BIG-IP 15.0.1.4 Fixes and Known Issues

Supplemental Document : BIG-IP 15.0.1.4 Fixes and Known Issues

Applies To:

Show Versions

BIG-IP AAM

15.0.1

BIG-IP APM

15.0.1

BIG-IP Link Controller

15.0.1

BIG-IP Analytics

15.0.1

BIG-IP LTM

15.0.1

BIG-IP AFM

15.0.1

BIG-IP PEM

15.0.1

BIG-IP FPS

15.0.1

BIG-IP DNS

15.0.1

BIG-IP ASM

15.0.1

Updated Date: 05/28/2022

BIG-IP Release Information

Version: 15.0.1.4
Build: 2.0

Cumulative fixes from BIG-IP v15.0.1.3 that are included in this release
Cumulative fixes from BIG-IP v15.0.1.2 that are included in this release
Cumulative fixes from BIG-IP v15.0.1.1 that are included in this release
Cumulative fixes from BIG-IP v15.0.1 that are included in this release
Known Issues in BIG-IP v15.0.x

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
900757-3	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
895525-3	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
909237-5	CVE-2020-8617	K05544642	CVE-2020-8617: BIND Vulnerability
909233-5	CVE-2020-8616	K97810133	DNS Hardening
905905-2	CVE-2020-5904	K31301245	TMUI CSRF vulnerability CVE-2020-5904
895993-3	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
895981-3	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
895881-2	CVE-2020-5903	K43638305	BIG-IP TMUI XSS vulnerability CVE-2020-5903
888417-7	CVE-2020-8840	K15320518	Apache Vulnerability: CVE-2020-8840
838677-2	CVE-2019-10744	K47105354	lodash library vulnerability CVE-2019-10744
830401-2	CVE-2020-5877	K54200228	TMM may crash while processing TCP traffic with iRules
818709-1	CVE-2020-5858	K36814487	TMSH does not follow current best practices
781377-5	CVE-2019-6681	K93417064	tmrouted may crash while processing Multicast Forwarding Cache messages
767373-5	CVE-2019-8331	K24383845	CVE-2019-8331: Bootstrap Vulnerability
859089-6	CVE-2020-5907	K00091341	TMSH allows SFTP utility access
825597-2	CVE-2019-6687	K59957337	Cloud Security Services do not apply current best practices
816413-1	CVE-2019-1125	K31085564	CVE-2019-1125: Spectre SWAPGS Gadget
809165-1	CVE-2020-5854	K50046200	TMM may crash will processing connector traffic
808525-1	CVE-2019-6686	K55812535	TMM may crash while processing Diameter traffic
789921-1	CVE-2020-5881	K03386032	TMM may restart while processing VLAN traffic
778049-3	CVE-2018-13405	K00854051	Linux Kernel Vulnerability: CVE-2018-13405
775833-1	CVE-2020-5880	K94325657	Administrative file transfer may lead to excessive resource consumption
761112-2	CVE-2019-6683	K76328112	TMM may consume excessive resources when processing FastL4 traffic
756458-4	CVE-2018-18559	K28241423	Linux kernel vulnerability: CVE-2018-18559
725551-1	CVE-2019-6682	K40452417	ASM may consume excessive resources
887637-3	CVE-2019-3815	K22040951	Systemd-journald Vulnerability: CVE-2019-3815
823893-1	CVE-2020-5890	K03318649	Qkview may fail to completely sanitize LDAP bind credentials
748122-7	CVE-2018-15333	K53620021	BIG-IP Vulnerability CVE-2018-15333
746091-7	CVE-2019-19151	K21711352	TMSH Vulnerability: CVE-2019-19151
760723-1	CVE-2015-4037	K64765350	Qemu Vulnerability
757617-2	CVE-2018-16864 CVE-2018-16865	K06044762	Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
816233-2	2-Critical		Session and authentication cookies should use larger character set
858229-4	3-Major	K27551003	XML with sensitive data gets to the ICAP server
837837-1	3-Major		SSH Client Requirements Hardening
760234-6	3-Major		Configuring Advanced shell for Resource Administrator User has no effect
738330-4	3-Major		/mgmt/toc endpoint issue after configuring remote authentication
745465-2	4-Minor		The tcpdump file does not provide the correct extension

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
891477-2	2-Critical		No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server
872673-2	2-Critical		TMM can crash when processing SCTP traffic
842865-3	2-Critical		Add support for Auto MAC configuration (ixlv)
811701-2	2-Critical		AWS instance using xnet driver not receiving packets on an interface.
811149-3	2-Critical		Remote users are unable to authenticate via serial console.
789993-2	2-Critical		Failure when upgrading to 15.0.0 with config move and static management-ip.
789169-1	2-Critical		Unable to create virtual servers with port-lists from the GUI★
788057-4	2-Critical		MCPD may crash while processing syncookies
769817-2	2-Critical		BFD fails to propagate sessions state change during blade restart
762205-3	2-Critical		IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
746122-3	2-Critical		'load sys config verify' resets the active master key to the on-disk master key value
891721-2	3-Major		Anti-Fraud Profile URLs with query strings do not load successfully
891457-3	3-Major		NIC driver may fail while transmitting data
886689-5	3-Major		Generic Message profile cannot be used in SCTP virtual
882557-3	3-Major		TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
871657-6	3-Major		Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
830481-2	3-Major		SSL TMUI hardening
812929-1	3-Major		mcpd may core when resetting a DSC connection
811789-1	3-Major		Device trust UI hardening
810957-1	3-Major		Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
807005-4	3-Major		Save-on-auto-sync is not working as expected with large configuration objects
802685-1	3-Major		Unable to configure performance HTTP virtual server via GUI
800185-5	3-Major		Saving a large encrypted UCS archive may fail and might trigger failover
785741-2	3-Major	K19131357	Unable to login using LDAP with 'user-template' configuration
778125-2	3-Major		LDAP remote authentication passwords are limited to fewer than 64 bytes
762073-4	3-Major		Continuous TMM restarts when HSB drops off the PCI bus
759654-3	3-Major		LDAP remote authentication with remote roles and user-template failing
757519-2	3-Major		Unable to logon using LDAP authentication with a user-template
754691-2	3-Major		During failover, an OSPF routing daemon may crash.
742628-2	3-Major	K53843889	Tmsh session initiation adds increased control plane pressure
688399-1	3-Major		HSB failure results in continuous TMM restarts
648621-7	3-Major		SCTP: Multihome connections may not expire
605675-5	3-Major		Sync requests can be generated faster than they can be handled
856961-1	4-Minor		INTEL-SA-00201 MCE vulnerability CVE-2018-12207
722230-2	4-Minor		Cannot delete FQDN template node if another FQDN node resolves to same IP address
591732-6	4-Minor		Local password policy not enforced when auth source is set to a remote type.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
715032-3	1-Blocking		iRulesLX Hardening
898949-2	2-Critical		APM may consume excessive resources while processing VPN traffic
886085-4	2-Critical		TMM may crash while processing UDP traffic
858429-2	2-Critical		BIG-IP system sending ICMP packets on both virtual wire interface
839401-2	2-Critical		Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
817417-2	2-Critical		Blade software installation stalled at Waiting for product image★
812525-2	2-Critical	K27551003	HTTP parsing restrictions
892385-1	3-Major		HTTP does not process WebSocket payload when received with server HTTP response
858301-2	3-Major	K27551003	HTTP RFC compliance now checks that the authority matches between the URI and Host header
858297-2	3-Major	K27551003	HTTP requests with multiple Host headers are rejected if RFC compliance is enabled
858289-2	3-Major	K27551003	HTTP parsing restrictions
858285-2	3-Major	K27551003	HTTP parsing of Request URIs with spaces in them has changed
798105-2	3-Major		Node Connection Limit Not Honored
797977-2	3-Major		Self-IP traffic does not preserve the TTL from the Linux host
765517-2	3-Major		Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN
758599-2	3-Major		IPv6 Management route is preferred over IPv6 tmm route
756817-2	3-Major		ZebOS addresses blocks do not reflect RFC5735 changes to reserved address blocks.
745923-5	3-Major		Connection flow collision can cause packets to be sent with source and/or destination port 0
852373-1	4-Minor		HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error
822025-1	4-Minor		HTTP response not forwarded to client during an early response

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
760471-2	3-Major		GTM iQuery connections may be reset during SSL key renegotiation.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
911629-1	2-Critical		Manual upload of LiveUpdate image file results in NULL response
858025-2	2-Critical	K33440533	Proactive Bot Defense does not validate redirected paths
900797-3	3-Major		Brute Force Protection (BFP) hash table entry cleanup
900793-5	3-Major		APM Brute Force Protection resources do not scale automatically
900789-3	3-Major		Alert before Brute Force Protection (BFP) hash are fully utilized
888493-3	3-Major		ASM GUI Hardening
888489-3	3-Major		ASM UI hardening
883717-2	3-Major		BD crash on specific server cookie scenario
880753-2	3-Major		Possible issues when using DoSL7 and Bot Defense profile on the same virtual server
871905-3	3-Major		Incorrect masking of parameters in event log
789817-2	4-Minor		In rare conditions info fly-out not shown

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
902485-4	3-Major		Incorrect pool member concurrent connection value

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
811965-1	2-Critical		Some VDI use cases can cause excessive resource consumption

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
811105-2	2-Critical		MRF SIP-ALG drops SIP 183 and 200 OK messages
904373-2	3-Major		MRF GenericMessage:Implement limit to message queues size
900905-2	3-Major		TMM may crash while processing SIP data
876953-3	3-Major		Tmm crash while passing diameter traffic
876077-2	3-Major		MRF DIAMETER: stale pending retransmission entries may not be cleaned up
868381-2	3-Major		MRF DIAMETER: Retransmission queue unable to delete stale entries
866021-2	3-Major		Diameter Mirror connection lost on the standby due to "process ingress error"
842625-4	3-Major		SIP message routing remembers a 'no connection' failure state forever
824149-4	3-Major		SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
817369-1	3-Major		TCP, UDP, and SCTP proxy converts to GEO proxy when georedundancy profile is attached with virtual server.
815877-3	3-Major		Information Elements with zero-length value are rejected by the GTP parser
763157-1	3-Major		MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped
761685-2	3-Major		Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set
760370-1	3-Major		MRF SIP ALG with SNAT: Next active ingress queue filling
759077-1	3-Major		MRF SIP filter queue sizes not configurable
836357-4	4-Minor		SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
788513-1	4-Minor		Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
760930-3	4-Minor		MRF SIP ALG with SNAT: Added additional details to log events

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
818309-1	3-Major		'tmsh list' / 'tmsh list security' hangs when AFM / Herculon DDoS Hybrid Defender are not provisioned
780837-2	3-Major		Firewall rule list configuration causes config load failure

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
839597-5	3-Major		Restjavad fails to start if provision.extramb has large value
837773-1	3-Major		Restjavad Storage and Configuration Hardening

Cumulative fixes from BIG-IP v15.0.1.3 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
846917-2	CVE-2019-10744	K47105354	lodash Vulnerability: CVE-2019-10744
819197-3	CVE-2019-13135	K20336394	BIGIP: CVE-2019-13135 ImageMagick vulnerability
819189-2	CVE-2019-13136	K03512441	BIGIP: CVE-2019-13136 ImageMagick vulnerability
794561-2	CVE-2020-5874	K46901953	TMM may crash while processing JWT/OpenID traffic.
873469-3	CVE-2020-5889	K24415506	APM Portal Access: Base URL may be set to incorrectly
864109-2	CVE-2020-5889	K24415506	APM Portal Access: Base URL may be set to incorrectly
838881-2	CVE-2020-5853	K73183618	APM Portal Access Vulnerability: CVE-2020-5853
832021-2	CVE-2020-5888	K73274382	Port lockdown settings may not be enforced as configured
832017-2	CVE-2020-5887	K10251014	Port lockdown settings may not be enforced as configured
782529-1	CVE-2019-6685	K30215839	iRules does not follow current design best practices
761144-3	CVE-2019-6684	K95117754	Broadcast frames may be dropped
745103-7	CVE-2018-7159	K27228191	NodeJS Vulnerability: CVE-2018-7159
868097-2	CVE-2020-5891	K58494243	TMM may crash while processing HTTP/2 traffic
779177-1	CVE-2019-19150	K37890841	Apmd logs "client-session-id" when access-policy debug log level is enabled
738236-6	CVE-2019-6688	K25607522	UCS does not follow current best practices

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
890421-1	3-Major		New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers★
769193-6	3-Major		Added support for faster congestion window increase in slow-start for stretch ACKs
788269-4	4-Minor		Adding toggle to disable AVR widgets on device-groups

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
747203-1	2-Critical		Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
877145-3	3-Major		Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException
866925-4	3-Major		The TMM pages used and available can be viewed in the F5 system stats MIB
852001-2	3-Major		High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously
812981-5	3-Major		MCPD: memory leak on standby BIG-IP device
793121-4	3-Major		Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
766329-1	3-Major		SCTP connections do not reflect some SCTP profile settings
764873-1	3-Major		An accelerated flow transmits packets to a dated, down pool member.
758527-1	3-Major	K39604784	BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
758387-1	3-Major		BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
860881-2	2-Critical		TMM can crash when handling a compressed response from HTTP server
853329-3	2-Critical		HTTP explicit proxy can crash TMM when used with classification profile
826601-6	2-Critical		Prevent receive window shrinkage for looped flows that use a SYN cookie
813561-4	2-Critical		MCPD crashes when assigning an iRule that uses a proc
791057-2	2-Critical		MCP may crash when traffic matching criteria is updated
774913-3	2-Critical		IP-based bypass can fail if SSL ClientHello is not accepted
853613-3	3-Major		Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
847325-2	3-Major		Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior.
814761-1	3-Major		PostgreSQL monitor fails on second ping with count != 1
809701-1	3-Major		Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist
805017-1	3-Major		DB monitor marks pool member down if no send/recv strings are configured
773821-2	3-Major		Certain plaintext traffic may cause SSLO to hang
758992-3	3-Major		The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
757827	3-Major		Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
755727-1	3-Major		Ephemeral pool members not created after DNS flap and address record changes
750278-5	3-Major	K25165813	A sub-second timeout for the SSL alert-timeout option may be desirable in certain cases
617929-1	3-Major		Support non-default route domains
754003-4	4-Minor	K73202036	Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
772233-2	3-Major		IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
850673-2	3-Major		BD sends bad acks to the bd_agent for configuration
800453-4	3-Major		False positive virus violations
749184-1	3-Major		Added description of subviolation for the suggestions that enabled/disabled them
681010-5	3-Major	K33572148	'Referer' is not masked when 'Query String' contains sensitive parameter

