:
reboot
Note: The system software fixes the grub.multiboot.cfg file automatically upon booting.
5. When the system has completed booting, log in to the command line and reboot the system again by typing the following command:
reboot
This final step properly boots the system with TPM enabled.
Fix:
Rebooting a system no longer returns the TPM error.
760550-6 : Retransmitted TCP packet has FIN bit set
Component: Local Traffic Manager
Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.
Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.
Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.
Workaround:
Set Nagle to disabled in the TCP profile.
Fix:
The incorrect FIN bit is removed.
760518 : PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement
Component: Policy Enforcement Manager
Symptoms:
Some PEM action enforcement does not work with flow filter with PEM attribute set.
Conditions:
Flow filter has the Differentiated Services Code Point (DSCP) attribute set
Impact:
Some PEM actions such as http-redirect do not perform as expected.
Workaround:
Set the DSCP to the default value
Fix:
The operation now includes the packet DSCP value while evaluating the flow filter.
760508 : On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist★
Solution Article: K91444000
Component: TMOS
Symptoms:
The system security state reported by the shell utility 'tpm-state' may report 'Invalid'.
Conditions:
-- The system contains a volume running BIG-IP software version that does not support Trusted Platform Module (TPM).
-- You install a version that does support TPM.
-- The system is rebooted, from the old (non-TPM-capable) BIG-IP version to the new, TPM-capable version.
Impact:
The BIG-IP system reports an invalid TPM status upon the first boot of the upgraded BIG-IP 14.1.0 slot.
Workaround:
Rebooting the system again into 14.1.0 after initially booting into 14.1.0 resolves the issue.
760475 : Apache spawns more processes than the configured limit, causing system low memory condition
Component: TMOS
Symptoms:
Apache (httpd) process count MaxClients on BIG-IP systems is set to '10' in the configuration. When more requests are received, Apache spawns more processes than 10, consuming more memory.
Conditions:
Numerous clients trying to connect simultaneously to the BIG-IP GUI.
Impact:
System low memory condition can severely impact application/system performance, and sometimes triggers Out-Of-Memory (OOM) Killer, so critical applications might be terminated.
Workaround:
Complete the following procedure:
1. Modify /etc/httpd/conf/httpd.conf to have the following configuration outside of the prefork module (global):
MaxClients 10
2. Run the following command:
bigstart restart httpd
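As an added example (not F5's code), the script below checks whether MaxClients is set at global scope in an httpd.conf, as the workaround requires, and appends it there if it is not, so the change can be re-applied safely after a configuration file is rewritten. It assumes a POSIX shell with awk; the sample configuration lines used to exercise it are constructed, and the limit of 10 is the value from this entry.

```bash
#!/bin/sh
# Added example (not F5's code): verify and apply the global MaxClients
# setting from the workaround above. The directive value 10 comes from the
# entry; everything else here is an assumption about a standard httpd.conf.

# Print the last value given to DIRECTIVE at global scope, i.e. outside any
# <IfModule>/<Directory>-style container. Prints nothing if the directive
# appears only inside a container (such as the prefork block) or not at all.
global_directive_value() {
    conf=$1; directive=$2
    awk -v name="$directive" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        substr(line, 1, 2) == "</" { if (depth > 0) depth--; next }
        substr(line, 1, 1) == "<"  { depth++; next }
        depth == 0 && $1 == name    { value = $2 }
        END { if (value != "") print value }
    ' "$conf"
}

# Exit 0 if MaxClients is set globally to the expected limit (default 10).
maxclients_set_globally() {
    conf=$1; expected=${2:-10}
    [ "$(global_directive_value "$conf" MaxClients)" = "$expected" ]
}

# Append a global MaxClients line when it is missing. Idempotent: a second
# run on the same file adds nothing. Follow with 'bigstart restart httpd'
# (step 2 of the workaround) for the change to take effect.
ensure_global_maxclients() {
    conf=$1; limit=${2:-10}
    if maxclients_set_globally "$conf" "$limit"; then
        return 0
    fi
    printf '\n# Set outside the prefork module so the limit is applied globally\nMaxClients %s\n' "$limit" >> "$conf"
    maxclients_set_globally "$conf" "$limit"
}
```

Usage on the device: ensure_global_maxclients /etc/httpd/conf/httpd.conf 10, then restart httpd as in step 2. Because the awk pass reports the last global occurrence, a pre-existing global MaxClients with a different value is left in place and overridden by the appended line, which httpd also resolves last-wins.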
760438 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
Component: Policy Enforcement Manager
Symptoms:
tmm coredump
Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.
Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The BIG-IP system now validates session presence before applying the policy.
760410 : Connection reset is seen when Category lookup agent is used in per-req policy
Component: Access Policy Manager
Symptoms:
The BIG-IP system sends reset to client when Category Lookup agent is used in per-req policy.
Conditions:
-- APM or SSLO is licensed and provisioned.
-- URLDB and SWG are not provisioned.
-- Category Lookup agent is used in the policy to process custom categories.
Impact:
Connection reset is seen on client from APM/SSLO box.
Workaround:
Modify Category Lookup agent 'lookup-type' property to 'custom-only' via TMSH, for example, by using a command similar to the following:
modify apm policy agent category-lookup example_prp_act_category_lookup_ag lookup-type custom-only
Fix:
Category lookup agent in per-req policy now successfully processes custom categories, so the reset no longer occurs.
760408 : System Integrity Status: Invalid after BIOS update★
Solution Article: K23438711
Component: TMOS
Symptoms:
When BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.
This issue causes the System Integrity Status to return a value of 'Invalid'.
Conditions:
-- BIG-IP systems that have been manufactured using an earlier BIOS version.
-- Updating to a newer BIOS version.
Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.
Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.
Fix:
The System Integrity Status check now returns 'Valid' for systems that have not been compromised.
760393-1 : GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes
Component: Advanced Firewall Manager
Symptoms:
After failover, there is no GARP from the newly active device for FW NAT policy rule's dest prefixes.
Conditions:
Configure FW NAT policy rules with proxy arp enabled for destination prefixes. After failover no GARP is sent for those destinations prefixes.
Impact:
After failover, traffic can fail or degrade.
Workaround:
No workaround other than forcing the initial active HA device to be active again.
Fix:
The system now sets the high availability (HA) unit correctly for FW NAT policy.
760222-1 : SCP fails unexpectedly when FIPS mode is enabled
Component: TMOS
Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.
Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.
Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.
Workaround:
None.
Fix:
This scp issue no longer occurs when FIPS cards are installed.
760130 : [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
Component: Access Policy Manager
Symptoms:
-- Increased overall TMM memory usage, which eventually forces TMM to start closing connections to reduce memory usage.
-- connflow memory usage keeps increasing. Memory usage can be observed with this command:
# tmctl -f /var/tmstat/blade/tmm0 memory_usage_stat -w200
Conditions:
1. Using PingAccess.
2. Errors are being logged in /var/log/paa.
Impact:
-- Memory leak.
-- Eventually TMM starts closing connections randomly.
Workaround:
None.
Fix:
When PingAccess encounters an error after sending traffic data to PingAccess SDK, TMM no longer leaks memory.
760078 : Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet.
Component: Local Traffic Manager
Symptoms:
Packet with unexpected source MAC seen on the adjacent node to the BIG-IP.
Conditions:
- BIG-IP configured in an L2 transparent mode using virtual wires
- Traffic forwarded between client and server in an asymmetric manner across virtual wires.
Impact:
Possible impacts to services on nodes adjacent to the BIG-IP if policy decisions on those nodes are made with the source MAC of the received packet as input.
759993 : 'License verification failed' errors occur when changing license
Component: TMOS
Symptoms:
The /var/log/ltm contains license processing errors upon license validation failure whenever a significant license event happens (such as a license change). However, the system 'corrects' itself if a valid license exists, so no further log messages will be produced.
Conditions:
Whenever a significant license event happens, the internal state wipes the previous license representation, which causes some modules to report the license has failed verification.
Impact:
When a license change occurs, the system logs messages similar to the following:
-- err mcpd[11745]: 01180010:3: [license processing][error]: license verification failed.
-- err mcpd[11745]: 01180010:3: [license processing][error]: invalid input for license parsing.
If you have a valid license, there is no functional impact to the product, and you can safely ignore these messages.
Workaround:
None.
Fix:
The license verification log message requires no intervention. Treat it as a serious issue only if you have a valid license, the device never goes active, and this error message is written to the logs repeatedly.
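The following is an added example, not F5's code, showing how to triage these messages in /var/log/ltm: a single burst of the two quoted errors right after a license event is the benign case described above, while the same errors recurring across many timestamps is the case to escalate. It assumes standard syslog-style line prefixes ("Mon DD HH:MM:SS host ...") and GNU grep; the sample log files it writes are constructed around the two messages quoted in this entry.

```bash
#!/bin/sh
# Added example (not F5's code): triage of the license-processing errors
# quoted in this entry. The regular expression matches exactly the two
# messages shown above; the sample logs are constructed.

LICENSE_ERR_RE='\[license processing\]\[error\]: (license verification failed|invalid input for license parsing)'

# Number of license-processing error lines in FILE (0 if none or unreadable).
count_license_errors() {
    n=$(grep -Ec "$LICENSE_ERR_RE" "$1" 2>/dev/null) || n=0
    echo "$n"
}

# Number of distinct minutes (syslog "Mon DD HH:MM") containing the errors.
# One minute is one license event; several means the errors keep recurring.
count_error_bursts() {
    grep -E "$LICENSE_ERR_RE" "$1" 2>/dev/null \
        | awk '{ print $1, $2, substr($3, 1, 5) }' \
        | sort -u | wc -l | tr -d ' '
}

# Verdict for FILE: "clean" (no errors), "transient" (errors confined to at
# most MAX_BURSTS distinct minutes, the expected post-change noise) or
# "persistent" (recurring errors, which warrant investigation).
license_log_verdict() {
    file=$1; max_bursts=${2:-1}
    if [ "$(count_license_errors "$file")" -eq 0 ]; then
        echo clean
    elif [ "$(count_error_bursts "$file")" -le "$max_bursts" ]; then
        echo transient
    else
        echo persistent
    fi
}

# Write constructed sample logs into DIR for a stand-alone run.
write_sample_logs() {
    dir=$1
    cat > "$dir/transient.log" <<'EOF'
May 28 10:00:01 bigip1 info tmm[1234]: constructed filler line
May 28 10:00:02 bigip1 err mcpd[11745]: 01180010:3: [license processing][error]: license verification failed.
May 28 10:00:02 bigip1 err mcpd[11745]: 01180010:3: [license processing][error]: invalid input for license parsing.
May 28 10:00:05 bigip1 info tmm[1234]: constructed filler line
EOF
    cat > "$dir/persistent.log" <<'EOF'
May 28 10:00:02 bigip1 err mcpd[11745]: 01180010:3: [license processing][error]: license verification failed.
May 28 10:05:02 bigip1 err mcpd[11745]: 01180010:3: [license processing][error]: license verification failed.
May 28 10:10:02 bigip1 err mcpd[11745]: 01180010:3: [license processing][error]: license verification failed.
May 28 10:15:02 bigip1 err mcpd[11745]: 01180010:3: [license processing][error]: invalid input for license parsing.
EOF
}
```

On a device, license_log_verdict /var/log/ltm gives the classification; combine a "persistent" result with the device's failover state before treating it as a real license failure, as the entry says.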
759937 : Empty audience claim added to JWT access token generated by OAuth bearer SSO
Component: Access Policy Manager
Symptoms:
Even though no audience value is configured in the OAuth Bearer SSO configuration, SSO generates a JSON Web Token (JWT) access token with an 'aud' claim whose value is empty. When another APM runs as the OAuth Resource Server (with its JWT config audience also set to none), token validation then fails with the error 'Audience not found'.
Conditions:
No audience value configured in OAuth Bearer SSO configuration.
Impact:
The JWT access token generated by SSO has an 'aud' claim with an empty value, which results in token validation failure.
Workaround:
None.
Fix:
The JWT access token generated by SSO no longer includes an 'aud' claim when no audience value is configured in the OAuth Bearer SSO configuration.
759920 : WebSSO logs record the master key when in DEBUG mode
Component: Access Policy Manager
Symptoms:
Debug websso logs record the master key in clear text in /var/log/apm.
Conditions:
SSO debug log is enabled.
Impact:
MASTER key is exposed in /var/log/apm when SSO debug log is enabled.
Workaround:
None.
Fix:
Removed the debug log message on MCP process notification that caused the master key to be written to the websso and apm_websso module logs.
759868 : TMM crash observed while rendering internal pages (like blocked page) for per-request policy
Component: Access Policy Manager
Symptoms:
TMM crashes.
Conditions:
-- SSLO/SWG configured.
-- Rendering internal pages (like a blocked page).
-- Per-request policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores while rendering internal pages (like blocked page) for per-request policy.
759840 : False positive 'Null in request' violation or bare byte subviolations
Component: Application Security Manager
Symptoms:
'Null in request' violation or bare byte subviolations detected when there is no null in request.
Conditions:
Brute force attack mitigated by captcha or challenge.
Impact:
Traffic blocking or false positive alarm
Workaround:
None.
Fix:
False positive violations no longer happen during a brute force attack.
759814 : Unable to view iApp component view★
Component: TMOS
Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.
Conditions:
-- Upgrade to v14.1.x.
-- Create a new iApp with an SSL, ASM, or Traffic policy profile.
-- Or, attempt to view an iApp containing ASM information.
Impact:
Unable to access the iApp Component view. Cannot reconfigure the iApp directly (iApp : Application Services : application : any app).
Workaround:
To reconfigure the iApp, do the following:
1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List.
2. Click the Application Link :: Reconfigure.
Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.
759723 : Abnormally terminated connections on server side may cause client side streams to stall
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides HTTP/2 Gateway configuration when an HTTP/2 client is served by HTTP/1.x pool members. When a server-side connection terminates abnormally, TMM may crash.
Conditions:
-- A virtual server with HTTP/2 Gateway configuration is configured on the BIG-IP system.
-- Traffic on the server side has some abnormalities, resulting in aborted or unclosed connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash when a virtual server is configured as an HTTP/2 gateway.
759721 : DNS GUI does not follow best practices
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS WebUI does not follow best security practices.
Conditions:
DNS services provisioned, enabled, and configured
Impact:
The DNS WebUI does not follow best security practices.
Workaround:
None.
Fix:
The DNS WebUI now follows best security practices.
759480 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
Component: Local Traffic Manager
Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.
Conditions:
When all of the following conditions are met:
-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.
-- A command in an LB_FAILED event (does not have to be in the same iRule as the previous point, but must be attached to the same virtual server), that parks the iRule (e.g., table, session, persist, after, HSL).
-- A CLIENT_CLOSED event is present.
-- The pool member fails in some manner, triggering LB_FAILED
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Add a reject command to the LB_FAILED event to force the server side of the connection closed before the response is sent to the client.
759360-1 : Apply Policy fails due to policy corruption from previously enforced signature
Component: Application Security Manager
Symptoms:
Apply Policy fails due to policy corruption in PLC database from a previously enforced signature.
Conditions:
1. Export a policy containing a signature with an enforced rule.
2. Update ASM Signatures (ASU).
3. Import that previously exported policy.
4. Apply the newly imported policy.
Impact:
Apply policy fails.
Workaround:
As a workaround, run the following SQL, and then apply the policy:
----------------------------------------------------------------------
UPDATE PLC.PL_POLICY_NEGSIG_SIGNATURES SET previous_enforced_rule_md5 = '' WHERE previous_enforced_rule = '' and previous_enforced_rule_md5 != ''
----------------------------------------------------------------------
759192 : TMM core during display of PEM session under some specific conditions
Component: Policy Enforcement Manager
Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.
Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.
Fix:
TMM core during display of PEM session no longer occurs.
759184 : Disassociating SP connector from SSO config (IdP) that is assigned to a SAML resource is allowed but should not
Component: Access Policy Manager
Symptoms:
No errors occur when disassociating the SP connector from SSO config (IdP) that is assigned to a SAML resource.
Conditions:
Disassociating the SP connector from the SSO config (IdP) that is assigned to a SAML resource.
Impact:
SP connector can be disassociated from a configuration with no error messages. This might lead to a non-working configuration.
Workaround:
None.
Fix:
Disassociating the SP connector from SSO config (IdP) that is assigned to a SAML resource is no longer allowed, and error message is given.
759182 : Challenge loop when Single Page Application is enabled
Component: Application Security Manager
Symptoms:
A challenge loop might occur when a POST is sent and Single Page Application (SPA) is enabled.
Conditions:
-- SPA is enabled.
-- POST request is sent.
-- PBD/Captcha/Challenge is enabled.
Impact:
The ASM end user connection goes into a challenge/captcha loop.
Workaround:
None.
Fix:
The system now handles this condition so there is no challenge/captcha loop.
759056 : stpd memory leak on secondary blades in a multi-blade system
Component: Local Traffic Manager
Symptoms:
On secondary blades in a multi-blade system, stpd shows continued increased memory usage.
Conditions:
A non-passthru STP mode (STP, RSTP, or MSTP) is enabled on the system.
Impact:
System performance is degraded due to needless memory usage by stpd.
Workaround:
None.
Fix:
Stpd no longer leaks memory.
758879-1 : BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) with ixlv devices (Intel X710/XL710/XXV710 family) might not reliably pass traffic after a hard boot of the host on which it runs.
The tmm log contains messages similar to the following:
ixlv[0:8.0]: Error: AQ returned error -1 to request 10!
ixlv[0:8.0]: Error: Error -1 waiting for PF to complete operation 4
ixlv[0:8.0]: Error: WARNING: Error adding VF mac filter!
ixlv[0:8.0]: Error: WARNING: Device may not receive traffic!
The host's kernel log might contain messages similar to the following:
i40e 0000:06:00.0: VF is not trusted, switch the VF to trusted to add more functionality
Conditions:
-- BIG-IP VE with one or more virtual functions that utilize the ixlv driver within tmm.
-- Hard reboot the host and observe traffic.
Note: This issue might be dependent upon the version of the PF driver in the host, and has been observed with at least 2.1.4 and 2.4.10, but this list is incomplete.
Impact:
IPv6 and other network traffic may be handled unreliably.
Workaround:
Reboot the guest. This problem has been observed only on the very first boot after a hard boot of the host.
758806 : Introspect request might fail for 'refreshed' access token
Component: Access Policy Manager
Symptoms:
If an Introspect request is made after an opaque access token has expired and the access token was refreshed with 'reuse-access-token' config option, the subsequent access token Introspect request fails.
Conditions:
The following conditions must apply for it to show up:
1. Reuse Access Token config option is enabled.
2. Access Token being issued is opaque.
3. Introspect request is made for the access token after it expired.
4. Refresh the access token.
5. Introspect requests the access token after 'refresh'.
Impact:
The Introspect request fails. The system reports a valid opaque access token as not-active.
Workaround:
This issue does not occur if any one of the following is true:
-- The opaque access token is refreshed before it has expired.
-- The 'reuse-access-token' config is disabled.
-- The Introspect request is not made for an expired access token.
Fix:
Introspect request no longer fails for 'refreshed' access token under these conditions.
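The sequence in the conditions above (token expires, introspect, refresh, introspect again) is easier to reason about with a minimal model. The Python below is an added illustrative model written for this page, not APM's implementation. It assumes that 'reuse access token' means a refresh keeps the same opaque token string and only extends its lifetime (otherwise a new string is minted), and it answers introspection (RFC 7662) from the live token record on every call, which is the behaviour the fix restores: an earlier 'not active' answer for an expired token must not stick once a refresh has extended it.

```python
# Added illustrative model for this page (not APM's implementation): an OAuth authorization
# server that issues opaque access tokens, refreshes them, and answers RFC 7662 introspection.
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class TokenRecord:
    subject: str
    scope: str
    expires_at: float
    refresh_token: str


class AuthorizationServer:
    def __init__(self, reuse_access_token: bool, lifetime: float = 300.0):
        # Assumption for the model: 'reuse access token' means a refresh keeps the same
        # opaque string and only extends its lifetime; otherwise a new string is minted.
        self.reuse_access_token = reuse_access_token
        self.lifetime = lifetime
        self._tokens: Dict[str, TokenRecord] = {}  # opaque access token -> record
        self._refresh: Dict[str, str] = {}         # refresh token -> current access token

    def issue(self, subject: str, scope: str, now: float) -> Tuple[str, str]:
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._tokens[access] = TokenRecord(subject, scope, now + self.lifetime, refresh)
        self._refresh[refresh] = access
        return access, refresh

    def refresh(self, refresh_token: str, now: float) -> str:
        """RFC 6749 section 6: exchange a refresh token for a usable access token."""
        access = self._refresh.get(refresh_token)
        if access is None:
            raise ValueError("invalid_grant")
        record = self._tokens[access]
        if self.reuse_access_token:
            record.expires_at = now + self.lifetime  # same string, new lifetime
            return access
        del self._tokens[access]  # retire the old string
        new_access = secrets.token_urlsafe(24)
        self._tokens[new_access] = TokenRecord(record.subject, record.scope,
                                               now + self.lifetime, refresh_token)
        self._refresh[refresh_token] = new_access
        return new_access

    def introspect(self, access_token: str, now: float) -> dict:
        """RFC 7662 section 2.2: 'active' is derived from the live record on every call.
        Nothing is cached from an earlier answer, so a token that was reported inactive
        while expired is reported active again once a refresh has extended it."""
        record = self._tokens.get(access_token)
        if record is None or now >= record.expires_at:
            return {"active": False}
        return {"active": True, "sub": record.subject, "scope": record.scope,
                "exp": int(record.expires_at)}
```

The resource server side of this is the same in both modes: treat `{"active": false}` as a hard reject and do not cache an introspection verdict beyond the token's own 'exp', or the refreshed token is rejected for as long as the stale verdict lives.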
758764 : APMD Core when CRLDP Auth fails to download revoked certificate
Component: Access Policy Manager
Symptoms:
CRLDP Auth fails to download the revoked certificates, so the revoked-certificate list remains empty (NULL). APMD cores while accessing this empty (NULL) list.
Conditions:
Empty revoked-certificate list handling.
Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.
Workaround:
None.
Fix:
The system now checks for an empty (NULL) revoked-certificate list and treats validation as successful, because there is nothing to validate against.
758714 : Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports.
Component: Local Traffic Manager
Symptoms:
Traffic does not pass through the BIG-IP system.
Conditions:
- Configure two trunk/LAG ports on a BIG-IP system.
- Create a virtual wire across it.
Impact:
Loss of service across the virtual wire.
Workaround:
None.
Fix:
Corrected the faulty configuration-time validation checks, which had been introduced as collateral damage.
758680 : API Protection Profile requires URI Path Property to attach to virtual server
Component: Access Policy Manager
Symptoms:
Unable to attach API Protection Profile to virtual server if API Protection Profile does not have a URI defined in the Path Properties.
Conditions:
The API Protection Profile has no paths configured.
Impact:
Cannot attach an API Protection Profile to the virtual server without setting paths in that profile.
Workaround:
None. To add an API Protection Profile, there needs to be at least one path.
Fix:
The virtual server page now displays all the API Protection Profiles that the admin has configured, not only the ones that have paths configured.
758667 : BIG-IP VE HA actions are not invoked when offload hardware hangs
Component: TMOS
Symptoms:
When TMM detects a crypto or compression offload device hang it does not invoke the configured high availability (HA) action.
Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes crypto or compression operations.
Impact:
Client requests eventually time out.
Workaround:
None.
758615 : Reconstructed POST request is dropped after DID cookies are deleted
Component: Application Security Manager
Symptoms:
POST Request is dropped during DID challenge.
Conditions:
POST request is issued a DID challenge.
Impact:
Request is dropped.
Workaround:
None.
Fix:
Reconstructed POST requests are no longer dropped after DID cookies are deleted.
758604 : Deleting a port from a single-port trunk does not work.
Component: TMOS
Symptoms:
Deleting a port from a single-port trunk does not work.
Conditions:
1. Disable all ports of a trunk, for example by disabling them on a directly connected switch. The last port is not deleted correctly.
2. Re-enable some of the other ports; the trunk now also uses the disabled port.
Impact:
No user connectivity depending on which port is used.
Workaround:
None.
Fix:
Fixed deleting a port from a single-port trunk.
758542 : OAuth database instance appears empty after upgrade from v13.x★
Component: Access Policy Manager
Symptoms:
The database from a prior configuration does not seem to have any tokens. The tokens are being stored in a new database with a different name.
Conditions:
Upgrade from v13.x.
-- The name of one OAuth database instance is duplicated entirely in another instance name (for example, 'oauthdb' and 'oauthdbprod').
Impact:
Old database seems to have lost tokens. In the case of these two database instances:
oauthdb
oauthdbprod
Because the name 'oauthdb' is also present in the name 'oauthdbprod', the system creates a new database instance named 'oauthdb' at upgrade, so oauthdb ends up with an empty database.
Workaround:
Before upgrading, do the following:
1) Copy the database (oauthdb in this example) to another database with a completely different name.
2) Copy the tokens from the new database to the old, empty database.
Fix:
The new database instance is no longer created, so the old database retains its tokens after upgrade.
758536-1 : Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x
Component: Traffic Classification Engine
Symptoms:
Traffic Intelligence IM pkg for v14.1.0 fails to install on base build version v14.1.0.1 through v14.1.0.4. This is due to a strict version check in the upgrade scripts.
Conditions:
When hitless upgrade for traffic intelligence with version 14.1.0 is used on base build v14.1.0.1 through v14.1.0.4.
Impact:
The package fails to load/install. The system does not receive the latest traffic intelligence signatures.
Workaround:
There is no workaround other than requesting a purpose-built traffic intelligence IM for that particular build.
Fix:
You can now install the 14.1.0 IM package on any 14.1.0.x build with a minor version update.
758465 : TMM may crash or iRule processing might be incorrect
Component: Local Traffic Manager
Symptoms:
After modifying an iRule:
- The iRules on one or more virtual servers might fire in the wrong order.
- The iRules on one or more virtual servers might not fire at all.
- TMM might crash if the iRule event is modified again.
- TMM might crash if a virtual server is modified.
Conditions:
This occurs when all of the following conditions are met:
- An iRule is in use on more than one virtual server.
- The iRule occupies a different position in the iRule list on various virtual servers, and one or more of the other iRules define the same event.
- The iRule event is modified.
Impact:
Traffic interruption while TMM restarts.
Incorrect iRule processing.
Workaround:
None.
758459 : Cross origin AJAX requests are blocked by Cross-Origin Resource Sharing (CORS) protection
Component: Application Security Manager
Symptoms:
When the Single Page Application (SPA) option is enabled in ASM, cross-origin AJAX requests result in the following error in the browser console, and the site application might not work:
Access to XMLHttpRequest at 'https://x.com' from origin 'https://www.y.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
Conditions:
-- ASM with SPA enabled
-- App is sending cross-origin requests
Impact:
App does not work as expected.
Workaround:
Using an iRule, add the following headers to the response:
-- Access-Control-Allow-Origin with originating domain.
-- Access-Control-Allow-Credentials: true.
Fix:
This release adds the relevant CORS fields to responses.
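The browser error quoted above is the Fetch standard's CORS check: a response to a credentialed request (one carrying cookies, which the SPA challenge relies on) must name the requesting origin exactly in Access-Control-Allow-Origin and carry Access-Control-Allow-Credentials: true; the wildcard is not accepted. The Python below is an added example written for this page, not F5 code; the allowlist ALLOWED_ORIGINS and the preflight method list ALLOWED_METHODS are constructed for the example. It computes the headers the iRule workaround has to add, echoing the Origin only when it is on an allowlist (reflecting any Origin together with credentials would let any site make authenticated requests), and mirrors the browser-side check so the failure cases can be seen.

```python
# Added example for this page (not F5 code): CORS headers for credentialed requests,
# plus a mirror of the check a browser applies to the response.
from typing import Dict, Optional

# Constructed allowlist for the example; in practice it comes from the application's config.
ALLOWED_ORIGINS = {"https://www.y.com", "https://app.y.com"}
# Constructed preflight answer for the example.
ALLOWED_METHODS = "GET, POST, OPTIONS"


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_response_headers(request_headers: Dict[str, str], allowed_origins=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Headers to add to the response for a request from a browser on another origin.

    The Origin is echoed only when it is on the allowlist. It is never reflected blindly
    (that would let any site make cookie-bearing requests) and '*' is never used, because
    browsers reject the wildcard when the request carries credentials.
    """
    origin = _get(request_headers, "Origin")
    if origin is None or origin not in allowed_origins:
        return {}  # same-origin request, or an origin we do not trust: add nothing
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Shared caches must key on Origin, or one origin's answer is replayed to another.
        "Vary": "Origin",
    }
    if _get(request_headers, "Access-Control-Request-Method") is not None:
        # Preflight (OPTIONS): also answer the method and header questions the browser asked.
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        requested = _get(request_headers, "Access-Control-Request-Headers")
        if requested:
            headers["Access-Control-Allow-Headers"] = requested
    return headers


def cors_block_reason(response_headers: Dict[str, str], request_origin: str,
                      credentials_mode: str = "include") -> Optional[str]:
    """Mirror the Fetch standard's CORS check, in its order.

    Returns None when the browser would expose the response to the page, otherwise the
    reason it is blocked (the messages paraphrase what browser consoles print).
    """
    acao = _get(response_headers, "Access-Control-Allow-Origin")
    if acao is None:
        return "No 'Access-Control-Allow-Origin' header is present on the response"
    if credentials_mode != "include" and acao == "*":
        return None
    if acao != request_origin:
        if acao == "*":
            return ("The value of 'Access-Control-Allow-Origin' must not be the wildcard '*' "
                    "when the request's credentials mode is 'include'")
        return f"'Access-Control-Allow-Origin' value {acao!r} does not match origin {request_origin!r}"
    if credentials_mode != "include":
        return None
    if _get(response_headers, "Access-Control-Allow-Credentials") == "true":
        return None
    return "'Access-Control-Allow-Credentials' must be 'true' when the request's credentials mode is 'include'"
```

When porting this into the iRule workaround, the Origin-to-allowlist comparison is the part that matters; an iRule that simply copies the request's Origin header into Access-Control-Allow-Origin makes the browser error go away but turns every origin into a trusted one.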
758437 : SYN w/ data disrupts stat collection in Fast L4
Component: Local Traffic Manager
Symptoms:
Fast L4 analytics reports very large integers for goodput.
Conditions:
BIG-IP receives SYNs with attached data.
Impact:
Goodput data is unreliable.
Workaround:
None.
Fix:
Data coupled with the SYN breaks the check for a Fast L4 state change. The connection can still function normally, but statistics collection is reliant on the state change to initialize things properly. The system now ensures the correct state under these conditions, so statistics are measured correctly.
758436 : Optimistic ACKs degrade Fast L4 statistics
Component: Local Traffic Manager
Symptoms:
Fast L4 Analytics reports very large integers for goodput.
Conditions:
Endpoints send ACKs for data that has not been sent.
Impact:
Goodput statistics are not usable in certain data sets.
Workaround:
None.
Fix:
Additional checks prevent analytics from trusting optimistic ACKs.
758311 : Policy Compilation may cause MCPD to crash
Component: Local Traffic Manager
Symptoms:
If a policy has rules involving IPv6 addresses, and the addresses differ only on 32-bit boundaries, then compiling that policy may cause MCPD to crash.
Conditions:
-- A policy is attached to a virtual server.
-- That policy contains conditions that involve IPv6 addresses.
-- The addresses in different rules differ only on 32-bit boundaries.
Impact:
MCPD cores, and then restarts. The policy is not usable.
Workaround:
You can try either of the following:
-- It may be possible to create multiple rules from a given rule by altering the netmask.
-- Another possibility is to add a placeholder rule with no action that matches IP addresses differently.
Fix:
Policies involving matching IP addresses now compile correctly.
758085 : CAPTCHA Custom Response fails when using certain characters
Component: Application Security Manager
Symptoms:
When setting the CAPTCHA Custom Response in the Bot Defense GUI, saving the profile fails when using certain characters.
For example, using the following response will return the error: 'black' unknown property
This question is for testing whether you are a human visitor and to prevent automated spam submission.
<p style="color: black; padding-right:20px">
<br>
%BOTDEFENSE.captcha.image% %BOTDEFENSE.captcha.change%
<br>
<b>What code is in the image\?</b>
%BOTDEFENSE.captcha.solution%
<br>
%BOTDEFENSE.captcha.submit%
<br>
<br>
Your support ID is: %BOTDEFENSE.captcha.support_id%.
Conditions:
Attempting to configure custom CAPTCHA response in the Bot Defense profile GUI.
Impact:
Cannot configure custom CAPTCHA response in the Bot Defense Profile GUI.
Workaround:
Use TMSH or REST API to configure the CAPTCHA Custom Response.
Fix:
Configuring custom CAPTCHA response page in the Bot Defense Profile no longer fails when using certain characters.
757992 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
Component: Access Policy Manager
Symptoms:
RADIUS Acct STOP message is not sent when configured with a route domain for an HA Pool setup.
Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.
Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.
Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.
Fix:
RADIUS Acct STOP message is now sent as expected.
757985 : TMM memory leak
Solution Article: K79562045
Component: Local Traffic Manager
Symptoms:
-- TMM memory utilization baseline is slowly increasing.
-- The 'allocated' column of the 'tcl' row in the memory_usage_stat tmctl table is high and is close to the 'max_allocated' value.
Conditions:
-- The header-insert option in a custom HTTP profile is configured.
-- The profile is attached to a virtual server.
Impact:
Degraded performance, and eventual out-of-memory condition that may trigger a TMM crash. Traffic disrupted while tmm restarts.
Workaround:
Instead of the profile header-insert, use HTTP::header iRule commands.
Fix:
The header-insert option can now be configured in HTTP profiles without causing a TMM memory leak.
757822 : Subroutine name should use partition name and policy name
Component: Access Policy Manager
Symptoms:
When you create an API per-request policy using the same name as a policy from another partition, BIG-IP generates an error similar to the following:
java.net.ProtocolException: status:400, body:{"code":400,"message":"transaction failed:01070734:3: Configuration error: DB validation exception, unique constraint violation on table (subroutine_properties) object ID (/TST/svc1-my_auth svc1-my_prp). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:subroutine_properties status:13)","errorStack":[],"apiError":2}.
Conditions:
-- Configure an API protection per-request policy in one partition with the same name as a policy in another partition.
-- Attempt to import or export the policy.
Impact:
Import / export functionality fails.
Workaround:
Ensure that names for API protection per-request policies are unique.
Fix:
The name generated for API protection per-request policies now uses partition name combined with the policy name, so the issue no longer occurs.
757782 : OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default
Component: Access Policy Manager
Symptoms:
Invalid 'sub' claim in JWT access token that is generated by OAuth Authorization Server.
Conditions:
-- OAuth Authorization Server is configured to return JWT access token.
-- Subject field is configured to be a session variable other than the default '%{session.assigned.uuid}'.
Impact:
Invalid value in 'sub' claim in JWT access token. If OAuth resource server depends on the value of 'sub' claim, then that functionality does not work.
Workaround:
Add a Variable Assign agent after the OAuth Authorization agent, and assign session.assigned.oauth.authz.token.subject the session variable name, for example:
session.logon.last.logonname.
Fix:
OAuth Authorization Server sends valid value in 'sub' claim in the generated JWT token when subject is configured to use a session variable.
757455 : Excessive resource consumption when processing REST requests
Component: TMOS
Symptoms:
Under certain conditions, REST requests may consume excessive system resources.
Conditions:
-- Advanced Shell on the BIG-IP system.
-- REST usage.
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
None.
Fix:
BIG-IP now handles REST requests as expected.
757442 : A missed SYN cookie check causes crash at the standby TMM in HA mirroring system
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) mirroring configuration, an L7 packet SYN cookie check may be skipped on the standby unit, eventually causing TMM to crash.
Conditions:
-- L7 traffic being passed to an HA configuration that is configured for mirroring traffic.
-- Failover occurs.
Impact:
TMM crashes on the standby device. No connections are shown on the standby unit even when mirroring is enabled.
Workaround:
Do not use HA mirroring.
Fix:
The system now provides SYN cookie checks for L7 mirrored packets on the standby system.
757441 : Specific sequence of packets causes Fast Open to be effectively disabled
Component: Local Traffic Manager
Symptoms:
You see this warning in the logs:
warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.
Conditions:
-- TCP Fast Open and ECN are both enabled.
-- Multiple RST segments within the receive window are received in the SYN_RECEIVED state.
Impact:
TCP Fast Open is disabled because pre_established_connections becomes very large (greater than a threshold).
Workaround:
Disable the TCP ECN option.
Fix:
TCP Fast Open is prevented from being disabled when some conditions are met.
757391 : Datagroup iRule command class can lead to memory corruption
Component: Local Traffic Manager
Symptoms:
When using the iRule class command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.
Conditions:
A [class] command used within a foreach loop.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround aside from removing that iRule.
Fix:
tmm no longer crashes under these conditions.
757360 : Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO
Component: Access Policy Manager
Symptoms:
Category lookup returns the wrong category on subsequent traffic following initial HTTP CONNECT traffic through F5 SSL Orchestrator (SSLO).
Conditions:
-- Outbound deployment configured in SSLO, where SSLO behaves as a transparent proxy.
-- A policy has a branch to lookup category using HTTP Connect.
-- An HTTPS client generates HTTPS traffic via an explicit proxy on the local network with a private address through SSLO as the gateway.
Impact:
Category Match is not performed on subsequent requests, resulting in the fallback branch being taken.
Workaround:
None.
Fix:
Category lookup now works correctly in this scenario.
757359 : pccd crashes when deleting a nested Address List
Component: Advanced Firewall Manager
Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.
Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.
-- A high availability (HA) setup with config-sync enabled and there are intermittent problems with HA-connections, or out-of-memory system state, might intermittently result in this crash.
Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.
Workaround:
-- If the crash occurs as a result of incorrect tmsh command order in a transaction, reorder the commands so that the parent list is modified or deleted before the nested list is deleted.
-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.
Fix:
pccd no longer crashes under these conditions, and correctly compiles the new configuration.
757337 : Bot defense anomaly 'Invalid Mouse Events Sequence' false positive raised and request is blocked
Component: Application Security Manager
Symptoms:
Request is blocked. The 'Invalid Mouse Events Sequence' anomaly appears in the bot defense requests log.
Conditions:
-- ASM provisioned.
-- Bot defense assigned to a virtual server.
-- End user clicks on a checkbox or an HTML radio button.
Impact:
Requests are blocked.
Workaround:
Disable bot defense human detection negative checks.
For versions earlier than v14.1.0:
/usr/share/ts/bin/add_del_internal add ws_cshui_susp_event_bot_score 0
bigstart restart asm
For v14.1.0 and higher
Disable anomaly 'Invalid Mouse Events Sequence' in bot defense profile
Fix:
This release no longer checks events sequences for checkboxes and radio buttons, so the issue no longer occurs.
757088-2 : TMM clock advances and cluster failover happens during webroot db nightly updates
Component: Traffic Classification Engine
Symptoms:
Webroot database mapping and unmapping takes a very long time on TMM, so you might see clock advances occur. The long interval might result in a failover/state transition in a clustered environment.
Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.
Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.
Workaround:
You can avoid this issue by disabling BrightCloud updates; however, your environment will miss the latest updates as a result.
#vi /etc/wr_urldbd/bcsdk.cfg
DoBcap=true
DoRtu=false
DownloadDatabase=false
Fix:
Mapping/unmapping the database is now done asynchronously and the delay is reduced, so the cluster failover no longer happens.
757084 : Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled
Component: Local Traffic Manager
Symptoms:
TMM daemon crashes with segmentation fault signal (SIGSEGV).
Conditions:
On rare occasions, due to a specific race condition, when SSL forward proxy enforces the bypass action on a flow handled by an SSLO transparent virtual server that has SNAT enabled, TMM may crash.
Impact:
Failover or network outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when SSL forward proxy enforces the bypass action on a flow handled by an SSLO transparent virtual server that has SNAT enabled.
757027 : BIND Update
Solution Article: K01713115
757026 : BIND Update
Component: TMOS
Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC
Conditions:
GTM provisioned.
Impact:
BIND not up-to-date
Workaround:
None.
Fix:
Upgrade to BIND 9.11.5-P4
757025 : BIND Update
Solution Article: K00040234
756925 : GUI creates a policy even if there were errors
Component: TMOS
Symptoms:
Creating Policy in the GUI shows an error even when the Policy is created successfully.
Conditions:
This can occur while creating a Policy in the GUI.
Impact:
It might appear that the Policy is not created (even though it was) because the GUI displays an error message.
Workaround:
Refresh the Policy List page.
The created Policy displays.
Fix:
Policy creation is now prevented if there are any errors.
756877 : Virtual server created with Guided Configuration is not visible in Grafana
Component: Anomaly Detection Services
Symptoms:
The traffic of a virtual server created with Guided Configuration is not visible in the Grafana monitoring tool.
Statistics of this virtual server are not included in the admdb part of qkview.
Conditions:
-- Create virtual server using Guided Configuration.
-- Use the Grafana monitoring tool to view virtual server statistics.
-- Create a qkview.
Impact:
Cannot view the virtual server using the Grafana monitoring tool. The resulting qkview contains no statistics for this virtual server, so information for debugging and troubleshooting is missing.
Workaround:
Configure the virtual server manually, without Guided Configuration.
Fix:
Virtual server created with Guided Configuration is visible in Grafana and its statistics present in qkview.
756849 : Ajax encryption feature may cause high CPU usage
Component: Fraud Protection Services
Symptoms:
Ajax encryption may cause high CPU usage on the client side.
Conditions:
Ajax Encryption feature is enabled.
Impact:
High CPU usage on the client side.
Workaround:
None.
Fix:
Ajax encryption logic no longer causes high CPU usage.
756820 : Non-UTF8 characters returned from /bin/createmanifest
Component: TMOS
Symptoms:
/bin/createmanifest reads values stored in mcpd for items obtained from firmware. These might contain non-UTF8 characters. This program is called by qkview, whose output is then uploaded to iHealth. If any non-UTF8 character is present, the output is omitted (because XML cannot handle non-UTF8 characters).
Conditions:
Data stored in mcpd obtained from firmware contain non-UTF8 characters.
Impact:
The upload to iHealth will not contain any of the manifest data set obtained via createmanifest.
Workaround:
The values can be obtained from the qkview by reading the qkview_run.data, but the convenience of reading these in iHealth is not possible.
Fix:
The corrected program converts any non-UTF8 characters into '%xx', thus outputting compliant UTF8 strings. These do not negatively impact the XML requirement, and the modified string can be uploaded to iHealth (and the non-UTF8 characters can be examined as hexadecimal values).
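The fix describes a simple escaping rule: bytes that are not valid UTF-8 become '%xx', so the output stays well-formed for XML while the offending byte values remain readable. The Python below is an added example written for this page, not F5's createmanifest; it implements that rule with a registered codec error handler, and goes one step beyond the note by also escaping the C0 control characters that XML 1.0 does not allow even though they are valid UTF-8.

```python
# Added example for this page (not F5's createmanifest): make arbitrary bytes safe for
# UTF-8/XML output by escaping non-UTF-8 bytes as '%xx', keeping their values readable.
import codecs


def _percent_escape(err: UnicodeError) -> tuple:
    """Codec error handler: replace the undecodable byte range with '%xx' per byte
    and resume decoding right after it."""
    if not isinstance(err, UnicodeDecodeError):
        raise err
    bad = err.object[err.start:err.end]
    return "".join("%%%02x" % byte for byte in bad), err.end


codecs.register_error("percent_escape", _percent_escape)


def escape_non_utf8(raw: bytes) -> str:
    """Decode raw as UTF-8; every byte that is not part of a valid UTF-8 sequence
    (stray continuation bytes, overlong forms, truncated sequences, 0xFF, ...) becomes
    '%xx'. Valid text, including multi-byte characters, passes through unchanged."""
    return raw.decode("utf-8", errors="percent_escape")


# XML 1.0 'Char' excludes the C0 controls other than TAB, LF and CR. These are valid
# UTF-8, so the step above keeps them; they are escaped the same way here.
_XML_FORBIDDEN = {cp for cp in range(0x20)} - {0x09, 0x0A, 0x0D}


def escape_for_xml(raw: bytes) -> str:
    """Both steps: non-UTF-8 bytes, then XML-forbidden control characters, as '%xx'."""
    text = escape_non_utf8(raw)
    return "".join("%%%02x" % ord(ch) if ord(ch) in _XML_FORBIDDEN else ch for ch in text)
```

A literal '%' in the input passes through unchanged, so the output is not reversible; if the exact original bytes ever need to be recovered from the manifest, '%' itself has to be escaped as '%25' as well.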
756789 : TMM cores when receiving HTTP/2 request if mirroring is configured
Component: Local Traffic Manager
Symptoms:
TMM on active unit cores when it receives an HTTP/2 request when mirroring is configured.
Conditions:
-- High availability (HA) configuration.
-- Active unit received an HTTP/2 request.
-- Mirroring is enabled.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
Disable mirroring.
Note: Connection mirroring is not supported in combination with the HTTP/2 profile. The system now checks for this combination and prevents it from being configured.
Fix:
This release adds connection mirroring validation for the HTTP/2 profile. HTTP/2 virtual server validation fails if connection mirroring is enabled, and the system posts an error similar to the following:
01070734:3: Configuration error: Error configuring Virtual Server (/Common/vs1). Connection mirroring is not supported in combination with HTTP2 profile.
Behavior Change:
Previously, TMM cored on the active system when it received an HTTP/2 request and connection mirroring was enabled.
Now, HTTP/2 Virtual Server validation fails if connection mirroring is enabled, and the system reports the following message in the LTM log:
err mcpd[25742]: 01070734:3: Configuration error: Error configuring Virtual Server (/Common/vs_http). Connection mirroring is not supported in combination with HTTP2 profile.
This is correct behavior, as connection mirroring is not supported in combination with the HTTP/2 profile.
756777 : VDI plugin might crash on process shutdown during RDG connections handling
Component: Access Policy Manager
Symptoms:
VDI plugin might crash on process shutdown if it is stopped during handling of RDG connections.
Conditions:
The VDI plugin process is stopped while a new RDG connection is being established via APM.
Impact:
The process shuts down, but the generated core file might cause unnecessary confusion.
Workaround:
None.
Fix:
Fixed VDI plugin crash on process shutdown during RDG connections handling.
756774 : Aborted DNS queries to a cache may cause a TMM crash
Solution Article: K24401914
756633 : Autodos daemon history file is created even when there is no vector enabled in a DoS profile
Component: Advanced Firewall Manager
Symptoms:
Autodos daemon history file is created even when there is no vector enabled in a DoS profile.
Conditions:
An empty DoS profile is attached to a virtual server without enabling any vector in the profile.
Impact:
Disk space is being unnecessarily used.
Workaround:
Make sure each DoS profile attached to virtual server has at least one vector enabled.
Fix:
Attaching an empty DoS profile without an enabled vector does not create a history file for that virtual server in the autodos daemon.
756567 : Adding a tighter protection to fictive url
Solution Article: K50500283
Component: Application Security Manager
Symptoms:
Fictive URLs are not identified strictly enough.
Conditions:
Outdated fictive URLs are sent to the BIG-IP system.
Impact:
In some cases, bot defense handles outdated fictive URLs incorrectly.
Workaround:
N/A
756565 : Browser might get stuck when SPA is enabled
Component: Application Security Manager
Symptoms:
The browser might get stuck when the ASM SPA feature is enabled.
Conditions:
-- ASM SPA is enabled.
-- The application page is hooking native JavaScript AJAX calls.
Impact:
The browser gets stuck. The page is not displayed.
Workaround:
None.
Fix:
The system now avoids an infinite recursion loop for AJAX callbacks.
756538 : Failure to open data channel for active FTP connections mirrored across an HA pair.
Component: Local Traffic Manager
Symptoms:
Occasionally, attempting to actively open a data channel from an FTP session that is mirrored across a BIG-IP high availability pair will fail. This is due to aggressive port reuse on the active BIG-IP system, causing ports that are still in a TIME_WAIT state to be used for the data connection.
Conditions:
-- Have a BIG-IP HA pair configured.
-- Create an FTP virtual server with mirroring enabled.
-- Have the pool member(s) of the virtual server be either 3CDaemon or IIS servers (this issue has been confirmed only for 3CDaemon and IIS, but it could affect other servers as well).
-- Client attempts to download data through the virtual server via active FTP.
Impact:
Data connections fail to open; data transfer is unsuccessful.
Workaround:
Use passive FTP, or do not use mirroring for FTP virtual servers.
Fix:
Mirrored, active FTP connections no longer fail to open data channels, and now successfully transmit data.
756477 : Drop Redirect tab incorrectly named as 'Redirect Drop'
Component: Advanced Firewall Manager
Symptoms:
Incorrect naming on navigation tabs Security :: Debug :: Drop Redirect.
Conditions:
Navigating to Security :: Debug :: Drop Redirect.
Impact:
The page name is Drop Redirect instead of Redirect Drop.
Workaround:
None.
Fix:
Drop Redirect tab is now correctly named as 'Drop Redirect'.
756471 : AFM Flow Inspector filter doesn't indicate src-ip/dst-ip filters as clientside.
Component: Advanced Firewall Manager
Symptoms:
In AFM debug tool, flow inspector, for IP address filtering, the GUI describes fields as 'Source' and 'Destination', and provides no indication that this means the client-side source and client-side destination.
Conditions:
Using the 'Source' and 'Destination' fields in the AFM debug tool, flow inspector, for IP address filtering.
Impact:
The GUI does not indicate what sort of data it expects, causing confusion about which IP address should be used.
Workaround:
Specify 'Source' as the client-side source and 'Destination' as the client-side destination.
Fix:
Labels are added to indicate that these are client-side fields.
756470 : Additional logging added to detect when monitoring operations in the configuration exceed capabilities.
Component: Global Traffic Manager (DNS)
Symptoms:
GTM logs 'no reply from big3d: timed out' messages when the configuration results in more runtime monitoring operations than can be supported in a given environment, but the same message also appears in the log for other reasons.
Conditions:
The GTM configuration results in more runtime monitoring operations than can be supported in a given environment.
Impact:
It is not possible to detect when there are more runtime monitoring operations than can be supported in a given environment without enabling debug logging and performing a complex analysis of the resulting log files.
Workaround:
Enable debug logging and conduct a detailed analysis to determine if monitor requests are scheduled at the configured intervals.
Fix:
There is now a warning message that provides a much clearer indication of the condition:
The list processing time (14 seconds) exceeded the interval value. There may be too many monitor instances configured with a 7 second interval.
756457-1 : tmsh command 'show security' returning a parsing error
Component: Advanced Firewall Manager
Symptoms:
Running the tmsh command 'tmsh -m show security' returns a parsing error similar to the following:
Unexpected Error: Chunked data did not start with start_message.
Conditions:
-- AFM is provisioned.
-- Running the command: 'tmsh -m show security'.
Impact:
-- The 'show security' commands return a parsing error.
-- Some show commands might not work.
Workaround:
None.
Fix:
Ensured that the system handles the 'tmsh -m show security' command without a parsing error.
756450 : Traffic using route entry that's more specific than existing blackhole route can cause core
Component: Local Traffic Manager
Symptoms:
TMM asserts with the message 'Attempting to free loopback interface'.
Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use /32 blackhole routes.
Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.
756437 : ASM XMLHTTPRequest wrapper attempts to access responseText for non-text responseType
Component: Application Security Manager
Symptoms:
A website that uses non-text values for XMLHTTPRequest.responseType experiences issues, and JavaScript errors are shown in the browser console.
Failed to read the 'responseText' property from 'XMLHttpRequest': The value is only accessible if the object's 'responseType' is '' or 'text' (was 'blob').
Conditions:
This occurs under either set of conditions:
1.
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- AJAX blocking page enabled in the ASM policy.
2.
-- Bot Defense or DoS Application profile attached to a virtual server.
-- Single page application enabled in the Bot Defense or DoS Application profile.
Impact:
End-user experience might be affected; website functionality might malfunction.
Workaround:
For Conditions set 1: Disable AJAX blocking page.
For Conditions set 2: Disable Single page application.
Fix:
The ASM XMLHTTPRequest wrapper now avoids illegal access to XMLHTTPRequest.responseText.
756418 : Live Update does not authenticate remote users
Component: Application Security Manager
Symptoms:
Remote users with Administrator or Application Security Administrator roles cannot run Live Update.
Conditions:
-- Remote user (LDAP/RADIUS).
-- Remote user logged in.
-- New installation is available.
Impact:
-- Remote users cannot manually check for updates.
-- Remote users cannot manually upload new files.
-- Remote users cannot install new update files.
Workaround:
Log in with a local user like admin, application security editor, or application security administrator.
Fix:
Authentication is now done directly by MCP. Remote users are no longer treated like local users, so only the role of the user determines the ability to perform operations such as Live Update.
756356 : External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long
Component: Local Traffic Manager
Symptoms:
iRules using the command 'class match' with the 'equals' operator on long entries fail to return a positive match, even if they are in the datagroup, for example:
my_datagroup:
"abcdefghijklmnopqrstuvwxyz0123456" := "value1"
class match "abcdefghijklmnopqrstuvwxyz0123456" equals my_datagroup
Conditions:
This is encountered when all of the following conditions are met:
- Using an external datagroup of type string with keys longer than 32 characters.
- Using an iRule with the 'class match' command and the 'equals' operator on the external datagroup.
- Trying to match keys that are longer than 32 characters.
Impact:
iRules act incorrectly.
Workaround:
If none of the keys in the datagroup are prefixes of each other, the 'equals' operator can be changed to 'starts_with' or 'ends_with' (if none are suffixes of each other).
Fix:
iRules using the 'class match' command with the 'equals' operator on long entries now correctly match external datagroup string entries that are longer than 32 characters.
756311 : High CPU during erroneous deletion
Component: Policy Enforcement Manager
Symptoms:
The utilization of some CPUs in the system starts going up and remains high for a long time. You might see messages similar to the following in the tmm logs:
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557
Conditions:
The exact conditions under which this occurs are unknown. One potential trigger is CDP flap.
Impact:
TMM may need to be restarted if the CPU usage does not subside. Traffic disrupted while tmm restarts.
Workaround:
Try deleting all subscribers from the CLI.
756270 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
Component: Local Traffic Manager
Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.
Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.
Impact:
Handshake failure.
Workaround:
None.
Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.
756218 : Improve default management port firewall
Component: Advanced Firewall Manager
Symptoms:
Certain invalid packets are permitted to pass the default firewall on the management interface.
Conditions:
Invalid packets generated by adjacent hosts on the management interface.
Impact:
Invalid packets delivered to linux kernel.
Workaround:
None.
Fix:
The default management port firewall now blocks invalid packets.
756213 : No support of injection into XHTML pages
Component: Fraud Protection Services
Symptoms:
FPS does not inject the JS engine into pages with 'application/xhtml+xml' content-type.
Conditions:
The content-type of the response is 'application/xhtml+xml'.
Impact:
DataSafe features (e.g., encryption and obfuscation) are not working on XHTML pages.
Workaround:
None.
Fix:
FPS now injects JS engine into 'application/xhtml+xml' pages.
Note: JS removal detection does not work in this case (but it does work for HTML pages).
756205 : TMSTAT offbox statistics are not continuous
Component: Application Visibility and Reporting
Symptoms:
When BIG-IP systems are managed by BIG-IQ, the device health statistics have gaps (missing samples).
Conditions:
BIG-IP systems managed by BIG-IQ.
Impact:
Missing data on device health, such as CPU load and memory occupancy.
Workaround:
None.
Fix:
Functionality restored - BIG-IP systems send all the data as expected.
756108 : BD crash on specific cases
Component: Application Security Manager
Symptoms:
BD crash on specific cases.
Conditions:
A feature that requires CAPTCHA or Client Side Integrity is enabled in ASM.
Impact:
No traffic reaches the application.
Workaround:
None.
Fix:
This release fixes the specific crash scenario.
756094 : DNS express in restart loop, 'Error writing scratch database' in ltm log
Component: Global Traffic Manager (DNS)
Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd
Conditions:
An update to an SOA record (and only an SOA) is received through an incremental zone transfer update (IXFR).
Impact:
Zone updates from the DNS master servers are not processed.
Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:
bigstart stop zxfrd
rm /shared/zxfrd/*
bigstart start zxfrd
Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.
Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.
756088 : The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
Component: TMOS
Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.
The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.
Conditions:
-- There are multiple virtual servers associated with a virtual address.
-- The virtual-address icmp-echo is set to 'all' or 'any'.
-- The virtual-address route-advertisement is set to 'all' or 'any'.
Impact:
The BIG-IP might respond incorrectly to ICMP echo requests sent to a virtual-address.
-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP may not respond correctly after a virtual-address availability change.
-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.
The BIG-IP might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.
Workaround:
None.
756071 : MCPD crash
Component: TMOS
Symptoms:
mcpd crashes when it runs out of memory.
Conditions:
A memory leak occurs when the following tmsh command is run:
tmsh reset-stats ltm virtual
Impact:
MCPD can run out of memory and crash. Traffic disrupted while mcpd restarts.
Workaround:
Try to use the reset-stats tmsh command sparingly.
Fix:
A memory leak that occurred when running the command 'tmsh reset-stats ltm virtual' has been fixed.
756019 : OAuth JWT Issuer claim requires URI format
Component: Access Policy Manager
Symptoms:
APM currently expects the OAuth JSON web tokens (JWT) Issuer claim to be in the URI format:
-- JWT-Config does not allow Issuer setting unless it is in the URI format.
-- The issuer value in the incoming token is expected to be in the URI format and should match with the Issuer setting in the JWT-Config.
Conditions:
OAuth JWT Issuer claim in the URI format for JWT access token and ID token.
Impact:
Per RFC 7519, the 'iss' claim value is a case-sensitive string containing a StringOrURI value. To comply with RFC 7519, which allows any string value in the Issuer claim, APM should relax this validation.
Workaround:
None.
Fix:
The JWT-Config issuer validation is removed, allowing either a string or a URI value for the JWT issuer.
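The two issuer rules this entry contrasts, as an added example that is not APM code: 'strict' models the pre-fix behavior (issuer must be a URI) and 'rfc7519' models the fixed behavior (StringOrURI, compared as a case-sensitive string). The URI test is a syntactic RFC 3986 scheme check, which is an assumption about how 'URI format' was judged, not APM's actual parser; the token built by make_test_token is constructed input with a placeholder signature.

```python
import base64
import json
import re

# Added example (not APM code): issuer validation before and after the fix.
# Assumption: 'URI format' is judged by a syntactic RFC 3986 scheme check.

# RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ':'
_URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")

def is_uri(value: str) -> bool:
    return bool(_URI_SCHEME.match(value)) and not any(c.isspace() for c in value)

def is_string_or_uri(value) -> bool:
    """RFC 7519 section 2 StringOrURI: any JSON string, except that a value
    containing ':' MUST be a URI."""
    if not isinstance(value, str):
        return False
    return is_uri(value) if ":" in value else True

def issuer_accepted_strict(configured: str, iss) -> bool:
    """Pre-fix rule: both the configured issuer and the token's iss must be
    URIs and must match exactly. A plain-string issuer is rejected."""
    return (isinstance(iss, str) and is_uri(configured)
            and is_uri(iss) and iss == configured)

def issuer_accepted_rfc7519(configured: str, iss) -> bool:
    """Fixed rule: StringOrURI on both sides, exact case-sensitive match."""
    return (is_string_or_uri(configured) and is_string_or_uri(iss)
            and iss == configured)

def unverified_claims(token: str) -> dict:
    """Decode the payload of a compact JWS. No signature check is done here:
    a real validator verifies the signature first and only then compares iss."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def make_test_token(claims: dict) -> str:
    """Constructed test input: the signature segment is a placeholder, so this
    is not a usable credential, only a payload to exercise the checks."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{seg(header)}.{seg(claims)}.placeholder-signature"

if __name__ == "__main__":
    token = make_test_token({"iss": "my-idp", "sub": "user1"})
    iss = unverified_claims(token)["iss"]
    print("strict :", issuer_accepted_strict("my-idp", iss))    # False
    print("rfc7519:", issuer_accepted_rfc7519("my-idp", iss))   # True
```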
756005 : Individual policy that cannot be deleted can be deleted as part of a multi-policy delete
Component: Application Security Manager
Symptoms:
A policy that cannot be deleted individually can be deleted in a multiple-policy delete operation.
Conditions:
-- ASM policies with dependencies that cannot be deleted (LTM dependencies, parent policies with children, etc.).
-- Attempt to delete the policies individually.
-- Attempt to delete the policies as part of a multiple-policy delete operation.
Impact:
Policies with dependencies are deleted.
Workaround:
Delete policies one at a time.
Fix:
A policy that should not be deleted individually now cannot be deleted in a multiple-policy delete operation.
755997 : Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
Component: Local Traffic Manager
Symptoms:
When IPsec traffic is processed by a FastL4 profile that is not related to an IPsec listener, and is sent out via a gateway pool or a dynamic route, the source address of this traffic can be erroneously changed to 127.0.0.x.
Conditions:
-- IPsec traffic is processed by a FastL4 profile, which is not related to an IPSEC listener.
-- The traffic is sent out via a gateway pool or a dynamic route.
Impact:
The incorrect source address is used.
Workaround:
None.
Fix:
The IPsec traffic now uses the correct IP source address.
755739 : SAML metadata import (SP or IdP) fails if the metadata file has both SPSSODescriptor and IdPSSODescriptor
Component: Access Policy Manager
Symptoms:
If the SAML SP or IDP metadata has both SPSSODescriptor and IdPSSODescriptor tags, the import fails with errors like this:
The metadata file '/var/tmp/1547120861955.upload' being used to create SAML IdP connector 'Kismet' is an SP metadata file.
Conditions:
-- The SP or IdP metadata file has both SPSSODescriptor and IdPSSODescriptor tags.
-- An attempt is made to import it to create SP or IdP connector objects.
Impact:
Metadata import is not successful.
Workaround:
Use the following workarounds, as appropriate:
-- When importing SP metadata, remove all IDPSSODescriptor tags from the metadata file.
-- When importing IDP metadata, remove all SPSSODescriptor tags from the metadata file.
Fix:
Metadata import is now successful when both SPSSODescriptor and IdPSSODescriptor tags are present, and the connector object is created.
755641 : Unstable asm_config_server after upgrade, 'Event dispatcher aborted'
Component: Application Security Manager
Symptoms:
Ignored suggestions for Multiple decoding or HTTP Protocol Settings present after upgrading a unit to 14.1.0 can cause the asm_config_server and pabnagd processes to enter restart loops.
Conditions:
1) On a 13.1.x system send traffic that will generate suggestions for Max Decoding Passes, Maximum Headers, and/or Maximum Parameters.
2) Set those Suggestions to be Ignored.
3) Upgrade to 14.1.0.
Impact:
-- Multiple asm_config_server restarts.
-- System instability, including inability to manage ASM settings or use traffic learning.
-- No local logging.
Workaround:
You can use either of the following workarounds:
A) Delete any such ignored suggestions using the following SQL command:
> DELETE FROM PL_SUGGESTIONS WHERE element_type IN (7,193,75);
B) Delete any such ignored suggestions before upgrade using the GUI/REST/SQL.
Fix:
The system now handles removed Entity types during upgrade for Ignored Suggestions: Ignored suggestions for Multiple decoding or HTTP Protocol Settings are removed during upgrade. You must reconfigure the Ignore settings after upgrade.
Behavior Change:
Refactoring in 14.1.0 modified the functionality of the following Entity types: Max Decoding Passes, Maximum Headers, and/or Maximum Parameters. Ignored suggestions for Multiple decoding or HTTP Protocol Settings are removed during upgrade, so you must reconfigure the Ignore settings after upgrade.
755630 : MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes
Component: Service Provider
Symptoms:
The media flows get terminated after the UDP idle timeout expires on a Standby device.
Conditions:
-- High availability (HA) configuration.
-- SIP media calls on a SIP-ALG with SNAT feature enabled.
Impact:
SIP calls fail to deliver media when HA failover occurs.
Workaround:
Partial mitigation is to set the UDP idle timeout to a higher value.
Fix:
SIP ALG media pinhole connection flags are now set properly so that the flows do not time out due to inactivity on the next active device.
755628 : Deleted APM cookies missing 'secure' and 'HttpOnly' flags
Component: Access Policy Manager
Symptoms:
Deleted cookies returned to the client are missing the 'secure' and/or 'HttpOnly' flags.
Conditions:
When APM cookies with 'secure' and 'HttpOnly' flags are deleted, those flags are missing in response Set-Cookie: headers.
Impact:
Some vulnerability scanners may detect that as a security issue.
Workaround:
Use an iRule like the following:
when HTTP_RESPONSE_RELEASE {
    foreach mycookie [HTTP::cookie names] {
        HTTP::cookie secure $mycookie enable
        HTTP::cookie httponly $mycookie enable
    }
}
Fix:
The 'secure' and 'HttpOnly' flags are now preserved for deleted APM cookies.
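A check for the symptom described in this entry, as an added example that is not F5 code: it audits Set-Cookie headers for cookie deletions (Max-Age of zero or an Expires date in the past) that lack the Secure or HttpOnly attribute, and add_flags re-adds them the way the iRule workaround does. The sample headers are constructed; MRHSession and LastMRH_Session are APM cookie names, app_token is made up.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Added example (not F5 code): find deletion cookies that dropped their
# 'Secure' / 'HttpOnly' attributes, and add them back like the iRule does.

def parse_set_cookie(header: str):
    """Split 'name=value; attr; attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def is_deletion(attrs: dict, now: datetime) -> bool:
    """A cookie is a deletion if Max-Age <= 0 or Expires is in the past
    (Max-Age takes precedence over Expires, per RFC 6265)."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            return False
    return False

def audit_deletions(headers, now=None, required=("secure", "httponly")):
    """Return [(cookie_name, [missing attribute, ...])] for every deletion
    cookie that lacks one of the required attributes."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not is_deletion(attrs, now):
            continue
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings

def add_flags(header: str, flags=("Secure", "HttpOnly")) -> str:
    """Equivalent of the iRule's 'HTTP::cookie secure/httponly ... enable':
    append each flag that is not already present on the header."""
    _, _, attrs = parse_set_cookie(header)
    for flag in flags:
        if flag.lower() not in attrs:
            header += f"; {flag}"
    return header

# Constructed response headers: a deletion that lost both flags, a correct
# deletion, and a live cookie (not a deletion, so it is not reported).
SAMPLE_HEADERS = [
    "MRHSession=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "LastMRH_Session=deleted; path=/; Max-Age=0; Secure; HttpOnly",
    "app_token=abc123; path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name, missing in audit_deletions(SAMPLE_HEADERS):
        print(f"{name}: deletion cookie missing {', '.join(missing)}")
    print(add_flags(SAMPLE_HEADERS[0]))
```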
755594 : peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket
Component: Local Traffic Manager
Symptoms:
When a session is restored using a session-ticket, the peer-cert-mode setting is not acknowledged.
Conditions:
-- Session tickets are enabled.
-- The peer-cert-mode in the client SSL profile is set to 'always'.
-- A session is restored using a ticket.
Impact:
The SSL client is validated only once, instead of each time.
Workaround:
Disable session ticket.
Fix:
If peer-cert-mode is set to always, session tickets are not issued. This is the same behavior as is seen with session ID resumption.
755585 : mcpd can restart on secondary blades if a policy is created, published, and attached to a vs in a single transaction
Component: Local Traffic Manager
Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.
Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
* Creates a policy with 'Drafts/' as part of the policy name.
* Publishes that policy.
* Attaches that policy to a virtual server, either in the same transaction or a later transaction.
Impact:
mcpd restarts on all secondary blades of a cluster.
Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.
755575 : In MOS, the 'image2disk' utility with the '-format' option does not function properly
Component: TMOS
Symptoms:
When the BIG-IP system boots, mcpd continually restarts.
Conditions:
This occurs if you issue the 'image2disk' command with the '-format' option in the MOS (Maintenance Operating System) shell.
Impact:
When the system boots, it cannot become active.
Workaround:
In the MOS shell, do not issue the 'image2disk' utility with the '-format' option. You can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.
If the system is already in the defective state, use this shell command, and then reboot:
touch /.tmos.platform.init
The problem should be resolved.
Fix:
In MOS, running 'image2disk' with the '-format' option no longer causes continuous mcpd restarts.
755507 : [App Tunnel] 'URI sanitization' error
Component: Access Policy Manager
Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)
Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).
Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.
Workaround:
None.
755475 : Corrupted customization group on target after updating logon page agent field on source device and config sync
Component: Access Policy Manager
Symptoms:
After you change the logon page agent field and perform a config sync to another device, opening the logon agent in the VPE on the sync target device produces an error.
Conditions:
1. Form a failover device group with two devices.
2. On one device, create an access policy with logon page agent. Initiate config sync to sync the policy to other devices. Verify everything is correct on target device (specifically: open VPE for the policy, Logon Page is in the policy, click on the agent, and edit box appears without issue).
3. On the source device, launch the VPE for the policy, click the Logon Page agent, and make changes to the agent (e.g., choose the 'password' type for field3). Save the change and perform a config sync again.
4. Go to the target device, open the VPE for the policy, and click the Logon Page agent in the policy.
Impact:
Config is not synced properly to another device in the device group.
Workaround:
In addition to changing the logon page field, also make a change in the 'Customization' section (e.g., update the text for Logon Page Input Field).
Fix:
After a config sync, the target device now receives a configuration identical to the source device's when the user updates the logon page field in the logon agent editing dialog.
755447 : SSLO does not deliver content generated/originated from inline device
Component: Access Policy Manager
Symptoms:
If any inline service acting as a proxy generates content for the client while resetting the server side connection, then the client might not see the content, and will instead see a reset.
Conditions:
-- F5 SSL Orchestrator (SSLO) with inline services intercepting requests and replying without letting the content go to back-end server.
-- Inline services resetting the back-end connection.
Impact:
Client receives a reset instead of a redirect or error page.
Workaround:
None.
Fix:
Clients now receive the content that the inline device generates.
755378 : HTTPS connection error from Chrome when BADOS TLS signatures configured
Component: Anomaly Detection Services
Symptoms:
HTTPS connection error occurs. The system posts the following ltm.log warnings:
-- warning tmm1[25112]: 01260009:4: Connection error: ssl_basic_crypto_cb:694: Decryption error (20)
-- warning tmm1[25112]: 01260009:4: Connection error: hud_ssl_handler:1941: codec alert (20)
Conditions:
-- BADOS TLS signatures configured.
-- DoS profile is attached to a virtual server.
-- Using Google Chrome browser.
Impact:
HTTPS virtual server is not responsive.
Workaround:
Turn off TLS signatures flag.
Fix:
HTTPS connection error no longer occurs when connecting from Chrome to virtual server with TLS signature BADOS protection.
755254 : Remote auth: PAM_LDAP buffer too small errors★
Component: TMOS
Symptoms:
You are unable to log into the BIG-IP system using an LDAP account.
The system might log the following message in /var/log/secure:
-- crit httpd[28010]: pam_ldap(httpd:account): buffer 'buffer_size' too small.
Note: This message might not be logged for all occurrences of this issue.
Conditions:
This occurs when the following conditions are met:
-- Remote-LDAP authentication is configured.
-- There is a user account with attributes longer than 255 characters in length.
-- That user attempts a logon to the BIG-IP system.
Impact:
LDAP authentication does not work properly.
Workaround:
Configure user accounts with attributes shorter than 255 characters.
Fix:
LDAP authentication and authorization now succeeds for users under these conditions.
755047 : Category lookup returns wrong category on CONNECT traffic through SSLO
Component: Access Policy Manager
Symptoms:
Category lookup returns wrong category on CONNECT traffic through F5 SSL Orchestrator (SSLO).
Conditions:
-- Outbound deployment configured in SSLO, where SSLO behaves as a transparent proxy.
-- A policy has a branch to lookup category using HTTP Connect.
-- An HTTPS client generates HTTPS traffic via an explicit proxy on local network with private address through SSLO as the gateway.
Impact:
Category Match is not performed, resulting in the fallback branch being taken.
Workaround:
None.
Fix:
Category lookup now works correctly in this scenario.
755005 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
Component: Application Security Manager
Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.
Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.
Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.
Workaround:
None.
Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.
754985 : Standby TMM may crash while processing mirrored TLS traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, the standby TMM may crash while processing mirrored TLS traffic.
Conditions:
-- Virtual server with server-side SSL.
-- Connection mirroring enabled.
Impact:
High availability (HA) connection mirroring fails. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM now processes TLS traffic as expected.
754944 : AVR reporting UI does not follow best practices
Component: Application Visibility and Reporting
Symptoms:
The AVR reporting UI does not follow best practices.
Conditions:
Administrative access to the AVR reporting web UI.
Impact:
Unexpected HTML output.
Workaround:
The AVR reporting UI does not follow best practices.
Fix:
The AVR reporting UI now follows best practices.
754901 : Frequent zone update notifications may cause TMM to restart
Component: Global Traffic Manager (DNS)
Symptoms:
When there are frequent zone update notifications, the TMM watchdog may trip and TMM crashes and restarts. There may also be 'clock advanced' messages in /var/log/ltm.
Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.
Impact:
TMM restarts, potentially causing services to fail or be impacted. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Frequent zone update notifications no longer cause TMM to restart.
754865 : Missing indication when client fails connecting to Security Cloud Services
Component: Application Security Manager
Symptoms:
When Security Cloud Services and Centralized Device ID are enabled, the clients may be blocked from accessing the site if there is no connectivity to the Cloud Services. There is no indication of these failures.
Conditions:
-- Security Cloud Services are enabled.
-- Centralized Device ID is enabled.
-- Device ID is enabled on a Bot Defense profile.
-- There is no connectivity between clients and the Cloud Services.
Impact:
Connectivity fails with no indication of the failure. Administrators cannot monitor users getting blocked due to connectivity failures with the Cloud Services.
Workaround:
None.
Fix:
There is now an indication in the Bot Defense Request Log when clients are blocked due to 'Cloud connectivity failure'. This appears in the 'Challenge Failure Reason' field.
754805-1 : Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured
Component: Advanced Firewall Manager
Symptoms:
tmm might crash and restart.
Conditions:
When AFM DoS badactor or attacked dst is configured on a vector, there is a race condition which can cause tmm to crash. The same race condition is present when single endpoint vectors are configured.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The race condition is now fixed.
754658 : Improved matching of response messages uses end-to-end ID
Component: Service Provider
Symptoms:
Some responses incorrectly match requests when their hop-by-hop IDs match. This causes the response to be dropped.
Conditions:
Matching hop-by-hop ID.
Impact:
Responses rarely match the wrong request, but when they do, they will be dropped.
Workaround:
None.
Fix:
Responses are now matched to requests using end-to-end ID as well as hop-by-hop ID. There should be no more incorrect matches.
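To make the matching change concrete, the following added example (not F5's code, and not the MRF Diameter implementation) encodes and decodes the fixed 20-byte Diameter header and keeps a pending-request table two ways: keyed by hop-by-hop ID only, and keyed by the (hop-by-hop, end-to-end) pair. The peer names, identifier values and command code are constructed sample data.

```python
import struct

# Diameter header layout (RFC 6733, section 3), 20 bytes, network byte order:
#   version(1) | message length(3) | command flags(1) | command code(3)
#   | application id(4) | hop-by-hop identifier(4) | end-to-end identifier(4)
HEADER_LEN = 20
R_FLAG = 0x80  # command flag bit: the message is a request


def build_header(length, flags, code, app_id, hbh, e2e):
    """Encode a Diameter header; used here only to construct sample messages."""
    return struct.pack("!IIIII", (1 << 24) | (length & 0xFFFFFF),
                       (flags << 24) | (code & 0xFFFFFF), app_id, hbh, e2e)


def parse_header(buf):
    """Decode the fixed 20-byte Diameter header into a dict."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    w0, w1, app_id, hbh, e2e = struct.unpack("!IIIII", buf[:HEADER_LEN])
    return {
        "version": w0 >> 24,
        "length": w0 & 0xFFFFFF,
        "flags": w1 >> 24,
        "code": w1 & 0xFFFFFF,
        "app_id": app_id,
        "hbh": hbh,
        "e2e": e2e,
        "is_request": bool((w1 >> 24) & R_FLAG),
    }


class PendingRequests:
    """Table of outstanding requests, keyed two ways so the two matching
    strategies can be compared side by side."""

    def __init__(self):
        self._by_hbh = {}   # hop-by-hop only: the behaviour the fix replaces
        self._by_pair = {}  # (hop-by-hop, end-to-end): the fixed behaviour

    def add(self, hdr, origin):
        # With hop-by-hop only, a second request carrying the same id
        # silently replaces the first entry; the pair key keeps both.
        self._by_hbh[hdr["hbh"]] = origin
        self._by_pair[(hdr["hbh"], hdr["e2e"])] = origin

    def match_hbh_only(self, hdr):
        return self._by_hbh.get(hdr["hbh"])

    def match(self, hdr):
        return self._by_pair.get((hdr["hbh"], hdr["e2e"]))


def demo():
    """Two requests from different peers that happen to carry the same
    hop-by-hop id (constructed sample); the answer is matched both ways."""
    table = PendingRequests()
    req_a = parse_header(build_header(20, R_FLAG, 272, 4, 0x1000, 0xAAAA0001))
    req_b = parse_header(build_header(20, R_FLAG, 272, 4, 0x1000, 0xBBBB0002))
    table.add(req_a, "peer-A")
    table.add(req_b, "peer-B")
    # Answer to peer-A's request: same hbh and e2e, R flag clear.
    ans_a = parse_header(build_header(20, 0, 272, 4, 0x1000, 0xAAAA0001))
    return {
        "hbh_only": table.match_hbh_only(ans_a),  # "peer-B": the wrong request
        "hbh_and_e2e": table.match(ans_a),        # "peer-A": correct
    }


if __name__ == "__main__":
    print(demo())
```

The hop-by-hop identifier is rewritten per hop and only has to be unique on one link, while the end-to-end identifier is chosen by the originator and travels unchanged, so the pair is what distinguishes two requests whose hop-by-hop values collide.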
754615 : Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup.
Component: Service Provider
Symptoms:
tmm crashes.
Conditions:
-- SIP calls under load.
-- MRF-SIP-ALG setup.
-- Most of the calls re-use the conn flow.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
If connections reach a threshold value of 64500, the connection is dropped, drop stats are updated, and a log message is reported: Message handling threshold reached on flow.
754542 : TMM may crash when using RADIUS Accounting agent
Component: Access Policy Manager
Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.
Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when RADIUS Accounting agent is used in the access policy.
754541-3 : Reconfiguring an iApp that uses a client SSL profile fails
Component: TMOS
Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:
-- A virtual server is created but no client SSL profile is applied.
-- In the /var/log/ltm file, the system logs messages similar to the following example:
err mcpd[6434]: 01b4002b:3: Client SSL profile (/Common/Example.app/Example_client-ssl): the profile has no RSA cert/key pair that can be modified. To add RSA cert/key, please use [cert-key-chain add]
Conditions:
This issue occurs when the following conditions are met:
-- Attempting to reconfigure an iApp.
-- The iApp contains a client SSL profile.
Impact:
The system fails to create and apply the client SSL profile to the virtual server.
Workaround:
To work around this issue, you can temporarily disable SSL in the iApp, and then enable it again.
Impact of workaround:
Reconfiguring your iApp reconfigures all BIG-IP objects associated with the iApp. This might cause service disruptions to the application the iApp has been deployed for.
1. Navigate to the impacted iApp in GUI:
iApps :: Application Services : Applications :: Example.
2. Find the setting associated with the client SSL profile, often titled "How should the BIG-IP system handle SSL traffic?"
3. Change the associated setting to one that does not imply the use of SSL, for example: "Plain text to and from both clients and servers."
4. Press the Reconfigure button.
5. Return to the same question and change the field back to its original setting.
6. Press the Reconfigure button once more.
Fix:
Reconfiguring an iApp that uses a client SSL profile now succeeds as expected.
754500 : GUI LTM Policy options disappearing
Component: TMOS
Symptoms:
Listed policies disappear under 'Do the following when traffic is matched' in Local Traffic :: Policies : Policy List :: {Rule Name} when pressing Cancel or Save and opening the list again.
Conditions:
Click the Cancel or Save button on the Local Traffic :: Policies : Policy List :: /Common/policy1:rule1 properties page.
Here are some specific steps to reproduce this issue (this procedure assumes you have at least one policy with at least one rule defined):
1. Navigate to Local Traffic :: Policies : Policy List :: /Common/policy1:rule1 to open the rule1 properties page.
2. In the section 'Do the following when the traffic is matched', click to open the first dropdown menu.
- The system lists all of the items.
3. Click Cancel.
4. Click to reopen the properties page, and click the first dropdown menu.
- The system lists fewer of the options.
5. Repeat steps 3 and 4.
Impact:
Options disappear from the list each time you click Cancel or Save. Cannot select options because they are no longer visible in the list.
Workaround:
To return all options to the list, use the refresh button in the browser.
You can also use the following tmsh command:
modify ltm policy Drafts/<policy name> modify { <rule name> { actions add { ...
Fix:
Policies no longer disappear under these conditions.
754494 : Proactive bot defense falsely detects Selenium on Firefox version 64.x
Component: Application Security Manager
Symptoms:
Proactive bot defense falsely detects Selenium on Firefox version 64.x.
ASM end users first have to solve captcha before reaching the website.
Conditions:
-- Proactive bot defense is enabled.
-- Detect suspicious browsers is configured.
Impact:
End users need to solve captcha before reaching the website.
Workaround:
Use an iRule that overrides proactive action for Firefox version 64.x.
Fix:
The system no longer detects Firefox 64.x as if it were driven by Selenium.
754420 : Missing policy name in exported ASM request details
Component: Application Security Manager
Symptoms:
No Policy name in exported ASM Request details.
Conditions:
This is encountered when viewing the Security Events Report.
Impact:
Missing policy name in request details.
Workaround:
None.
Fix:
Policy name is now displayed in exported ASM request details.
754396 : Security Policy's Attack Signatures put back into staging after Export/Import in Binary format
Component: Application Security Manager
Symptoms:
Exporting an ASM Security Policy in binary format retains the last updated time of each Attack Signature in the Security Policy.
If the Security Policy is then imported into a system where the Attack Signatures have been subsequently updated, any signature that was updated is put back into staging for that Policy.
Conditions:
1) An ASM Security Policy has Attack Signatures that have been removed from staging (enforced).
2) The Policy is exported in binary format.
3) The Policy is imported to a system where the enforced Attack Signatures have been updated by a subsequent ASM Attack Signatures update.
Impact:
Any attack signature that has been updated since the policy was exported is put back into staging.
Workaround:
A) Export in XML format instead of binary
or
B) Re-enforce any staged signatures after import.
(The GUI might show signatures as not in staging, but the actual signatures' status are in staging after import of binary.)
Fix:
Signatures retain the same enforcement state they had when they were exported even if they were updated on the system.
754365 : Updated flags for countries that changed their flags since 2010
Component: Application Security Manager
Symptoms:
Old flags for countries that changed their flags since 2010.
Conditions:
Requests from one of the following countries:
-- Myanmar
-- Iraq
-- Libya
Impact:
Old flag is shown.
Workaround:
None.
Fix:
The three flags are now updated in ASM.
754346 : Access policy was not found while creating configuration snapshot.
Component: Access Policy Manager
Symptoms:
APMD fails to create configuration snapshot with the following error:
-- err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!
If you attempt to modify the policy in question, the system reports a second error:
-- err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy
Conditions:
If TMM restarts and new access policy is added before TMM is fully up and running.
Impact:
Configuration snapshot is not created, and users cannot log on.
Workaround:
Recreate the access profile when TMM is stable.
754345 : WebUI does not follow best security practices
Component: TMOS
Symptoms:
WebUI does not follow best security practices.
Conditions:
Authenticated administrative user access to WebUI.
Impact:
WebUI does not follow best security practices.
Workaround:
None.
Fix:
WebUI now follows best security practices.
754257-4 : URL lookup queries not working
Component: Traffic Classification Engine
Symptoms:
Occasionally, there is no response to a url-categorization query.
Conditions:
This might occur under the following conditions:
-- When there are duplicate requests using tmsh.
-- When the connection is partially closed by the server.
Impact:
URL does not get classified. Cannot take any actions against those URLs.
Workaround:
None.
754143 : TCP connection may hang after finished
Component: Local Traffic Manager
Symptoms:
TCP connections hang. Memory usage increases. TMM restarts.
Numerous hanging connections reported similar to the following:
-- config # tmsh show sys conn protocol tcp
Sys::Connections
165.160.21.1:5854 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5847 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5890 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5855 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5891 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
Conditions:
Pool member fails to respond with an ACK to BIG-IP system serverside FIN. The BIG-IP system serverside connection eventually times out, and the clientside connection is orphaned.
Impact:
Those connections hang indefinitely (even past the idle timeout). Memory increases, eventually leading to a possible TMM out-of-memory condition, requiring a TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TCP connections no longer hang under these conditions.
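Until the fix is installed, the hung connections are visible in the connection table shown above. The following added example (not F5's code) parses 'tmsh show sys conn' style output and flags rows that look orphaned: idle longer than the TCP profile's idle timeout (300 seconds is assumed as the default) and with no serverside flow attached. The sample output is constructed to resemble the rows quoted above, and the reading of 'any6.any any6.any' in the serverside columns as "no serverside flow" is an assumption made for the check.

```python
import re
from collections import Counter

# Constructed sample modelled on the 'tmsh show sys conn protocol tcp' rows
# quoted above: client, virtual server, serverside client, serverside server,
# protocol, idle seconds, owning tmm, and two trailing columns.
SAMPLE_OUTPUT = """\
Sys::Connections
165.160.21.1:5854 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5847 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5890 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.7:40022 195.245.21.252:443 10.0.0.7:40022 10.1.1.10:8443 tcp 12 (tmm: 1) none none
10.0.0.9:40023 195.245.21.252:80 10.0.0.9:40023 10.1.1.11:8080 tcp 3 (tmm: 0) none none
Total records returned: 5
"""

CONN_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<vs>\S+)\s+(?P<ss_client>\S+)\s+(?P<ss_server>\S+)"
    r"\s+(?P<proto>tcp|udp)\s+(?P<idle>\d+)\s+\(tmm:\s*(?P<tmm>\d+)\)"
)


def parse_connections(output):
    """Return one dict per connection row; header and summary lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["idle"] = int(row["idle"])
            row["tmm"] = int(row["tmm"])
            rows.append(row)
    return rows


def find_orphaned(output, idle_timeout=300):
    """Rows idle past the profile timeout (assumed default 300 s) whose
    serverside columns are both 'any6.any', taken here (assumption) to mean
    no serverside flow is attached: the shape of the hung connections."""
    return [
        r for r in parse_connections(output)
        if r["idle"] > idle_timeout
        and r["ss_client"] == "any6.any" and r["ss_server"] == "any6.any"
    ]


def summarize_by_vs(output, idle_timeout=300):
    """Count suspected orphans per virtual server; a count that only grows
    between samples is the signal that memory will eventually be exhausted."""
    return dict(Counter(r["vs"] for r in find_orphaned(output, idle_timeout)))


if __name__ == "__main__":
    print(summarize_by_vs(SAMPLE_OUTPUT))
```

Run it on successive captures of the real output: the idle value of a genuinely orphaned connection keeps climbing past the configured timeout, whereas a normal connection is swept once the timeout is reached.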
754132 : A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command
Component: TMOS
Symptoms:
A default route is not propagated in Network Layer Reachability Information (NLRI) by a routing framework on a command: 'clear ip bgp <neighbor router-id> soft out'.
-- Enter the imi (Integrated Management Interface) shell.
[root@hostname:Active:Standalone] config # imish
hostname[0]>
-- Issue a command inside imish. 10.0.0.4 is neighbor BGP router-id.
hostname[0]>clear ip bgp 10.0.0.4 soft out
Conditions:
-- There is a BIG-IP system with the following routing configuration:
imish output:
hostname[0]#sh run
!
no service password-encryption
!
interface lo
!
... <skip other default information, like interfaces.>
!
router bgp 1
bgp router-id 10.17.0.3
bgp graceful-restart restart-time 120
neighbor 10.17.0.4 remote-as 1
!
-- There is a default route, which is advertised by this BGP configuration. Here is one way to check it:
hostname[0]:sh ip ospf database
... <skip less important info>
AS External Link States
Link ID ADV Router Age Seq# CkSum Route Tag
0.0.0.0 10.17.0.3 273 0x80000002 0x5c4e E2 0.0.0.0/0 0
The 'clear ip bgp 10.17.0.4 soft out' command is issued, and no NLRI with a default route is generated. You can confirm that by running tcpdump and reading the generated Link-state advertisement (LSA) messages, or by watching OSPF debug logs.
Note: The source from which you gather the default route and advertise it to the neighbors does not matter. It might be the usual BGP route learned from another router, a locally created route, or it might be configured by 'neighbor <neighbor router-id> default-originate'.
Impact:
A default-route is not propagated in NLRI by 'soft out' request, even with default-originate configured.
Workaround:
There is no specific workaround for 'clear ip bgp <neighbor router-id> soft out' command, but if you want to make routing protocol propagate a NLRI with a default route, you can do either of the following:
-- Remove the default route from advertised routes. This workaround is configuration-specific, so there are no common steps.
+ If you have default-originate configured for your neighbor, then delete that part of the configuration and re-add it.
+ If you create a default route as a static route, recreate it.
+ And so on.
The idea is to remove a root of default route generation and then add it back.
-- Run a 'soft in' command from your neighbor. If the neighbor you want to propagate an NLRI to is a BIG-IP device, or is capable of running this type of command, you can issue an imish command on the neighbor:
# neighbor-hostname[0]: clear ip bgp <neighbor router-id> soft in
Note: This time, the 'soft in' command requests the NLRIs.
Fix:
A NLRI with default route information is successfully propagated on 'clear ip bgp <neighbor router-id> soft out' command.
754109 : ASM content-security-policy header modification violates Content Security Policy directive
Component: Application Security Manager
Symptoms:
When the backend server sends a content-security-policy header where source-src and default-src directives are missing, ASM will modify the header when it does its own JavaScript injection, which might cause a csp policy violation for inline JavaScript code.
Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has CSRF or AJAX Blocking page enabled.
Impact:
Inline JavaScript does not run. The Browser reports a content-security-policy violation.
Workaround:
Disable csp in ASM by running the following commands:
-- /usr/share/ts/bin/add_del_internal add csp_enabled 0
-- bigstart restart asm
Fix:
ASM no longer modifies the csp header when both source-src and default-src directives are missing.
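The decision the fix makes is a property of how browsers resolve CSP: script execution is governed by script-src, falling back to default-src, and if neither is present nothing restricts scripts, so an injected inline script already runs and the header needs no change. The following added example (not F5's or ASM's code) parses a Content-Security-Policy value and applies that rule; it assumes that 'source-src' in the text above refers to the standard script-src directive. The two header values are constructed samples, and allow_with_nonce shows the defender-side alternative to loosening a policy: granting a nonce to the one script that is meant to run.

```python
# Constructed sample headers: one that constrains scripts, one where neither
# script-src nor default-src is present (the case the fix stops touching).
STRICT_CSP = "default-src 'self'; img-src *; script-src 'self' https://cdn.example"
NO_SCRIPT_DIRECTIVE_CSP = "img-src *; frame-ancestors 'none'"


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}.
    Directive names are case-insensitive; a repeated directive is ignored
    after its first occurrence, as browsers do."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_script_sources(policy):
    """Sources that apply to script execution: script-src if present,
    otherwise default-src, otherwise None (no restriction at all)."""
    if "script-src" in policy:
        return policy["script-src"]
    if "default-src" in policy:
        return policy["default-src"]
    return None


def inline_script_allowed(policy):
    """Would an inline <script> run under this policy? It runs when nothing
    governs scripts, or when 'unsafe-inline' is listed and no nonce or hash
    source is present (a nonce or hash makes browsers ignore 'unsafe-inline')."""
    sources = governing_script_sources(policy)
    if sources is None:
        return True
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def header_needs_change_for_inline(header):
    """True only when a governing directive exists and blocks inline script.
    With script-src and default-src both absent this is False, which is the
    behaviour the fix restores."""
    return not inline_script_allowed(parse_csp(header))


def allow_with_nonce(header, nonce):
    """Add a nonce source to the directive that governs scripts (creating
    script-src from default-src when needed) so only the script carrying
    that nonce runs; a header that restricts nothing is returned unchanged."""
    policy = parse_csp(header)
    sources = governing_script_sources(policy)
    if sources is None:
        return header
    policy["script-src"] = list(sources) + [f"'nonce-{nonce}'"]
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in policy.items())


if __name__ == "__main__":
    for h in (STRICT_CSP, NO_SCRIPT_DIRECTIVE_CSP):
        print(h, "->", "needs change" if header_needs_change_for_inline(h) else "no change")
```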
754103 : iRulesLX NodeJS daemon does not follow best security practices
Component: Local Traffic Manager
Symptoms:
The iRulesLX NodeJS daemon, if explicitly launched with the --debug command-line option, does not follow best security practices.
Conditions:
Launch an iRulesLX plugin:extension with debug command line option (--debug).
Impact:
NodeJS daemon does not follow best security practices.
Workaround:
None.
Fix:
NodeJS daemon now follows best security practices.
754066 : Newly added Systems are not added as part of installing a Server Technologies update file
Component: Application Security Manager
Symptoms:
Newly added Systems are not added as part of installing a Server Technologies update file, which prevents acceptance of Server Technology suggestion.
Conditions:
A Server Technology update file contained newly added Systems is installed.
Impact:
A suggestion to add a Server Technology using a newly added System cannot be accepted.
Workaround:
The corresponding ASM Signature update file must be loaded first.
Fix:
Newly added Systems are added correctly after installing Server Technology update file.
754024 : Dynamic Script Removal Detection fires false-positive alerts on Firefox add-ons and Chrome extensions
Component: Fraud Protection Services
Symptoms:
In some Firefox add-ons and Chrome extensions there are Dynamic Script Removal Detection false-positive alerts when this feature is enabled.
Conditions:
-- Dynamic Script Removal Detection enabled.
-- Using Firefox with add-ons or Chrome with extensions.
Impact:
Dynamic Script Removal Detection false-positive alerts.
Workaround:
None.
Fix:
Dynamic Script Removal Detection being enabled no longer causes false-positive alerts on Firefox add-ons and Chrome extensions
753912-2 : UDP flows may not be swept
Component: Local Traffic Manager
Symptoms:
Some UDP connection flows do not show in the connection table but do show up in stats. This might occur when datagram_lb mode is enabled on the UDP profile under heavy load.
Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.
Impact:
Increased memory utilization of TMM.
Workaround:
None.
Fix:
The system now correctly manages all expired flows.
753893 : Inconsistent validation for firewall address-list's nested address-list causes load failure
Component: Advanced Firewall Manager
Symptoms:
Inconsistent validation for firewall address-list's nested address-lists causes load failure. The operation validates 'addresses' in the address-list but misses the case of modifying the address-list nested in the address-list. The system posts a message similar to the following:
01071a5a:3: Cannot configure mix of IPv4 and IPv6 address(es) in this object.
Unexpected Error: Loading configuration process failed.
Conditions:
-- Modify an address-list's address-lists to contain mixed IPv4 and IPv6 addresses.
-- Save the configuration.
-- Load the configuration.
Impact:
Missing validation for nested address-list modification allows an invalid configuration to be specified and saved into bigip*.conf, which causes load failure.
Note: This might cause upgrade from v12.1.x to fail when the configuration contains a mix of IPv4 and IPv6 within an address-list.
Workaround:
Edit the bigip*.conf file to remove the mix of IPv4 and IPv6 addresses in the nested address-lists.
Fix:
This release contains validation to nested address-lists to check for overlapping IP addresses in the same address family.
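As an added illustration of the two checks the text names (not F5's validation code, and not a description of how mcpd implements it), the following Python flattens an address-list through its nested address-lists and reports a mix of IPv4 and IPv6 entries anywhere in the nest, plus overlapping entries within one family. The list names and prefixes are constructed sample data, and the two-field data model ('addresses' and 'address-lists') is an assumption that mirrors the fields the text refers to.

```python
import ipaddress

# Constructed sample: each list has literal 'addresses' and nested 'address-lists'.
ADDRESS_LISTS = {
    "inner_v4": {"addresses": ["10.1.0.0/24", "10.2.0.0/24"], "address-lists": []},
    "inner_v6": {"addresses": ["2001:db8::/64"], "address-lists": []},
    # Mixed families only through nesting: the case the old check missed.
    "mixed_nested": {"addresses": [], "address-lists": ["inner_v4", "inner_v6"]},
    # Same family, but the literal /16 covers a nested /24.
    "overlap_v4": {"addresses": ["10.1.0.0/16"], "address-lists": ["inner_v4"]},
    "clean": {"addresses": ["192.0.2.0/24"], "address-lists": ["inner_v4"]},
}


def flatten(name, lists, _seen=None):
    """Collect every network reachable from an address-list, recursing through
    nested lists; the visited set guards against reference cycles."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return []
    _seen.add(name)
    entry = lists[name]
    nets = [ipaddress.ip_network(a, strict=False) for a in entry["addresses"]]
    for child in entry["address-lists"]:
        nets.extend(flatten(child, lists, _seen))
    return nets


def validate(name, lists):
    """Return a list of problems for one address-list: mixed address families
    anywhere in the nest, and overlapping entries within the same family."""
    problems = []
    nets = flatten(name, lists)
    families = {n.version for n in nets}
    if len(families) > 1:
        problems.append(f"{name}: mixes IPv4 and IPv6 addresses")
    for family in sorted(families):
        same = [n for n in nets if n.version == family]
        for i, a in enumerate(same):
            for b in same[i + 1:]:
                if a.overlaps(b):
                    problems.append(f"{name}: {a} overlaps {b}")
    return problems


def validate_all(lists):
    """Validate every list; run this before saving so an invalid nest never
    reaches bigip*.conf and fails at the next load or upgrade."""
    return {n: validate(n, lists) for n in lists}


if __name__ == "__main__":
    for list_name, problems in validate_all(ADDRESS_LISTS).items():
        print(list_name, problems or "ok")
```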
753805 : BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
Component: Local Traffic Manager
Symptoms:
After failover, the virtual server takes longer than expected to become available.
Conditions:
-- There is a configuration difference in the pool members before and after the configuration synchronization.
-- Probe status is also different.
Impact:
Virtual server takes longer than expected to become available.
Workaround:
Run full sync (force-full-load-push) from the active BIG-IP system to solve this issue.
753796 : SNMP does not follow best security practices
Component: TMOS
Symptoms:
Under certain conditions, SNMP does not follow best security practices when responding with specific MIBs.
Conditions:
SNMP access granted (no remote SNMP access is allowed in the default configuration).
Impact:
SNMP does not follow best security practices.
Workaround:
Restrict access to SNMP via IP and/or SNMPv3 authentication.
Fix:
SNMP now follows best security practices for all MIBs.
753776 : TMM may consume excessive resources when processing UDP traffic
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing UDP traffic.
Conditions:
Enabled virtual server with a UDP profile.
datagram_lb mode enabled.
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
None.
Fix:
TMM now processes UDP traffic as expected.
753650-3 : The BIG-IP system reports frequent kernel page allocation failures.
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4450 (A114)
Please note the issue is known to occur regardless of whether the system is running in vCMP mode or not, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase this to either 64 MB (65536 KB) or 128 MB (131072 KB). You must do this on all blades installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to only survive reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures.
753642 : iHealth may report false positive for Critical Malware
Component: TMOS
Symptoms:
A minor change in the way qkview reports executable filenames may cause iHealth to report the presence of malware.
Conditions:
qkview files produced by 14.1.0 are uploaded to ihealth.f5.com.
Impact:
iHealth may report a false positive for malware.
Workaround:
Ignore critical errors for malware reported by iHealth for version 14.1.0 only.
Fix:
This is fixed in 14.1.0.1.
753637 : Diameter MBLB profile does not change the hop-by-hop ID by default
Component: Service Provider
Symptoms:
The Diameter MBLB profile does not change the hop-by-hop ID.
Conditions:
Diameter MBLB virtual server.
Impact:
The hop-by-hop ID is not changed.
Workaround:
None.
Fix:
The Diameter MBLB profile can now change the hop-by-hop ID when the db key Diameter.mblb.hopid_replace is set to enable.
Behavior Change:
There is a new db key 'Diameter.mblb.hopid_replace' that you can enable to automatically set the hop-by-hop ID.
753594 : In-TMM monitors may have duplicate instances or stop monitoring
Component: Local Traffic Manager
Symptoms:
Most monitored resources (such as pools) report messages similar to the following:
Availability : unknown
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet.
A fraction of the monitored resources report the correct status based on the state of the resource.
Enabling bigdlog may show messages containing 'tmm_mid=x:0' (where x can be 0, 1, 2, and so on); for example, tmm_mid=1:0 in the following:
[0][11288] 2019-03-08 10:03:04.608: ID 10859 :(_do_ping): post ping, status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=1:0 addr=::ffff:1.2.37.44:443 mon=/Common/https fd=-1 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1552068189.684126][2019-03-08 10:03:09] last_ping=[1552068184.684909][2019-03-08 10:03:04] deadline=[1552067610.048558][2019-03-08 09:53:30] on_service_list=True snd_cnt=119 rcv_cnt=0 ]
The following error might appear in /var/log/ltm:
-- failed to handle TMA_MSG_DELETE message: MID 0, error TMA_ERR_INVALID_MID(Monitor ID is invalid or unused)
Conditions:
-- Configure In-TMM monitoring with a sufficiently large number of monitored objects.
-- Modify monitors while pool members are in an offline state or perform rapid modification of In-TMM monitors.
Impact:
Some monitors may be executed multiple times per configured interval on a resource, and some monitors may not be executed at all against resources.
Workaround:
Switch to traditional bigd monitoring instead of In-TMM:
tmsh modify sys db bigd.tmm value disable
Fix:
Rapid modification of in-TMM monitors no longer leaves old monitor instances behind.
753564 : Attempt to change password using /bin/passwd fails
Component: TMOS
Symptoms:
When /bin/passwd is run as root, it fails with:
passwd.bin: unable to start pam: Critical error - immediate abort
Failed to change user's password. Exiting.
Running /bin/ausearch -m avc -ts recent then shows many SELinux denials for passwd.bin.
Conditions:
No special conditions needed.
Impact:
Root/admin user cannot change password using the standard /bin/passwd executable.
Workaround:
Temporarily set SELinux to permissive mode, change the password, and then re-enable enforcing mode:
# setenforce Permissive
# passwd
# setenforce Enforcing
Alternatively, use tmsh to change the password: tmsh modify auth password root
Lastly, if you wish to modify the SELinux policy instead, use the standard procedure:
# ausearch -c passwd.bin --raw | audit2allow -M mypasswd
# semodule -i mypasswd.pp
Fix:
With this fix, /bin/passwd.bin is no longer denied by SELinux, and /bin/passwd works as expected.
753514 : Large configurations containing LTM Policies load slowly
Component: Local Traffic Manager
Symptoms:
Very slow performance when loading a configuration, for example, at system start up. During this time, the tmsh process shows high CPU usage.
Conditions:
BIG-IP 13.1.x, 14.x. Large configuration (1 MB or larger) with at least one, but more likely tens or hundreds of, LTM policies defined in the configuration.
Impact:
Slow configuration loading, or in cases with very large configurations, full config load may fail after a long wait. Slowness increases with overall configuration size and number of LTM policies defined.
Workaround:
None.
Fix:
Large configurations containing LTM Policies load normally.
753512 : Portal Access: Resource with '?' in query part of URL cannot be created.
Component: Access Policy Manager
Symptoms:
If a Portal Access resource URL contains '?' (a question mark) inside the query part, it cannot be created. The URL is reported to be invalid.
Conditions:
Portal Access resource with URL containing a '?' inside query part, like this:
http://example.com/some/path?aaa=?&b=vvv
Impact:
Portal Access resource cannot be used.
Workaround:
Replace '?' with '%3F' inside the query part of the URL.
Fix:
Portal Access resource URLs can now contain '?' inside the query part.
753485 : AVR global settings are being overridden by HA peers
Component: Application Visibility and Reporting
Symptoms:
Configuration of AVR global settings is being overridden by high availability (HA) peers, and thus report incorrectly to BIG-IQ Data Collection Devices (DCDs).
Conditions:
Configuring HA for systems connected to BIG-IQ.
Impact:
Configuration of BIG-IP systems in HA configuration can override each other. This might result in the following behavior:
-- They incorrectly identify themselves to BIG-IQ.
-- They report to the wrong DCD.
-- They report to DCD even if they are not configured to report at all.
-- They do not report at all even if they are configured to report.
Workaround:
None.
Fix:
Synchronization of the relevant fields in AVR global settings is disabled, so this issue no longer occurs.
753446 : avrd process crash during shutdown if connected to BIG-IQ
Component: Application Visibility and Reporting
Symptoms:
During shutdown of BIG-IP, if it is connected to BIG-IQ then avrd might crash.
Conditions:
BIG-IP is set to shutdown and configured to send statistics to BIG-IQ.
Impact:
No serious impact: the BIG-IP system is already shutting down, so the process crash causes no damage.
Workaround:
N/A
Fix:
avrd no longer crashes during shutdown.
753441 : AJAX encryption feature ignores encoded parameters names
Component: Fraud Protection Services
Symptoms:
The AJAX encryption feature does not encrypt parameters configured with encryption enabled in the application's AJAX request. This happens when the parameters are sent with encoded names.
Conditions:
-- Parameter is configured with encryption enabled.
-- AJAX encryption feature is enabled and the application sends the configured parameter using AJAX.
-- The application sends the configured name encoded.
-- The parameter-encoded name and the parameter-unencoded name are different.
Impact:
The configured parameter is sent as plain text.
Workaround:
In v14.0.x and later, once the parameter is configured, set the 'Name in request' option to the parameter's encoded name.
For example, if you have a field called 'password', and you want to send an AJAX request using '%24password', you must configure AJAX Mapping like this:
password -> %24password
Fix:
In v14.0.x and later, continue to use the solution suggested in the Workaround section.
In 13.1.x versions, the encrypt AJAX feature now encrypts parameters with encoded names as well.
753295 : ASM REST: All signatures being returned for policy Signatures regardless of signature sets
Component: Application Security Manager
Symptoms:
By default, only signatures that are included in the Security Policy enforcement via the Policy's Signature Sets are included in the response to /tm/asm/policies/<ID>/signatures.
Additionally, there should be the capability to $filter for either signatures that are in the policy or not in the policy.
These filters are not working.
Conditions:
ASM REST/GUI is used to determine the number of signatures enabled on a Security Policy.
Impact:
More data than expected is returned to REST clients, which may cause confusion.
Learning statistics/graphs may have confusing/incorrect numbers.
Workaround:
None
Fix:
inPolicy $filter works again, and the default behavior only returns the signatures that are in the policy.
753163 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
Component: Policy Enforcement Manager
Symptoms:
No connection request is sent to PCRF/OCS if a high availability (HA) failover occurs after 26 days; tmm crash.
Conditions:
-- Using PEM.
-- HA failover occurs after 26 days.
Impact:
PEM does not send the reconnect request as configured, so no connection is initiated with PCRF/OCS.
Workaround:
To restart the connection, restart tmm using the following command:
tmm restart
Note: Traffic disrupted while tmm restarts.
Fix:
PEM now initiates the connection with PCRF/OCS under these conditions.
753159 : Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections
Component: Local Traffic Manager
Symptoms:
Mirrored serverside FastL4 connections do not inherit the IP ToS/QoS values from the selected pool or values set via iRule IP::tos/LINK::qos commands.
Conditions:
-- FastL4 virtual server with mirroring.
-- Pool with non-zero IP ToS/QoS values.
or
-- iRule with IP::tos/LINK::qos serverside commands.
Impact:
IP ToS/QoS values are not set on mirrored connection after failover.
Workaround:
Configure the desired IP ToS/QoS values in the FastL4 profile.
Fix:
Mirrored FastL4 serverside connections now inherit the IP ToS/QoS values specified in the associated pool configuration or values set via iRule IP::tos/LINK::qos commands.
753157 : Support some AAA agents relevant to oauth-resource-server type policy
Component: Access Policy Manager
Symptoms:
AD query, LDAP query, RADIUS Auth, RADIUS Acct, TACACS+ Auth and TACACS+ Acct cannot be used in an access policy of type oauth-resource-server.
Conditions:
Access policy is of type oauth-resource-server.
Impact:
The agents cannot be used.
Workaround:
None.
Fix:
These agents have now been made visible for access policy of type oauth-resource-server.
753151 : Kerberos SSO: Improve the logging of the error msg when Kerberos requests are not processed.
Component: Access Policy Manager
Symptoms:
Currently, when the client system closes the TCP connection, the associated Kerberos requests are not processed. The error message logged is generic and does not include the reason the Kerberos requests were not processed:
err websso.3[25121]: 014d0048:3: /Common/test_access_sso:Common:074d1914: failure occurred when processing the work item: Kerberos failed
Conditions:
This occurs when Kerberos requests are not processed because the client closed the TCP connection.
Impact:
The error message logged is generic and does not indicate the reason for the failure, which makes it difficult to debug scenarios in which the BIG-IP system handles a large number of Kerberos SSO requests that lead to system instability.
Workaround:
None.
Fix:
When Kerberos SSO requests are not processed due to client- or server-side issues, the system logs an error message containing the corresponding reason.
753141 : Hardware returning incorrect type of entry when notifying software might cause tmm crash
Component: Advanced Firewall Manager
Symptoms:
Potential tmm crash when hardware returns incorrect type of entry when notifying software.
Conditions:
-- sPVA is not programmed with blacklist or greylist entries.
-- Hardware returns an incorrect blacklist or greylist entry to the software.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release adds a defensive check in software so that tmm does not crash, and dumps the hardware registers when this happens, which will help debug the hardware in the future.
753028 : AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
Component: Advanced Firewall Manager
Symptoms:
When Proxy ARP is enabled for destination addresses in an FW NAT rule performing destination NAT (static-nat/static-pat), forwarding ICMP traffic matching that rule is incorrectly dropped by AFM instead of being forwarded through the BIG-IP system.
Conditions:
-- Proxy ARP is enabled for destination addresses in an FW NAT rule.
-- The BIG-IP system (AFM) receives forwarding ICMP traffic for these (untranslated) destination addresses.
Impact:
Forwarding ICMP traffic is dropped by the BIG-IP system.
Workaround:
You can disable Proxy ARP functionality for FW NAT rules to cause the BIG-IP system (AFM) to handle forwarding ICMP traffic correctly and pass it through the system to the backend.
However, this causes the BIG-IP system to not respond to ARP requests anymore for destination addresses in such rules. As a further mitigation action, you can configure static ARP entries to handle this.
Fix:
The BIG-IP system (AFM) now correctly forwards ICMP traffic through to the backend when Proxy ARP is enabled on destination addresses in the matching FW NAT rule.
753014 : PEM iRule action with RULE_INIT event fails to attach to PEM policy
Component: Policy Enforcement Manager
Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.
Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.
Impact:
PEM fails to update the new iRule action.
Workaround:
Force mcpd to reload the BIG-IP configuration.
To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
Fix:
The system now continues processing PEM iRule actions if RULE_INIT event is present, so this issue no longer occurs.
752994 : Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod
Component: TMOS
Symptoms:
With a large number of client SSL profiles, combined with shallow nesting of these profiles, all referring to a single SSL certificate file object, mcpd can take a lot of time to process an update to that certificate. It is possible this amount of time will be longer than sod's threshold, and cause it to kill mcpd.
Conditions:
- A large number (hundreds or thousands) of client SSL profiles that have a shallow nesting structure and all point back to a single SSL certificate file object.
- Happens when the SSL certificate is updated.
Impact:
sod kills mcpd, which causes a failover (when high availability (HA) is configured) or an outage (when there is no HA configured).
Workaround:
None.
Fix:
Prevented sod from killing mcpd in this scenario.
752942 : Live Update cannot be used by Administrator users other than 'admin' and 'root'
Component: Application Security Manager
Symptoms:
When users configured with the Administrator role log into the system, they are not allowed to install security update files on the new live-update page:
System :: Software Management : Live Update
Conditions:
The logged-in BIG-IP user is not 'admin' (the built-in Administrator account for the TMUI) or 'root' (the built-in Administrator account for the TMSH).
Impact:
Cannot apply security updates.
Workaround:
To install the security updates, log in as 'admin' or a BIG-IP user configured as a web-application-security-administrator or web-application-security-editor (role must be configured on all partitions or at least on the Common partition).
Fix:
Any BIG-IP user configured as Administrator can now apply security updates.
752930-5 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
Component: Local Traffic Manager
Symptoms:
Virtual servers are left in an unknown state. The blade keeps restarting.
Conditions:
Changing the default route domain (RD) of a partition that has wildcard virtual servers.
Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop.
Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.
2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:
# ssh slot2 bigstart stop
# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109
# save sys config
# clsh rm -f /var/db/mcpdb.bin
# ssh slot2 bigstart start
Note: This recovery method might have to be executed multiple times to restore a working setup.
752875 : tmm core while using service chaining for SSLO
Component: Access Policy Manager
Symptoms:
tmm cores when using security services (service connect agent in per-request policies) for SSLO deployment.
Conditions:
-- Service connect agent in per-request policy.
-- SSLO deployment.
Impact:
tmm cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer cores when using security services (service connect agent in per-request policies) for SSLO deployment.
752851 : GUI - Provide search capability for Keys, Certificates and SSL Profile select boxes
Component: TMOS
Symptoms:
It is hard to select options when there are a large number of options in select boxes for Keys, Certificates, and SSL Profiles.
Conditions:
Having a large number of Keys, Certificates, and SSL Profiles, which is common in the case of virtual hosting.
Impact:
It is hard to search for and select the required options when there is a large number of options in the select boxes. In addition, the GUI may restart due to java.lang.OutOfMemoryError: Java heap space when there is a large number of SSL keys/certs/profiles. This applies to all GUI screens that list a large number of SSL keys/certs/profiles.
Workaround:
To work around the out-of-memory issue:
1. Allocate appropriate extramb to tomcat using the following command:
tmsh modify sys db provision.tomcat.extramb value 256
2. Restart tomcat:
bigstart restart tomcat
Fix:
Improved selection experience when there are many options in the select boxes for Keys, Certificates, and SSL Profiles. The GUI no longer restarts.
752835 : Mitigate mcpd out of memory error with auto-sync enabled.
Component: TMOS
Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it falls exponentially further behind due to the extra sync data, leading to the sending mcpd running out of memory and dumping core.
Conditions:
-- Auto-sync enabled in an HA pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.
Impact:
mcpd crashes.
Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.
Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.
752822 : SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
Component: Service Provider
Symptoms:
SIP ALG calls that fail translation during ingress are not cleaned up by the system, which might result in memory being leaked inside the TMM processes.
Conditions:
SIP ALG calls that fail translation during ingress.
Impact:
TMM leaks memory, which can slow down performance and eventually cause TMM to run out of memory and restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now cleans up SIP ALG calls that fail translation during ingress, so this issue no longer occurs.
752803 : CLASSIFICATION_DETECTED running reject can lead to a tmm core
Component: Traffic Classification Engine
Symptoms:
When the CLASSIFICATION_DETECTED event is run on a serverside flow, and then an iRule command (e.g., to reject a flow) is run, tmm crashes.
Conditions:
-- CLASSIFICATION_DETECTED event runs on a serverside flow.
-- An iRule command runs (e.g., reject a flow).
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes under these conditions.
752797 : BD is not correctly closing a shared memory segment
Component: Application Security Manager
Symptoms:
The number of shared memory segments keeps increasing.
Conditions:
There are many ASM restarts.
Impact:
Memory increases on the system.
Workaround:
None.
Fix:
Fixed a possible shared memory leak issue.
752782 : 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'
Component: Fraud Protection Services
Symptoms:
The 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.
Conditions:
FPS Provisioning and a DataSafe license.
Impact:
The menu name has changed in this release.
Workaround:
None.
Fix:
'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.
752592 : VMware Horizon PCoIP clients may fail to connect shortly after logout
Component: Access Policy Manager
Symptoms:
Sometimes, if a user closes an open PCoIP desktop, logs out, and then logs in again, the user can no longer launch the same desktop.
Conditions:
PCoIP UDP VS has "vdi" profile assigned.
Impact:
The user cannot open the PCoIP remote desktop for a short period of time (1 minute).
Workaround:
Remove "vdi" profile and assign "remotedesktop" profile to the PCoIP UDP VS:
# tmsh modify ltm virtual <PCoIP UDP VS> profiles delete { vdi }
# tmsh modify ltm virtual <PCoIP UDP VS> profiles add { remotedesktop }
In the admin UI, assignment of the "remotedesktop" profile can be controlled via the "Application Tunnels (Java & Per-App VPN)" checkbox (directly under the "VDI Profile" dropdown).
Fix:
Assignment of the "vdi" profile to the PCoIP UDP VS no longer causes intermittent connection problems.
752530 : TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
Component: Local Traffic Manager
Symptoms:
Fast L4 TCP Analytics reports incorrect goodput when the server sequence number and the TMM-generated sequence number differ.
Conditions:
This occurs when either of the following conditions is met:
-- tcp-generate-isn is set in the Fast L4 profile.
-- SYN cookie is active.
Impact:
The GUI page Statistics :: Analytics :: TCP :: Goodput page displays incorrect goodput values.
Workaround:
None.
Fix:
Fast L4 TCP Analytics now shows correct goodput values when the server sequence number and the TMM-generated sequence number differ.
752484 : Firefox v52 or earlier getting CAPTCHA by Bot Defense
Component: Application Security Manager
Symptoms:
ASM end users connecting using Firefox v52 or earlier might get the CAPTCHA challenge by Bot Defense when the browser is running on virtual machine or Remote Desktop.
Conditions:
-- Bot Defense is enabled.
-- Detect Suspicious Browsers is turned on.
-- Using a pre-v52 version of Firefox.
-- Running Firefox on a virtual machine or Remote Desktop.
Impact:
Firefox users can access the page only after passing the CAPTCHA challenge.
Workaround:
Run the following command to work around the issue:
tmsh modify sys db dosl7.browser_legit_min_score_captcha value 70
Fix:
Bot Defense no longer presents a CAPTCHA challenge to ASM users connecting using Firefox v52 or earlier.
752363-1 : Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
Component: Advanced Firewall Manager
Symptoms:
Client request fails, due to being dropped on the BIG-IP system.
Conditions:
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.
Impact:
Client request gets dropped due to BIG-IP AFM dropping the flow.
Workaround:
Disable the BDoS feature. The feature can be disabled using the following commands:
-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}
-- To disable BDoS per profile, run the following commands:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }
Fix:
The system now handles the looped flows properly, so the BDoS module does not incorrectly cause the packet to be dropped.
752334 : Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
Component: Local Traffic Manager
Symptoms:
When Fast L4 receives out-of-order TCP packets, TCP analytics may compute an incorrect goodput value.
Conditions:
Fast L4 receives out-of-order packets.
Impact:
Fast L4 reports an incorrect goodput value for the connection.
Workaround:
None.
Fix:
Out-of-order packet arrival no longer causes incorrect Fast L4 goodput calculation.
752216 : DNS queries without the RD bit set may generate responses with the RD bit set
Solution Article: K33587043
Component: Global Traffic Manager (DNS)
Symptoms:
If the BIG-IP system is configured to use forward zones, responses to DNS queries may include the RD bit, even if RD bit is not set on the query.
Conditions:
-- Forward zone is configured.
-- Processing a query without the RD bit.
Impact:
Some responses to DNS queries may include the RD bit, even though the RD bit is not set on the query. This is cosmetic, but some DNS tools may report it as an RFC violation.
Workaround:
None.
Fix:
If a query does not have the RD bit set and is forwarded, the system now clears the RD bit on the response from the forward, if it is set.
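The RD-bit check described in this issue, written out as an added example that is not part of these release notes or of the BIG-IP code base: it parses the 12-byte DNS header of a constructed query/response pair, flags a response that carries RD although the query did not, and applies the same normalization the fix describes (clearing RD on the response). Sample messages and IDs are constructed here.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR_BIT = 0x8000  # 0 = query, 1 = response
RD_BIT = 0x0100  # recursion desired (copied from the query by a correct forwarder)
RA_BIT = 0x0080  # recursion available

# Constructed question section: example.com, type A, class IN
QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"


def dns_id(packet: bytes) -> int:
    """Return the 16-bit message ID (header bytes 0-1)."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    return struct.unpack("!H", packet[0:2])[0]


def dns_flags(packet: bytes) -> int:
    """Return the 16-bit flags field (header bytes 2-3)."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    return struct.unpack("!H", packet[2:4])[0]


def rd_mismatch(query: bytes, response: bytes) -> bool:
    """True when the response sets RD although the query did not.

    This is the cosmetic deviation the release note describes for queries
    forwarded through a forward zone; RD in a response should mirror the query.
    """
    if dns_id(query) != dns_id(response):
        raise ValueError("query/response ID mismatch")
    qflags, rflags = dns_flags(query), dns_flags(response)
    if qflags & QR_BIT or not (rflags & QR_BIT):
        raise ValueError("expected a query followed by a response")
    return not (qflags & RD_BIT) and bool(rflags & RD_BIT)


def normalize_rd(query: bytes, response: bytes) -> bytes:
    """Clear RD on the response when the query did not set it (what the fix does)."""
    if not rd_mismatch(query, response):
        return response
    flags = dns_flags(response) & ~RD_BIT
    return response[:2] + struct.pack("!H", flags) + response[4:]


def build_message(msg_id: int, flags: int, qdcount: int = 1, ancount: int = 0) -> bytes:
    """Constructed minimal DNS message: a header followed by the sample question."""
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, 0, 0) + QUESTION


# Constructed sample pair: a query without RD, a forwarded response that set RD,
# and the response as it should look once RD has been cleared.
QUERY_NO_RD = build_message(0x1234, 0x0000)
QUERY_WITH_RD = build_message(0x1234, RD_BIT)
BAD_RESPONSE = build_message(0x1234, QR_BIT | RD_BIT | RA_BIT)
GOOD_RESPONSE = build_message(0x1234, QR_BIT | RA_BIT)

if __name__ == "__main__":
    print("mismatch on constructed pair:", rd_mismatch(QUERY_NO_RD, BAD_RESPONSE))
    print("normalized flags: 0x%04x" % dns_flags(normalize_rd(QUERY_NO_RD, BAD_RESPONSE)))
```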
752079 : In SSL forward proxy, forged untrusted server certs are no longer cached.
Component: Local Traffic Manager
Symptoms:
Previously, SSL forward proxy cached forged server certs on the client side even if the server cert was untrusted. Now, SSL forward proxy does not cache the forged cert if the server cert is untrusted.
Conditions:
SSL forward proxy is enabled and server cert is untrusted.
Impact:
You might notice a performance impact compared with previous releases.
Workaround:
None.
Fix:
There is a behavior change: the system does not cache forged server certs if the cert is not trusted.
Behavior Change:
Previously, SSL forward proxy cached forged server certs on the client side even if the server cert was untrusted. Now, SSL forward proxy does not cache the forged cert if the server cert is untrusted. As a result, you might notice slower performance in this release under these conditions.
752078-1 : Header Field Value String Corruption
Component: Local Traffic Manager
Symptoms:
This is specific to HTTP/2.
In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP.
Conditions:
If the header field value string is exceptionally long, and has embedded white space characters, this bug may occur.
Impact:
A header such as:
x-info: very_long_string that has white space characters
may be sent to the client thus:
x-info: ery_long_string that has white space characters
Fix:
Fixed.
752058 : False positive CSRF violation for the URL with semicolon with explicit CSRF URL configuration
Component: Application Security Manager
Symptoms:
Requests containing semicolon ';' characters are blocked by an ASM policy that has explicit CSRF URL configured. An ASM blocking page listing a support ID is presented to the ASM end user.
Conditions:
- ASM provisioned.
- ASM configured on a virtual server.
- ASM CSRF enabled and explicit URL configured.
Impact:
The web application does not work as expected.
Workaround:
Use a wildcard CSRF URL.
Fix:
The CSRF JavaScript code now handles the semicolon ';' character as a path parameter separator when it is at the end of the request URL.
752047 : iRule running reject in CLASSIFICATION_DETECTED event can cause core
Component: Traffic Classification Engine
Symptoms:
The CLASSIFICATION_DETECTED iRule event can run very early when classification happens in the classification database (srdb). If the iRule then issues a reject command, tmm cores.
Conditions:
CLASSIFICATION_DETECTED on L4 executing reject command.
Impact:
tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
iRule running reject in CLASSIFICATION_DETECTED event no longer causes tmm core.
751869-3 : Possible tmm crash when using manual mode mitigation in DoS Profile
Component: Advanced Firewall Manager
Symptoms:
tmm crash and restart is possible when using manual mode mitigation in DoS Profile.
Conditions:
When manual mode mitigation is used for any vector that is enabled in the DoS Profile that is attached to a Protected Object.
Impact:
tmm crash and restart is possible. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm crash and restart no longer occurs when using manual mode mitigation in DoS Profile.
751824 : Restore old 'merge' functionality with new tmsh verb 'replace'
Component: TMOS
Symptoms:
Prior to v12.1.3.4, the 'merge' command merged a specified config with the existing config, replacing certain conflicting values. In this release, the merge command operates differently, so there is a new command, 'replace', to now perform the operation previously accomplished with 'merge'.
Conditions:
Running the following command:
tmsh load /sys config file <scf-filename> merge
Impact:
Operation does not work like it did in previous releases.
Workaround:
None.
Fix:
This release restores the merge functionality from v12.x and earlier with a new tmsh verb: replace. The new TMSH command is as follows:
tmsh load sys config file <filepath> replace
Behavior Change:
This release restores the merge functionality from v12.x and earlier with a new tmsh verb: replace. The new TMSH command is as follows:
tmsh load sys config file <filepath> replace
The merge command now operates as follows:
-- Previously: if a top-level object (virtual server) existed in the config and also in the merge file, the top-level object was replaced.
-- Now: if a top-level object (virtual server) exists in both, the top-level object is recursively merged. (Pool members are merged together. LTM virtual server profiles are merged together (appended vs. replace-all-with)).
751807 : SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel
Component: Access Policy Manager
Symptoms:
Decrypted traffic is not forwarded to services even though a matching rule action in the security policy selects a service chain.
Conditions:
-- Matching rule action in security policy selects a service chain.
-- Traffic is an HTTP tunnel (CONNECT method) accepted by an outbound transparent proxy created by SSL Orchestrator.
Impact:
No visibility to decrypted traffic if it is an HTTP tunnel through SSL Orchestrator.
Workaround:
None.
Fix:
Decrypted traffic is now forwarded to services as expected when a matching rule action in the security policy selects a service chain for HTTP tunnel traffic sent through SSL Orchestrator.
751710 : False positive cookie hijacking violation
Component: Application Security Manager
Symptoms:
A false positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the configured one.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
N/A
751589 : In BIG-IP VE, some IP rules may not be created during the first boot up.
Component: Local Traffic Manager
Symptoms:
The BIG-IP Virtual Edition (VE) system might not be able to install some IP rules in the host during the first boot up. As a result, some types of traffic (e.g., ssh) destined for the BIG-IP system via the data path (not via the management interface) might not be able to respond back to a sender. This issue exists only during the first boot into a new BIG-IP partition after installation.
Conditions:
This issue exists if the following conditions are met:
-- The BIG-IP system is VE.
-- Before installing a new BIG-IP image, the sys db variables 'liveinstall.saveconfig' and 'liveinstall.moveconfig' are both set to 'disable'. By default, both variables are set to 'enable'.
-- First boot into a new BIG-IP partition after installation.
Impact:
Some types of traffic (e.g., ssh) destined for the BIG-IP system via the data path (not via the management interface) might not be able to respond back to a sender.
Workaround:
You can use either of the following workarounds:
-- Restart mcpd using the following command:
bigstart restart mcpd
-- After the first boot into a new BIG-IP partition, you can simply reboot the BIG-IP system again, and then the necessary IP rules are created correctly.
Fix:
The necessary IP rules are created correctly in the first boot into a new BIG-IP partition after installation.
751448 : TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart
Component: TMOS
Symptoms:
There are three major routing participants on a BIG-IP system: the TMM, ZebOS, and Linux routing tables. Each of them replicates routes to the others. The 'bigstart restart tmm' command restarts tmm, and part of the restart process is to mark VLAN interfaces DOWN and later UP. Another part of the same process is to restart the ZebOS daemons.
There is a race condition between these two events, so the following might happen:
1) tmm marks the interface named vlan1 as DOWN, and a bit later marks it as UP, but not UP and RUNNING.
2) The ZebOS daemons are restarted and ready to update interface status. They request a current status and mark interface UP, not UP and RUNNING.
3) tmm is fully restarted and marks vlan1 UP and RUNNING.
4) The ZebOS daemons reject dynamic routes because interface vlan1 is UP, but not RUNNING.
Conditions:
- BIG-IP Virtual Edition (VE).
- Dynamic routing is configured and there is a device with some dynamic routes.
- You run the 'bigstart restart tmm' command.
Impact:
Traffic that relies on dynamic routes is interrupted. Because this is a race condition, it depends on configuration and timing.
Workaround:
Restart tmrouted daemon using the following command:
bigstart restart tmrouted
Fix:
Dynamic routes are not rejected and are successfully inserted into routing tables.
751424 : HTTP Connect Category Lookup not working properly
Component: Access Policy Manager
Symptoms:
1. HTTP Connect Category Lookup does not return the correct category.
2. HTTP Connect Category Lookup cannot attach the service chain correctly.
Conditions:
-- Using SSLO iApp to configure a security policy.
-- Choose the conditions 'Category Lookup (All)' and 'Category Lookup (HTTP Connect)'.
Impact:
Service chain is not correctly triggered based on the SSLO iApp policy selection when HTTP Connect traffic is passed.
Workaround:
There is no workaround at this time.
Fix:
1. The Access Per-request Policy HTTP Connect Category Lookup agent now returns the correct category ID.
2. Service connector is now inserted correctly, which ensures the correct behavior when dealing with HTTP Connect tunnel traffic.
751179 : MRF: Race condition may create too many outgoing connections to a peer
Component: Service Provider
Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.
Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.
Impact:
More than one connection to a peer is created.
Workaround:
None.
Fix:
Only one connection is created under these conditions.
751116 : DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring
Component: Advanced Firewall Manager
Symptoms:
The DoS visibility screens (Monitoring :: Security :: Reporting : DoS) may display DNS and Network protocol DoS attacks with the incorrect mitigation details.
Conditions:
An attacked object assigned to a DoS profile with either DNS or Network security protocols that are configured to have detect-only or learn-only states for DoS attacks.
Impact:
Network or DNS DoS attacks, detected by a DoS profile with detect-only or learn-only protection, display mitigation as Blocking instead of the configured Transparent protection. This does not affect the reported traffic data found in the DoS visibility dimensions and charts.
Workaround:
None.
751095 : Ability to search the active access sessions by virtual servers
Component: Access Policy Manager
Symptoms:
There is no ability to search access sessions by virtual server.
Conditions:
Finding/searching active sessions per virtual server.
Impact:
Cannot complete the operation.
Workaround:
None.
Fix:
This release supports searching active access sessions by virtual server.
751024 : i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
Component: TMOS
Symptoms:
Messages similar to the following appear in /var/log/ltm:
info bcm56xxd: 012c0012:6: I2C muxes are not cleared. Problem with mux 224:
Conditions:
-- i5000/i7000/i10000 platforms.
-- May be caused by a defective optic, rebooting/upgrading the BIG-IP system, or removing and reinserting optics.
Impact:
Changes in optic state may be ignored while I2C bus is unavailable.
Workaround:
For each SFP, perform the following procedure:
1. Unplug the optic.
2. Wait 10 seconds.
3. Plug optic back in.
Note: This message might be caused by a defective optic. If error messages stop when one optic is removed, and error messages resume when the optic is inserted, replace that optic.
Fix:
The I2C bus on i5000/i7000/i10000 platforms now resets the Mux controlling the I2C bus connected to the front panel optics.
751011 : ihealth.sh script and qkview locking mechanism not working
Component: TMOS
Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.
Conditions:
Running qkview on one terminal and then ihealth.sh in another.
Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.
Workaround:
Run either qkview or ihealth.sh, not both simultaneously.
Fix:
Starting a qkview and then running ihealth.sh halts immediately as the system detects that qkview is running.
751009 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
Component: TMOS
Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.
Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.
Impact:
The file /var/tmp/mcpd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.
Deleting the file makes it harder to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because doing so now requires a service impact (restarting mcpd).
Additionally, it may cause challenges in managing disk space on the /shared filesystem, because mcpd keeps writing to a deleted file, which cannot be truncated.
Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.
Edit the /usr/bin/ihealth.sh script to remove the corresponding line.
From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr
Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.
Fix:
The problem line has been removed from the script, so this mcpd debug file is left alone (not deleted) after running ihealth.sh. Note that the GUI version of running qkview uses ihealth.sh script.
750973 : Import XML policy error
Component: Application Security Manager
Symptoms:
Import XML policy fails with errors:
--------
The security policy file does not conform to the schema and cannot be imported
element attack_type: Schemas validity error : Element
'attack_type': 'Web Scraping' is not a valid value
--------
Conditions:
-- A user-defined Signature Set having Attack Type 'Web Scraping' defined.
-- This Signature Set is included in an exported XML policy.
Impact:
Schema validation on XML policy import fails. Import XML policy fails with errors.
Workaround:
Use binary policy export/import.
Fix:
This release fixes the XML policy export/import process so that it no longer fails or produces Attack Type 'Web Scraping'-related errors.
750922 : BD crash when content profile used for login page has no parse parameters set
Component: Application Security Manager
Symptoms:
Bd crashes. No traffic goes through ASM.
Conditions:
-- A JSON login page is configured.
-- The content profile used for the login page does not have parse parameters set.
Impact:
No traffic goes through ASM. Bd crashes.
Workaround:
Set the parse parameters setting.
Fix:
BD no longer crashes when the content profile used for login page has no parse parameters set.
750823 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
Component: Access Policy Manager
Symptoms:
Memory usage in TMM keeps going up.
Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:
TCL error: ... - Failed to forward request to apmd.
Impact:
Memory leaks in TMM, which cause a TMM crash eventually.
Workaround:
Limit the amount of data that will be forwarded to APMD.
750793 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
Component: Application Security Manager
Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.
Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.
Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.
Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.
Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.
750689 : Request Log: Accept Request button available when not needed
Component: Application Security Manager
Symptoms:
There are several violations that make a request unlearnable, but the Accept Request button is still enabled.
Conditions:
Request log has requests with the following violations that make requests unlearnable:
- Threat Campaign detected
- Null character found in WebSocket text message
- Access from disallowed User/Session/IP/Device ID
- Failed to convert character
+ 2 subviolations of HTTP protocol compliance failed violation:
- Unparsable request content
- Null in request
- Bad HTTP version
or only the following violations were detected:
- Access from malicious IP address
- IP is blacklisted
- CSRF attack detected
- Brute Force: Maximum login attempts are exceeded
Impact:
Accept Request button is available, but pressing it does not change the policy.
Fix:
The button is now disabled when there is nothing to be learned from the request.
750686 : ASE user cannot create or modify a bot signature.
Component: Application Security Manager
Symptoms:
Application Security Editor user role gets a validation exception while trying to create or modify bot defense signature either via GUI, tmsh, or REST.
Conditions:
The logged on user account is configured with an Application Security Editor role.
Impact:
Application Security Editor users are unable to define user-defined signatures for the bot defense module.
Workaround:
Change user role to Administrator or Web Application Security Administrator to create or modify bot defense signatures.
Fix:
User accounts configured for Application Security Editor can now create/modify bot defense signatures.
750683 : REST Backwards Compatibility: Cannot modify enforcementMode of host-name
Component: Application Security Manager
Symptoms:
Modifying the enforcementMode value fails with the following message: Valid Host Name already exists in this policy.
In 14.1.0, the capability to treat specific domains as Transparent while the rest of the policy is in Blocking moved from Host Names to the new Microservices feature. The REST endpoint for Host Names (/mgmt/tm/asm/policies/<ID>/host-names) is meant to still support setting and modifying this attribute. However, this is not happening successfully.
Conditions:
-- Running version 14.1.0 software.
-- Using a pre-14.1.0 REST API to modify the enforcementMode of a host name (/mgmt/tm/asm/policies/<ID>/host-names).
Impact:
The value change fails.
Workaround:
You can use either workaround:
-- Change the value using the GUI.
-- Use the newer endpoint: (/mgmt/tm/asm/policies/<ID>/microservices).
Fix:
Using the backwards compatible REST to update the enforcementMode of a host name now succeeds.
750668 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
Component: Application Security Manager
Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.
Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.
Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.
Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.
Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.
750666 : Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common'
Component: Application Security Manager
Symptoms:
For any partition other than 'Common' (i.e., a user-defined partition), you cannot create a new Bot Signature or Bot Category Signature via the GUI, because the form fields and buttons are disabled (grayed out).
Conditions:
-- Creating Bot Signature/Bot Category Signature.
-- The partition is set to a user-defined partition.
Impact:
No creation of Bot Signature/Bot Category Signature can be completed through GUI in a user-defined partition.
Workaround:
Create Bot Signature/Bot Category Signature in TMSH.
Fix:
Can now create Bot Signature/Bot Category Signature in user partition different from 'Common'.
750661-2 : URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.
Component: TMOS
Symptoms:
A regression in configuration processing causes LTM Rewrite profile to ignore configured URI translation rules.
Conditions:
Using LTM Rewrite profiles of type 'uri-translation' with configured URI translation rules.
Impact:
URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.
Workaround:
None.
Fix:
Restored functionality of LTM Rewrite URI translation rules.
750631 : There may be a latency between session termination and deletion of its associated IP address mapping
Component: Access Policy Manager
Symptoms:
In SWG, if a new request from a client executes iRule command "ACCESS::session exists" when the session has expired previously, the command will return false. However, if command "ACCESS::session create" is executed following the exist command, the session ID of the previous session may be returned.
Conditions:
In SWG, if a new request from a client IP comes into the system right after its previous session has expired.
Impact:
The Access filter will determine that the session ID is stale and, therefore, will redirect the client to /my.policy.
Fix:
N/A
750586 : HSL may incorrectly handle pending TCP connections with elongated handshake time.
Component: TMOS
Symptoms:
HSL may incorrectly handle TCP connections whose pending 3-way handshake takes longer than the default handshake timeout to complete.
Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.
Impact:
-- Service interruption while TMM restarts.
-- Failover event.
Workaround:
None.
Fix:
HSL now handles unusually long pending TCP handshakes gracefully and does not cause an outage.
750580 : Installation using image2disk --format may fail after TMOS v14.1.0 is installed★
Component: TMOS
Symptoms:
When v14.1.0 is installed, subsequent installations of software performed using image2disk with the --format=volumes option from within a TMOS installation slot may fail.
The failure occurs after the disks have been formatted, but before the TMOS installation slot is bootable, and the system is left without a TMOS installation slot.
While performing the installation, the system posts messages similar to the following in the serial console:
-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : MySQL-shared/i686
...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package MySQL-shared (i686)
-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : openssl/x86_64
...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package openssl (x86_64)
-- info: capture: status 32512 returned by command: chroot /mnt/tm_install/1258.DHwcwN rpm --rebuilddb
...
-- info: chroot: failed to run command 'rpm': No such file or directory
Conditions:
This issue occurs when all of the following conditions are met:
-- Version 14.1.0 is installed on the system, even if the system never boots into the 14.1.0 installation slot.
-- Using image2disk with the --format=volumes option specified from TMOS.
-- Installing another version of the software.
In particular, this issue affects MOS version 2.12.0-140.0, which can be checked by running this command from a bash shell on the BIG-IP system:
grub_default -d | grep -A6 'TMOS maintenance' | grep 'TIC_STATIC_VERSION'
Impact:
The installation fails, and the system is left in a state where it is not accessible on the network and has no configuration. You must use the console to access the system.
Workaround:
You can use the following workarounds:
-- Use the Software Management screens in the GUI to perform installations
-- Use the tmsh 'sys software' commands to perform software installations.
-- Do not use the image2disk --format command to install software.
750498 : MCP validation to prevent sso config object deletion when referenced by SSO Configuration Select agent in PRP
Component: Access Policy Manager
Symptoms:
SSO config object can be deleted even when it is referenced by SSO configuration select agent in PRP.
Conditions:
Create a basic SSO item.
Create a PRP that has the SSO Assign in it and select the basic SSO item.
Create a PSP that is Start->Allow
Create a VS that uses the PRP, PSP, and a pool.
Delete the SSO item in the UI.
Impact:
Traffic flow for SSO configuration select agent fails since the sso config object is deleted.
Workaround:
None.
Fix:
MCP validation has been added to sso config object deletion: when an sso object is deleted, the system now verifies that it is not referenced by a V2 policy agent.
750491 : PEM Once-Every content insertion action may insert more than once during an interval
Component: Policy Enforcement Manager
Symptoms:
Successful PEM content insertion accounting is lost during re-evaluation, resulting in more insertions per insertion interval.
Conditions:
During re-evaluation to update the existing flow.
Impact:
More insert-content actions than expected occur with the Once-Every method of the insert content action.
Workaround:
None.
Fix:
Update the insertion content accounting data during re-evaluation.
750477 : LTM NAT does not forward ICMP traffic
Component: Advanced Firewall Manager
Symptoms:
ICMP traffic that matches an LTM NAT object on a BIG-IP system is not forwarded through but is instead dropped on the BIG-IP system.
Conditions:
-- LTM NAT object is configured on the BIG-IP system.
-- The BIG-IP system receives ICMP traffic matching the LTM NAT object.
Impact:
Client ICMP traffic (matching LTM NAT) is not forwarded to the destination causing traffic disruption.
Workaround:
None.
Fix:
ICMP traffic matching an LTM NAT object is now forwarded to the destination as expected.
750473 : VA status changes while 'disabled' are not taken into account after being 'enabled' again
Component: Local Traffic Manager
Symptoms:
The virtual-address network is not advertised with route-advertisement enabled.
Conditions:
1. Using a virtual-address with route advertisement enabled.
2. Disable virtual-address while state is down.
3. Enable virtual-address after state comes up.
Impact:
No route-advertisement of the virtual-address.
Workaround:
Toggle the route-advertisement for virtual-address.
Fix:
The virtual-address now operates as expected when disabled.
750460 : Subscriber management configuration GUI
Component: Policy Enforcement Manager
Symptoms:
Subscriber management configuration GUI does not follow best security practices.
Conditions:
PEM provisioned
Authenticated user accesses Subscriber Management->Activity Log->Log Configuration page.
Impact:
Subscriber management configuration GUI does not follow best security practices.
Workaround:
None
Fix:
Subscriber management configuration GUI now follows best security practices.
750447 : GUI VLAN list page loading slowly with 50 records per screen
Component: TMOS
Symptoms:
The GUI VLAN list page loads slowly when there are 3200+ VLANs and the Records Per Screen preference is set to 50.
Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.
Impact:
Cannot use the page.
Workaround:
Use tmsh or guishell tool to see the VLANs.
You can also try using a smaller value for the Records Per Screen option in System :: Preferences.
Fix:
Improved data retrieval and rendering for the VLAN list page.
750393 : When parameters with special characters are obfuscated they are not url-encoded
Component: Fraud Protection Services
Symptoms:
Parameters containing special characters, such as "$", are not URL-encoded when obfuscation is applied to them. Hence, they are delivered incorrectly.
Conditions:
Obfuscated parameter includes special characters
Impact:
These parameters are sent incorrectly (not URL-encoded).
Workaround:
N/A
Fix:
Code fixed to resolve this issue
750356 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
Component: Application Security Manager
Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.
Conditions:
-- Create a new filter.
-- Remove the new filter.
Impact:
The system removes all user-defined filters.
Workaround:
Before you delete a newly created filter, reload the page.
Fix:
Filter removal now completes successfully for all scenarios.
750353 : Manual Device Group Put in Pending State With No Indication
Component: Application Security Manager
Symptoms:
When Session Tracking is enabled on devices in a Manual Sync ASM-enabled device group, the device group can be put into 'Pending' state with no indication as to what changed in the system. This is because Audit Log Messages are not written for changes due to Session Tracking.
Conditions:
-- ASM Sync is enabled on a Manual Sync Device Group.
-- Session Tracking is enabled on an ASM Security Policy.
Impact:
It is unclear why the device group is in Pending State and what the impact is if the configuration is pushed to a peer.
Workaround:
None.
Fix:
When in a high availability (HA) environment, changes to Session Tracking are now written to the Audit log as batched events, similar to the following example:
x Sessions were set to 'Block All'
750352 : Config sync status is always "Changes Pending"
Component: Application Security Manager
Symptoms:
You see a constant or nearly constant "Changes Pending" config sync status for a sync group.
Conditions:
ASM configured in a sync group with manual sync.
Session Tracking is configured, and is configured to Block All Thresholds.
Impact:
Config sync status of the sync group is almost always at "Changes Pending".
Fix:
If you attempt to enable Block All Thresholds, the GUI now reports a warning: Manual Sync Group is configured for this device. Enabling any of the Block All Thresholds may result in constant "Changes Pending" state for the group.
750318 : HTTPS monitor does not appear to be using cert from server-ssl profile
Component: TMOS
Symptoms:
An HTTPS monitor using a client certificate configured in the server-ssl profile fails to send the certificate during the SSL handshake.
A tcpdump shows a 0-byte certificate being sent.
Conditions:
-- In-tmm monitoring is disabled (default).
-- The server-ssl profile has been modified but without changing the configured certificate or key.
The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.
Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.
Workaround:
Restart bigd process by running the following command:
bigstart restart bigd
Fix:
mcpd now sends the full profile configuration to bigd upon modification.
750298 : iControl REST may fail while processing requests
Component: TMOS
Symptoms:
Under certain conditions, iControl REST may stop processing requests.
Conditions:
AVR provisioned.
Authenticated REST user.
Impact:
iControl REST stops responding.
Workaround:
None.
Fix:
iControl REST now processes requests as expected.
750292 : TMM may crash when processing TLS traffic
Solution Article: K54167061
750213 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
Solution Article: K25351434
Component: Global Traffic Manager (DNS)
Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.
Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.
Note: If the response is not in the hardware cache, then the query should be properly handled.
Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.
This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.
Workaround:
None.
750204 : Add support for P-521 curve in the X.509 chain to SSL LTM
Component: Local Traffic Manager
Symptoms:
SSL is unable to verify a certificate signed with an EC P-521 key.
Conditions:
N/A
Impact:
Client/server authentication (X.509 signature verification) will fail when using a certificate signed with an EC P-521 key.
Workaround:
The client/server has to use a certificate signed with a supported EC curve (P-256/P-384).
Fix:
Added P-521 curve support in X.509 chain verification.
750200 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
Component: Local Traffic Manager
Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.
Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.
Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.
Workaround:
None.
750187 : ASM REST may consume excessive resources
Component: Application Security Manager
Symptoms:
While processing ASM REST calls from authorized users, ASM may consume excessive resources.
Conditions:
ASM provisioned and licensed
REST calls from an authorized user
Impact:
Excessive resource consumption potentially leading to a failover event.
Workaround:
None.
Fix:
ASM REST now consumes resources as expected.
750170 : SP Connector config changes sometimes cause a BIG-IP tmm core during handling of SAML SLO requests
Component: Access Policy Manager
Symptoms:
tmm crashes.
Conditions:
This occurs when BIG-IP handles SAML SLO requests, and SP Configuration is changed by the admin around the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
BIG-IP now handles SLO requests correctly, without a tmm core, when the SP configuration is changed by the admin at the same time.
749879-7 : Possible interruption while processing VPN traffic
Solution Article: K47527163
749785 : nsm can become unresponsive when processing recursive routes
Component: TMOS
Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consumes 100% CPU.
Conditions:
-- Dynamic routing enabled
-- Processing recursive routes from a BGP peer with different prefixlen values.
Impact:
Dynamic routing, and services using dynamic routes do not operate. nsm does not recover and must be restarted.
Workaround:
None.
Fix:
nsm now processes recursive routes without issues.
749774 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
Component: Global Traffic Manager (DNS)
Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.
Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.
Impact:
Inconsistent behavior.
Workaround:
None.
Fix:
In this release, responses are now consistent when caching is enabled.
749761-1 : AFM Policy with Send to Virtual and TMM crash in a specific scenario
Component: Advanced Firewall Manager
Symptoms:
TMM restart in a specific scenario when AFM Policy is configured in multiple contexts (Global, Route Domain, Virtual Server), with Log Translations enabled, and Send-To-VS feature configured in at least one of the rules in the Security Policy.
Conditions:
-- When using Firewall ACL Policy in more than one context, i.e., more than one of the following contexts has an ACL Security Policy applied:
+ Global Context
+ Route Domain
+ Virtual Server Context
-- Send To Virtual Server is configured on any Rule on the Security policy.
-- Traffic matching a Rule (with logging enabled) in more than one context.
-- AFM Security Logging Profile has log Translation Field Enabled.
Impact:
TMM restart causes service disruption. Traffic disrupted while tmm restarts.
Workaround:
Disable Logging of Translation Fields in Security Logging Profile.
Fix:
Fixed an invalid memory access that occurred when ACL classification was performed a second time to support the Send to Virtual feature in this scenario.
749704 : GTPv2 Serving-Network field with mixed MNC digits
Component: Service Provider
Symptoms:
iRules command 'GTP::ie get value' incorrectly decodes Serving-Network field, putting the least significant digit of mobile network codes (MNC) value before the other two.
Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).
Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.
Workaround:
None.
Fix:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.
Behavior Change:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.
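To make the digit order concrete, here is an added example (not F5 code and not the iRule implementation) that decodes and encodes the GTPv2 Serving Network IE value in the {{<MCC> <MNC>} <optional data>} order the fixed command returns; the BCD nibble layout follows 3GPP TS 29.274, and buggy_mnc_order only models the misordering the entry describes.

```python
# Added example (not F5 code): decoding and encoding the GTPv2 Serving Network
# IE value (IE type 83) in the order {{<MCC> <MNC>} <optional data>}.
# Layout per 3GPP TS 29.274 section 8.18, one BCD digit per nibble:
#   octet 0: high nibble = MCC digit 2, low nibble = MCC digit 1
#   octet 1: high nibble = MNC digit 3, low nibble = MCC digit 3
#   octet 2: high nibble = MNC digit 2, low nibble = MNC digit 1
# A two-digit MNC carries the filler 0xF in the MNC digit 3 position.

FILLER = 0xF


def _digit(nibble: int, allow_filler: bool = False) -> str:
    """Validate one BCD nibble and return it as a decimal character."""
    if nibble <= 9:
        return str(nibble)
    if nibble == FILLER and allow_filler:
        return ""  # two-digit MNC: the third digit position is unused
    raise ValueError(f"invalid BCD nibble 0x{nibble:X}")


def decode_serving_network(value: bytes):
    """Return ((mcc, mnc), trailing) for a Serving Network IE value.

    mcc and mnc are decimal strings in human reading order (most significant
    digit first); trailing is whatever follows the three MCC/MNC octets,
    which the fixed iRule command returns as the optional second element.
    """
    if len(value) < 3:
        raise ValueError("Serving Network IE value needs at least 3 octets")
    o0, o1, o2 = value[0], value[1], value[2]
    mcc = _digit(o0 & 0xF) + _digit(o0 >> 4) + _digit(o1 & 0xF)
    mnc = _digit(o2 & 0xF) + _digit(o2 >> 4) + _digit(o1 >> 4, allow_filler=True)
    return (mcc, mnc), bytes(value[3:])


def encode_serving_network(mcc: str, mnc: str, trailing: bytes = b"") -> bytes:
    """Inverse of decode_serving_network; useful for building test messages."""
    if len(mcc) != 3 or not (mcc.isascii() and mcc.isdigit()):
        raise ValueError("MCC must be exactly 3 decimal digits")
    if len(mnc) not in (2, 3) or not (mnc.isascii() and mnc.isdigit()):
        raise ValueError("MNC must be 2 or 3 decimal digits")
    m = [int(c) for c in mcc]
    n = [int(c) for c in mnc] + ([FILLER] if len(mnc) == 2 else [])
    return bytes([(m[1] << 4) | m[0],
                  (n[2] << 4) | m[2],
                  (n[1] << 4) | n[0]]) + trailing


def buggy_mnc_order(mnc: str) -> str:
    """Model of the defect described in the entry: the least significant MNC
    digit is placed before the other digits (illustration only)."""
    return mnc[-1] + mnc[:-1]


if __name__ == "__main__":
    # Constructed sample values: MCC 310 / MNC 410 and MCC 262 / MNC 01.
    for raw in (bytes.fromhex("130014"), bytes.fromhex("62f210") + b"\x01"):
        (mcc, mnc), extra = decode_serving_network(raw)
        print(raw.hex(), "->", {mcc, mnc}, extra.hex(), "(bug would give", buggy_mnc_order(mnc) + ")")
```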
749689 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
Component: Local Traffic Manager
Symptoms:
The HTTPS monitor sends a varying number of cipher suites in the client hello during the SSL handshake, and sometimes the back-end server fails to find a desired cipher suite in the client hello. As a result, the SSL handshake sometimes fails and the monitor wrongly marks the pool member down.
Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.
Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.
Workaround:
Restart bigd using the following command:
bigstart restart bigd
Fix:
HTTPS monitor now sends a consistent number of cipher suites in the client hello message during the SSL handshake.
749675 : DNS cache resolver may return a malformed truncated response with multiple OPT records
Component: Global Traffic Manager (DNS)
Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.
Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).
Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.
Workaround:
A second query will return the cached record, which will only have one OPT record.
Fix:
DNS cache resolver now returns the correct response under these conditions.
749657 : In-TMM monitor agent log message enhancement
Component: Local Traffic Manager
Symptoms:
Log message TMALOG_PROBE_SEND_FAIL reports only the TMM and MID of the monitoring activity, but gives no information on the monitor configuration to help track down the monitor that is failing. At the default TMA log level there is no way to correlate that with the monitor configuration.
Conditions:
-- In-TMM monitoring is enabled (the db variable bigd.tmm is set to 'enable').
-- A monitor of a protocol for which in-TMM monitoring is supported is active.
Impact:
Difficult to determine which configured monitor is failing to send probes.
Workaround:
None.
Fix:
Log message TMALOG_PROBE_SEND_FAIL reports the monitor name from the BIG-IP configuration in addition to the MID. Log message TMALOG_ACTY_CREATE reports the MID in addition to the monitor name and other information. TMALOG_ACTY_DELETE reports the MID in addition to the monitor name. At log levels 'notice' and above the MID can be used along with the information from TMALOG_ACTY_CREATE to correlate other TMALOG messages by the reported TMM and MID.
749608 : HTTP Persistence cookies erroneously sent when cookie persistence turned off
Component: Local Traffic Manager
Symptoms:
Traffic may appear to not be load balancing among a pool correctly.
Because clients are receiving persistence cookies when they should not be, a client can be routed back to the same pool member for subsequent requests when this is not necessary, instead of being assigned a pool member through load balancing.
Conditions:
To encounter this bug, two conditions must be met:
1) The always_send option is on with HTTP persistence cookies, or cookies are configured with an expiry.
2) Later, persistence is changed to 'persist none' (by an iRule, for example).
Impact:
The system erroneously sends persistence cookies with responses. Undesired routing might occur, where a client is not load balanced, and instead is always directed back to the same pool member.
Workaround:
Turn off the always-send option, and disable the HTTP persistence cookie expiry.
If you need the expiry function, use an iRule to re-add it after the cookie has been inserted.
749603 : MRF SIP ALG: Potential to end wrong call when BYE received
Component: Service Provider
Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.
Conditions:
If the hash of the call-id (masked to 12 bits) matches the hash of another call's call-id.
Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.
Workaround:
None.
Fix:
The entire call-id is now checked before terminating media flows.
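The following added example (not F5 code) models the lookup described above: a 12-bit hash of the Call-ID leaves only 4096 buckets, so two live calls can share one, and a BYE that acts on the bucket alone closes both calls while a full Call-ID comparison closes only the right one. The hash function and the Call-ID values are assumptions constructed for the illustration.

```python
# Added example (not F5 code): media-flow lookup keyed on a 12-bit Call-ID hash,
# contrasting bucket-only termination (the defect) with full Call-ID matching
# (the fix). The hash function is an assumption for illustration only.
import hashlib

HASH_BITS = 12
HASH_MASK = (1 << HASH_BITS) - 1


def call_id_hash(call_id: str) -> int:
    """Illustrative 12-bit hash of a SIP Call-ID (SHA-256 prefix, masked)."""
    digest = hashlib.sha256(call_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


class MediaFlowTable:
    """Tracks open media flows per call, bucketed by the masked Call-ID hash."""

    def __init__(self):
        self._buckets = {}  # hash -> {call_id: set of flow descriptions}

    def open_call(self, call_id: str, flows):
        bucket = self._buckets.setdefault(call_id_hash(call_id), {})
        bucket[call_id] = set(flows)

    def open_calls(self):
        return sorted(cid for b in self._buckets.values() for cid in b)

    def bye_hash_only(self, call_id: str) -> int:
        """Defective behaviour: close every call in the matching hash bucket.
        Returns the number of calls terminated."""
        bucket = self._buckets.pop(call_id_hash(call_id), {})
        return len(bucket)

    def bye_full_match(self, call_id: str) -> int:
        """Fixed behaviour: close only the call whose full Call-ID matches.
        Returns 1 if a call was terminated, 0 if no such call exists."""
        h = call_id_hash(call_id)
        bucket = self._buckets.get(h, {})
        if call_id not in bucket:
            return 0
        del bucket[call_id]
        if not bucket:
            del self._buckets[h]
        return 1


def find_colliding_call_ids(prefix: str = "call", limit: int = HASH_MASK + 2):
    """Return two distinct constructed Call-IDs with the same 12-bit hash.
    With 4096 buckets, the pigeonhole principle guarantees a collision
    within 4097 candidates."""
    seen = {}
    for i in range(limit):
        cid = f"{prefix}-{i}@sip.example.invalid"  # constructed Call-ID
        h = call_id_hash(cid)
        if h in seen:
            return seen[h], cid
        seen[h] = cid
    raise RuntimeError("no collision found")  # unreachable with default limit


def demo():
    """Open two colliding calls and send BYE for the first one under both
    lookup strategies; returns (closed_by_bug, closed_by_fix, still_open)."""
    a, b = find_colliding_call_ids()
    buggy, fixed = MediaFlowTable(), MediaFlowTable()
    for table in (buggy, fixed):
        table.open_call(a, ["rtp:192.0.2.10:4000"])
        table.open_call(b, ["rtp:192.0.2.20:4002"])
    return buggy.bye_hash_only(a), fixed.bye_full_match(a), fixed.open_calls()


if __name__ == "__main__":
    print(demo())
```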
749508 : LDNS and DNSSEC: Various OOM conditions need to be handled properly
Component: Global Traffic Manager (DNS)
Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.
Conditions:
LDNS and DNSSEC OOM conditions.
Impact:
Various traffic-processing issues, for example, a TMM panic during processing of DNSSEC activity.
Workaround:
None.
Fix:
The system contains improvements for handling OOM conditions properly.
749500 : Improved visibility for Accept on Microservice action in Traffic Learning
Component: Application Security Manager
Symptoms:
Low visibility for the Accept on Microservice action.
Conditions:
There are suggestions that can be accepted on microservice.
Impact:
The system does not show Accept on Microservice in a suggestion.
Workaround:
None.
Fix:
Improved visibility for Accept on Microservice action and microservice-related details of suggestions.
749477 : Provisioning URLDB and SWG simultaneously produces a confusing error message if neither module was originally provisioned
Component: Access Policy Manager
Symptoms:
If you have URLDB or SWG provisioned and try to provision the other, you will get an error message:
The requested provision module (%s) is not compatible with already provisioned module (%s).
This same error message is displayed if neither module was provisioned to start with, and can be confusing.
Conditions:
Attempt to provision SWG and URLDB without either module being originally provisioned.
Impact:
You can safely ignore the benign error message.
Workaround:
None.
Fix:
The new message makes sense regardless of the starting state (i.e., SWG or URLDB or neither originally provisioned):
Module (%s) is not compatible with module (%s). These modules can't be provisioned simultaneously.
749464-3 : Race condition while BIG-IQ updates common file
Component: Application Visibility and Reporting
Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.
Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.
Impact:
avrd might read incomplete data, and can even core in some rare cases.
Workaround:
None.
Fix:
This race condition no longer occurs.
749461-3 : Race condition while modifying analytics global-settings
Component: Application Visibility and Reporting
Symptoms:
Updating the analytics global-settings might cause a core for avrd.
The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses
Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by internal process script.
Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.
Workaround:
None.
Fix:
Race condition no longer occurs while modifying analytics global-settings.
749414 : Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects
Component: Local Traffic Manager
Symptoms:
There are two symptoms:
-- Modifying the monitor for a node or pool-member might remove monitor rule instances and monitor instances for other nodes/pool-members.
-- After those unrelated monitor rule instances and monitor instances are removed, if you try to alter the state of the pool-member/node, the system posts the following message: Invalid monitor rule instance identifier.
Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is not in a pool.
-- Run the following command: tmsh load /sys config
-- Loading ucs/scf file can trigger the issue also.
Impact:
The system might delete monitor rule instances for unrelated nodes/pool-members. Pool members are incorrectly marked down.
Workaround:
Failover or failback traffic to the affected device.
749388-1 : 'table delete' iRule command can cause TMM to crash
Component: TMOS
Symptoms:
TMM SegFaults and restarts.
Conditions:
'table delete' gets called after another iRule command.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Call 'table lookup' on any key before performing a 'table delete'.
Whether or not the key was added into the database beforehand does not matter.
Fix:
Fixed code to prevent invalid use of internal data structure.
749382 : Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater
Component: TMOS
Symptoms:
Running a bare-metal installation via image2disk (i.e., 'image2disk --format=volumes <ISO>') may fail due to a missing command in the maintenance OS.
Conditions:
The version of MOS installed on the system is from a v14.1.0 or newer ISO, and a user attempts a bare-metal installation via the 'image2disk' command.
Impact:
Unable to perform bare-metal installations/installations from MOS in affected versions.
Workaround:
The installed version of MOS can be removed with the command '/usr/lib/bpdiag -a mos'. After doing this, installing a version older than 14.1.0 will re-install an older version of MOS without this issue. You can then reboot to MOS and manually run the installation using 'image2disk' from there.
Fix:
Fix issues with bare-metal installations via 'image2disk' failing.
749331 : Global DNS DoS vector does not work in certain cases
Component: Advanced Firewall Manager
Symptoms:
Global DNS DoS vector stops working under certain conditions.
Conditions:
Packets are not processed in their entirety.
Impact:
Global DNS data structures are overwritten by subsequent incoming packets. Global DNS DoS vector does not rate-limit the packets.
Workaround:
None.
Fix:
Global DNS DoS vector checks now prevent this issue, so rate-limiting works as expected.
749324 : jQuery Vulnerability: CVE-2012-6708
Solution Article: K62532311
749294 : TMM cores when query session index is out of boundary
Component: Local Traffic Manager
Symptoms:
TMM cores when the queried session index is out of bounds. This is not a usual case; it is most likely caused by memory corruption.
Conditions:
When the session index equals the size of the session cache.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.
749227 : MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE
Component: Service Provider
Symptoms:
Processing an INVITE message creates a temporary registration entry for an unregistered subscriber, but this registration entry is not extended if a subsequent INVITE occurs. This could cause the registration to expire during a call, thus allowing the reserved translated addresses to be provided to a different subscriber.
Conditions:
An INVITE message is received when unregistered-subscriber-callout attribute in the siprouter-alg profile
Impact:
The system adds a temporary registration entry to the registration table. The lifetime for this entry is the max-session-timeout value from the siprouter-alg profile. Subsequent INVITES will not extend the lifetime.
This could cause the registration to expire during a call, allowing the reserved translated addresses to be provided to a different subscriber.
Workaround:
None.
Fix:
Subsequent INVITEs now extend the lifetime by another max-session-timeout value.
749222 : dname compression offset overflow causes bad compression pointer
Component: Global Traffic Manager (DNS)
Symptoms:
DNS requests receive error response:
- Got bad packet: bad compression pointer
- Got bad packet: bad label type
Conditions:
When the DNS response is large enough that a dname compression pointer would refer to an offset larger than 0x3fff.
Impact:
DNS response is malformed.
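The 14-bit limit behind this symptom, as an added example (not F5 code): an RFC 1035 name compressor in both the defective and the hardened form, plus a decoder that reports the two errors quoted above. The 0x4000-byte filler and the host names are constructed inputs.

```python
import struct

HEADER_LEN = 12              # fixed DNS header; a name can never start inside it
MAX_POINTER_OFFSET = 0x3FFF  # 14-bit pointer field, RFC 1035 section 4.1.4


class DnsNameError(ValueError):
    """Raised for the malformed-name conditions a resolver reports."""


def compression_pointer(offset):
    """Hardened form: refuse an offset that does not fit in 14 bits."""
    if not 0 <= offset <= MAX_POINTER_OFFSET:
        raise DnsNameError("offset %#x exceeds 14-bit pointer range" % offset)
    return struct.pack("!H", 0xC000 | offset)


def compression_pointer_unchecked(offset):
    """Defect pattern: the offset is OR-ed straight into the two marker bits,
    so an offset of 0x4000 or more wraps to the wrong location instead of failing."""
    return struct.pack("!H", (0xC000 | offset) & 0xFFFF)


def encode_name(name, msg, table, checked=True):
    """Append `name` to `msg`, pointing at suffixes already recorded in `table`
    (lower-cased suffix -> offset). In checked mode a suffix is remembered only
    while its offset is addressable; later names are written out in full."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    while labels:
        suffix = ".".join(labels).lower()
        off = table.get(suffix)
        if off is not None:
            make = compression_pointer if checked else compression_pointer_unchecked
            msg += make(off)
            return
        if not checked or len(msg) <= MAX_POINTER_OFFSET:
            table[suffix] = len(msg)
        label = labels.pop(0).encode("ascii")
        if not 1 <= len(label) <= 63:
            raise DnsNameError("label length must be 1..63")
        msg.append(len(label))
        msg += label
    msg.append(0)  # root label terminates an uncompressed name


def decode_name(msg, pos):
    """Parse the name at `pos` and return (dotted name, offset just past it).
    Raises DnsNameError('bad compression pointer') or ('bad label type')."""
    labels = []
    end = None          # position after the name in the original byte stream
    visited = set()     # pointer positions already followed (loop guard)
    while True:
        if pos >= len(msg):
            raise DnsNameError("truncated name")
        length = msg[pos]
        kind = length & 0xC0
        if kind == 0xC0:
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated name")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            # a pointer must lead backwards to a name that lies outside the header
            if target >= pos or target < HEADER_LEN or pos in visited:
                raise DnsNameError("bad compression pointer")
            visited.add(pos)
            if end is None:
                end = pos + 2
            pos = target
            continue
        if kind != 0x00:
            raise DnsNameError("bad label type")  # the 01 and 10 prefixes are reserved
        if length == 0:
            return ".".join(labels) + ".", (pos + 1 if end is None else end)
        if pos + 1 + length > len(msg):
            raise DnsNameError("truncated name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length


def demo():
    """Constructed case: 0x4000 bytes of filler stand in for a large response
    (header plus earlier records), then two names that share a suffix.
    Returns what the decoder makes of the second name under each encoder."""
    results = {}
    for checked in (True, False):
        msg, table = bytearray(0x4000), {}
        encode_name("www.example.com", msg, table, checked)
        second = len(msg)
        encode_name("mail.example.com", msg, table, checked)
        try:
            results[checked] = decode_name(bytes(msg), second)[0]
        except DnsNameError as err:
            results[checked] = "error: %s" % err
    return results


if __name__ == "__main__":
    print(demo())  # {True: 'mail.example.com.', False: 'error: bad compression pointer'}
```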
749203 : New Application Ready Templates
Component: Application Security Manager
Symptoms:
Application Ready Templates do not support current versions of their applications.
Conditions:
Using Application Ready Templates.
Impact:
F5-tuned templates are not available to fully secure the latest version of some applications.
Workaround:
None.
Fix:
The following Application Ready Templates have been updated to newer versions:
- Drupal 8
- OWA 2016
- SharePoint 2016
- WordPress 4
Reference: F5DevCentral/f5-asm-policy-template-v13 :: https://github.com/f5devcentral/f5-asm-policy-template-v13/tree/master/application_ready_template_v13
749179 : DataSafe: Cannot lower secure-channel-lifetime through GUI
Component: Fraud Protection Services
Symptoms:
A secure channel cookie's lifetime must be greater than or equal to the lifetimes of the other cookies. The BIG-IP system GUI does not show non-DataSafe cookies, so there is no way to change their lifetime setting, if needed.
Conditions:
-- In tmsh, specify a secure-channel cookie lifetime value.
-- In the GUI, set the non-DataSafe cookie lifetime to a value that is greater than the secure-channel cookie lifetime.
-- Save the configuration.
Impact:
The save operation fails with the error message: Save Failed: 01071a07:3: The lifetime of Malware forensics cookie should be less than or equal to the lifetime of Secure channel cookie in the Anti-Fraud profile '/Common/test'.
The secure-channel cookie lifetime cannot be lowered using the GUI; you must use tmsh to do so.
Workaround:
Use tmsh to change the cookie's lifetime value.
749161 : Problem sync policy contains non-ASCII characters
Component: Access Policy Manager
Symptoms:
When an access policy contains non-ASCII characters, policy sync either fails or the characters are not synced properly on the target.
Conditions:
-- Using an access profile.
-- Access profile contains non-ASCII characters (code point greater than 0x7f), e.g., in VPE, add an 'Advanced Resource Assign' agent and specify an expression similar to the following in addition to the resource:
expr { [string tolower [mcget -decode {session.ad.last.attr.memberOf}]] contains [string tolower "CN=Suporte_TransmissãČo,"] || [string tolower [mcget -decode {session.ad.last.attr.memberOf}]] contains [string tolower "CN=suporte_tx,"]}
-- Start policy sync on the profile.
Impact:
Policy sync fails or does not complete properly for the non-ASCII characters.
Workaround:
None.
Fix:
Policy sync now works properly when the policy contains non-ASCII characters.
749142 : Portal Access: rewriting for Worker.postMessage(msg,transfer) should not rewrite 2nd argument
Component: Access Policy Manager
Symptoms:
Using Portal Access, the browser posts an error message in its console similar to the following:
Failed to execute 'postMessage' on 'Worker': No function was found that matched the signature provided.
Conditions:
The web application contains JavaScript code that calls postMessage() on a Worker with a second argument that is an array.
Impact:
The web application malfunctions.
Workaround:
Custom iRule workaround is possible. For example:
# custom workaround for BZ 749142 for a specific page
when REWRITE_REQUEST_DONE {
    # path to the HTML page where postMessage is used:
    if { [HTTP::path] ends_with "/custom_path" } {
        REWRITE::post_process 1
        set sw 2222
    }
}
when REWRITE_RESPONSE_DONE {
    if {[info exists sw] && $sw == 2222} {
        unset sw
        # insert the patch script just before </head>
        set strt [string first {</head>} [REWRITE::payload]]
        if {$strt > 0} {
            REWRITE::payload replace $strt 0 {
<script>
(function(){
    var old_f5_ipm = F5_Invoke_postMessage;
    // BZ 749142: fix F5_Invoke_postMessage
    F5_Invoke_postMessage = function () {
        if ('string' === typeof arguments[2]) {
            return old_f5_ipm.apply(this, arguments)
        } else {
            return Function.prototype.call.apply(arguments[0].postMessage, arguments); // call source function
        }
    }
    // just a hack to enable unzipped content of Worker for iRule processing (this is impossible for F5CH=I)
    F5_Invoke_Worker = function () {
        arguments[1] = F5_WrapURL(arguments[1], "h");
        return new Worker(arguments[1])
    }
})();
</script>
            }
        }
    }
}
Fix:
The issue is fixed.
749136 : Disk partition /var/log is low on free disk space
Component: Application Security Manager
Symptoms:
Warning messages such as the following appear on the system CLI:
--------------
Broadcast message from root@bigip1.test.net (Wed Nov 7 09:01:01 2018):
011d0004:3: Disk partition /var/log (slot 1) has only 0% free
--------------
Conditions:
ASM or DoS is provisioned.
Impact:
Disk partition /var/log is low on free disk space.
Workaround:
Manually delete nsyncd logs from /var/log.
Fix:
There is now stricter log rotation for nsyncd.
749109 : CSRF situation on BIGIP-ASM GUI
Component: Application Security Manager
Symptoms:
CSRF situation on the BIG-IP ASM GUI that might potentially lead to resource exhaustion on the device for the moment it is being run.
Conditions:
The following URL accepts a wildcard in the parameter id, making it a heavy URL:
https://BIG-IP/dms/policy/pl_negsig.php?id=*
Impact:
Once multiple requests are sent to the target GUI, it is possible to see the httpd process spiking, even on core 0 (VMware).
Workaround:
None.
Fix:
If the query string parameter has a string value the query is not executed.
749059 : TMUI does not provide option to enable BADOS TLS fingerprint signatures
Component: Advanced Firewall Manager
Symptoms:
TMUI does not provide option to enable BADOS TLS fingerprint signatures.
Conditions:
ASM licensed
Impact:
You can't enable BADOS TLS fingerprint signatures via TMUI.
Workaround:
tmsh is available to enable TLS fingerprint BADOS signatures.
749057 : VMware Horizon idle timeout is ignored when connecting via APM
Component: Access Policy Manager
Symptoms:
VMware Horizon has an option to set idle timeout under "View Configuration\Global Settings\General\Client-dependent settings\For clients that support applications". When there is no keyboard or mouse activity for the given time, application sessions should be disconnected (desktop sessions are staying, though).
This setting has no effect when connecting via APM.
Conditions:
VMware Horizon idle timeout setting for applications is configured and remote application is launched via APM.
Impact:
VMware Horizon idle timeout setting for applications has no effect.
Workaround:
None.
Fix:
VMware Horizon idle timeout "For clients that support applications" is now honored when connecting via APM.
749041 : MRSIP log of subscriber deletion outputs '(null)' for subscriber URI
Component: Service Provider
Symptoms:
New logging was added for SIP subscriber registration and deletion. The deletion log MRSIPERR_SUBSCRIBER_DELETION_LOG() fails to show the subscriber URI, and instead, /var/log/ltm shows messages similar to the following:
MR_SIP: Subscriber registration deleted (xxx.xxx.xxx.xxx:5060 -> yyy.yyy.yyy.yyy:5060) subscriber URI: (null)
Conditions:
-- A SIP subscriber registration is deleted.
-- The log level DB variable log.mrsip.level is 'notice' or above.
Impact:
Prevents correlation of the deletion with the corresponding registration of the subscriber URI.
Workaround:
None.
Fix:
/var/log/ltm now shows the subscriber URI, for example:
MR_SIP: Subscriber registration deleted (xxx.xxx.xxx.xxx:5060 -> yyy.yyy.yyy.yyy:5060) subscriber URI: 100028@example.com
749036 : Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM
Component: Access Policy Manager
Symptoms:
Some tmsh list commands may fail while SSLO is provisioned but no urldb or APM modules are provisioned with the following message: 'Password could not be retrieved'.
Conditions:
-- SSLO is provisioned.
-- Neither APM nor URLDB is provisioned.
-- Run the generic tmsh list command.
Impact:
tmsh command fails and posts the error: Unexpected Error: Password could not be retrieved.
Note: Some 'tmsh list' commands with arguments do run. For example, 'tmsh list net vlan' provides correct output, but 'tmsh list' does not.
Workaround:
There is no workaround other than provisioning APM or URLDB.
Note: You can provision APM or URLDB even if they are not licensed. Although the full feature set is not available without a license, provisioning loads the daemons needed to support the generic 'tmsh list' command.
Fix:
The OAuth options are now hidden when only SSLO is provisioned, so SQL does not need to be up with SSLO. OAuth is not needed under SSLO.
748999 : invalid inactivity timeout suggestion for cookies
Component: Application Security Manager
Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.
Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed
Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.
Workaround:
Ignore the inactive entity suggestions for cookies
Fix:
Inactivity learning for cookies has been deprecated; the feature no longer covers cookies.
748978 : FastHTTP insert XFF header can be incorrect
Component: Local Traffic Manager
Symptoms:
When using the FastHTTP profile to insert an XFF header, the value can be incorrect.
Conditions:
A FastHTTP profile is configured to insert an XFF header.
Impact:
The value can be incorrect.
Workaround:
None.
Fix:
Fixed an issue with XFF header insertion in the FastHTTP profile.
748944-1 : Import is failing for APM SSO Config Saml object
Component: Access Policy Manager
Symptoms:
Import of policy is failing with Syntax Error:
'[api-status-warning]' unexpected argument.
Conditions:
Imported policy has APM SSO Config Saml object.
Impact:
Unable to import policy.
Workaround:
To work around this issue, follow this procedure:
1. Unpack conf.tar.gz.
2. Edit the ng-export.conf file to find and remove the line containing [api-status-warning].
3. Pack up conf.tar.gz again.
Fix:
[api-status-warning] is now handled, so this issue no longer occurs.
748940 : iControl REST cert creation not working for non-Common folder
Component: TMOS
Symptoms:
Certificate creation under a non-Common folder using iControl REST doesn't work.
For example, the user sends the following iControl REST request and receives the error response shown:
curl -sk -u admin:f5site02 https://10.192.84.16/mgmt/tm/sys/crypto/cert/ -H 'Content-Type: application/json' -X POST -d '{"name":"/my_dir/mmmmm", "common-name":"cn","key":"/my_dir/mmmmm"}' | ~/bin/json-parser-linux64
{
"code": 400,
"message": "Unable to extract key information from \"/config/filestore/files_d/my_dir_d/certificate_key_d/:my_dir:mmmmm_166121_1\"to \"/var/system/tmp/tmsh/87bOS1/ssl.key//my_dir/mmmmm\"",
"errorStack": [],
"apiError": 26214401
}
Conditions:
The user attempts to create an SSL certificate under a non-Common folder using iControl REST.
Impact:
Unable to create an SSL certificate in non-Common folder.
Workaround:
Create the SSL certificate using tmsh.
Fix:
Certificates can now be created under a non-Common folder using iControl REST.
748902 : Incorrect handling of memory allocations while processing DNSSEC queries
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes.
Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.
748891 : Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system.
Component: Local Traffic Manager
Symptoms:
Potential MAC relearning at the switches the BIG-IP system is connected to.
Conditions:
-- DB variable connection.vlankeyed set to disabled.
-- Multiple virtual-wires configured on the BIG-IP system.
-- Client to server and server to client traffic using different virtual wires on the BIG-IP system.
Impact:
Packets reach their L3 destination using an unexpected L2 path.
Workaround:
None.
Fix:
Connflow next hop and previous hop updates are now done in the correct order for virtual wires.
748851 : Bot Detection injection include tags which may cause faulty display of application
Component: Application Security Manager
Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.
Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.
Impact:
Some web applications may be displayed incorrectly.
Workaround:
None
Fix:
There is now an ASM Internal Parameter 'inject_apm_do_not_touch' and a db variable 'asm.inject_apm_do_not_touch', which can be disabled (modify sys db asm.inject_apm_do_not_touch value false) to prevent the <APM_DO_NOT_TOUCH> tag from being injected, thus allowing the application to be displayed correctly.
Behavior Change:
This release provides an ASM Internal Parameter 'inject_apm_do_not_touch', and a db variable 'asm.inject_apm_do_not_touch', which can be disabled (the default is enabled) to prevent the <APM_DO_NOT_TOUCH> tag from being injected, thus allowing the application to be displayed correctly.
To disable db variable, run the following command:
modify sys db asm.inject_apm_do_not_touch value false
748848 : Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers
Component: Application Security Manager
Symptoms:
Multiple virtual servers are each using different cookie names for cookies 72, 74, and 76. This occurred because these cookie names are dependent on virtual server properties.
Conditions:
-- Multiple subdomains are configured to resolve to different virtual servers with different ASM policies.
-- Anti-Bot Mobile SDK attempts to connect to these virtual servers.
Impact:
Anti-Bot Mobile SDK is not able to connect to multiple virtual servers using the same cookie.
Workaround:
None.
Fix:
The relevant cookie names were changed.
The format TS00000000_7x (prefix/suffix may change according to configuration) is now used for cookies 72, 74, and 76, which results in identical cookie names for all configured virtual servers.
This will allow Anti-Bot Mobile SDK to connect to multiple virtual servers using the same cookie.
748813 : tmm cores under stress test on virtual server with DoS profile with admd enabled
Component: Anomaly Detection Services
Symptoms:
tmm cores
Conditions:
-- Systems under stress testing.
-- Virtual server with DoS profile with admd enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off Behavioral DoS.
Fix:
This tmm core no longer occurs under these conditions.
748649 : Key logging chrome extension can bypass Websafe KeyLogger
Component: Fraud Protection Services
Symptoms:
When installed, the JSLogger extension can bypass password field protection and capture the real password input.
Conditions:
JSLogger extension installed
Impact:
Password value is captured
Workaround:
N/A
Fix:
Code adjustment for better event faking
748572 : Occasionally ramcache might crash when data is sent without the corresponding event.
Component: Access Policy Manager
Symptoms:
Ramcache filter causes crash when sending data without HUDCTL_RESPONSE while in CACHE_COLLECT event.
Conditions:
When the access_policy_trace db variable is enabled, failure in insertion of policy path cookie in the header while sending a redirect to the client might cause the ramcache filter to SIGSEGV.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off the access_policy_trace db variable.
Fix:
The system now handles this scenario, so there is no longer a ramcache crash.
748545 : Remove 'sys-unconfig' and 'rhel-configure' binaries and related systemd service
Component: TMOS
Symptoms:
The RHEL-related binaries 'sys-unconfig' and 'rhel-configure' are shipped with BIG-IP when they are not relevant.
Conditions:
Running a BIG-IP v14.1.x release
Impact:
Binaries with RHEL branding that are not used by BIG-IP are installed on the system and generate superfluous files.
Workaround:
N/A
Fix:
Removed 'sys-unconfig' and 'rhel-configure' binaries and related systemd service
748502 : TMM may crash when processing iSession traffic
Component: Wan Optimization Manager
Symptoms:
The TMM process may crash when processing traffic with an iSession virtual server.
Conditions:
iSession virtual server enabled
Impact:
TMM may crash, leading to failover event.
Workaround:
None.
Fix:
TMM now processes iSession traffic as expected.
748452 : Unable to edit Per-Request Policies logged in as a user account configured with the Manager role.
Component: Access Policy Manager
Symptoms:
If you navigate in the GUI to Access :: Profiles :: Policies :: Per-Request Policies and try to edit a per-request policy while logged in as a user with the Manager role, you get an error message as follows:
An error has occurred while trying to process your request.
Conditions:
-- Logged in as a user whose role is Manager.
-- Trying to edit per-request policy.
Impact:
Cannot edit per-request policies with user accounts whose role is Manager.
Workaround:
Log in with a user configured with the Admin role to edit in this case.
Fix:
You can now edit per-request policies from the GUI and tmsh while logged in as a user configured with a Manager role.
748451 : Manager users cannot perform changes in per-request policy properties
Component: Access Policy Manager
Symptoms:
Users with Admin role can edit and administer per-request policy properties. Users with Manager role, which can manage most APM objects, cannot manage this specific one.
Conditions:
User with Manager role tries to modify or change per-request policies properties.
Impact:
Cannot manage per-request policy properties if user role is Manager.
Workaround:
There is no workaround other than having an Admin user manage these objects.
Fix:
Added per-request policy objects to the list of objects that can be managed by users with the Manager role.
748443 : Higig MAC recovery mechanism may fail continuously during run time
Component: TMOS
Symptoms:
At runtime, the Higig MAC recovery mechanism might be triggered due to FCS errors. Normally, the recovery mechanism will recover from the issue. However, if it does not recover, the mechanism will continue to run over and over again.
Conditions:
May be related to the traffic pattern the blade is processing.
Impact:
The blade stays in the Inoperative state and is not able to pass traffic.
Workaround:
Manually reboot the blade.
Fix:
The blade now reboots if FCS recovery is not able to fix the link. The reboot can be disabled using the DB variable tmm.hsb.hgmfcsresetaction.
748409 : Illegal parameter violation when json parsing a parameter on a case-insensitive policy
Component: Application Security Manager
Symptoms:
An illegal parameter violation is raised although the parameter is configured
Conditions:
The policy is configured as case insensitive, and a parameter is configured with capital letters
Impact:
False positive illegal parameter violation
Workaround:
Configure violation as case sensitive
748321 : bd crash with specific scenario
Component: Application Security Manager
Symptoms:
BD crash
Conditions:
A specific scenario may cause bd crash.
Impact:
Failover, traffic disturbance.
Workaround:
N/A
748295-2 : TMM crashes on shutdown when using virtio NICs for dataplane
Component: TMOS
Symptoms:
TMM crash on stop or restart.
Conditions:
1. Put the virtio NIC in a bad state while TMM is running (for example, detach the NIC from the host).
2. Run the following command: bigstart stop tmm
Impact:
TMM crash generates a core file. However, there is no impact on traffic as the device is already in a bad state before the crash.
Workaround:
None.
Fix:
TMM no longer crashes on stop/restart, regardless of the NICs' state.
748272 : Portal Access: IE: not rewritten content produced by rewritten document.write() targeted to parent window.
Component: Access Policy Manager
Symptoms:
With Portal Access and the Microsoft Internet Explorer (IE) browser, not all links on the page of a web application are rewritten.
Conditions:
-- Portal Access and IE browser.
-- Content created dynamically by JavaScript that uses document.write() targeted to the parent window is not rewritten.
Impact:
The web application does not work as expected.
Workaround:
You can use a custom iRule to work around this issue.
Fix:
With Portal Access and the Microsoft Internet Explorer (IE) browser, all links are now rewritten on the page of a web application.
748253 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
Component: Service Provider
Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.
Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.
Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.
Workaround:
To mitigate this issue:
1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).
Fix:
Prevented the standby from sending DWR packets to the active device, so that it no longer expects DWA responses that never arrive.
748245 : [PA] Client side HTML patcher does not handle the case when both newlines and HTML tags are present in attribute value
Component: Access Policy Manager
Symptoms:
Broken HTML on the page. This occurs when both newlines and HTML tags are specified in the attribute value definition.
Conditions:
document.write() with newlines in an attribute value.
For example:
document.write("<a id=atag2 title='<br>\n<br>' href=http://www.us></a>");
Impact:
The web application malfunctions.
Workaround:
There is no workaround other than not using this construction.
Fix:
You can now use both newlines and HTML tags specified in the attribute value definition.
748205 : SSD bay identification incorrect for RAID drive replacement★
Component: TMOS
Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.
Conditions:
iSeries platform with dual SSDs.
Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot.
Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.
The following steps will help to avoid inadvertently removing the wrong drive:
As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.
Here are some steps to follow to prevent this issue from occurring.
1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
• tmsh show sys raid
• tmsh show sys raid array
• array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized. (Note: the tmsh commands do not show the new drive at this stage.)
12. Logically add the new drive using the following command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.
Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working Array member, and you cannot add it to the array. That means system responds and replicates as if 'HD already exists'.
748187 : 'Transaction Not Found' Error on PATCH after Transaction has been Created
Component: TMOS
Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.
Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.
Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.
Workaround:
If the transaction is not very large, configure icrd_child to run single-threaded only.
Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.
748177 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wildcards not matched to the most specific WideIP.
Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.
Impact:
DNS request will get wrong answer.
Workaround:
There is no workaround at this time.
748176-2 : BDoS Signature can wrongly match a DNS packet
Component: Advanced Firewall Manager
Symptoms:
When using the BDoS feature for the DNS protocol, with auto-generated DNS signatures present or custom DNS signatures configured manually, a valid DNS request is at times dropped because it wrongly matches the configured or dynamically generated DNS signature while the box is under load and BDoS mitigation is ongoing.
Conditions:
-- A DNS signature is configured manually, or a dynamically generated DNS signature exists.
-- Such a DNS signature matches a DNS packet wrongly, even though the signature match criteria differ from the matched DNS packet.
Impact:
When the system is under load, the configured DNS signature enters Attack Mitigation mode (which is normal), but may wrongly drop a DNS packet that does not match the signature.
Workaround:
Disable BDoS for protocol DNS. Also, do not use Manually configured DNS Signatures.
Fix:
The parsed DNS information was cached as a performance optimization and reused incorrectly; this has been corrected.
748121 : admd livelock under CPU starvation
Component: Anomaly Detection Services
Symptoms:
Due to resource starvation, the worker thread of admd does not get CPU time for more than two minutes, while the configuration thread does.
The admd heartbeat failure occurs at 120 seconds, and the SOD daemon kills admd.
The system posts messages similar to the following:
-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Publisher0 fails action is restart.
Conditions:
-- High CPU / memory utilization,
-- Very large configuration.
Note: There are no known special configuration requirements to have this occur.
Impact:
admd restarts.
Behavioral DoS does not work.
Workaround:
Reboot the BIG-IP system.
Fix:
admd livelock event no longer occurs in response to CPU starvation in very large configurations.
748081 : Memory leak in BDoS module
Component: Advanced Firewall Manager
Symptoms:
TMM runs out of memory and restarts.
The memory usage shown by "tmctl memory_usage_stat" for the "session" module line is high and keeps growing.
Conditions:
The issue is seen when the BDoS feature is configured and custom or auto-generated BDoS signatures exist. When such signatures exist, the BDoS one-second timer callback leaks memory.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the BDoS feature.
Disable all configured and auto-generated BDoS signatures using the following TMSH command:
modify security dos dos-signature all { state disabled }
748043 : MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
Component: Service Provider
Symptoms:
The SIP server sends a SIP request to the client.
The SIP server inserts a different port, so that responses are received on a different port.
The client sends the response on the newly requested port.
BIG-IP drops the packet.
Conditions:
The SIP server requests that the SIP response arrive on a different port.
Impact:
The SIP request does not receive its SIP response.
Workaround:
There is no workaround.
Fix:
BIG-IP now processes the SIP response and sends it to the SIP server.
747977 : File manually uploaded information is not synced correctly between blades
Component: Application Security Manager
Symptoms:
When you upload a file, the file is marked internally as manually uploaded. When the system downloads a file, it is marked as not being manually uploaded. This information is not passed and handled correctly on chassis systems.
Conditions:
-- The configuration is deployed on multiple blades.
-- Failover has occurred.
-- A new update file is downloaded from ESDM on the primary blade.
Impact:
Security updates are not automatically installed on the new primary blade after failover.
Workaround:
Manually install security updates on the new primary blade.
Fix:
The system now correctly syncs and handles the information about whether files were manually uploaded or downloaded from ESDM.
747968 : DNS64 stats not increasing when requests go through dns cache resolver
Component: Local Traffic Manager
Symptoms:
DNS64 stats do not increment in the output of tmsh show ltm profile dns or tmctl profile_dns_stat if responses come from the DNS cache resolver.
Conditions:
DNS responses come from the DNS cache resolver.
Impact:
DNS64 stats are incorrect.
Workaround:
There is no workaround at this time.
747952 : iApp: f5.ldap fails when monitor pw contains '$'
Component: TMOS
Symptoms:
The f5.ldap iApp posts an error and fails to deploy when the user enters a monitor password containing the '$' (dollar/peso currency) character.
Conditions:
LDAP monitor password contains '$'.
Impact:
iApp does not deploy.
Workaround:
There are two workarounds:
-- Create the monitor prior to deploying the iApp, and then select it from the dropdown list in the iApp to deploy.
-- Use a monitor password that does not contain '$'; the iApp deploys normally for such passwords.
Fix:
This version supports the use of monitor passwords containing '$' in the f5.ldap iApp template.
747926-3 : Rare TMM restart due to NULL pointer access during AFM ACL logging
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while logging ACL matches.
Conditions:
The problem can happen only with the following configuration:
1) AFM logging for ACLs is enabled.
2) The Security Network Logging profile has the property "log-translation-fields enabled".
The problem happens under extremely rare circumstances.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Defensive error handling has been added to avoid the NULL pointer access.
747922 : With AFM enabled, during bootup, there is a small possibility of a tmm crash
Component: Advanced Firewall Manager
Symptoms:
During bootup, with AFM enabled, there is a small possibility of a tmm crash. The tmm process generates a core file and then automatically restarts.
Conditions:
-- AFM enabled.
-- sPVA-capable hardware platform.
-- Boot up the system.
Impact:
tmm crashes, coredumps, and then restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The race-condition has been fixed, so this issue no longer occurs.
747909 : GTPv2 MEI and Serving-Network fields decoded incorrectly
Component: Service Provider
Symptoms:
MEI and Serving-Network values obtained with the GTP::ie get iRule command have their digits swapped in pairs, the first digit missing, and a random digit appended at the end.
Conditions:
Processing GTP traffic with iRules.
Impact:
It is impossible to obtain the correct values of the MEI and Serving-Network fields of GTPv2 packets when processing them with iRules.
Workaround:
No workaround.
Fix:
Decoding of GTPv2 MEI and Serving-Network fields corrected.
747905-3 : 'Illegal Query String Length' violation displays wrong length
Component: Application Security Manager
Symptoms:
When the system decodes a query string that exceeds the allowed query string length, the system reports the incorrect 'Illegal Query String Length' violation string length.
Conditions:
-- 'Illegal Query String Length' violation is encountered.
-- The query string is decoded and reported.
Impact:
The system reports the decoded character count rather than bytes. For example, for a Detected Query String Length = 3391, the system posts a Detected Query String Length = 1995.
Workaround:
None.
747799 : 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile
Component: TMOS
Symptoms:
During upgrade, the configuration fails to load due to an invalid client SSL profile cert/key configuration. The system posts an error: Unable to load the certificate file.
This occurs because of an invalid configuration that bug 614675, which exists only in 11.5.4-HF2, can create. Because of that bug, it is possible to create a client SSL profile with an empty cert-key-chain, as shown in the following example:
ltm profile client-ssl /Common/cssl {
app-service none
cert none
cert-key-chain {
"" { } <=============== empty cert-key-chain
defualt_rsa_ckc { <==== typo: 'defualt'
cert /Common/default.crt
key /Common/default.key
}
}
key none
}
Note: This upgrade failure has a unique symptom: the typo 'defualt_rsa_ckc'. However, the name itself has no negative impact; the issue is the empty cert-key-chain.
After upgrading such a configuration from 11.5.4-HF2 to any later version of the software, the system posts a validation error, and the configuration fails to load.
Conditions:
The issue occurs when all the following conditions are met:
-- You are using 11.5.4-HF2.
-- The 11.5.4-HF2 configuration contains an invalid client SSL profile (i.e., a client SSL profile containing an empty cert-key-chain).
-- You upgrade to any software version later than 11.5.4-HF2.
Impact:
After upgrade, the configuration fails to load. The system posts an error message similar to the following:
-- "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 11.5.4 Loading schema version: 13.1.0.8 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.
Workaround:
You can fix the profile configuration in /config/bigip.conf either before the upgrade (in 11.5.4-HF2), or after the upgrade failure.
To do so:
1. Replace 'cert none' with a cert name, such as /Common/default.crt.
2. Replace 'key none' with a key name, such as /Common/default.key.
3. Remove the entire line containing the following: "" { }.
4. Correct the spelling of 'defualt' to 'default'. Although there are no negative consequences of this typo, it is still a good idea.
The new profile should appear similar to the following:
ltm profile client-ssl /Common/cssl {
app-service none
cert /Common/default.crt
chain none
cert-key-chain {
default_rsa_ckc {
cert /Common/default.crt
key /Common/default.key
}
}
key /Common/default.key
}
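An added example, not F5 code and not part of this release note: it scans bigip.conf text for client SSL profiles with the empty cert-key-chain member described above and applies the four workaround steps to only those profiles. The sample stanza is constructed from the invalid profile shown in this entry, and the replacement cert and key names are the defaults suggested in steps 1 and 2.

```python
import re

# Constructed sample: the invalid profile shown in this entry, as produced by 11.5.4-HF2.
SAMPLE_BAD = (
    "ltm profile client-ssl /Common/cssl {\n"
    "    app-service none\n"
    "    cert none\n"
    "    cert-key-chain {\n"
    '        "" { }\n'
    "        defualt_rsa_ckc {\n"
    "            cert /Common/default.crt\n"
    "            key /Common/default.key\n"
    "        }\n"
    "    }\n"
    "    key none\n"
    "}\n"
)

STANZA_RE = re.compile(r"^ltm profile client-ssl (\S+) \{", re.MULTILINE)
# The empty cert-key-chain member that makes the config fail to load after upgrade.
EMPTY_MEMBER_RE = re.compile(r'^\s*"" \{ \}\s*$', re.MULTILINE)


def _stanza_end(conf, open_brace_idx):
    """Return the index just past the '}' matching the '{' at open_brace_idx."""
    depth = 0
    for i in range(open_brace_idx, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced braces in client-ssl stanza")


def iter_client_ssl_stanzas(conf):
    """Yield (profile name, start offset, end offset) for each client-ssl profile."""
    for m in STANZA_RE.finditer(conf):
        yield m.group(1), m.start(), _stanza_end(conf, m.end() - 1)


def find_empty_cert_key_chains(conf):
    """Names of client-ssl profiles that contain the empty '"" { }' member."""
    return [name for name, s, e in iter_client_ssl_stanzas(conf)
            if EMPTY_MEMBER_RE.search(conf[s:e])]


def repair_stanza(stanza, cert="/Common/default.crt", key="/Common/default.key"):
    """Apply the four workaround steps to one profile stanza (no trailing newline)."""
    out = []
    for line in stanza.splitlines():
        stripped = line.strip()
        if stripped == '"" { }':
            continue                                  # step 3: drop the empty member
        indent = line[: len(line) - len(line.lstrip())]
        if stripped == "cert none":
            line = f"{indent}cert {cert}"             # step 1
        elif stripped == "key none":
            line = f"{indent}key {key}"               # step 2
        elif stripped.startswith("defualt"):
            line = line.replace("defualt", "default", 1)  # step 4: fix the typo
        out.append(line)
    return "\n".join(out)


def repair_conf(conf, **kw):
    """Repair only the profiles that actually carry an empty cert-key-chain member."""
    pieces, pos = [], 0
    for _, s, e in iter_client_ssl_stanzas(conf):
        if not EMPTY_MEMBER_RE.search(conf[s:e]):
            continue
        pieces.append(conf[pos:s])
        pieces.append(repair_stanza(conf[s:e], **kw))
        pos = e
    pieces.append(conf[pos:])
    return "".join(pieces)


if __name__ == "__main__":
    print("invalid profiles:", find_empty_cert_key_chains(SAMPLE_BAD))
    print(repair_conf(SAMPLE_BAD))
```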
747777 : Extractions are learned in manual learning mode
Component: Application Security Manager
Symptoms:
- BIG-IP reports "Changes pending" frequently.
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element".
Conditions:
Direct cause: the policy contains parameters with the dynamic value type.
Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525).
Impact:
- BIG-IP reports "Changes pending" frequently.
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element".
Workaround:
- Change the value type of all dynamic parameters to User Input with the Alpha-Numeric data type.
- Unset the parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').
Fix:
Policy Builder no longer sets extractions for dynamic parameters in manual mode.
747735 : Virtual server with access profile in local traffic group is disabled after upgrade from pre-13.1
Component: Access Policy Manager
Symptoms:
The virtual server is disabled, with the following error message:
Oct 3 16:03:00 istc-sslvpn warning mcpd[6831]: 0107185a:4: Warning generated, for version 13.1.0 or greater : Disable virtual server /Common/VPN_vs because it has access profile attached and its associated traffic group (/Common/traffic-group-local-only) is different from another one () that is also associated with a virtual server with access profile attached
Conditions:
A standalone device with a virtual server using the same IP address as the self IP.
Impact:
Virtual server with access profile is disabled.
Workaround:
Manually re-enable virtual server.
Fix:
Virtual server state is kept the same after upgrade.
747727 : HTTP Profile Request Header Insert Tcl error
Component: Local Traffic Manager
Symptoms:
A TMM crash.
Conditions:
When the HTTP profile Request Header Insert field contains a Tcl-interpreted string, Tcl is executed to expand the string before the header is inserted into the request header block.
A Tcl error occurs during this expansion.
Impact:
In some cases this can cause TMM to crash. Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following to mitigate this:
-- Verify that your Tcl executes correctly in all cases.
-- Use a static string.
Fix:
TMM no longer crashes under these conditions.
747725 : Kerberos Auth agent may override settings that manually made to krb5.conf
Component: Access Policy Manager
Symptoms:
When apmd starts up, it can override settings in the krb5.conf file with those required by the Kerberos Auth agent.
Conditions:
- Kerberos Auth is configured in an Access Policy.
- The administrator has manually changed the [realms] section of the configured realm in krb5.conf.
Impact:
Kerberos Auth agent behavior is not what the administrator expects after the changes.
It may also prevent WebSSO (Kerberos) from behaving properly.
Workaround:
None
Fix:
After the fix, the configuration file changes are merged: the Kerberos Auth agent adds the lines it requires and does not override existing settings.
747682 : Phishing detection is loaded without being licensed
Component: Fraud Protection Services
Symptoms:
When a client has Phishing Detection enabled but not licensed, Phishing Detection is still loaded even though it should not be.
Conditions:
Phishing Detection is enabled but not licensed.
Impact:
Phishing Detection is loaded even though it is not licensed.
Workaround:
Configure as BLFN:
function(C){C.repeat=1;C.A.B.B=0;}
Fix:
Phishing Detection is no longer loaded when the module is not licensed.
747657 : Paging controller changed
Component: Application Security Manager
Symptoms:
The old paging controller allowed you to jump to the last page or to any page you chose.
This could result in very long load times.
Conditions:
Many entries in split-view pages (e.g., Request Log).
Impact:
Very long load times or even a timeout.
Workaround:
Instead of going to the last page, change the sorting order.
Jumping to a specific page beyond the first 3-5 is not a common scenario and can be replaced by applying a filter.
Fix:
The paging controller has been changed to a more modern one that does not allow jumping to the last page or to a custom page; only 3-4 pages in each direction are offered.
747624 : RADIUS Authentication over RSA SecurID is not working in challenge mode
Component: Access Policy Manager
Symptoms:
Cannot change/reset RSA PIN.
Conditions:
Using RADIUS Auth Agent to communicate with RSA SecurID server for user authentication.
Impact:
Users cannot change or reset RSA PIN.
Workaround:
None.
Fix:
RADIUS Authentication over RSA SecurID now works in challenge mode.
747617 : TMM core when processing invalid timer
Component: Local Traffic Manager
Symptoms:
TMM crashes while processing an SSLO iRule that enables the SSL filter on an aborted flow.
Conditions:
SSLO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
SSL filter will no longer be enabled after connection close.
747592 : PHP vulnerability CVE-2018-17082
Component: TMOS
Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
Conditions:
This vulnerability does not require authentication and can be exploited via a POST request. Because of the 'Transfer-Encoding: chunked' header, PHP echoes the body as the response.
Impact:
F5 products are not affected by this vulnerability. The actual impact of this vulnerability is a possible XSS attack.
Workaround:
No known workaround.
Fix:
The bucket brigade can end up in an inconsistent state if something fails during shutdown, so it is now cleaned up.
747560 : ASM REST: Unable to download Whitehat vulnerabilities
Component: Application Security Manager
Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.
Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.
Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided; they must be downloaded manually, or the GUI must be used.
Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.
Fix:
The REST endpoint for importing Scanner Vulnerabilities for the Whitehat Scanner now correctly downloads the vulnerability file automatically when no file is provided.
747550 : Error 'This Logout URL already exists!' when updating logout page via GUI
Component: Application Security Manager
Symptoms:
When you try to update the Logout Page, you get the error 'This Logout URL already exists!'.
Conditions:
1. Create any Logout page.
2. Try to update it.
Impact:
The properties of the Logout Page cannot be updated.
Workaround:
Delete the logout page and create a new one.
Fix:
This release addresses the issue, so that no error is reported when updating the Logout Page.
747239 : TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection
Component: Local Traffic Manager
Symptoms:
TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection.
Conditions:
This might occur rarely when the HTTP/2 gateway is configured on a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
TMM SIGABRT no longer occurs under these conditions.
747225 : PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart
Component: Advanced Firewall Manager
Symptoms:
When there are scheduled firewall rules and per-policy compilation optimization is enabled, PCCD may enter a crash loop after a new build is installed. In very rare cases this can happen after a regular BIG-IP restart. Per-policy compilation optimization is enabled by default (the sys db variable pccd.perpolicycompilation is true).
Conditions:
-- AFM is licensed and provisioned.
-- There are scheduled firewall rules.
-- Per-policy compilation optimization is enabled (sys db variable pccd.perpolicycompilation is true).
-- The BIG-IP system is upgraded or restarted.
Impact:
After this failure, PCCD crashes continuously (a rare problem). The new firewall config is not applied to data traffic; the pre-upgrade firewall config is still applied to data traffic.
Workaround:
Set sys db variable pccd.perpolicycompilation to false.
Fix:
PCCD works correctly in these conditions.
747187 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response
Component: Service Provider
Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.
Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.
Impact:
Media does not flow on pinholes for which a collision was detected and reported.
Workaround:
None
Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.
747136 : CSRF fires Javascript error in IE7 or IE11 Compatibility View to IE7
Component: Application Security Manager
Symptoms:
When CSRF protection is enabled in an ASM policy, JavaScript errors occur in IE7.
Conditions:
- ASM is provisioned.
- An ASM policy is attached to a virtual server.
- ASM CSRF protection is configured.
- An HTML page is accessed via IE7 or IE11 Compatibility View to IE7.
Impact:
CSRF protection does not work in IE7; POST requests sent from IE7 are blocked.
Workaround:
Disable CSRF protection in the ASM policy.
Fix:
The CSRF code has been fixed and now has basic support for IE7.
747104 : LibSSH Vulnerability: CVE-2018-10933
Solution Article: K52868493
Component: Advanced Firewall Manager
Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493
Conditions:
For more information see: https://support.f5.com/csp/article/K52868493
Impact:
For more information see: https://support.f5.com/csp/article/K52868493
Fix:
For more information see: https://support.f5.com/csp/article/K52868493
747085 : A blade may occasionally get stuck and never be ready due to shared_random_data not ready
Component: Local Traffic Manager
Symptoms:
A blade may occasionally get stuck and never become ready because shared_random_data is not ready.
Conditions:
This occurs very occasionally when a new blade is inserted.
Impact:
The blade cannot start properly.
Workaround:
None.
Fix:
There is now reliable communication for shared_random_data to guarantee a non-primary node gets a copy of shared_random data.
747065 : PEM iRule burst of session ADDs leads to missing sessions
Component: Policy Enforcement Manager
Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.
Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.
Impact:
Policies available in the missing session cannot be accessed.
Workaround:
Add a delay of at least a few milliseconds between adding multiple sessions with the same subscriber ID and IP address.
Fix:
This release handles the issue that prevented the addition of the new subscriber. Now, even after bursts of iRule additions, no re-additions fail.
746941-3 : avrd memory leak when BIG-IQ fails to receive stats information
Component: Application Visibility and Reporting
Symptoms:
AVRD leaks memory when it fails to send statistical information to BIG-IQ.
Conditions:
BIG-IP is managed by BIG-IQ version 6.0.0 or higher, and stats collection is enabled.
In addition, BIG-IQ has some malfunction that prevents it from receiving the statistical information that BIG-IP is sending (for example, all DCDs are down, or there is no network connection between BIG-IP and BIG-IQ).
Impact:
avrd memory usage increases over time, leading to an avrd restart when it gets too large.
Workaround:
Fix the connectivity issue between BIG-IP and BIG-IQ, not just to prevent this memory leak, but for more important functionality such as the visibility and alert features in BIG-IQ.
Fix:
The memory leak is fixed.
746926 : Pattern match in profile configuration may cause excessive memory and CPU usage
Component: Local Traffic Manager
Symptoms:
tmm has abnormally high memory and CPU usage.
Conditions:
In a profile configuration, a pattern match such as "glob" is used, e.g.:
ltm profile http-compression my_httpcompression {
uri-include { .* "(\?#glob)*" }
}
Impact:
Excessive memory and CPU usage can drag system performance.
746922 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
Component: Local Traffic Manager
Symptoms:
When a routing entity belonging to the child route domain searches for an egress point for a traffic flow, it searches for a routing entry in the child domain first; if nothing is found, it searches the parent route domain and returns the best routing entry found.
If the best routing entry from the parent route domain is selected, it is held by the routing entity and used to forward the traffic flow. Later, a new route entry is added to the child route domain's routing table, and this route entry might be better than the previously selected one. But the previously selected entry does not get invalidated, so the routing entity holding it keeps forwarding traffic to a less-preferable egress point.
#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
The pool member searches for the best egress point, finds nothing in the routing table for route domain 1, and then finds a routing entry in the parent route domain: 0.0.0.0/0%0.
Later, a new gateway for RD1 is added (0.0.0.0/0%1), which is preferable for the 1.1.1.1/32%1 pool member. The 0.0.0.0/0%0 entry should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, in this case 0.0.0.0/0%1.
Conditions:
1. There is more than one route domain in a parent-child relationship.
2. There are routing entries in the parent route domain good enough to be selected as an egress point for a routing object (for instance, a pool member) from the child route domain.
3. The routing entry from the parent route domain is selected as the egress point for the object from the child route domain.
4. A new routing entry is added for the child route domain.
Impact:
If a newly added route is preferable to an existing one in a different route domain, the new, preferable route is not used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected or incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.
Workaround:
Use either of these workarounds after a new route in the child domain is added.
-- Recreate a route.
Recreate the parent route domain's routes. If routes are gathered via routing protocols, restart the tmrouted daemon.
-- Recreate a routing object.
- If a pool member is affected, recreate the pool member.
- If a SNAT pool list is affected, recreate it.
- And so on.
Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table.
746877 : Omitted check for success of memory allocation for DNSsec resource record
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.
Conditions:
During memory stress while handling DNSSEC traffic.
Impact:
TMM panic and subsequent interruption of network traffic.
Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.
746875 : When the rate-limit setting is configured to a low value, sampled attack log messages are not logged
Component: Advanced Firewall Manager
Symptoms:
On hardware platforms, with the default-internal-rate-limit of a DoS vector set to a low number, there is no sampled attack message in the log, even though the attack is being detected.
Conditions:
-- The default-internal-rate-limit of the targeted DoS vector is set to a low number, e.g., 2.
-- An attack is detected.
Impact:
No visibility of the attack after being detected.
Workaround:
Use a higher number for the default-internal-rate-limit of the targeted DoS vector.
Fix:
A low default-internal-rate-limit value no longer causes this problem; the sampled attack log message is now shown.
746873 : Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing
Component: TMOS
Symptoms:
Non-admin users cannot use tmsh list commands. Running the command gives the following error:
Unexpected Error: Can't display all items, can't get object count from mcpd.
Conditions:
Run a tmsh list command when logged in as non-admin user.
Impact:
Error is posted. Non-admin users cannot use the tmsh list commands.
Workaround:
Log in as admin to execute the tmsh list command.
Fix:
Non-admin users can now run tmsh list commands, as appropriate for the Role associated with the type of user account.
746825-4 : MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls
Component: Service Provider
Symptoms:
When a temporary registration is created for an un-subscribed user making an outgoing call, an ephemeral listener to receive incoming messages is not created.
Conditions:
If the nonregister-subscriber-callout attribute in the siprouter-alg profile is enabled and an unregistered client device places an outgoing call, a temporary registration is created. This temporary registration lives for the life of the call. If the connection from the client is closed during the lifetime of the temporary registration, it is not possible for an external device to reach the client.
Impact:
The callee of an outgoing call initiated by an unregistered SIP device is not able to end the call.
Workaround:
There is no workaround at this time.
Fix:
When a temporary registration is created, an ephemeral listener is created to receive SIP commands to be forwarded to the client device.
746823-1 : AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members
Component: Application Visibility and Reporting
Symptoms:
In a configuration where AVR is set to send telemetry data to an external source (such as a BIG-IQ connection) and there is a large number of config objects in the system, such as virtual servers and pool members, AVRD crashes constantly.
Conditions:
1. AVR is set to send telemetry data to an external source (such as a BIG-IQ connection).
2. There is a large number of config objects in the system, such as virtual servers and pool members.
Impact:
The AVRD process crashes and telemetry data is not collected.
Workaround:
N/A
Fix:
The issue is fixed; AVR can now handle any number of virtuals/pool members when sending its telemetry.
746771 : APMD recreates config snapshots for all access profiles every minute
Component: Access Policy Manager
Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers APMD to recreate the config snapshots for all access profiles. The detect-recreate cycle repeats every minute.
Sep 11 17:57:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
Sep 11 17:57:59 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...
Sep 11 17:58:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
Sep 11 17:59:00 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
Conditions:
The condition under which the access profile configurations in APMD and MCPD become out of sync is unknown.
Impact:
TMM memory usage will increase due to excessive config snapshots created.
Workaround:
Restart APMD to clear the out-of-sync condition between APMD and MCPD.
Fix:
N/A
746768 : APMD leaks memory if access policy contains variable/resource assign policy items
Component: Access Policy Manager
Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.
Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.
Impact:
APMD's memory footprint will increase whenever the access policy is applied.
Workaround:
There is no workaround.
Fix:
Memory growth has been addressed.
746750 : Search engines get Device ID challenges when using the predefined profiles
Component: Application Security Manager
Symptoms:
When using one of the pre-defined profiles, "bot-defense-device-id-generate-after-access" or "bot-defense-device-id-generate-before-access", search engines might get Device ID challenges (and will most likely be blocked, since they cannot run JavaScript).
Conditions:
One of the pre-defined profiles ("bot-defense-device-id-generate-after-access" or "bot-defense-device-id-generate-before-access") is attached to a virtual server, and a valid search engine sends requests.
Impact:
Search engines may be blocked.
Workaround:
Change mitigation of "Trusted Bot" in the attached profile to "Alarm":
1. Go to
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-after-access
or
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-before-access
2. Go to tab "Mitigation Settings"
3. For "Trusted Bot" choose "Alarm".
4. Save profile.
746746 : syn-cookies incorrectly enabled in f5.ip_forwarding iApp template
Component: TMOS
Symptoms:
The f5.ip_forwarding iApp template disables loose-init and loose-close but does not disable SYN cookie protection in the fastL4 profile, causing traffic degradation.
Conditions:
Any deployment of the f5.ip_forwarding template will trigger this issue.
Impact:
Dropped packets.
Workaround:
Disable app-service strict-updates and then disable syn-cookie-enable on the appropriate fastL4 profile.
Fix:
SYN cookie protection is now correctly disabled in the fastL4 profile created during deployments of the f5.ip_forwarding iApp template.
746731 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
    when DIAMETER_EGRESS {
        if { [serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}
Fix:
This release always clears the Mandatory bit for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.
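To show the framing the workaround above operates on, here is an added Python example (not BIG-IP code) that parses a Capabilities-Exchange-Request per RFC 6733, reports whether Firmware-Revision (AVP 267) carries the Mandatory bit, and clears that bit the way the iRule does. The Origin-Host, Vendor-Id and Firmware-Revision values are constructed for the example.

```python
"""Diameter (RFC 6733) framing helpers: detect and clear the Mandatory bit on the
Firmware-Revision AVP (code 267) in a Capabilities-Exchange-Request (command 257).
Added example; the message contents below are constructed, not captured."""
import struct

DIAMETER_VERSION = 1
CMD_CER = 257                 # Capabilities-Exchange-Request/Answer command code
AVP_ORIGIN_HOST = 264
AVP_VENDOR_ID = 266
AVP_FIRMWARE_REVISION = 267
AVP_PRODUCT_NAME = 269
AVP_ORIGIN_REALM = 296
MSG_FLAG_R = 0x80             # message header flag: Request
AVP_FLAG_V = 0x80             # AVP flag: Vendor-Specific (adds a 4-byte Vendor-Id)
AVP_FLAG_M = 0x40             # AVP flag: Mandatory (peer must understand the AVP)


def _pad4(n):
    return (n + 3) & ~3


def build_avp(code, data, flags=0):
    """Encode one non-vendor AVP: code(4) flags(1) length(3) data, padded to 4 bytes."""
    length = 8 + len(data)
    avp = struct.pack("!IB", code, flags) + struct.pack("!I", length)[1:]
    return avp + data + b"\x00" * (_pad4(length) - length)


def build_message(command_code, avps, flags=MSG_FLAG_R, app_id=0, hbh=1, e2e=1):
    """Encode the 20-byte Diameter header followed by the AVPs."""
    body = b"".join(avps)
    header = struct.pack("!B", DIAMETER_VERSION) + struct.pack("!I", 20 + len(body))[1:]
    header += struct.pack("!B", flags) + struct.pack("!I", command_code)[1:]
    header += struct.pack("!III", app_id, hbh, e2e)
    return header + body


def command_code(msg):
    return int.from_bytes(msg[5:8], "big")


def iter_avps(msg):
    """Yield (offset, code, flags) for each AVP in the message body."""
    total = int.from_bytes(msg[1:4], "big")
    off = 20
    while off + 8 <= total:
        code, flags = struct.unpack_from("!IB", msg, off)
        length = int.from_bytes(msg[off + 5:off + 8], "big")
        if length < 8 or off + length > total:
            raise ValueError("malformed AVP at offset %d" % off)
        yield off, code, flags
        off += _pad4(length)


def firmware_revision_is_mandatory(msg):
    """True when a CER/CEA carries Firmware-Revision with the M bit set. RFC 6733
    specifies this AVP with M cleared, so a strict peer may tear the connection down."""
    if command_code(msg) != CMD_CER:
        return False
    return any(code == AVP_FIRMWARE_REVISION and flags & AVP_FLAG_M
               for _, code, flags in iter_avps(msg))


def clear_mandatory_bit(msg, avp_code=AVP_FIRMWARE_REVISION):
    """Return a copy of msg with the M bit cleared on every AVP of the given code.
    The iRule workaround writes the whole flags byte as 0; Firmware-Revision carries
    neither V nor P, so clearing M alone produces the same bytes."""
    out = bytearray(msg)
    for off, code, flags in iter_avps(msg):
        if code == avp_code:
            out[off + 4] = flags & ~AVP_FLAG_M
    return bytes(out)


def sample_cer(firmware_mandatory=True):
    """Constructed CER from a hypothetical host; the Vendor-Id and revision are sample values."""
    fw_flags = AVP_FLAG_M if firmware_mandatory else 0
    return build_message(CMD_CER, [
        build_avp(AVP_ORIGIN_HOST, b"bigip.example.test", AVP_FLAG_M),
        build_avp(AVP_ORIGIN_REALM, b"example.test", AVP_FLAG_M),
        build_avp(AVP_VENDOR_ID, struct.pack("!I", 3375), AVP_FLAG_M),
        build_avp(AVP_PRODUCT_NAME, b"BIG-IP"),
        build_avp(AVP_FIRMWARE_REVISION, struct.pack("!I", 15000000), fw_flags),
    ])


if __name__ == "__main__":
    cer = sample_cer()
    print("M bit on Firmware-Revision:", firmware_revision_is_mandatory(cer))
    print("after clearing:", firmware_revision_is_mandatory(clear_mandatory_bit(cer)))
```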
746719 : SERVFAIL when attempting to view or edit NS resource records in zonerunner
Component: Global Traffic Manager (DNS)
Symptoms:
While attempting to use ZoneRunner to edit NS resource records, the following error is returned:
01150b21:3: RCODE returned from query: 'SERVFAIL'.
Conditions:
- An NS resource record is selected using the zonerunner GUI
- The NS record points to a zone that bind is not authoritative for.
- Recursion is enabled on the zone in question
- The bind process is not able to reach the nameserver referenced in the NS record.
Impact:
Administrator is unable to use ZoneRunner to edit NS records.
Workaround:
Set recursion to no for the appropriate zone, perform the change, set recursion back to yes.
Note: This will impact any clients that expect recursion for the duration of the change.
746710 : Use of HTTP::cookie after HTTP::disable causes TMM core
Component: Local Traffic Manager
Symptoms:
When an iRule disables HTTP with HTTP::disable, subsequent use of HTTP::cookie for that request causes a TMM core dump.
Conditions:
1) An HTTP profile is configured on the virtual server.
2) HTTP::disable is called on the request.
3) HTTP::cookie is then called on that request.
Impact:
Using these iRule commands in the above-mentioned order results in a TMM core. Traffic is disrupted while tmm restarts.
Workaround:
Do not call HTTP::cookie on requests that have had HTTP disabled by HTTP::disable.
746704 : Syslog-ng Memory Leak
Component: TMOS
Symptoms:
After a long uptime (almost a year) syslog-ng had consumed 1.1G of virtual memory on BIG-IP.
Conditions:
syslog-ng leaks memory when it handles continuous SIGHUP signals.
Impact:
Memory necessary for optimal operation is constrained.
Workaround:
Run this command once a month:
service syslog-ng restart
746657 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
Component: TMOS
Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the fqdn 'interval' value.
The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).
The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.
Conditions:
Always.
Impact:
FQDN nodes and pool members may be created with a different fqdn refresh interval than intended.
Workaround:
When creating an FQDN node or pool member, specify the desired fqdn 'interval' value (either TTL, or the desired number of seconds).
Fix:
The tmsh help text for LTM nodes and pools correctly shows the default value of 3600 seconds for the fqdn 'interval' value.
746460 : SCTP profiles have been modified to advertise one stream unless configured otherwise
Component: TMOS
Symptoms:
SCTP profiles used to default to two streams. When a client connects, the profile negotiates assuming that the server can accept two streams. When a server connection is established later, if the server advertises only one stream, the connection resets. This scenario results in a difficult-to-diagnose condition.
Conditions:
If not configured, the default for SCTP profiles is now to advertise and accept only one stream in each direction.
Impact:
Unless otherwise explicitly configured, SCTP profiles advertise one stream only.
Workaround:
If more than one stream is required, configure the SCTP profile for a greater number.
Fix:
The SCTP profile has been modified to default to a more-reliable and easier-to-understand configuration.
Behavior Change:
The BIG-IP SCTP profile has been modified so that the default configuration for SCTP profiles supports 1 (one) stream.
746424-1 : Patched Cloud-Init to support AliYun Datasource
Component: TMOS
Symptoms:
The Cloud-Init shipped in this version of VE does not support the Alibaba Cloud metadata service, because it lacks the AliYun Datasource.
Conditions:
VE for Alibaba Cloud
Impact:
Provisioning VE through Cloud-Init does not work on Alibaba Cloud.
Workaround:
N/A
Fix:
Patched Cloud-Init to support AliYun Datasource
746394 : With ASM CORS set to 'Disabled' it strips all CORS headers in response.
Component: Application Security Manager
Symptoms:
All access-control-* headers are removed by ASM, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS-related JavaScript errors on the browser console, and blocks cross-domain requests that should be allowed.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Backend server sends CORS headers access-control-*.
Impact:
Any web application that sends cross-origin AJAX requests might not work.
Workaround:
Set up an iRule on a virtual server, for example:
when HTTP_RESPONSE {
    array set header_list { }
    foreach header_name [HTTP::header names] {
        if { [string tolower $header_name] starts_with "access-control-" } {
            set header_list($header_name) [HTTP::header $header_name]
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    foreach header_name [array names header_list] {
        if { !([HTTP::header exists $header_name]) } {
            HTTP::header insert $header_name $header_list($header_name)
        }
    }
}
Fix:
ASM no longer removes CORS headers when the feature is set to 'Disabled'. This is the correct behavior.
746344 : PEM may not re-establish diameter connection after HA switchover
Component: Policy Enforcement Manager
Symptoms:
PEM may not establish a Diameter connection after a failover if more than 25 days have elapsed between failovers.
Conditions:
More than 25 days have elapsed between failovers.
Impact:
The Diameter connection may not be re-established.
Workaround:
Restart tmm.
Fix:
The reconnect timer is now reset, allowing the Diameter connection to be established.
746298 : Server Technologies logos all appear as default icon
Component: Application Security Manager
Symptoms:
Server Technologies logos all appear as the default icon.
Conditions:
Browsing the list of available Server Technologies in an ASM policy.
Impact:
Server Technologies logos all appear as the default icon.
Workaround:
Install the most recent Server Technologies update file.
Fix:
Server Technology-specific logos appear correctly.
746266 : vCMP guest VLAN MAC mismatch across blades
Component: TMOS
Symptoms:
vCMP guests running on blades in a single chassis report different MAC addresses on a single VLAN after a host reboot.
Conditions:
This issue may be seen when all of the following conditions are met:
- One (or more) blades are turned off completely via AOM.
- Two VLANs are created.
- A multi-slot guest is deployed with the lexicographically higher VLAN.
- The lexicographically smaller VLAN is then assigned to the guest.
- The host is rebooted.
Impact:
Incorrect MAC addresses are reported by some blades.
Workaround:
There is no workaround at this time.
746261 : HA-Status changes to "Changes Pending" after Edge Client download
Component: Access Policy Manager
Symptoms:
In an HA device group, downloading the Edge Client on one device causes the "Changes Pending" indicator to turn on.
Conditions:
- Create a failover device group and put at least two devices in it.
- Navigate to Access Profile > Connectivity / VPN > Connectivity > Profiles.
- Choose a connectivity profile (create one if there is not already one).
- Click the "Customize Package" drop-down button and select either "Windows" or "Mac".
- Click Download.
Impact:
Gives the user a false impression that the configuration has changed.
Workaround:
No workaround.
Fix:
The "Changes Pending" indicator no longer turns on after an Edge Client download.
746260 : Attack status is not updated when Protected Objects Details Panel is refreshed
Component: Advanced Firewall Manager
Symptoms:
The Protected Objects Attack Status in the Protected Objects list table row is not updated when the details panel is refreshed.
Conditions:
For Protected Objects that show "Attack Detected...", it is possible that the initial loading or subsequent refresh of the details panel may not show any attacks because the attack has come to an end.
Impact:
Detail Panel attack information and row data could be out of sync.
Workaround:
Reload the Protected Objects page.
746243 : Usage of whitelist in DoS profile is not clear
Component: Advanced Firewall Manager
Symptoms:
- When adding an FQDN to the address list in a DoS profile or shared objects, the following message may appear if an FQDN policy is not configured:
01070734:3: Configuration error: Please configure a dns-resolver under global-fqdn-policy.
However, if AFM is not provisioned, then an fqdn policy cannot even be configured.
- HTTP (DoSL7) section of the DoS profile only supports single IP addresses, and IP with netmask.
- DNS/SIP/Network sections of the DoS profile only support single IP addresses, IP ranges, and FQDN.
Conditions:
DoS profile is configured and IP whitelist contains IP ranges, netmasks, or FQDN.
Impact:
- Some of the entries in the address whitelist may not be applied in the DoS profile.
- Confusing error messages
Workaround:
- For HTTP (DoSL7) section of the DoS profile, use only Single IP addresses, or IP network + netmask.
- For DNS/SIP/Network sections of the DoS profile, use only Single IP addresses, IP ranges, or FQDN.
746152 : Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column
Component: TMOS
Symptoms:
The DMA drop packet and byte registers (rqm_dma_drp_pkts and rqm_dma_drp_bytes in the tmm/hsbe2_internal_pde_ring table) can show huge numbers, which appear to be close to multiples of 4G (2^32). The count reported in the register from hsb_snapshot shows a very small number:
from tmm/hsbe2_internal_pde_ring
name active bus rqm_dma_drp_pkts rqm_dma_drp_bytes
---------------- ------ --- ---------------- -----------------
lbb0_pde1_ring2 1 2 17179869185 4398046511186
lbb0_pde1_ring3 1 2 8589934597 2199023256108
lbb0_pde2_ring0 1 2 0 0
lbb0_pde2_ring1 1 2 0 0
lbb0_pde2_ring2 1 2 8589934592 2199023255552
lbb0_pde2_ring3 1 2 0 0
lbb0_pde3_ring0 1 2 0 0
lbb0_pde3_ring1 1 2 0 0
lbb0_pde3_ring2 1 2 8589934592 2199023255552
lbb0_pde3_ring3 1 2 0 0
lbb0_pde4_ring0 1 2 0 0
lbb0_pde4_ring1 1 2 0 0
lbb0_pde4_ring2 1 2 8589934592 2199023255552
lbb0_pde4_ring3 1 2 0 0
lbb1_pde1_ring1 1 3 0 0
lbb1_pde1_ring2 1 3 4294967298 1099511627952
From hsb_snapshot for pde1's ring 0 to ring 3:
50430: 00000000 rqm_dma_drp_pkt_cnt_4
50530: 00000000 rqm_dma_drp_pkt_cnt_5
50630: 00000001 rqm_dma_drp_pkt_cnt_6
50730: 00000005 rqm_dma_drp_pkt_cnt_7
Conditions:
The register reads sometimes return a 0 value.
Impact:
The DMA drop stats are not accurate.
Workaround:
Restarting tmm resets the stats, but doing so disrupts traffic.
Fix:
Protection has been added to register reads to avoid occasional read errors.
746146 : AVRD can crash with core when disconnecting/reconnecting on HTTPS connection
Component: Application Security Manager
Symptoms:
AVRD crashes repeatedly when the BIG-IP system is configured to work with BIG-IQ.
Conditions:
-- BIG-IP system is connected to BIG-IQ.
-- Disconnecting/reconnecting on HTTPS connection.
Impact:
Statistics collection is unstable: some statistics data are lost during the avrd crash.
Workaround:
None.
Fix:
The object associated with the HTTPS connection was deleted before the last event on that connection arrived. Object deletion is now deferred, so this issue no longer occurs.
746137 : DNSSEC: Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds
Component: Global Traffic Manager (DNS)
Symptoms:
Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds even though the configuration appears to be the same on each GTM in the sync group. This lasts until another change is committed to the database (for example, creating a new unrelated object such as a gtm wideip).
Conditions:
The user creates a new DNSSEC Zone.
Impact:
gtmd may attempt to sync every 10 seconds until another configuration change is made.
Workaround:
If the user makes another unrelated configuration change, such as creating a gtm datacenter or wideip, the attempt to sync every 10 seconds stops.
746131 : OpenSSL Vulnerability: CVE-2018-0732
Component: Local Traffic Manager
Symptoms:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.
Conditions:
Advanced shell access.
Impact:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.
Workaround:
None.
Fix:
Updated to OpenSSL 1.0.2p
746078 : Upgrades break existing iRulesLX workspaces that use node version 6
Component: Local Traffic Manager
Symptoms:
When upgrading a BIG-IP with iRulesLX plugins, if those plugins are based on workspaces that use node version 6 (instead of version 0.12) they will fail to work properly after the upgrade once the plugin is reloaded from the workspace.
Errors like the following appear in /var/log/ltm:
Oct 5 06:37:12 B7200-R14-S36 info sdmd[17582]: 018e0017:6: pid[26853] plugin[/Common/test-jt-plugin.test-jt-extension] Starting the server.....jt...after upgrade...
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: Resuming log processing at this invocation; held 233 messages.
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] /var/sdm/plugin_store/plugins/:Common:test-jt-plugin_62858_3/extensions/test-jt-extension/node_modules/f5-nodejs/lib/ilx_server.js:30
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ILXServerWrap = process.binding('ILXServerWrap').ILXServerWrap;
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ^
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] Error: No such module: ILXServerWrap
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] at Error (native)
Conditions:
Upgrading a version of BIG-IP that is using iRulesLX that has a workspace based on node version 6. Later reloading the iRulesLX plugin from the workspace.
Impact:
The iRulesLX plugin no longer works.
Workaround:
- Navigate to the workspace folder on the BIG-IP (/var/ilx/workspaces/<partition>/<workspace name>).
- Make the file "node_version" writable (chmod +w node_version).
- Edit the node_version file: change "0.12" to "6".
- Save the node_version file.
- Make the file "node_version" read-only (chmod -w node_version).
- Reload the iRulesLX plugin from the workspace.
Fix:
Prevented the node version from getting reverted to default during an upgrade.
746077 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
Component: Local Traffic Manager
Symptoms:
DHCP-RELAY overwrites the 'giaddr' field containing a non-zero value. This violates RFC 1542.
Conditions:
DHCP-RELAY processing a message with the 'giaddr' field containing a non-zero value.
Impact:
RFC 1542 violation
Workaround:
None.
Fix:
DHCP-RELAY no longer overwrites the 'giaddr' field containing a non-zero value.
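The following added Python example (not BIG-IP code) contrasts the defective relay behaviour described above with the RFC 1542 rule: 'giaddr' is filled only when it is zero, so a request that has already crossed one relay keeps the address the server must reply to. The BOOTREQUEST, relay addresses and client MAC are constructed for the example.

```python
"""BOOTP/DHCP relay handling of the 'giaddr' field (RFC 1542 section 4.1.1).
Added example; the BOOTREQUEST below is constructed, not captured."""
import ipaddress
import struct

BOOTREQUEST = 1
OFF_OP, OFF_HOPS, OFF_GIADDR = 0, 3, 24    # fixed-format header offsets (RFC 951 / RFC 2131)
MAX_HOPS = 16                              # RFC 1542: discard requests whose hops exceeds 16
DHCP_MAGIC = b"\x63\x82\x53\x63"
ZERO_ADDR = bytes(4)


def build_bootrequest(xid, chaddr, giaddr="0.0.0.0", hops=0):
    """Constructed BOOTREQUEST carrying a DHCPDISCOVER option (53 = 1)."""
    # op, htype (1 = Ethernet), hlen, hops, xid, secs, flags (broadcast bit set)
    hdr = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, hops, xid, 0, 0x8000)
    hdr += ZERO_ADDR * 3                                        # ciaddr, yiaddr, siaddr
    hdr += ipaddress.IPv4Address(giaddr).packed
    hdr += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)   # chaddr, sname, file
    return hdr + DHCP_MAGIC + bytes([53, 1, 1, 255])


def giaddr_of(msg):
    return str(ipaddress.IPv4Address(bytes(msg[OFF_GIADDR:OFF_GIADDR + 4])))


def hops_of(msg):
    return msg[OFF_HOPS]


def relay_overwriting(msg, relay_ip):
    """The defective behaviour in 746077: giaddr is always replaced with the relay's
    own address. The server sends its reply to giaddr, so a request that already
    crossed another relay is answered to the wrong agent."""
    out = bytearray(msg)
    out[OFF_GIADDR:OFF_GIADDR + 4] = ipaddress.IPv4Address(relay_ip).packed
    out[OFF_HOPS] = min(out[OFF_HOPS] + 1, 255)
    return bytes(out)


def relay_rfc1542(msg, relay_ip):
    """RFC 1542 behaviour: fill giaddr only when it is zero, increment hops, and
    discard requests that have already been relayed more than MAX_HOPS times.
    Returns the relayed message, or None when it must be dropped."""
    if msg[OFF_OP] != BOOTREQUEST:
        return None                     # replies are delivered via giaddr, not relayed here
    if msg[OFF_HOPS] > MAX_HOPS:
        return None
    out = bytearray(msg)
    if out[OFF_GIADDR:OFF_GIADDR + 4] == ZERO_ADDR:
        out[OFF_GIADDR:OFF_GIADDR + 4] = ipaddress.IPv4Address(relay_ip).packed
    out[OFF_HOPS] += 1
    return bytes(out)


if __name__ == "__main__":
    # Constructed two-relay path: first relay 10.1.1.1, second relay 10.2.2.2.
    req = build_bootrequest(0x1234, b"\x00\x11\x22\x33\x44\x55")
    first = relay_rfc1542(req, "10.1.1.1")
    print("after relay 1:", giaddr_of(first), "hops", hops_of(first))
    print("RFC 1542 at relay 2:", giaddr_of(relay_rfc1542(first, "10.2.2.2")))
    print("defective at relay 2:", giaddr_of(relay_overwriting(first, "10.2.2.2")))
```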
745947 : Add log events for MRF SIP registration/deregistration and media flow creation/deletion
Component: Service Provider
Symptoms:
Generally only error conditions are logged for SIP. More logging is needed around SIP registration/deregistration, media flow creation/deletion, to help debug in the field.
Conditions:
log.mrsip.level is set to notice or above.
Impact:
Only error conditions are logged. Events helpful for debugging are not available in the logs.
Workaround:
There is no workaround at this time.
Fix:
Informational logging is now available for SIP registration/deregistration and media flow creation/deletion.
745912 : Improve WebRootKit alert details
Component: Fraud Protection Services
Symptoms:
WebRootKit alert is not informative in some cases.
Conditions:
A script overrides a native function and the native function toString.
Impact:
The overwritten native method toString looks like the real native toString in the alert.
Workaround:
There is no workaround.
745859 : DNSSEC: gtmd leaks memory when dnssec keys on a dnssec zone are auto-rolling
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd leaks memory every time an auto-rolling DNSSEC Key on a DNSSEC Zone expires or rolls-over.
Conditions:
Auto-rolling DNSSEC Keys are associated with a DNSSEC Zone.
Impact:
gtmd leaks memory every time an auto-rolling DNSSEC Key on a DNSSEC Zone expires or rolls-over.
Workaround:
The user can modify their DNSSEC Keys to be non-rolling/static dnssec keys. Also gtmd can be restarted to temporarily correct the memory leak. But this workaround is not recommended except during a scheduled maintenance window or unless traffic processing seems to be impacted by gtmd memory usage (unlikely scenario).
745851-1 : Changed Default Cloud-Init log level to INFO from DEBUG
Component: TMOS
Symptoms:
Cloud-Init services generate too many debug log lines that populate their systemd journal.
Conditions:
Any BIG-IP VE release with Cloud-Init enabled and using "systemd".
Impact:
The excessive debug log lines might cause the VE administrator to miss more important information and severe errors when reading the journal.
Workaround:
Manually change all Cloud-Init's log levels to INFO from DEBUG.
Fix:
Cloud-Init's log default levels have been changed to INFO from DEBUG.
745825 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
Component: TMOS
Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:
audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".
These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.
Conditions:
The audit_forwarder process is starting up and loading the configuration.
Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.
Workaround:
There is no workaround.
Fix:
The message has been modified to indicate that the configuration might still be loading, and it is now logged only once. A new message is logged when audit_forwarder becomes enabled.
745813 : Requests are reported to local log even if only Bot Defense remote log is configured
Component: Application Security Manager
Symptoms:
Requests are logged locally on the BIG-IP system when they are supposed to be sent only to the remote logger.
Conditions:
- Bot Defense profile attached to a virtual server.
- Bot Defense remote logger profile attached to a virtual server.
Impact:
Requests logged locally on the BIG-IP system when they are not supposed to be.
Workaround:
None.
Fix:
Logging profile filter mechanism now honors remote and local logging configurations.
745809-1 : The /var partition may become 100% full requiring manual intervention to clear space
Component: Advanced Firewall Manager
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free
Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk I/O to the partition.
Workaround:
This workaround is temporary: if the conditions of this bug are still met, it may need to be performed periodically, either manually or from a script. While these steps are performed, the BIG-IP REST API is temporarily inaccessible, and higher disk I/O may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
745802 : Brute Force CAPTCHA response page truncates last digit in the support id
Component: Application Security Manager
Symptoms:
The Brute Force CAPTCHA response page shown to an end user has a support ID whose last digit is truncated.
Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.
Impact:
The support ID presented to the end user does not match the one shown in the ASM logs.
Workaround:
There is no workaround at this time.
Fix:
The correct support ID is now shown in the CAPTCHA response page.
745783 : Anti-fraud: remote logging of login attempts
Component: Fraud Protection Services
Symptoms:
There is no support for logging of login attempts to a remote service.
Conditions:
Using high speed logging (HSL) to log login attempts.
Impact:
There is no support for logging of login attempts.
Workaround:
None.
Fix:
FPS now uses HSL to report login attempts using configured templates, rate-limit, and publisher to a remote service.
To enable this feature:
# via tmsh only
tmsh modify sys db antifraud.riskengine.reportlogins value enable
# via tmsh or GUI
tmsh modify sys db antifraud.internalconfig.string1 value "<login attempt log template>"
tmsh modify sys db antifraud.internalconfig.string2 value "<log-rate-exceeded log template>"
tmsh modify sys db antifraud.internalconfig.number1 value "<log-rate-exceeded threshold>"
tmsh modify security anti-fraud profile <fps profile> risk-engine-publisher <publisher>
It is recommended that you use encoding when composing an HTTP template. The default encoding level is 0, meaning 'never encode'.
To change encoding level:
tmsh modify sys db antifraud.internalconfig.number2 value <0/1/2>
Behavior Change:
FPS now includes the ability to perform High Speed Logging (HSL) of all login attempts to specific protected URLs. These events can be forwarded to remote services (e.g. SIEM Server), and, when enabled, can help indicate whether applications are under attack.
745715 : MRF SIP ALG now supports reading SDP from a mime multipart payload
Component: Service Provider
Symptoms:
Previously all non-SDP SIP payloads were ignored. This would cause media pinhole flows to not be created.
Conditions:
An INVITE message or its response contained a SDP section in a mime multipart payload.
Impact:
Media pinhole flows were not created.
Workaround:
None.
Fix:
The SIP ALG functions can now extract and process the SDP section of a mime multipart payload.
745713 : TMM may crash when processing HTTP/2 traffic
Solution Article: K94563344
745711 : GUI - SSL Certificate Instances section to include Monitor Instances
Component: TMOS
Symptoms:
The GUI SSL Certificate Instances section was enhanced to include Monitor Instances
Conditions:
Use SSL certificate and key in monitor instances.
Impact:
All monitors that reference a certificate are now visible, which makes certificate management easier.
Workaround:
None
Fix:
The GUI SSL Certificate Instances section now includes Monitor Instances.
745707 : Portal Access Web Page does not render properly
Component: Access Policy Manager
Symptoms:
Some of the Microsoft hosted cloud sites, including dynamics, use a logon process that goes through secure.aadcdn.microsoftonline-p.com. This might result in a number of different kinds of problems:
-- iOS devices do not send the MRHSession cookie, so are denied when requesting CSS and JavaScript.
-- Android devices might 'fail to load'.
Conditions:
Using Portal Access (PA) on a Microsoft-hosted cloud site.
Impact:
-- The PA Web Page does not load correctly.
-- Script errors appear on the browser console.
-- Intended functionality on the web page is not provided.
Workaround:
You can use an iRule to work around this.
Fix:
Portal Access Web Page now renders properly under these conditions.
745654 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
Component: Access Policy Manager
Symptoms:
When many TCP connections need a new Kerberos ticket fetched from the KDC, websso processes requests more slowly than they arrive. This can lead to low throughput and a virtual server that is very slow to respond to requests.
Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.
Impact:
Low throughput and slow responses from Virtual server.
Workaround:
There is no workaround at this time.
Fix:
The websso worker queue size has been increased so that tmm and websso can communicate effectively. This eliminates virtual server slowness and increases throughput.
745649 : Added comments which elaborated not to use any ACL that includes the reserved address range 127.10.x.x if multiple Views are defined.
Component: Global Traffic Manager (DNS)
Symptoms:
Based on ZoneRunner's design, each view has a unique client acl such as zrd-acl-000-xxx from 127.10.x.x address range. ZoneRunner communicates with bind using the unique IP address, so that bind knows which View ZoneRunner is querying for.
If using 'any' for a View's match-clients attribute, bind always returns information from that View, because 127.10.x.x also belongs to any.
Comments have been added to caution against using any ACL that includes the 127.10.x.x address range when the configuration needs to have multiple Views.
Conditions:
If 'any' is used for a View's match-clients attribute, bind always returns information from that View, because 127.10.x.x also belongs to any.
Impact:
Documentation enhancement. No direct impact.
Workaround:
Added comments which elaborated not to use any ACL that includes the reserved address range 127.10.x.x if multiple Views are defined.
Fix:
The comment section now provides a much clearer description when creating a new View.
745628 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a NOTIFY message has been processed.
Conditions:
This occurs because the NOTIFY message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
Fix:
Hairpin mode is no longer entered when processing NOTIFY messages.
745624 : Tooltips for OWASP Bot Categories and Anomalies were added
Component: Application Security Manager
Symptoms:
Tooltips for some OWASP Bot Categories and Anomalies are 'N/A' in GUI/REST.
Conditions:
- GUI page: Event Logs:: Bot Defense :: Bot Traffic.
- Bot classification is 'OWASP Automated Threat'.
Impact:
The tooltip shows 'N/A' instead of a detailed description, so you cannot see a detailed description of the bot classification of the traffic.
Workaround:
None.
Fix:
Tooltips for OWASP Bot Categories and Anomalies were added.
745607 : Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly
Component: Application Security Manager
Symptoms:
3 month/last year filters are not displayed correctly in the applied filter.
Conditions:
3 month/last year filter applied in Bot Defense : Bot Traffic.
Impact:
You cannot see which filter is currently applied.
Workaround:
None.
Fix:
3 month/last year filter is now displayed correctly in applied filter.
745590 : SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added
Component: Service Provider
Symptoms:
In MRF SIP ALG, the hairpin flag is part of the translation_details structure. Because a connection/translation might be used for multiple simultaneous calls, if any call is hairpinned, subsequent calls on the same connection will not translate SDP addresses.
Conditions:
-- A connection/translation using multiple simultaneous calls
-- A call is hairpinned.
Impact:
Subsequent calls on the same connection do not translate SDP addresses.
Workaround:
None.
Fix:
SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added.
745589 : In very rare situations, some filters may cause data-corruption.
Component: Local Traffic Manager
Symptoms:
In very rare situations, an internal data-moving function may cause corruption.
Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.
Conditions:
The affected filters are used, and some very rare situation occurs.
Impact:
This may cause silent data corruption, or a TMM crash.
Workaround:
There is no workaround at this time.
Fix:
The data-moving function has been fixed to correctly notify its callers about its behavior in rare situations.
745574 : URL is not removed from custom category when deleted
Component: Access Policy Manager
Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.
Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.
Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.
Workaround:
"bigstart restart tmm" will resolve the issue.
Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.
745533 : NodeJS Vulnerability: CVE-2016-5325
Component: Local Traffic Manager
Symptoms:
It was found that the reason argument in ServerResponse#writeHead() was not properly validated.
Conditions:
iRules LX is running on the BIG-IP system.
Impact:
A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.
Workaround:
N/A.
Fix:
NodeJS was updated to patch CVE-2016-5325.
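The defect behind CVE-2016-5325 is a reason phrase that is written into the status line without being checked for control characters. The following is an added Go example, not F5 or Node.js code, showing the validation a server should apply before it writes a caller-supplied reason phrase: RFC 7230 allows only HTAB, SP, VCHAR and obs-text, so CR and LF are rejected and the status line cannot be terminated early. The function names are this example's own.

```go
package main

import "fmt"

// validReasonPhrase implements RFC 7230 section 3.1.2:
//   reason-phrase = *( HTAB / SP / VCHAR / obs-text )
// CR, LF and other control bytes are never allowed, which is what stops a
// phrase taken from an untrusted source from ending the status line early
// and adding header lines of its own.
func validReasonPhrase(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '\t' || c == ' ':
		case c >= 0x21 && c <= 0x7E: // VCHAR
		case c >= 0x80: // obs-text
		default:
			return false // CR, LF, NUL and the remaining control bytes
		}
	}
	return true
}

// statusLine builds "HTTP/1.1 <code> <reason>\r\n" and refuses to emit an
// invalid phrase; a caller that needs a fallback should use a fixed phrase
// such as the registered one for the status code.
func statusLine(code int, reason string) (string, error) {
	if !validReasonPhrase(reason) {
		return "", fmt.Errorf("reason phrase for status %d contains a control character", code)
	}
	return fmt.Sprintf("HTTP/1.1 %d %s\r\n", code, reason), nil
}

func main() {
	for _, r := range []string{"OK", "OK\r\n"} {
		line, err := statusLine(200, r)
		fmt.Printf("%q -> %q err=%v\n", r, line, err)
	}
}
```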
745531 : Puffin Browser gets blocked by Bot Defense
Component: Application Security Manager
Symptoms:
Users using the Puffin Browser are blocked when accessing the Virtual Server when it is protected with either Proactive Bot Defense (within DoSL7 profile) or with the Bot Defense profile.
This applies to all versions of the Puffin Browser: Desktop, Android, iOS.
Conditions:
- Users using the Puffin Browser on Desktop, Android, iOS
- A Bot Defense profile, or a DoSL7 profile with Proactive Bot Defense, is used with the "Block Suspicious Browsers" checkbox enabled
Impact:
Users of the Puffin Browser cannot access the website
Workaround:
None
Fix:
Users of the Puffin Browser can now access the website that is protected by Bot Defense without getting blocked.
For the fix to be applied, both a BIG-IP release and an ASU that contain the fix must be installed. It is also recommended to set the following DB variables:
tmsh modify sys db dosl7.proactive_defense_validate_ip value disable
tmsh modify sys db dosl7.cs_validate_ip value disable
745514 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a SUBSCRIBE message has been processed.
Conditions:
This occurs because the SUBSCRIBE message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
Fix:
Hairpin mode is no longer entered when processing SUBSCRIBE messages.
745405-1 : Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover
Component: TMOS
Symptoms:
Under heavy SSL traffic, the software crypto codec queue is observed to be stuck and taken out of service, but no failover occurs.
Conditions:
Heavy SSL traffic
Impact:
Traffic is impacted and a large number of SSL handshakes to the BIG-IP are failing.
Workaround:
Increase crypto.queue.timeout to a much larger number (for example, from 100 to 500). Restart TMM for the change to take effect.
745404 : MRF SIP ALG does not reparse SDP payload if replaced
Component: Service Provider
Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.
Conditions:
This occurs internally while processing SDP in a SIP message.
Impact:
Changes to the SDP are ignored when creating media pinhole flows.
Workaround:
None.
Fix:
The SDP payload is now reparsed if modified or replaced.
745397 : Virtual server configured with FIX profile can leak memory.
Component: Service Provider
Symptoms:
System memory increases with each transmitted FIX message, eventually leading to a tmm crash.
Conditions:
-- Virtual server configured with a FIX profile.
-- FIX profile specifies a message-log-publisher.
Impact:
Memory leak. Specifically, in the xdata cache. Potential traffic disruption while tmm restarts.
Workaround:
If possible, discontinue use of message logging functionality. Removing the message-log-publisher from the FIX profile stops xdata growth.
745387 : Resource-admin user roles can no longer get bash access
Solution Article: K07702240
745371 : AFM GUI does not follow best security practices
Component: Advanced Firewall Manager
Symptoms:
AFM GUI does not follow best security practices.
Conditions:
AFM provisioned
Authenticated administrative user
Impact:
AFM GUI does not follow best security practices.
Workaround:
None.
Fix:
AFM GUI now follows best security practices.
745262 : Error encountered when performing a policy sync on an access profile of SSO type
Component: Access Policy Manager
Symptoms:
When performing a policy sync on an access profile of SSO type, it fails with an error message:
"PolicySyncMgr: Internal error while collecting objects for policy /Common/MySSOProf. Exception: PolicySyncMgr: MCP query queryallincludereferencetree failed for macros. Encountered MCP exception 01020036:3: The requested Access Policy (/Common/MySSOProf) was not found"
Conditions:
- Create an access profile of type SSO
- Start a policy sync on the profile
Impact:
The access profile cannot be synced to other devices.
Workaround:
No workaround.
Fix:
Access profiles of SSO type are no longer listed in the policy sync window, so the operation cannot be performed on this type of access profile.
745261 : The TMM process may crash in some tunnel cases
Component: TMOS
Symptoms:
When Direct Server Return (DSR) or asymmetric routing with a tunnel is deployed, the TMM process may crash.
Conditions:
There are two scenarios that may lead to this issue:
Scenario 1: DSR
- DSR is deployed.
Scenario 2: Asymmetric routing
- The sys db variable connection.vlankeyed is set to 'disable'.
- A VLAN and a tunnel are used to handle asymmetric routing.
Impact:
The TMM process crashes. Traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM process no longer crashes.
745257 : Linux kernel vulnerability: CVE-2018-14634
Solution Article: K20934447
745165 : Users without Advanced Shell Access are not allowed SFTP access
Solution Article: K38941195
745127 : If style attribute contains HTML entities, it may not be rewritten correctly on client side.
Component: Access Policy Manager
Symptoms:
Incorrect styling of the web application page; direct links to scc resources from the web application.
Conditions:
HTML entities within style attribute in some tags.
For example:
url('some.jpg')
Impact:
User experience may suffer.
Workaround:
A custom iRule can be used.
Fix:
The issue with html entities in style attribute is fixed.
745094 : ASM tsconfig log message misspellings
Component: Application Security Manager
Symptoms:
Errors logged in /var/log/asm:
Sep 19 19:57:10 f5-ha-ltm1 info tsconfig.pl[3955]: ASM initial configration script launched
Sep 19 19:57:25 f5-ha-ltm1 err tsconfig.pl[3955]: initial configuration script encountered a fatal error: Failed To Retrive Self Mac Address
First line: "configration" should be "configuration" (missing u).
Second line: "Retrive" should be "Retrieve" (missing second e).
Conditions:
ASM provisioned
Impact:
ASM tsconfig log messages are misspelled.
Workaround:
n/a
745035 : gtmd crash
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd crashes
Conditions:
This rarely occurs when an iQuery connection is abnormally terminated.
Impact:
Under rare circumstances, gtmd may crash and restart.
Workaround:
None
745027-3 : AVR is doing extra activity of DNS data collection even when it should not
Component: Application Visibility and Reporting
Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.
Conditions:
DNS Statistics collection or DNS-DoS is configured.
Impact:
avrd process is taking more CPU cycles for activity that is not needed. There is no impact to functionality.
Workaround:
None.
Fix:
The system no longer performs extra computation that is not needed in this case.
744959 : SNMP OID for sysLsnPoolStatTotal not incremented in stats
Component: Carrier-Grade NAT
Symptoms:
SNMP OID for sysLsnPoolStatTotal is not incremented in stats totals.
Conditions:
This affects all of the global port block allocation (PBA) counters.
Impact:
SNMP OID for sysLsnPoolStatTotal is not incremented when it should be. Stats are not accurate.
Workaround:
None.
Fix:
SNMP OID for sysLsnPoolStatTotal is now incremented in stats totals.
744949 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
Component: Service Provider
Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.
Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message has a different IP address than the request message.
Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.
Workaround:
There is no workaround at this time.
Fix:
The FROM header will now contain the client's IP address.
744922 : Traffic intelligence hitless upgrade uses load sys config
Component: Traffic Classification Engine
Symptoms:
Traffic intelligence (cec) uses load sys config on each hitless upgrade. This may cause configuration load to fail if the configuration has some errors, and hence virtual servers may go down.
Conditions:
When the system triggers manual or automatic hitless upgrade for traffic classification.
Impact:
System may go offline if the configuration has errors.
Workaround:
Disable automatic hitless upgrade for traffic intelligence.
Fix:
The hitless upgrade scripts were updated to avoid 'load sys config' while loading a new IM package. Now, IM loads only the new classification_update.conf file as part of the hitless upgrade.
744773 : The name of the ltmPoolMemberStatCurrentConnsPerSec statistic is confusing
Component: TMOS
Symptoms:
The ltmPoolMemberStatCurrentConnsPerSec statistic is maintained only when rate limiting is configured for the LTM pool member. The statistic records the last value when the rate limit was hit.
Conditions:
When accessing SNMP statistics for pool members, and viewing the values for CurrentConns.
Impact:
Values might be confusing when using SNMP to monitor LTM pool members.
Workaround:
None.
Fix:
The description text has been updated as follows:
snmptranslate -Td F5-BIGIP-LOCAL-MIB::ltmVirtualServStatCurrentConnsPerSec
snmptranslate -Td F5-BIGIP-LOCAL-MIB::ltmNodeAddrStatCurrentConnsPerSec
snmptranslate -Td F5-BIGIP-LOCAL-MIB::ltmPoolMemberStatCurrentConnsPerSec
744740 : After upgrade, dhclient overwrites configured hostname, even when 'sys management-dhcp' does not contain the 'host-name' in the request-options.★
Component: TMOS
Symptoms:
The configured hostname is overwritten by dhclient after upgrade.
Conditions:
-- DHCP enabled.
-- Custom hostname configured using the procedure described in K45728203: AWS generates the BIG-IP VE instance host name to include the host name's private IP address :: https://support.f5.com/csp/article/K45728203, instead of using the one provided by the DHCP server.
Impact:
Incorrect hostname assigned to the BIG-IP system.
Workaround:
Change the DHCP settings, and issue the following command to correct the name without losing connectivity to management:
# tmsh modify sys global-settings mgmt-dhcp disabled; tmsh modify sys global-settings mgmt-dhcp enabled
Fix:
Disable and reenable dhclient to fix the dhclient overwritten hostname after upgrade when 'sys management-dhcp' does not contain the 'host-name' in the request-options.
744730 : Specifying a larger system disk during VE launch requires manual reboot for the increase to go into effect
Component: TMOS
Symptoms:
A larger system disk size may be specified during VE launch. The larger disk is allocated, but VE cannot use the extra space initially; a manual reboot allows VE to use it. The desired behavior is for VE to reboot by itself.
Conditions:
This occurs when you launch VE with a larger system disk in the initial version of 14.1.
Impact:
BIG-IP cannot use the extra space
Workaround:
Reboot VE
Fix:
If a larger system disk size is specified during VE launch, it is allocated, but VE cannot use the extra space initially; a manual reboot allows VE to use it.
744707 : Fixed crash related to DNSSEC key rollover
Component: Global Traffic Manager (DNS)
Symptoms:
When the system is running out of memory, a DNSKEY rollover event can cause a tmm core dump.
Conditions:
System low/out of memory.
DNSKEY rollover event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
Fixed an issue in DNSSEC Key Rollover event that can cause a crash.
744686 : Wrong certificate can be chosen during SSL handshake
Component: Local Traffic Manager
Symptoms:
If two certificates of the same type are configured in an SSL profile, one marked 'usage CA' and the other not, the wrong one could be chosen during the handshake.
Conditions:
Two certificates of the same type are configured in an SSL profile.
Impact:
The wrong certificate could be chosen during the handshake.
Workaround:
Do not configure two certificates of the same type on an SSL profile.
744685 : BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
Component: Local Traffic Manager
Symptoms:
An intermediate CA certificate should be considered invalid if the certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension. The BIG-IP system does not enforce this.
Conditions:
The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.
Impact:
The system might unexpectedly accept the SSL connection while the peer is using an inappropriate certificate.
Workaround:
None.
Fix:
With this fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension.
Behavior Change:
When authenticating a peer's SSL certificate, the system requires a CA certificate to have the 'Basic Constraints' and 'CA:True' in its extension, like this:
X509v3 Basic Constraints: critical
CA:TRUE
If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the handshake if the peer's CA certificate does not satisfy this requirement.
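The check introduced by this fix can be reproduced outside the BIG-IP system. The following is an added Go example, not F5 code, that builds a constructed three-tier hierarchy with the standard library: a root, a proper intermediate, an intermediate that omits Basic Constraints entirely, and a leaf issued under each. basicConstraintsOK applies the rule stated above (the extension must be present, marked critical, and carry CA:TRUE), and verifyLeaf shows that standard path validation also refuses a chain through the intermediate that lacks the extension. Note that Go's own verifier does not require the critical flag; that stricter requirement is what basicConstraintsOK adds. All names (demoPKI, buildDemoPKI, basicConstraintsOK, verifyLeaf, the subject names) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidBasicConstraints is the X509v3 Basic Constraints extension (2.5.29.19).
var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

// basicConstraintsOK is the check the fix describes: a certificate may act as
// a CA only if Basic Constraints is present, marked critical, and CA:TRUE.
// Go's parser fills BasicConstraintsValid/IsCA; Critical comes from the raw extension.
func basicConstraintsOK(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidBasicConstraints) {
			return ext.Critical && c.BasicConstraintsValid && c.IsCA
		}
	}
	return false // extension absent: not a CA
}

type demoPKI struct{ root, goodInter, badInter, leafViaGood, leafViaBad *x509.Certificate }

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca { // emits "X509v3 Basic Constraints: critical" with CA:TRUE
		t.BasicConstraintsValid, t.IsCA, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// buildDemoPKI creates the constructed hierarchy: root, a proper intermediate,
// an intermediate that omits Basic Constraints, and a leaf issued by each.
func buildDemoPKI() *demoPKI {
	rootKey, goodKey, badKey, leafKey := mustKey(), mustKey(), mustKey(), mustKey()
	rootTmpl := template("Demo Root CA", 1, true)
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	goodInter := mustCert(template("Demo Intermediate CA", 2, true), root, &goodKey.PublicKey, rootKey)
	badTmpl := template("Demo Intermediate Without BC", 3, false)
	badTmpl.KeyUsage = x509.KeyUsageCertSign // may sign, but is not marked as a CA
	badInter := mustCert(badTmpl, root, &badKey.PublicKey, rootKey)
	leafTmpl := template("www.example.test", 4, false)
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return &demoPKI{root: root, goodInter: goodInter, badInter: badInter,
		leafViaGood: mustCert(leafTmpl, goodInter, &leafKey.PublicKey, goodKey),
		leafViaBad:  mustCert(leafTmpl, badInter, &leafKey.PublicKey, badKey)}
}

// verifyLeaf validates leaf -> inter -> root the way a peer-cert check would.
func verifyLeaf(root, inter, leaf *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func main() {
	p := buildDemoPKI()
	fmt.Println("good intermediate BC check:", basicConstraintsOK(p.goodInter), "chain:", verifyLeaf(p.root, p.goodInter, p.leafViaGood))
	fmt.Println("bad intermediate BC check: ", basicConstraintsOK(p.badInter), "chain:", verifyLeaf(p.root, p.badInter, p.leafViaBad))
}
```

With peer-cert-mode set to require and untrusted-cert-response-control set to drop, the second case is the one the fixed system now rejects at the handshake; before the fix it was accepted.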
744595 : DoS-related reports might not contain some of the activity that took place
Component: Application Visibility and Reporting
Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.
Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.
Impact:
DoS related reports might not contain some of the activity that takes place.
Workaround:
None.
Fix:
The issue was fixed; all telemetry data is now collected without errors.
744589 : Missing data for Firewall Events Statistics
Component: Application Visibility and Reporting
Symptoms:
Some of the statistical information collected for Firewall events is lost and not reported.
When this is taking place, the following message appears in the avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded
Conditions:
AFM is used. There is no particular condition that leads to losing some of the stats; it usually takes place under heavy activity.
Impact:
Statistical reports of Firewall Events are missing some of the activity that actually took place.
Workaround:
There is no workaround at this time.
Fix:
Issue with missing data was fixed.
744520 : Virtual server with PEM profile drops traffic received from Vxlan-GRE tunnel interface
Component: TMOS
Symptoms:
A virtual server with a PEM profile drops traffic received from a Vxlan-GRE tunnel interface.
Conditions:
Virtual server with a PEM profile and a Vxlan-GRE tunnel interface.
Impact:
Traffic drop.
Workaround:
There is no workaround.
744516 : TMM panics after a large number of LSN remote picks
Component: Carrier-Grade NAT
Symptoms:
TMM panics with the assertion "nexthop ref valid" failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.
Conditions:
An LSN pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.
Impact:
TMM restarts. Traffic is interrupted.
Workaround:
There is no workaround.
Fix:
TMM no longer panics regardless of the number of remote picks.
744407 : After the client has closed, an iRule function should not try to check on a closed session
Component: Access Policy Manager
Symptoms:
tmm cores. System posts a message:
access::session exists is used during CLIENT_CLOSED iRule event.
Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'access::session exists' command is used inside the iRule event CLIENT_CLOSED.
Impact:
tmm may core. Traffic disrupted while tmm restarts.
Workaround:
Do not use the iRule command 'access::session exists' inside CLIENT_CLOSED.
Fix:
Command execution of 'access::session exists' is now prevented in the iRule event CLIENT_CLOSED.
744347 : Protocol Security logging profiles cause slow ASM upgrade and apply policy
Component: Application Security Manager
Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.
Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.
Impact:
ASM upgrade and apply policy are delayed.
Workaround:
There is no workaround at this time.
744275 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}
Fix:
This release always clears the Mandatory bit for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.
744252 : BGP route map community value: either component cannot be set to 65535
Component: TMOS
Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.
Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.
Impact:
Unable to use the full range of BGP route map community values.
Workaround:
There is no workaround at this time.
Fix:
This release allows the usage of 65535 for either (or both) BGP route map community values.
744236 : SNMP MIBs and docs are included in two RPMs
Component: TMOS
Symptoms:
The BIG-IP .iso file includes both 32-bit and 64-bit versions of net-snmp (the alert daemon uses 32-bit and the snmp daemon uses 64-bit). Both the net-snmp-libs x86_64 and i686 RPMs include the MIBs and the docs.
Conditions:
Viewing the SNMP MIBs and docs in the RPMs.
Impact:
There is no functional impact. net-snmp documentation is provided by two files when it should be provided by just one.
Workaround:
None.
Fix:
SNMP MIBs and docs are included in only one RPM now.
744226 : DoSL7-related logs are not throttled
Component: Application Security Manager
Symptoms:
The tmm log has lots of DoSL7-related messages.
Conditions:
The system encounters a condition that may lead to notice messages.
Impact:
tmm log is flooding with messages.
Workaround:
None.
Fix:
The DoSL7 module no longer floods the tmm log.
744210 : DHCPv6 does not have the ability to override the hop limit from the client.
Component: Local Traffic Manager
Symptoms:
A DHCPv6 packet may be dropped by a device after the DHCP relay if the client-provided hop limit is 1.
Conditions:
DHCPv6 Relay configured on the BIG-IP.
Impact:
Loss of DHCPv6 service.
Workaround:
There is no workaround at this time.
Fix:
A configurable hop limit override is now provided for client-sent DHCPv6 packets.
744188-2 : First successful auth iControl REST requests will now be logged in audit and secure log files
Component: TMOS
Symptoms:
Previously, a client's first successful REST request was not logged; only subsequent REST calls, or initial failed REST calls from a client, were logged.
Conditions:
Making a successfully authenticated initial REST request from a new client to BIG-IP.
Impact:
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.
Workaround:
None.
Fix:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Here is an example of what appears in the audit log:
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Here is an example of what appears in the secure log:
-- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Subsequent REST calls will continue to be logged normally.
Behavior Change:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Subsequent REST calls will continue to be logged normally.
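The value of this change for a defender is that a previously unseen client's first successful REST authentication now leaves a record. The following is an added Go example, not F5 code, that parses the httpd(pam_audit) records in the shape quoted above and reports each user@host pair the first time it authenticates successfully, which is the event a monitoring rule would alert on. The log lines are constructed for the example (the hosts 198.51.100.5 and the sshd line are made up; the field layout follows the entries above), and parsePAMAudit, newClients and sampleLog are this example's own names.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// pamAuditRe extracts the fields of the httpd(pam_audit) record written to
// /var/log/audit and /var/log/secure on a successful REST authentication.
// The lazy ".*?" skips the "01070417:6: AUDIT - user X - RAW: ..." prefix that
// the audit-log variant carries and the secure-log variant does not.
var pamAuditRe = regexp.MustCompile(
	`httpd\(pam_audit\)\[\d+\]: .*?user=([^\s(]+)\([^)]*\) partition=\[([^\]]*)\] level=(\S+) tty=\S+ host=(\S+) attempts=(\d+)`)

type RESTAuth struct {
	User, Partition, Level, Host string
	Attempts                     int
}

// parsePAMAudit returns the parsed record and true, or false for any other line.
func parsePAMAudit(line string) (RESTAuth, bool) {
	m := pamAuditRe.FindStringSubmatch(line)
	if m == nil {
		return RESTAuth{}, false
	}
	attempts, _ := strconv.Atoi(m[5]) // guaranteed numeric by the pattern
	return RESTAuth{User: m[1], Partition: m[2], Level: m[3], Host: m[4], Attempts: attempts}, true
}

// newClients returns, in log order, each user@host pair the first time it
// authenticates successfully; later records for a known pair are suppressed.
func newClients(lines []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, l := range lines {
		a, ok := parsePAMAudit(l)
		if !ok {
			continue
		}
		key := a.User + "@" + a.Host
		if !seen[key] {
			seen[key] = true
			out = append(out, key)
		}
	}
	return out
}

// sampleLog is constructed for this example, shaped like the entries quoted in the release note.
var sampleLog = []string{
	`Oct 12 17:07:53 bigip1 info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".`,
	`Oct 12 17:07:54 bigip1 info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:54 2018" end="Fri Oct 12 17:07:54 2018".`,
	`Oct 12 17:08:10 bigip1 notice sshd[1234]: constructed unrelated line that must be ignored`,
	`Oct 12 17:09:01 bigip1 info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=198.51.100.5 attempts=1 start="Fri Oct 12 17:09:01 2018" end="Fri Oct 12 17:09:01 2018".`,
}

func main() {
	for _, c := range newClients(sampleLog) {
		fmt.Println("first successful REST authentication from", c)
	}
}
```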
744183 : VMware Horizon HTML5 client launch results in certificate mismatch warning
Component: Access Policy Manager
Symptoms:
VMware Horizon HTML5 client launch from APM Webtop results in certificate mismatch warning, as browser is redirected to IP address instead of host name due to use of "view.proxy_addr" session variable.
Conditions:
VMware Horizon HTML5 client is used.
"view.proxy_addr" session variable is set to external IP address.
Impact:
Certificate mismatch warning is shown.
Workaround:
Unset the "view.proxy_addr" session variable; it is required only for PCoIP clients, and the HTML5 client uses the Blast protocol.
Fix:
The "view.proxy_addr" session variable is now ignored for the Blast protocol, which lets the VMware Horizon HTML5 client launch without warnings, even when this session variable is configured.
743961-1 : Signature Overrides for Content Profiles do not work after signature update
Component: Application Security Manager
Symptoms:
JSON profile signature override does not include legacy signature after Automatic Signature Update (ASU).
Conditions:
A signature override on a content profile, followed by an ASU with a major update to the targeted signature.
Impact:
-- Unexpected block on a previously white-listed signature.
-- Confusing logging for why the signature was blocked (should indicate it was due to using an old signature version).
Workaround:
-- Create the signature override at higher context, e.g., the URL. Removing the URL context override again keeps it fixed.
-- Enforce the new version of the signature globally.
Fix:
Signature Overrides for Content Profiles now work after signature update.
743954 : QOE module is deprecated and upgrade causes QOE config to be removed★
Component: Policy Enforcement Manager
Symptoms:
When upgrade happens to 15.0.0, some QOE related configuration will be removed.
1. Virtual server will not have QOE profile and QOE iRule.
2. PEM rule will not have QOE reporting.
Conditions:
When upgrade happens to 15.0.0, some QOE related configuration will be removed.
Impact:
QOE reporting and iRules will not work as intended.
Fix:
QOE-related configuration is removed, and the following warnings are logged in the ltm log file to inform the user of the change in configuration:
1. Virtual Server containing QOE profile and iRule:
Removing QOE profile (<ProfileName>) from the virtual server (<VirtualServerName>) because QOE module is deprecated.
The ltm rule (<iRuleName>) assigned to the virtual server (<VirtualServerName>) contains at least one 'QOE::*' command. Detaching ltm rule from virtual server because QOE module is deprecated.
2. PEM rule containing QOE reporting:
PEM Rule '<PEMRuleName>' : Disabling QOE reporting action because QOE module is deprecated.
743900 : Custom DIAMETER monitor requests do not have their 'request' flag set
Component: Local Traffic Manager
Symptoms:
Using the technique detailed in the Article: K14536: Customizing the BIG-IP Diameter monitor https://support.f5.com/csp/article/K14536 to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.
Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.
Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server treats the message as a response.
Workaround:
None.
Fix:
Ensured that the 'request' flag is set for all DIAMETER monitor requests.
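Both 744275 (Mandatory bit always set on the Product-Name AVP in a CER) and this entry (the 'request' flag left clear for numeric command codes) come down to single bits in the DIAMETER wire format. The following is an added Go example, not F5 code, that encodes and decodes the RFC 6733 message header and AVP layout: the 20-byte header with its command flags (R = 0x80) and 3-byte length and command-code fields, and the AVP header with its flags (V = 0x80, M = 0x40), 3-byte length and 4-octet padding. buildCER produces a Capabilities-Exchange-Request with R set and the Product-Name AVP (code 269) with M cleared, which is the behavior after both fixes, and Decode checks every length so a truncated or malformed message is rejected. The Origin-Host value and all function names are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	flagRequest    = 0x80 // command flag R: set on requests, clear on answers
	avpVendor      = 0x80 // AVP flag V: a 4-byte Vendor-ID precedes the data
	avpMandatory   = 0x40 // AVP flag M: the receiver must understand the AVP or reject the message
	cmdCER         = 257  // Capabilities-Exchange command code
	avpOriginHost  = 264
	avpProductName = 269
)

type AVP struct {
	Code      uint32
	Mandatory bool
	Data      []byte
}

type Message struct {
	Request bool
	Code    uint32
	AVPs    []AVP
}

func put24(b []byte, v int) { b[0], b[1], b[2] = byte(v>>16), byte(v>>8), byte(v) }
func get24(b []byte) int { return int(b[0])<<16 | int(b[1])<<8 | int(b[2]) }

// encodeAVP writes code, flags, 3-byte length and data padded to 4 octets.
// The length field covers header plus data, not the padding.
func encodeAVP(a AVP) []byte {
	l := 8 + len(a.Data)
	buf := make([]byte, (l+3)&^3)
	binary.BigEndian.PutUint32(buf[0:4], a.Code)
	if a.Mandatory {
		buf[4] = avpMandatory
	}
	put24(buf[5:8], l)
	copy(buf[8:], a.Data)
	return buf
}

// Encode emits the 20-byte header (version 1, Application-ID 0) and the AVPs.
func (m Message) Encode(hopByHop, endToEnd uint32) []byte {
	var body []byte
	for _, a := range m.AVPs {
		body = append(body, encodeAVP(a)...)
	}
	hdr := make([]byte, 20)
	hdr[0] = 1
	put24(hdr[1:4], 20+len(body))
	if m.Request {
		hdr[4] = flagRequest
	}
	put24(hdr[5:8], int(m.Code))
	binary.BigEndian.PutUint32(hdr[12:16], hopByHop)
	binary.BigEndian.PutUint32(hdr[16:20], endToEnd)
	return append(hdr, body...)
}

// Decode parses the header and AVPs, validating each length field first.
func Decode(b []byte) (Message, error) {
	var m Message
	if len(b) < 20 || b[0] != 1 || get24(b[1:4]) != len(b) {
		return m, errors.New("bad diameter header")
	}
	m.Request = b[4]&flagRequest != 0
	m.Code = uint32(get24(b[5:8]))
	for off := 20; off < len(b); {
		if len(b)-off < 8 {
			return m, errors.New("truncated AVP header")
		}
		flags, l, dataStart := b[off+4], get24(b[off+5:off+8]), off+8
		if flags&avpVendor != 0 {
			dataStart += 4
		}
		if off+l > len(b) || l < dataStart-off {
			return m, errors.New("bad AVP length")
		}
		m.AVPs = append(m.AVPs, AVP{
			Code:      binary.BigEndian.Uint32(b[off : off+4]),
			Mandatory: flags&avpMandatory != 0,
			Data:      append([]byte(nil), b[dataStart:off+l]...),
		})
		off += (l + 3) &^ 3 // skip the padding
	}
	return m, nil
}

// buildCER constructs a CER with R set and Product-Name sent without M.
func buildCER() []byte {
	return Message{Request: true, Code: cmdCER, AVPs: []AVP{
		{Code: avpOriginHost, Mandatory: true, Data: []byte("bigip.example.test")},
		{Code: avpProductName, Mandatory: false, Data: []byte("BIG-IP")},
	}}.Encode(1, 1)
}

func main() {
	m, err := Decode(buildCER())
	fmt.Printf("request=%v code=%d avps=%+v err=%v\n", m.Request, m.Code, m.AVPs, err)
}
```

The iRule workaround shown under 744275 ('DIAMETER::avp flags set 269 0') clears this same M bit (0x40) on AVP 269 before the CER leaves the system.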
743815 : vCMP guest observes connflow reset when a CMP state change occurs.
Component: TMOS
Symptoms:
There is a connflow reset when a CMP state change occurs on a vCMP guest. The system posts log messages similar to the following: CMP Forwarder expiration.
Conditions:
-- vCMP configured.
-- Associated virtual server has a FastL4 profile with loose init and loose close enabled.
Impact:
This might interrupt a long-lived flow and eventually cause an outage.
Workaround:
None.
Fix:
The system now drops the connflow instead of resetting it.
743471 : PEM Gx/Sd session will support Redirect-Information AVP with URL address type and enforce HTTP Redirect
Component: Policy Enforcement Manager
Symptoms:
The HTTP Redirect action needs to be enforced when a Redirect-Information AVP with URL address type is received via the Gx/Sd interface.
Conditions:
When Redirect-Information AVP with URL address type is received via Gx/Sd interface
Impact:
The HTTP Redirect action needs to be applied.
Workaround:
None
Fix:
PEM now supports the Redirect-Information AVP with URL address type and enforces the HTTP redirect action.
Behavior Change:
For a Gx/Sd session, if a dynamic rule with a Redirect-Information AVP of type URL address is received, PEM enforces the HTTP Redirect action.
743437 : Portal Access: Issue with long 'data:' URL
Component: Access Policy Manager
Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.
Conditions:
HTML page with a very long 'data:' URL similar to the following example:
data:image/png;base64,...
Such URLs might be several megabytes long.
Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.
Workaround:
There is no workaround at this time.
Fix:
Now Portal Access handles very long 'data:' URLs correctly.
743346 : External references in XML Profiles are not retrieved via defined HTTP proxy
Component: Application Security Manager
Symptoms:
Externally referenced XML schema files in an XML profile cannot be retrieved using a defined HTTP proxy.
Conditions:
-- An XML profile has externally referenced XML schema files.
-- Outbound access from the device is only available using an HTTP proxy.
Impact:
The XML profile cannot be saved or enforced.
Workaround:
As a workaround, the externally referenced files can be uploaded to the XML profile with the appropriate Import URL.
743257 : Fix block size insecurity init and assign
Component: Local Traffic Manager
Symptoms:
After an HA failover the block size insecurity checks were creating conditions for an infinite loop. This causes tmm to be killed by sod daemon via SIGABRT.
Conditions:
Rare; not reproducible.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
The init and assign of block size insecurity were modified and debug checks added. A possible loop condition in ssl renegotiation was removed.
743150 : Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client
Component: Access Policy Manager
Symptoms:
During OAuth token processing for OAuth Client, if the timestamp is set to a value greater than INT32_MAX (2147483647), the BIG-IP system posts an error message, but the error is not descriptive enough to assist in troubleshooting. The error message appears similar to the following:
err apmd[14229]: 01490290:3: /Internet/Oauth_OpenAM_Preprod:Internet:46ea50d9:/Internet/server_act_oauth_client_ag: OAuth Client: failed for server '/Internet/server1' using 'authorization_code' grant type (client_id=oidc), error: stoi
Conditions:
-- OAuth token processing for OAuth Client.
-- Timestamp value greater than INT32_MAX.
Impact:
The APM end user is not granted access because the policy does not complete successfully.
Workaround:
None.
Fix:
The maximum allowed timestamp is increased from INT32_MAX (2147483647) to 6249223209600, and now includes more descriptive error messages for better troubleshooting when the BIG-IP system receives invalid timestamps.
742852 : Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header
Component: Application Security Manager
Symptoms:
Bot defense blocks a request containing a TSPD101 cookie in query string. TSPD101 is sent when using the Safari browser, and cross-site redirect protection is applied on a request.
Conditions:
- ASM provisioned.
- Bot Defense profile attached to a virtual server.
- Cross-site redirection is applied on a request.
- Using the Safari browser.
Impact:
Cross-site requests are blocked during the grace period configured on the bot defense profile.
Workaround:
Disable browser verification in the bot defense profile.
Fix:
Cross-site redirect protection now works as expected when cookie is sent via query string.
742838 : A draft policy of an existing published policy cannot be modified if it is in /Common and used by a virtual server in a different partition
Component: Local Traffic Manager
Symptoms:
If you have a published policy in /Common that is in use by a virtual server in a different partition, if you try to create and modify a draft of the existing policy, you will get an error like this:
"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"
This happens in both the GUI and TMSH.
Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.
Impact:
Inability to edit the published policy.
Workaround:
None.
742829 : SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0
Component: Service Provider
Symptoms:
The BIG-IP system incorrectly handles SDP media ports. The UAC sends an SDP message body advertising that it can handle voice, text, and video. The UAS responds advertising voice and text, and indicates that video is not desired by setting the video port to '0'. The BIG-IP system does not honor the fact that the UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.
Conditions:
RTP media port defined in the SIP message is set to 0.
Impact:
Improper media channel creation.
Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.
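The rule an ALG has to apply here is the one from the SDP offer/answer model: a media line answered with port 0 is a rejected stream, so it must not be translated and no pinhole should be opened for it. The following is an added Go example, not F5 code, that parses the "m=" lines of an SDP body, flags rejected streams, and returns only the streams for which an ALG should allocate a translated port. The SDP answer is constructed for the example (the UAS accepts audio and text and rejects video, mirroring the symptom above); parseSDP, activeStreams, Media and sampleAnswer are this example's own names.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Media is one SDP "m=" line: m=<media> <port>[/<count>] <proto> <fmt> ...
type Media struct {
	Type  string
	Port  int
	Proto string
	Fmts  []string
}

// Rejected reports whether the answerer declined this stream (port 0).
func (m Media) Rejected() bool { return m.Port == 0 }

// parseSDP extracts the media descriptions from an SDP body and rejects a
// malformed m= line rather than guessing at it.
func parseSDP(body string) ([]Media, error) {
	var out []Media
	for _, line := range strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n") {
		if !strings.HasPrefix(line, "m=") {
			continue
		}
		f := strings.Fields(line[2:])
		if len(f) < 4 {
			return nil, errors.New("malformed m= line: " + line)
		}
		portPart := strings.SplitN(f[1], "/", 2)[0] // drop an optional /<number of ports>
		port, err := strconv.Atoi(portPart)
		if err != nil || port < 0 || port > 65535 {
			return nil, errors.New("bad port in m= line: " + line)
		}
		out = append(out, Media{Type: f[0], Port: port, Proto: f[2], Fmts: f[3:]})
	}
	return out, nil
}

// activeStreams returns only the streams for which an ALG should allocate a
// translated port and a media pinhole. A rejected stream must stay at port 0
// in the rewritten SDP; translating it is the defect described above.
func activeStreams(ms []Media) []Media {
	var out []Media
	for _, m := range ms {
		if !m.Rejected() {
			out = append(out, m)
		}
	}
	return out
}

// sampleAnswer is a constructed SDP answer: audio and text accepted, video rejected.
const sampleAnswer = "v=0\r\n" +
	"o=uas 2890844526 2890844527 IN IP4 192.0.2.20\r\n" +
	"s=-\r\n" +
	"c=IN IP4 192.0.2.20\r\n" +
	"t=0 0\r\n" +
	"m=audio 49170 RTP/AVP 0\r\n" +
	"m=text 50000 RTP/AVP 98\r\n" +
	"a=rtpmap:98 t140/1000\r\n" +
	"m=video 0 RTP/AVP 31\r\n"

func main() {
	ms, err := parseSDP(sampleAnswer)
	if err != nil {
		panic(err)
	}
	for _, m := range ms {
		fmt.Printf("%-5s port %-5d rejected=%v\n", m.Type, m.Port, m.Rejected())
	}
	fmt.Println("streams needing pinholes:", len(activeStreams(ms)))
}
```

If the iRule workaround above removes the port-0 media lines instead, the Content-Length of the SIP message must be recomputed from the rewritten body, which is the second half of that workaround.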
742754 : EDI alert on autofill of multiple fields
Component: Fraud Protection Services
Symptoms:
When the browser autofills more than one EDI-protected field, a false-positive alert is triggered.
Conditions:
Multiple input fields are protected with EDI.
Impact:
A false-positive EDI alert is thrown.
Workaround:
N/A
Fix:
Support for multiple-field autofill was added to the JS engine.
742668 : Origin header is not reconstructed after Bot defense challenge
Component: Application Security Manager
Symptoms:
Origin header is not reconstructed after Bot defense challenge. It is shown as 'null' after cross site redirect, and is incorrect after browser or device ID challenge.
Conditions:
- Bot defense profile is attached to a virtual server.
- Origin header is present in POST request.
- Cross site redirect, Browser, or DID challenge during POST request.
Impact:
Servers might block requests from unknown origins.
Workaround:
None
Fix:
Origin header is now correctly reconstructed after Bot challenge
742558 : Request Log export document fails to show some UTF-8 characters
Component: Application Security Manager
Symptoms:
After exporting an ASM security event log, the log file exists but the characters are not visible.
Conditions:
Decoding of UTF-8 characters fails in Request Log export for a small range of characters.
Impact:
The contents of the log are not human readable.
Workaround:
None.
Fix:
Request Log export document now shows UTF-8 characters correctly.
742251 : Add Alibaba Cloud support to Qkview
Component: TMOS
Symptoms:
Qkview has been updated to support obtaining files relevant to the Alibaba Cloud.
Conditions:
Run Qkview.
Impact:
Files related to the Alibaba Cloud were not collected.
Workaround:
None
Fix:
Files related to Alibaba Cloud are now collected.
742237 : CPU spikes appear wider than actual in graphs
Component: Local Traffic Manager
Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.
Conditions:
CPU usage has spikes.
Impact:
Graphs of CPU spikes appear to last longer than they actually last.
Workaround:
Perform the following procedure:
1. Run the following command to record the 5-second average rather than the 1-second average:
sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf
2. Restart statsd to load the new configuration:
bigstart restart statsd
Fix:
CPU samples for graphs are averaged over longer time to more closely represent actual time between samples.
742226 : TMSH platform_check utility does not follow best security practices
Component: TMOS
Symptoms:
No functional issues.
Conditions:
TMSH access to the platform_check command
Impact:
None.
Workaround:
None.
Fix:
Security violation removed
742184 : TMM memory leak
Component: Local Traffic Manager
Symptoms:
-- High TMM memory utilization;
-- Aggressive sweeper activated;
-- The 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.
Conditions:
A FastL4 profile and an L7 profile (e.g., HTTP) are assigned to the same virtual server.
Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.
Workaround:
Do not add an L7 profile to a FastL4 virtual server.
Fix:
No memory leak in the TMM.
742171 : /32 self IP addresses display an invalid mask
Component: TMOS
Symptoms:
The TMOS routing table (show net route) displays an invalid mask for self IPs configured with a /32 or /128 bitmask.
Conditions:
Self IPs are configured with an address that has a /32 or /128 bitmask.
Impact:
Routing table displays an invalid mask.
Workaround:
There is no workaround
742120 : MCPd crash seen during load sys config
Component: Advanced Firewall Manager
Symptoms:
If the system is gathering IP intelligence category stats (e.g., by issuing the following command: show security ip-intelligence global-policy ip-intelligence-categories) and simultaneously you issue the command 'load sys config', MCPd might crash while fetching the stats.
Conditions:
-- IP intelligence category stats are being fetched.
-- The command 'load sys config' is executed.
Impact:
MCPd restarts. Traffic is disrupted while the daemon restarts.
Workaround:
There is no workaround other than not gathering IP intelligence category stats while the load sys config operation is being performed.
Fix:
MCPd no longer crashes during load sys config while the system is gathering IP intelligence category stats.
742095 : False positive in SFTP policy enforcement
Component: Advanced Firewall Manager
Symptoms:
In some rare cases, SFTP policy enforcement may detect a false positive. This will only have an effect if the SSH Proxy profile in place has actions in place for SFTP enforcement.
Conditions:
SFTP file transfers.
Impact:
Either a disconnect to the user, a log being generated, or no effect at all, depending on the SSH Proxy profile.
Workaround:
N/A
Fix:
N/A
742080 : do not count resumed connections against SSL TPS
Component: Local Traffic Manager
Symptoms:
The SSL TPS limit is based on the time complexity of the operations needed to create a new session. A resumed session does not have this complexity, and therefore should not count against the licensed TPS limit.
Conditions:
SSL is licensed with a limit other than 'unlimited'.
Impact:
Not as many new SSL connections/second as expected.
Workaround:
There is no workaround
Fix:
Resumed SSL sessions no longer count against the TPS limit.
742078 : Incoming SYNs are dropped and the connection does not time out.
Component: Local Traffic Manager
Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.
Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.
Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.
Workaround:
There is no workaround.
741967-1 : APM custom report with Active field fails on vCMP
Component: Access Policy Manager
Symptoms:
An APM custom report that includes the Active field fails to run on a vCMP platform.
Conditions:
1. Create an APM custom report (Access :: Overview :: Access Reports; click the 'Custom Reports' panel, then 'Create'. Select fields for the report, making sure to check 'Active' under 'Session').
2. Run the report.
Impact:
Unable to run the report with the specific field.
Workaround:
There is no workaround at this time.
Fix:
Admins can now run APM custom reports that include the Active field on vCMP without problems.
741951 : Multiple extensions in SIP NOTIFY request cause message to be dropped.
Component: Service Provider
Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.
Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.
Impact:
NOTIFY message is not forwarded.
Workaround:
None.
Fix:
Improved SIP URI parser now correctly handles multiple extensions in a URI.
741869 : Enable SysDb variable 'Connection.VgL2Transparent' prior to operating the BIG-IP in L2 transparent mode using VLAN groups.
Component: Local Traffic Manager
Symptoms:
Traffic is not passed across the VLAN group.
Conditions:
BIG-IP system configured to operate in L2 transparent mode using VLAN groups.
Impact:
Packets are not forwarded.
Workaround:
Configure a transparent next hop on the virtual server.
Fix:
SysDb variable 'Connection.VgL2Transparent' has been added to enable this functionality.
Behavior Change:
A new SysDb variable called 'Connection.VgL2Transparent' has been added. Enabling it turns on L2 transparent forwarding in a VLAN group without requiring a transparent next hop to be configured on the virtual server.
Usage:
tmsh modify sys db Connection.VgL2Transparent value <enable|disable>
It is disabled by default, and needs to be set prior to configuring the VLAN group.
741449 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
Component: Fraud Protection Services
Symptoms:
A JAVASCRIPT_THRESHOLD alert should contain two timestamps:
1. The component-validation cookie timestamp (set on cookie creation).
2. The current BIG-IP timestamp.
Currently, these timestamps are not available in the alert details.
Conditions:
A JAVASCRIPT_THRESHOLD alert is triggered.
Impact:
It is impossible to analyze the alert without the timestamps.
Workaround:
There is no workaround at this time.
Fix:
FPS now always includes both timestamps when triggering the JAVASCRIPT_THRESHOLD alert.
741248 : ANTIFRAUD::disable may stall the connection
Component: Fraud Protection Services
Symptoms:
ANTIFRAUD::disable may stall the connection if FPS self-responds to the first request (FPS fictive URL).
Conditions:
-- ANTIFRAUD::disable is called for a request that follows a request for which FPS self-responds (a fictive URL: js engine, js config, etc.).
-- The fictive request was the first request on this connection.
-- Connection is keep-alive.
Impact:
Connection is stalled.
Workaround:
Use the following iRule:
when HTTP_REQUEST {
    # Record the request path on this connection so the response event can see it.
    set URI [HTTP::path]
    # Disable FPS for the configured URL (note the '$' needed to read the variable).
    if { $URI eq "<DISABLE_URL>" } {
        ANTIFRAUD::disable
    }
}
when HTTP_RESPONSE_RELEASE {
    # If the request was one FPS answered itself (a fictive URL), close the
    # keep-alive connection so the next request starts on a fresh connection.
    if { [info exists URI] && $URI eq "<FICTIVE_URL>" } {
        HTTP::close
    }
}
Fix:
FPS now closes the connection when it responds to the client directly and the corresponding request is the first one on the connection.
741163 : RHEL7: Kernel CVE-2018-3693
Solution Article: K54252492
741113 : Removing 'Check Member Attribute in Group' option from ClientCert LDAP Authentication
Component: TMOS
Symptoms:
The 'Check Member Attribute in Group' option wrongly appears under System :: Users : Authentication : Change : ClientCert LDAP, even though it is not used at all during this type of authentication.
Conditions:
1. Navigate to System :: Users : Authentication : Change : Set User Directory to 'Remote - ClientCert LDAP'.
2. Modify the 'Check Member Attribute in Group' option and save the changes.
Impact:
Modifying this variable has no effect on authentication. In fact, the option 'Check Member Attribute in Group' is not needed for ClientCert LDAP Authentication.
Workaround:
None.
Fix:
Removed extraneous option 'Check Member Attribute in Group' from ClientCert LDAP Authentication screen.
741109 : Application Security Operations Administrator AuthZ role
Component: Application Security Manager
Symptoms:
The existing AuthZ roles for Application Security are:
-- Application Security Administrator (aka ASA aka WASA)
-- Application Security Editor (aka ASE aka WASE)
ASA is an administrator role and has significant authority to make device-wide changes. On the other hand, ASE is very limited in capabilities.
Conditions:
There is a specific demand for a role which can manipulate virtual server association for ASM, but is not an administrator.
Impact:
ASOA will not be able to create or delete Virtual Servers or LTM policies in GUI or in tmsh.
Workaround:
You can use the ASA role to perform required tasks.
Fix:
A new role, Application Security Operations Administrator (aka ASOA), was added; it can associate and disassociate ASM policies and Logging Profiles with Virtual Servers.
ASOA will have the same capabilities as ASE. Additionally, on the 'Virtual Server:: Security :: Policies' GUI page, ASOA will be able to:
-- associate an ASM policy with a virtual server (which implicitly creates an LTM policy for the association).
-- disassociate an ASM policy from a virtual server (which implicitly deletes the associated L7 policy).
-- associate Logging Profile with virtual server.
-- disassociate Logging Profile from virtual server.
-- associate DoS Profile with virtual server.
-- disassociate DoS Profile from virtual server.
-- associate Bot Profile with virtual server.
-- disassociate Bot Profile from virtual server.
-- ASOA will also be able to associate and disassociate these policies/profiles from the 'Security :: Overview :: Summary' page.
ASOA will have read access to the virtual server list and LTM policy list in both GUI and tmsh. ASOA will also be able to modify the list of LTM policies associated with a virtual server in both GUI and tmsh.
741048 : iRule execution order could change after editing the scripts
Component: Local Traffic Manager
Symptoms:
iRule execution order might change. For example, you have the following iRules configured on a virtual server: rule1, rule2, rule3, and they all have CLIENT_ACCEPTED. If you do not specify their priority, or if you specify the same priority to each one, when you edit one, the execution order changes. For example, if you edit the rule2 script, the execution order changes to rule2, rule1, rule3.
Conditions:
Multiple events have the same priority.
Impact:
Execution order changes.
Workaround:
Specify different priorities for iRules containing the same event.
Fix:
iRule execution order is now maintained after editing the scripts.
740959 : User with manager rights cannot delete FQDN node on non-Common partition
Component: Local Traffic Manager
Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.
This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.
Conditions:
-- A user is created with manager rights for a non-Common partition.
-- That user does not have manager rights for the /Common partition.
-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.
-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.
Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.
Workaround:
You can use either of the following workarounds:
-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.
-- Create the FQDN template node on the /Common partition.
Fix:
A user with manager rights for a non-Common partition, but no manager rights to the /Common partition, is now able to successfully delete an FQDN template node created on that non-Common partition.
740761 : Kernel vulnerability: CVE-2018-3646
Solution Article: K31300402
740755 : Kernel vulnerability: CVE-2018-3620
Solution Article: K95275140
740543 : System hostname not displayed in console
Component: TMOS
Symptoms:
Hostname is not displayed in the shell prompt in bash and tmsh.
Conditions:
After reboot or upgrade, login to the host console, shell, or tmsh.
Impact:
Hostname is not displayed in the shell prompt.
Workaround:
Update hostname from GUI/TMSH.
Fix:
Hostname is now displayed in the shell prompt in bash and tmsh.
740345 : TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
Component: Local Traffic Manager
Symptoms:
TMM generates core files on the device.
Conditions:
The issue is seen when connection mirroring, session mirroring, and OCSP stapling are all enabled.
Impact:
If a failover happens while an SSL handshake is in progress, TMM restarts and a core file is generated on the standby device. Traffic is disrupted while TMM restarts.
Workaround:
None.
740284 : Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'
Component: Global Traffic Manager (DNS)
Symptoms:
Virtual servers on generic-hosts may be marked as Yellow, with a message of 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'.
Conditions:
The conditions under which this occurs are not known.
Impact:
Virtual server is marked Yellow erroneously 'In Maintenance Mode'.
Workaround:
Use any of the following to reset the condition:
-- Restart gtmd by issuing the following command:
bigstart restart gtmd
-- Restart the system.
-- Remove any monitors from the affected server, save the configuration, and then add any required monitors.
-- Delete the affected server from the configuration and recreate it.
739963 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
To restore the state of the member, remove it and add it back to the pool.
739945 : JavaScript challenge on POST with 307 breaks application
Component: Application Security Manager
Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.
Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.
Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.
Workaround:
As a workaround, you can construct an iRule that detects that the response from the server is a 307 Redirect, retrieves the TS*75 cookie from the request, and adds a Set-Cookie header to the response that sets the TS*75 cookie on the '/' path.
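One way to build the iRule described in this workaround, as an added example that is not part of the release notes or F5's own code; it assumes the challenge cookie name matches the glob "TS*75" as the text describes, and the variable name ts75_cookies is an assumption:

```tcl
# Added example, not from the original release notes.
# Assumes the challenge cookie name matches the glob "TS*75".
when HTTP_REQUEST {
    # Remember any TS*75 cookies carried by the (challenged) POST request
    # so they are available on this connection when the response arrives.
    set ts75_cookies [list]
    foreach name [HTTP::cookie names] {
        if { [string match "TS*75" $name] } {
            lappend ts75_cookies $name [HTTP::cookie value $name]
        }
    }
}
when HTTP_RESPONSE {
    # Act only on a 307 redirect, and only if the request carried a TS*75 cookie.
    if { [HTTP::status] == 307 && [info exists ts75_cookies] && [llength $ts75_cookies] > 0 } {
        foreach {name value} $ts75_cookies {
            # Re-issue the cookie on the '/' path so the redirected request,
            # which may be on a different path, still carries it.
            HTTP::header insert Set-Cookie "${name}=${value}; Path=/"
        }
    }
}
```

Setting the cookie on '/' widens its scope to every path on the host, which is exactly what the workaround relies on; scope the iRule to the affected virtual server only.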
Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.
739349 : LRO segments might be erroneously VLAN-tagged.
Component: Local Traffic Manager
Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up) might be erroneously VLAN-tagged when LRO is enabled.
Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.
Impact:
Egress traffic might sometimes be tagged.
Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:
tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>
Fix:
The system now ensures that fragment packet flags are correctly set.
738945 : SSL persistence does not work when there are multiple handshakes present in a single record
Component: Local Traffic Manager
Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.
Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.
Impact:
The SSL persistence parser fails to parse such records correctly. The start of the record may be forwarded to the server, but the connection then stalls and eventually hits the idle timeout.
Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.
After changing or disabling persistence, the transaction succeeds and no longer hangs.
738891 : TLS 1.3: Server SSL fails to increment key exchange method statistics
Component: Local Traffic Manager
Symptoms:
When TLS 1.3 is negotiated with a server SSL profile, the key exchange method statistics do not increment.
Conditions:
-- TLS 1.3 is configured on a server SSL profile.
-- TLS 1.3 is the protocol version negotiated.
Impact:
Missing statistics.
Workaround:
None.
Fix:
The key exchange method statistics are now correctly incremented.
Behavior Change:
TLS 1.3 is now supported for configuration on server SSL profiles, so these statistics are now present.
738881 : Qkview does not collect any data under certain conditions that cause a timeout
Component: TMOS
Symptoms:
Qkview enforces a timeout mechanism in various locations for its submodules. In certain conditions, when a timeout occurs, Qkview stops before collecting data it could still have gathered; it should collect what data it can before performing this check.
Conditions:
A particular timeout is encountered during a Qkview operation.
Impact:
Data that might have been collected is not, which might result in missing helpful diagnostic information.
Workaround:
None.
Fix:
Changed the timeout check to occur after important data collection.
738677 : Configured name of wildcard parameter is not sent in data integrity alerts
Component: Fraud Protection Services
Symptoms:
FPS sends a data integrity alert when a parameter is configured with 'Check Data Manipulation' enabled.
The alert includes the parameter's actual-name, actual-val-crc, and expected-val-crc.
For wildcard parameters, it is difficult to tell which parameter was found and triggered the data integrity alert, since FPS sends only the actual name that was found in the request.
Conditions:
Wildcard parameter defined for integrity check.
Impact:
Alert analysis is more difficult, as the actual matched parameter is not obvious.
Workaround:
None.
Fix:
FPS now includes wildcard parameter's configured-name in the data integrity alert.
738676 : Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests
Component: Application Security Manager
Symptoms:
When trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests, the delete fails with an error, and exceptions appear in restjavad.log:
[WARNING][593][30 Jul 2018 14:42:26 UTC][8100/mgmt ForwarderPassThroughWorker] URI:http://localhost:8100/mgmt/tm/asm/events/bot-defense-events?$top=200000, Referrer:https://<local_IP>/dms/bot_defense/bot_requests.php, Method:DELETE, Exception:java.util.concurrent.TimeoutException: remoteSender:<remote_IP>, method:DELETE
Conditions:
This can be encountered when deleting all bot requests while traffic is passing.
Impact:
Delete fails, and there is significant memory consumption in asm_config_server.
Workaround:
None.
Fix:
This release fixes the bot-requests deletion process to not fail with errors and not cause substantial memory consumption in asm_config_server.
738543 : Dynamic route with recursive nexthop might cause tmrouted restart
Component: TMOS
Symptoms:
tmrouted restart.
Conditions:
- Dynamic routing enabled.
- Routing update with recursive nexthop.
Impact:
The dynamic routing daemons become unstable. TMM cannot learn or advertise routes while the daemon restarts.
Workaround:
There is no workaround other than not exporting routes with recursive nexthop.
Fix:
Dynamic routes with recursive nexthop no longer cause tmrouted restart.
738430 : APM is not able to do compliance check on iOS devices running F5 Access VPN client
Component: Access Policy Manager
Symptoms:
Compliance check against Microsoft Intune fails when an APM end user attempts a VPN connection from a managed iOS device running the F5 Access VPN client.
Conditions:
-- APM policy is configured to use Microsoft Intune for device compliance check.
-- APM end user is attempting VPN connection using the F5 Access VPN client on an iOS device.
Impact:
APM is not able to do compliance checks on the device, and VPN connection fails.
Workaround:
None.
Fix:
APM can now check iOS devices for compliance against Microsoft Intune.
738330 : /mgmt/toc endpoint broken after configuring remote authentication
Component: TMOS
Symptoms:
'Invalid username or password.' error on the /mgmt/toc page after configuring remote authentication.
Conditions:
When remote auth is configured.
Impact:
Cannot configure remote authentication.
Workaround:
None.
738259 : F5_Inflate_onevent() issue when it assigns a value to a user-defined object
Component: Access Policy Manager
Symptoms:
Unexpected undefined value retrieved from user-defined object property whose name matches the name of an event handler (e.g., onreadystatechange).
Conditions:
Assigning values to a property of a user-defined object whose name matches the name of an event (e.g., onreadystatechange).
Impact:
Retrieved value from that property is undefined. Web-application might not work as expected.
Workaround:
Use an iRule to work around this issue.
Fix:
The system now correctly handles values retrieved from a user-defined object property whose name matches the name of an event handler.
738197 : IP address from XFF header is not taken into account when there are trailing spaces after IP address
Component: Application Visibility and Reporting
Symptoms:
X-FORWARDED-FOR (XFF) header is ignored by BIG-IP ASM even though usage of XFF is enabled in HTTP profile.
In DoS statistics, the original source IP is reported (instead of one taken from XFF).
Conditions:
There are spaces after IP address in the XFF header.
Impact:
Source IP is not reported as expected in all BIG-IP reports.
Workaround:
Configure the proxy server to not add trailing spaces after the IP address in the XFF header.
Fix:
Trailing spaces are now ignored when extracting IP addresses from XFF headers in AVR.
738148 : Misleading 'Invalid Nonce' error message
Component: Access Policy Manager
Symptoms:
An error occurs during access policy evaluation, resulting in a redirect to /my.logout.php3?errorcode=21
The end-user receives a logout/deny page that displays an error message of 'Invalid Nonce', which is an inaccurate and confusing log message.
Conditions:
'Invalid Nonce' is normally reserved for On-Demand Cert Auth nonce failures. It is also being mistakenly shown for some cases of invalid APM session IDs, especially a sessionID that fails any security checks.
This can sometimes be the symptom of the 'retry-after-reset' scenario. In this scenario, there is an unrelated failure in the access policy evaluation resulting in a reset being sent to the client. The client then tries to retry the original request. If the APM system has already rotated the sessionID (a security defense against session hijacking), then the retry has a stale sessionID. This invalid session ID results in displaying 'Invalid Nonce'.
Impact:
The error message of 'Invalid Nonce' is partially correct, since sessionID rotation is a form of cryptographic nonce. But the message is very confusing for end-users. It is also confusing for admins who do not think they have configured any nonce-based protocols. The error message should be more related to the real problem of invalid sessionID.
Workaround:
There is no workaround at this time.
738108 : SCTP multi-homing INIT address parameter doesn't include association's primary address
Component: TMOS
Symptoms:
When multi-homing is enabled in an SCTP profile, the source address of the INIT chunk is not added as an Address parameter in that INIT chunk.
Conditions:
Any SCTP profile where multi-homing is enabled.
Impact:
No impact for peers that implement SCTP in accordance with RFC 4960.
RFC 4960 does not require that the address be included in the INIT chunk, but it does require that an entity receiving an INIT chunk include the source address in its list regardless of whether that address is listed in the INIT chunk.
Workaround:
No known workaround.
Fix:
BIG-IP now includes all relevant addresses in the INIT chunk.
Behavior Change:
When multihoming is enabled, the local address will now be added to the INIT chunk. Previously the local address (that is, the address that the datagram is sent from) was not listed as an Address parameter. This is permitted, but not required, by RFC 4960 section 3.3.2.1.
737985-3 : BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode.
Component: Local Traffic Manager
Symptoms:
Services that require Standard Proxy mode cannot be used.
Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.
Impact:
Prevents services that require Standard Proxy mode from being leveraged in an L2 transparent deployment.
Workaround:
None.
Fix:
Standard Proxy mode is now supported in this deployment.
737910 : Security hardening on the following platforms
Solution Article: K18535734
737866 : Rare condition memory corruption
Component: Application Security Manager
Symptoms:
The BD daemon cores.
Conditions:
Slow server and slow offload services.
Impact:
A bd crash and traffic disturbance.
Workaround:
None.
Fix:
A memory corruption condition was solved.
737766 : Too many branches in agents may cause request process slow down
Component: Access Policy Manager
Symptoms:
When a policy has an agent with a lot of branches, and many requests are routed to the branches near the bottom of the agent, those requests may take significantly longer to process.
Conditions:
A policy that has an agent with a lot of branches, and many requests are routed to the branches near the bottom of the agent.
Impact:
Requests may take a significantly longer time to process. For example, a policy with 10 branches might experience twice the processing time (from the 5.7-microsecond baseline to 12.9 microseconds). Depending on the number of requests that are routed to the branches near the bottom of the agent, you might even experience a lag in which the BIG-IP system appears to have stopped responding.
Workaround:
There is no workaround other than not configuring too many branches on a single agent. You can use layered / cascaded agents to limit the number of branches per agent.
737731 : iControl REST input sanitization
Component: TMOS
Symptoms:
iControl REST worker input sanitization issue.
Conditions:
iControl REST worker service running on BIG-IP.
Impact:
iControl REST
Workaround:
None
Fix:
Improved iControl REST worker input sanitization.
737574 : iControl REST input sanitization★
Component: TMOS
Symptoms:
iControl REST worker input sanitization issue.
Conditions:
iControl REST worker service running on BIG-IP.
Impact:
iControl REST and TMSH
Workaround:
None.
Fix:
Improved iControl REST worker input sanitization.
737565 : iControl REST input sanitization
Component: TMOS
Symptoms:
iControl REST worker input sanitization issue.
Conditions:
iControl REST worker service running on BIG-IP.
Impact:
iControl REST and tmsh
Workaround:
None
Fix:
Improved iControl REST worker input sanitization.
737536 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
Component: TMOS
Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|
The goal is to redistribute the default route received from the OSPF process that peers with the Internet (OSPF process 1) into OSPF process 2. If that route is removed (e.g., an Internet link goes down), OSPF process 2 should remove the associated route, so the 'default-information originate' command is the ideal choice: as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2, and if that route is gone, OSPF process 2 immediately removes it from its routing table. However, enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected as it should be.
Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:
OSPF router config examples:
***
OSPF 1:
!router ospf 1
ospf router-id 10.13.0.7
redistribute ospf
network 10.13.0.0/16 area 0.0.0.1
default-information originate
OSPF 2:
router ospf 1
ospf router-id 10.14.0.5
redistribute ospf
network 10.14.0.0/16 area 0.0.0.1
BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
***
-- Enabling 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive the default route advertised by BIG-IP OSPF process 1, if one exists.
# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
default-information originate
Impact:
A default route from OSPF process 1 is not advertised into the OSPF process 2 routing table.
Workaround:
None.
Fix:
Enabling 'default-information originate' on OSPF process 2 now causes OSPF process 2 to receive a default route from OSPF process 1, if one exists.
737423 : Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033
Component: TMOS
Symptoms:
An integer wraparound has been discovered in the Binary File Descriptor (BFD) library distributed in GNU Binutils up to version 2.30. An attacker could cause a crash by providing an ELF file with corrupted DWARF debug information.
concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.
The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.
Conditions:
Command-line usage of binutils tools by users with Advanced Shell Access
Impact:
None in default, standard and recommended configurations.
Workaround:
None.
Fix:
Upgraded binutils to an unaffected version.
737094 : Reduce the impact of the Dynamic Script Removal Detection loading time
Component: Fraud Protection Services
Symptoms:
In some specific cases, the loading-time impact of Dynamic Script Removal Detection can be significant.
Conditions:
Dynamic Script Removal Detection enabled.
Impact:
Loading times might be impacted.
Workaround:
Remove the problematic methods using the FPS GUI.
737035 : New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup.
Component: Advanced Firewall Manager
Symptoms:
BDoS feature (AFM/DHD) needs to share learned traffic characteristics across nodes (within a cluster) and across devices (within the device group).
Previous infrastructure used by BDOS could cause spikes in disk usage due to a large number of snapshot files being saved under /config/filestore/.trash_bin_d partition.
Conditions:
BDOS feature is enabled on at least 1 context (either at global context or at least 1 virtual server).
Impact:
The /config partition on the BIG-IP system consistently fills up with large numbers of directories/files under /config/filestore/.trash_bin_d, eventually causing the system to run out of disk space in the /config partition.
Workaround:
As a workaround, manually delete files/directories filling up under /config/filestore/.trash_bin_d partition to free up disk space.
Fix:
BDOS now uses a new (and improved) infrastructure for sharing data across nodes/devices (within device group/cluster setup) that does not require snapshot files to be maintained under /config/filestore/ partition.
734797 : URL suggestion is still explicit though it should be *.[Jj][Ss]
Component: Application Security Manager
Symptoms:
An unexpected URL suggestion is populated for an explicit URL even though the URL's Filetype is defined in the 'File types for which wildcard HTTP URLs will be configured (e.g. *.jpg)' list.
Conditions:
A Filetype is added to the 'File types for which wildcard HTTP URLs will be configured (e.g. *.jpg)' list after the first traffic for a specific URL with that Filetype has arrived (the problem persists even if the suggestion is deleted).
Impact:
An unexpected URL suggestion is populated for an explicit URL when it should not be.
Workaround:
- Ignore the suggestion (use the ignore button).
- Restart policy builder (run the command pabnagd).
Fix:
When adding a new Filetype to the 'File types for which wildcard HTTP URLs will be configured (e.g. *.jpg)' list, once the first traffic for an explicit URL with a suggestion arrives, the explicit URL suggestion will be deleted and a wildcard URL suggestion for matching Filetype will be created.
734551-2 : L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server
Component: Local Traffic Manager
Symptoms:
Configuration overhead, because a virtual server must be configured per VLAN group.
Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.
Impact:
Configuration overhead of configuring a virtual server per VLAN group.
Workaround:
None.
Fix:
The system no longer requires a virtual server to be configured per VLAN group.
734303 : "tmsh show sys hardware" shows blade part number instead of chassis part number
Component: TMOS
Symptoms:
Near the end of the output of "tmsh show sys hardware", it will display "System Information" like the following:
System Information
Type A112
Chassis Serial chs500264s
Level 200/400 Part 400-0039-03 REV B
For a chassis based platform, the "Level 200/400 Part" will display the blade part number instead of the chassis part number.
Conditions:
This always happens on a chassis-based platform. It does not affect appliances.
Impact:
It is cosmetic. This does not affect regular traffic at all.
Workaround:
None.
Fix:
The root cause has been identified, and will be fixed in the future.
727288 : Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
Component: Service Provider
Symptoms:
Diameter message routing framework sends Capabilities-Exchange-Request (CER)/Device-Watchdog-Request (DWR) with hop-by-hop (h2h) ID and end-to-end (e2e) ID set to 0 as the server.
Conditions:
Diameter Message Routing Framework (MRF) in use
Impact:
The BIG-IP system sends CER and DWR to remote peers.
However, the BIG-IP system sends e2e=0 and h2h=0 as the server ID in the CER and DWR requests. This does not comply with RFC 6733 (https://tools.ietf.org/html/rfc6733).
Workaround:
Use a DIAMETER_EGRESS iRule event to change the hop-by-hop ID and end-to-end ID.
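To make the RFC 6733 header fields concrete, here is an added Python example (not F5 code and not part of this release note): it decodes the 20-byte Diameter header, reports CER/DWR requests whose Hop-by-Hop or End-to-End identifier is 0, and shows one way to generate proper identifiers. The command codes and the request flag bit are from RFC 6733; the sample messages and the function names are constructed for this illustration.

```python
import os
import struct
import time

HEADER_LEN = 20          # fixed Diameter header size, RFC 6733 section 3
FLAG_REQUEST = 0x80      # 'R' bit in the Command Flags octet
CMD_CER = 257            # Capabilities-Exchange-Request/Answer
CMD_DWR = 280            # Device-Watchdog-Request/Answer
NAMES = {CMD_CER: "CER", CMD_DWR: "DWR"}


def build_header(command_code, h2h, e2e, request=True, app_id=0, length=HEADER_LEN):
    """Encode a Diameter header; used here only to construct sample messages."""
    flags = FLAG_REQUEST if request else 0
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([flags])
            + command_code.to_bytes(3, "big") + struct.pack("!III", app_id, h2h, e2e))


def parse_header(data):
    """Decode version, length, flags, command code, application id, h2h and e2e."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    if data[0] != 1:
        raise ValueError(f"unsupported Diameter version {data[0]}")
    app_id, h2h, e2e = struct.unpack("!III", data[8:HEADER_LEN])
    return {
        "length": int.from_bytes(data[1:4], "big"),
        "request": bool(data[4] & FLAG_REQUEST),
        "command_code": int.from_bytes(data[5:8], "big"),
        "app_id": app_id, "h2h": h2h, "e2e": e2e,
    }


def audit_request(data):
    """Findings for a CER/DWR request carrying zero identifiers. Answers echo the
    request's identifiers and are therefore not judged here."""
    hdr = parse_header(data)
    if not hdr["request"] or hdr["command_code"] not in NAMES:
        return []
    name = NAMES[hdr["command_code"]]
    findings = []
    if hdr["h2h"] == 0:
        findings.append(f"{name}: Hop-by-Hop Identifier is 0")
    if hdr["e2e"] == 0:
        findings.append(f"{name}: End-to-End Identifier is 0")
    return findings


def new_hop_by_hop_id():
    """Fresh 32-bit identifier chosen by the sender; nonzero by construction."""
    while True:
        value = int.from_bytes(os.urandom(4), "big")
        if value:
            return value


def new_end_to_end_id():
    """RFC 6733 section 3 suggestion: high 12 bits from the clock, low 20 bits random."""
    low = int.from_bytes(os.urandom(3), "big") & 0xFFFFF
    return ((int(time.time()) & 0xFFF) << 20) | (low or 1)


# Constructed samples: the non-compliant CER the issue describes, and a DWR that
# carries proper identifiers.
BAD_CER = build_header(CMD_CER, h2h=0, e2e=0)
GOOD_DWR = build_header(CMD_DWR, h2h=0x1234ABCD, e2e=0x00A0B0C0)

if __name__ == "__main__":
    print("bad CER :", audit_request(BAD_CER))
    print("good DWR:", audit_request(GOOD_DWR) or "no findings")
```

Running the audit over captured peer traffic is the detection side of this issue; the two generator functions are what a sender-side fix (or the DIAMETER_EGRESS workaround) needs to supply in place of the zeros.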
727191 : Invalid arguments to run sys failover do not return an error
Component: TMOS
Symptoms:
If an invalid device name is used in the sys failover command, the rejected device name is logged in /var/log/ltm and failover does not occur. No error or failure message is displayed on the command line.
Note: In prior versions, the system incorrectly performed a force-to-standby operation (no 'device' specified), rather than a directed failover operation (failover to specified 'device'). Although this resulted in the active device becoming standby, it did not cause the system to choose the (nonexistent) device specified.
Conditions:
Run a tmsh command similar to the following:
sys failover standby traffic-group traffic-group-1 device invalid_name
Impact:
Since no failover occurs and no error/warning is returned, this may result in some confusion.
Workaround:
There is no workaround.
727136 : One dataset contains a large number of variations of TLS hello messages on Chrome
Component: Anomaly Detection Services
Symptoms:
Dataset of TLS fingerprints of clients of a site can consume significantly more space than needed.
Conditions:
-- BADOS with TLS signatures.
-- AFM end user clients using the Mozilla Chrome browser.
Impact:
The dataset is full, so it does not contain the full set of TLS fingerprints. As a result, there is a risk of creating false-positive TLS signatures.
Workaround:
Turn off TLS signatures.
Fix:
The dataset of TLS fingerprints now contains unique TLS fingerprints regardless of GREASE ciphers.
726983-1 : Inserting multi-line HTTP header not handled correctly
Component: Local Traffic Manager
Symptoms:
An HTTP header inserted by an iRule that contains an embedded newline followed by whitespace is not parsed properly. This can result in the new header being incorrectly split into multiple headers.
Conditions:
iRule which adds a header containing embedded newline followed by whitespace:
HTTP::header insert X-Multi "This is a\n multi-line header"
Impact:
The new header does not get parsed properly, and its values are treated as new header values. In some cases tmm may restart.
Workaround:
Ensure that the trailing whitespace text is not present (if not legitimately there). For manipulation of HTTP Cookie headers, use the HTTP::cookie API rather than directly via HTTP::header.
Fix:
Inserted multi-line HTTP headers are now parsed correctly.
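The split the issue describes comes from obsolete line folding (RFC 7230 section 3.2.4): a line break followed by whitespace continues the previous header value, and a parser that splits on every line break turns the continuation into a separate, malformed header. The following added Python example (not BIG-IP code) contrasts the two parser behaviours on a constructed header block, and includes the value sanitiser a defender would apply before inserting data of uncertain origin into a header; all names and the sample block are constructed.

```python
import re

# Obsolete line folding (RFC 7230 section 3.2.4): a line break followed by SP/HTAB
# continues the previous header value. A parser must unfold it (replace with a
# single space) or reject it; splitting on the line break is the bug.
OBS_FOLD = re.compile(rb"\r?\n[ \t]+")

# Constructed sample header block. The X-Multi value carries an embedded newline
# followed by whitespace, the same shape as the iRule in the issue produces.
RAW_HEADERS = (
    b"Host: example.test\r\n"
    b"X-Multi: This is a\n multi-line header\r\n"
    b"Cookie: a=1\r\n"
    b"\r\n"
)


def _split_lines(raw):
    """Yield header lines up to the empty line that ends the header block."""
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line:
            break
        yield line


def naive_parse_headers(raw):
    """Split on every line break without unfolding: the continuation line becomes
    a separate, colon-less (malformed) header entry, which is the observed symptom."""
    headers = []
    for line in _split_lines(raw):
        name, sep, value = line.partition(b":")
        headers.append((name.strip(), value.strip() if sep else None))
    return headers


def parse_headers(raw):
    """Unfold obs-fold into a single space before splitting, so a folded value stays
    attached to its header name (RFC 7230 permits replacing obs-fold with SP)."""
    headers = []
    for line in _split_lines(OBS_FOLD.sub(b" ", raw)):
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return headers


def safe_header_value(value):
    """Neutralise CR/LF (and any fold whitespace after them) in a value before it is
    inserted into a header, so the value can never start a new header line."""
    return re.sub(r"[\r\n]+[ \t]*", " ", value).strip()


if __name__ == "__main__":
    print("naive  :", naive_parse_headers(RAW_HEADERS))
    print("unfold :", parse_headers(RAW_HEADERS))
    print("sanitised value:", safe_header_value("This is a\n multi-line header"))
```

The naive parser returns four entries, the third of which has no name/value separator at all; the unfolding parser returns three, with X-Multi intact. Applying safe_header_value on the insertion side is the cheap fix the workaround hints at: it removes the line break before it ever reaches a parser.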
726734 : DAGv2 port lookup stringent may fail
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.
Conditions:
Active FTP with mirroring enabled.
Impact:
Connection cannot get established.
Workaround:
There is no workaround other than to disable mirroring.
Fix:
TMM is now always able to find a local port.
726647 : PEM content insertion in a compressed response may truncate some data
Component: Policy Enforcement Manager
Symptoms:
HTTP compressed response with content insert action can truncate data.
Conditions:
PEM content insertion action with compressed HTTP response.
Impact:
Data might be truncated.
Workaround:
There is no workaround other than disabling the compression Accept-Encoding attribute in the HTTP request.
Fix:
HTTP compressed response with content insert action no longer truncates data.
726487 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
Component: TMOS
Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:
-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.
-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.
Or:
--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).
--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.
Conditions:
This issue occurs when all of the following conditions are met:
-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Creating a pool member in the aforementioned partition while a configuration save is taking place at the same time (either system or user initiated).
Impact:
If the system is Active, traffic will be disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).
Workaround:
There is no workaround other than not to create pool members from a different client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.
Fix:
MCPD on secondary blades no longer restarts if a pool member is created in a partition that uses a non-default route domain at the same time as the configuration is being saved.
726393 : DHCPRELAY6 can lead to a tmm crash
Component: Local Traffic Manager
Symptoms:
tmm can crash when handling a DHCPv6 request via the DHCPv6 relay.
Conditions:
tmm handling a DHCPv6 request.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash related to DHCPv6 request via the DHCPv6 relay.
726327-3 : NodeJS debugger accepts connections from any host
Component: Local Traffic Manager
Symptoms:
The NodeJS debugger accepts connections from any host.
Note: Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. This issue exists in Node.js, not in BIG-IP software.
Conditions:
This occurs under either of the following conditions:
-- iRuleLX plugin configured.
-- Administrator starts node-inspector.
Impact:
NodeJS Debugger exposed to remote access.
Important: Enabling the NodeJS debugger should only be part of active troubleshooting; it is not a recommended configuration for a production system.
Workaround:
Specify an authorized host for remote access using the following command:
--debug=<host>:<port>
726317 : Improved debugging output for mcpd
Component: TMOS
Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.
Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.
Impact:
None. Has no effect without log.mcpd.level set to debug.
Workaround:
None.
Fix:
New output helps F5 engineers diagnose mcpd problems more easily.
726232 : iRule drop/discard may crash tmm
Component: Local Traffic Manager
Symptoms:
TMM crash after an iRule attempts to drop packet.
Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
drop
# discard - drop is the same as discard
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
TMM correctly handles 'drop' command in 'LB_SELECTED' event.
726011 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
Component: Policy Enforcement Manager
Symptoms:
There is no way to disable the optimization when time-based actions are enabled in the PEM policy and statistical transaction-based action enforcement is desired.
Conditions:
If the PEM classification tokens do not change.
Impact:
Time-based actions such as insert content may not get applied to such flows.
Workaround:
None.
Fix:
There is now a sys db variable, tmm.pem.actions.lookup.optimize, to disable the optimization when time-based actions are enabled in the policy and statistical transaction-based action enforcement is desired over per-flow enforcement.
725906 : ASM Support for BITW
Component: Application Security Manager
Symptoms:
Missing ASM support for bump-in-the-wire (BITW), Layer 2 Transparent bridge mode on the same VLAN.
Conditions:
-- Deployment of ASM.
-- VLAN operating with Layer 2 Transparency.
Impact:
ASM deployment in bridge mode is not supported.
Workaround:
There is no workaround at this time.
Fix:
ASM now supports deployment in same VLAN operating with Layer 2 Transparency.
725791 : Potential HW/HSB issue detected
Component: TMOS
Symptoms:
A number of High-Speed Bridge (HSB) statistics registers monitor errors in the HSB SRAM that is critical for passing traffic, for example RQM_CRC_ERROR Count 0, RQM_CRC_ERROR Count 1, RQM_CRC_ERROR Count 2, etc. An error in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flows might fail.
A burst of CRC errors in the SRAM for the ePVA transformation cache does not trigger a failover and causes a silent traffic outage on FastL4 virtual servers with hardware traffic acceleration. This is because the health-check watchdog packets still function correctly, and the current TMOS software primarily monitors watchdog packet tx/rx failures to trigger failover.
In these cases, there might be the following messages in /var/log/tmm*:
Device error: hsb_lbb* tre2_crc_errs count *
Conditions:
Traffic is offloaded to HSB hardware for acceleration.
Impact:
Hardware accelerated traffic drop.
Workaround:
Switch traffic to software acceleration.
Fix:
Including traffic-critical registers in the failover triggers helps failover happen quickly, with minimum disruption to traffic, in the case of SRAM hardware failures.
725625 : BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK
Component: TMOS
Symptoms:
Data compression offload to QuickAssist devices is now enabled as part of BIG-IP Virtual Edition (VE) Cryptographic Offload feature.
BIG-IP VE Cryptographic Offload uses the Intel QAT 1.7 SDK. A newer QAT 1.7 SDK v4.4.0 provides code and firmware that fixes several known QAT defects, including a compression defect specific to Lewisburg/Lewis Hill QuickAssist devices.
Conditions:
-- BIG-IP VE SSL Offload is licensed
-- The BIG-IP VE VM has been assigned QAT Virtual Functions.
Impact:
BIG-IP VE Cryptographic and Compression offload are more reliable. The QAT 1.7 v4.4.0 SDK should be installed on the hypervisor host.
Workaround:
None.
Fix:
Several Intel QuickAssist defects have been fixed for BIG-IP VE Cryptographic and Compression Offload by upgrading BIG-IP VE to the Intel QAT 1.7 v4.4.0 SDK.
This newer QAT SDK introduces code and firmware support to fix several defects. A new Compress and Verify mode is introduced to work around a compression defect specific to Lewisburg/Lewis Hill QuickAssist devices.
See Intel's QuickAssist Release Notes for additional details:
https://01.org/sites/default/files/downloads//336211-009qatrelnotes.pdf.
725514 : management IP address change in device-groups★
Component: Device Management
Symptoms:
When only the management IP address is changed on a BIG-IP system, the REST resource /shared/resolver/device-groups/tm-shared-all-big-ips/devices/<uuid> is not updated with the new IP address.
This affects the deployment of the SSLO iApp, which relies on the management address.
Conditions:
The management IP address is changed on a BIG-IP system.
Impact:
SSLO iApp fails to deploy on a standalone BIG-IP.
Workaround:
The workaround is to update the managementAddress by sending a PATCH request to the device in tm-shared-all-big-ips device group.
restcurl -X PATCH -d '{"managementAddress":"10.80.99.157"}' /shared/resolver/device-groups/tm-shared-all-big-ips/devices/6911da3d-e3a5-4503-a42f-0ed80440638f
Fix:
The code is fixed to support a scenario in which only the management IP address is changed.
The restjavad daemon must be restarted after the management address has been changed.
725022 : IKEv1 has unused CRL-File in GUI that does nothing at runtime
Component: TMOS
Symptoms:
The CRL File in config for an IKEv1 ike-peer does not actually do anything, so it should not be presented in the web GUI.
It also appears in the tmsh command line.
Conditions:
When using the configuration utility (web UI), the config for an IKEv1 ike-peer allows you to specify a CRL file that is not actually used for anything.
Impact:
The CRL file is not used in certificate checking.
Workaround:
There is no workaround other than not configuring the unused file.
724680 : OpenSSL Vulnerability: CVE-2018-0732
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K21665601
Conditions:
For more information see: https://support.f5.com/csp/article/K21665601
Impact:
For more information see: https://support.f5.com/csp/article/K21665601
Workaround:
None.
Fix:
For more information see: https://support.f5.com/csp/article/K21665601
724556 : icrd_child spawns more than maximum allowed times (zombie processes)
Component: TMOS
Symptoms:
icrd_child is issued a SIGTERM. The SIGTERM might not succeed in destroying the process, especially when the system is under heavy load. This leads to zombie processes.
Conditions:
-- The icrd_child process is issued a SIGTERM that does not successfully destroy the icrd_child process.
-- System under heavy load.
Impact:
There are zombie icrd_child processes consuming memory.
Workaround:
Restart the system.
Fix:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds
If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.
If set to a value greater than 0, SIGKILL is issued after the specified delay following SIGTERM if the icrd_child process has not terminated.
A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.
Behavior Change:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds
If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.
If set to a value greater than 0, SIGKILL is issued after the specified delay following SIGTERM if the icrd_child process has not terminated.
A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.
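An added Python model of the sigkillDelaySeconds escalation described above, to show why the delay matters: with the delay at 0 a child that does not honour SIGTERM simply lingers, while with a positive delay it is killed and, just as importantly, reaped, which is what prevents the zombie. This is not icrd's own implementation; the helper children, the function names and the 0.5 s grace period used when no escalation is configured are assumptions for the demonstration.

```python
import signal
import subprocess
import sys

# Constructed helper children. The stubborn one ignores SIGTERM, standing in for an
# icrd_child that does not exit on SIGTERM under load. Both print "ready" once their
# signal disposition is in place, so the parent never signals them too early.
STUBBORN_CHILD = (
    "import signal, time\n"
    "signal.signal(signal.SIGTERM, signal.SIG_IGN)\n"
    "print('ready', flush=True)\n"
    "time.sleep(60)\n"
)
POLITE_CHILD = "import time\nprint('ready', flush=True)\ntime.sleep(60)\n"


def spawn(script):
    """Start a helper child and block until it reports ready."""
    proc = subprocess.Popen([sys.executable, "-c", script], stdout=subprocess.PIPE)
    proc.stdout.readline()
    return proc


def terminate_with_escalation(proc, sigkill_delay_seconds, grace=0.5):
    """Send SIGTERM; if sigkill_delay_seconds > 0 and the child is still alive after
    that delay, send SIGKILL. Every exit path that ends the child calls wait(), which
    reaps it; an exited child that nobody waits for is exactly the zombie in the issue.
    Returns "sigterm", "sigkill", or "still-running" (delay 0 or missing and the child
    ignored SIGTERM)."""
    proc.send_signal(signal.SIGTERM)
    try:
        proc.wait(timeout=sigkill_delay_seconds if sigkill_delay_seconds > 0 else grace)
        return "sigterm"
    except subprocess.TimeoutExpired:
        pass
    if sigkill_delay_seconds <= 0:
        return "still-running"
    proc.send_signal(signal.SIGKILL)
    proc.wait()  # reap; without this the killed child would remain a zombie
    return "sigkill"


if __name__ == "__main__":
    for label, script, delay in (("delay 0, stubborn child", STUBBORN_CHILD, 0),
                                 ("delay 3, stubborn child", STUBBORN_CHILD, 3),
                                 ("delay 3, polite child", POLITE_CHILD, 3)):
        child = spawn(script)
        outcome = terminate_with_escalation(child, delay)
        print(f"{label}: {outcome} (returncode={child.returncode})")
        if outcome == "still-running":
            child.kill()
            child.wait()
```

The returncode after "sigkill" is -9 and after "sigterm" is -15, which is how a supervisor can tell the two exits apart in its own logging.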
724327 : Changes to a cipher rule do not immediately have an effect
Component: Local Traffic Manager
Symptoms:
If a cipher rule is changed, and a cipher group that uses the rule is attached to an SSL profile, the change does not take effect until something else on the SSL profile changes.
Conditions:
-- A cipher group is used by an SSL profile.
-- One of its cipher rules changes.
Impact:
Unexpected behavior occurs because the cipher rule change does not take effect immediately.
Workaround:
After changing the cipher rule that's used by a cipher group, make a change to any SSL profile that uses the associated cipher group.
Fix:
Any change to a cipher rule or cipher group now takes immediate effect.
723919 : Exists selector is added to L7 traffic policies
Component: Local Traffic Manager
Symptoms:
It is difficult to detect whether a string exists in an L7 policy traffic operand.
Conditions:
-- L7 traffic policies are used.
-- A rule requires a condition result string to either exist or not exist.
Impact:
The required rule cannot be written.
Workaround:
Using tmsh, it is possible to specify 'starts-with' an empty string to emulate a string 'exists' behavior. The GUI does not support this.
Fix:
The 'exists' selector has been added to L7 traffic policies to enable the detection of whether an output operand string exists.
Behavior Change:
There is now an 'exists' selector in L7 traffic policies to enable the detection of whether an output operand string exists.
723790 : Idle asm_config_server handlers consume a lot of memory
Component: Application Security Manager
Symptoms:
Idle asm_config_server handlers needlessly use a large amount of memory.
Conditions:
This issue might result from several sets of conditions. Here is one:
Export a large XML ASM policy and then leave the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.
Impact:
Unnecessary memory consumption.
Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------
2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.
723278 : Radius Accounting-Request (STOP) always includes AVP Framed-IP-Address=0.16.0.0 when Network Access resource configured with IPv4 & IPv6
Component: Access Policy Manager
Symptoms:
When the VPN tunnel is terminated, the 'Radius Accounting-Request (STOP)' always includes AVP Framed-IP-Address=0.16.0.0 instead of the IPv4 address assigned to the PPP tunnel.
Conditions:
-- Network Access resource is configured with both IPv4 and IPv6.
-- PPP IP address can be either static (obtained from RADIUS) or dynamic (obtained from the lease pool).
-- Using an Edge client or a browser.
-- VPN tunnel is terminated.
Impact:
APM sends 'Radius Accounting-Request (STOP)' that includes the AVP Framed-IP-Address=0.16.0.0 value instead of the assigned IPv4 client IP address.
Workaround:
Configure only IPv4 IP addresses for the Network Access resource.
Fix:
Include Framed IP Address in RADIUS Acct STOP message only when it is a valid IPv4 address.
722707 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
Component: Local Traffic Manager
Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be triggered by configuring the firewall to allow traffic to/from the 'mysql' database, and then (after the 'mysql' monitor has successfully connected to the database) changing the firewall rules to drop packets returned *from* the database.
Conditions:
1. A 'mysql' monitor successfully connects to the 'MySQL' database.
2. Once the connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.
Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).
Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).
722647 : The configuration of some of the Nokia alerts is incorrect
Component: TMOS
Symptoms:
The categories for perceived severity in the alert_nokia.conf file are 0-4, 10-11, but there is an entry in the file with a value of 6.
Conditions:
-- Traps are enabled to support SNMP alerts in the Nokia NetAct format, e.g., using the following command:
tmsh modify sys db alertd.nokia.alarm value enable
-- The values in the alert_nokia.conf file are applied.
Impact:
Some of the values are incorrect. Handling of the trap/clear for the mislabeled trap is incorrect.
Workaround:
Edit the alert_nokia.conf file and restart the alert daemon.
Fix:
All OIDs that clear a Specific Problem (SP) now have a perceived severity of 5.
721967 : SSL key files that have world-read permission are created during device trust reset
Component: TMOS
Symptoms:
After a reset of device trust, there are some SSL key files that are created and have world-read permission. These files should be protected or not exist.
Conditions:
Using either tmsh or the GUI, issue a reset of an existing device trust.
Impact:
Unauthorized user is given access to SSL key files in the file store.
Workaround:
There is no workaround at this time.
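An added Python check (not part of BIG-IP) that a practitioner can run against a file store after a device-trust reset: it lists key files whose mode grants group or other any access and sets them to owner-only. The directory names, the `.key`/`.key_` naming rule used to recognise key material, and the sample files are constructed for the demo and should be adapted to the real tree.

```python
import os
import stat
import tempfile
from pathlib import Path

# Any group/other bit exposes the file beyond its owner; a private key should have none.
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def is_key_file(path):
    """Assumed naming rule: a '.key' suffix, or a '.key_' infix such as versioned
    file-store names of the form name.key_NNNN_N. Adapt to your own tree."""
    return path.name.endswith(".key") or ".key_" in path.name


def find_exposed_keys(root):
    """Return (path, octal mode) for every key file under root that is readable or
    writable by group/other. Symlinks are skipped so a link cannot redirect the chmod."""
    exposed = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file() or not is_key_file(path):
            continue
        mode = path.stat().st_mode
        if mode & GROUP_OR_OTHER:
            exposed.append((str(path), oct(stat.S_IMODE(mode))))
    return exposed


def lock_down(findings):
    """Remediation: owner-only access on each reported key."""
    for path, _ in findings:
        os.chmod(path, 0o600)


def demo():
    """Constructed tree: one key left world-readable, one already 0600, and a
    certificate (public by nature, so not reported). Returns findings before and
    after remediation."""
    root = Path(tempfile.mkdtemp(prefix="filestore-demo-"))
    leaked = root / "certificate_key_d" / "leaked.key_1234_1"
    leaked.parent.mkdir()
    leaked.write_text("-- constructed key material --")
    leaked.chmod(0o644)
    safe = root / "certificate_key_d" / "safe.key"
    safe.write_text("-- constructed key material --")
    safe.chmod(0o600)
    cert = root / "certificate_d" / "device.crt"
    cert.parent.mkdir()
    cert.write_text("-- constructed certificate --")
    cert.chmod(0o644)
    before = find_exposed_keys(root)
    lock_down(before)
    after = find_exposed_keys(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("exposed before:", before)
    print("exposed after :", after)
```

Running find_exposed_keys without lock_down gives a read-only audit that can be scheduled after configuration changes; the remediation step is separate on purpose so the report can be reviewed first.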
721585 : mcpd core processing ltm monitors with deep level of inheritance
Component: TMOS
Symptoms:
If the level of ltm monitor inheritance (defaults-from) is too deep (e.g., 9 levels), mcpd fails to send sod a heartbeat within the heartbeat timeout; therefore sod restarts mcpd.
Conditions:
LTM monitors that have 9 levels of inheritance, e.g.:
mon1 defaults from mon2, which defaults from mon3, which defaults from mon4 ... up to mon10
Impact:
mcpd is restarted, which causes services to fail over.
Workaround:
Rework the ltm monitors so that the level of inheritance is less than 9.
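An added Python example (not F5 code) that reads a `tmsh list ltm monitor`-style listing, follows each monitor's defaults-from chain, and flags any chain of 9 or more levels, which is the condition above. The brace-block listing format is assumed from tmsh's usual syntax, the monitor names and the chain are constructed, and a defaults-from cycle is reported as an error rather than followed forever.

```python
import re

MONITOR_HEADER = re.compile(r"^ltm monitor (\S+) (\S+) \{")
DEFAULTS_FROM = re.compile(r"^\s*defaults-from (\S+)")


def parse_monitor_listing(text):
    """Map monitor name -> parent name (or None for a root monitor) from a
    tmsh-style listing; only the defaults-from property is of interest here."""
    monitors, current = {}, None
    for line in text.splitlines():
        header = MONITOR_HEADER.match(line)
        if header:
            current = header.group(2)
            monitors[current] = None
            continue
        parent = DEFAULTS_FROM.match(line)
        if parent and current is not None:
            monitors[current] = parent.group(1)
        elif line.startswith("}"):
            current = None
    return monitors


def inheritance_depth(monitors, name):
    """Number of defaults-from hops from name to a monitor with no parent.
    A parent missing from the listing is treated as a root; a cycle raises."""
    depth, seen = 0, {name}
    parent = monitors.get(name)
    while parent is not None:
        if parent in seen:
            raise ValueError(f"defaults-from cycle through {parent}")
        seen.add(parent)
        depth += 1
        parent = monitors.get(parent)
    return depth


def find_deep_chains(monitors, limit=9):
    """Monitors whose chain reaches the limit, sorted for stable reporting."""
    deep = []
    for name in monitors:
        depth = inheritance_depth(monitors, name)
        if depth >= limit:
            deep.append((name, depth))
    return sorted(deep)


def build_sample_listing(chain_length):
    """Constructed listing: mon1 -> mon2 -> ... -> monN -> /Common/http, plus one
    shallow monitor, in the brace syntax tmsh prints."""
    blocks = ["ltm monitor http /Common/http {\n    interval 5\n    timeout 16\n}\n"]
    for i in range(1, chain_length + 1):
        parent = f"/Common/mon{i + 1}" if i < chain_length else "/Common/http"
        blocks.append(f"ltm monitor http /Common/mon{i} {{\n    defaults-from {parent}\n}}\n")
    blocks.append("ltm monitor http /Common/shallow {\n    defaults-from /Common/http\n}\n")
    return "".join(blocks)


if __name__ == "__main__":
    listing = build_sample_listing(9)
    monitors = parse_monitor_listing(listing)
    print("deep chains:", find_deep_chains(monitors))
```

With a nine-monitor chain the report names /Common/mon1 at depth 9; with a five-monitor chain it is empty, which is the state the workaround asks you to reach.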
721319 : CVE-2018-3639
Solution Article: K29146534
720460 : Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly
Component: Local Traffic Manager
Symptoms:
The sys db variable compression.strategy controls compression-provider selection. When it is set to 'softwareonly', compression still selects a hardware accelerator.
Conditions:
This always happens when compression.strategy is set to 'softwareonly'.
Impact:
Compression.strategy set to 'softwareonly' does not work, and if there is a problem in a hardware accelerator, compression will still select the hardware accelerator, even though software compression is desired.
Workaround:
There is no workaround.
Fix:
The system now supports software compression when the sys db variable compression.strategy is set to 'softwareonly'.
720314 : Seamless BIG-IP upgrade with AWS cloudHSM Liquid Security
Component: Local Traffic Manager
Symptoms:
When upgrading a BIG-IP system running AWS cloudHSM Liquid Security, the cloudhsm-client service is not carried over to the new volume. Without the cloudhsm-client service, PKCS#11 API communication with the Cavium HSM always fails.
Conditions:
-- AWS cloudHSM Liquid Security is used.
-- Upgrading to a new version of the software.
Impact:
HSM service does not work on the new volume.
Workaround:
Manually install cloudhsm-client after upgrading.
Fix:
You can now pre-store a customized script at /shared/pkcs11d_post_process.sh to perform post-processing after a BIG-IP system upgrade. The post-processing may include automatically re-installing or re-registering cloudhsm-client on the BIG-IP system.
720219-4 : HSL::log command can fail to pick new pool member if last picked member is 'checking'
Solution Article: K13109068
Component: Local Traffic Manager
Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.
Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.
Impact:
Failure to send log messages via HSL.
Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.
Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.
720110-3 : 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
Component: TMOS
Symptoms:
Neither learned nor default-originate default routes (0.0.0.0/0) are sent to the BGP peer if the BGP peer has terminated the BGP session with TCP FIN, without BGP notify message.
Conditions:
1. BGP session is terminated without BGP notify (just TCP FIN).
2. Neither learned (not originated in the DUT) nor default-originate (originated in the DUT) routes are sent.
Impact:
Default routes are not propagated in the network after the BGP peer restart.
Workaround:
There is no workaround at this time.
Fix:
Default routes are now always sent after a BGP session reset. Behavior is now consistent whether or not the BGP session reset includes a BGP notify message.
719304 : Inconsistent node ICMP monitor operation for IPv6 nodes
Component: Local Traffic Manager
Symptoms:
While running ping from different blades in a multi-blade environment, pings fail from blades that do not have the tmm that is responsible for pinging the node.
Conditions:
The blade that does not contain the owning tmm is responsible for the node monitors.
Impact:
The node will be incorrectly marked as being unavailable/down.
Workaround:
You can use the following workarounds:
-- Statically assign the NDP entries.
-- Set the route to a gateway that has a non-zero host portion in the address.
719300-2 : ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address
Component: Local Traffic Manager
Symptoms:
ICMP unreachable packets sent by a server may be received by a client with the BIG-IP system's MAC address as the source MAC address.
Conditions:
BIG-IP deployed in an L2 transparent mode using VLAN groups.
Impact:
May impact services on the client that rely on source MAC address of incoming packets.
Workaround:
None.
Fix:
ICMP packets are now sent via the BIG-IP system in an L2 transparent mode.
717896 : Monitor instances deleted in peer unit after sync
Component: Local Traffic Manager
Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.
During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.
Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.
Impact:
After incremental-sync, a single monitor instance exists for the node on the 'backup' unit in the HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; that node's session is 'enabled' (where the 'from-node' was 'disabled'); and that node's status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor failure.
Thus, after incremental-sync, the target-node may be 'down' while the active unit in the HA configuration continues to function as expected.
Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.
Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.
717100 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
Component: Local Traffic Manager
Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.
The missing FQDN ephemeral pool members may be created an hour after initial operations.
Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.
Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.
Workaround:
The following steps, alone or in combination, may help avoid this issue:
1. Avoid rapid creation of multiple FQDN template pool members (for example, creating several in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.
Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.
In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).
Fix:
Ephemeral pool members are now created for each pool under these conditions.
716936 : MPTCP might not process all MPTCP options when multiple are present on the same packet
Component: Local Traffic Manager
Symptoms:
MPTCP might not process all MPTCP options when multiple are present on the same packet.
Conditions:
TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Depending on when the multiple options occur this might cause a variety of issues, including unnecessary retransmission or timeout of the connection.
Workaround:
There is no workaround at this time.
Fix:
The system now processes all MPTCP options on a packet.
716714 : OCSP should be configured to avoid TMM crash.
Component: Local Traffic Manager
Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.
Conditions:
OCSP not configured in the SSL profile.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than configuring OCSP in SSL profiles.
Fix:
In this release, TMM skips processing OCSP if it is not enabled.
716167 : The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp
Component: Local Traffic Manager
Symptoms:
The MTU of the tmm_bp kernel interface may be out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
tmsh show /net vlan all-properties -hidden.
Conditions:
This issue occurs on first-boot after upgrading to versions later than v12.1.1 HF1.
Impact:
From the data plane perspective, this issue can cause excessive IP fragmentation on tmm_bp VLAN and high CPU usage.
In some cases it also causes packet loss.
From the config perspective, this issue has a few smaller impacts:
-- Packets on the tmm_bp interface that are longer than the interface's actual MTU (as reported by the kernel via 'ip address list dev tmm_bp | egrep -i mtu' or 'ifconfig tmm_bp') are fragmented.
Note: This has no impact to the running system. Fragmented packets are reassembled in order for TCP clients of the tmm_bp interface.
-- The sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp as given by either of the following commands:
ip address list dev tmm_bp
ifconfig tmm_bp
-- Similarly, the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the Net::Vlan tmm_bp as returned by the command:
tmsh show net vlan -hidden tmm_bp
In short: the VLAN tmm_bp MTU value (sys db vlan.backplane.mtu) is not applied to the corresponding kernel interface.
Workaround:
A subsequent restart of all services applies the correct setting. Issue the following commands in sequence:
tmsh stop sys service all
tmsh start sys service all
Note: stopping all services also stops tmm, so traffic is interrupted until the restart completes; perform this in a maintenance window or on the standby unit of an HA pair.
To verify that the kernel interface, the VLAN object, and the sys db variable now agree, issue the command:
ip addr show dev tmm_bp ; tmsh show net vlan -hidden tmm_bp \; list sys db vlan.backplane.mtu
715548 : NSH context is not preserved in the SFF while traversing a non-NSH aware SF
Component: TMOS
Symptoms:
A packet forwarded by a Service Function Forwarder (SFF) after being received from a non-Network Service Header (NSH) aware Service Function (SF), will not contain NSH context.
Conditions:
Traffic going through a Service Function Chain (SFC) containing an F5 SFF subtending a non-NSH aware SF.
Impact:
Loss of any service that depends on content in an NSH context.
Workaround:
There is no workaround at this time.
713817 : BIG-IP images are available in Alibaba Cloud
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) images are now available in the Alibaba International Cloud Marketplace.
Conditions:
Create virtual server instance within Alibaba International Cloud environment and select BIG-IP from the list of available images.
Impact:
New offerings for BYOL and PAYG for BIG-IP VE are now available in the Alibaba International Cloud Marketplace.
Workaround:
BIG-IP VE images are now available in Alibaba Cloud.
Fix:
BIG-IP VE images are now available in Alibaba Cloud.
Behavior Change:
BIG-IP VE now supports the Alibaba International Cloud Marketplace.
713806 : CVE-2018-0739: OpenSSL Vulnerability
Solution Article: K08044291
712919 : Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
Component: Local Traffic Manager
Symptoms:
When an iRule is removed from a Virtual Server, especially one with explicitly specified high priority (with "priority" keyword), other iRules on the same Virtual Server may become "invisible" i.e. they are present but some of them are no longer executed. It may affect all the events or only certain types of them. Under certain conditions the defect may even disappear upon removing another iRule, particularly if it has low priority and handles the same event as the one which introduced the problem.
Conditions:
Removing an iRule from a Virtual Server.
Impact:
Some or all iRules on given Virtual Servers stop being executed.
Workaround:
Restart or reload the configuration. If iRules must be removed at run time and doing so triggers the problem, it can be prevented by having an iRule (even an empty one) for the same event as the iRule to be removed, with a higher priority, for example the attribute "priority 1".
Fix:
Corrected scanning of iRules stored behind the one which is being deleted.
712336 : bd daemon restart loop
Component: Application Security Manager
Symptoms:
Continuous bd restarts after a period in which /var was full and was then cleaned.
Conditions:
/var was full and then cleaned
Impact:
Continuous BD restarts
Workaround:
A) Make a spurious change in a policy and apply it.
OR
B) Restart ASM
711910 : The drops statistics in tmsh for LTM::DNS Profile Unhandled Query Action percentage column does not display the percentage
Component: Global Traffic Manager (DNS)
Symptoms:
The drops stat for LTM::DNS Profile Unhandled Query Action percentage column always displays as '-' in tmsh, regardless of the actual percentage.
Conditions:
LTM and DNS services provisioned, enabled, and configured.
Impact:
Incorrect drops stat for LTM::DNS Profile Unhandled Query Action percentage. Column always displays the value '-' instead of an actual percentage.
Workaround:
None.
Fix:
The drops stat for LTM::DNS Profile Unhandled Query Action percentage column now displays the actual percentage.
711056 : License check VPE expression fails when access profile name contains dots
Component: Access Policy Manager
Symptoms:
License Check Agent always flows down fallback branch. Logs show the following pattern:
-- err apmd[13738]: 01490190:3: /Common/my.profile.name:Common:2a392ccd: Key 'tmm.profilelicense./Common/my.profile.name#' was not found in MEMCACHED.
-- err apmd[13738]: 01490086:3: /Common/my.profile.name:Common:2a392ccd: Rule evaluation failed with error: can't use empty string as operand of "-"
Conditions:
-- Access profile contains '.' (dot) characters in its name.
-- License Check agent is used in the VPE to check against profile license.
Impact:
License check always fails, resulting in denied logon.
Workaround:
Use a different policy name without '.' characters.
Fix:
A new session variable named 'session.access.profileid' contains the profile name, with '.' characters being replaced with '_' characters, if any. If License agent branch rule uses profile license consumption as the criterion, do one of the following:
-- If profile name is hard-coded, manually replace the '.' characters with '_' characters in the profile name.
-- If the profile name is fetched from session variable, use 'session.access.profileid' instead of 'session.access.profile', as shown in the following example:
expr {(([mcget -license "tmm.profilelicense.[mcget {session.access.profileid}]"] - [mcget -license "tmm.profilelicense.[mcget {session.access.profileid}]#"]) * 100) >= ([mcget -license "tmm.profilelicense.[mcget {session.access.profileid}]"] * 20)}
Behavior Change:
A new session variable named 'session.access.profileid' contains the profile name, with '.' characters being replaced with '_' characters, if any. If License agent branch rule uses profile license consumption as the criterion, do one of the following:
-- If profile name is hard-coded, manually replace the '.' characters with '_' characters in the profile name.
-- If the profile name is fetched from session variable, use 'session.access.profileid' instead of 'session.access.profile', as shown in the following example:
expr {(([mcget -license "tmm.profilelicense.[mcget {session.access.profileid}]"] - [mcget -license "tmm.profilelicense.[mcget {session.access.profileid}]#"]) * 100) >= ([mcget -license "tmm.profilelicense.[mcget {session.access.profileid}]"] * 20)}
710857 : iControl requests may cause excessive resource usage
Component: Device Management
Symptoms:
Under certain conditions, iControl requests submitted by authenticated users may cause excessive resource usage.
Conditions:
Authenticated iControl user
Impact:
Excessive resource usage, potentially leading to a failover event.
Workaround:
None.
Fix:
iControl now processes requests as expected.
709126 : Localdb authentication may fail
Component: Access Policy Manager
Symptoms:
In rare scenarios, localdb authentication may fail due to a thread synchronization issue in the apmd daemon.
Conditions:
- APM is provisioned
- Using localdb for authentication.
Impact:
Localdb authentication may fail
Workaround:
There is no workaround at this time.
Fix:
Software has been upgraded to fix the race condition issue.
708068-4 : Tcl commands like "HTTP::path -normalize" do not return normalized path.
Component: Local Traffic Manager
Symptoms:
When using HTTP::path with the -normalize parameter:
"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)
Conditions:
An iRule uses HTTP::path -normalize on a path containing percent-encoded dot segments (such as /foo/%2E%2E/bar).
Impact:
The returned path still contains dot segments, so any comparison or access decision based on the 'normalized' path can be bypassed with percent-encoded dots.
Workaround:
There is no workaround.
Fix:
The TCL command HTTP::path -normalize now returns the normalized path.
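As an added example (not BIG-IP code and not the iRule implementation), the following Python models the behaviour HTTP::path -normalize is expected to have after this fix, and why the pre-fix output matters: a percent-encoded dot segment that survives normalization slips past any prefix or equality check made on the 'normalized' path. The function names, the hypothetical protected prefix '/admin/', and the model of the defect (dot-segment removal before percent-decoding, which reproduces the three outputs listed above) are assumptions of this example, not details taken from the page.

```python
import re

# Added example: RFC 3986 path normalization as a proxy should perform it.
# Not BIG-IP code; the function names and the pre-fix model are assumptions.

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def _decode_segment(segment: str) -> str:
    """Percent-decode one path segment, keeping %2F encoded.

    Decoding %2F would create a new '/' separator after the path has
    already been split, so it stays encoded; everything else, in
    particular %2E, is decoded.
    """
    def repl(match):
        octet = int(match.group(1), 16)
        return match.group(0) if octet == 0x2F else chr(octet)
    return _PCT.sub(repl, segment)


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 for an absolute path ('/' first)."""
    segments = path.split("/")[1:]
    out = []
    for index, seg in enumerate(segments):
        last = index == len(segments) - 1
        if seg == ".":
            if last:
                out.append("")      # '/a/.' -> '/a/'
            continue
        if seg == "..":
            if out:
                out.pop()           # '/a/b/..' -> '/a/'
            if last:
                out.append("")
            continue
        out.append(seg)
    return "/" + "/".join(out)


def normalize_path(path: str) -> str:
    """Expected post-fix behaviour: decode first, then remove dot segments."""
    if not path.startswith("/"):
        raise ValueError("absolute path expected")
    decoded = "/".join(_decode_segment(seg) for seg in path.split("/"))
    return remove_dot_segments(decoded)


def normalize_path_prefix_behaviour(path: str) -> str:
    """Model of the defect: dot segments removed before decoding, so an
    encoded '..' survives as a literal '..' (reproduces '/foo/%2E%2E/bar'
    -> '/foo/../bar'). Assumed mechanism, not taken from the page."""
    stripped = remove_dot_segments(path)
    return "/".join(_decode_segment(seg) for seg in stripped.split("/"))


ADMIN_PREFIX = "/admin/"   # hypothetical protected prefix for the demo


def is_protected(path: str, normalize=normalize_path) -> bool:
    """Prefix ACL evaluated on the normalized path. With the pre-fix
    normalization, '/static/%2E%2E/admin/users' is not recognised."""
    return normalize(path).startswith(ADMIN_PREFIX)


if __name__ == "__main__":
    probe = "/static/%2E%2E/admin/users"   # constructed request path
    print(normalize_path(probe), is_protected(probe))
    print(normalize_path_prefix_behaviour(probe),
          is_protected(probe, normalize_path_prefix_behaviour))
```

The decode-then-resolve order is the point: whatever component makes the access decision must normalize exactly as the origin server will, or an encoded '..' becomes a bypass. Keeping %2F encoded during decoding is the other half of that rule, since an encoded slash must not become a segment boundary.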
707643 : ASM Single page application causes JavaScript error when cross domain request is sent
Component: Application Security Manager
Symptoms:
JavaScript error is reported to the browser developer's console: 'Refused to get unsafe header X-Security-Action', 'Refused to get unsafe header 'X-Security-Token'
Conditions:
-- ASM provisioned.
-- Bot defense/DoS Application/ASM policy attached to a virtual server.
-- Single page application enabled.
Impact:
Cross domain requests might be not handled properly.
Workaround:
Disable single page application using one of the following workarounds:
-- Go to the bot defense profile in the GUI and disable single page application.
-- Run the following tmsh command:
tmsh modify security bot-defense profile all { single-page-application disabled }
-- Go to DoS application profile in the GUI and disable single page application.
-- Run the following tmsh command:
tmsh modify security dos profile all { application modify { all { single-page-application disabled } } }
-- To disable single page application for an ASM policy, run the following shell command:
/usr/share/ts/bin/add_del_internal del single_page_application
Fix:
Single page application now handles cross domain requests for configured domains only.
707581 : Enhance the GUI to handle large number of SSL profiles
Component: Local Traffic Manager
Symptoms:
It is hard to manage large numbers of SSL profiles through the GUI, and the GUI sometimes crashes due to memory issues as a result.
Conditions:
A large number of SSL profiles, certificates, and keys.
Impact:
It is hard to manage large numbers of SSL objects through the GUI, and the GUI sometimes crashes due to memory issues.
Workaround:
Use tmsh to manage large numbers of SSL objects.
Fix:
The GUI user experience is enhanced to ease the management of large numbers of SSL objects without crashes.
707490 : ePVA hardware acceleration/offloading needs flow prioritization
Component: TMOS
Symptoms:
The system does not provide a prioritization mechanism that supports application-level control of which flows utilize the limited FPGA resources. As a result, higher priority flows might often be processed in software because the ePVA resources are consumed with lower priority flows.
Conditions:
Using ePVA hardware for processing flows.
Impact:
Higher priority flows might often be processed in software rather than hardware, which might be preferred.
Workaround:
None.
Fix:
The system now provides a prioritization mechanism that supports application-level control of which flows utilize the limited FPGA resources.
707254 : If snmp disk-monitors minspace-type is percent then a 'load sys config default' fails
Component: TMOS
Symptoms:
The SNMP disk-monitors minspace-type default type is size. If you change it to percent, the 'load sys config default' command reports an error while loading the minspace value.
Conditions:
Loading default configuration when the disk-monitors minspace-type is percent.
Impact:
The 'load sys config default' fails.
Workaround:
First change the minspace-type to size and then issue the load defaults command.
Fix:
This bug has been fixed; the minspace-type size setting is included in the default configuration.
707013-1 : vCMP host secondary member's cluster.conf file may be replaced by that of a vCMP guest
Component: TMOS
Symptoms:
-- clusterd restarts on secondary blade.
-- Messages similar to the following are logged in each secondary blade's /var/log/ltm file as clusterd restarts:
Management IP (<guest_management_ip>) already in use by (vcmp guest <guest_name>)
-- Messages similar to the following are logged in the primary blade's /var/log/ltm file when clusterd restarts on a secondary blade:
notice clusterd[3676]: 013a0006:5: Hello from slot 1.
notice clusterd[3676]: 013a0006:5: Informing MCP about slot ID 1 member status.
notice clusterd[3676]: 013a0006:5: Goodbye from slot 1.
Conditions:
-- Power-cycling a blade reproduces the issue most of the time.
-- Possibly specific to platform:
+ This issue has been seen on multiple hardware platforms, including B2100, B2150, B2250, and PB300.
+ Issue does not reproduce under the same conditions on a VIPRION 4800.
Impact:
Secondary slot on VIPRION hypervisor is in 'INOPERATIVE' state.
Workaround:
On the vCMP host, copy the file /shared/db/cluster.conf from the primary to each secondary cluster member. For each secondary blade's slot, use a command similar to the following:
scp /shared/db/cluster.conf slot<slot number>:/shared/db/cluster.conf
Note: Implementing the workaround does not prevent the issue from recurring. An upgrade to an unaffected version is recommended.
706445 : Multiple manual incremental sync operations might cause race condition in ASMConfig
Component: Application Security Manager
Symptoms:
Numerous repeated sync recoveries by ASM after a manual incremental sync that contains many changes.
Conditions:
-- Delete/create many ASM policies.
-- Issue a manual incremental sync repeatedly.
Impact:
High availability configuration goes out of sync and into 'Changes Pending' shortly after a manual incremental sync operation.
Workaround:
Use manual full sync.
704450 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
Component: Local Traffic Manager
Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').
Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.
Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.
Workaround:
Reduce the load on the system.
Fix:
'bigd' no longer crashes, and runs with a complete configuration, when it is (re-)started while the BIG-IP system is under heavy load and 'mcpd' is delayed in configuring it.
703835 : When using SCP into BIG-IP systems, you must specify the target filename
Solution Article: K82814400
703593 : TMSH tab completion for adding profiles to virtual servers is not working as expected
Component: Local Traffic Manager
Symptoms:
TMSH tab completion for adding profiles to virtual servers does not work. The list of profiles is not displayed when tab is pressed.
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm virtual asdf profiles add {
Configuration Items:
[enter profile name]
Conditions:
List of profiles is not displayed when trying to add profiles during creation of a virtual server.
Impact:
List of available profiles is not displayed.
Workaround:
None.
Fix:
TMSH tab completion for adding profiles to virtual servers now shows the list of profiles.
703165-1 : shared memory leakage
Component: Advanced Firewall Manager
Symptoms:
Processes that require shared memory to operate are failing (e.g. pabnagd).
Conditions:
Many shmem segments allocated and used by tmm.
Impact:
Potential failures in any process that requires shared memory segments, causing lack of services such as learning (bd+pabnagd), request logging (pabnagd+asm-config), etc.
Workaround:
There is no workaround at this time.
702472 : Appliance Mode Security Hardening
Solution Article: K87659521
702469 : Appliance mode hardening in scp
Component: TMOS
Symptoms:
When running in Appliance mode scp permits greater access than is required for administration tasks.
Conditions:
Appliance mode licensed.
Impact:
Appliance mode does not restrict scp access as strictly as possible.
Workaround:
N/A.
Fix:
Appliance mode functionality of scp now applies stronger restrictions.
701232 : Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation
Component: Global Traffic Manager (DNS)
Symptoms:
Two GTM devices that have the same local IP address are not able to establish an iQuery connection, even when a translated address is configured.
Conditions:
This condition may occur if two GTM servers have the same self IP address on separate networks that are attempting to use address translation to establish a connection.
Impact:
When one or more GTM devices attempt to establish an iQuery connection to another device, it actually establishes a connection with itself instead of the other device.
Workaround:
To resolve the issue,
1. Configure the devices to have different self IP addresses.
2. Change the addresses and translated addresses of the corresponding GTM servers to match the new configuration using the following example command:
tmsh modify gtm server <server_name> addresses ...
Fix:
You can now mitigate this issue by setting a variable to the name of the configured device that matches the local machine using a command similar to the following example:
tmsh modify sys db gtm.selfdevicename value <device_name>
If those values match and the two GTM servers are configured with different data centers, then a proper connection between devices can be established using address translation.
699977 : CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX
Solution Article: K43570545
699515 : nsm cores during update of nexthop for ECMP recursive route
Component: TMOS
Symptoms:
The Network Services Module daemon (nsm) cores while processing updates for ECMP recursive route nexthop.
Conditions:
Dynamic routing enabled.
BGP peers provide ECMP routes with a recursive nexthop.
Impact:
Failures passing traffic using the dynamic routes.
Workaround:
There is no workaround.
Fix:
nsm is able to process ECMP route updates without problem.
698933 : Setting metric-type via ospf redistribute command may not work correctly
Component: TMOS
Symptoms:
When using a dynamic routing configuration, where an OSPF process redistributes routes setting a metric-type from another OSPF process the metric type is not changed.
Conditions:
Dynamic routing configuration with two or more OSPF processes redistributing routes using 'redistribute ospf <other process number> metric-type <type>'.
Impact:
Metric type is not changed.
Workaround:
Change metric-type using a route-map applied to the redistribute command.
Fix:
BIG-IP now correctly sets the metric-type on redistribution
698651-7 : CVE-2017-5715 (Spectre Variant 2)
Solution Article: K91229003
698376 : Non-admin users have limited bash commands and can only write to certain directories
Solution Article: K46524395
697991 : Source client information not available in DOS DNS Protocol event logs
Component: Advanced Firewall Manager
Symptoms:
In the Security > Event Logs > DoS > DNS Protocol GUI, client/source information is not available to view.
Conditions:
The source IP address and port can be used to filter logs and to set conditions based on these logs.
Impact:
You are not able to view the source/client IP address and port in the GUI, but it can be viewed from the CLI.
Fix:
Source information is now available in GUI.
697403 : iRule URI::encode command does not follow RFC3986 for hexadecimal digits used in percent-encoded octets
Component: Local Traffic Manager
Symptoms:
The iRule URI::encode command does not follow RFC 3986 for the hexadecimal digits used in percent-encoded octets: it always generates lowercase hexadecimal digits, so when the receiving system expects uppercase, the output of URI::encode does not work.
Conditions:
Using the iRule URI::encode command.
Impact:
When upper case is expected, the output of URI::encode does not work.
Workaround:
Use the Tcl 'string toupper' command to convert the output to uppercase. Note that this also uppercases the characters that were not encoded; if that is not acceptable, uppercase only the two hexadecimal digits that follow each '%'.
Fix:
The iRule URI::encode command now generates an RFC 3986-compliant value (uppercase hexadecimal digits).
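Added example, not BIG-IP code and not the URI::encode implementation: it produces the lowercase form the page describes, the RFC 3986 uppercase form, and shows why 'string toupper' applied to the whole output is the wrong tool (it also uppercases the literal characters) next to a version that uppercases only the two hex digits of each escape. The set of characters encoded here is the RFC 3986 unreserved set; the set URI::encode actually uses is not stated on the page and is an assumption.

```python
import re
from urllib.parse import unquote

# Added example, not BIG-IP code. URI::encode's own set of characters to
# encode is not stated on the page; this uses the RFC 3986 unreserved set.

_UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")


def percent_encode(value: str, upper: bool = True) -> str:
    """Percent-encode every UTF-8 byte of value that is not unreserved.

    upper=True is the RFC 3986 form ('%2F'); upper=False reproduces the
    lowercase output described for the unfixed URI::encode ('%2f').
    """
    fmt = "%{:02X}" if upper else "%{:02x}"
    return "".join(
        chr(b) if chr(b) in _UNRESERVED else fmt.format(b)
        for b in value.encode("utf-8")
    )


def upcase_escapes(encoded: str) -> str:
    """Safe form of the toupper workaround: uppercase only the two hex
    digits of each %XX escape; literal characters are left unchanged."""
    return _ESCAPE.sub(lambda m: "%" + m.group(1).upper(), encoded)


def naive_toupper(encoded: str) -> str:
    """'string toupper' on the whole output, as the workaround reads
    literally: the escapes become uppercase, but so does every literal
    character, which changes the value being sent."""
    return encoded.upper()


def decoded(encoded: str) -> str:
    """Both hex cases decode to the same string. The failure mode is a
    peer that compares the encoded form byte-for-byte (signature bases,
    canonical strings, cache keys), not a decoder."""
    return unquote(encoded)


if __name__ == "__main__":
    sample = "path/to a"          # constructed input
    print(percent_encode(sample, upper=False))   # lowercase, pre-fix form
    print(upcase_escapes(percent_encode(sample, upper=False)))
    print(naive_toupper(percent_encode(sample, upper=False)))
```

The regex-based fix-up is what to use when the output is fed to anything that signs or compares the encoded string; uppercasing the whole value is only safe for input that contains no letters outside the escapes.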
696382 : Max in-progress sessions per client IP does not work correctly with Redirect ending
Component: Access Policy Manager
Symptoms:
Once the 'Max In Progress Sessions Per Client IP' limit is reached, new sessions cannot be established even after manually deleting a few sessions.
Conditions:
-- APM is licensed and provisioned.
-- Per-session policy is created with Redirect ending agent.
-- 'Close session after redirect' setting is not checked in Redirect Ending agent.
Impact:
New sessions from client cannot be created after 'Max In Progress Sessions Per Client IP' limit is reached. End users may not be redirected to another internal or external URL.
Workaround:
If it's not required to keep the access session after redirecting to internal or external URL, check the 'Close session after redirect' setting in Redirect Ending agent of per-session policy.
Fix:
New sessions are created from same client after manually deleting the existing access sessions once 'Max In Progress Sessions Per Client IP' limit is reached.
695985 : Access HUD filter has URL length limit (4096 bytes)
Component: Access Policy Manager
Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.
Conditions:
Any URL with a request consisting of more than 4096 bytes.
Impact:
The URL cannot be processed, and client gets a RST.
Workaround:
None.
Fix:
In this release, the URL length limit increased to 8192 bytes.
695878 : Signature enforcement issue on specific requests
Component: Application Security Manager
Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.
Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.
-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).
Impact:
Attack signatures are not enforced on the payload of this request at all.
Workaround:
Turn on blocking for the 'Request exceeds max buffer size' violation.
Fix:
The operation now looks into part of the payload for the attack signatures enforcement.
690294 : New DIAMETER::persist keyword to set the timeout without changing key
Component: Service Provider
Symptoms:
Setting the DIAMETER persistence key's timeout using DIAMETER::persist <new_key> <new_timeout> disables bidirectional persistence.
Conditions:
Setting the DIAMETER persistence key's timeout using DIAMETER::persist <new_key> <new_timeout>.
Impact:
Disables bidirectional persistence. Persistence entry records only destination (not source) of the session.
Workaround:
None.
Fix:
New keyword, DIAMETER::persist timeout <new_timeout> allows changing the timeout without changing the key.
Behavior Change:
There is a new keyword, DIAMETER::persist timeout <new_timeout>, which supports changing the timeout without changing the key. Previously, if you changed the timeout, it disabled bidirectional persistence.
687887 : Unexpected result from multiple changes to a monitor-related object in a single transaction
Component: Local Traffic Manager
Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.
Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).
Impact:
The monitor-related object may be unchanged; or monitoring may stop for that object.
Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').
Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).
683135 : Hardware syncookies number for virtual server stats is unrealistically high
Component: TMOS
Symptoms:
In some situations 'tmsh show ltm virtual' shows unrealistically high hardware (HW) syncookie numbers.
These unrealistically high HW syncookie stats cause AFM DoS TCP synflood vector to have high numbers, and that can cause TCP synflood vector to drop packets in HW based on the configured rate-limit for that vector.
Conditions:
Virtual server with hardware syncookie protection enabled.
Impact:
Stats issue. Can have impact to traffic if AFM TCP Synflood vector is enabled in mitigation mode.
Workaround:
Disable the TCP Synflood vector in mitigate mode.
Since Syncookie is already providing protection, the TCP Synflood option should be enabled only in detect-only mode, if at all.
Fix:
Hardware syncookies number for virtual server now reports stats as expected.
680917 : Invalid monitor rule instance identifier
Component: TMOS
Symptoms:
iApp triggers an error while attempting to change server properties for pool members. The error reads "Invalid monitor rule instance identifier".
Conditions:
While changing the server properties associated with the pool members through iApp.
Impact:
You cannot change the server properties using iApp.
679735 : Multidomain SSO infinite redirects from session ID parameters
Component: Access Policy Manager
Symptoms:
If an application uses a URL parameter of 'sid', 'sess', or 'S', the APM can enter an infinite redirect loop.
In a packet capture, the policy completes on the auth virtual server. After policy completion, the client is redirected back to the resource virtual server. The resource virtual server cannot find the session, and redirects back to the auth virtual server. This begins the infinite loop of redirecting between resource and auth virtual servers.
Conditions:
Application with a URL parameter named 'sid', 'sess', or 'S' while using multidomain SSO.
Impact:
Applications that use 'sid', 'sess', or 'S' parameters cannot be fronted by an APM.
Workaround:
None.
Fix:
The system continues to look up the token parameter to find the session ID for the multidomain SSO configuration, even when the URI contains an S/sess/sid query parameter, which prevents the infinite redirects.
679431 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header
Component: TMOS
Symptoms:
In the BIG-IP Advanced Routing module, the 'sh ipv6 interface <interface> brief' command does not show the header.
Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.
Impact:
The header is not shown.
Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief
Fix:
The Advanced Routing module 'sh ipv6 interface <interface> brief' command now shows the header.
674256-1 : False positive cookie hijacking violation
Solution Article: K60745057
Component: Application Security Manager
Symptoms:
A false positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the configured one.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
Cookie hijacking violation when the device ID feature is turned off is almost never relevant, as it should be able to detect only cases where some of the TS cookies were taken. The suggestion is to turn off this violation.
673842 : vCMP does not follow best security practices
Component: TMOS
Symptoms:
Under certain conditions, vCMP may generate internal configuration data that does not comply with best security practices.
Conditions:
vCMP platform
Impact:
vCMP does not comply with best security practices.
Workaround:
None.
Fix:
vCMP now complies with best security practices.
673018 : Parsed text violates expected format error encountered while upgrading or loading UCS★
Component: TMOS
Symptoms:
During a configuration roll-forward on an upgrade, the UCS load fails and reports the following error:
Parsed text violates expected format.
Conditions:
This can occur under the following conditions:
-- When loading a configuration that contains iFiles.
-- During an upgrade process, when the source-path for an iFile contains a URL with a space or other invalid URL character in it, for example: http://myfiles.com/get this file.txt.
Impact:
Configuration fails to load, and the system reports the following error: Parsed text violates expected format.
Workaround:
You can use either of the following workarounds:
-- Modify the URL to the iFile to remove any spaces, and then reload the configuration.
-- Use the HTTP specification for specifying spaces (and other characters) in URLs. For example, represent a space using the string %20 in the URL: http://myfiles.com/get%20this%20file.txt.
671458 : RAM Cache uses HTTP/1.0
Component: Local Traffic Manager
Symptoms:
The web-acceleration profile rewrites some requests to HTTP/1.0.
Conditions:
A web-acceleration profile is assigned to a virtual server, and the response is to be cached, or will be used to update the cache.
Impact:
Some responses are not cached.
Fix:
The web-acceleration profile will use version HTTP/1.1 for more requests to the server, allowing for more efficient use of Keep-Alive.
671214 : CAPTCHA requests are not logged
Component: Application Security Manager
Symptoms:
A CAPTCHA challenge is not logged in the ASM request logs.
Conditions:
-- A CAPTCHA challenge is made to an ASM end user client system.
-- View the ASM request logs.
Impact:
Cannot locate the request that triggers the captcha.
Workaround:
None.
Fix:
ASM logs the captcha request.
670994 : There is no validation for IP address on the ip-address-list for static subscriber
Component: Policy Enforcement Manager
Symptoms:
You can add an IP address with a subnet mask for a static subscriber, and the system creates the subscriber by discarding the subnet mask without any error message.
Conditions:
This occurs when you add an IP address with a subnet mask to the ip-address-list for a static subscriber.
Impact:
An invalid IP address is added without warning or error.
Fix:
The system now validates IP addresses added to the static subscriber ip-address-list and reports an appropriate error message for an invalid address.
670833 : window.fetch() should be supported
Component: Access Policy Manager
Symptoms:
Some URLs are not rewritten.
Conditions:
Web applications that use the window.fetch() function.
Impact:
The web application malfunctions.
Workaround:
A custom iRule can be used to work around this issue; no general iRule exists.
668041 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★
Solution Article: K27535157
Component: TMOS
Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.
Conditions:
-- iRule contains commented line that ends with a backslash.
-- The config also contains a policy.
For example, an iRule similar to the first example, and a policy similar to the second:
ltm rule /Common/log_info {
    when HTTP_RESPONSE {
        #log local0. "Original Location header value: [HTTP::header value Location],\
        updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
    }
}
...
ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}
Impact:
Config load fails.
Workaround:
You can use any of the following workarounds:
-- Delete the line of code with the comment.
-- Put the entire comment on one line of code.
-- Divide lengthy comments into a series of smaller ones, so that each comment fits within one line of code.
-- Move the iRule so that it is sequentially before the LTM policy in the config file.
Fix:
Config load no longer fails when an iRule comment ends with backslash in a config where there is also a policy.
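As an added example (not F5 code and not part of this release note), the following Python script is a pre-load check for the condition described above: it scans a bigip.conf-style text for iRule comment lines ending in an unescaped backslash (which Tcl treats as a line continuation, so the next line is still part of the comment), reports whether an LTM policy is also present, and applies the "one comment per line" workaround. The sample config, object names and line numbers are constructed from the example in this entry.

```python
"""Pre-load check for the iRule comment/backslash condition (issue 668041).

Added example, not F5 code. Scans a bigip.conf-style text for iRule comment
lines that end in an unescaped backslash, reports whether an LTM policy is
also present, and rewrites such comments so that each physical line is its
own '#' comment (the release note's third workaround).
"""
import re

# bigip.conf opens a top-level object as 'ltm <type> <name> {' and closes it
# with '}' in column 0; only rules and policies matter for this check.
TOP_LEVEL_RE = re.compile(r"^(ltm (?:rule|policy)) (\S+) \{\s*$")

# Constructed sample: the release note's rule and policy, plus a clean rule
# whose comment ends in an even number of backslashes (not a continuation).
CONFIG_SAMPLE = r"""ltm rule /Common/log_info {
    when HTTP_RESPONSE {
        #log local0. "Original Location header value: [HTTP::header value Location],\
        updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
    }
}
ltm rule /Common/clean_rule {
    when HTTP_REQUEST {
        # UNC share path \\server\share\\
        HTTP::header remove X-Debug
    }
}
ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    strategy /Common/first-match
}
"""


def ends_with_continuation(line):
    """True if the line ends in an odd number of backslashes, i.e. Tcl will
    join the next physical line onto this one."""
    body = line.rstrip()
    trailing = len(body) - len(body.rstrip("\\"))
    return trailing % 2 == 1


def iter_top_level_objects(config_text):
    """Yield (kind, name, start_line, lines) for every ltm rule/policy."""
    kind = name = None
    start, buf = 0, []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if kind is None:
            m = TOP_LEVEL_RE.match(line)
            if m:
                kind, name, start, buf = m.group(1), m.group(2), lineno, [line]
        else:
            buf.append(line)
            if line == "}":
                yield kind, name, start, buf
                kind = name = None


def find_continued_comments(config_text):
    """Return (rule_name, line_number, text) for each offending comment."""
    findings = []
    for kind, name, start, lines in iter_top_level_objects(config_text):
        if kind != "ltm rule":
            continue
        for offset, line in enumerate(lines):
            if line.lstrip().startswith("#") and ends_with_continuation(line):
                findings.append((name, start + offset, line.strip()))
    return findings


def has_ltm_policy(config_text):
    return any(k == "ltm policy" for k, *_ in iter_top_level_objects(config_text))


def check_config(config_text):
    """The load failure needs both a continued comment and a policy."""
    findings = find_continued_comments(config_text)
    policies = [n for k, n, *_ in iter_top_level_objects(config_text)
                if k == "ltm policy"]
    return {"findings": findings, "policies": policies,
            "affected": bool(findings and policies)}


def rewrite_continued_comments(config_text):
    """Inside ltm rule objects, drop the trailing backslash and turn each
    continued line into its own '#' comment. Other text is copied as-is."""
    out, in_rule, in_comment, indent = [], False, False, ""
    for line in config_text.splitlines():
        if not in_rule:
            m = TOP_LEVEL_RE.match(line)
            in_rule = bool(m and m.group(1) == "ltm rule")
            out.append(line)
            continue
        if line == "}":
            in_rule = in_comment = False
            out.append(line)
            continue
        stripped = line.strip()
        if in_comment:
            # Tcl still treats this physical line as comment text.
            cont = ends_with_continuation(stripped)
            body = stripped[:-1].rstrip() if cont else stripped
            out.append(f"{indent}# {body}")
            in_comment = cont
        elif stripped.startswith("#") and ends_with_continuation(stripped):
            indent = line[: len(line) - len(line.lstrip())]
            out.append(line.rstrip()[:-1].rstrip())
            in_comment = True
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = check_config(CONFIG_SAMPLE)
    for name, lineno, text in report["findings"]:
        print(f"{name}: line {lineno}: {text}")
    print("policies present:", report["policies"])
    print("affected by 668041:", report["affected"])
    if report["affected"]:
        print(rewrite_continued_comments(CONFIG_SAMPLE))
```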
665016 : tmsh show ltm virtual <vs-name> policies does not display policy-stats
Component: TMOS
Symptoms:
You are not able to view the policy stats when executing the tmsh show ltm virtual policy command.
Conditions:
Executing the following command from the CLI:
tmsh show ltm virtual <vs-name> policies
Impact:
Policy stats are not displayed.
Workaround:
No workaround.
Fix:
tmsh show ltm virtual <vs-name> policies now displays policy stats.
664449 : PPP MRU calculation for TLS network access tunnels
Component: Access Policy Manager
Symptoms:
PPP MRU calculation is not accurate for TLS Network Access tunnels.
Conditions:
TLS-based Network Access tunnels.
Impact:
Network packet fragmentation might occur, which might impact Network Access tunnel performance.
Workaround:
None.
Fix:
PPP MRU calculation is accurate, so this issue no longer occurs.
663819 : APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue)
Component: Access Policy Manager
Symptoms:
Microsoft recently released security bulletin MS17-010 (https://technet.microsoft.com/library/security/MS17-010). This bulletin announces a recommended software patch to fix multiple vulnerabilities in SMBv1. It suggests an alternate workaround to disable SMBv1. When this workaround is followed, NTLM Authentication does not work in the following APM configurations:
-- APM RDP Gateway and NTLM Auth.
-- APM Exchange (Outlook Anywhere/ActiveSync) and NTLM Auth.
-- SWG Explicit and NTLM Auth.
Conditions:
-- SMBv1 is disabled as described in the Microsoft workaround in MS17-010.
-- Together with one or more of the following APM/SWG configurations, which can be configured to use NTLM Authentication:
+ APM RDP Gateway and NTLM Auth.
+ APM Exchange (Outlook Anywhere/ActiveSync) and NTLM Auth.
+ SWG Explicit and NTLM Auth.
Impact:
Authentication for connecting clients fails.
Workaround:
Do one of the following:
-- Do not follow the Microsoft workaround to disable SMBv1; instead install the recommended security patch.
-- For Exchange: Reconfigure Exchange CAS pool to use Kerberos Constrained Delegation SSO rather than NTLM. This will ensure that NTLM Passthrough is not used.
-- For RDP Proxy: Instead of RDP Proxy, use the Native RDP resource mode in BIG-IP APM v13.0.0 and later.
-- For SWG Explicit: Reconfigure to use Kerberos Authentication.
660913 : For ActiveSync client type, browscap info provided is incorrect.★
Component: Access Policy Manager
Symptoms:
Clients using Microsoft ActiveSync are failing access policy evaluation.
Conditions:
-- This occurs with clients using Microsoft ActiveSync.
-- It can be encountered on upgrade if you are upgrading to version 12.1.2 - 14.1.0 from an earlier version.
Impact:
Clients using ActiveSync cannot authenticate.
Workaround:
None.
Fix:
Session variable session.client.browscap_info is now set correctly.
660759 : Cookie hash persistence sends alerts to application server.
Component: Fraud Protection Services
Symptoms:
When Persistence cookie insert is enabled with a non-default cookie name, the cookie might be overwritten after an alert is handled.
Conditions:
-- A persistence profile is assigned to the virtual server.
-- Profile relies on cookie hash persistence.
-- Non-default Cookie name used for cookie persistence.
(Default cookie naming strategy appends Pool Name, which results in two cookies set with different names and different values, leaving the application pool persistence cookie unmodified.)
Impact:
Sends alerts to application server. Traffic might be sent to wrong pool member.
Workaround:
Use an iRule similar to the following to remove persistence cookie in case of alerts:
ltm rule /Common/cookie_persist_exclude_alerts {
    when HTTP_REQUEST {
        # Disable persistence for the alert path only, so alert handling cannot
        # overwrite the persistence cookie set by the usual persistence profile.
        if { [HTTP::path] eq "/<alert-path>/" } {
            persist none
        }
    }
}
657834 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
Solution Article: K45005512
Component: TMOS
Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.
Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.
Note: The greater the number of routes flapping, the more likely to see the condition.
Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.
However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.
Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.
653573-7 : ADMd not cleaning up child rsync processes
Component: Anomaly Detection Services
Symptoms:
The ADMd daemon on the device spins up rsync processes and does not clean them up properly, leaving many zombie processes.
Conditions:
An rsync child process terminates via exit (for example, when it encounters a problem).
Impact:
No technical impact, but there are many zombie processes.
Workaround:
Restart admd (bigstart restart admd) to remove all existing rsync zombies.
Fix:
admd now handles the SIGCHLD signal from rsync child processes (including those that exit because of a problem), so they are reaped instead of being left as zombies.
652502 : snmpd returns 'No Such Object available' for ltm OIDs
Component: TMOS
Symptoms:
When the BIG-IP starts with an expired license, SNMP queries for ltm-related OIDs return 'No Such Object available on this agent at this OID'.
Even if you re-activate the license or install a new one, snmpd is not notified of the change in license and still returns 'No Such Object available on this agent at this OID' until the snmpd process is restarted.
Conditions:
The BIG-IP starts with an expired license, which is reactivated later.
Impact:
SNMP queries to ltm OIDs such as ltmRst and ltmVirtual do not return any data.
Workaround:
Restarting snmpd (bigstart restart snmpd) after the license is re-activated or a new one is installed resolves the issue.
648270 : mcpd can crash if viewing a fast-growing log file through the GUI
Component: TMOS
Symptoms:
If the GUI tries to display a log file that is actively growing by thousands of log entries per second, the GUI might hang, and mcpd could run out of memory and crash.
Conditions:
The GUI tries to display a log file that is actively growing by thousands of log entries per second.
Impact:
mcpd crashes, and it and tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Do not use the GUI to view a log file that is growing by thousands of log entries per second.
643935 : Rewriting may cause an infinite loop while processing some objects
Component: Access Policy Manager
Symptoms:
Browser might become unresponsive when the end user client attempts to access a page containing specific script constructions through Portal Access.
Conditions:
The client application code contains an object that includes a toString() method and property names similar to ones from the JavaScript builtin Location interface.
Impact:
Browser becomes unresponsive when accessing the page through Portal Access.
Workaround:
None.
Fix:
None.
641450-3 : A transaction that deletes and recreates a virtual may result in an invalid configuration
Solution Article: K30053855
Component: TMOS
Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.
Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.
Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>
Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).
Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.
Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
1. Delete virtual server.
2. Create virtual server (with an empty profile list).
3. Modify the virtual server's profile list.
639619 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems★
Component: TMOS
Symptoms:
The following error is logged to /var/log/ltm when attempting to load a UCS:
'Symmetric Unit Key decrypt failure - decrypt failure'
The configuration then fails to load because of a secure attribute decryption failure.
Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)
Impact:
The configuration fails to load.
Workaround:
Perform the following procedure:
1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS.
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS.
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info
5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot
Fix:
The system now always reloads the .unitkey from storage when loading other keys, so the UCS loads as expected.
632246 : Configuring pvasyncookies db variable does not persist over reboots or to non-primary blades.
Component: Advanced Firewall Manager
Symptoms:
pvasyncookies db variable does not disable/enable HW syn-cookies on secondary blades, and does not persist across MCPD restart/reboot.
Conditions:
Non-default setting for the pvasyncookies db variable.
Impact:
Setting does not persist across MCPD restart/reboot.
Workaround:
None.
626786 : Provide a means to prevent QKView files from being uploaded to iHealth
Component: TMOS
Symptoms:
There is no way to prevent QKView files from being uploaded to iHealth unintentionally.
Conditions:
Running the qkview utility.
Impact:
QKView file might unintentionally be uploaded to iHealth.
Workaround:
None.
Fix:
The qkview utility now supports a -i command line argument, which embeds a tag into the QKView file that instructs iHealth to ignore any QKView file containing that tag.
Behavior Change:
The qkview utility has a new -i argument that prevents unintentional upload of QKView files to iHealth.
This argument can be configured to be persistent through the tmsh diagnostics setting: no-ihealth. For example:
tmsh modify sys diagnostics ihealth no-ihealth true
By default, this value is false.
This causes the GUI to present options only for creating QKViews, and not for uploading to iHealth.
When this config setting ('no-ihealth') is enabled, the qkview operation adds metadata to QKView files that prevents the files from being uploaded to iHealth.
621260-1 : mcpd core on iControl REST reference to non-existing pool
Component: TMOS
Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:
curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'
Conditions:
The monitor reference in the REST call consists of a single space character.
Impact:
MCPd restarts, causing many of the system daemons to restart as well.
Workaround:
Don't use spaces in the monitor reference name.
620301 : Policy import fails due to missing signature System in associated Signature Set
Component: Application Security Manager
Symptoms:
ASM policy import fails due to a missing System, used in an associated Signature Set.
Conditions:
ASM policy is imported using an export file from a device with a more recent ASM Signature Update.
Impact:
The ASM policy import fails.
Workaround:
Update the ASM Signature on the target device before importing the policy.
603124 : [FW FQDN] RFE to address lower minimum allowed refresh interval (than current min of 10 mins)
Component: Advanced Firewall Manager
Symptoms:
The firewall FQDN feature allowed the periodic refresh interval to be no less than 10 minutes. However, there are use cases where the FQDN -> IP mappings change more frequently than every 10 minutes.
This causes a mismatch between the actual FQDN -> IP mappings and the mappings AFM/Firewall has learned.
Conditions:
Firewall rules have been configured with FQDNs as one of the match dimensions (either source or destination or both).
The AFM DNS resolver refresh interval is set to its lowest allowed value of 10 minutes, but the FQDN -> IP mappings change more frequently than every 10 minutes.
Impact:
This causes a mismatch between the actual FQDN -> IP mappings and the mappings AFM/Firewall has learned/cached.
Workaround:
None
Fix:
Firewall (AFM) now allows the minimum refresh interval for AFM DNS resolver to be set to as low as 5 seconds (and default is changed to 60 seconds).
600985 : Network access tunnel data stalls
Component: Access Policy Manager
Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.
Conditions:
The cause of this issue is not yet known.
Impact:
Data stalls on the tunnel, so no applications can be accessed. However, Edge Client shows the VPN tunnel as 'Connected'.
Workaround:
Manually re-establish the tunnel.
599567-1 : APM assumes SNAT automap, does not use SNAT pool
Component: Local Traffic Manager
Symptoms:
When a virtual server configured to use a SNAT pool is also associated with APM (for example, when configured as a RDP gateway), the SNAT pool setting is not honored.
A SNAT configuration of 'None' also does not work; the system always behaves as if Automap were configured.
Conditions:
-- SNAT pool configured.
-- APM configured (one example is deploying the Horizon View iApp for APM).
Impact:
The VLAN Self IP address is used instead of the SNAT pool addresses.
Workaround:
First, follow the configuration details in K03113285: Overview of BIG-IP APM layered virtual servers :: https://support.f5.com/csp/article/K03113285, to ensure everything is configured properly.
Then ensure that the appropriate SNAT pool is set on the new layered forwarding virtual server.
Note: This workaround does not work when using a pool of VMware vCenter Server (VCS) as configured by default with the iApp.
Fix:
The system now honors the virtual server SNAT configuration.
581921 : Required files under /etc/ssh are not moved during a UCS restore
Solution Article: K22327083
Component: TMOS
Symptoms:
The SSH files required for SSH sign on are not transferred when performing a UCS restore operation. Further, files are not transferred even during upgrade.
Conditions:
This can happen when performing a UCS restore operation, or when upgrading from one version to the next.
Impact:
This might impact SSH operations.
Workaround:
Add the /etc/ssh directory to the UCS backup configuration, so that all subsequent UCS backup and restore operations include the /etc/ssh/ directory.
To complete this procedure, refer to K4422: Viewing and modifying the files that are configured for inclusion in a UCS archive :: https://support.f5.com/csp/article/K4422.
Fix:
The correct folder is now present when performing a UCS restore operation, so that all of the files required for the operation of SSH are transferred.
571409 : Step-up auth with APM native Email OTP and SMS OTP
Component: Access Policy Manager
Symptoms:
APM now has support for step-up auth with APM native Email OTP and SMS OTP. The HTTP Auth agent can now be attached to a step-up policy.
Conditions:
N/A - this describes an improvement.
Impact:
N/A - this describes an improvement.
Workaround:
None.
Fix:
None.
555465 : Extremely large number of SessionDB entries may cause HA flapping
Component: TMOS
Symptoms:
With enough SessionDB entries and a small enough high availability (HA) connection, the HA channel can become oversaturated.
Conditions:
-- Very large number of SessionDB entries.
-- Small/inefficient HA channel.
Impact:
Mirroring and other HA-related TMM usage might be disrupted.
Workaround:
If this condition is occurring, the HA channel is continually being reset and then overflowing again when the SessionDB table is synced.
You can mitigate by temporarily disabling session mirroring:
1. Disable session mirroring:
tmsh modify sys db statemirror.mirrorsessions value disable
2. Wait a minute for HA connections to stabilize.
3. Sync the config changes.
4. Reboot the standby device.
5. Re-enable session mirroring:
tmsh modify sys db statemirror.mirrorsessions value enable
Fix:
Added a new variable 'tmm.sessiondb.ha_mps_limit' to throttle the number of messages that SessionDB sends from the Active to Next Active after an HA state change.
Note: Messages from CRUD operations are not throttled.
The initial value is 0 for 'no throttling.' If set to a non-zero value N, SessionDB will ensure that, at most, N messages are sent per second. However, if the database is significantly larger than the configured limit, it will take more than 8 seconds to complete the sync.
Example usage; to configure at most 1000 messages per second:
tmsh modify sys db tmm.sessiondb.ha_mps_limit value 1000
534187 : Passphrase protected signing keys are not supported by SAML IDP/SP
Component: Access Policy Manager
Symptoms:
Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys.
Conditions:
Private key used to perform digital signing operations is passphrase protected.
Impact:
SAML protocol will not function properly due to inability to sign messages.
Workaround:
To work around the problem, remove the passphrase from the signing key.
533461 : Core file may be overwritten.
Component: Local Traffic Manager
Symptoms:
A core file might be overwritten, removing information needed to determine an RCA for the initial event.
Conditions:
-- A tmm, bigd, or mcpd core file exists.
-- A process occurs that results in a new core file being generated.
Impact:
The previously created core file is overwritten. Unable to provide F5 with a useful core for RCA.
Workaround:
None.
Fix:
You can now use a new tmsh command under 'sys core' to configure the BIG-IP system not to overwrite existing tmm, bigd, or mcpd core files, and instead either create multiple core files or skip creation of the new core file.
522241 : Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete
Component: Local Traffic Manager
Symptoms:
After running the tmsh command "show ltm dns cache records <key|msg|nameserver|rrset> cache <name> count-only" you may experience the following symptoms:
- One of the TMM instances on the system climbs to 100% CPU utilization for a prolonged amount of time.
- The odd-numbered hyperthread (i.e. 1) corresponding to the even-numbered hyperthread (i.e. 0) where the busy TMM instance is running is partially halted by the HT-Split feature (this will be observable in utilities such as "top" and by the presence of "Idle enforce starting" log messages in the /var/log/kern.log file).
- After waiting for a very long time, the tmsh command may not actually return and display a record count.
- The tmsh command does not respond to CTRL+C and continues running.
Conditions:
A DNS cache contains a large number of records and the BIG-IP Administrator runs the following tmsh command to determine the exact record count:
"show ltm dns cache records <key|msg|nameserver|rrset> cache <name> count-only"
Impact:
Due to the high CPU utilization, traffic handling is impaired. Control-plane processes can also become affected, leading to different issues (this depends on the size and load of the BIG-IP system). For example, the lacpd process can become descheduled causing trunks to flap.
Workaround:
Do not run the specified tmsh command.
If you have run the specified tmsh command, it has not returned after a very long time, and you want to restore normal system operation, perform the following steps:
1) Press CTRL+Z to background execution of the command.
2) Enter the "killall -9 tmsh" command (if you have multiple tmsh commands running and only want to kill the affected one, you will have to identify the correct tmsh process using utilities such as ps and top).
If your login shell is tmsh and not bash, simply close your SSH session to the BIG-IP system (as you won't be able to perform the aforementioned steps).
511600 : DTLS does not support PFS ciphers
Component: Local Traffic Manager
Symptoms:
DTLS does not support PFS ciphers such as ECDHE-RSA-* ciphers.
Conditions:
Use of DTLS.
Impact:
Creates a situation where only non-forward secure ciphers are used for DTLS. If a non-forward secure cipher is used and if an encryption key is compromised, then previously-recorded encrypted traffic can be decrypted.
Workaround:
None.
Fix:
Added support for two PFS ciphers:
* ECDHE-RSA-AES128-CBC-SHA
* ECDHE-RSA-AES256-CBC-SHA
Behavior Change:
Added support for two PFS ciphers:
* ECDHE-RSA-AES128-CBC-SHA
* ECDHE-RSA-AES256-CBC-SHA
These will now be negotiated by default depending on cipher set up in the SSL profile.
504522 : Trailing space present after 'tmsh ltm pool members monitor' attribute value
Component: Local Traffic Manager
Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.
Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.
Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).
Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.
Fix:
Values returned from the tmsh command 'ltm pool pool members monitor' no longer have a trailing space.
488323 : Chassis fan status alert not observed on BIG-IP 2000/4000/5000/7000/10000/12000/VPR-B4300/VPR-B2100/VPR-B4450N
Component: TMOS
Symptoms:
Chassis fan status alert not observed in system_check logs or as SNMP trap. One can only observe sensor alerts about the fan sensor values being outside the threshold limits on the console, logs and LCD.
Conditions:
When there is a hardware issue with the chassis fans.
Impact:
Malfunctioning chassis fans can affect the cooling of the system. If the temperature within the system goes beyond the threshold, the system shuts itself down to prevent hardware damage.
Workaround:
There is no workaround.
Fix:
The system now reports explicit alerts about a bad/defective chassis fan on the console, in the logs, and on the LCD.
484683-1 : Certificate_summary is not created at peer when the chain certificate is synced to HA peer.
Component: TMOS
Symptoms:
After a config-sync, the other peer of a high-availability (HA) pair cannot display the certificate chain summary with 'tmsh run sys crypto check-cert verbose enabled'.
Conditions:
Conditions leading to this issue include:
1. On the command line or in the GUI, set up an HA pair.
2. Import Certificate chain to one BIG-IP system.
3. 'run config-sync' to sync the Certificate chain to the peer BIG-IP system.
Impact:
After a ConfigSync operation, the certificate chain summary is not created on other HA peers.
Workaround:
Copy the cert-chain file to a place (such as /shared/tmp/), and update the cert-chain using a command similar to the following:
modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_58761_1
478924 : LTM Policy supports fallback pool
Component: Local Traffic Manager
Symptoms:
The new 'fallback-pool' is an extension to the 'pool' forwarding action. If for some reason the primary pool within that action is not available, traffic will be forwarded to the fallback pool. Previously if the pool was not available, the connection would get reset. This new parameter makes LTM Policy forwarding to a pool more resilient to failures of the primary pool.
Conditions:
-- Select a forwarding action of 'pool', specifying the pool name.
-- For that forward-to-pool action, specify a fallback pool.
Note: The fallback pool must be different from the primary pool.
Impact:
This is new functionality.
Workaround:
N/A
Fix:
LTM Policy now supports fallback pool.
Behavior Change:
- With this change, you can select 'fallback-pool' along with the primary 'pool' in an LTM policy.
- If the primary pool in the forward action is unavailable, the LTM policy forwards traffic to the fallback pool.
- Sample usage:
ltm policy Drafts/mypolicy {
    controls { forwarding }
    last-modified 2018-05-21:11:31:27
    requires { http }
    rules {
        1 {
            actions {
                1 {
                    forward
                    select
                    fallback-pool fallback_pool
                    pool http_pool
                }
            }
        }
    }
    status draft
}
- 'fallback-pool' is an extension of the 'pool' parameter in the same action; the LTM policy forwards traffic to it only if the primary 'pool' within that action is not available.
- You must specify 'pool' along with 'fallback-pool', and the two cannot name the same pool.
473787-1 : System might fail to unchunk server response when compression is enabled
Component: Local Traffic Manager
Symptoms:
If a BIG-IP virtual server is configured with a compression profile and either an NTLM profile or an APM access policy, then when a pool member sends a chunked, uncompressed HTTP response (Transfer-Encoding: chunked) and the BIG-IP system compresses the payload, it does so without unchunking it first.
This results in the BIG-IP system sending the client a malformed response that contains chunked encoding markers inside the compressed content.
Conditions:
This issue occurs when the following conditions are met:
-- The NTLM and OneConnect profiles are applied to a virtual server. This can also be triggered when replacing the NTLM profile with an APM access policy configuration on the virtual server.
-- HTTP compression is enabled on the virtual server.
Impact:
HTTP responses to the client are malformed. When decompressed, the HTTP response payload incorrectly contains HTTP chunked encoding markers.
Workaround:
To work around this issue, you can either modify the type of response chunking or disable compression. For information on how to do so, see K14030: The BIG-IP system may fail to unchunk server responses when compression is enabled, available here: https://support.f5.com/csp/article/K14030.
Fix:
This release properly manages chunking and unchunking when compression is configured, so this issue no longer occurs.
464934 : Tcpdump enhancement for better SSL/TLS data analysis
Component: TMOS
Symptoms:
tcpdump has no functionality to help analyze issues in encrypted data, such as problems during encrypted TLS 1.3 handshakes or in the encrypted SSL/TLS payload of TLS 1.3, TLS 1.2 and earlier connections.
Conditions:
When there is a need to look at the encrypted traffic in an SSL/TLS connection or when there is a need to debug the encrypted handshake of TLS 1.3.
Impact:
There is no way to debug and analyze the encrypted handshake and encrypted data of SSL/TLS connections.
Workaround:
You can use the OpenSSL keylogfile option to gather the same information needed to decrypt. This has to be done separately from the tcpdump capture.
Fix:
In this release, there is a '--f5 ssl' option which, along with setting the db variable 'tcpdump.sslprovider' to 'enable', supports capture of the information needed to decrypt the encrypted handshake and data.
Behavior Change:
tcpdump has a new option: '--f5 ssl'. When the db variable 'tcpdump.sslprovider' is set to 'enable', the tcpdump operation captures the information needed to decrypt the encrypted handshake and data.
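The workaround above relies on an OpenSSL key log, and the material the new tcpdump option captures serves the same purpose: secrets tied to a TLS session so that a capture can be decrypted. The following is an added example, not F5 code and not part of the release notes, that parses the NSS key log format written by OpenSSL's keylog callback and by SSLKEYLOGFILE-aware clients, validates each entry, and indexes it by the ClientHello random so it can be matched to a session in a capture. The label set and the sample lines are this example's own; the hex values are constructed dummies.

```python
"""Added example (not F5 code): parse and validate an NSS-format TLS key log."""
from collections import defaultdict

# Labels used by the NSS key log format as this example understands them.
# TLS 1.2 and earlier log CLIENT_RANDOM with the 48-byte master secret.
# TLS 1.3 logs one secret per key-schedule stage; the two
# *_HANDSHAKE_TRAFFIC_SECRET entries are what a decoder needs to read the
# encrypted part of a TLS 1.3 handshake.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
KNOWN_LABELS = TLS12_LABELS | TLS13_LABELS


def _is_hex(s: str) -> bool:
    try:
        bytes.fromhex(s)
        return True
    except ValueError:
        return False


def parse_keylog(text: str):
    """Return ({client_random_hex: {label: secret_hex}}, [(lineno, reason)]).
    Malformed entries are reported rather than kept, because a decoder fed
    the file later would otherwise fail on them."""
    entries = defaultdict(dict)
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            rejected.append((lineno, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if label not in KNOWN_LABELS:
            rejected.append((lineno, f"unknown label {label}"))
            continue
        if len(client_random) != 64 or not _is_hex(client_random):
            rejected.append((lineno, "client random must be 32 bytes of hex"))
            continue
        if len(secret) % 2 or not _is_hex(secret):
            rejected.append((lineno, "secret is not hex"))
            continue
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            rejected.append((lineno, "master secret must be 48 bytes"))
            continue
        entries[client_random.lower()][label] = secret.lower()
    return dict(entries), rejected


def can_decrypt_handshake(entries, client_random_hex: str) -> bool:
    """True if the log holds enough material for the session whose
    ClientHello carried this random: the master secret for TLS 1.2, or both
    handshake traffic secrets for TLS 1.3."""
    labels = entries.get(client_random_hex.lower(), {})
    return "CLIENT_RANDOM" in labels or (
        "CLIENT_HANDSHAKE_TRAFFIC_SECRET" in labels
        and "SERVER_HANDSHAKE_TRAFFIC_SECRET" in labels)


# Constructed sample; the hex values are dummies, not real key material.
SAMPLE_KEYLOG = f"""\
# constructed sample
CLIENT_RANDOM {'11' * 32} {'22' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'44' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'55' * 32}
CLIENT_TRAFFIC_SECRET_0 {'33' * 32} {'66' * 32}
CLIENT_RANDOM abcd {'22' * 48}
BOGUS_LABEL {'77' * 32} {'88' * 32}
"""

if __name__ == "__main__":
    found, bad = parse_keylog(SAMPLE_KEYLOG)
    for rnd, labels in found.items():
        print(rnd[:16], sorted(labels), can_decrypt_handshake(found, rnd))
    print("rejected:", bad)
```

The point of keying by client random is that it is the one value visible in cleartext in every capture (it is in the ClientHello), so it is the join key between a key log and a pcap regardless of TLS version.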
426963 : Delay in SWG forwarding with an Expect: 100-continue
Solution Article: K15164
Component: Access Policy Manager
Symptoms:
When the client sends an HTTP POST with an "Expect: 100-continue", APM will fail to forward it to the backend server. The client will wait about 3 seconds to timeout before sending the actual data of the POST request.
Conditions:
This occurs when the APM is deployed in SWG explicit mode.
Impact:
The client will not receive a 100-continue. Usually, it waits for about 3 seconds and then forwards the data anyway.
Workaround:
The following iRule appears to resolve the issue.
when HTTP_REQUEST {
    if {([HTTP::method] eq "POST") && [HTTP::header exists "Expect"] } {
        HTTP::header remove "Expect"
        SSL::respond "HTTP/1.1 100 Continue\r\n\r\n"
    }
}
Fix:
SWG explicit mode now responds with 100 Continue so that the POST data is processed immediately.
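The exchange the iRule above short-circuits, written out as an added example that is not F5 code and not the iRule itself: a pure function over the request head that decides whether an explicit proxy should send the interim 100 response before the client's body arrives, and what it forwards upstream. It follows the iRule's approach of removing the Expect header before forwarding, and adds the two cases from RFC 7231 section 5.1.1 that the iRule does not handle (HTTP/1.0 clients cannot receive 1xx responses, and a 100 is pointless once body bytes have already arrived). The sample requests are constructed.

```python
"""Added example (not F5 code): Expect: 100-continue handling at a proxy."""

INTERIM_100 = b"HTTP/1.1 100 Continue\r\n\r\n"


def parse_request_head(head: bytes):
    """Split a request head into (method, target, version, [(name, value)])."""
    line, _, rest = head.partition(b"\r\n")
    method, target, version = line.split(b" ", 2)
    headers = []
    for h in rest.split(b"\r\n"):
        if h:
            name, _, value = h.partition(b":")
            headers.append((name.strip(), value.strip()))
    return method, target, version, headers


def handle_expect(head: bytes, body_started: bool = False):
    """Return (interim response to send to the client or None,
    request head to forward upstream).

    The client that sent 'Expect: 100-continue' is holding its body back
    until it sees a 100; if the proxy never answers, the client sits in its
    timeout (about 3 seconds in the report above) before sending anyway.
    """
    method, target, version, headers = parse_request_head(head)
    expects_continue = any(
        n.lower() == b"expect" and v.lower() == b"100-continue"
        for n, v in headers)
    interim = None
    # RFC 7231 5.1.1: ignore the expectation for HTTP/1.0 clients, and a 100
    # may be omitted once some of the body has already been received.
    if expects_continue and version == b"HTTP/1.1" and not body_started:
        interim = INTERIM_100
    # Strip Expect before forwarding, as the iRule does, so the pool member
    # does not make the client wait a second time for a 100 of its own.
    forwarded = [(n, v) for n, v in headers if n.lower() != b"expect"]
    out = (method + b" " + target + b" " + version + b"\r\n"
           + b"".join(n + b": " + v + b"\r\n" for n, v in forwarded)
           + b"\r\n")
    return interim, out


# Constructed sample request as a client would send it before its body.
SAMPLE_POST = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\nExpect: 100-continue\r\n\r\n")

if __name__ == "__main__":
    interim, fwd = handle_expect(SAMPLE_POST)
    print("to client :", interim)
    print("to server :", fwd)
```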
422665 : APM requires external IP address to be specified for PCoIP client to connect to via NAT
Component: Access Policy Manager
Symptoms:
APM requires that you specify an externally visible IP address for PCoIP client to connect to when it differs from virtual server IP address. (You set the IP address using the 'view.proxy_addr' session variable.)
Conditions:
VMware Horizon PCoIP client connects via a NAT (i.e., APM's externally visible IP address differs from the virtual server IP address).
Impact:
This configuration is non-obvious and can lead to confusion.
Workaround:
Set the IP address using the 'view.proxy_addr' session variable.
Fix:
Now, for PCoIP clients, which support name resolution, APM does not require explicit configuration of an externally visible IP address via the 'view.proxy_addr' session variable.
Note: VMware Horizon clients for most platforms (Windows, Mac, Android, and iOS) except Linux, support name resolution.
305920 : Added partial masking option for information leakage masking functionality
Component: Application Security Manager
Symptoms:
A credit card or social security number is completely masked in the response.
Conditions:
-- Information leakage masking is enabled.
-- Sensitive data appears in the response.
Impact:
You cannot reveal any part of the number; the whole value remains masked.
Workaround:
None.
Fix:
The ASM configuration now provides an option to expose the last X digits.
248424 : Content length doesn't get updated during replacement using stream profile
Component: Local Traffic Manager
Symptoms:
When using the stream filter to modify content dynamically, the client might observe either no Content-Length header or a Content-Length header whose value is too small.
Conditions:
When using the stream filter with Response Chunking mode set to 'rechunk', the Content-Length reflects the original, unmodified length. When Response Chunking is 'selective', the Content-Length is not specified.
Impact:
Clients that depend on the Content-Length header may see missing or incorrect values.
Workaround:
None.
Fix:
Content length now gets updated during replacement using stream profile.
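Both 473787-1 (chunk markers left inside compressed content) and 248424 (a stale Content-Length after a stream replacement) are framing mistakes on the response path. The following is an added example, not F5 code and not a description of how the BIG-IP system implements the fix, showing the order a proxy must do the work in (unchunk, rewrite, compress, then set Content-Length), a reproduction of the first defect for comparison, and a checker a practitioner can run over captured proxy output when clients report garbled or truncated bodies. All sample responses are constructed.

```python
"""Added example (not F5 code): reframing a rewritten or compressed HTTP/1.1 body."""
import gzip


def split_response(raw: bytes):
    """Split a raw response into (status line, {lowercased name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def build_response(status: bytes, headers: dict, body: bytes) -> bytes:
    """Serialize the head with a Content-Length that matches the body sent."""
    headers = dict(headers)
    headers[b"content-length"] = str(len(body)).encode()
    head = b"".join(k + b": " + v + b"\r\n" for k, v in headers.items())
    return status + b"\r\n" + head + b"\r\n" + body


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body into the plain payload.
    Malformed framing raises ValueError instead of being passed through."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)
        pos = end + 2
        if size == 0:
            return bytes(out)  # last-chunk; trailers are not needed here
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data does not match declared size")
        out += body[pos:pos + size]
        pos += size + 2


def reframe(raw: bytes, replace=None, compress=False) -> bytes:
    """Unchunk, then rewrite, then compress, then set Content-Length. This
    order keeps chunk markers out of the payload and the Content-Length in
    step with the bytes actually sent."""
    status, headers, body = split_response(raw)
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        body = dechunk(body)
        del headers[b"transfer-encoding"]
    if replace:
        old, new = replace
        body = body.replace(old, new)
    if compress:
        body = gzip.compress(body, mtime=0)
        headers[b"content-encoding"] = b"gzip"
    return build_response(status, headers, body)


def compress_without_unchunking(raw: bytes) -> bytes:
    """The defective behaviour described under 473787-1, reproduced so the
    checker below has something to flag: the chunked body is gzipped as-is."""
    status, headers, body = split_response(raw)
    headers.pop(b"transfer-encoding", None)
    headers[b"content-encoding"] = b"gzip"
    return build_response(status, headers, gzip.compress(body, mtime=0))


def check_response(raw: bytes) -> list:
    """Return the framing problems a client would hit (empty list = clean)."""
    problems = []
    _, headers, body = split_response(raw)
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        return problems  # chunked framing; Content-Length is not authoritative
    payload = body
    if headers.get(b"content-encoding") == b"gzip":
        try:
            payload = gzip.decompress(body)
        except (OSError, EOFError):
            return ["body is not valid gzip"]
    try:
        dechunk(payload)  # a plain payload must not parse as chunked framing
        problems.append("chunk markers inside a non-chunked payload")
    except ValueError:
        pass
    declared = headers.get(b"content-length")
    if declared is not None and int(declared) != len(body):
        problems.append(f"Content-Length {int(declared)} != actual {len(body)}")
    return problems


# Constructed upstream responses. UPSTREAM is chunked and uncompressed, as a
# pool member would send it; its payload is "<p>http://old</p>" (17 bytes).
UPSTREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n"
            b"7\r\n<p>http\r\na\r\n://old</p>\r\n0\r\n\r\n")
PLAIN = b"HTTP/1.1 200 OK\r\nContent-Length: 17\r\n\r\n<p>http://old</p>"
```

Replacing "old" with "new-host" in PLAIN without touching the header reproduces 248424 (Content-Length 17 for a 22-byte body), and `check_response` reports exactly that mismatch; `reframe(PLAIN, replace=(b"old", b"new-host"))` passes the check.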
Known Issues in BIG-IP v15.0.x
TMOS Issues
ID Number | Severity | Solution Article(s) | Description |
778317-2 | 1-Blocking | | IKEv2 HA after Standby restart has race condition with config startup |
780437-1 | 2-Critical | | Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. |
777993-1 | 2-Critical | | Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same |
769341-2 | 2-Critical | | HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs |
769169-4 | 2-Critical | | BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring |
767877-4 | 2-Critical | | TMM core with Bandwidth Control on flows egressing on a VLAN group |
767013-2 | 2-Critical | | Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch |
762205-3 | 2-Critical | | IKEv2 rekey fails to recognize VENDOR_ID payload when it appears |
760164 | 2-Critical | | BIG-IP VE Compression Offload HA action requires modification of db variable |
757722-3 | 2-Critical | | Unknown notify message types unsupported in IKEv2 |
756402-3 | 2-Critical | | Re-transmitted IPsec packets can have garbled contents |
755716-2 | 2-Critical | | IPsec connection can fail if connflow expiration happens before IKE encryption |
751924-1 | 2-Critical | | TSO packet bit fails IPsec during ESP encryption |
747203-1 | 2-Critical | | Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding |
746464-7 | 2-Critical | | MCPD sync errors and restart after multiple modifications to file object in chassis |
719711 | 2-Critical | | BIG-IP system reboots due to watchdog timeout or Southbridge system reset |
610257 | 2-Critical | | mcpd memory leak and core |
419345 | 2-Critical | | Changing Master Key on the standby might cause secondaries to restart processes |
782613-6 | 3-Major | | security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp |
777261-5 | 3-Major | | When SNMP cannot locate a file it logs messages repeatedly |
776489-1 | 3-Major | | Remote authentication attempts to resolve only LDAP host against the first three name servers configured. |
775733-3 | 3-Major | | /etc/qkview_obfuscate.conf not synced across blades |
773577-1 | 3-Major | | SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted |
773333-1 | 3-Major | | IPsec CLI help missing encryption algorithm descriptions |
772497-6 | 3-Major | | When BIG-IP is configured to use a proxy server, updatecheck fails |
769029-4 | 3-Major | | Non-admin users fail to create tmp dir under /var/system/tmp/tmsh |
767737-1 | 3-Major | | Timing issues during startup may make an HA peer stay in the inoperative state |
767305-1 | 3-Major | | If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried |
766329-1 | 3-Major | | SCTP connections do not reflect some SCTP profile settings |
765761-2 | 3-Major | | URI Parsing is failing when certificate name contains "[", "]" |
764873-1 | 3-Major | | An accelerated flow transmits packets to a dated, down pool member. |
762073-4 | 3-Major | | Continuous TMM restarts when HSB drops off the PCI bus |
761993-1 | 3-Major | | The nsm process may crash if it detects a nexthop mismatch |
761356 | 3-Major | | Hyperv SR-IOV: MTU more than 1500 is not supported |
761321-1 | 3-Major | | 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not |
759499-1 | 3-Major | | Upgrade from version 12.1.3.7 to version 14.1.0 failing with error★ |
758387-1 | 3-Major | | BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it |
754691-2 | 3-Major | | During failover, an OSPF routing daemon may crash. |
754335-2 | 3-Major | | Install ISO does not boot on BIG-IP VE |
751581-4 | 3-Major | | REST API Timeout while querying large number of persistence profiles |
743803-6 | 3-Major | | IKEv2 potential double free of object when async request queueing fails |
740280 | 3-Major | | Configuration Utility and tmsh may not validate Certificate Authority profile names |
738943-2 | 3-Major | | imish command hangs when ospfd is enabled |
737346 | 3-Major | | After entering username and before password, the logging on user's failure count is incremented. |
721338 | 3-Major | | Error creating application service from imported iApp Template |
718405-4 | 3-Major | | RSA signature PAYLOAD_AUTH mismatch with certificates |
715379-4 | 3-Major | | IKEv2 accepts asn1dn for peers-id only as file path of certificate file |
711248 | 3-Major | K96275603 | After upgrade to 13.1.0 or later, mcpd fails to start due to syslog config parsing error.★ |
708549 | 3-Major | | The SNMP ipNetToMediaPhysAddress table is not supported in version 12.1.2 and forward |
703090-2 | 3-Major | | With many iApps configured, scriptd may fail to start |
701341 | 3-Major | K52941103 | If /config/BigDB.dat is empty, mcpd continuously restarts |
671940 | 3-Major | | Configuring a transaction with several 10 KB firewall objects results in MCP getting stuck |
658850-1 | 3-Major | | Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP |
657977 | 3-Major | | iControl REST: Unable to create valid iRule with symbol '{' via iControl REST |
637979 | 3-Major | | IPsec over isession not working |
636182 | 3-Major | | Cannot update_indexes error during load sys config |
607110 | 3-Major | | REWRITE filter should enable INFLATE only when it is necessary for content detection and patching. |
601220-2 | 3-Major | | Multi-blade trunks seem to leak packets ingressed via one blade to a different blade |
590377 | 3-Major | | When the destination address of a virtual server is changed and no other virtual server uses the same destination virtual address, the virtual address is not removed. |
556505 | 3-Major | K19252010 | Load UCS failure for objects with unique IP address constraints. |
455066 | 3-Major | | Read-only account can save system config |
454640 | 3-Major | | mcpd instances on secondary blades might restart on boot |
382040 | 3-Major | K16592 | Deleting and recreating pool members with named nodes can cause config sync to fail. |
364522 | 3-Major | | App_editors cannot add pool members unless node already exists |
776393-1 | 4-Minor | | Memory leak in restjavad causing restjavad to restart frequently with OOM |
776073-2 | 4-Minor | | OOM killer killing tmm in system low memory condition as process OOM score is high |
774617-2 | 4-Minor | | SNMP daemon reports integer truncation error for values greater than 32 bits |
759606-1 | 4-Minor | | REST error message is logged every five minutes on vCMP Guest |
742105 | 4-Minor | | Displaying network map with virtual servers is slow |
722230 | 4-Minor | | Cannot delete FQDN template node if another FQDN node resolves to same IP address |
713183-1 | 4-Minor | | Malformed JSON files may be present on vCMP host |
692218 | 4-Minor | | Audit log messages sent from the primary blade to the secondaries should not be logged. |
657459-1 | 4-Minor | K51358480 | Single-NIC BIG-IP VE may erroneously revert to the default management httpd port after a configuration reload |
476544 | 4-Minor | | mcpd core during sync |
769145-1 | 5-Cosmetic | | Syncookie threshold warning is logged when the threshold is disabled |
761621-1 | 5-Cosmetic | | Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members" |
620374-1 | 5-Cosmetic | | VCMP guest may temporarily fail to send information to the VCMP host |
571727 | 5-Cosmetic | K52707821 | 'force-full-load-push' is not tab expandable |
528314-1 | 5-Cosmetic | K16816 | Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh |
Local Traffic Manager Issues
ID Number | Severity | Solution Article(s) | Description |
759968-4 | 2-Critical | | Distinct vCMP guests are able to cluster with each other. |
756234 | 2-Critical | | In SSL forward proxy, forged untrusted server certs are no longer cached. |
474797-3 | 2-Critical | | Nitrox crypto hardware may attempt soft reset while currently resetting |
781041-2 | 3-Major | | SIP monitor in non default route domain is not working. |
779137-1 | 3-Major | | Using a source address list for a virtual server does not preserve the destination address prefix |
778501 | 3-Major | | LB_FAILED does not fire on failure of HTTP/2 server connection establishment |
776229-1 | 3-Major | | iRule 'pool' command no longer accepts pool members with ports that have a value of zero |
773821-2 | 3-Major | | Certain plaintext traffic may cause SSLO to hang |
773421-4 | 3-Major | | Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied |
773229-1 | 3-Major | | Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances |
770477-1 | 3-Major | | SSL aborted when client_hello includes both renegotiation info extension and SCSV |
769801-2 | 3-Major | | Internal tmm UDP filter does not set checksum |
767217-1 | 3-Major | | Under certain conditions when deleting an iRule, an incorrect dependency error is seen |
766593-2 | 3-Major | | RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20 |
763093-4 | 3-Major | | LRO packets are not taken into account for ifc_stats (VLAN stats) |
760050-1 | 3-Major | | cwnd warning message in log |
758992-3 | 3-Major | | The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address |
757029-1 | 3-Major | | Ephemeral pool members may not be created after config load or reboot |
755791-1 | 3-Major | | UDP monitor not behaving properly on different ICMP reject codes. |
755727-1 | 3-Major | | Ephemeral pool members not created after DNS flap and address record changes |
754553 | 3-Major | | STP fails when passed through a BIG-IP system in VLAN group L2 transparent mode with bridge mode enabled |
754525-2 | 3-Major | | Disabled virtual server accepts and serves traffic after restart |
753482 | 3-Major | | Proxy initialization fails/port denied when excessively large max header size is set in the HTTP/1 profile |
726176-1 | 3-Major | | Platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve |
709381-3 | 3-Major | | iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out. |
679316 | 3-Major | | iQuery connections reset during SSL renegotiation |
584414-2 | 3-Major | | Deleting persistence-records via tmsh may result in persistence being created to different nodes |
564270 | 3-Major | | [DNS] A query is not sent out in secondary mapping when no AAAA response. |
505037-6 | 3-Major | K01993279 | Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop |
496155 | 3-Major | | tmsh show ltm persistence persist-records sometimes shows an incorrect number of entries on VIPRION chassis |
387904 | 3-Major | | Cannot use TMSH to change virtual server type |
369640 | 3-Major | K17195 | Folder path objects in iRules can have only a single context per script |
225358 | 3-Major | K04604131 | Both units probe both gateway fail-safe pools regardless of their unit IDs |
774261-2 | 4-Minor | | PVA client-side current connections stat does not decrease properly |
773253-4 | 4-Minor | | The BIG-IP may send VLAN failsafe probes from a disabled blade |
772297-1 | 4-Minor | | LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade |
769309-1 | 4-Minor | | DB monitor reconnects to server on every probe when count = 0 |
756376 | 4-Minor | | Residual folders after uninstalling the cloudhsm from BIG-IP |
Performance Issues
ID Number | Severity | Solution Article(s) | Description |
777937-1 | 1-Blocking | | AWS ena: packet drops due to bad checksum |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Solution Article(s) | Description |
779793-1 | 3-Major | | [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor |
779769-1 | 3-Major | | [LC] [GUI] destination cannot be modified for bigip-link monitors |
778365-3 | 3-Major | | dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service |
774481-1 | 3-Major | | DNS Virtual Server creation problem with Dependency List |
774225-4 | 3-Major | | mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting |
772233-2 | 3-Major | | IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV. |
769385-2 | 3-Major | | GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message |
760615-1 | 3-Major | | Virtual Server discovery may not work after a GTM device is removed from the sync group |
751540 | 3-Major | | GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server |
685669 | 3-Major | | 'Failed to reload dns-express db (Version).' can be logged a few times a second if DNS Express was configured on a different partition but not the current one★ |
775801-1 | 4-Minor | | [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener |
744280-4 | 4-Minor | | Enabling or disabling a Distributed Application results in a small memory leak |
741203 | 4-Minor | | DNS cache will respond from cache for records with TTL=0 |
Application Security Manager Issues
ID Number | Severity | Solution Article(s) | Description |
781637-1 | 3-Major | | ASM brute force counts unnecessary failed logins for NTLM |
781069-1 | 3-Major | | Bot Defense challenge blocks requests with long Referer headers |
781021-1 | 3-Major | | ASM modifies cookie header causing it to be non-compliant with RFC6265 |
773553-1 | 3-Major | | ASM JSON parser false positive. |
769997 | 3-Major | | ASM removes double quotation characters on cookies |
769981-1 | 3-Major | | bd crashes in a specific scenario |
764373-4 | 3-Major | | 'Modified domain cookie' violation with multiple enforced domain cookies with different paths |
753358 | 3-Major | | Deprecated Fields in Bot Defense Request Log |
752940 | 3-Major | | False positive illegal meta char violation in param name |
476230 | 3-Major | | False positive malformed json on legitimate unicode character |
772473-4 | 4-Minor | | Request reconstruct issue after challenge |
765413-3 | 4-Minor | | ASM cluster syncs caused by PB ignored suggestions updates |
761088-2 | 4-Minor | | Remove policy editing restriction in the GUI while auto-detect language is set |
756998-2 | 4-Minor | | DoSL7 Record Traffic feature is not recording traffic |
Application Visibility and Reporting Issues
ID Number | Severity | Solution Article(s) | Description |
756102-1 | 2-Critical | | TMM can crash with core on ABORT signal due to non-responsive AVR code |
771025-4 | 3-Major | | AVR sends domain names as an aggregate |
760356-1 | 3-Major | | Users with Application Security Administrator role cannot delete Scheduled Reports |
597161-1 | 3-Major | | Upgrading from BIG-IP v11.6.1 to BIG-IP v12.0.0 will fail if AVR is provisioned (or has been provisioned), and the configuration will fail to load in the new software boot location★ |
758996-2 | 4-Minor | | Data in the 'Last 4 hours' view have a 1-hour delay |
Access Policy Manager Issues
ID Number | Severity | Solution Article(s) | Description |
566273 | 2-Critical | | Changing URL Filter logging configuration causes tmm crash |
553516-1 | 2-Critical | | Unable to sync events from SharePoint 2010 to local Outlook calendar |
775621-1 | 3-Major | | urldb memory grows past the expected ~3.5GB |
774633-1 | 3-Major | | Memory leak in tmm when session db variables are not cleaned up |
774213-2 | 3-Major | | SWG session limits on SSLO deployments |
768025-3 | 3-Major | | SAML requests/responses fail with "failed to find certificate" |
761303-1 | 3-Major | | Upgrade of standby BIG-IP system results in empty Local Database |
759392-1 | 3-Major | | HTTP_REQUEST iRule event triggered for internal APM request |
757781-4 | 3-Major | | Portal Access: cookie exchange may be broken sometimes |
756250 | 3-Major | | On Demand Cert Auth Mode option set to Require in Per-Request Policy |
739042 | 3-Major | | SWG ACE database download for antserver uses direct connection and does not go through upstream proxy configured. |
723419 | 3-Major | | tmsh does not automatically add websso and rba information when access profile associated to a virtual server |
697590-1 | 3-Major | | APM iRule ACCESS::session remove fails outside of Access events |
693844 | 3-Major | K58335157 | APMD may restart continuously and cannot come up |
672039 | 3-Major | | Portal access fails with java exceptions for Oracle E-Business application |
666845 | 3-Major | K08684622 | Rewrite plugin can accumulate memory used for patching very large files |
635684 | 3-Major | | Apmd can't bind socket to port 10001 after named.conf modification |
630895 | 3-Major | | Network Access tunnel cannot be re-established after failover |
624085 | 3-Major | K25471169 | IE11 on Win10 after Anniversary update may break APM session |
601403 | 3-Major | | Network access only supports ZLIB provider for compression |
600872 | 3-Major | | Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms. |
552444 | 3-Major | | Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD |
547692 | 3-Major | | Firewall-blocked KPASSWD service does not cause domain join operation to fail |
534410 | 3-Major | | CRLDP AAA server in non-default partition uses self-ip in default partition with strict isolation |
495401 | 3-Major | | Flash AS3 with ExternalInterface call may not work as expected |
475283 | 3-Major | | Category Lookup by SNI doesn't work for SWG transparent + Mobile AppTunnel in case of using SWG SSL bypass |
468878 | 3-Major | | Portal access: external links in SVG tags are not rewritten |
465978 | 3-Major | | Compression from BIG-IP APM to client is still present even if it is disabled in connectivity profile. |
456927 | 3-Major | K53372963 | iOS Edge Client is not able to establish per-app VPN connections with APM when it has VPE with On-Demand certificate authentication without assigned webtop resource. |
441537 | 3-Major | | APM form-based SSOv1 values allows url encoding of some special characters like '-' |
422512 | 3-Major | | APM SharePoint integration might not work using Internet Explorer 10 on Microsoft Windows 8. |
406745 | 3-Major | | Office on Mac cannot open SharePoint files through web applications |
385188 | 3-Major | | Portal Access Resource does not support session variables in custom HTTP Headers |
380810 | 3-Major | | Front-end Kerberos Authentication fails when Request Based Authentication is enabled and non-standard port is in use |
362325 | 3-Major | | [OWA] links in HTML attachments are rewritten after save to disk |
355981 | 3-Major | | CRLDP AAA requires anonymous access to the CA / LDAP |
224145 | 3-Major | | Errors in the visual policy editor when creating new VPE actions |
498049 | 5-Cosmetic | | APM End user interface pages customized using session data will render using defaults when session data is not available. |
Service Provider Issues
ID Number | Severity | Solution Article(s) | Description |
766405-1 | 2-Critical | | MRF SIP ALG with SNAT: Fix for potential crash on next-active device |
763157-1 | 3-Major | | MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped |
761685-2 | 3-Major | | Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set |
760370-1 | 3-Major | | MRF SIP ALG with SNAT: Next active ingress queue filling |
759077-1 | 3-Major | | MRF SIP filter queue sizes not configurable |
760930-3 | 4-Minor | | MRF SIP ALG with SNAT: Added additional details to log events |
Advanced Firewall Manager Issues
ID Number | Severity | Solution Article(s) | Description |
757306-1 | 2-Critical | | SNMP MIBS for AFM NAT do not yet exist |
709563 | 2-Critical | | New blob compilation may fail with 'No Blobs available' error |
781425-1 | 3-Major | | Firewall rule list configuration causes config load failure |
771173-4 | 3-Major | | FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★ |
761345-4 | 3-Major | | Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode |
761234-1 | 3-Major | | Changing a virtual server to use an address list should be prevented if the VS has a security policy with a logging profile attached |
Policy Enforcement Manager Issues
ID Number | Severity | Solution Article(s) | Description |
760000 | 3-Major | | Cannot select individual reporting fields for destination Splunk |
752163 | 3-Major | | PEM::session info cannot set subscriber type and ID |
741213-1 | 3-Major | | Modifying disabled PEM policy causes coredump |
759046 | 4-Minor | | "PEM::session info" does not set IMSI, IMEISV of a subscriber |
757340 | 4-Minor | | TMCTL stats counters are still available for QoE module which is deprecated |
Carrier-Grade NAT Issues
ID Number | Severity | Solution Article(s) | Description |
679752 | 3-Major | | Connections may fail when iRule LSN::port is used, L4 mirroring is enabled and LSN pool/AFM dynamic-pat NAPT mode is configured with default DAG |
673826 | 3-Major | | Some FTP log messages may not be logged to /var/log/ltm |
530016 | 3-Major | | CGNAT: Changing the PBA client-block-limit on a LSN pool while blocks are allocated can lead to incorrect 'Clients Using Max Port Blocks' counts in the stats |
Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
720434-2 | 2-Critical | | Multi-blade Chassis iAppLX Package upgrade sync is incomplete across blades |
Protocol Inspection Issues
ID Number | Severity | Solution Article(s) | Description |
737558 | 2-Critical | | Protocol Inspection user interface elements are active but do not work |
778225-2 | 3-Major | | vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host |
Known Issue details for BIG-IP v15.0.x
782613-6 : security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp
Component: TMOS
Symptoms:
If a security firewall policy is part of an iApp inside a folder created by that iApp, then when the iApp is deleted any config sync peer will not delete the policy when it deletes the rest of the iApp.
Conditions:
-- An iApp that created a folder and contains a security firewall policy is deleted.
-- HA config sync is configured.
Impact:
The system that the iApp was deleted on is fine, but the config sync peer(s) that had that iApp synced to them will still have the security firewall policy after the rest of the iApp is deleted, and there is no way to get rid of it.
781637-1 : ASM brute force counts unnecessary failed logins for NTLM
Component: Application Security Manager
Symptoms:
A false positive brute force violation is raised and the login request is blocked.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM brute force protection is enabled for the NTLM login type.
Impact:
The login request is blocked by the ASM policy.
Workaround:
Define higher thresholds in the brute force protection settings.
781425-1 : Firewall rule list configuration causes config load failure
Component: Advanced Firewall Manager
Symptoms:
'tmsh load sys config' has a syntax error.
The syntax error is reported on 'security firewall rule-list rule' configuration.
Conditions:
This occurs only if the ip-protocol of any rule-list rule is set to one of the following protocols:
-- BBN-RCC-MON
-- NVP-II
-- DCN-MEAS
-- OSPFIGP
-- CRUDP
Impact:
The system fails to load the configuration.
Workaround:
Manually edit the configuration file: /config/bigip_base.conf
1. Replace the ip-protocol name from rule-list configuration:
-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.
2. Save the file.
3. Issue the command:
tmsh load sys config
The configuration now loads without syntax errors.
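The rename in the workaround above is mechanical, and a hand edit of /config/bigip_base.conf is easy to get wrong (a rule name or description containing one of these words must not be touched, and a single missed statement still fails the load). The following is an added example, not F5 code, that applies the five renames to the text of a copy of the configuration, restricting the change to the value of 'ip-protocol' statements, and lists anything that would still make 'tmsh load sys config' fail. The sample configuration is constructed and only approximates the layout of a rule-list in bigip_base.conf; the path handling in the usage block is an assumption of this example.

```python
"""Added example (not F5 code): apply the rule-list ip-protocol renames from
the workaround and verify nothing load-breaking remains."""
import re

# Names tmsh fails to parse -> names it accepts (from the workaround above).
PROTOCOL_RENAMES = {
    "BBN-RCC-MON": "bbn-rcc",
    "NVP-II": "nvp",
    "DCN-MEAS": "dcn",
    "OSPFIGP": "ospf",
    "CRUDP": "crudp",
}

# Only the value of an 'ip-protocol' statement is rewritten, so rule names or
# descriptions that happen to contain these words are left alone.
_IP_PROTO = re.compile(r"^([ \t]*ip-protocol[ \t]+)(\S+)([ \t]*)$", re.M)


def fix_rule_list_protocols(config_text: str):
    """Return (rewritten text, number of ip-protocol statements changed)."""
    count = 0

    def repl(m):
        nonlocal count
        new = PROTOCOL_RENAMES.get(m.group(2))
        if new is None:
            return m.group(0)  # any other protocol name is left untouched
        count += 1
        return m.group(1) + new + m.group(3)

    return _IP_PROTO.sub(repl, config_text), count


def offending_protocols(config_text: str) -> list:
    """List (line number, protocol) for every ip-protocol statement that would
    still make 'tmsh load sys config' fail. Run this before loading."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _IP_PROTO.match(line)
        if m and m.group(2) in PROTOCOL_RENAMES:
            hits.append((lineno, m.group(2)))
    return hits


# Constructed sample approximating a rule-list in bigip_base.conf.
SAMPLE_CONFIG = """\
security firewall rule-list /Common/example_rl {
    rules {
        allow_ospf {
            action accept
            ip-protocol OSPFIGP
        }
        allow_tcp {
            action accept
            ip-protocol tcp
        }
        allow_nvp {
            action accept
            ip-protocol NVP-II
        }
    }
}
"""

if __name__ == "__main__":
    import sys
    # Assumed usage: pass the path of a COPY of /config/bigip_base.conf.
    path = sys.argv[1]
    with open(path) as fh:
        text = fh.read()
    new_text, changed = fix_rule_list_protocols(text)
    with open(path, "w") as fh:
        fh.write(new_text)
    print(f"{changed} ip-protocol statement(s) renamed;"
          f" remaining: {offending_protocols(new_text)}")
```

Run `offending_protocols` on the result before step 3 of the workaround; an empty list is the precondition for the load succeeding for this particular cause.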
781069-1 : Bot Defense challenge blocks requests with long Referer headers
Component: Application Security Manager
Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 and 3072 characters long.
The client may be blocked with a TCP RST, or may experience a challenge loop.
Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense, is configured.
-- The request has a Referer header that is between ~1400 and 3072 characters long.
Impact:
Legitimate browsers may be blocked or may experience a challenge loop.
Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.
781041-2 : SIP monitor in non default route domain is not working.
Component: Local Traffic Manager
Symptoms:
SIP pool members in non-default route domain are being marked as unavailable even though they are available.
Conditions:
SIP pool members in a non-default route domain.
Impact:
SIP service unavailable.
781021-1 : ASM modifies cookie header causing it to be non-compliant with RFC6265
Component: Application Security Manager
Symptoms:
When ASM strips the ASM cookies from the Cookie header, it leaves the Cookie header in a form that is not compliant with RFC 6265 in two respects:
1. No space after the semicolon
2. A cookie with no value is sent without the equals sign
Conditions:
-- ASM Security Policy is used
-- Request includes an ASM cookie
Impact:
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.
Workaround:
Disable the cookie stripping by modifying the DB variable as follows:
tmsh modify sys db asm.strip_asm_cookies value false
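As an added illustration (not part of this release note or of F5's code), the following Python code shows the two RFC 6265 formatting points above: it reproduces the non-compliant Cookie header the note describes beside an RFC 6265-compliant rebuild of the same header after the ASM cookies are removed, and includes a checker that flags both defects, which is useful when confirming from a packet capture whether an upstream server is seeing a malformed header. The sample header and the `TS` name prefix used to pick out ASM cookies are assumptions made for this example.

```python
import re
from typing import Callable, List, Tuple

# (name, value) pairs; an empty value means the cookie had no value.
CookiePair = Tuple[str, str]

# Assumption for this example: ASM cookies are identified by a name prefix.
ASM_COOKIE_PREFIX = "TS"

# Constructed sample request header, not captured from a real system.
RAW_COOKIE_HEADER = "TS01a2b3c4=0123abcd; session=xyz; flag=; TSPD_101=zzz"


def is_asm_cookie(name: str) -> bool:
    """Predicate used to decide which cookies to strip (assumed prefix rule)."""
    return name.startswith(ASM_COOKIE_PREFIX)


def parse_cookie_header(header: str) -> List[CookiePair]:
    """Split a Cookie request header into (name, value) pairs.

    Tolerates both "; " and ";" separators and a missing "=" (treated as an
    empty value), so it can also read the malformed output the note describes.
    """
    pairs: List[CookiePair] = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def strip_noncompliant(header: str, drop: Callable[[str], bool] = is_asm_cookie) -> str:
    """Reproduce the defective rewrite the note describes: remaining cookies
    are re-joined with a bare ';' and a cookie with an empty value loses its '='."""
    kept = [(n, v) for n, v in parse_cookie_header(header) if not drop(n)]
    return ";".join(n if v == "" else f"{n}={v}" for n, v in kept)


def strip_compliant(header: str, drop: Callable[[str], bool] = is_asm_cookie) -> str:
    """RFC 6265 section 4.2.1: each pair is cookie-name "=" cookie-value, and
    pairs are separated by a semicolon followed by exactly one space."""
    kept = [(n, v) for n, v in parse_cookie_header(header) if not drop(n)]
    return "; ".join(f"{n}={v}" for n, v in kept)


def rfc6265_violations(header: str) -> List[str]:
    """Report the two RFC 6265 formatting problems this note is about."""
    problems: List[str] = []
    # Every separator must be ";" followed by a single space.
    for m in re.finditer(";", header):
        if header[m.end():m.end() + 1] != " ":
            problems.append(f"no space after ';' at offset {m.start()}")
    # Every cookie-pair must contain "=", even when the value is empty.
    for pair in header.split(";"):
        pair = pair.strip()
        if pair and "=" not in pair:
            problems.append(f"cookie {pair!r} has no '='")
    return problems


if __name__ == "__main__":
    bad = strip_noncompliant(RAW_COOKIE_HEADER)
    good = strip_compliant(RAW_COOKIE_HEADER)
    print("non-compliant:", bad, rfc6265_violations(bad))
    print("compliant:    ", good, rfc6265_violations(good))
```

The checker is deliberately narrow: it does not validate cookie-octet characters or other RFC 6265 rules, only the separator and the missing equals sign that the release note attributes to ASM's cookie stripping.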
780437-1 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
Component: TMOS
Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.
As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.
The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.
Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.
Symptoms for this issue include:
-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.
-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.
-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):
qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img
qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img
-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one or more vCMP guests:
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]
Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.
-- Large configuration with many guests.
-- The VIPRION chassis is rebooted.
-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
Impact:
-- Loss of entire configuration on previously working vCMP guests.
-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.
-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.
Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.
If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.
779793-1 : [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor
Component: Global Traffic Manager (DNS)
Symptoms:
Using BIG-IP Link Controller (LC), every 10 seconds, the system logs messages similar to the following example:
-- err mcpd[5570]: 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec.
-- err mcpd[5570]: 01071488:3: Remote transaction for device group /Common/gtm to commit id 1 6681134264373087063 /Common/ELC002.kbn.mlit.go.jp 0 failed with error 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec..
Conditions:
-- A bigip_link monitor with destination * written in bigip_gtm.conf.
-- That monitor is associated with a link.
-- The following command is run on one of the sync group peers:
tmsh load /sys config gtm-only
Impact:
The LC system fails to load its configuration.
Workaround:
Run this command on the LC system that is logging the error message:
tmsh load /sys config gtm-only
779769-1 : [LC] [GUI] destination cannot be modified for bigip-link monitors
Component: Global Traffic Manager (DNS)
Symptoms:
The 'destination' for BIG-IP Link Controller (LC) bigip_link monitor cannot be modified through GUI.
Conditions:
Using the LC bigip_link monitor in the GUI.
Impact:
Cannot change 'destination' for LC bigip_link monitor through GUI.
Workaround:
Use tmsh.
779137-1 : Using a source address list for a virtual server does not preserve the destination address prefix
Component: Local Traffic Manager
Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.
Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).
Impact:
Traffic does not flow to the virtual server as expected.
Workaround:
None.
778501 : LB_FAILED does not fire on failure of HTTP/2 server connection establishment
Component: Local Traffic Manager
Symptoms:
When the server connection fails to be established due to server being down or actively rejecting the connection, LB_FAILED should fire and allow a new destination to be selected via iRule.
Conditions:
-- iRule with LB_FAILED event.
-- Server connection establishment fails.
Impact:
Selection of a new destination via LB_FAILED is not possible, thus the client connection will be aborted.
Workaround:
No workaround available.
778365-3 : dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
Component: Global Traffic Manager (DNS)
Symptoms:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS. If a DNS service is running on the LDNS, RTT metrics should be collected successfully, as expected. However, if there is no DNS service on the LDNS, no RTT metrics should be collected, but the BIG-IP system still populates the RTT values, giving users 'false positive' results.
Conditions:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS and there is no DNS service running on the LDNS.
Impact:
RTT metrics are collected even though no response from a DNS service is present, giving users the wrong impression that one is.
778317-2 : IKEv2 HA after Standby restart has race condition with config startup
Component: TMOS
Symptoms:
A restarted standby system can end up with missing SAs, if the high availability (HA) process that mirrors the SAs from persistent storage runs before the configuration of IPsec has completed.
Conditions:
The loss of mirrored SAs requires this sequence of events:
-- A system becomes standby after failover; then is restarted.
-- During restart, HA manages to run before IPsec configuration.
-- SAs unsupported by current config are lost despite mirroring.
-- After another failover, the newly active system is missing SAs.
Impact:
A tunnel outage can occur (until SAs are renegotiated) after failover, if the newly active system lost some mirrored SAs when it was restarted while still acting as the standby system.
The impact cannot be observed until standby becomes active, when the missing SAs require a new key negotiation.
Workaround:
None.
778225-2 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
Component: Protocol Inspection
Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guests do not install the f5_api_com key and certificate.
Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).
Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.
Workaround:
Install the hitless upgrade IM package manually.
777993-1 : Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
Component: TMOS
Symptoms:
Egress TCP/UDP traffic with same L4 source port and destination port to an external trunk is pinned to one link only.
Conditions:
This happens on BIG-IP hardware platforms with a Broadcom switch chip, so the BIG-IP 2000/4000 and i2000/i4000 series are not impacted.
Impact:
Performance degradation as only a portion of the trunk bandwidth is utilized.
Workaround:
None.
777937-1 : AWS ena: packet drops due to bad checksum
Component: Performance
Symptoms:
1. Lower throughput and TPS.
2. HA heartbeats being dropped, resulting in an active-active configuration.
Conditions:
The AWS ena NIC is in use.
Impact:
Performance degradation and invalid HA configuration
Workaround:
In BIG-IP, turn off checksum offloading on TX as follows:
modify sys db tm.tcpudptxchecksum value Software-only
Note that this workaround negatively affects NICs other than ena. Therefore, the workaround is recommended only if ena is the only dataplane NIC in use in the BIG-IP system.
777261-5 : When SNMP cannot locate a file it logs messages repeatedly
Component: TMOS
Symptoms:
When the SNMP daemon encounters an error while attempting to statfs a file, it logs an error message. If the file is not present, this error is logged repeatedly and can fill up the log file.
Conditions:
When an SNMP request causes the daemon to query a file on disk, a system error can occur. If the file is not present, the error is logged repeatedly.
Impact:
This can fill up the log with errors.
776489-1 : Remote authentication attempts to resolve only LDAP host against the first three name servers configured.
Component: TMOS
Symptoms:
'Login failed' is displayed on the BIG-IP system's login screen.
Conditions:
-- Remote authentication is enabled.
-- There are more than three name servers configured.
Impact:
Admins may not be able to log into the BIG-IP GUI with their admin user account if the first 3 configured DNS name servers are not reachable.
Workaround:
None.
776393-1 : Memory leak in restjavad causing restjavad to restart frequently with OOM
Component: TMOS
Symptoms:
restjavad restarts frequently (approximately every 5 minutes) due to 'OutOfMemory: Java heap space' when it has no extra memory.
Conditions:
-- Dedicated SSLO deployed BIG-IP system.
-- No extra memory.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.
Impact:
REST API intermittently unavailable.
Workaround:
Give restjavad extra memory. This is a two-step process.
1. Update the memory allocated to restjavad using TMUI: System :: Resource Provisioning. The line for Management has a drop-down box for Small, Medium, or Large; the resulting sizes for restjavad are 192, 352, and 592, respectively. Set this to Large.
2. Run the following two commands, in sequence:
tmsh modify sys db restjavad.useextramb value true
bigstart restart restjavad
776229-1 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero
Component: Local Traffic Manager
Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:
err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"
Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.
Impact:
The iRule rejects traffic when the pool member's port number is 0.
Workaround:
Configure any iRule using the 'pool' command to go to a pool member using a non-zero port in the CLIENT_ACCEPTED event.
776073-2 : OOM killer kills tmm in a system low-memory condition because the process OOM score is high
Component: TMOS
Symptoms:
When the BIG-IP system is running in a low-memory situation, the Out-Of-Memory (OOM) killer is more likely to select tmm to kill in order to release resources.
Conditions:
BIG-IP version 13.0.x or later installed and system running with low memory.
Having AFM provisioned makes the tmm process more likely to be selected by the OOM killer.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Adjust OOM score of "tmm" process through oom_score_adj proc setting.
echo "-500" > /proc/<pid_of_tmm>/oom_score_adj
775801-1 : [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener
Component: Global Traffic Manager (DNS)
Symptoms:
'Route Advertisement' is not enabled even if you check the checkbox.
Conditions:
Creating GTM listener using the GUI.
Impact:
'Route Advertisement' is not enabled.
Workaround:
After the listener is created, modify the listener in the GUI and check the checkbox for 'Route Advertisement', and save.
775733-3 : /etc/qkview_obfuscate.conf not synced across blades
Component: TMOS
Symptoms:
By default, sensitive data, such as SSL keys, is excluded from QKView files. However, in some cases you may want to include sensitive information in the QKView file, so it must be obfuscated for security purposes. (Note: For information on how to configure this feature, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.)
In high availability (HA) configurations, the /etc/qkview_obfuscate.conf file is not copied to secondary blades on chassis platforms during sync operations.
Conditions:
-- Run qkview.
-- Upload qkview file to iHealth.
Impact:
Potentially sensitive information could be uploaded to iHealth or F5 Support. This occurs because, when an obfuscate.conf exists on the active blade, qkview automatically gathers the same information from the other blades but does not obfuscate that sensitive data there.
Workaround:
Manually copy /etc/qkview_obfuscate.conf to all blades.
Note: Do not upload sensitive data to iHealth or F5 Support. If you are obfuscating data, make sure to complete this step for every blade.
775621-1 : urldb memory grows past the expected ~3.5GB
Component: Access Policy Manager
Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).
Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.
Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.
Workaround:
None.
774633-1 : Memory leak in tmm when session db variables are not cleaned up
Component: Access Policy Manager
Symptoms:
There are some session db variables created as part of the split session proxy that have an indefinite timeout. If there is an error path or a failure with an inline service, the delete never gets called and these session keys build up over time, causing memory to leak in tmm.
Conditions:
SSLO setup with a service connector that fails.
Impact:
tmm eventually runs out of memory and generates a core file.
Workaround:
None.
774617-2 : SNMP daemon reports integer truncation error for values greater than 32 bits
Component: TMOS
Symptoms:
Some values sent to SNMP can grow too large over time, causing an integer truncation error.
Conditions:
Values greater than 32 bits sent to SNMP.
Impact:
SNMP values are truncated. An error message is logged in /var/log/daemon.log:
err snmpd[20680]: truncating integer value > 32 bits
Workaround:
No current workaround.
774481-1 : DNS Virtual Server creation problem with Dependency List
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use the GUI to create virtual servers with a dependent virtual server.
Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.
Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.
Workaround:
You can use either of the following workarounds:
-- Use tmsh;
-- Create the virtual server through GUI without dependent virtual server first and then edit the virtual server to add dependency.
774261-2 : PVA client-side current connections stat does not decrease properly
Component: Local Traffic Manager
Symptoms:
When FTP is used with bigproto, the PVA client-side current connections stat does not decrease after connections are closed.
Conditions:
-- Use an FTP virtual server.
-- End user clients connect to the virtual server.
Impact:
An incorrect stat for client-side current connections will be reported for 'tmsh show sys pva-traffic global' and 'tmctl pva_stat'.
Example:
config # tmsh show sys pva-traffic global
-------------------------------------------------
Sys::PVA
-------------------------------------------------
PVA Traffic ClientSide ServerSide
Bits In 23.6K 219.7K
Bits Out 219.7K 23.6K
Packets In 40 335
Packets Out 335 40
Current Connections 295 0 <-----
Maximum Connections 296 8
Total Connections 335 40
Miscellaneous
Cur PVA Assist Conns 0
Tot PVA Assist Conns 335
HW Syncookies Generated 0
HW Syncookies Detected 0
config # tmsh show sys conn all-properties
Really display 1000 connections? (y/n) y
Sys::Connections
Total records returned: 0 <--------- No connections; this is the correct state.
Workaround:
This issue does not occur when 'inherit parent profile' is enabled on the FTP profile used by the virtual server.
774225-4 : mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting
Component: Global Traffic Manager (DNS)
Symptoms:
mcpd is in a restart loop after creating an internal DNSSEC FIPS key on a secondary GTM while rebooting the primary DNSSEC key generator GTM (gtm.peerinfolocalid==0).
Conditions:
New DNSSEC internal FIPS key is created and assigned to DNSSEC zone when BIG-IP system with gtm.peerinfolocalid==0 is down.
Impact:
mcpd is in a restart loop.
Workaround:
For maintenance window operations, set DNSSEC peer leader to the unit that will remain UP while rebooting the primary key generator in sync group (gtm.peerinfolocalid==0).
# tmsh modify gtm global-settings general peer-leader <gtm-server-name>
After the reboot is complete, all devices are back up, and everything looks good in the configs, clear the peer-leader setting:
# tmsh modify gtm global-settings general peer-leader none
If there are two GTM units: GTM1 (having gtm.peerinfolocalid == 0), GTM2, and you are going to reboot GTM1, then before rebooting, run the following command to configure the DNSSEC peer-leader setting:
# tmsh modify gtm global-settings general peer-leader GTM2
After reboot, clear the peer-leader setting:
# tmsh modify gtm global-settings general peer-leader none
774213-2 : SWG session limits on SSLO deployments
Component: Access Policy Manager
Symptoms:
SWG session limits are enforced on SSLO deployments that enable Explicit proxy authentication.
Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections (beyond the SWG session limit).
Impact:
SSLO fails to connect when the SWG session limit is reached.
Workaround:
None.
773821-2 : Certain plaintext traffic may cause SSLO to hang
Component: Local Traffic Manager
Symptoms:
SSLO relies on the SSL hudfilter to detect non-SSL traffic, but certain plaintext can be mistaken for SSL traffic, which can cause a hang.
Conditions:
The initial plaintext traffic resembles an SSLv2 hello message, or contains fewer bytes than SSL needs in order to process it.
Impact:
SSLO hangs, unable to bypass traffic.
Workaround:
None.
773577-1 : SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
Component: TMOS
Symptoms:
On an SNMPv3 configuration, when a security-name and a username are the same but have different passwords, traps are not properly crafted.
Conditions:
security-name is the same as an SNMPv3 username.
Impact:
SNMP traps cannot be decoded.
Workaround:
Delete or rename the user.
773553-1 : ASM JSON parser false positive.
Component: Application Security Manager
Symptoms:
False positive JSON malformed violation.
Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.
Impact:
HTTP request is blocked or an alarm is raised.
Workaround:
There is no workaround other than disabling the JSON profile.
773421-4 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
Component: Local Traffic Manager
Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.
Conditions:
-- The client-side MTU is smaller than the server-side MTU (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).
-- OneConnect is applied.
-- proxy-mss is enabled (the default value starting in v12.0.0).
Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.
Workaround:
Disable proxy-mss in the configured TCP profile.
773333-1 : IPsec CLI help missing encryption algorithm descriptions
Component: TMOS
Symptoms:
The IPsec CLI help does not list the encryption algorithms.
Conditions:
LTM licensed on the BIG-IP.
Impact:
Unable to view the help.
Workaround:
None. The actual command line help should be:
(/Common)(tmos)# create net ipsec ike-peer test version add { v2 } phase1-encrypt-algorithm ?
Specifies the encryption algorithm used for the isakmp phase 1 negotiation. This directive must be defined. Possible value is one of following:
3des, aes128, aes192, aes256, blowfish, camellia, cast128, des
Note: The values blowfish, cast128, and camellia are v1 only.
773253-4 : The BIG-IP may send VLAN failsafe probes from a disabled blade
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core
Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- The VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.
Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.
Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.
Impact of workaround: Traffic disrupted while tmm restarts.
773229-1 : Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances
Component: Local Traffic Manager
Symptoms:
If a virtual server starts with a FastL4 profile with an idle_timeout of zero, and this profile is then replaced with one that has a non-zero idle_timeout, it can cause traffic to fail with a 'No flow found for ACK' error in the RST packet (if DB variable tm.rstcause.pkt is enabled) or logged (if DB variable tm.rstcause.log is enabled).
Conditions:
-- There is a virtual server configured with a FastL4 profile with an idle-timeout setting of zero ('immediate').
-- The FastL4 profile is replaced with one that has a non-zero idle-timeout setting.
Impact:
Traffic no longer passes through the virtual server properly.
Workaround:
To avoid this issue, if you need to change the FastL4 profile in this manner, delete and recreate the entire virtual server rather than replace the profile.
Impact of workaround: This results in a traffic disruption for that virtual server.
If the issue has already occurred, the only way to recover is to restart TMM.
Impact of workaround: This also results in a traffic disruption, this time a general one.
772497-6 : When BIG-IP is configured to use a proxy server, updatecheck fails
Component: TMOS
Symptoms:
Executing Update Check fails when run on a BIG-IP system that is behind a proxy server.
Conditions:
-- A proxy server is configured on the BIG-IP system using proxy.host db variable (and associated port, protocol, etc.).
-- You run Update Check.
Impact:
The Update Check fails to connect because the script resolves the IP address prior to sending the request to the proxy server.
Workaround:
You can use either of the following workarounds:
Workaround I
=======
Modify the /usr/bin/updatecheck script so that it does not resolve the service IP for callhome.f5.com. To do so, remove the script text 'PeerAddr => $service_ip,' from lines 336,337:
1. Locate the following section in the script:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
SSL_hostname => $service_name,
2. Update the script to remove the content 'PeerAddr => $service_ip,', so that it looks like the following example:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( SSL_hostname => $service_name,
Workaround II
=======
As an alternative, use a sed command, as follows:
1. Remount /usr as read-write (rw).
2. Run the following command (the single quotes keep the shell from expanding $service_ip before sed sees it):
# sed -e 's/PeerAddr => $service_ip,//' -i /usr/bin/updatecheck
772473-4 : Request reconstruct issue after challenge
Component: Application Security Manager
Symptoms:
False positive on Content-Type header in GET request.
Conditions:
After challenge is completed, the server responds to the reconstructed request with a 302-redirect.
Impact:
The BIG-IP adds to the next request (GET request) a Content-Type header.
Workaround:
There is no workaround at this time.
772297-1 : LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
Component: Local Traffic Manager
Symptoms:
When a secondary blade is a new blade, or is booted without a binary db, the LLDP settings on the blade's interfaces are reset to default.
Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.
Impact:
LLDP-related options under 'tmsh net interface' for that secondary blade are reset to default.
Workaround:
Run 'tmsh load sys config' on the primary blade, and the LLDP-settings will reapply to the interfaces.
772233-2 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
Component: Global Traffic Manager (DNS)
Symptoms:
When probing a DNS Path, the round trip time (RTT) metric is not set correctly if the collection protocol used is DNS_DOT or DNS_REV.
The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.
Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.
Impact:
RTT metric is not set at all.
Workaround:
Use the ICMP collection protocol instead.
771173-4 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★
Component: Advanced Firewall Manager
Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.
Conditions:
This happens when upgrading from 12.x to 13.x and beyond.
Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.
Workaround:
You can fix the configuration by modifying it manually after upgrading.
In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>
771025-4 : AVR sends domain names as an aggregate
Component: Application Visibility and Reporting
Symptoms:
AVR sends domain name as an aggregate of a number of domain names.
Conditions:
-- AVR receives more domain names than it can handle.
-- After AVR gets DNS calls with different domain names, it no longer clears the domain names.
-- When AVR reaches the maximum number of total domain names, it starts to aggregate all the new domain names.
Impact:
Cannot see the correct domain name.
Workaround:
None.
770477-1 : SSL aborted when client_hello includes both renegotiation info extension and SCSV
Component: Local Traffic Manager
Symptoms:
Client SSL reports an error and terminates handshake.
Conditions:
The initial client_hello message includes both signaling mechanisms for secure renegotiation: an empty renegotiation_info extension and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value.
Impact:
Unable to connect with SSL.
Workaround:
None.
769997 : ASM removes double quotation characters on cookies
Component: Application Security Manager
Symptoms:
ASM removes the double quotation characters on the cookie.
Conditions:
Cookie sent that contains double quotation marks.
Impact:
The server returns an error because ASM has changed the cookie.
Workaround:
Set asm.strip_asm_cookies to false using the following command:
tmsh modify sys db asm.strip_asm_cookies value false
769981-1 : bd crashes in a specific scenario
Component: Application Security Manager
Symptoms:
bd crashes and produces a core file.
Conditions:
-- XML profile with schema validation is attached to a security policy.
-- The bd.log shows out-of-memory messages relating to XML.
Impact:
Failover; traffic disruption.
Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803
769801-2 : Internal tmm UDP filter does not set checksum
Component: Local Traffic Manager
Symptoms:
An internal tmm UDP filter does not set checksum for outgoing UDP packets.
Conditions:
-- An internal tmm UDP filter is in use.
Impact:
Although a UDP packet with no checksum is permitted, it can cause problems with some firewalls and servers.
Workaround:
For internal tmm UDP filters, add the following to the UDP profile in use:
no_cksum 0
769385-2 : GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message
Component: Global Traffic Manager (DNS)
Symptoms:
GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message:
err mcpd[7649]: error: crypto codec New token is smaller with added values.
Conditions:
Two or more GTM devices with internal FIPS modules are configured with DNSSEC keys with 'use-fips internal' set, and GTM config sync between the devices is configured and enabled.
Impact:
DNSSEC keys are not imported into the FIPS cards of devices that receive the key via a synchronization from another device.
Workaround:
None.
769341-2 : HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs
Component: TMOS
Symptoms:
High availability (HA) failover from the active to the next-active device should delete existing IKEv1 SAs, because the IKEv1 racoon daemon terminates on standby. It should not also delete the IKEv2 SAs at the same time, but it does.
Conditions:
This occurs during failover.
Impact:
The failover deletes IKEv2 SAs that were mirrored for HA. In the event of rapid failover and failback, this issue might result in missing SAs on the active device.
Workaround:
None.
769309-1 : DB monitor reconnects to server on every probe when count = 0
Component: Local Traffic Manager
Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.
Conditions:
This occurs when one of the LTM mssql, mysql, oracle, or postgresql monitor types is configured with the default 'count' value of 0 (zero).
Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.
Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.
769169-4 : BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
Component: TMOS
Symptoms:
BIG-IQ sends a large number of requests to the BIG-IP system to collect statistics, which makes the BIG-IP system slow; eventually the GUI becomes unresponsive.
Conditions:
-- BIG-IQ monitoring a large BIG-IP configuration.
-- With a very large number of requests, and with resource-expensive requests.
Impact:
ICRD requests wait longer in the ICRD queue, which can make the BIG-IP system become unresponsive. The Policy Creation, Device Overview, and stats pages take more time to respond, and eventually the GUI becomes unresponsive on these three pages.
Many process terminated/re-created messages appear in the restjavad logs.
Workaround:
Remove the BIG-IP device from BIG-IQ and restart mcpd.
769145-1 : Syncookie threshold warning is logged when the threshold is disabled
Component: TMOS
Symptoms:
Setting connection.syncookies.threshold to zero disables the threshold, but the system still reports log messages similar to:
warning tmm3[18189]: 01010055:4: Syncookie embryonic connection counter 38 exceeded sys threshold 0
Conditions:
Setting connection.syncookies.threshold to zero.
Impact:
The warnings do not provide valid information. If the threshold value is non-zero, the message does indicate an issue; it is benign only when the end of the message reads 'exceeded sys threshold 0'.
Workaround:
None.
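For log pipelines that ingest /var/log/ltm, the message above is worth filtering on its trailing threshold value rather than on the message ID alone. The following added example (not part of the original release notes) classifies 01010055 syncookie warnings over constructed sample lines, suppressing the benign threshold-0 form and keeping the non-zero form, which still indicates a real condition:

```python
import re
from typing import List, Optional, Tuple

# Message format taken from the warning quoted in the release note (ID 769145).
# The two captured numbers are the embryonic connection counter and the threshold.
SYNCOOKIE_RE = re.compile(
    r"01010055:\d+: Syncookie embryonic connection counter (?P<count>\d+) "
    r"exceeded sys threshold (?P<threshold>\d+)"
)


def classify_syncookie_warning(line: str) -> Optional[str]:
    """Return 'benign' when the warning reports 'sys threshold 0' (threshold
    disabled, so the comparison carries no information), 'actionable' when the
    threshold is non-zero, or None for lines that are not this message at all."""
    match = SYNCOOKIE_RE.search(line)
    if match is None:
        return None
    return "benign" if int(match.group("threshold")) == 0 else "actionable"


def triage(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Split log lines into (actionable, suppressed) syncookie warnings.
    Lines that do not match the message are neither raised nor suppressed."""
    actionable: List[str] = []
    suppressed: List[str] = []
    for line in lines:
        verdict = classify_syncookie_warning(line)
        if verdict == "actionable":
            actionable.append(line)
        elif verdict == "benign":
            suppressed.append(line)
    return actionable, suppressed


# Constructed sample log lines (the tmm instance, PIDs and counters are made up).
SAMPLE_LOG = [
    "warning tmm3[18189]: 01010055:4: Syncookie embryonic connection counter 38 "
    "exceeded sys threshold 0",
    "warning tmm1[18189]: 01010055:4: Syncookie embryonic connection counter 5120 "
    "exceeded sys threshold 4096",
    "notice mcpd[7649]: 01070727:5: Pool /Common/web_pool member 10.0.0.5:80 "
    "monitor status up.",
]

if __name__ == "__main__":
    raised, dropped = triage(SAMPLE_LOG)
    for line in raised:
        print("ALERT:", line)
    print(f"{len(dropped)} benign threshold-0 warning(s) suppressed")
```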
769029-4 : Non-admin users fail to create tmp dir under /var/system/tmp/tmsh
Component: TMOS
Symptoms:
The cron.daily/tmpwatch script deletes the /var/system/tmp/tmsh directory. After some time, the tmsh directory is created again as part of another cron job.
During that interval, if a non-admin user accesses tmsh, tmsh creates the /tmp/tmsh directory with that user's permissions, which creates issues for subsequent non-admin user logons.
Conditions:
A non-admin user accesses tmsh while /var/system/tmp/tmsh is deleted.
Impact:
The first non-admin user can access tmsh. Other, subsequent non-admin users receive the following error:
01420006:3: Can't create temp directory, /var/system/tmp/tmsh/SKrmSB, errno 13] Permission denied.
After some time, the permissions on /var/system/tmp/tmsh are updated automatically.
Workaround:
So that the script deletes 1-day-old temporary files under /var/system/tmp/tmsh without removing the tmsh directory itself, update the last line of /etc/cron.daily/tmpwatch as follows:
tmpwatch --nodirs 1d /var/system/tmp
768025-3 : SAML requests/responses fail with "failed to find certificate"
Component: Access Policy Manager
Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.
Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.
Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.
-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.
-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.
Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with the SAML IdP configuration that is used for signing, change it back to the original certificate, and then apply the policy.
-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.
767877-4 : TMM core with Bandwidth Control on flows egressing on a VLAN group
Component: TMOS
Symptoms:
TMM cores during operation.
Conditions:
Known condition:
1. BWC attached to serverside connflow
2. Serverside traffic traversing/egressing VLAN group
Impact:
Traffic disrupted while tmm restarts.
767737-1 : Timing issues during startup may make an HA peer stay in the inoperative state
Component: TMOS
Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.
Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.
Impact:
An HA peer does not become ACTIVE when it should.
Workaround:
None.
767305-1 : If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
Component: TMOS
Symptoms:
Upon querying a sysTmmStat* SNMP OID (for example, sysTmmStatTmUsageRatio5s), your SNMP client returns an error message similar to the following example:
No Such Instance currently exists at this OID
The very next time you query that same SNMP OID (or any other sysTmmStat* SNMP OID), they all work as expected and return the correct result.
Conditions:
This issue occurs after restarting only the mcpd daemon, i.e., running bigstart restart mcpd.
Impact:
No sysTmmStat* SNMP OID works until one of them has been queried at least once and that query has been allowed to fail. After that, all sysTmmStat* SNMP OIDs work as expected.
Workaround:
Restart all services together, i.e., running the command: bigstart restart.
Should the mcpd daemon happen to be restarted on its own, you can simply ignore the error message and allow your SNMP polling station to fail a single polling cycle.
If you want to ensure that this issue does not occur, for example, so that your SNMP polling station does not generate unnecessary alarms, do not restart the mcpd daemon on its own, but rather restart all services together by running the following command:
bigstart restart
767217-1 : Under certain conditions when deleting an iRule, an incorrect dependency error is seen
Component: Local Traffic Manager
Symptoms:
If an iRule is being referenced by another iRule, and the reference is then removed, attempts to delete the formerly referenced iRule will result in an error similar to the following:
01070265:3: The rule (/Common/irule1) cannot be deleted because it is in use by a rule (/Common/irule2).
Conditions:
-- An iRule referencing another iRule.
-- The referencing iRule is in use.
Impact:
Unable to delete the iRule.
Workaround:
Save and re-load the configuration.
767013-2 : Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
Component: TMOS
Symptoms:
In a rare scenario, the HSB sends a large, continuous stream of pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.
Conditions:
This happens when there is a heavy traffic load on VIPRION B2150 and B2250 blades. The root cause is still under investigation. It happens extremely rarely.
Impact:
The BIG-IP system reboots.
Workaround:
None.
766593-2 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
Component: Local Traffic Manager
Symptoms:
RESOLV::lookup returns an empty string.
Conditions:
The input byte array has a length of exactly 4, 16, or 20.
For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]
Impact:
RESOLV::lookup returns an empty string.
Workaround:
Use lindex with index 0 to pass the first element of the array instead of the whole array.
For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]
766405-1 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device
Component: Service Provider
Symptoms:
The next active device may crash with a core when attempting to create media flows.
Conditions:
The names for the LSN pool and router profile are longer than expected.
Impact:
The TMM on the next-active device may core, and traffic is disrupted while tmm restarts. If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.
Workaround:
None.
766329-1 : SCTP connections do not reflect some SCTP profile settings
Component: TMOS
Symptoms:
The effective receive-chunks, transmit-chunks, in-streams, and out-streams parameters in SCTP traffic do not match the settings from the configured SCTP profile:
-- The in-streams setting alters both the in-streams parameter and the tx-chunks parameter.
-- The out-streams setting alters both the out-streams parameter and the rx-chunks parameter.
-- The tx-chunks setting has no effect.
-- The rx-chunks setting has no effect.
Conditions:
An SCTP virtual server is configured.
Impact:
Unexpected SCTP parameters are negotiated on SCTP connections.
Workaround:
None.
765761-2 : URI Parsing is failing when certificate name contains "[", "]"
Component: TMOS
Symptoms:
Per the URI specification (RFC 3986), '[' and ']' are reserved characters used to delimit IP literals.
When a certificate name contains '[' or ']', URI parsing fails.
Conditions:
Running the 'tmsh load sys config' command when a certificate name contains a reserved character (for example, '[' or ']').
Impact:
'tmsh load sys config' fails with an invalid URI error.
Workaround:
Do not use URI-reserved characters in certificate names.
765413-3 : ASM cluster syncs caused by PB ignored suggestions updates
Component: Application Security Manager
Symptoms:
Frequent syncs occurring within an ASM device group.
Conditions:
Several (updating) suggestions are marked 'ignored'.
Impact:
Syncs appear in the logs (no actual performance degradation).
Workaround:
-- Remove the Ignored Suggestions. (Note: These might be re-added and you must refrain from clicking the Ignore button).
-- Remove the Ignored Suggestions and uncheck the Learn flag for the violation that causes it. (Note: The impact is that the system does not learn this violation anymore, so any future suggestions to amend the policy for that violation will not be created.)
764873-1 : An accelerated flow transmits packets to a dated, down pool member.
Component: TMOS
Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.
Conditions:
A flow changes the pool member it goes to while the flow is accelerated.
Impact:
The traffic continues to target the dated pool member that is not available.
Workaround:
Disable HW acceleration.
Alternatively, on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flows so that they are handled correctly by software:
tmsh modify sys conn flow-accel-type software-only
764373-4 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths
Component: Application Security Manager
Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.
Conditions:
Server sends enforced cookies with the same name but with different paths.
Impact:
A valid request might be rejected.
Workaround:
None.
763157-1 : MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped
Component: Service Provider
Symptoms:
Processing the response to an outbound request at the same time as an inbound request message on the same connection can confuse the internally generated state and cause the inbound request to be dropped.
Conditions:
Processing the response to an outbound request at the same time as an inbound request message on the same connection.
Impact:
The inbound request will be dropped.
Workaround:
None.
763093-4 : LRO packets are not taken into account for ifc_stats (VLAN stats)
Component: Local Traffic Manager
Symptoms:
The ifc_stats do not correctly reflect the number of incoming octets/packets. There is a discrepancy between octets/packets in/out in the ifc_stats table, which tracks per-VLAN stats.
Conditions:
LRO is enabled and used for incoming packets.
Impact:
ifc_stats are incorrect for incoming octets and packets.
Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
After modifying that variable, you must restart tmm for it to take effect (traffic disrupted while tmm restarts):
bigstart restart tmm
762205-3 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
Component: TMOS
Symptoms:
Rekey with non BIG-IP systems can fail when a response contains a VENDOR_ID payload.
Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
[I] [PROTO_ERR]: unexpected critical payload (type 43)
Note: This message may be correctly present under other conditions, with different type constants not equal to 43.
Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.
Workaround:
No workaround is known at this time.
762073-4 : Continuous TMM restarts when HSB drops off the PCI bus
Component: TMOS
Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.
Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.
Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.
Workaround:
Manually reboot the BIG-IP system.
761993-1 : The nsm process may crash if it detects a nexthop mismatch
Component: TMOS
Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.
Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.
Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.
Workaround:
None.
761685-2 : Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set
Component: Service Provider
Symptoms:
Systems that need to create a unique outgoing connection per client connection may silently end up with clients sharing an outgoing connection if routing uses a virtual server as the outgoing connection transport definition and the virtual server has the source-port attribute set to preserve-strict.
Conditions:
-- Routing using a virtual server as the transport definition for the outgoing connection.
-- The virtual server has the source-port attribute set to preserve-strict.
Impact:
Systems that need to create a unique outgoing connection per client connection may silently end up with clients sharing an outgoing connection.
Workaround:
None.
761621-1 : Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"
Component: TMOS
Symptoms:
When ephemeral FQDN pool members exist in a non-Common partition, they are shown as being in the /Common partition on the Local Traffic : Pools : Members page. In the statistics view of the same object, they are shown correctly with their non-Common partition.
Conditions:
-- Ephemeral FQDN pool members exist in a non-Common partition.
-- View the FQDN pool members on the Local Traffic : Pools : Members page.
Impact:
No impact to the configuration; however, the display is confusing and shows contradictory partition information.
Workaround:
None.
761356 : Hyperv SR-IOV: MTU more than 1500 is not supported
Component: TMOS
Symptoms:
Packet length observed (using tcpdump or any other tool) is 1514 bytes.
Conditions:
1. Hyper-V SR-IOV NICs are in use on the BIG-IP system.
2. VLAN MTU is greater than 1500 on the BIG-IP system, and MTU is greater than 1500 on client and server NICs.
Impact:
Jumbo frames do not work.
Note: This is a limitation in the drivers themselves, and is not unique to BIG-IP systems. The same issue occurs if the MTU change is attempted from the Linux command line instead.
Workaround:
None.
761345-4 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
Component: Advanced Firewall Manager
Symptoms:
When manual config-sync mode is enabled for an HA setup, an additional config-sync may be required after firewall blob compilation.
Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.
Impact:
An additional config-sync may be required after compilation completes.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.
Workaround:
Enable auto config-sync instead of manual config-sync.
761321-1 : 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not
Component: TMOS
Symptoms:
'Connection Rate Limit' setting is hidden when it is appropriate to do so. However, the 'Connection Rate Limit Mode' setting is still visible, even when 'Connection Rate Limit' is hidden.
Conditions:
1. Create a Virtual Server with type Standard.
2. Click Configuration 'Advanced'.
3. Enter values for 'Connection Rate Limit' and 'Connection Rate Limit Mode'.
4. Save the configuration.
5. Change the virtual server type to Forwarding (Layer 2).
Impact:
'Connection Rate Limit' is hidden, as it should be, but 'Connection Rate Limit Mode' is not, although it should be hidden as well. Although 'Connection Rate Limit Mode' is available, the system ignores any setting specified.
Workaround:
Do not configure 'Connection Rate Limit Mode', as it has no effect.
761303-1 : Upgrade of standby BIG-IP system results in empty Local Database
Component: Access Policy Manager
Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.
Conditions:
This happens on standby device in a high availability (HA) setup.
Impact:
All previously existing local users disappear from the standby device. If a failover happens, none of the local users can log in.
Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, do the following:
1. Reboot.
2. Switch to a new installation volume.
3. Force stop the localdbmgr process:
bigstart stop localdbmgr
4. Wait at least 15 minutes.
5. Restart the localdbmgr:
bigstart restart localdbmgr
761234-1 : Changing a virtual server to use an address list should be prevented if the VS has a security policy with a logging profile attached
Component: Advanced Firewall Manager
Symptoms:
If you create a virtual server with a single address ('Host' in the GUI) for both its source and destination, then configure the virtual server's security policy with a logging profile, and then (after creating the virtual server) modify the source or destination to use a traffic matching condition, the system reports no error when updating the configuration.
Conditions:
A virtual server has a security policy with a logging profile attached, and an address list is used as the virtual server's source or destination.
Impact:
An invalid configuration is not caught. When later loading the configuration, the system reports a validation error, and the configuration does not load.
Workaround:
None.
761088-2 : Remove policy editing restriction in the GUI while auto-detect language is set
Component: Application Security Manager
Symptoms:
While the policy language is set to auto-detect, policy editing is not allowed.
Conditions:
Create a new policy and set the language to auto-detect.
Impact:
While the policy language is set to auto-detect, policy editing is not allowed.
Workaround:
The policy language must be set to something other than auto-detect to allow the user to edit the policy from the GUI. Policy editing is still possible using the REST API.
760930-3 : MRF SIP ALG with SNAT: Added additional details to log events
Component: Service Provider
Symptoms:
Subscriber name is not included in debug log events for temporary subscriber registration creation and deletion.
Conditions:
Debug log events are generated for temporary subscriber registration creation and deletion.
Impact:
No functional impact, but the associated MRF SIP ALG with SNAT issue might be difficult to debug.
Workaround:
None.
760615-1 : Virtual Server discovery may not work after a GTM device is removed from the sync group
Component: Global Traffic Manager (DNS)
Symptoms:
LTM configuration does not auto-discover GTM-configured virtual servers.
Conditions:
-- GTM is deprovisioned on one or more GTM sync group members, or the sync group is reconfigured on one or more members.
-- Those devices remain present in the GTM configuration as 'gtm server' objects.
-- iQuery is connected to those members.
Impact:
Virtual servers are not discovered or added automatically.
Workaround:
You can use either of the following workarounds:
-- Manually add the desired GTM server virtual servers.
-- Delete the 'gtm server' objects that represent the devices that are no longer part of the GTM sync group. These can then be recreated if the devices are operating as LTM-configured devices.
760370-1 : MRF SIP ALG with SNAT: Next active ingress queue filling
Component: Service Provider
Symptoms:
When running MRF SIP ALG with SNAT, the ingress queue may fill, causing messages to be dropped on the next-active device.
Conditions:
-- The active device determines that an operation can be skipped because the details were already discovered while processing a previous message.
-- The next-active device has not yet processed the previous message and is not able to skip the operation.
Impact:
Mirroring state is lost for the connection.
Workaround:
None.
760356-1 : Users with Application Security Administrator role cannot delete Scheduled Reports
Component: Application Visibility and Reporting
Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.
Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.
Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.
Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.
760164 : BIG-IP VE Compression Offload HA action requires modification of db variable
Component: TMOS
Symptoms:
When TMM detects a compression offload device hang it does not invoke the configured high availability (HA) action.
Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes compression operations.
Impact:
The configured HA action does not occur when a compression offload device hangs. Clients' compression requests eventually time out.
Workaround:
Disable pfmand by running the following commands:
tmsh modify sys db pfmand.healthstatus value disable
tmsh save sys config
The configured HA action will now occur when a compression offload device hangs.
Note: The pfmand daemon is not needed for BIG-IP VE, so disabling the db variable has no impact for BIG-IP VE configurations.
760050-1 : cwnd warning message in log
Component: Local Traffic Manager
Symptoms:
The following benign message appears in the log: cwnd too low.
Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.
Impact:
None. TCP resets the congestion window to 1 MSS.
Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.
760000 : Cannot select individual reporting fields for destination Splunk
Component: Policy Enforcement Manager
Symptoms:
Cannot select individual reporting fields (flow or session granularity) for the reporting destination Splunk.
Conditions:
This occurs when individual reporting fields are selected for reporting destination Splunk.
Impact:
The report has all the fields as opposed to just the selected ones.
759968-4 : Distinct vCMP guests are able to cluster with each other.
Component: Local Traffic Manager
Symptoms:
--Distinct vCMP guests are able to cluster with each other.
--Guests end up having a duplicate rebroad_mac on one or more slots. This can be checked using the following command:
clsh tmctl -d blade tmm/vcmp -w 200
Look at the "rebroad_mac" field.
Conditions:
--It is not yet clear under what circumstances the issue occurs.
--One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate "rebroad_mac" on one or more slots.
Impact:
Only the vCMP guest acting as primary will be operative.
Workaround:
--Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:
modify sys db clusterd.communicateovertmmbp value false
Note: This command should be issued on the guest acting as primary since config changes are only allowed on cluster primary.
759606-1 : REST error message is logged every five minutes on vCMP Guest
Component: TMOS
Symptoms:
Guestagentd periodically logs the following REST error message for each secondary slot in /var/log/ltm:
Rest request failed{"code":502."message":"This is a non-primary slot on the Viprion. Please access this device through the cluster address.","restOperationId":6410038,"kind":":resterrorresponse"}
Conditions:
Upgrade a vCMP guest from pre-13.1.x to a 13.1.x or later version.
Impact:
There is stale stat information for vCMP guests running on secondary slots.
Workaround:
Create a Log Filter with no publisher on the vCMP guest to discard the specific error message:
sys log-config filter Filter_RestError {
level info
message-id 01810007
source guestagentd
}
759499-1 : Upgrade from version 12.1.3.7 to version 14.1.0 failing with error★
Component: TMOS
Symptoms:
Upgrade from version 12.1.3.7 to version 14.1.0 fails. Running 'tmsh show sys software' shows the following message:
failed (Could not access configuration source; sda,n)
Conditions:
1. Install BIG-IP version 12.1.3.7 in new volume.
2. From 12.1.3.7, try to install 14.1.0 in new volume.
Impact:
Upgrade fails.
Workaround:
To work around this issue, delete the 14.1.0 volume and try the installation again.
The second installation of 14.1.0 succeeds in this scenario.
759392-1 : HTTP_REQUEST iRule event triggered for internal APM request
Component: Access Policy Manager
Symptoms:
Requests for the internal APM renderer for logo customization trigger the HTTP_REQUEST iRule event.
Conditions:
Customized logo in Access Profile
Impact:
HTTP_REQUEST event will be raised for requests for the customized logo in the Access Profile.
Workaround:
Inside the HTTP_REQUEST event, if a certain action must not be taken on the customized logo, check that the requested URL does not equal the URL for the logo (it starts with '/public/images/customization/' and contains the image name).
759077-1 : MRF SIP filter queue sizes not configurable
Component: Service Provider
Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.
Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes is exceeded, the filter enables its flow control logic.
Impact:
Messages may be dropped.
Workaround:
None.
759046 : "PEM::session info" does not set IMSI, IMEISV of a subscriber
Component: Policy Enforcement Manager
Symptoms:
Cannot set the IMSI or IMEISV of a subscriber to values greater than 2,147,483,647 using the iRule command PEM::session info <ip addr> <imsi | imeisv> <value>.
Conditions:
Trying to set IMSI and IMEISV attributes of a subscriber to values greater than 2,147,483,647 (INT32 max value) using PEM::session info iRule returns an error.
Impact:
Cannot set the IMSI or IMEISV attributes using PEM::session info with values greater than 2,147,483,647.
Workaround:
If the IMSI or IMEISV attributes need to be set to values greater than 2,147,483,647, force Tcl to interpret them as strings by using the iRule command as follows:
PEM::session info <ip addr> <imsi | imeisv> [format %d <value>]
758996-2 : Data in the 'Last 4 hours' view have a 1-hour delay
Component: Application Visibility and Reporting
Symptoms:
AVR aggregates data hourly, so data reported in the 'Last 4 hours' view are shown with a 1-hour delay.
Conditions:
Viewing data in the 'Last 4 hours' view.
Impact:
Some data in the 'Last 4 hours' view is reported after a 1-hour delay.
Workaround:
None.
758992-3 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
Component: Local Traffic Manager
Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.
Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.
Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.
Impact:
Incorrect MAC address used for traffic associated with the traffic-group.
Workaround:
None.
758387-1 : BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it
Component: TMOS
Symptoms:
In STP 'passthru' mode, any packet sent to the BIG-IP system with a destination MAC of 01-80-c2-00-00-00 is treated as an STP bridge protocol data unit (BPDU), and is flooded to the VLAN.
Conditions:
-- The BIG-IP system is configured for STP 'passthru' mode.
-- The BIG-IP system receives a packet with MAC 01-80-c2-00-00-00.
Impact:
A packet that is not an STP BPDU, but is sent to the same destination MAC address may be flooded as if it was a BPDU.
Workaround:
None.
757781-4 : Portal Access: cookie exchange may be broken sometimes
Component: Access Policy Manager
Symptoms:
Portal Access uses a special HTTP request with the URL '/private/fm/volatile.html' to exchange cookie data between the client and the BIG-IP system. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.
Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.
Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.
Workaround:
None.
757722-3 : Unknown notify message types unsupported in IKEv2
Component: TMOS
Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.
Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.
Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.
Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.
757340 : TMCTL stats counters are still available for QoE module which is deprecated
Component: Policy Enforcement Manager
Symptoms:
The QoE module is deprecated as of 15.0.0, but tmctl stats counters are still available for it.
Conditions:
View PEM action and High Speed Logging (HSL) stats using the tmctl command, for example:
-- tmctl -w120 pem_actions_stat
-- tmctl -w120 pem_hsl_stat
Impact:
There is no functional impact. Because QoE cannot be configured or used, the stats are never updated; their values are always zero and can be ignored.
Workaround:
None.
757306-1 : SNMP MIBS for AFM NAT do not yet exist
Component: Advanced Firewall Manager
Symptoms:
SNMP MIBS for AFM NAT do not yet exist.
Conditions:
This occurs in normal operation.
Impact:
Unable to read values that do not exist in SNMP, meaning that you cannot access information that you need.
Workaround:
None.
757029-1 : Ephemeral pool members may not be created after config load or reboot
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.
As a result, some pools may not have any active pool members, and do not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configured FQDN name.
756998-2 : DoSL7 Record Traffic feature is not recording traffic
Component: Application Security Manager
Symptoms:
Enabling 'Record Traffic During Attacks' in the DoS Application Profile does not record traffic during attacks: TCP Dump files are not being created in the /shared/dosl7/tcpdumps/ directory as expected.
Conditions:
-- Enabling 'Record Traffic During Attacks' in the DoS Application Profile.
-- DoSL7 Attacks are detected.
Impact:
Attack traffic is not being recorded as expected.
Workaround:
None.
756402-3 : Re-transmitted IPsec packets can have garbled contents
Component: TMOS
Symptoms:
Before a packet is re-transmitted, it is discovered to be garbled, mainly in the form of a physical length that no longer matches the logical length recorded inside the packet.
Conditions:
Possibly rare condition that might cause packet freeing while still in use.
Impact:
Likely tunnel outage until re-established.
Workaround:
No workaround is known at this time.
756376 : Residual folders after uninstalling the cloudhsm from BIG-IP
Component: Local Traffic Manager
Symptoms:
After uninstalling cloudhsm from the BIG-IP system, you can still see /etc and /run in the installation path (/shared/cloudhsm or /opt/cloudhsm). Inside /etc, there are some old cloudhsm config file backups, which may take disk space, depending on how many times you have configured cloudhsm.
Conditions:
When uninstalling AWS cloudhsm from the BIG-IP system.
Impact:
The leftover folders may take some disk space.
Workaround:
You can manually delete these folders to free up space if you do not need them. However, keep in mind these old configuration backup files are intentionally kept by AWS cloudhsm.
756250 : On Demand Cert Auth Mode option set to Require in Per-Request Policy
Component: Access Policy Manager
Symptoms:
Setting the On Demand Cert Auth Mode option to 'Require' in a per-request policy causes the browser to spin if no certificate is provided.
Conditions:
-- In a Per Request Policy, set On Demand Cert Auth to Require.
-- LTM client SSL profile configured similar to the following:
ltm profile client-ssl /Common/test_clientssl_ignore {
ca-file /Common/BACKEND_ROOT
client-cert-ca /Common/BACKEND_ROOT
inherit-ca-certkeychain true
inherit-certkeychain true
peer-cert-mode ignore
}
-- Virtual server containing the client SSL profile and Per Request Policy.
-- Navigate to the virtual server using a browser that has no client certificate.
-- Press F5 (Refresh) after receiving the RST.
Impact:
The browser does not receive a response for one or more minutes, until you get an RST.
The tmm log shows messages similar to the following:
[C] 172.31.68.130:582 -> 172.31.73.74:443:ERR_NOT_FOUND: access2 token not found; subsession might be inactive
Workaround:
The client browser must have a valid SSL certificate for the BIG-IP system to pass on demand certificate authentication in a per-request policy and avoid a delayed RST. Setting the Auth Mode to Require should only be used if the client provides a client certificate.
756234 : In SSL forward proxy, forged untrusted server certs are no longer cached.
Component: Local Traffic Manager
Symptoms:
Previously, SSL forward proxy cached forged server certs on the client side even if the server cert was untrusted. Now, SSL forward proxy does not cache the forged cert if the server cert is untrusted.
Conditions:
SSL forward proxy is enabled and server cert is untrusted.
Impact:
You might notice a performance impact compared with previous releases.
Workaround:
None.
756102-1 : TMM can crash with core on ABORT signal due to non-responsive AVR code
Component: Application Visibility and Reporting
Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.
Conditions:
Non-responsive AVR code. No other special conditions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
755791-1 : UDP monitor not behaving properly on different ICMP reject codes.
Component: Local Traffic Manager
Symptoms:
Unexpected or improper pool/node member status.
Conditions:
The BIG-IP system receives the ICMP rejection code as icmp-net/host-unreachable.
Impact:
The monitor might consider a server available when some type of ICMP rejection has been received that is not port unreachable.
Workaround:
You can use either of the following workarounds:
-- Use UDP monitors configured with a receive string.
-- Do not use UDP monitors.
755727-1 : Ephemeral pool members not created after DNS flap and address record changes
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.
Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.
Conditions:
This issue may occur under rare timing conditions when the following factors are present:
-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.
Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.
Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:
1. Restart the dynconfd daemon:
bigstart restart dynconfd
2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }
To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.
755716-2 : IPsec connection can fail if connflow expiration happens before IKE encryption
Component: TMOS
Symptoms:
IKEv2 negotiation fails, and tmm log shows the following error:
notice [INTERNAL_ERR]: ikev2....: Invalid BIG-IP flow context
Conditions:
Unusual timing that results in connflow expiration immediately preceding Diffie-Hellman generation.
Impact:
IKE Negotiation fails, so an SA cannot be established.
Workaround:
None.
754691-2 : During failover, an OSPF routing daemon may crash.
Component: TMOS
Symptoms:
With a specific OSPF configuration, during a failover, a peer which is changed from standby to active may experience an ospfd daemon crash.
Conditions:
High availability configuration with a routing configuration:
1) access-list with 0.0.0.0/0 filtering:
access-list 199 remark test
access-list 199 deny ip host 0.0.0.0 host 0.0.0.0
access-list 199 permit ip any any
2) OSPF router with this access-list:
router ospf 1
ospf router-id 10.14.0.11
bfd all-interfaces
network 10.14.0.0/16 area 0.0.0.1
distribute-list 199 in
!
-- The device with this configuration is in the standby state.
-- A failover occurs.
Impact:
An OSPF daemon crashes, losing routing information and OSPF dynamic routes for a moment while ospfd daemon restarts.
Workaround:
None.
754553 : STP fails when passed through a BIG-IP system in VLAN group L2 transparent mode with bridge mode enabled
Component: Local Traffic Manager
Symptoms:
STP error at the STP-enabled switch ports results in the switch ports being blocked.
Conditions:
-- BIG-IP system configured in VLAN group L2 transparent mode with bridge mode enabled.
-- STP traffic between source and sink switch ports passing through the BIG-IP system.
Impact:
Traffic does not pass through the BIG-IP system.
Workaround:
Use one of the following workarounds:
-- Disable STP on the switch ports.
-- Disable bridge mode on the VLAN group.
754525-2 : Disabled virtual server accepts and serves traffic after restart
Component: Local Traffic Manager
Symptoms:
Disabled virtual servers accept traffic after being upgraded to an affected version, or after restarting.
Conditions:
1. A virtual server is configured on pre-v14.1.0.
2. Disable the virtual server.
3. Either upgrade to an affected version, or restart the system.
Impact:
The virtual server remains 'Disabled', but it accepts and processes traffic.
Workaround:
To correct the behavior, manually enable/disable the virtual server.
754335-2 : Install ISO does not boot on BIG-IP VE
Component: TMOS
Symptoms:
The install ISO does not boot on BIG-IP Virtual Edition (VE).
Conditions:
Attempting to boot a BIG-IP VE from a virtual DVD-ROM drive loaded with an affected ISO file.
Impact:
The system does not fully boot and hangs, preventing you from performing an installation or using the live environment for other recovery purposes.
Workaround:
To work around this issue, boot the BIG-IP VE from an ISO file earlier than 14.1.0. If necessary, install that version, and then upgrade to 14.1.0 using the live installer.
753482 : Proxy initialization fails/port denied when excessively large max header size is set in the HTTP/1 profile
Component: Local Traffic Manager
Symptoms:
If the configuration has an excessively large 'Maximum Header Size' value in the HTTP/1 profile on a virtual server that also has HTTP/2, initialization fails.
The tmm log file contains messages similar to the following:
notice Proxy initialization failed for /Common/https_virtual1. Defaulting to DENY.
The ltm log file contains messages that indicate that the virtual server is not accepting traffic.
Conditions:
-- Large max_header_size (e.g., 4294967295) is configured in HTTP profile.
-- The system does not have enough free memory.
Impact:
-- As a result, the initialization fails.
-- Browsing via the virtual server does not work.
Workaround:
To prevent this issue from occurring, if a virtual server has an HTTP/2 profile on it, the max_header_size value inside the HTTP profile should be between 0 and 131072.
753358 : Deprecated Fields in Bot Defense Request Log
Component: Application Security Manager
Symptoms:
Some fields in the Bot Defense request log have been supplanted by new ones that add more information reflecting new features.
There are duplicated fields in the Bot Defense request log. The previous fields are being kept for backward compatibility so that existing code reading the remote logs does not break. Their presence might introduce confusion as to their significance and use.
Conditions:
Using the Bot Defense remote logger.
Impact:
Redundant fields that may create confusion.
Workaround:
You can safely ignore these fields and use the new ones.
752940 : False positive illegal meta char violation in param name
Component: Application Security Manager
Symptoms:
A false-positive illegal meta character violation is raised on a parameter name.
Conditions:
-- There is a definition for an illegal meta char.
-- That meta char arrives escaped.
Impact:
False positive violation.
Workaround:
Change the illegal meta character settings for the parameter name.
752163 : PEM::session info cannot set subscriber type and ID
Component: Policy Enforcement Manager
Symptoms:
Cannot set the subscriber type and ID with iRule PEM::session info <subs-id | subs-type | subscriber-type | subscriber-id > <value>.
Conditions:
Trying to set the subscriber type and ID attributes using the following iRule commands returns an error.
PEM::session info <ip> subscriber-id <value>
PEM::session info <ip> subscriber-type <value>
PEM::session info <ip> subs-id <value>
PEM::session info <ip> subs-type <value>
Impact:
Cannot set subscriber type and ID using the PEM::session info iRule command.
Workaround:
Set the subscriber type and ID together using the following iRule command:
PEM::session info <ip addr> subscriber <subscriber-id> <subscriber-type>
751924-1 : TSO packet bit fails IPsec during ESP encryption
Component: TMOS
Symptoms:
An internal error occurs when a packet with the TCP segmentation offload bit set, which is not expected there, reaches the ESP crypto code in IPsec.
Conditions:
Traffic passing through ESP encapsulation for an IPsec tunnel when the TSO bit (for TcpSegmentationOffload) is set on the packet involved.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
751581-4 : REST API timeout while querying a large number of persistence profiles
Component: TMOS
Symptoms:
When you have a large number of collections on the BIG-IP system, the REST API appears to time out without any response from the BIG-IP system.
Conditions:
When the BIG-IP system has a large number of persistence profiles.
Impact:
The REST API times out when it queries the BIG-IP system for persistence profiles. No response is sent for the given REST API request.
Workaround:
When you have a large number of collections, it is recommended that you use the paging mechanism.
Please refer to https://devcentral.f5.com/d/icontrol-rest-user-guide-version-131-246.
"iControl REST supports pagination options for large collections."
751540 : GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
Component: Global Traffic Manager (DNS)
Symptoms:
GTM changes in some devices are not synced to other GTM-configured devices in the same syncgroup.
Conditions:
-- There are multiple self IP addresses configured on one VLAN.
-- Some, but not all, self IP addresses are configured for GTM server.
Impact:
GTM Sync group not syncing properly.
Workaround:
Configure all self IP addresses in the syncgroup for GTM server.
747203-1 : Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
Component: TMOS
Symptoms:
-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.
Conditions:
-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers results in distributing the legs of processing for one flow across several tmm instances.
Impact:
NATT/ESP tunnel flows can end with a RST reset.
Workaround:
None.
746464-7 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
This can be encountered when rapidly making changes to files, such as creating and then deleting them, while the config sync of the file creation is still in progress.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
744280-4 : Enabling or disabling a Distributed Application results in a small memory leak
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling or disabling a Distributed Application results in an 8-byte memory leak.
Conditions:
Enabling or disabling a Distributed Application.
Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.
Workaround:
None.
743803-6 : IKEv2 potential double free of object when async request queueing fails
Component: TMOS
Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.
Conditions:
When an async IPsec crypto operation fails to queue.
Impact:
Restart of tmm. All tunnels lost must be re-established.
Workaround:
No workaround known at this time.
742105 : Displaying network map with virtual servers is slow
Component: TMOS
Symptoms:
The network map loads slowly when it contains lots of objects.
Conditions:
Load the network map in a configuration that contains 1000 or more objects.
Impact:
The network map loads very slowly.
Workaround:
None.
741213-1 : Modifying disabled PEM policy causes coredump
Component: Policy Enforcement Manager
Symptoms:
TMM undergoes core dump after a disabled policy has a new rule added.
Conditions:
-- Add a rule to disabled PEM policy.
-- Enable the PEM policy, and this policy is applied by PCRF.
-- Traffic is generated for this subscriber.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
Modify a PEM policy only when the policy is enabled.
741203 : DNS cache will respond from cache for records with TTL=0
Component: Global Traffic Manager (DNS)
Symptoms:
When a query reply with TTL=0 is received by DNS cache, the BIG-IP system caches the result for a short amount of time (slightly less than one second). Queries made to the cache during this time receive a response from the cache, and do not come from the origin server.
Conditions:
-- DNS cache is configured.
-- A query reply with TTL=0 is received by DNS cache
Impact:
Even though the TTL of zero implies that responses are not cached, they are. This means that for clients requesting that cached record during that very short period of time (less than a second) the BIG-IP system sends it from the cache, rather than from the origin DNS server.
Workaround:
None.
740280 : Configuration Utility and tmsh may not validate Certificate Authority profile names
Component: TMOS
Symptoms:
Under certain circumstances it is possible to create a Certificate Authority profile with the same name as an already existing profile. The system should prevent the creation of the duplicate-name profile, but it allows it. Once the duplicate-name profile is created, the system reports a validation error when loading the configuration.
Conditions:
-- A profile exists with a specific name.
-- A new Certificate Authority profile is created with the same name as the existing profile.
-- The configuration with the new Certificate Authority profile is saved (note that this should not be allowed, and validation should fail and prevent the save operation).
Impact:
Although this is a prohibited configuration, the system does not prevent it. After saving, when you reload the configuration using the command 'tmsh load sys configuration', the system reports a validation error similar to the following:
01070293:3: The profile name (/Common/ca_profile_name) is already assigned to another profile.
Unexpected Error: Validating configuration process failed.
Workaround:
There is no workaround other than to ensure that every Certificate Authority profile has a unique name.
739042 : SWG ACE database download for antserver uses direct connection and does not go through upstream proxy configured.
Component: Access Policy Manager
Symptoms:
SWG ACE database download for antserver uses direct connection and does not go through the upstream proxy configured.
Conditions:
-- Configure Upstream Proxy information in System Settings.
-- Enable Use-Proxy in SWG Database Download.
Impact:
ACE database download fails where there is no direct Internet connectivity.
Workaround:
Modify /var/antserver/wsgsdk/bin/DDSCommWrapper.py as follows:
use_proxy = True
proxy = "<<proxy-ip>>"
proxy_port = "<<proxy-port>>"
user_name = None
password = None
[..]
def get_proxy_info():
    global use_proxy
    global proxy
    global proxy_port
    global user_name
    global password
    use_proxy = True  # changed from 'False' to 'True'
738943-2 : imish command hangs when ospfd is enabled
Component: TMOS
Symptoms:
The imish command hangs.
Conditions:
-- Dynamic routing is enabled.
-- The ospfd protocol is enabled.
-- You run the imish command.
Impact:
You cannot show the dynamic routing state using imish.
Workaround:
Restart the ospfd daemon.
737558 : Protocol Inspection user interface elements are active but do not work
Component: Protocol Inspection
Symptoms:
Protocol Inspection (PI) user interface options are present, but are not applied to traffic.
Protocol Inspection (PI) now requires the presence of either an add-on subscription or an AFM standalone license for any of the features to work. A 'Good' or 'Better' license does not activate the PI features. The Configuration Utility still allows you to configure inspection profiles, compliance checks, and signatures, but they are not applied to traffic. There is no feedback that they are not applied.
Conditions:
-- AFM licensed and provisioned through 'Good' or 'Better' license, but no add-on subscription license for Protocol Inspection. Alternately, AFM licensed as an add-on module to another module (typically LTM).
-- PI profile configured and applied to a virtual server or referenced in a firewall rule in an active firewall policy.
Impact:
If you previously had Protocol Inspection configured without the add-on license installed, the features are no longer applied to traffic until the add-on license is obtained. However, the GUI options remain active.
Workaround:
None.
737346 : After entering the username and before the password, the logging-in user's failure count is incremented.
Component: TMOS
Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.
Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.
Note: This does not apply to GUI or iControl REST logins.
Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.
Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.
726176-1 : platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
Component: Local Traffic Manager
Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.
Conditions:
This issue occurs when all of the following conditions are met:
-- You are running on a BIG-IP platform using RSS DAG hash, for instance, the z100 or the 2000- or 4000-series hardware platforms.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.
Impact:
Traffic throughput may be degraded.
Workaround:
Set source-port to change.
723419 : tmsh does not automatically add websso and rba information when access profile associated to a virtual server
Component: Access Policy Manager
Symptoms:
After an access profile is associated with a virtual server via tmsh, connections get reset with this error signature in /var/log/ltm:
err tmm1[7894]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_enforce_acl, Line: 11058
Conditions:
This occurs when using tmsh to add an access profile to a virtual server.
Impact:
The access profile is added, but its dependent profiles are not, and connections are reset.
Workaround:
Use the GUI to add the access profile.
722230 : Cannot delete FQDN template node if another FQDN node resolves to same IP address
Component: TMOS
Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.
Conditions:
This occurs under the following conditions:
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.
Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.
Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.
721338 : Error creating application service from imported iApp Template
Component: TMOS
Symptoms:
When creating an app service from an imported iApp template, the system might generate error messages similar to the following examples:
-- Error parsing template:can't eval proc: "script::run" script does not exist while executing "tmsh::run_proc f5.iapp.1.5.3.cli:tmsh::run_proc f5.iapp.1.5.6.cli:iapp_safe_display ::choices" (procedure "script::run" line 3) invoked from within "script::run" line:1.
-- notice scriptd[30977]: 014f0005:5: AUDIT - user=testuser1 action="run stand-alone script: Script" status="can't eval proc: "script::run" script does not exist.
Conditions:
Create a new virtual server using an imported iApp template.
Impact:
Cannot deploy application service from imported iApp.
Workaround:
Although there is no workaround that prevents the issue, you can recover by forcing the mcpd process to reload the BIG-IP configuration.
To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
720434-2 : Multi-blade Chassis iAppLX Package upgrade sync is incomplete across blades
Component: Device Management
Symptoms:
Some iAppLX package files on primary blade do not exist on secondary blades.
Conditions:
After installing an iAppLX package on a multi-blade chassis the package files are synced to other blades. This process is not instantaneous and may take several minutes.
During this time if the same iAppLX package is upgraded, not all of the files will be synced across blades, and an incomplete iAppLX package will exist on secondary blades.
Impact:
When a failover occurs to a blade with an incomplete iAppLX package, parts of the iAppLX GUI may not work.
Workaround:
To trigger a resync of files from primary to secondary blades run the following command:
bigstart restart csyncd
719711 : BIG-IP system reboots due to watchdog timeout or Southbridge system reset
Component: TMOS
Symptoms:
The BIG-IP system spontaneously reboots if it is running a release with the Meltdown fixes and uses an AMD processor.
The system logs messages similar to the following in /var/log/ltm after the reboot:
-- notice chmand[7529]: 012a0005:5: CPLD indicates prior Host CPU subsystem reset
-- notice chmand[7529]: 012a0005:5: Host CPU subsystem reset - PCI reset asserted
-- chmand[7529]: 012a0005:5: Host CPU subsystem reset caused by a Southbridge system reset
Conditions:
-- BIG-IP systems with AMD processors.
-- Running a release that contains the Meltdown fixes.
For details about which software versions contain these fixes, see K91229003: Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 :: https://support.f5.com/csp/article/K91229003.
Impact:
The BIG-IP system reboots causing traffic disruption.
Workaround:
The workaround is to disable PTI, save the config and reboot. The reboot is required to ensure that the BIG-IP system has never been in a state where PTI was enabled.
# tmsh modify sys db kernel.pti value disable
# tmsh save sys config
# reboot
718405-4 : RSA signature PAYLOAD_AUTH mismatch with certificates
Component: TMOS
Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.
The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.
Conditions:
Interoperating with other vendors under IKEv2 while using certificates.
Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.
Workaround:
Use pre-shared key authentication.
715379-4 : IKEv2 accepts asn1dn for peers-id only as file path of certificate file
Component: TMOS
Symptoms:
IKEv2 only has a very inconvenient way to specify ID for an ike-peer when using peers-id-type asn1dn. The string value of peers-id-value was understood only as a file path, and not as a representation of the asn1dn value itself. The file had to be a certificate, whose subject happened to be the ID of the remote peer as a distinguished name (DN), so this could be extracted as binary DER for asn1dn. This was both awkward and error prone, requiring what amounts to a copy of a peer's certificate before it is sent during negotiation.
Conditions:
-- Using certificate based authentication in IPsec IKEv2.
-- Configuring an ike-peer with peers-id-type as asn1dn.
Impact:
Very difficult to use asn1dn as the ID of a peer, impeding inter-operation with other vendors.
Workaround:
If you can install a local copy of the peer's certificate, with an asn1dn value inside matching what that peer will actually send in an IKE_AUTH exchange, IKEv2 can extract the asn1dn provided the value of peers-id-value is an absolute file system path to this local certificate copy.
713183-1 : Malformed JSON files may be present on vCMP host
Component: TMOS
Symptoms:
Malformed JSON files may be present on vCMP host.
Conditions:
Not all triggering conditions have been identified yet. The following are known:
- vCMP is provisioned.
- Guests are deployed.
- Software versions later than 11.6.0 for both guest/host may be affected.
Impact:
Some vCMP guests may not show up in the output of the command:
tmsh show vcmp health
In addition, there might be files present named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.
There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.
Workaround:
None.
711248 : After upgrade to 13.1.0 or later, mcpd fails to start due to syslog config parsing error.★
Solution Article: K96275603
Component: TMOS
Symptoms:
Prior to 13.1.0, the left square bracket character '[' was not treated as a special character and therefore did not have to be escaped with a '\'.
13.1.0 (and later) uses a newer version of syslog-ng, 3.8.1, where the left square bracket '[' is a special character and needs to be escaped.
If you have a syslog filter that includes a match statement that formerly escaped only the right square bracket and not the left, when you upgrade to 13.1.0 or later, mcpd will fail to start with the following error:
01070920:3: Application error for confpp: Error parsing filter expression, error compiling search pattern, error=Error while compiling PCRE expression, error=missing terminating ] for character class, error_at=10 in /etc/syslog-ng/syslog-ng.conf.
Conditions:
-- The pre-v13.1.0 configuration contains a syslog filter that matches a string that contains a left and right square bracket.
-- Only the right square bracket is escaped with 2 backslashes.
For example:
filter f_ssl_acc_req {
not (facility(local6) and level(info) and match('[ssl_acc\\]')) or
not (facility(local6) and level(info) and match('[ssl_req\\]'));
};
Impact:
The BIG-IP system fails to start.
Workaround:
You can use either of the following workarounds:
-- Prior to upgrading, edit the syslog configuration with 'tmsh edit /sys syslog all-properties' and escape the left square bracket with 4 backslashes, so that [ssl_acc\\] becomes \\\\[ssl_acc\\].
Example steps for vi editor
===========================
Change from:
filter f_ssl_acc_req {
not (facility(local6) and level(info) and match('[ssl_acc\\]')) or
not (facility(local6) and level(info) and match('[ssl_req\\]'));
};
Change to:
filter f_ssl_acc_req {
not (facility(local6) and level(info) and match('\\\\[ssl_acc\\]')) or
not (facility(local6) and level(info) and match('\\\\[ssl_req\\]'));
};
For more detailed instructions see K96275603: The mcpd process may not start due to a syslog configuration parsing error after upgrading to BIG-IP 13.1.0 or later :: https://support.f5.com/csp/article/K96275603.
-- You can prevent the issue from occurring altogether by defining filters using guidelines outlined in the following documents:
-- K16932: Configuring the BIG-IP system to suppress sending SSL access and request messages to remote syslog servers :: https://support.f5.com/csp/article/K16932.
-- Syslog-ng FAQ :: https://syslog-ng.com/wiki/syslog-ng-faq-filters.
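As an added example (not from the F5 article or K96275603), the following Python checks a tmsh 'sys syslog include' string for match() patterns in the half-escaped form described above and rewrites them with the four-backslash prefix. It assumes one layer of backslash processing between the tmsh text and the regex engine, so that the tmsh pattern '[ssl_acc\\]' reaches PCRE as [ssl_acc\] (a 10-character unterminated character class, consistent with the error_at=10 in the message quoted above); Python's re module stands in for PCRE to show the failure and the fixed pattern.

```python
"""Added example, not F5's code: flag and repair syslog-ng match() patterns
that escape ']' but not '[' in a tmsh 'sys syslog include' string, which
breaks mcpd startup on 13.1.0+ (PCRE: missing terminating ] for character class).

Assumption: one layer of backslash processing sits between the tmsh text and
the regex engine, so the tmsh pattern '[ssl_acc\\]' reaches PCRE as [ssl_acc\]
(10 characters, matching error_at=10 on the page). Python's re module stands in
for PCRE here; both reject an unterminated character class.
"""
import re

# Constructed sample: the pre-13.1.0 filter quoted on the page.
SAMPLE_INCLUDE = r"""
filter f_ssl_acc_req {
    not (facility(local6) and level(info) and match('[ssl_acc\\]')) or
    not (facility(local6) and level(info) and match('[ssl_req\\]'));
};
"""

# match('<pattern>') as it appears in the syslog-ng filter text.
MATCH_RE = re.compile(r"match\('([^']*)'\)")


def is_half_escaped(pattern):
    """True when ']' is backslash-escaped but no '[' in the pattern is."""
    return "\\]" in pattern and "[" in pattern and "\\[" not in pattern


def fix_pattern(pattern):
    """Prefix each unescaped '[' with four backslashes, as K96275603 directs."""
    return re.sub(r"(?<!\\)\[", lambda _m: "\\" * 4 + "[", pattern)


def find_problems(include_text):
    """Return the match() patterns that will fail to compile after upgrade."""
    return [m.group(1) for m in MATCH_RE.finditer(include_text)
            if is_half_escaped(m.group(1))]


def fix_include(include_text):
    """Rewrite the include text so every problem pattern is fully escaped."""
    def repl(m):
        pat = m.group(1)
        return "match('%s')" % (fix_pattern(pat) if is_half_escaped(pat) else pat)
    return MATCH_RE.sub(repl, include_text)


def engine_accepts(engine_pattern):
    """Compile the pattern as the regex engine sees it after unescaping."""
    try:
        re.compile(engine_pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    for bad in find_problems(SAMPLE_INCLUDE):
        print("half-escaped:", bad)
    print(fix_include(SAMPLE_INCLUDE))
    # What the engine sees: unfixed form rejected, fixed form accepted.
    print(engine_accepts(r"[ssl_acc\]"), engine_accepts(r"\[ssl_acc\]"))
```

Run find_problems() against the output of 'tmsh list sys syslog include' before the upgrade; an empty list means the filters are safe, and fix_include() gives the text to paste back in.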
709563 : New blob compilation may fail with 'No Blobs available' error
Component: Advanced Firewall Manager
Symptoms:
After modifying the firewall configuration, compilation of the new blob may fail with a 'No Blobs available' error.
Conditions:
Modifying firewall policies and rules.
Impact:
Firewall configuration changes are not applied. The previous configuration is used in data-path for processing data traffic.
Workaround:
Restart both tmm and pccd with the command:
bigstart restart tmm pccd
Traffic is disrupted while tmm restarts.
Note: Versions 12.0.0 and later now better handle blob activation, so this is no longer an issue.
709381-3 : iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.
Component: Local Traffic Manager
Symptoms:
An iRules LX plugin does not properly run and messages similar to the following example are logged to the /var/log/ltm file:
err tmm[17616]: 01220001:3: TCL error: /Common/my-plugin/my-rule <HTTP_REQUEST> - ILX timeout. invoked from within "ILX::call $ilx_handle -timeout 3000 my-function"
Conditions:
An iRules LX workspace archive is imported to BIG-IP version 13.1.0 or later from a previous software version.
It should be noted this is what happens during a regular software upgrade. Therefore, you might encounter this issue when upgrading a system to BIG-IP version 13.1.0 or later.
Impact:
The affected iRules LX are not functional under the new software version, and the virtual servers utilizing them will experience various failures.
Workaround:
Change the node version from 0.12.15 to 6.9.1 and back.
708549 : The SNMP ipNetToMediaPhysAddress table is not supported in version 12.1.2 and forward
Component: TMOS
Symptoms:
If LTM pool member MAC addresses were being learned through this table, they must now be retrieved through tmsh or the iControl REST API.
Conditions:
The use of SNMP to learn the MAC addresses of LTM pool members.
Impact:
The SNMP ipNetToMediaPhysAddress table is no longer present.
Workaround:
Use tmsh to display node MAC addresses: 'tmsh show net arp' (IPv4) and 'tmsh show net ndp' (IPv6).
703090-2 : With many iApps configured, scriptd may fail to start
Component: TMOS
Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:
"script has exceeded its time to live, terminating the script"
Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.
Impact:
The error message will show up, and some instances of the script will not run.
Workaround:
Restarting scriptd will resolve the issue.
701341 : If /config/BigDB.dat is empty, mcpd continuously restarts
Solution Article: K52941103
Component: TMOS
Symptoms:
If another issue causes /config/BigDB.dat to be empty, mcpd will fail to start up.
Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.
Impact:
The system will fail to start up, and mcpd will continually restart.
Workaround:
Remove this empty file. (If BigDB.dat is nonexistent, the issue will not occur.)
697590-1 : APM iRule ACCESS::session remove fails outside of Access events
Component: Access Policy Manager
Symptoms:
ACCESS::session remove fails
Conditions:
iRule calling ACCESS::session remove outside of Access events.
Impact:
APM iRule ACCESS::session remove fails to remove session
Workaround:
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.
693844 : APMD may restart continuously and cannot come up
Solution Article: K58335157
Component: Access Policy Manager
Symptoms:
apmd process cannot start correctly and restarts in an infinite loop. When apmd initializes the Allow Ending agent, the process tries to load all resources (including ACLs, the webtop, and all resources for every webtop, app tunnels, rdp, etc.). The most likely configuration to encounter this issue is with ACLs. For example, if you have thousands of ACL records, the Allow agent pulls them all at once. If the mcpd process is consumed with other operations, it might be that apmd cannot initialize the Allow agent in 30 secs, so it restarts, at which point the process tries to load all resources, cannot complete within the 30 seconds, and restarts in a loop.
Conditions:
Too many resources are assigned in an Access Policy profile, for example thousands of ACLs.
apmd cannot initialize the Allow Ending agent within 30 seconds and decides it has stopped responding. It then restarts itself, but because the problem is not solved, it restarts in a loop.
Impact:
APM end users cannot authenticate.
Workaround:
Reduce amount of resources so every agent can initialize within the 30-second timeframe.
692218 : Audit log messages sent from the primary blade to the secondaries should not be logged.
Component: TMOS
Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.
Conditions:
Multi-blade platform.
Impact:
Unnecessary messages in the log file.
Workaround:
None.
685669 : 'Failed to reload dns-express db (Version).' can be logged a few times a second if DNS Express was configured on a different partition but not the current one★
Component: Global Traffic Manager (DNS)
Symptoms:
'Failed to reload dns-express db (Version).' message can be logged a few times a second if DNS Express was configured on a different partition but not the current one.
Conditions:
This happens only if the following conditions are true:
-- The system is rebooted from one boot location (partition) to another.
-- The previous partition had a DNS Express database with zones defined.
-- The new partition has a newer version of DNS Express.
-- There is no DNS Express configuration defined on the new partition.
Impact:
There is no negative impact to traffic flow or configuration. The logs simply fill with this message.
Workaround:
Remove the shared DNS Express database.
Important: Perform this step only if you are sure you do not want the shared DNS Express database when you reboot back to the partition it was originally created on:
rm -f /shared/zxfrd/*
679752 : Connections may fail when iRule LSN::port is used, L4 mirroring is enabled and LSN pool/AFM dynamic-pat NAPT mode is configured with default DAG
Component: Carrier-Grade NAT
Symptoms:
Connections may fail even when no colliding flows are present that use the same translation IP and port. /var/log/ltm contains tmm informational logs: "Requested Port busy"
Conditions:
The LSN::port iRule command is used, L4 mirroring is enabled, and an LSN pool or AFM dynamic-pat NAPT mode is configured with the default DAG.
Impact:
Connections fail, with log "Requested Port busy"
Workaround:
None.
679316 : iQuery connections reset during SSL renegotiation
Component: Local Traffic Manager
Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.
Note: iQuery connections automatically perform SSL renegotiation every 24 hours.
Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.
Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).
This issue occurs even in versions where ID477240 is fixed. There is no fix for this specific trigger of the same message.
Workaround:
There is no workaround at this time.
673826 : Some FTP log messages may not be logged to /var/log/ltm
Component: Carrier-Grade NAT
Symptoms:
Some FTP log messages may not be logged to /var/log/ltm
Conditions:
A virtual server with an FTP profile is configured.
Impact:
Some FTP_SETUP/FTP_TEARDOWN and FTP_DATA_SETUP/FTP_DATA_TEARDOWN logs may not be logged to /var/log/ltm.
Workaround:
Use remote HSL logging
672039 : Portal access fails with java exceptions for Oracle E-Business application
Component: Access Policy Manager
Symptoms:
When the META-INF/INDEX.LIST file is present in one of application jar files, additional jars could be requested with unmangled URL. APM will block these requests and Java application will fail to start.
Conditions:
[Java Patcher] Absolute paths in JAR Index are not patched
Impact:
Oracle web forms fail to load.
Workaround:
The only workaround is to make all paths in the application JAR's META-INF/INDEX.LIST file relative to the codebase and re-sign the JAR.
671940 : configure a transaction with several 10 KB firewall objects results in MCP stuck
Component: TMOS
Symptoms:
Configuring a transaction that contains several firewall objects of roughly 10 KB each causes mcpd to become stuck.
Conditions:
A single transaction configures several firewall objects of roughly 10 KB each.
Impact:
MCP gets stuck. Configuration operations fail.
Workaround:
Break the single transaction into several transactions with smaller sized configuration objects.
666845 : Rewrite plugin can accumulate memory used for patching very large files
Solution Article: K08684622
Component: Access Policy Manager
Symptoms:
Rewrite plugin memory usage is significantly higher than normal (up to 200 MB RSS) and does not decrease.
Conditions:
This happens because the plugin caches and reuses already allocated chunks of memory instead of releasing them to the operating system.
Impact:
Out-of-memory crashes on systems with low amounts of memory.
Workaround:
Use one or both of the following workarounds:
-- Restart rewrite when memory usage is too high.
-- Disable patching for large (15-20 MB uncompressed) files.
658850-1 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
Component: TMOS
Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.
If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.
Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate
Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.
Workaround:
If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>
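As an added example (not F5's code), this Python reads the mgmt-dhcp setting out of the bigip_base.conf carried in a UCS and reports, before you run platform-migrate, whether management will flip between static and DHCP on the destination. It assumes the UCS is a gzipped tar containing config/bigip_base.conf and that mgmt-dhcp appears in its 'sys global-settings' block only when explicitly set; the defaulting rule it applies (enabled on VE, disabled on all other platforms) is the one stated above.

```python
"""Added example, not F5's code: predict the effect of
'tmsh load sys ucs <file> platform-migrate' on mgmt-dhcp before loading,
so the management path is not lost.

Assumptions: the UCS is a gzipped tar holding config/bigip_base.conf, and
mgmt-dhcp is written in the 'sys global-settings' block only when it was set
explicitly. When absent, the page's rule applies: enabled on VE, disabled
on every other platform.
"""
import re
import tarfile

# Constructed sample: a bigip_base.conf fragment with an explicit setting.
SAMPLE_BASE_CONF = """
sys global-settings {
    gui-setup disabled
    hostname bigip1.example.com
    mgmt-dhcp disabled
}
sys management-ip 192.0.2.10/24 { }
"""


def global_settings_block(base_conf):
    """Return the brace-matched body of 'sys global-settings { ... }', or ''."""
    start = base_conf.find("sys global-settings {")
    if start < 0:
        return ""
    i = base_conf.index("{", start)
    depth = 0
    for j in range(i, len(base_conf)):
        if base_conf[j] == "{":
            depth += 1
        elif base_conf[j] == "}":
            depth -= 1
            if depth == 0:
                return base_conf[i + 1:j]
    return ""


def ucs_mgmt_dhcp(base_conf):
    """'enabled' or 'disabled' if the UCS states it, else None (not written out)."""
    m = re.search(r"^\s*mgmt-dhcp\s+(enabled|disabled)\b",
                  global_settings_block(base_conf), re.M)
    return m.group(1) if m else None


def effective_mgmt_dhcp(base_conf, target_is_ve):
    """Value the destination ends up with after platform-migrate."""
    explicit = ucs_mgmt_dhcp(base_conf)
    if explicit:
        return explicit
    return "enabled" if target_is_ve else "disabled"


def management_would_change(base_conf, target_is_ve, current):
    """True when the load would move management between static and DHCP."""
    return effective_mgmt_dhcp(base_conf, target_is_ve) != current


def base_conf_from_ucs(path):
    """Pull config/bigip_base.conf out of a UCS archive (gzipped tar)."""
    with tarfile.open(path, "r:gz") as tar:
        f = tar.extractfile("config/bigip_base.conf")
        return f.read().decode("utf-8", "replace") if f else ""


if __name__ == "__main__":
    # Destination is a hardware appliance currently using a static address.
    print("UCS says:", ucs_mgmt_dhcp(SAMPLE_BASE_CONF))
    print("would change:", management_would_change(SAMPLE_BASE_CONF, False, "disabled"))
```

Compare the result with 'tmsh list sys global-settings mgmt-dhcp' on the destination; if it would change, have console or in-band access ready and apply the static-IP commands above immediately after the load.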
657977 : iControl REST: Unable to create valid iRule with symbol '{' via iControl REST
Component: TMOS
Symptoms:
iControl REST returns an error when attempting to create an iRule in which an event declaration is followed by a '{' on the next line, for example:
when CLIENT_ACCEPTED
{
    log local0. "Hello world"
}
Conditions:
Creating iRule via iControl REST.
Impact:
Some iRules cannot be created through iControl REST (the iRule body is passed in the "apiAnonymous" property).
Workaround:
Use TMSH or GUI to create iRule
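As an added example (not F5's code), this Python normalizes an iRule so the '{' that opens an event body sits on the same line as the 'when <EVENT>' declaration, then builds the JSON body iControl REST expects for POST /mgmt/tm/ltm/rule (the iRule text goes in the apiAnonymous property). That this brace placement avoids the parser error is the example's assumption, based on the symptom described above; it is not a workaround the article states.

```python
"""Added example, not F5's code: reformat an iRule so the '{' opening an
event body is on the 'when <EVENT>' line, then build the iControl REST body
for POST https://<bigip>/mgmt/tm/ltm/rule.

Assumption: the page attributes the REST failure to a '{' on the line after
the event declaration; joining the brace onto that line is this example's
way of avoiding that shape, not a workaround the article gives.
"""
import json
import re

# Constructed sample in the failing layout quoted on the page.
FAILING_IRULE = """when CLIENT_ACCEPTED
{
    log local0. "Hello world"
}
"""

# 'when EVENT' or 'when EVENT priority N' alone on a line.
EVENT_LINE = re.compile(r"^(\s*when\s+[A-Z0-9_]+(?:\s+priority\s+\d+)?)\s*$")


def join_event_braces(irule):
    """Move a '{' that sits alone on the next line onto the event line."""
    lines = irule.splitlines()
    out = []
    i = 0
    while i < len(lines):
        m = EVENT_LINE.match(lines[i])
        if m and i + 1 < len(lines) and lines[i + 1].strip() == "{":
            out.append(m.group(1) + " {")
            i += 2
            continue
        out.append(lines[i])
        i += 1
    return "\n".join(out) + "\n"


def rest_rule_body(name, irule, partition="Common"):
    """JSON body for creating the iRule via iControl REST."""
    return json.dumps({"name": name, "partition": partition,
                       "apiAnonymous": join_event_braces(irule)})


if __name__ == "__main__":
    print(rest_rule_body("hello_world", FAILING_IRULE))
```

Send the returned string as the request body with Content-Type: application/json; iRules whose braces are already on the event line pass through unchanged.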
657459-1 : Single-NIC BIG-IP VE may erroneously revert to the default management httpd port after a configuration reload
Solution Article: K51358480
Component: TMOS
Symptoms:
The single Network Interface Card (NIC) BIG-IP Virtual Edition (VE) may erroneously revert to the default management httpd port after you reload the configuration.
Conditions:
Management traffic port has been set to a value other than default port 8443.
Impact:
Management traffic port will revert to 8443 after any action which reloads configuration.
Workaround:
Reconfigure the port after each configuration reload, for example: tmsh modify sys httpd ssl-port 443
637979 : IPsec over isession not working
Component: TMOS
Symptoms:
User cannot send IPsec encrypted application data traffic through a secured iSession connection, just by configuring symmetric optimization to use IPsec for IP encapsulation.
Conditions:
Configure IPSec with iSession through the Quick Start screen and/or under the "Local Endpoint" configuration. Do not create any new IKE peers or traffic selectors.
Impact:
User is unable to send encrypted traffic using IPsec over the tunnel without additional configuration required for a typical IPSec setup.
Workaround:
Configuration needed for a typical IPsec setup should be made explicitly.
isession encapsulation should be set to "none", and proper IKE-peer, IPsec policy, and traffic selectors should be configured to capture isession traffic between the isession endpoints.
BIG-IP1 GUI:
[Local Endpoint]
Acceleration->Symmetric Optimization : Local Endpoint->Properties
WAN Self IP Address: <BIG-IP1-local-endpoint-ipaddress>
IP Encapsulation Type: None
[Remote Endpoint]
Acceleration->Symmetric Optimization : Remote Endpoints->New Remote Endpoint...
IP Address: <BIG-IP2-local-endpoint-ipaddress>
[IKE peer]
Network->IPsec : IKE Peers->New IKE Peer...
Remote Address: <BIG-IP2-local-endpoint-ipaddress>
Version: Version1
Presented ID Value: <BIG-IP1-local-endpoint-ipaddress>
Verified ID Value: <BIG-IP2-local-endpoint-ipaddress>
[IPsec policy]
Network->IPsec : IPsec Policies->New IPsec Policy...
Name:<isession_policy_name>
Mode: Tunnel
Tunnel Local Address: <BIG-IP1-local-endpoint-ipaddress>
Tunnel Remote Address: <BIG-IP2-local-endpoint-ipaddress>
[Traffic selector]
Network->IPsec : Traffic Selectors->New Traffic Selector...
IPsec Policy Name: <isession_policy_name>
Source IP Address: <BIG-IP1-local-endpoint-ipaddress>
Destination IP Address: <BIG-IP2-local-endpoint-ipaddress>
BIG-IP2 GUI: Analogous--just swap the local and remote endpoint addresses where they appear above
636182 : Cannot update_indexes error during load sys config
Component: TMOS
Symptoms:
In some cases, loading a saved configuration onto a device will fail with the error:
"01070710:3: Cannot update_indexes/checkpoint DB object, class:devicegroup_device status:13"
Conditions:
The error occurs when loading a saved configuration file (SCF) for a device in a Device Service Cluster, where the CM Device Name locally differs from that which is in the SCF file.
Impact:
The 'tmsh load sys config file myFile merge' command fails with an error such as the following:
[root@aumy00vipr01:REBOOT REQUIRED:Standalone] tmp # tmsh load sys config file test-myvip1 merge
Loading configuration...
/shared/tmp/test-myvip1
There were warnings:
Since drop limit is less than detection limit, packets dropped below the detection limit rate will not be logged.
01070710:3: Cannot update_indexes/checkpoint DB object, class:devicegroup_device status:13 - EdbCfgObj.cpp, line 127
Unexpected Error: Loading configuration process failed.
Workaround:
Prior to loading the saved configuration file, rename the local CM device so that it matches the name in the SCF file:
tmsh mv cm device <current_name> <new_name>
For example,
"tmsh mv cm device bigip1.local bigip1.siterequest.com"
635684 : Apmd can't bind socket to port 10001 after named.conf modification
Component: Access Policy Manager
Symptoms:
After modifying named.conf and restarting the service, apmd can no longer bind to port 10001.
Conditions:
This only happens when following conditions are met:
- DNS recursion is enabled on the BIG-IP DNS system
- Loopback address (127.0.0.1) is used to make recursive queries to the BIG-IP DNS system
Impact:
apmd cannot start. The following error is logged in /var/log/apm:
Dec 14 09:17:39 HQNVLTM13 err apmd[10387]: 01490000:3: ApmD.cpp func: "create_listeners()" line: 1302 Msg: Couldn't bind socket 127.0.0.1:10001 [Address already in use].
Workaround:
Do not use the loopback address (127.0.0.1) for recursive queries to the BIG-IP DNS system; apmd already binds to that address.
630895 : Network Access tunnel cannot be re-established after failover
Component: Access Policy Manager
Symptoms:
After a failover, the Network Access tunnel cannot be re-established.
Conditions:
1. Network Access is used
2. Failover event occurred
3. Config snapshot was deleted before failover
Impact:
Application traffic through network access tunnel will stop.
Workaround:
End users need to logout and login again to create a new APM session. Then, Network Access tunnel will start up correctly.
624085 : IE11 on Win10 after Anniversary update may break APM session
Solution Article: K25471169
Component: Access Policy Manager
Symptoms:
Internet Explorer version 11 on Windows version 10 Anniversary update does not send session cookie when retrieving shortcut icons.
For example:
<link rel="shortcut icon" href="fav_resource.ico" type="image/x-icon">
This may break APM session.
This behavior is described in Microsoft issue (https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/8748123/).
Conditions:
- Windows version 10 Anniversary update.
- Internet Explorer version 11.
- Any Web application with "shortcut icon" resource.
Impact:
Web Application might not work via APM.
Workaround:
An iRule can return an HTTP 404 for these requests and remove the incorrect APM session; for example:
when ACCESS_SESSION_STARTED {
    # HTTP::path carries no query string, so the "?F5CH=I" form is checked against HTTP::uri.
    if { [HTTP::method] equals "GET" and ( [HTTP::path] ends_with ".ico" or [HTTP::uri] ends_with ".ico?F5CH=I" ) and [HTTP::header "User-Agent"] contains "Trident/7.0; rv:11.0" } {
        ACCESS::session remove
        HTTP::respond 404
    }
}
620374-1 : VCMP guest may temporarily fail to send information to the VCMP host
Component: TMOS
Symptoms:
Under CPU or memory pressure conditions, the guestagentd may log the following messages to /var/log/ltm:
e.g. Sep 10 06:47:31 slot1/localhost info guestagentd[4858]: 01810007:6: Exit flags for PID 30469: 0x500
Conditions:
VCMP guest
Impact:
None; guestagentd keeps retrying and recovers.
Workaround:
None
610257 : mcpd memory leak and core
Component: TMOS
Symptoms:
mcpd memory can slowly increase while making changes to device groups, eventually leading to an mcpd core.
Conditions:
It is not known exactly what triggers this.
Impact:
Stability of BIG-IP system might be degraded.
607110 : REWRITE filter should enable INFLATE only when it is necessary for content detection and patching.
Component: TMOS
Symptoms:
The Rewrite profile in 'uri-translation' mode and the HTML profile request decompression of all responses from the back-end server. This can impact performance and cause extra memory usage.
Conditions:
-- Either rewrite profile in 'uri-translation' mode or HTML profile is attached to a virtual server.
-- The back-end server responds with compressed data for content types other than HTML and CSS.
Impact:
Performance of Rewrite and HTML profiles is not optimal in case of compressed responses which should not be modified.
Workaround:
None.
601403 : Network access only supports ZLIB provider for compression
Component: Access Policy Manager
Symptoms:
Network Access uses gzip compression provided by ZLIB. On Intel Cave Creek platforms, this compression is not offloaded to hardware and therefore runs in tmm.
Attempting to choose a different provider via tmsh fails with:
1070281:3: Invalid "compress preferred method" value for profile /Common/newconn. Value must be zlib
Conditions:
- APM is provisioned
- Network access functionality is configured.
Impact:
Under heavy load, BIG-IP might experience High CPU usage.
Workaround:
There is no workaround at this time.
601220-2 : Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
Component: TMOS
Symptoms:
When a multi-blade VIPRION deployment first starts up or recovers from a chassis-wide force-offline/release-offline event, multi-blade trunks seem to leak packets that ingressed on one blade, out the same trunk's member interfaces on other blades.
Conditions:
-- Multi-blade VIPRION deployment.
-- Chassis-wide reboot or force-offline/release-offline event occurs.
Impact:
This is a very intermittent issue that is not reproducible and happens for only a few milliseconds. This may temporarily impact the upstream switch L2 FDB and cause slight traffic redirection as the upstream switch will learn the source MAC of the gratuitous ARPing host from the same trunk the traffic was broadcast to.
Note: This is not an F5-specific problem. It occurs on any stacked-switch hardware under these conditions.
Workaround:
There is no workaround.
600872 : Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms.
Component: Access Policy Manager
Symptoms:
APM end-user sessions start successfully but end within a few minutes, and users are forced to log on again.
The default timeout is 900 seconds.
Conditions:
- An HTTP/2-capable browser is in use on a Microsoft Windows platform.
- APM and HTTP/2 are enabled on the same virtual server.
Impact:
APM sessions time out at the configured inactivity timeout (default is 900 seconds) regardless of activity, and APM end users must restart their sessions.
Workaround:
Remove HTTP/2 profile from the affected virtual server.
597161-1 : Upgrading from BIG-IP v11.6.1 to BIG-IP v12.0.0 will fail if AVR is provisioned (or has been provisioned), and the configuration will fail to load in the new software boot location★
Component: Application Visibility and Reporting
Symptoms:
After an upgrade from BIG-IP v11.6.1 to BIG-IP v12.0.0, the system fails to load the configuration, and logs these messages to /var/log/ltm:
crit tmsh[8585]: 01420001:2: Can't load keyword definition (analytics-report.device_group) : framework/SchemaCmd.cpp, line 810
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all" - failed. --
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all" - failed. --
Running "tmsh load sys config" will report an error:
fatal: (Can't load keyword definition (analytics-report.device_group)) (framework/SchemaCmd.cpp, line 810), exiting...
This will also occur if restoring a UCS archive from a v11.6.1 system on a BIG-IP v12.0.0 system.
Conditions:
An upgrade is performed from BIG-IP v11.6.1 to BIG-IP v12.0.0, and AVR is provisioned.
Even if AVR is provisioned and then un-provisioned, if the configuration file contains "analytics" objects, this issue will also occur. This happens even if AVR was never configured.
Impact:
Config load fails after upgrade.
Workaround:
This only occurs on upgrade from 11.6.1 to 12.0.0. Upgrading from 11.6.1 to 12.1.0 does not exhibit this. If you encountered this when upgrading to 12.0.0, you can manually remove the analytics objects from the bigip.conf file and reload the configuration, then rebuild your analytics profiles.
590377 : Changing the destination address of a virtual server when there is no other VIP with that same destination virtual address, the virtual address is not removed.
Component: TMOS
Symptoms:
When the last virtual server whose destination IP address matches a virtual address with auto-delete enabled is removed, the virtual address is also removed.
However, when the destination address of a virtual server is changed and no other virtual server uses that destination virtual address, the virtual address is not removed.
Conditions:
-- Changing the destination address of a virtual server.
-- There is no other virtual IP address with that same destination virtual address.
-- Virtual address is configured with Route Health Injection (RHI) enabled.
Impact:
Virtual address with RHI enabled leaves routes injected into the routing process.
Workaround:
Remove the virtual address manually.
584414-2 : Deleting persistence-records via tmsh may result in persistence being created to different nodes
Component: Local Traffic Manager
Symptoms:
After persistence records are deleted, a connection may create persistence records to two different nodes, breaking persistence.
Conditions:
Deleting persistence records when there is high concurrency for particular persistence records (e.g., load testing).
Impact:
Client fails to persist to a particular node.
Workaround:
Avoid removing persistence records from tmsh or use iRules to remove persistence records.
571727 : 'force-full-load-push' is not tab expandable
Solution Article: K52707821
Component: TMOS
Symptoms:
The 'force-full-load-push' option for 'run cm config-sync' is not tab expandable unless it's the first option given.
Conditions:
This is encountered when trying to use tab complete in tmsh for the 'run cm config-sync' command.
Impact:
The keyword 'force-full-load-push' has to be typed out in full or used as the first option.
Workaround:
Use 'force-full-load-push' as the first option, or type it out in full.
566273 : Changing URL Filter logging configuration causes tmm crash
Component: Access Policy Manager
Symptoms:
When SWG is configured with URL filtering, changing the URL Filter log configuration while traffic is running can cause a tmm crash.
Conditions:
Traffic is running through the box and logs are being collected while an admin simultaneously changes the configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
564270 : [DNS] A query is not sent out in secondary mapping when no AAAA response.
Component: Local Traffic Manager
Symptoms:
When a BIG-IP DNS system configured with DNS64 in secondary mode receives no response to the AAAA query, it does not attempt the A query.
Conditions:
DNS64 configured in secondary mode.
Impact:
DNS64 secondary mode does not work as expected.
556505 : Load UCS failure for objects with unique IP address constraints.
Solution Article: K19252010
Component: TMOS
Symptoms:
Loading a UCS on running configuration may fail on objects with unique IP address constraints (e.g., self IPs, pool member IPs, etc).
Conditions:
Loading a UCS on running configuration.
Impact:
UCS load failure.
Workaround:
Either load the UCS on a clean configuration (i.e., tmsh load sys config default), or run the load UCS command twice.
553516-1 : Unable to sync events from SharePoint 2010 to local Outlook calendar
Component: Access Policy Manager
Symptoms:
Unable to sync events from SharePoint 2010 to local Outlook calendar.
Conditions:
Steps to Reproduce:
1. Create a portal resource for SharePoint 2010 and assign it to webtop
2. Open VS and go to the SharePoint 2010
3. Create a calendar event
4. Sync the event to your local Outlook calendar
Actual Results:
Event is not synced to local Outlook calendar
Impact:
Users are unable to sync events from SharePoint 2010 to their local Outlook calendar.
Workaround:
There is no workaround at this time.
552444 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
Component: Access Policy Manager
Symptoms:
Dynamic drive mapping in network access may not work if the mapping is configured to use a session variable, and the session variable is received from LDAP/AD.
Conditions:
The drive mapping is received from LDAP/AD and contains a double backslash in the path, e.g., "\\server\path".
Impact:
Dynamic drive mapping may not function.
Workaround:
For example, when using the session.ad.last.attr.homeDirectory attribute value for the drive map, assign a variable and collapse the extra backslashes added by APM:
homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]
547692 : Firewall-blocked KPASSWD service does not cause domain join operation to fail
Component: Access Policy Manager
Symptoms:
The KPASSWD service runs on tcp/464 and udp/464. If both of these ports are blocked, BIG-IP cannot set the machine account password for the machine account it creates. In addition, BIG-IP has a bug that causes it not to report this failure back to the administrator.
Because the machine account itself is successfully created on the Active Directory side (without the correct password), and BIG-IP does not report the KPASSWD failure, the domain join operation appears to have worked.
However, because the password is never set on the Active Directory side, the machine account is effectively unusable: BIG-IP can never establish a working SCHANNEL with the Active Directory server because of the password mismatch.
creation is LDAP (+ Kerberos GSS-API with SASL binding), so the machine account itself is generated. Furthermore, because setting the machine account password is not an operation the administrator performs, this situation hides the fact that KPASSWD was failing: the AD server never receives the request, so AD never logs a failure, while BIG-IP fails to detect the KPASSWD failure. From the administrator's point of view, the domain join appears to have worked perfectly.
Conditions:
Of the DNS, LDAP, KERBEROS, and KPASSWD services required for the domain join operation, only KPASSWD is blocked.
Impact:
The created machine account is effectively unusable due to the password mismatch, and BIG-IP can never establish a working SCHANNEL; this renders the NTLM authentication feature non-functional.
Workaround:
Allow KPASSWD traffic (tcp/464 and udp/464) to reach the Active Directory server.
534410 : CRLDP AAA server in non-default partition uses self-ip in default partition with strict isolation
Component: Access Policy Manager
Symptoms:
CRLDP AAA server connection is made on the default interface which may not be part of the requesting partition.
Conditions:
A CRLDP resource is configured in a non-default partition and strict isolation is enabled.
Impact:
The CRLDP request is sent on the default interface for the box. If the AAA server is reachable from that interface there is no adverse impact.
530016 : CGNAT: Changing the PBA client-block-limit on a LSN pool while blocks are allocated can lead to incorrect 'Clients Using Max Port Blocks' counts in the stats
Component: Carrier-Grade NAT
Symptoms:
Statistic will be incorrect or negative: 'Clients Using Max Port Blocks'.
Conditions:
Changing the PBA client-block-limit on a LSN pool while there are active blocks and connections might result in incorrect 'Clients Using Max Port Blocks' counts in the stats.
Impact:
If the 'Clients Using Max Port Blocks' count is used to monitor the number of clients that have reached the block limit, this will impact operations and monitoring of lsn-pool status.
Workaround:
Restarting the BIG-IP system resets the counter.
528314-1 : Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh
Solution Article: K16816
Component: TMOS
Symptoms:
New default certificate and key pairs generated for BIG-IP SSL profiles using the CLI are not reflected in the GUI or in tmsh.
Conditions:
Using OpenSSL commands to generate a new default certificate and key pair, as described in SOL13579: Generating new default certificate and key pairs for BIG-IP ssl profiles, available here: https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13579.html.
Impact:
After the renewal, tmsh list sys file ssl-cert default.crt command or the general properties in the GUI SSL Cert List shows the old one. This is a cosmetic issue only. The system uses the new default.
Workaround:
Perform a forced reload of mcpd by running the following commands:
-- touch /service/mcpd/forceload
-- tmsh restart sys service mcpd
505037-6 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
Solution Article: K01993279
Component: Local Traffic Manager
Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.
Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.
Impact:
Secondary in a restart loop.
Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.
498049 : APM End user interface pages customized using session data will render using defaults when session data is not available.
Component: Access Policy Manager
Symptoms:
Any APM end user interface pages that use data from the user's session will require that session to be active in order to display content as expected. When actions such as a "refresh" of the logout page are executed, the page that is rendered no longer has access to session data used for rendering it originally. As a result, such actions will result in the display of content derived from defaults.
Conditions:
The following conditions have to exist for this issue to occur:
- Use of APM.
- Customization of end user interface pages.
- Use of data from the user's session for customization (e.g. results from evaluation of data to determine client type).
Impact:
Customized pages will render using default data due to unavailability of session data.
Workaround:
Use advanced customization in such a way that it relies only on data available for each type of customized content (e.g., for the logout page, do not rely on session data).
496155 : tmsh show ltm persistence persist-records sometimes shows an incorrect number of entries on VIPRION chassis
Component: Local Traffic Manager
Symptoms:
tmsh show ltm persistence persist-records or tmsh show ltm persistence persist-records client-addr <client ip> sometimes shows an incorrect number of entries on VIPRION chassis.
Conditions:
When there are multiple slots on a VIPRION chassis, and the command is executed on a secondary from the primary.
Impact:
Results are not reported correctly in tmsh. Results display a fluctuating number of src ip persistence entries.
Workaround:
Specify the virtual server name in the tmsh command directly, instead of running the command for all virtual servers.
495401 : Flash AS3 with ExternalInterface call may not work as expected
Component: Access Policy Manager
Symptoms:
Flash web applications might not work as expected with ActionScript 3 (AS3) using statements such as the following:
flash.external.ExternalInterface("eval", "document.location.href")
Conditions:
Using statements such as the following in AS3 scripts:
flash.external.ExternalInterface("eval", "document.location.href")
Impact:
Possible web application malfunction; rewrites not occurring as expected.
Workaround:
None.
476544 : mcpd core during sync
Component: TMOS
Symptoms:
mcpd can run out of memory and core when a device in a sync group is sending an extremely high volume of sync messages.
Conditions:
The exact cause of this is unknown, and it has been seen very rarely with a large sync in a sync group. Large incremental syncs could be a symptom of other things happening between the devices which could trigger the core.
Impact:
mcpd cores and restarts if it runs out of memory. This condition can be detected only by inspecting the core file.
Workaround:
None.
476230 : False positive malformed json on legitimate unicode character
Component: Application Security Manager
Symptoms:
A malformed json violation is reported on legitimate json payload.
Conditions:
A unicode character that is not mapped in the json parser arrives with the payload.
Impact:
False positive violation, which might block a legitimate transaction.
Workaround:
None.
475283 : Category Lookup by SNI doesn't work for SWG transparent + Mobile AppTunnel in case of using SWG SSL bypass
Component: Access Policy Manager
Symptoms:
Category lookup by SNI doesn't work for Mobile Application Tunnels (i.e. iOS perAppVPN). An error "SWG Scheme not assigned to main access policy" appears.
Conditions:
SWG transparent + Mobile AppTunnel in use. Issue is reproducible only with "SSL Forward Proxy Bypass" option in SSL profile for layered virtual server.
Impact:
Per-request policy will fail when it hits the category lookup agent with conditions specified.
Workaround:
Remove the "SSL Forward Proxy Bypass" option from the SSL profile for the layered virtual server.
474797-3 : Nitrox crypto hardware may attempt soft reset while currently resetting
Component: Local Traffic Manager
Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.
Conditions:
Soft reset is needed to clear a stuck condition occurring in the timeframe during which another soft reset is occurring.
Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.
Workaround:
Correct the condition resulting in the need for the soft reset to clear the stuck condition or disable hardware-based crypto acceleration by setting db variable 'tmm.ssl.cn.shunt' to disable.
To disable hardware-based crypto acceleration issue the following command:
tmsh modify sys db tmm.ssl.cn.shunt value disable
Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.
468878 : Portal access: external links in SVG tags are not rewritten
Component: Access Policy Manager
Symptoms:
If an HTML page contains an SVG tag with an external reference inside it, this reference is not rewritten.
Conditions:
An HTML page with an SVG tag and an external reference inside this tag, for example:
<html><body><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image x="20" y="20" width="300" height="80" xlink:href="http://example.com/logo.gif" />
</svg></body></html>
Impact:
SVG external references may not be loaded correctly.
Workaround:
An iRule can be prepared to replace the URLs in SVG external references.
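The workaround above is an iRule; as an added example (not F5 code and not an iRule), the following Python shows the rewriting an iRule would need to perform: only absolute http(s) references inside <svg> elements are rewritten, and a helper lists any that were missed. The proxied URL form (example_rewrite, a /proxy/ route) and the sample page are assumptions constructed from the issue text.

```python
import re
from typing import Callable
from urllib.parse import urlsplit

# Constructed sample page, taken from the issue text above.
SAMPLE_HTML = (
    '<html><body><svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">\n'
    '<image x="20" y="20" width="300" height="80" '
    'xlink:href="http://example.com/logo.gif" />\n'
    '</svg></body></html>'
)

_SVG_BLOCK = re.compile(r"<svg\b.*?</svg>", re.IGNORECASE | re.DOTALL)
# Matches xlink:href="..." or href="..." inside an SVG block; the URL is group 3.
_HREF_ATTR = re.compile(r'\b((?:xlink:)?href)(\s*=\s*")([^"]*)(")', re.IGNORECASE)


def is_external(url: str) -> bool:
    """True for absolute http(s) URLs, the references the issue describes."""
    parts = urlsplit(url)
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)


def rewrite_svg_references(html: str, rewrite: Callable[[str], str]) -> str:
    """Rewrite external href/xlink:href values inside <svg> elements only.

    'rewrite' maps an external URL to its proxied form; the real portal-access
    URL scheme is not modeled here, so the caller supplies it (assumption).
    Fragment references such as "#icon" and relative paths are left alone.
    """
    def fix_attr(m: re.Match) -> str:
        url = m.group(3)
        if not is_external(url):
            return m.group(0)
        return f"{m.group(1)}{m.group(2)}{rewrite(url)}{m.group(4)}"

    return _SVG_BLOCK.sub(lambda blk: _HREF_ATTR.sub(fix_attr, blk.group(0)), html)


def find_unrewritten(html: str) -> list:
    """List external SVG references still present, to verify the fix worked."""
    found = []
    for blk in _SVG_BLOCK.finditer(html):
        for m in _HREF_ATTR.finditer(blk.group(0)):
            if is_external(m.group(3)):
                found.append(m.group(3))
    return found


def example_rewrite(url: str) -> str:
    """Placeholder proxied form (assumption): route the origin under /proxy/."""
    parts = urlsplit(url)
    return f"/proxy/{parts.scheme}/{parts.netloc}{parts.path or '/'}"


if __name__ == "__main__":
    print(find_unrewritten(SAMPLE_HTML))
    print(rewrite_svg_references(SAMPLE_HTML, example_rewrite))
```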
465978 : Compression from BIG-IP APM to client is still present even if it is disabled in connectivity profile.
Component: Access Policy Manager
Symptoms:
Connectivity profile compression setting specifies compression level for BIG-IP-to-client direction. Compression from BIG-IP-APM-to-client is still present even if it is disabled in connectivity profile.
Conditions:
GZIP compression is enabled in network access resource. GZIP compression level is set to 0 (No compression) in the Network Access section of the connectivity profile. Expected behavior: there is compression in client-to-BIG-IP direction, there is no compression in BIG-IP-to-client direction. Observed behavior: there is compression in both directions.
Impact:
Compression in the BIG-IP-to-client direction cannot be turned off by the connectivity profile setting.
Workaround:
To work around the problem, modify the value of the compression.strategy db variable to "speed": tmsh modify sys db compression.strategy value speed
456927 : iOS Edge Client is not able to establish per-app VPN connections with APM when it has VPE with On-Demand certificate authentication without assigned webtop resource.
Solution Article: K53372963
Component: Access Policy Manager
Symptoms:
iOS Edge Client is not able to establish per-app VPN connections with APM when it has VPE with On-Demand certificate authentication agent without assigned webtop resource.
Conditions:
VPE with On-Demand certificate authentication without assigned webtop resource.
Impact:
Cannot use iOS Edge Client to establish per-app VPN connections.
Workaround:
Add resource assignment agent with webtop resource.
455066 : Read-only account can save system config
Component: TMOS
Symptoms:
A read-only user can run the tmsh save sys config command, which saves the configuration including changes made by other read/write users.
Conditions:
This occurs when logged in as a read-only user and running save sys config in tmsh.
Impact:
Read-only users are able to run save sys config in tmsh.
Workaround:
None.
454640 : mcpd instances on secondary blades might restart on boot
Component: TMOS
Symptoms:
Secondary blades' mcpd instances might restart on boot.
Conditions:
This might occur intermittently on VIPRION bladed systems or VCMP guests. This might be the result of a race condition that occurs when /config is synced between the blades and when the mcpd process starts.
Impact:
The mcpd process restarts on secondary blades. The process eventually returns to normal, and the system finishes booting. The system posts messages similar to the following:
01071038:5: Secondaries couldn't load master key from the database.
01070734:3: Configuration error: Configuration from primary failed validation: 01071029:5: Master Key not present.
Workaround:
This issue has no workaround at this time.
441537 : APM form-based SSOv1 values allow URL encoding of some special characters, such as '-'
Component: Access Policy Manager
Symptoms:
In APM form-based SSO, some special characters are incorrectly URL-encoded for certain fields, such as hidden parameters. (This does not apply to form-based client-initiated SSO.)
Conditions:
This occurs when using form-based SSO with a hidden parameter that contains a special character, such as dash ( - ), underscore ( _ ), period ( . ), exclamation mark ( ! ), tilde ( ~ ), asterisk ( * ), left round bracket ( ( ), right round bracket ( ) ), and backslash ( \ ).
Impact:
Form might not work as expected.
Workaround:
To work around the problem, use form-based client-initiated SSO if possible. Form-based client-initiated SSO has the correct URL encoding implementation. Alternatively, use an iRule to change the special ASCII characters back to the correct character.
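The iRule workaround above has to restore only the characters the issue lists while leaving every other percent-escape (such as %26 for '&' or %3D for '=') intact, or it would corrupt the form body. This added Python example (not F5 code and not an iRule) shows that selective decoding; the sample values are constructed.

```python
import re

# Characters the issue lists as wrongly percent-encoded by form-based SSOv1.
# The backslash is included only because the issue lists it.
OVER_ENCODED = "-_.!~*()\\"

# Map each listed character's upper- and lower-case %XX form back to the character.
_ESCAPES = {f"%{ord(c):02X}": c for c in OVER_ENCODED}
_ESCAPES.update({k.lower(): v for k, v in list(_ESCAPES.items())})

_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def restore_over_encoded(value: str) -> str:
    """Decode only the listed characters; leave every other %XX escape as is.

    A blanket urllib.parse.unquote() would also decode reserved characters,
    which is why the replacement is restricted to the characters named above.
    """
    return _PCT.sub(lambda m: _ESCAPES.get(m.group(0), m.group(0)), value)


def restore_form_body(body: str) -> str:
    """Apply the fix to each value of an application/x-www-form-urlencoded body."""
    fixed = []
    for pair in body.split("&"):
        name, sep, val = pair.partition("=")
        fixed.append(f"{name}{sep}{restore_over_encoded(val)}")
    return "&".join(fixed)


if __name__ == "__main__":
    # Constructed sample: a hidden field value over-encoded by SSOv1.
    print(restore_form_body("token=abc%2Ddef%5F1&next=%2Fhome%3Fx%3D1"))
```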
422512 : APM SharePoint integration might not work using Internet Explorer 10 on Microsoft Windows 8.
Component: Access Policy Manager
Symptoms:
Microsoft Windows 8 does not share persistent cookies between the browser and Office components. This prevents session management tools like APM from connecting Windows 8 clients with SharePoint services.
The Microsoft case number is 112090575901186.
Conditions:
APM SharePoint integration in IE 10 on Windows 8.
Impact:
System produces an error when trying to open documents from SharePoint through APM.
Workaround:
Word/Excel integration (i.e., Document library features) support is fixed by KB2846960.
419345 : Changing Master Key on the standby might cause secondaries to restart processes
Component: TMOS
Symptoms:
Changing Master Key on the standby of an HA configuration on a chassis might cause secondaries to restart processes.
Conditions:
This occurs when you modify the master key on standby chassis.
Impact:
Users might not be able to access the cluster. The secondary blades of that chassis might experience continuous restarts of mcpd and other daemons, accompanied by 'decrypt failure' messages in the ltm log.
Workaround:
Run the command bigstart restart on the secondaries to restore system functionality. In general, you should change master keys on the primary in the cluster.
406745 : Office on Mac cannot open SharePoint files through web applications
Component: Access Policy Manager
Symptoms:
Office for Mac 2011 receives the login page HTML instead of the document when "open in Office" is used from SharePoint.
Conditions:
Opening an Office document from SharePoint.
Impact:
Not able to view the document from Portal Access.
Workaround:
N/A
387904 : Cannot use TMSH to change virtual server type
Component: Local Traffic Manager
Symptoms:
You cannot use TMSH to change the virtual server type, for example, take an IP forwarding virtual server and reconfigure it into a vanilla FastL4 or standard virtual server.
Conditions:
You want to change a non-standard virtual server to a standard virtual server.
Impact:
There is no provision to change the virtual server type through TMSH.
Workaround:
Use GUI to make the change.
385188 : Portal Access Resource does not support session variables in custom HTTP Headers
Component: Access Policy Manager
Symptoms:
Portal Access Resource does not support session variables in custom HTTP Headers.
Conditions:
Here is an example of a Portal Access Resource where substitution of the session variable %{session.last.logon.username} is expected:
apm resource portal-access minmal_patching {
    acl-order 2
    customization-group minmal_patchinb_resource_web_app_customization
    host-replace-string 192.168.20.41
    host-search-strings 192.168.20.41
    items {
        item {
            compression-type none
            host *
            order 1
            paths *
            port any
            scheme any
            subnet 0.0.0.0/0
            headers {
                {
                    name X-G2-User
                    value "%{session.last.logon.username}"
                }
                {
                    name X-G2-Groupe
                    value testheader
                }
            }
        }
    }
    patching-type min-patch
    path-match-case false
    scheme-patching true
}
Impact:
No substitution for session variables in custom HTTP headers.
Workaround:
Custom iRule can be used.
382040 : Deleting and recreating pool members with named nodes can cause config sync to fail.
Solution Article: K16592
Component: TMOS
Symptoms:
Config sync fails after changing the IP address of a pool member that has a node name. The IP address change is achieved by deleting the pool member and node, then recreating the pool member/node.
Conditions:
This issue occurs when the following steps are followed:
1. Delete an existing pool member that has a node name set.
2. Recreate the pool member with a different IP address using the same node name before syncing the config.
3. Sync the configuration.
ltm pool ip_mod_pl {
    members {
        ip_mod2_nd:http {
            address 10.168.1.4
        }
        ip_mod_nd:http {
            address 10.168.1.1
        }
    }
}
ltm node ip_mod2_nd {
    address 10.168.1.4
}
tmsh modify ltm pool ip_mod_pl members delete { ip_mod2_nd:http}
tmsh delete ltm node ip_mod2_nd
tmsh modify ltm pool ip_mod_pl members add { ip_mod2_nd:http { address 10.168.1.5 }}
tmsh run cm config-sync to-group S48-S49
On versions 11.4.0 and later, the issue happens only if a full load is performed. Note that full loads may still occur on occasion, even if full-load-on-sync is false for the device group.
Impact:
Config sync fails.
Workaround:
Delete the pool member and node on the peer then sync the configuration. The issue does not affect pool members/nodes with no name associated with the node.
380810 : Front-end Kerberos Authentication fails when Request Based Authentication is enabled and non-standard port is in use
Component: Access Policy Manager
Symptoms:
Front-end Kerberos Authentication fails.
Conditions:
-- Kerberos front-end authentication is configured.
-- Request based authentication (RBA) is enabled.
-- Virtual server is configured with non-standard HTTP/HTTPS port.
Impact:
End user clients cannot log in.
Workaround:
Configure the virtual server to use the standard port.
369640 : Folder path objects in iRules can have only a single context per script
Solution Article: K17195
Component: Local Traffic Manager
Symptoms:
If an iRule is assigned to two different virtual servers in different contexts, the first time the rule runs any internal object conversions/lookups will be performed in the first context. When the second virtual runs the same rule, it will assume that the objects that have been looked up are correct, and point to the wrong members.
Conditions:
Two virtual servers in different folder paths use short names for objects like pools, procs, nodes and virtual servers.
Impact:
iRule can point to objects outside the current folder path.
Workaround:
Give each virtual server its own copy of the iRule (it is not necessary to provide complete folder paths).
364522 : App_editors cannot add pool members unless the node already exists
Component: TMOS
Symptoms:
A user with the app_editor role can create an app service; however, because app_editor users cannot create objects (they can only update and enable/disable them), app_editor users actually cannot create an app service.
Conditions:
This occurs with users with the app_editor role.
Impact:
App_editors cannot add pool members unless the node already exists.
Workaround:
There are two workarounds:
1. Use the new add_member_v2 method, which does not have this constraint (the add_member command is deprecated).
2. Have a user with the appropriate role create/manage the node address prior to using add_member.
362325 : [OWA] links in HTML attachments are rewritten after save to disk
Component: Access Policy Manager
Symptoms:
Links in content are rewritten in HTML attachments from Outlook Web Access (OWA) after you open the attachments in the browser or save them to disk using the Save as action. This happens because APM application access patches the links in HTML attachments. This occurs with OWA 2003, 2007, and 2010.
Conditions:
The APM end user downloads HTML files from OWA message attachment.
Impact:
If the downloaded file is HTML, Portal Access rewrites the file.
Workaround:
None.
355981 : CRLDP AAA requires anonymous access to the CA / LDAP
Component: Access Policy Manager
Symptoms:
APM CRLDP Authentication Agent binds anonymously to the LDAP server to retrieve CRL files. An option for a strong authentication bind is not currently supported.
Conditions:
Use of CRLDP authentication in APM
Impact:
Anonymous access to the LDAP server is required.
225358 : Both units probe both gateway fail-safe pools regardless of their unit IDs
Solution Article: K04604131
Component: Local Traffic Manager
Symptoms:
Both units probe both gateway fail-safe pools regardless of their unit IDs.
Conditions:
This occurs in HA configurations.
Impact:
Members of a redundant configuration continue to probe both gateway fail-safe pools.
Workaround:
Reload config via "tmsh load sys config".
224145 : Errors in the visual policy editor when creating new VPE actions
Component: Access Policy Manager
Symptoms:
The visual policy editor can, on rare occasions, return a non-specific failure when attempting to create new items.
Conditions:
Adding new actions in the visual policy editor
Impact:
The failure is transient; the request invariably succeeds on retry.
Workaround:
None, but retrying seems to work.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/