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
838709-3	2-Critical		Enabling DoS stats also enables page-load-time
817065-1	2-Critical		Avrinstall crashes and admd restarts in endless loop when APM provision is Minimal★
870957-3	3-Major		"Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
863161-2	3-Major		Scheduled reports are sent via TLS even if configured as non encrypted
835381-2	3-Major		HTTP custom analytics profile 'not found' when default profile is modified
833113-4	3-Major		Avrd core when sending large messages via https
830073-1	3-Major		AVRD may core when restarting due to data collection device connection timeout
817649-3	3-Major		AVR statistics for NAT cannot be shown on multi-bladed machine
797785-1	3-Major		AVR reports no ASM-Anomalies data.
792265-2	3-Major		Traffic logs does not include the BIG-IQ tags
787677-4	3-Major		AVRD stays at 100% CPU constantly on some systems
781581-2	3-Major		Monpd uses excessive memory on requests for network_log data
771025-4	3-Major		AVR send domain names as an aggregate
865053-2	4-Minor		AVRD core due to a try to load vip lookup when AVRD is down
863069-2	4-Minor		Avrmail timeout is too small

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
871761-3	2-Critical		Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
788593-1	2-Critical	K43404365	APM logs may contain additional data
866685-2	3-Major		Empty HSTS headers when HSTS mode for HTTP profile is disabled
866161-2	3-Major		Client port reuse causes RST when the security service attempts server connection reuse.
853325-2	3-Major		TMM Crash while parsing form parameters by SSO.
852313-3	3-Major		VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
850277-2	3-Major		Memory leak when using OAuth
844781-2	3-Major		[APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection
844281-2	3-Major		[Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.
832569-1	3-Major		APM end-user connection reset
831781-3	3-Major		AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode
825805-2	3-Major		NTLM Auth may fail due to incorrect handling of EPM response★
803825-2	3-Major		WebSSO does not support large NTLM target info length
802381-1	3-Major		Localdb authentication fails
798261-1	3-Major		APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
794585-1	3-Major		User cannot log in after license reactivation on vCMP host
775621-1	3-Major		urldb memory grows past the expected ~3.5GB
774301-5	3-Major		Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
768025-3	3-Major		SAML requests/responses fail with "failed to find certificate"
761303-1	3-Major		Upgrade of standby BIG-IP system results in empty Local Database
759392-1	3-Major		HTTP_REQUEST iRule event triggered for internal APM request
744407-2	3-Major		While the client has been closed, iRule function should not try to check on a closed session
741222-1	3-Major		Install epsec1.0.0 into software partition.★
706782-4	3-Major		Inefficient APM processing in large configurations.

WebAccelerator Fixes

ID Number	Severity	Solution Article(s)	Description
833213-2	3-Major		Conditional requests are served incorrectly with AAM policy in webacceleration profile

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
771173-4	3-Major		FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
815649-2	3-Major		Named.config entry getting overwriting on SSL Orchestrator deployment

Cumulative fixes from BIG-IP v15.0.1.2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
846365-2	CVE-2020-5878	K35750231	TMM may crash while processing IP traffic
846157-2	CVE-2020-5862	K01054113	TMM may crash while processing traffic on AWS
817917-2	CVE-2020-5856	K00025388	TMM may crash when sending TCP packets

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
834857	3-Major		Azure walinuxagent has been updated to v2.2.42.

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
804313-1	3-Major		MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.

Cumulative fixes from BIG-IP v15.0.1.1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
818429-5	CVE-2020-5857	K70275209	TMM may crash while processing HTTP traffic
808301-4	CVE-2019-6678	K04897373	TMM may crash while processing IP traffic
805837-1	CVE-2019-6657	K22441651	REST does not follow current design best practices
802261-1	CVE-2020-5875	K65372933	TMM may crash while processing SSL traffic via an HTTP/2 full-proxy
795437-5	CVE-2019-6677	K06747393	Improve handling of TCP traffic for iRules
795197-9	CVE-2019-11477, CVE-2019-11478, CVE-2019-11479	K26618426	Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
780601-1	CVE-2020-5873	K03585731	SCP file transfer hardening
778077-4	CVE-2019-6680	K53183580	Virtual to virtual chain can cause TMM to crash
771873-6	CVE-2019-6642	K40378764	TMSH Hardening
759343-7	CVE-2019-6668	K49827114	MacOS Edge Client installer does not follow best security practices
758065-5	CVE-2019-6667	K82781208	TMM may consume excessive resources while processing FIX traffic
757357-5	CVE-2019-6676	K92002212	TMM may crash while processing traffic
757023-8	CVE-2018-5743	K74009656	BIND vulnerability CVE-2018-5743
753975-4	CVE-2019-6666	K92411323	TMM may crash while processing HTTP traffic with webacceleration profile
636400-4	CVE-2019-6665	K26462555	CPB (BIG-IP->BIGIQ log node) Hardening
810657-3	CVE-2019-6674	K21135478	Tmm core while using service chaining for SSLO
810537-1	CVE-2020-5883	K12234501	TMM may consume excessive resources while processing iRules
795797-1	CVE-2019-6658	K21121741	AFM WebUI Hardening
788773-1	CVE-2019-9515	K50233772	HTTP/2 Vulnerability: CVE-2019-9515
788769-1	CVE-2019-9514	K01988340	HTTP/2 Vulnerability: CVE-2019-9514
788033-2	CVE-2020-5851	K91171450	tpm-status may return "Invalid" after engineering hotfix installation
781449-1	CVE-2019-6672	K14703097	Increase efficiency of sPVA DoS protection on wildcard virtual servers
777737-1	CVE-2019-6671	K39225055	TMM may consume excessive resources when processing IP traffic
773673-1	CVE-2019-9512	K98053339	HTTP/2 Vulnerability: CVE-2019-9512
768981-1	CVE-2019-6670	K05765031	vCMP Hypervisor Hardening
761014-1	CVE-2019-6669	K11447758	TMM may crash while processing local traffic
798249-1	CVE-2019-6673	K81557381	TMM may crash while processing HTTP/2 requests
789893-1	CVE-2019-6679	K54336216	SCP file transfer hardening
773653-7	CVE-2019-6656	K23876153	APM Client Logging
773649-7	CVE-2019-6656	K23876153	APM Client Logging
773641-7	CVE-2019-6656	K23876153	APM Client Logging
773637-7	CVE-2019-6656	K23876153	APM Client Logging
773633-7	CVE-2019-6656	K23876153	APM Client Logging
773621-7	CVE-2019-6656	K23876153	APM Client Logging
756571	CVE-2018-17972	K27673650	CVE-2018-17972: Linux kernel vulnerability
759536-1	CVE-2019-8912	K31739796	Linux kernel vulnerability: CVE-2019-8912

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
819397	1-Blocking	K50375550	TMM does not enforce RFC compliance when processing HTTP traffic
759135-1	3-Major		AVR report limits are locked at 1000 transactions

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
819089	1-Blocking	K63920829	Manually licensing a versioned VE license through the GUI fails to activate the license★
806093-2	2-Critical		Unwanted LDAP referrals slow or prevent administrative login
796113-1	2-Critical		Unable to load 14.1.0 config on 15.0.0 for a virtual server using a port/address list★
793045-1	2-Critical		File descriptor leak in net-snmpd while reading /shared/db/cluster.conf
780817-6	2-Critical		TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
767877-4	2-Critical		TMM core with Bandwidth Control on flows egressing on a VLAN group
809205-4	3-Major		CVE-2019-3855: libssh2 Vulnerability
797609-1	3-Major		Creating or modifying some virtual servers to use an address or port list may result in a warning message
794501-1	3-Major		Duplicate if_indexes and OIDs between interfaces and tunnels
788557-6	3-Major		BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
788301-6	3-Major	K58243048	SNMPv3 Hardening
784733-4	3-Major		GUI LTM Stats page freezes for large number of pools
783113-5	3-Major		BGP sessions remain down upon new primary slot election
777261-5	3-Major		When SNMP cannot locate a file it logs messages repeatedly
770657-1	3-Major		On hardware platforms with ePVA, some valid traffic is blocked when in L2 transparent mode and syn cookies are enabled
761993-1	3-Major		The nsm process may crash if it detects a nexthop mismatch
761160-1	3-Major		OpenSSL vulnerability: CVE-2019-1559
760680-2	3-Major		TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed.
760439-5	3-Major		After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
760164	3-Major		BIG-IP VE Compression Offload HA action requires modification of db variable
759499-1	3-Major		Upgrade from version 12.1.3.7 to version 14.1.0 failing with error★
758781-4	3-Major		iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
758119-7	3-Major	K58243048	qkview may contain sensitive information
738943-2	3-Major		imish command hangs when ospfd is enabled
724109-1	3-Major		Manual config-sync fails after pool with FQDN pool members is deleted
776073-2	4-Minor		OOM killer killing tmm in system low memory condition as process OOM score is high
755018-1	4-Minor		Egress traffic processing may be stopped on one or more VE trunk interfaces

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
816273-1	1-Blocking		L7 Policies may execute CONTAINS operands incorrectly.
839749-1	2-Critical		Virtual server with specific address list might fail to create via GUI
831325-1	2-Critical	K10701310	HTTP PSM detects more issues with Transfer-Encoding headers
825561-1	2-Critical		TMM may core in a rare condition serving an HTTP response
824881-1	2-Critical		A rare TMM crash cause by the fix for ID 816625
816625-2	2-Critical		The TMM may crash in a rare scenario involving HTTP unchunking, and plugins.
810801-1	2-Critical		TMM may core in a rare condition when tearing down a connection
800369-1	2-Critical		The fix for ID 770797 may cause a TMM crash
800305-1	2-Critical		VDI::cmp_redirect generates flow with random client port
794153-1	2-Critical		TMM may core in a rare condition when handling an HTTP request
787825-1	2-Critical	K58243048	Database monitors debug logs have plaintext password printed in the log file
759968-4	2-Critical		Distinct vCMP guests are able to cluster with each other.
757578-1	2-Critical		RAM cache is not compatible with verify-accept
834373-4	3-Major		Possible handshake failure with TLS 1.3 early data
830797-1	3-Major		Standby high availability (HA) device passes traffic through virtual wire
815449-1	3-Major		BIG-IP closes connection when an unsized response is served to a HEAD request
809729-1	3-Major		When HTTP/2 stream is reset by a client, BIG-IP may not respond properly
795261-1	3-Major		LTM policy does not properly evaluate condition when an operand is missing
790205-4	3-Major		Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
788325-1	3-Major	K39794285	Header continuation rule is applied to request/response line
787821-1	3-Major		httprouter may deadlock
785481-1	3-Major		A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
784565-1	3-Major		VLAN groups are incompatible with fast-forwarded flows
773421-4	3-Major		Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
772545-4	3-Major		Tmm core in SSLO environment
769801-2	3-Major		Internal tmm UDP filter does not set checksum
761185-1	3-Major	K50375550	Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
754525-2	3-Major		Disabled virtual server accepts and serves traffic after restart
726176-1	3-Major		Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
714372-4	3-Major		Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
830833-1	4-Minor		HTTP PSM blocking resets should have better log messages
824365-4	4-Minor		Need informative messages for HTTP iRule runtime validation errors
806085-1	4-Minor		In-TMM MQTT monitor is not working as expected
787905-5	4-Minor		Improve initializing TCP analytics for FastL4
769309-1	4-Minor		DB monitor reconnects to server on every probe when count = 0
747628-7	4-Minor		BIG-IP sends spurious ICMP PMTU message to server

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
781637-1	3-Major		ASM brute force counts unnecessary failed logins for NTLM
781605-4	3-Major		Fix RFC issue with the multipart parser
781069-1	3-Major		Bot Defense challenge blocks requests with long Referer headers
778681-1	3-Major		Factory-included Bot Signature update file cannot be installed without subscription★
778261-1	3-Major		CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate
773553-1	3-Major		ASM JSON parser false positive.
769997	3-Major		ASM removes double quotation characters on cookies
769981-1	3-Major		bd crashes in a specific scenario
764373-4	3-Major		'Modified domain cookie' violation with multiple enforced domain cookies with different paths
727107-5	3-Major		Request Logs are not stored locally due to shmem pipe blockage
803445-2	4-Minor		When adding several mitigation exceptions, the previously configured actions revert to the default action
795769-4	4-Minor		Incorrect value of Systems in system-supplied signature sets
772473-4	4-Minor		Request reconstruct issue after challenge
765413-3	4-Minor		ASM cluster syncs caused by PB ignored suggestions updates
761231-1	4-Minor	K79240502	Bot Defense Search Engines getting blocked after configuring DNS correctly
761088-2	4-Minor		Remove policy editing restriction in the GUI while auto-detect language is set
769061-1	5-Cosmetic		Improved details for learning suggestions to enable violation/sub-violation

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
756102-1	2-Critical		TMM can crash with core on ABORT signal due to non-responsive AVR code
760356-1	3-Major		Users with Application Security Administrator role cannot delete Scheduled Reports

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
811145-1	2-Critical		VMware View resources with SAML SSO are not working
797541-2	2-Critical	K05115516	NTLM Auth may fail when user's information contains SIDS array
784989-1	2-Critical		TMM may crash with panic message: Assertion 'cookie name exists' failed
777173-1	2-Critical		Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
815753-1	3-Major		TMM leaks memory when explicit SWG is configured with Kerberos authentication
788417-1	3-Major		Remote Desktop client on macOS may show resource auth token on credentials prompt
786173-2	3-Major		UI becomes unresponsive when accessing Access active session information
783817-1	3-Major		UI becomes unresponsive when accessing Access active session information
782569-2	3-Major		SWG limited session limits on SSLO deployments
774633-1	3-Major		Memory leak in tmm when session db variables are not cleaned up
774213-2	3-Major		SWG session limits on SSLO deployments
769853-1	3-Major	K24241590	Access Profile option to restrict connections from a single client IP is not honored for native RDP resources
766577-1	3-Major		APMD fails to send response to client and it already closed connection.
757781-4	3-Major		Portal Access: cookie exchange may be broken sometimes
697590-1	3-Major		APM iRule ACCESS::session remove fails outside of Access events
807509-1	4-Minor		SWG license does not get released for sessions created through iRules

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
825013-2	3-Major		GENERICMESSAGE::message's src and dst may get cleared in certain scenarios
811745-1	3-Major		Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
786565-1	4-Minor		MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
761234-1	3-Major		Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached
738284-1	3-Major		Creating or deleting rule list results in warning message: Schema object encode failed
760355-2	4-Minor		Firewall rule to block ICMP/DHCP from 'required' to 'default'★

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
821133-1	3-Major		Wrong wildcard URL matching when none of the configured URLS include QS
804185-1	3-Major		Some WebSafe request signatures may not work as expected
787601-1	3-Major		Unable to add 'Enforce' parameter if already configured in different URL
783565-1	3-Major		Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP
775013-1	3-Major		TIME EXCEEDED alert has insufficient data for analysis

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
803477-3	3-Major		BaDoS State file load failure when signature protection is off

Protocol Inspection Fixes

ID Number	Severity	Solution Article(s)	Description
795329-3	3-Major		IM installation fails if 'auto-add-new-inspections' enabled on profile★

Cumulative fixes from BIG-IP v15.0.1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
807477-1	CVE-2019-6650	K04280042	ConfigSync Hardening
797885-1	CVE-2019-6649	K05123525	ConfigSync Hardening
796469-3	CVE-2019-6649	K05123525	ConfigSync Hardening
810557-1	CVE-2019-6649	K05123525	ASM ConfigSync Hardening
809377-1	CVE-2019-6649	K05123525	AFM ConfigSync Hardening
799617-1	CVE-2019-6649	K05123525	ConfigSync Hardening
799589-1	CVE-2019-6649	K05123525	ConfigSync Hardening
794389-4	CVE-2019-6651	K89509323	iControl REST endpoint response inconsistency
794413-1	CVE-2019-6471	K10092301	BIND vulnerability CVE-2019-6471
793937-2	CVE-2019-6664	K03126093	Management Port Hardening

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
744937-2	3-Major	K00724442	BIG-IP DNS and GTM DNSSEC security exposure

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
808129-2	2-Critical		Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.
798949-2	3-Major		Config-Sync fails when Config-Sync IP configured to management IP

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
811333-5	3-Major		Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile★

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
777937-1	1-Blocking		AWS ENA: packet drops due to bad checksum

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
753485-3	3-Major		AVR global settings are being overridden by HA peers

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
757306-1	2-Critical		SNMP MIBS for AFM NAT do not yet exist

Protocol Inspection Fixes

ID Number	Severity	Solution Article(s)	Description
808849	3-Major		Can't load keyword definition (ips-inspection-compliance.subscription) on upgrade from v14.1.0.5 to v15.0.0★

Cumulative fix details for BIG-IP v15.0.1.4 that are included in this release

911629-1 : Manual upload of LiveUpdate image file results in NULL response

Component: Application Security Manager

Symptoms:
When uploading a LiveUpdate image file from the GUI, the upload fails.

In /var/log/restjavad.0.log you see the following error:

[SEVERE][768][25 May 2020 05:38:20 UTC][com.f5.rest.workers.liveupdate.LiveUpdateFileTransferWorker] null

Conditions:
LiveUpdate images are uploaded manually.

Impact:
LiveUpdate images fail to upload.

Workaround:
1. Upload the file to LiveUpdate files directory '/var/lib/hsqldb/live-update/update-files' on the host.

2. Send a POST request with the filename for inserting the file to the LiveUpdate
database:
* url : https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/update-files
* payload - json:
{ "filename": "<FILE_NAME>",
  "fileLocationReference": {"link": "<FILE_NAME>"}}

3. Get the file link reference:
   https://{{big_ip1}}/mgmt/tm/live-update/asm-attack-signatures/update-files?$filter=filename eq '<FILE_NAME>'

4. From the response copy the "selfLink" part :
   "selfLink": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"

5. Create a POST request with the value above for creating a new installation record:
* url : https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations
* payload - json:
{ "updateFileReference": {
        "link": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"}
}

6. Now the file is available to install it from the GUI.

7. Another option is to install it via the PATCH request and the installation_id from the response received at step 5:
* url: https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations/<INSTALLATION_ID>
* payload: { "status" : "install" }

909237-5 : CVE-2020-8617: BIND Vulnerability

Solution Article: K05544642

909233-5 : DNS Hardening

Solution Article: K97810133

905905-2 : TMUI CSRF vulnerability CVE-2020-5904

Solution Article: K31301245

904373-2 : MRF GenericMessage:Implement limit to message queues size

Component: Service Provider

Symptoms:
The GenericMEssage filter does not have a configurable limit to the number of messages that can be received.

Conditions:
If a message is waiting for an asynchronous iRule operation during GIENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages will be placed in wither the ingress or egress queue. As the number of messages increase, more memory is required.

Impact:
If too many messages are queued, the system may exceed an internal count which could lead to a core.

Workaround:
NA

Fix:
The existing max_pemnding_messages attribute of the message router profile is used to limit the side of the queues.

902485-4 : Incorrect pool member concurrent connection value

Component: Application Visibility and Reporting

Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.

Conditions:
This is encountered when viewing the pool-traffic report.

Impact:
Incorrect stats reported in the pool-traffic report table

Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:

From this:
formula=round(sum(server_concurrent_conns),2)

Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)

Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.

900905-2 : TMM may crash while processing SIP data

Component: Service Provider

Symptoms:
Under certain conditions, TMM may crash while processing SIP data

Conditions:
-SIP ALG profile enabled.

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes SIP traffic as expected.

900797-3 : Brute Force Protection (BFP) hash table entry cleanup

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.

Workaround:
N/A

Fix:
Mitigated entries are kept in the hash table.

900793-5 : APM Brute Force Protection resources do not scale automatically

Component: Application Security Manager

Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.

Conditions:
-- Many virtual server (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.

Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.

Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.

Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.

900789-3 : Alert before Brute Force Protection (BFP) hash are fully utilized

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.

Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.

Impact:
No alert is sent when entries are evicted.

Workaround:
None.

Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.

900757-3 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

898949-2 : APM may consume excessive resources while processing VPN traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, APM may consume excessive resources while processing VPN traffic

Conditions:
-APM provisioned
-VPN clients connected

Impact:
Excessive resources consumption, potentially leading to a TMM crash and failover event.

Workaround:
None.

Fix:
APM now processes VPN traffic as expected.

895993-3 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

895981-3 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

895881-2 : BIG-IP TMUI XSS vulnerability CVE-2020-5903

Solution Article: K43638305

895525-3 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

892385-1 : HTTP does not process WebSocket payload when received with server HTTP response

Component: Local Traffic Manager

Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.

Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.

Impact:
-- WebSocket connection hangs.

Workaround:
None.

Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.

891721-2 : Anti-Fraud Profile URLs with query strings do not load successfully

Component: TMOS

Symptoms:
When a URL containing a query string is added to an anti-fraud profile, the BIG-IP config load fails:

010719d8:3: Anti-Fraud URL '/url\?query=string' is invalid. Every protected URL should be a valid non-empty relative path specified in lower case in the case insensitive Anti-Fraud profile '/Common/antifraud'.
Unexpected Error: Loading configuration process failed.

Conditions:
Adding a query string to a URL for an anti-fraud profile.

Impact:
After a BIG-IP config save, loading of new bigip.conf fails.

Workaround:
Follow this procedure:

1. Remove the escaping characters \ (backslash) for ? (question mark) in the bigip.conf file.
2. Load the configuration.

Fix:
The issue has been fixed: Now Anti-fraud profile URLs support query strings such as /uri?query=data, and they can be successfully loaded.

891477-2 : No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server

Component: TMOS

Symptoms:
When a bandwidth control policy is applied on a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Both static bandwidth control policies and dynamic bandwidth control policies can cause the problem.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a bandwidth control policy.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None.

891457-3 : NIC driver may fail while transmitting data

Component: TMOS

Symptoms:
In certain VE configurations, the NIC driver may fail and leave TMM in a state where it cannot transmit traffic.

Conditions:
-Virtual Edition.
-SRIOV enabled on a VMware hypervisor.
-Intel 82599 NIC.

Impact:
TMM is unable to transmit traffic, potentially leading to a failover event.

Workaround:
None.

Fix:
The VE NIC driver now processes traffic as expected.

890421-1 : New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers★

Component: TMOS

Symptoms:
The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217

Conditions:
When 15.0.1.2 is upgraded to 15.1.0 then the traps would be renumbered.

Impact:
This may be confusing for SNMP clients expecting specific trap IDs.

Workaround:
None.

Fix:
The traps have been correctly numbered in 15.0.1.3.

Behavior Change:
New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers. These traps will be renumbered when you upgrade 15.0.1.2 to 15.1.0.

The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217

888493-3 : ASM GUI Hardening

Component: Application Security Manager

Symptoms:
The ASM GUI does not follow current best practices.

Conditions:
-ASM provisioned.
-WebUI administrative user.

Impact:
ASM WebUI does not does not follow current best practices.

Workaround:
N/A

Fix:
ASM WebUI does now follows current best practices.

888489-3 : ASM UI hardening

Component: Application Security Manager

Symptoms:
The ASM UI for DOS profile does not follow current best practices.

Conditions:
-ASM provisioned.

Impact:
The ASM UI for DOS profile does not follow current best practices.

Workaround:
N/A

Fix:
The ASM UI for DOS profile now follows current best practices.

888417-7 : Apache Vulnerability: CVE-2020-8840

Solution Article: K15320518

887637-3 : Systemd-journald Vulnerability: CVE-2019-3815

Solution Article: K22040951

886689-5 : Generic Message profile cannot be used in SCTP virtual

Component: TMOS

Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:

01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)

Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.

Impact:
You are unable to combine the Generic Message profile with the SCTP profile.

Fix:
Generic Message profile can be used in SCTP virtual

886085-4 : TMM may crash while processing UDP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing internally generated UDP traffic.

Conditions:
None.

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes internally generated UDP traffic as expected.

883717-2 : BD crash on specific server cookie scenario

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
Server sends many domain cookies with different domains or paths.

Impact:
Traffic distraction, failover.

Workaround:
There is no workaround, except changing the server's cookies.

Fix:
BD does not crash when server sets many different attributes.

882557-3 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)

Component: TMOS

Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:

ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.

Impact:
TMM continually restarts.

Workaround:
Use the sock driver instead of virtio.

In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:

# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]

Configure a socket driver:

echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl

Reboot the instance

880753-2 : Possible issues when using DoSL7 and Bot Defense profile on the same virtual server

Component: Application Security Manager

Symptoms:
When DoSL7 and Bot Defense profiles are configured together on the same Virtual Server, some requests might not be handled by the Bot Defense profile.

Conditions:
-- DoSL7 profile is attached to the virtual server (with Application).
-- Bot Defense profile is attached to the virtual server.
-- Another security module is attached to the virtual server (WebSafe, MobileSafe, ASM).

Impact:
Some requests might not be processed by the Bot Defense profile.

Workaround:
Disable dosl7.idle_fast_path:
tmsh modify sys db dosl7.idle_fast_path value disable

Fix:
The mechanism which caused this issue is now correctly enabled.

877145-3 : Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException

Component: TMOS

Symptoms:
You are unable to log in to iControl REST via /mgmt/toc/.
Also a NullPointerException is logged to /var/log/restjavad log.

Conditions:
This can be encountered intermittently while using iControl REST.

Impact:
Login failure.

Workaround:
None.

Fix:
Fixed an issue related to authenticating to the iControl REST endpoint /mgmt/TOC.

876953-3 : Tmm crash while passing diameter traffic

Component: Service Provider

Symptoms:
Tmm crashes with the following log message.

-- crit tmm1[11661]: 01010289:2: Oops @ 0x2a3f440:205: msg->ref > 0.

Conditions:
This can be encountered while passing diameter traffic when one or more of the pool members goes down and retransmissions occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash while passing diameter traffic.

876077-2 : MRF DIAMETER: stale pending retransmission entries may not be cleaned up

Component: Service Provider

Symptoms:
DIAMETER router messages queued for retransmission may not be deleted until the connection closes.

Conditions:
-- Diameter transmission setting is enabled and a DIAMETER message is queued for retransmission.
-- The retransmission for the message is not triggered

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.

Fix:
Stale pending retransmission entries are cleaned up properly.

873469-3 : APM Portal Access: Base URL may be set to incorrectly

Solution Article: K24415506

872673-2 : TMM can crash when processing SCTP traffic

Component: TMOS

Symptoms:
Under certain conditions, TMM may crash while processing SCTP traffic.

Conditions:
-- SCTP listener enabled.

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes SCTP traffic as expected.

871905-3 : Incorrect masking of parameters in event log

Component: Application Security Manager

Symptoms:
When using CSRF protection, sensitive parameters values can be masked incorrectly in the event log.

Conditions:
The request contains a CSRF token and sensitive parameters.

Impact:
Sensitive parameters values can be masked incorrectly in the event log.

Workaround:
None.

Fix:
Sensitive parameters values are now correctly masked in the event log when request contains CSRF token.

871761-3 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS

Component: Access Policy Manager

Symptoms:
APM virtual server user's GUI (e.g., 'Logon page') cannot be rendered by browsers.

Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.

Impact:
APM end users are unable to get a logon page.

Workaround:
Disable the XML profile for the APM virtual server.

Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.

871657-6 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S

Component: TMOS

Symptoms:
Mcpd restarts and produces a core file.

Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.

Impact:
Mcpd crash and restart results in high availability (HA) failover.

Workaround:
Use a lowercase 'a' or 's' as the flag value.

Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.

870957-3 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage

Component: Application Visibility and Reporting

Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.

Conditions:
No special conditions. Only viewing at the stats of TMM CPU in 'Security ›› Reporting : ASM Resources : CPU Utilization'. They will always be in wrong scale, but when the TMM has ~1% CPU usage, it will be presented as 100% CPU usage.

Impact:
Wrong scale is presented and might cause machine's state to be interpreted wrongly.

Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
    $ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
    Make sure that there are two lines modified, and that the modification is multiplying with 100 the denominator (i.e., actually dividing the TMM value with 100).
4. To make those changes take affect, run the following command:
    $ bigstart restart monpd

Fix:
Dividing the TMM value with 100 to fit correct scale.

868381-2 : MRF DIAMETER: Retransmission queue unable to delete stale entries

Component: Service Provider

Symptoms:
DIAMETER messages queued for retransmission that do not receive answer responses may be missed by the sweeper logic and not be deleted until the connection closes.

Conditions:
-- A DIAMETER message is queued for retransmission without a timeout to tigger retransmission.
-- No answer response is received.

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.

Fix:
The retransmission queue has been fixes so all stale messages are deleted as expected.

868097-2 : TMM may crash while processing HTTP/2 traffic

Solution Article: K58494243

866925-4 : The TMM pages used and available can be viewed in the F5 system stats MIB

Component: TMOS

Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.

Conditions:
When system resource decisions are being made, the information about memory usage is important.

Impact:
It is not feasible to query each BIG-IP device separately.

Workaround:
None.

Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.

866685-2 : Empty HSTS headers when HSTS mode for HTTP profile is disabled

Component: Access Policy Manager

Symptoms:
HTTP Strict-Transport-Security (HSTS) headers have an empty value for some APM Access Policy-generated responses.

Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS mode=disabled (which it is by default).
-- HTTP requests for APM renderer content, including CSS, JS, and image files from the webtop.

Impact:
Some audit scanners can consider the empty value of Strict-Transport-Security headers as a vulnerability. For browsers, the empty HSTS value equals no HSTS in response.

Workaround:
1. Enable HSTS mode for the HTTP profile.
2. Use an iRule to remove the empty HSTS header from responses:

when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header value "Strict-Transport-Security"] eq "" } {
        HTTP::header remove "Strict-Transport-Security"
    }
}

Fix:
When the HTTP profile is configured with HSTS mode=disabled, responses from APM renderer content are now sent without an HSTS header.

866161-2 : Client port reuse causes RST when the security service attempts server connection reuse.

Component: Access Policy Manager

Symptoms:
If the security service attempts server connection reuse, client port reuse causes RST on new connections.

Conditions:
-- Service profile is attached to virtual server.
or
-- SSL Orchestrator (SSLO) is licensed and provisioned and Service chain is added in the security policy.
-- Security service reuses server-side connection.
-- Client reuses the source port.

Impact:
The BIG-IP system or SSLO rejects new connection from clients when a client reuses the port.

Workaround:
None.

Fix:
The BIG-IP system or SSLO no longer rejects the client connection when the service tries to the reuse server connection and the client reuses the port.

866021-2 : Diameter Mirror connection lost on the standby due to "process ingress error"

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.

Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.

Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.

Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.

865053-2 : AVRD core due to a try to load vip lookup when AVRD is down

Component: Application Visibility and Reporting

Symptoms:
AVRD cores during startup.

Conditions:
Avrd receives a SIGTERM while it is starting.

Impact:
This can lead to an AVRD core.

Fix:
Added some more checks while loading new configuration. Suppose to reduce the frequent of these occurrences. Still can happen in very rare occasions.

864109-2 : APM Portal Access: Base URL may be set to incorrectly

Solution Article: K24415506

863161-2 : Scheduled reports are sent via TLS even if configured as non encrypted

Component: Application Visibility and Reporting

Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.

Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.

Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.

Fix:
The automatic TLS connection was introduced via udate of the phpmailer module. The current fix disables automatic behaviour such that encryption will be used according to BIG-IP configuration.

863069-2 : Avrmail timeout is too small

Component: Application Visibility and Reporting

Symptoms:
AVR report mailer times out prematurely and reports errors:

AVRExpMail|ERROR|2019-11-26 21:01:08 ECT|avrmail.php:325| PHPMailer exception while trying to send the report: SMTP Error: data not accepted.

Conditions:
Configure reports, which will be sent to e-mail

Impact:
Error response from SMTP server, and the report is not sent

Workaround:
Increase timeout in avrmail.php via bash commands

Fix:
The timeout was increased in avrmail.php

860881-2 : TMM can crash when handling a compressed response from HTTP server

Component: Local Traffic Manager

Symptoms:
TMM crashes while handling HTTP response

Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable compression on the server.

859089-6 : TMSH allows SFTP utility access

Solution Article: K00091341

858429-2 : BIG-IP system sending ICMP packets on both virtual wire interface

Component: Local Traffic Manager

Symptoms:
ICMP packets are forwarded to both virtual wire interface, which causes MAC-Flip on the connected switches.

Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.

Impact:
Traffic is disrupted in the network.

Workaround:
None.

858301-2 : HTTP RFC compliance now checks that the authority matches between the URI and Host header

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
It is possible to have an absolute URI with an authority different from that in the Host header. The HTTP profile by default does not verify that these are the same.

Conditions:
HTTP profile is enabled.
A request contains an absolute URI with an authority different from that in the Host header.

Impact:
HTTP requests with mismatched authority and Host headers are forwarded to back-end servers.

Workaround:
None.

Fix:
The HTTP RFC compliance option now rejects requests with an absolute URI that contains an authority different than that in the Host header.

HTTP PSM's "invalid host" option now checks that the authorities match between the URI and Host header.

858297-2 : HTTP requests with multiple Host headers are rejected if RFC compliance is enabled

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
HTTP requests with multiple Host headers may confuse servers. The HTTP parser currently uses the last header of a given name in a header block, whereas other software may not. This miss-match in parsing may lead to a security hole.

Note that many servers reject such requests. Such servers are not vulnerable to this kind of attack.

Conditions:
HTTP profile enabled.
Multiple Host headers exist in a HTTP request.

Impact:
HTTP requests with multiple host headers may be forwarded to back-end servers.

Workaround:
None.

Fix:
If HTTP RFC compliance is enabled on the HTTP profile, then a request that has multiple Host headers will be rejected.

HTTP PSM can now be configured to reject multiple Host headers.

858289-2 : HTTP parsing restrictions

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
When parsing HTTP the following non-compliant behavior was accepted:
White-space before a colon in a header name.

Conditions:
HTTP profile enabled.

Impact:
Non-compliant HTTP traffic is accepted and forwarded to pool members.

Workaround:
None.

Fix:
HTTP parsing was more lenient than that required by the RFC. HTTP parsing now is more strict.

858285-2 : HTTP parsing of Request URIs with spaces in them has changed

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
An HTTP request URI with a white-space character in it is malformed. The HTTP parser now will handle this as a HTTP/0.9 style request, rather than a HTTP/1.x request.

Conditions:
The uri in an HTTP request has a horizontal tab or space character within it.

Impact:
The detected HTTP version changes. HTTP version 0.9 may be blocked by other security modules. This allows detection and blocking of this kind of malformed HTTP requests.

Workaround:
None.

Fix:
HTTP request URI's with white-space in them are now parsed as HTTP/0.9 style requests. Such requests do not have headers, so only the first line will be emitted to the server.

Other security modules may disallow HTTP/0.9 style requests. In particular, if the HTTP profile RFC compliance option is enabled, then this form of request will be rejected.

858229-4 : XML with sensitive data gets to the ICAP server

Solution Article: K27551003

Component: Application Security Manager

Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.

Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.

Impact:
Sensitive data will reach the ICAP server.

Workaround:
No immediate workaround except policy related changes

Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.

Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.

When this is changed to 0 (using this command):
/usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.

858025-2 : Proactive Bot Defense does not validate redirected paths

Solution Article: K33440533

Component: Application Security Manager

Symptoms:
Under certain conditions, Proactive Bot Defense may redirect clients to an unvalidated path.

Conditions:
-Proactive Bot Defense enabled.

Impact:
Clients may be redirected to an unvalidated path.

Workaround:
None.

Fix:
Proactive Bot Defense now validates redirected paths as expected.

856961-1 : INTEL-SA-00201 MCE vulnerability CVE-2018-12207

Component: TMOS

Symptoms:
This is a known issue.
A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries. A privileged guest user may use this flaw to induce a hardware Machine Check Error on the host processor, resulting in a severe DoS scenario by halting the processor.

Conditions:
This is hardware issue and following processors are vulnerable.
Xeon
Pentium Gold
Core X-series
Core i
Celeron G

Impact:
A privileged guest user may use this flaw to induce a hardware Machine Check Error (MCE) that halts the host processor and results in a denial-of-service (DoS) scenario.

Workaround:
There is no workaround.

Fix:
Fix to mitigate CVE-2018-12207 has been included under linux kernel source.

853613-3 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp

Component: Local Traffic Manager

Symptoms:
A TCP connection hangs occasionally.

Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.

Impact:
TCP connections hangs, and data transfer cannot be completed.

Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.

Fix:
This release provides improved interaction between TCP's Verified Accept and Timestamps options and the tm.tcpsendrandomtimestamp setting.

853329-3 : HTTP explicit proxy can crash TMM when used with classification profile

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may serve HTTP traffic as forward proxy and use DNS resolver objects to provide a server to connect to for request processing. When a classification profile is attached to the virtual server, it may result in a TMM crash with regards to some HTTP requests.

Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile attached to the virtual server.

Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release prevents a condition causing this TMM crash.

853325-2 : TMM Crash while parsing form parameters by SSO.

Component: Access Policy Manager

Symptoms:
When a form is received in the response, TMM crashes when SSO identifies the form parameter, and logs the Form parameter value and type in SSOv2 form-based passthrough log.

Conditions:
-- When any of the form parameters that SSO receives in the response does not have a value.
-- Passthrough mode is enabled in SSO.

Impact:
TMM crash when Passthrough mode is enabled in SSO. Traffic disrupted while tmm restarts.

Workaround:
Do not use Passthrough mode with SSO.

Fix:
TMM does not crash when Passthrough mode is enabled in SSO, and SSO receives any valid form in a response.

852373-1 : HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error

Component: Local Traffic Manager

Symptoms:
HTTP/2 connection breaks and Tcl error is logged in /var/log/ltm similar to the following:

TCL error: /Common/http2_disable <CLIENT_ACCEPTED> - Unknown error (line 1) (line 1) invoked from within "HTTP2::disable".

Conditions:
Any of the following Tcl commands are used in any iRule event: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside.

Impact:
HTTP/2 traffic is not passed to the serverside.

Workaround:
Do not use the following Tcl commands: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside

Fix:
When the previously mentioned Tcl commands are used in appropriate HTTP iRule events, such as CLIENT_ACCEPTED, HTTP/2 filter is put into passthrough mode and traffic is delivered to the server.

852313-3 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured

Component: Access Policy Manager

Symptoms:
VMware Horizon clients cannot ,connect to APM and /var/log/apm contains hte following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431

Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.

Impact:
VMware Horizon client cannot connect to APM after some time.

Workaround:
None.

Fix:
Fixed an issue, where 'VMware View Logon Page' agent configured with 'Kerberos Authentication' does not process logon requests after some time.

852001-2 : High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously

Component: TMOS

Symptoms:
When using more than 4 BIG-IP devices connected in a device cluster, and adding 2 more devices to the trust domain, the mcpd processes of each device may get into a sync loop. This causes mcpd to reach up to 90% CPU utilization during this time, and causes other control-plane functionality to halt. This state may last 10-20 minutes in some cases, or continuous in other cases.

Conditions:
-- More than 4 BIG-IP devices are configured in a trust domain configuration.
-- Adding at least 2 more devices to the trust domain, one after the other, without waiting for the full sync to complete.
-- ASM, FPS, or DHD (DOS) is provisioned.

Impact:
High CPU utilization, GUI, TMSH, and REST API not responding or slow-responding, other system processes halted.

Workaround:
When adding a BIG-IP device to the trust domain, before adding any other device, wait a few minutes until the sync is complete, and no more sync logs display in /var/log/ltm.

Fix:
MCPD no longer utilizes high CPU resources when adding simultaneously 4 or more devices to CMI.

850673-2 : BD sends bad acks to the bd_agent for configuration

Component: Application Security Manager

Symptoms:
The bd_agents stops sending configuration in the middle of startup or a configuration change.
The policy maybe incomplete in the bd causing a wrong enforcement.

Conditions:
This is a rare issue and the exact conditions that trigger it are unknown.

Impact:
Bd_agent hangs or restarts which may cause a complete asm restart (and failover).
A partial policy may exist in bd causing improper enforcement.

Workaround:
Export and import the policy in case the policy is enforced incorrectly and un-assigning / re-assigning does not help.

Fix:
Fixed inconsistency scenario between bd and bd_agent.

850277-2 : Memory leak when using OAuth

Component: Access Policy Manager

Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.

Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.

Impact:
Memory leak occurs in which tmm memory usage increases.

Workaround:
None.

847325-2 : Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior.

Component: Local Traffic Manager

Symptoms:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions

Conditions:
A oneconnect profile is combined with certain persist profiles on a virtual server.

The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.

The persistence types that are affected are
Source Address (but not hash-algorithm carp)
Destination Address (but not hash-algorithm carp)
Universal
Cookie (only cookie hash)
Host
SSL session
SIP
Hash (but not hash-algorithm carp)

Impact:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions

846917-2 : lodash Vulnerability: CVE-2019-10744

Solution Article: K47105354

846365-2 : TMM may crash while processing IP traffic

Solution Article: K35750231

846157-2 : TMM may crash while processing traffic on AWS

Solution Article: K01054113

844781-2 : [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection

Component: Access Policy Manager

Symptoms:
SELinux policy does not allow the rewrite plugin to create a directory and write troubleshooting data into /var/tmp/WebAppTrace.

Conditions:
Collecting Portal Access web applications traces per K13384: Performing a web applications trace (11.x - 14.x) :: https://support.f5.com/csp/article/K13384

Impact:
Cannot collect Portal Access web applications troubleshooting data as it described in in that AskF5 Article.

Workaround:
Connect via SSH using the root account and run this command:
restorecon -Rv /var/tmp/WebAppTrace/

Fix:
Fixed an issue with an SELinux policy blocking Portal Access from processing web applications traces.

844281-2 : [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.

Component: Access Policy Manager

Symptoms:
Java applets are not patched when accessed through APM Portal Access.

/var/log/rewrite contains error messages similar to following:
-- notice rewrite - fm_patchers/java_patcher_engine/CryptoToolsManager.cpp:568 (0x1919ab0): CryptoToolsManager :: _ReadCA() - cannot open CA file.

/var/log/auditd/audit.log contains AVC denials for rewrite on attempt to read file under /config/filestore/.

Conditions:
Java patching is enabled via rewrite profile and Portal Access resource.

Impact:
Java applets cannot be patched by APM Portal Access rewriter.

Workaround:
None.

Fix:
Fixed an issue with SELinux policy blocking Portal Access code from reading Java Patcher certificates.

842865-3 : Add support for Auto MAC configuration (ixlv)

Component: TMOS

Symptoms:
Mac addresses are forced to be the same for ixlv trunks.

Conditions:
This happens when ixlv trunks are used.

Impact:
Mac addresses may not be as depicted on the device.

Workaround:
None.

Fix:
Unicast mac filters are used for ixlv trunks.

842625-4 : SIP message routing remembers a 'no connection' failure state forever

Component: Service Provider

Symptoms:
When SIP message routing fails to route to a pool member (Triggering a MR_FAILED, MR::message status of 'no connection'), The BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.

Conditions:
When BIG-IP systen fails to route messages to the peer (server) due to unavailability of route or any other issues.

Impact:
The BIG-IP system is never be able to establish connection to the peer.

Workaround:
None.

Fix:
SIP message routing now recovers from a 'no connection' failure state.

839749-1 : Virtual server with specific address list might fail to create via GUI

Component: Local Traffic Manager

Symptoms:
When a user tries to create a virtual server with address list, it might fail with below shown error:

01b90011:3: Virtual Server /Common/VS1's Traffic Matching Criteria /Common/testvs1 illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/testvs2 destination address, source address, service port.

Conditions:
-- One or more virtual servers that were created via the GUI already exist on the BIG-IP system.
-- Attempt to use the GUI to create another virtual server with address list.

Impact:
Cannot create the virtual server.

Workaround:
Create the virtual server via tmsh:

-- First create the traffic matching criteria using the address list.
-- Then use the traffic matching criteria to create a virtual server.

Fix:
You can now create virtual servers with address lists directly from the GUI.

839597-5 : Restjavad fails to start if provision.extramb has large value

Component: Device Management

Symptoms:
Rolling restarts of restjavad every few seconds typically due to failure to start and reports messages in daemon log:

daemon.log: emerg logger: Re-starting restjavad

The system reports similar message at the command line.

No obvious cause is logged in rest logs.

Conditions:
-- System DB variable provision.extramb has an unusually high value*:
+ above ~2700-2800MB for v12.1.0 and earlier.
+ above ~2900-3000MB for v13.0.0 and later.

-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'

*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.

To check the values of these system DB varaiables use:
tmsh list sys db provision.extramb

tmsh list sys db restjavad.useextramb

Impact:
This impacts the ability to use the REST API to manage the system

Workaround:
If needing sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB work without issue).

To set that at command line:

tmsh modify sys db provision.extrammb value 2000

If continual restarts of restjavad are causing difficulties managing the unit on the command line:

1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad

2. Reduce the large value of provision.extramb if necessary.

3. Restart the restjavad service:
tmsh start sys service restjavad

839401-2 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.

Component: Local Traffic Manager

Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).

Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.

Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.

Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.

Fix:
GARPs are sent out as expected.

838881-2 : APM Portal Access Vulnerability: CVE-2020-5853

Solution Article: K73183618

838709-3 : Enabling DoS stats also enables page-load-time

Component: Application Visibility and Reporting

Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.

Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.

Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.

Workaround:
Can use iRules to control which pages should get the JavaScript injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.

Fix:
Changed the condition that insert the JavaScript injection in case that "collect all dos stats" is enabled.

838677-2 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354

837837-1 : SSH Client Requirements Hardening

Component: TMOS

Symptoms:
In some configurations, BIG-IP systems allow the use of DSA keys for SSH authentication.

Conditions:
Terminal Access (SSH) enabled for users with DSA keys.

Impact:
DSA keys are allowed for authentication, exposing BIG-IP to the limitations of this key format, including potential compromise of the authenticated session.

Workaround:
For ssh key based authentications, DSA keys should not be used.

Fix:
ssh-dss is disabled from supported authentication methods. It can be enabled under BIGIP using command tmsh modify sys sshd { include '"HostKeyAlgorithms +ssh-dss"' }

Behavior Change:
ssh-dss is now disabled by default from supported SSH authentication methods. It can be explicitly enabled under BIG-IP using command: tmsh modify sys sshd { include '"HostKeyAlgorithms +ssh-dss"' }

837773-1 : Restjavad Storage and Configuration Hardening

Component: Device Management

Symptoms:
The restjavad component does not follow current best coding practices.

Conditions:
-REST endpoints in use

Impact:
The restjavad component does not follow current best coding practices.

Workaround:
None.

Fix:
The restjavad component now follows current best coding practices.

836357-4 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2

Component: Service Provider

Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.

Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.

Impact:
This causes the BIG-IP system to abort the flow that originates the message.

Workaround:
None.

Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.

835381-2 : HTTP custom analytics profile 'not found' when default profile is modified

Component: Application Visibility and Reporting

Symptoms:
Adding SMTP config to default HTTP analytics profile results in config parsing failures for child profiles that are assigned to virtual servers. Removing SMTP config resolves the issue. The 'tmsh load sys config' command fails with the following error:

-- 01020036:3: The requested profile (/Common/child-analytics) was not found.
-- Unexpected Error: Validating configuration process failed.

Conditions:
-- Child analytics profile applied to virtual server.
-- Parent analytics profile contains SMTP config.

Impact:
Loading configuration might fail.

Workaround:
None.

Fix:
The system now avoids setting SMTP field for child profiles on MCP validation when in load/merge phase.

834857 : Azure walinuxagent has been updated to v2.2.42.

Component: TMOS

Symptoms:
Some onboarding features are not available in the current version of walinuxagent.

Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.

Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.

Workaround:
None.

Fix:
The Azure walinuxagent has been updated to v2.2.42.

834373-4 : Possible handshake failure with TLS 1.3 early data

Component: Local Traffic Manager

Symptoms:
During TLS 1.3 early data handshake, a code alert and handshake failure may occur

Conditions:
TLS 1.3 with early data resumption.

Impact:
Handshake failure.

Workaround:
Turn off early data.

Fix:
Fixes a possible TLS 1.3 early data handshake failure and code alert.

833213-2 : Conditional requests are served incorrectly with AAM policy in webacceleration profile

Component: WebAccelerator

Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.

Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.

Impact:
Client does not receive an updated resource.

Workaround:
Use webacceleration profile without AAM policy for resources that require conditional checks falling back into Ramcache.

Fix:
The BIG-IP system now respects If-Modified-Since or If-Unmodified-Since header and provides an appropriate response for the requested resource when compared to the date supplied in either header.

833113-4 : Avrd core when sending large messages via https

Component: Application Visibility and Reporting

Symptoms:
When sending large messages (>4KB) via HTTPs may cause avrd to core.

Conditions:
This typically happens when BIG-IP is managed by BIG-IQ and configuration is large and complex or traffic capturing is enabled.

Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due contiguous AVRD cores.

Workaround:
None.

Fix:
Fixed an avrd crash

832569-1 : APM end-user connection reset

Component: Access Policy Manager

Symptoms:
When the URL being accessed exceeds a length of 8 KB, the BIG-IP resets the connection.

Conditions:
-- APM deployed with a per-request policy.
-- The per-request policy includes a category lookup.

Impact:
The APM end-user connection is reset, and the system posts an error message in /var/log/apm:

-- crit tmm[23363]: 01790601:2: [C] 10.62.118.27:65343 -> 65.5.55.254:443: Maximum URL size exceeded.

Workaround:
None.

832021-2 : Port lockdown settings may not be enforced as configured

Solution Article: K73274382

832017-2 : Port lockdown settings may not be enforced as configured

Solution Article: K10251014

831781-3 : AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode

Component: Access Policy Manager

Symptoms:
Both AD Query and LDAP Auth/Query fails.

Conditions:
-- AD Query Agent, LDAP Auth Agent, or LDAP Query Agent is configured in Per-Session or Per-Request Policy.
-- These agents are configured in Direct mode.
-- The AD and LDAP server address is configured as IPv6 address.

Impact:
Users may not be able to login to APM, and hence service is disrupted.

Workaround:
None.

Fix:
Users are now able to login to APM.

831325-1 : HTTP PSM detects more issues with Transfer-Encoding headers

Solution Article: K10701310

Component: Local Traffic Manager

Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.

Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.

Impact:
Traffic is not alarmed/blocked as expected.

Workaround:
None.

Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.

830833-1 : HTTP PSM blocking resets should have better log messages

Component: Local Traffic Manager

Symptoms:
When reset-cause logging is turned on, or when RST packet logging is used, the reset reason used when rejecting bad HTTP PSM traffic is not descriptive.

Conditions:
This occurs under either of these conditions:

-- HTTP PSM is used, and a request is blocked.
-- Reset cause or RST packet logging is enabled.

Impact:
The reset reason given is not descriptive, making troubleshooting difficult.

Workaround:
None.

Fix:
The reset reason used when rejecting HTTP PSM traffic is more descriptive.

830797-1 : Standby high availability (HA) device passes traffic through virtual wire

Component: Local Traffic Manager

Symptoms:
Virtual wire is forwarding traffic on standby resulting in traffic loops and potential network outage.

Conditions:
-- High availability (HA) configured.
-- Virtual wire configured.

Impact:
Standby device is passing traffic, which may create traffic loops and bring down the network.

Workaround:
Do not configure virtual wire on standby devices.

Fix:
Although you can create this configuration, the standby no longer forwards any traffic, which prevents the traffic loop and potential network outage.

830481-2 : SSL TMUI hardening

Component: TMOS

Symptoms:
The SSL TMUI does not implement current best practices.

Conditions:
-Authenticated administrative user accessing SSL TMUI,

Impact:
The SSL TMUI does not implement current best practices.

Fix:
The SSL TMUI now implements current best practices.

830401-2 : TMM may crash while processing TCP traffic with iRules

Solution Article: K54200228

830073-1 : AVRD may core when restarting due to data collection device connection timeout

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core

Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.

Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes

Workaround:
None.

Fix:
The AVRD HTTPS module now stops any connection attempts when shutdown sequence is in progress, so this issue no longer occurs.

826601-6 : Prevent receive window shrinkage for looped flows that use a SYN cookie

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Set the initial receive window value of the VIP to 3.

Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.

825805-2 : NTLM Auth may fail due to incorrect handling of EPM response★

Component: Access Policy Manager

Symptoms:
NTLM passthrough authentication may stop working after upgrade.

Conditions:
-- NTLM authentication configured.
-- Upgraded to a BIG-IP software version that contains the implementation for the Microsoft Internet Explorer feature, 'Enhanced protected mode' (EPM).
-- There are more than two protocol sequence towers included in the EPM response.

Impact:
APM end users cannot login.

Workaround:
None.

Fix:
The system can now parse EPM response as expected.

825597-2 : Cloud Security Services do not apply current best practices

Solution Article: K59957337

825561-1 : TMM may core in a rare condition serving an HTTP response

Component: Local Traffic Manager

Symptoms:
Sometimes when HTTP server receives a POST request, it can serve a response prior the whole request payload is arrived. When a response is chunked in some occasions TMM may fail to process it correctly.

Conditions:
-- The BIG-IP system has a virtual server configured with HTTP profile.
-- POST request is processing.
-- A chunked response is served before the whole request is received.
-- A Security Policy is applied to the virtual server.

Impact:
TMM cores, failover condition occurs, and traffic processing can be interrupted while tmm restarts.

Workaround:
None.

Fix:
The BIG-IP system now properly handles early chunked responses and does not allow TMM to core for this reason.

825013-2 : GENERICMESSAGE::message's src and dst may get cleared in certain scenarios

Component: Service Provider

Symptoms:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands may not work properly if iRule processing changes to a different TMM. These commands may return an empty string rather than correct data.

Conditions:
-- Using "GENERICMESSAGE::message src" and/or "GENERICMESSAGE::message dst" iRule commands.
-- iRule processing moves from one TMM to another TMM.

Impact:
Incorrect data returned from "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands.

Fix:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands now return correct data.

824881-1 : A rare TMM crash cause by the fix for ID 816625

Component: Local Traffic Manager

Symptoms:
In rare scenarios involving HTTP unchunking and plugins, the TMM may crash.

Conditions:
Software that contains the fix for ID 816625, which involves HTTP unchunking and some plugins, dynamically removing the unchunking logic when required.

Impact:
In addition, other plugin behavior may abort the unchunking logic in an unexpected way. This causes a double-abort, and triggers a TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM no longer crashes in a rare scenario involving HTTP unchunking and plugins.

824365-4 : Need informative messages for HTTP iRule runtime validation errors

Component: Local Traffic Manager

Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:

err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".

The system should post a more informative message, in this case:

err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"

Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.

Impact:
With no informative error messages, it is difficult to identify the validation error.

Workaround:
There is no workaround at this time.

Fix:
Informative messages are provided for HTTP iRule runtime validation errors.

824149-4 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured

Component: Service Provider

Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.

Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.

823893-1 : Qkview may fail to completely sanitize LDAP bind credentials

Solution Article: K03318649

822025-1 : HTTP response not forwarded to client during an early response

Component: Local Traffic Manager

Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.

Conditions:
-- A slow client.
-- early server response with the HTTP::respond iRule.

Impact:
A client does not receive the redirect from the HTTP::respond iRule.

Workaround:
None.

Fix:
The client now receives the redirect from the HTTP:respond iRule.

821133-1 : Wrong wildcard URL matching when none of the configured URLS include QS

Component: Fraud Protection Services

Symptoms:
Wildcard URLs has a flag (include_query_string) which indicates if the matching should include traffic URL's QS or not

For example, if the traffic URL is '/path?a=b' and configured URL is '/path*b':

1. if include QS enabled, URL is matched
2. otherwise, no match (since matching against '/path' only)

if there are no configured URLs with "Include Query String" enabled, matching may be wrong

Conditions:
1. Wildcard URL configured in anti-fraud profile (URL name contains an asterisk)
2. None of the configured URLs has "Include Query String" enabled
3. Traffic URL contains a query-string

Impact:
URL is incorrectly matched (when it either shouldn't be matched at all or should match another configured URL). Features/signatures might not work as expected.

Workaround:
Configure at least one URL with "Include Query String" enabled

Fix:
FPS should match query string correctly (according to configuration)

819397 : TMM does not enforce RFC compliance when processing HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.

Conditions:
-- HTTP virtual server
-- Non-compliant HTTP request from client

Impact:
Pool members may be exposed to non-compliant HTTP requests.

Workaround:
None.

Fix:
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.

Behavior Change:
A new BigDB variable has been added.

The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default.

If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.

The checks performed are a subset of those described within the HTTP PSM module. If a blocking page is required, or more detailed control over which checks are performed, configure HTTP PSM or ASM on the virtual server.

If either HTTP PSM or ASM are configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.

819197-3 : BIGIP: CVE-2019-13135 ImageMagick vulnerability

Solution Article: K20336394

819189-2 : BIGIP: CVE-2019-13136 ImageMagick vulnerability

Solution Article: K03512441

819089 : Manually licensing a versioned VE license through the GUI fails to activate the license★

Solution Article: K63920829

Component: TMOS

Symptoms:
The BIG-IP system does not activate a versioned BIG-IP VE (VE) license using the manual licensing process through the GUI.

Conditions:
Any VE license installed using the manual method that contains Exclusive_version for versioning.

Impact:
The BIG-IP system does not go active, as the license does not activate properly.

Workaround:
Use the CLI to paste the license file into /config/bigip.license then reload the license using 'reloadlic' in the bash shell.

Fix:
The system prevents using manual license installs through the GUI for versioned VE licenses.

818709-1 : TMSH does not follow current best practices

Solution Article: K36814487

818429-5 : TMM may crash while processing HTTP traffic

Solution Article: K70275209

818309-1 : 'tmsh list' / 'tmsh list security' hangs when AFM / Herculon DDoS Hybrid Defender are not provisioned

Component: Advanced Firewall Manager

Symptoms:
The 'tmsh list security' command hangs when ASM is provisioned and AFM or Herculon DDoS Hybrid Defender are licensed, but not provisioned.

Conditions:
This occurs when AFM and/or Herculon DDoS Hybrid Defender are licensed but not provisioned.

Impact:
The tmsh command hangs when running any of following commands:

- tmsh show running-config
- tmsh show running-config security
- tmsh show running-config security presentation tmui virtual-list
- tmsh list
- tmsh list security
- tmsh list security presentation tmui virtual-list

Workaround:
None.

Fix:
The tmsh list security command no longer hangs when ASM is provisioned and AFM/Herculon DDoS Hybrid Defender is not provisioned.

817917-2 : TMM may crash when sending TCP packets

Solution Article: K00025388

817649-3 : AVR statistics for NAT cannot be shown on multi-bladed machine

Component: Application Visibility and Reporting

Symptoms:
The system presents an error messagewhen trying to get AVR statistics for NAT:

Data Input Error: Database is unavailable.

Conditions:
Using AVR reports for NAT on a multi-bladed BIG-IP device.

Impact:
Cannot view AVR statistics for NAT.

Workaround:
1. Back up the file /etc/avr/monpd/monp_tmstat_fw_nat_entities.cfg

2. Run the following command:
sed -i 's/measures=/measures=period,/' /etc/avr/monpd/monp_tmstat_fw_nat_entities.cfg

3. Verify that the only change made to 'sed -i 's/measures=/measures=period,/' /etc/avr/monpd/monp_tmstat_fw_nat_entities.cfg' was adding a 'period,' to the list of measures (can be compared against the backup file).

4. Restart monpd (to pick up the changes):
bigstart restart monpd

Fix:
Fixed formula for statistics to allow using it on a multi-bladed BIG-IP device.

817417-2 : Blade software installation stalled at Waiting for product image★

Component: Local Traffic Manager

Symptoms:
On a chassis system where the active/primary blade is running version 14.1.0 or later and a new blade is inserted that has version 14.0.0 or lower, the secondary blades fail to receive the updated images and the installation stalls. The primary blade reports 'Waiting for product image' when running the tmsh show sys software status command.

Conditions:
Primary blade running version 14.1.0 or above.
Secondary running an earlier version is inserted.

Impact:
Newly inserted blade does not synchronize volumes with the primary blade and cannot be used.

The tmsh show sys software status command reports that one or more blades are in 'waiting for product image' status indefinitely.

Workaround:
Ensure all blades are running the same version. This can be accomplished manually by running the following command at the command prompt (this example is for new blade inserted at slot #3):

scp /shared/images/* slot3:/shared/images

817369-1 : TCP, UDP, and SCTP proxy converts to GEO proxy when georedundancy profile is attached with virtual server.

Component: Service Provider

Symptoms:
When a georedundancy profile is attached to a TCP, UDP, and SCTP virtual server, proxy does not convert to GEO proxy.

Conditions:
Attach georedundancy profile to a standard TCP, UDP, or SCTP virtual server.

Impact:
Unable to convert proxy to GEO proxy when georedundancy profile is attached with TCP, UDP and SCTP virtual

Workaround:
None.

817065-1 : Avrinstall crashes and admd restarts in endless loop when APM provision is Minimal★

Component: Application Visibility and Reporting

Symptoms:
During upgrade, avrinstall crashes, and then admd restarts repeatedly.

Conditions:
This occurred with the following provisioning:

-- APM: Minimal
-- ASM: Minimal

Impact:
Avrinstall crashes, and admd restarts in an endless loop. No stress-based anomaly detection or behavioral statistics aggregation.

Workaround:
Increase the APM provision to Nominal.

Fix:
Fixed an avrinstall crash related to low memory.

816625-2 : The TMM may crash in a rare scenario involving HTTP unchunking, and plugins.

Component: Local Traffic Manager

Symptoms:
The TMM crashes while passing traffic.

Conditions:
This occurs rarely on a Virtual Server configured with an HTTP profile that has HTTP response chunking enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM no longer crashes in a rare scenario involving HTTP unchunking and plugins.

816413-1 : CVE-2019-1125: Spectre SWAPGS Gadget

Solution Article: K31085564

816273-1 : L7 Policies may execute CONTAINS operands incorrectly.

Component: Local Traffic Manager

Symptoms:
L7 Policies involving CONTAINS operands may execute incorrectly in some cases.

The policy compiler may incorrectly combine some internal states, 'forgetting' degrees of partial evaluation of a CONTAINS operation.

Conditions:
Multiple CONTAINS conditions are used on the same virtual server.

Impact:
The wrong policy actions may be triggered.

Workaround:
It may be possible to reorder the rules in a policy to restore correct operation. However, the more complex the policy, the less likely this is.

Fix:
L7 Policy CONTAINS operations are compiled correctly. Policies with CONTAINS operations no longer trigger the wrong rule actions.

816233-2 : Session and authentication cookies should use larger character set

Component: TMOS

Symptoms:
The session and authentication cookies are created using a limited character set.

Conditions:
Creating session and authentication cookies.

Impact:
Cookies are created with a less broad character set than they could be.

Workaround:
None.

Fix:
JSESSIONIDs and AuthCookies are created using a wider character set.

Behavior Change:
This release changes the format of the BIGIPAuthCookie and JSESSIONID cookies to use a larger alphabet during encoding (case sensitive alphanumeric).

815877-3 : Information Elements with zero-length value are rejected by the GTP parser

Component: Service Provider

Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.

Conditions:
Virtual server with GTP profile enabled processing GTP traffic.

Impact:
Well-formed GTP messages might get rejected.

Workaround:
Avoid sending GTP messages containing zero-length IEs.

Fix:
Zero-length IEs are now processed correctly.

815753-1 : TMM leaks memory when explicit SWG is configured with Kerberos authentication

Component: Access Policy Manager

Symptoms:
Memory usage of filter keeps increasing over time and becomes one of major consumers of the TMM memory.

Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.

Impact:
TMM sweeper enters aggressive mode and reaps connections.

Workaround:
None.

815649-2 : Named.config entry getting overwriting on SSL Orchestrator deployment

Component: Device Management

Symptoms:
When topology or general settings are re-deployed, named.config is modified, and entries which do not belong to SSL Orchestrator are overwritten.

Conditions:
This occurs when topology or system settings are re-deployed.

Impact:
Content of named.conf file is lost/overwritten.

Workaround:
Modify named.conf manually or using zoneRunner (DNS :: Zones : ZoneRunner : named Configuration) after SSL orchestrator deployment.

815449-1 : BIG-IP closes connection when an unsized response is served to a HEAD request

Component: Local Traffic Manager

Symptoms:
When HTTP response has neither Content-Length nor Transfer-Encoding and has a body, BIG-IP closes a connection to designate end of the response body. HTTP protocol allows to send HEAD request instead of GET request to obtain a response headers only (without). BIG-IP erroneously closes a connection when a response to HEAD request lacks both Content-Length and Transfer-Encoding.

Conditions:
BIG-IP has a virtual server configured to use an HTTP profile.
The server response does not include the Content-Length or Transfer-Encoding headers in response to a HEAD request, and both client and server sides expects the communication to continue over the same connection.

Impact:
Connection closes and a client may not repeat the corresponding GET request on another connection.

Fix:
Connection keeps opened when an unsized response provided to a HEAD request.

814761-1 : PostgreSQL monitor fails on second ping with count != 1

Component: Local Traffic Manager

Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.

When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:

Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
    at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
    at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
    at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
    at java.lang.Thread.run(Thread.java:748)

Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 775901.

Impact:
Unable to monitor the health of postgresql server pool members accurately.

Workaround:
To work around this issue, configure a 'count' value of '1' in the postgresql monitor configuration.

Fix:
The DB monitor reports the health of a DB server pool member accurately in conjunction with the fix for ID 775901.

813561-4 : MCPD crashes when assigning an iRule that uses a proc

Component: Local Traffic Manager

Symptoms:
MCPD crashes when assigning an iRule to a Virtual Server or loading a config with an iRule assigned.

Conditions:
The iRule must uses a proc that contains three statements associated with different feature flags.

Impact:
MCPD will crash, unable to use a desired iRule.

Workaround:
None

Fix:
iRules using proc can be assigned to a Virtual Server without crashing MCPD.

812981-5 : MCPD: memory leak on standby BIG-IP device

Component: TMOS

Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.

Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically

Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.

Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.

812929-1 : mcpd may core when resetting a DSC connection

Component: TMOS

Symptoms:
In rare circumstances mcpd may core when resetting its DSC connection.

Conditions:
The exact conditions are not known for this to occur. The BIG-IP system must be in a Device Service Cluster, and must have configuration sync enabled. It might be related to when an Administrative BIG-IP user makes manual changes to the device trust group that would cause the trust to be broken (and optionally, re-established).

Impact:
mcpd cores and restarts. This results in a failover to the next active peer.

Workaround:
None.

Fix:
The system now prevents mcpd from coring when it resets it DSC connection.

812525-2 : HTTP parsing restrictions

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
When parsing HTTP the following non-compliant behavior was accepted:
White-space before a colon in a header name.
Bad characters in HTTP/2 URIs

Conditions:
HTTP profile enabled.

Impact:
Non-compliant HTTP traffic is accepted and forwarded to pool members.

Workaround:
None.

Fix:
HTTP parsing was more lenient than that required by the RFC. HTTP parsing now is more strict.

In addition, version handling of non-HTTP protocols like RTSP/2.0 is now somewhat altered.

811965-1 : Some VDI use cases can cause excessive resource consumption

Component: Access Policy Manager

Symptoms:
Under certain conditions, APM may consume excessive resources while processing VDI traffic.

Conditions:
APM is used as VDI proxy.

Impact:
Excessive resource usage, potentially leading to a failover event.

Workaround:
None.

Fix:
APM now processes VDI traffic as expected.

811789-1 : Device trust UI hardening

Component: TMOS

Symptoms:
Improved device trust UI input sanitization

Conditions:
-ConfigSync in use

Impact:
Improved device trust UI input sanitization

Workaround:
None

Fix:
Improved device trust UI input sanitization

811745-1 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected

Component: Service Provider

Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.

Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.

Impact:
Loss of mirroring between BIG-IP systems.

Workaround:
None.

Fix:
Mirror connections no longer disconnect during a failover.

811701-2 : AWS instance using xnet driver not receiving packets on an interface.

Component: TMOS

Symptoms:
Packets are being sent to the AWS instance but no packets are seen on interface.

Conditions:
-- AWS instance using xnet driver.
-- Occurs when the instances are idle and then suddenly passes traffic again.
-- Other, more specific conditions are unknown at this time.

Impact:
Loss of packets in the interface, in turn, causing data loss.

Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this would be the 'sock' driver.

Use The following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)

  # echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl

[check that the file's contents are correct]

  # cat /config/tmm_init.tcl

[restart the BIG-IP's TMM processes]

  # bigstart restart tmm

[make certain that the 'driver_in_use' is 'sock']

  # tmctl -dblade -i tmm/device_probed

811333-5 : Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile★

Component: Local Traffic Manager

Symptoms:
After upgrade, configuration load fails and the following error is present in /var/log/ltm log:

01070312:3: Invalid keyword 'sslv2' in ciphers list for profile /Common/serverssl-insecure-compatible
Unexpected Error: Loading configuration process failed.

Conditions:
-- BIG-IP system with SSLv2 as ciphers option in SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.

Impact:
The config is not loaded, and upgrade fails.

Workaround:
If you are encountering this after upgrading, run the following commands from the bash prompt:

1. Backup the configuration:
#cp /config/bigip.conf /config/bigip_backup.conf

2. List the occurrences of 'sslv2' in the bigip.conf:
#more bigip.conf | grep -i sslv2

3. Remove the SSLv2 references:
#sed -i "s/\!SSLv2://g" /config/bigip.conf

4. Check to ensure there are no 'sslv2' references:
#more bigip.conf | grep -i sslv2

5. Verify the configuration:
#tmsh load sys config verify

6. Try loading the configuration:
#tmsh load sys config

Fix:
SSLv2 validation is removed from the configuration and upgrade succeeds.

811149-3 : Remote users are unable to authenticate via serial console.

Component: TMOS

Symptoms:
Attempts to login to the serial console with remote user credentials (e.g., RADIUS, LDAP, TACACS remote auth) fail with one of the following error messages:

-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)

Conditions:
Configure system for remote authentication and attempt authentication via serial console.

Impact:
Remote authentication users are unable to login via serial console.

Workaround:
There are two workarounds:
-- Remote authentication users can login using an SSH connection to the BIG-IP system's management IP address.

-- Use the credentials of a local user account to login to the serial console.

811145-1 : VMware View resources with SAML SSO are not working

Component: Access Policy Manager

Symptoms:
Connections to SAML-enabled VMware View resources fail with following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.

Conditions:
VMware View resource is configured with SAML SSO method.

Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.

Workaround:
None.

Fix:
Can now successfully use VMware View resources with SAML SSO.

811105-2 : MRF SIP-ALG drops SIP 183 and 200 OK messages

Component: Service Provider

Symptoms:
SIP 183 and 200 OK messages are dropped after an INVITE in MRF SIP-ALG when media info is present in the Session Description Protocol.

Conditions:
- MRF SIP-ALG default configuration
- INVITE sent with media info in SDP
- Media info contains an rtcp without an IP address

Impact:
SIP calls are unable to establish media connections.

Workaround:
Ensure all RTCP attributes in the SDP have IP addresses.
Example: Change "a=rtcp:29974\r\n" to "a=rtcp:29974 IN IP4 10.10.10.10\r\n"

Fix:
Calls are able to establish media connections in MRF SIP-ALG when media info contains an RTCP with no IP information.

810957-1 : Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core

Component: TMOS

Symptoms:
When using dynamic routing, changing a virtual server's address from IPv6 to IPv4 can cause tmrouted to core.

Conditions:
-- Using dynamic routing.
-- Changing a virtual server's destination address from IPv6 to IPv4.
-- The virtual server's state changes.

Impact:
Tmrouted cores and restarts, which causes a temporary interruption of dynamic routing services.

Workaround:
Use TMSH to modify both the destination address and the netmask at the same time, e.g.:

tmsh modify ltm virtual <virtual server name> destination <destination address> mask <netmask>

Fix:
Now preventing tmrouted from coring when a virtual server's address is changed from IPv6 to IPv4.

810801-1 : TMM may core in a rare condition when tearing down a connection

Component: Local Traffic Manager

Symptoms:
HTTP or HTTP2 virtual server receives a request and tries to create a connection to the server. If this connection establishment fails, the connection to the client is torn down. This core occurs when trying to abort the clientside connection.

Conditions:
-- A virtual server with HTTP profile is created.
-- HTTP2 profile may or may not be present on the virtual server.
-- An httprouter profile is present on the virtual server.
-- Connection establishment with the server fails.

Impact:
TMM cores, failover condition occurs, and traffic processing can be interrupted while tmm restarts.

Workaround:
None.

Fix:
A TMM core no longer occurs under these conditions.

810657-3 : Tmm core while using service chaining for SSLO

Solution Article: K21135478

810557-1 : ASM ConfigSync Hardening

Solution Article: K05123525

810537-1 : TMM may consume excessive resources while processing iRules

Solution Article: K12234501

809729-1 : When HTTP/2 stream is reset by a client, BIG-IP may not respond properly

Component: Local Traffic Manager

Symptoms:
When a client resets the HTTP/2 stream, the BIG-IP system may have several DATA frames ready to send. It drops these frames but does not account back those in a connection-send window. It can reduce this window to the value when no DATA frames are sent over this connection until the client updates the send window.

Conditions:
-- BIG-IP system has a virtual server.
-- HTTP/2 profile is assigned to it.

Impact:
For any subsequent request after the send window loses enough size, DATA frames with payload are not sent to the client over the affected HTTP/2 connection.

Workaround:
None.

Fix:
BIG-IP systems correctly handle dropping DATA frames accounting back their lengths in a connection-send window.

809701-1 : Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist

Component: Local Traffic Manager

Symptoms:
In BIG-IP GUI iRule definitions, when hovering over HTTP::proxy, the help text mentions 'HTTP::proxy dest', which is an invalid command.

Conditions:
The system displays incorrect information when the iRule help text is visible.

Impact:
The help text mentions 'HTTP::proxy dest', which is an invalid command option.

Workaround:
Do not use the invalid 'HTTP::proxy dest' command.

Fix:
The help text now shows 'HTTP::proxy', which is correct.

809377-1 : AFM ConfigSync Hardening

Solution Article: K05123525

809205-4 : CVE-2019-3855: libssh2 Vulnerability

Component: TMOS

Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.

Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.

Impact:
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

Workaround:
None.

Fix:
libcurl updated

809165-1 : TMM may crash will processing connector traffic

Solution Article: K50046200

808849 : Can't load keyword definition (ips-inspection-compliance.subscription) on upgrade from v14.1.0.5 to v15.0.0★

Component: Protocol Inspection

Symptoms:
Upgrade fails from v14.1.0.5 to v15.0.0:

Can't load keyword definition (ips-inspection-compliance.subscription) can't find parse node (ips::inspection::compl::subscription).

Conditions:
Upgrading from v14.1.0.5 to v15.0.0.

Impact:
Upgrade fails.

Workaround:
None.

Fix:
You can now upgrade from v14.1.0.5 to 15.0.1 or later.

808525-1 : TMM may crash while processing Diameter traffic

Solution Article: K55812535

808301-4 : TMM may crash while processing IP traffic

Solution Article: K04897373

808129-2 : Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.

Component: TMOS

Symptoms:
BIG-IP 14.1.0.3 on AWS license does not complete from BIG-IQ.

Conditions:
-- Using BIG-IQ.
-- Attempting to license BIG-IP 14.1.0.3 on AWS.

Impact:
Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.

Workaround:
Restart restjavad on the BIG-IP system.

Fix:
Can now use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.

807509-1 : SWG license does not get released for sessions created through iRules

Component: Access Policy Manager

Symptoms:
Requests get blocked/reset as SWG license does not get released for sessions created through iRules

Conditions:
SWG iRules is used to create APM/SWG session with per-request policy having category lookup agent.

Impact:
Requests get blocked/reset.

Workaround:
None

Fix:
SWG license gets released for sessions created through irules.

807477-1 : ConfigSync Hardening

Solution Article: K04280042

807005-4 : Save-on-auto-sync is not working as expected with large configuration objects

Component: TMOS

Symptoms:
In device group has enabled 'save sys config' for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true

Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.

Conditions:
-- The save-on-auto-sync option is enabled.
-- Device has large configuration, such as 2,100 virtual servers and ~1100 partitions

Impact:
Configuration is not saved, which leads to out-of-sync condition.

Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.

806093-2 : Unwanted LDAP referrals slow or prevent administrative login

Component: TMOS

Symptoms:
On a BIG-IP system configured with remote LDAP/Active Directory authentication, attempting to login to the Configuration Utility or to the command-line interface may proceed very slowly or fail.

Conditions:
-- LDAP/Active Directory 'system-auth' authentication configured.
-- The Active Directory enables LDAP referral chasing (the default).
-- There are a number of Active Directory servers in the enterprise, or the BIG-IP system does not have complete network connectivity to all Active Directory servers (caused by firewalls or special routes).

Impact:
The BIG-IP system may chase LDAP referrals that reference LDAP servers that are unreachable, resulting in authentication timeouts/failures.

Workaround:
Which workaround to use to temporarily disable referrals chasing depends on the version you have.

-- For BIG-IP 14.1.0 - 14.1.2.2, and 15.0.0 - 15.0.1.0

   1. Edit the configuration files
   -- /etc/nslcd.conf

   2. Add add the following line to the end of the file:
   referrals no

   3. Restart nslcd service to apply change:
   systemctl restart nslcd

   Important: This change is not persistent, and will be lost whenever MCPD reloads the BIG-IP configuration (tmsh load sys config), or when other changes are made to system-auth configuration values.

-- For BIG-IP 14.1.2.3 (and later 14.1.x releases), and 15.0.1.1 (and later 15.0.x.x releases), a db key has been added to allow this setting to be controlled. After making the db key change, the BIG-IP configuration must be saved and then loaded again, in order to update nslcd.conf

   tmsh modify sys db systemauth.referrals value no
   tmsh save sys config
   tmsh load sys config

Fix:
Changes to LDAP referrals value in configuration are now saved, so this issue no longer occurs.

806085-1 : In-TMM MQTT monitor is not working as expected

Component: Local Traffic Manager

Symptoms:
The monitoring probes are not being sent out to the network. Regardless of the monitor config and sys db variable.

Conditions:
Configuring the in-TMM MQTT monitor.

Impact:
Pool members with attached MQTT monitor state is incorrectly shown as DOWN.

Workaround:
None.

Fix:
In-TMM MQTT monitor now works as expected.

805837-1 : REST does not follow current design best practices

Solution Article: K22441651

805017-1 : DB monitor marks pool member down if no send/recv strings are configured

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- AnLTM pool or pool members are configured to us an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.

Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).

804313-1 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.

Component: Service Provider

Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.

Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.

Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.

Workaround:
None

Fix:
Message sweeper interval value now loads correctly.

804185-1 : Some WebSafe request signatures may not work as expected

Component: Fraud Protection Services

Symptoms:
Request signatures are part of the WebSafe signature mechanism. The request signature is achieved by configuring an FPS-protected URL and a corresponding custom-alert. If the URL is a wildcard, a priority must be assigned to determine the order of matching. URL matching by priority is not working properly. As a result, the signature do not work as expected

Conditions:
There is at least one wildcard URL configured by the request signature update file.

Impact:
A portion of WebSafe request signature do not work as expected:
-- An alert is sent, though it should not be (false-positive).
-- An alert was not sent, though it should be (false-negative).

Workaround:
Configure the same signature manually in the BIG-IP system's GUI/tmsh.

Fix:
FPS now correctly handles signature-based wildcard URL's priority.

803825-2 : WebSSO does not support large NTLM target info length

Component: Access Policy Manager

Symptoms:
WebSSO crashes.

Conditions:
When the optional field of the target info is about 1000 bytes or larger.

Impact:
WebSSO crashes and loss of service.

Workaround:
Config NTLM not to have large target info, recommend < 800.

803477-3 : BaDoS State file load failure when signature protection is off

Component: Anomaly Detection Services

Symptoms:
Behavioral DoS (BADoS) loses its learned thresholds.

Conditions:
Restart of admd when signature protection is off.

Impact:
The system must relearn the thresholds, BADoS protection is not available during the learning time.

Workaround:
Turn on signatures detection.

Fix:
BADoS State file successfully loads after admd restart, even without signatures detection.

803445-2 : When adding several mitigation exceptions, the previously configured actions revert to the default action

Component: Application Security Manager

Symptoms:
After adding a new item to the mitigation exception list, you can also change its mitigation action. If you do not save the changes and then add more new exception items, the mitigation actions of the previously added items return to their default value actions.

Conditions:
-- Add mitigation exception to the Bot Configuration.
-- Change mitigation action on that new exception.
-- Add new items to exception list without first saving.

Impact:
Mitigation action exceptions might be saved with their default value actions instead of the actions you configured.

Workaround:
After adding a group of exception items and editing their actions, save the Bot Configuration properties before adding any new mitigation exception items.

Fix:
When adding several mitigation exceptions, the previously configured actions no longer revert to the default action.

802685-1 : Unable to configure performance HTTP virtual server via GUI

Component: TMOS

Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.

Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).

Impact:
Failed to create a 'performance HTTP' virtual server.

Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }

802381-1 : Localdb authentication fails

Component: Access Policy Manager

Symptoms:
In Active / Standby setup, user authentication fails after failover occurs.

Conditions:
-- APM configured in Active / Standby setup.
-- Per-session policy configured with Localdb Auth .
-- Failover occurs.

Impact:
APM end users are unable to authenticate.

Workaround:
Restart localdbmgr on the new active device, using the following command:
# bigstart restart localdbmgr

Fix:
In Active / Standby setup, user authentication no longer fails after failover occurs, so APM end users are able to authenticate.

802261-1 : TMM may crash while processing SSL traffic via an HTTP/2 full-proxy

Solution Article: K65372933

800453-4 : False positive virus violations

Component: Application Security Manager

Symptoms:
False positive ASM virus violations.

Conditions:
Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM. ASM reports a virus when the antivirus reply is timed out.

Impact:
False positive blocking or violation reporting.

Workaround:
The EnableASMByPass internal parameter setting can be configured to allow the antivirus server to not reply, so it won't issue a violation when it occurs.

/usr/share/ts/bin/add_del_internal add EnableASMByPass 1
bigstart restart asm

Notes:
When the internal is enabled, asm will also bypass huge HTTP requests (when they come on multiple connections) instead of reseting them.

800369-1 : The fix for ID 770797 may cause a TMM crash

Component: Local Traffic Manager

Symptoms:
In rare situations the TMM may crash after the original fix for ID 770797 is applied.

Conditions:
HTTP2 is used on the client-side of a virtual server without an MRF http_router profile.

The original fix for ID 770797 is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The fix for ID 770797 has been altered to prevent the TMM from crashing in rare situations.

800305-1 : VDI::cmp_redirect generates flow with random client port

Component: Local Traffic Manager

Symptoms:
The VDI::cmp_redirect iRule command generates a flow with a randomly-assigned client port.

Conditions:
-- VDI::cmp_redirect iRule command used

Impact:
Client port is not the same as the original client port.

Fix:
The VDI::cmp_redirect iRule command now uses the same port.

800185-5 : Saving a large encrypted UCS archive may fail and might trigger failover

Component: TMOS

Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:

# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package

-- If saving UCS is automated you may find related errors in /var/log/audit:

err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))

-- Other services might be restarted due to lack of memory, which might result in failover.

--System management via config utility or command line may be sluggish while UCS saves.

Conditions:
-- Large encrypted UCS files and low free host memory.

-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.

Impact:
The operation uses at least 1.3 times the UCS file size of RAM. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.

The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.

Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.

Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)

If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.

Fix:
Saving a large UCS file no longer fails.

799617-1 : ConfigSync Hardening

Solution Article: K05123525

799589-1 : ConfigSync Hardening

Solution Article: K05123525

798949-2 : Config-Sync fails when Config-Sync IP configured to management IP

Component: TMOS

Symptoms:
Device Group Sync Fails with error in the GUI: 01070712:3: Caught configuration exception (0), Failed to sync files.

Conditions:
Config-Sync IP configured to management IP:
sys db configsync.allowmanagement value enable

Impact:
Config-Sync of file objects such as SSL certificates fails.

Workaround:
None.

Fix:
Config-Sync has been updated to allow synchronization of file objects over the mgmt port.

798261-1 : APMD fails to create session variables if spanning is enabled on SWG transparent virtual server

Component: Access Policy Manager

Symptoms:
The following logs showed up in APM log and user session was terminated.

Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_finish_set_pipeline()" line: 720 Msg: Error: Set pipeline: While receiving response to 0 cmd set /.*/tmm.session.6833364e.session.assigned.uuid 0 0 32 s
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_server_disconnect()" line: 2533 Msg: Error: bad memcache connection (tmm:1), (fd:205)
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.

The SET command failed because it incorrectly attempted to create session variable in all traffic groups.

Conditions:
1. Virtual address for SWG transparent is 0.0.0.0
2. Spanning on the virtual address is enabled.

Impact:
User sessions will be terminated

Workaround:
Disable virtual address spanning.

Fix:
N/A

798249-1 : TMM may crash while processing HTTP/2 requests

Solution Article: K81557381

798105-2 : Node Connection Limit Not Honored

Component: Local Traffic Manager

Symptoms:
Connection limits on nodes are not honored.

Conditions:
A node with connection limits set.

Impact:
More traffic will pass to the node than the limit is supposed to allow.

Workaround:
Modify the node's limit after the node is created and it will start honoring the limit.

Fix:
The node's limit is now honored.

797977-2 : Self-IP traffic does not preserve the TTL from the Linux host

Component: Local Traffic Manager

Symptoms:
The Egress traffic from TMM has IP TTL set to 255 instead of keeping the TTL from the Linux host.

Conditions:
IP/IPv6 TTL for host traffic.

Impact:
Tools like traceroute do not work because Linux host rejects the packets.

Workaround:
Adjust TTL verification restrictions

Fix:
IP TTL is preserved.

797885-1 : ConfigSync Hardening

Solution Article: K05123525

797785-1 : AVR reports no ASM-Anomalies data.

Component: Application Visibility and Reporting

Symptoms:
AVR collects data for ASM-Anomalies, which include Brute-Force and Web-Scraping activities. When reported, all metrics and dimensions are hidden. AVR output looks like this:
errdefs_msgno=\"22282253\",Entity=\"ASM_ANOMALIES\

Conditions:
When gathering statistics reporting a Brute-Force or Web-Scraping attack.

Impact:
AVR reports no ASM-Anomalies data.

Workaround:
None.

797609-1 : Creating or modifying some virtual servers to use an address or port list may result in a warning message

Component: TMOS

Symptoms:
Creating or modifying a virtual server with TCP or UDP profiles to use an address or port list may result in an error similar to:

01070096:3: Virtual server /Common/vs lists profiles incompatible with its protocol.

Conditions:
-- Configure virtual server using a TCP or UDP profile.
-- Attempt to attach an address or port list to the virtual server.

Impact:
Unable to configure a virtual server to use an address or port list.

Workaround:
Create a traffic-matching-criteria object manually, and associated it with the virtual server.

Note: The protocol of the traffic-matching-criteria object must match that of the virtual server.

Fix:
Now, the system adjusts the protocol of the traffic-matching-criteria object to match that of the virtual server.

797541-2 : NTLM Auth may fail when user's information contains SIDS array

Solution Article: K05115516

Component: Access Policy Manager

Symptoms:
NTLM authentication fails when the authentication response contains a nonempty sid_and_attributes array. This will most likely occur when a user is a member of universal groups from a trusted domain.

Conditions:
- NTLM front-end authentication is configured.
- The authentication response contains nonempty sid_and_attributes array (most likely user is a member of universal groups from trusted domain)

Impact:
Users are unable to log in through the BIG-IP.

Warning messages similar to the following can be found in /var/log/apm logfile:

warning eca[11436]: 01620002:4: [Common] 192.168.0.1:60294 Authentication with configuration (/Common/server1.testsite.com) result: user01@USER01 (WORKSTATION): Fail (UNEXP_006C0065)

warning nlad[11472]: 01620000:4: <0x2b4d27397700> client[46]: DC[172.29.67.112]: schannel[0]: authentication failed for user 'user01', return code: 0x006c0065

NOTE: the return code is not necessary 0x006c0065 or 0x00000007. It can be any value. However, the larger the size of SIDS and Attributes array. The more likely the error value will be 0x00000007

Workaround:
None.

796469-3 : ConfigSync Hardening

Solution Article: K05123525

796113-1 : Unable to load 14.1.0 config on 15.0.0 for a virtual server using a port/address list★

Component: TMOS

Symptoms:
If there is a Virtual server configured with port/address list on v14.1.0 and try to load the same config into v15.0.0 it will fail with the following error

01070096:3: Virtual server %s profiles incompatible with its protocol.

Conditions:
Create a virtual server with port/address list and load the configuration on to v15.0.0.

Impact:
Config loading failing.

795797-1 : AFM WebUI Hardening

Solution Article: K21121741

795769-4 : Incorrect value of Systems in system-supplied signature sets

Component: Application Security Manager

Symptoms:
In properties of system-supplied Attack Signature Sets, the field "Systems" is always displayed with value All.

For example, for Generic Detection Signatures the "Systems" field should be: System Independent, General Database, Various systems

Instead, "Systems" is set to "All".

Conditions:
Only for system-supplied signature sets, while user-defined signatures sets are displayed with correctly assigned Systems.

Impact:
Misleading value of Systems

Workaround:
N/A

Fix:
Correct value of "Systems" is displayed for system-supplied signature sets

795437-5 : Improve handling of TCP traffic for iRules

Solution Article: K06747393

795329-3 : IM installation fails if 'auto-add-new-inspections' enabled on profile★

Component: Protocol Inspection

Symptoms:
IPS IM package installation fails. IPS log /var/log/pi_hitless_upgrade shows following message:

Error during switching: unsupported type for timedelta seconds component: tuple.

Conditions:
-- IM package should contain compliance check related to a specific service (e.g., HTTP).

-- At the time of IM package installation, there is an IPS profile with following parameters:
  + The 'auto-add-new-inspections' property set to 'on'.
  + Contains a service related to compliance checks, for example:

    * Presence on the following services causes an issue with the BIG-IP v14.1.0 IM:
HTTP, SIP, IMAP

    * Presence on the following services causes an issue with the BIG-IP v15.0.0 IM:
HTTP, SIP, IMAP, GTP, Diameter

Impact:
IPS IM package is not installed.

Workaround:
1. Before IM package installation, set the profile property 'auto-add-new-inspections' to 'off' (disable).
2. Install IM package.
3. Manually add compliance checks from the IM package to profile. Compliance checks names appear similar to the following:
-- pi_updates_14.0.0-20190607.2216.im
-- pi_updates_14.0.0-20190607.2216.im

Fix:
IM installation now succeeds when 'auto-add-new-inspections' is enabled on a profile.

795261-1 : LTM policy does not properly evaluate condition when an operand is missing

Component: Local Traffic Manager

Symptoms:
The BIG-IP system provides an LTM policies mechanism to process traffic based on a set of rules. A rule may include a number of conditions and a number of actions to execute when the conditions are satisfied. Conditions use operands to evaluate. When an operand is missing, the BIG-IP system may fail to properly evaluate the condition.

Conditions:
-- A virtual server is configured with an LTM policy.
-- The policy contains a rule with a condition which has an operand and a negative matching type like 'not equals' or 'not starts-with', etc. (e.g., http-referer host not contains { www.example.com }).
-- A processing entity (like HTTP request, etc.) is missing an operand or has an empty value (e.g., header 'Referer' is missing from the request).

Impact:
The policy is improperly evaluated on the processing entity and may produce incorrect results when load balancing a request and/or serving a response.

Workaround:
You can use either workaround:

-- Convert rules into a 'positive' (lacking of negative matching type) whenever possible.

-- Use iRules instead of a policy (might impact performance).

Fix:
The BIG0IP system no longer incorrectly evaluates conditions in LTM policy rules when their operands are missing in a processing entity.

795197-9 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Solution Article: K26618426

794585-1 : User cannot log in after license reactivation on vCMP host

Component: Access Policy Manager

Symptoms:
Client connections to an APM virtual server is reset after license is reactivated on vCMP host. The following error logs showed up in vCMP guest /var/log/apm:

Jerr tmm2[2666]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_get_license, Line: 9627
err tmm2[2666]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 3679

Conditions:
-- APM configured
-- License is reactivated on vCMP host.

Impact:
APM clients will not be able to log in.

Workaround:
Disassociate and then re-associate the APM profile with the virtual server.

Fix:
Profile license namespace will be recreated if found missing.

794561-2 : TMM may crash while processing JWT/OpenID traffic.

Solution Article: K46901953

794501-1 : Duplicate if_indexes and OIDs between interfaces and tunnels

Component: TMOS

Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.

Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.

Impact:
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:

# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
    if-index 64 <-------------------------------
net interface mgmt {
    if-index 32
net vlan external {
    if-index 96
net vlan internal {
    if-index 112
net vlan test {
    if-index 128
net vlan tmm_bp {
    if-index 48
net tunnels tunnel http-tunnel {
    if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
    if-index 80

# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm

-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================

-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289

Workaround:
No workaround currently known.

Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.

794413-1 : BIND vulnerability CVE-2019-6471

Solution Article: K10092301

794389-4 : iControl REST endpoint response inconsistency

Solution Article: K89509323

794153-1 : TMM may core in a rare condition when handling an HTTP request

Component: Local Traffic Manager

Symptoms:
When an HTTP or HTTP2 virtual server receives a request, it may try to send this request on an existing connection to the server. This core occurs if the clientside and serverside connections are on two different TMMs.

Impact:
TMM cores, failover condition occurs, and traffic processing can be interrupted while tmm restarts.

Workaround:
None. This issue is not seen with a single TMM, however, this condition may not be really enforceable.

Fix:
The BIG-IP system now reuses the serverside connection when the conditions are suitable. If not a new serverside connection is created to handle the request.

793937-2 : Management Port Hardening

Solution Article: K03126093

793121-4 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication

Component: TMOS

Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.

Conditions:
The TMUI redirect-http-to-https is enabled.

Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.

Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.

793045-1 : File descriptor leak in net-snmpd while reading /shared/db/cluster.conf

Component: TMOS

Symptoms:
Net-snmpd is leaking the file descriptors during the SNMP traps add/delete via tmsh.

Observe that the file descriptors used by snmpd increase using 'ls -l /proc/$(pidof snmpd)/fd'

Following error is logging into /var/log/daemon.log
err snmpd[5160]: /proc/stat: Too many open files

Conditions:
Perform add/delete on SNMP traps via tmsh.

Impact:
Failure of snmpd operations on BIG-IP systems.

Workaround:
None.

Fix:
No longer leaks file descriptors in net-snmpd while reading /shared/db/cluster.conf.

792265-2 : Traffic logs does not include the BIG-IQ tags

Component: Application Visibility and Reporting

Symptoms:
AVR collects traffic data. When that data is reported to BIG-IQ, it omits the BIG-IQ tags which are required by BIG-IQ.

Conditions:
When AVR collects traffic data and sending it BIG-IQ.

Impact:
There are no BIG-IQ tags in the traffic logs. BIG-IQ is unable to map traffic-capturing logs to applications.

Workaround:
None.

Fix:
Traffic logs now include the BIG-IQ tags.

791057-2 : MCP may crash when traffic matching criteria is updated

Component: Local Traffic Manager

Symptoms:
MCP may crash when traffic matching criteria is updated, either directly or as the result of a configuration sync operation.

Conditions:
The specific root cause is unknown, although the crash is related to the update of traffic matching criteria.

Impact:
mcpd restarts. This results in a failover (when DSC is in use) or a halt to traffic processing (when DSC is not in use) while mcpd is restarting.

Workaround:
None.

790205-4 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core

Component: Local Traffic Manager

Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.

Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.

Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when adding routes to child domains.

789993-2 : Failure when upgrading to 15.0.0 with config move and static management-ip.

Component: TMOS

Symptoms:
Upgrade to 15.0.0 from earlier version fails.

Conditions:
This happens when upgrading to 15.0.0 from earlier versions with static management-ip (dhclient.mgmt set to disabled).

Impact:
As the config move fails, the Management IP address might not be correct on the newly installed 15.0.0 device.

Workaround:
Keep DHCP enabled before upgrading or reset the management-ip after upgrade.

Fix:
Failure when upgrading to 15.0.0 with config move and static management-ip.

789921-1 : TMM may restart while processing VLAN traffic

Solution Article: K03386032

789893-1 : SCP file transfer hardening

Solution Article: K54336216

789817-2 : In rare conditions info fly-out not shown

Component: Application Security Manager

Symptoms:
When the question mark icon ('?') is close to the right upper corner of the page, the info fly-out is not shown when the question mark icon is clicked.

Conditions:
This can occur under the following conditions:
-- On Security :: Application Security screens that display a question mark for a help icon.
-- The ? icon is close to the right upper corner of the page.
-- Clicking the question mark icon to open the fly-out menu.

Impact:
Info fly-out not shown.

Workaround:
Change page size so that the ? icon is not in the right upper corner.

Fix:
Fly-out is shown correctly in all cases.

789169-1 : Unable to create virtual servers with port-lists from the GUI★

Component: TMOS

Symptoms:
Using the GUI to create a virtual server with a port-list or address-list fails with the following error:

01070096:3: Virtual server <virtual server name> lists profiles incompatible with its protocol.

Conditions:
- The virtual server is created with an ip-protocol set to a value other than 'any'.

- A port-list or address-list is used.

Impact:
Virtual server creation fails.

Workaround:
Create the configuration in tmsh.

1. Create an LTM traffic-matching-criteria object to define the port-list and/or address list. The protocol on the traffic-matching-criteria must be set to the protocol that the virtual server will use.

2. Create the LTM virtual server, and set the traffic-matching-criteria to the name of the traffic-matching-criteria object.

Fix:
While creating virtual server with port-list from the GUI, a traffic-matching-criteria is created internally and mapped to the virtual server. This ensures that the traffic-matching-criteria object uses the same ip-protocol as the virtual server.

788773-1 : HTTP/2 Vulnerability: CVE-2019-9515

Solution Article: K50233772

788769-1 : HTTP/2 Vulnerability: CVE-2019-9514

Solution Article: K01988340

788593-1 : APM logs may contain additional data

Solution Article: K43404365

Component: Access Policy Manager

Symptoms:
Under certain conditions, APM logs may include more information than was requested.

Conditions:
-APM licensed and enabled.
-ACCESS::log iRule in use.

Impact:
Additional data recorded in the APM log, potentially disrupting log filters or logging unrequested data.

Workaround:
None.

Fix:
APM logs now contain the expected information.

788557-6 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior

Component: TMOS

Symptoms:
GRST - BGP graceful reset.

The problem occurs when the routing daemon bgpd restarts/starts (e.g., by terminating the bgpd daemon) its distribution of a process and is not supported. Another way we've found is to call "bigstart restart" command on a primary blade on chassis with more than one blade.

After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.

Conditions:
-- BGP and BFD are configured.
-- BGP router's 'graceful restart' option is configured, enabled (set to 120 by default).
-- The bgpd daemon is terminated.

Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.

Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decisions come from networks learnt by affected routing protocol when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system, typically, the routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
None.

Fix:
BGP and BFD peering is not recreated in GRST timeout anymore.

788513-1 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Component: Service Provider

Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:

warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]

This appears to be benign, as the configuration loads successfully, and the script works as expected.

Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name

Instead of:
RADIUS::avp replace USER-NAME "static value"

Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.

Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.

788417-1 : Remote Desktop client on macOS may show resource auth token on credentials prompt

Component: Access Policy Manager

Symptoms:
APM uses the 'username' attribute to pass auth token for SSO enabled native RDP resources on macOS. In case Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the base 64-encoded auth token in the username field.

This behavior is observed only with Remote Desktop Client v10.x for macOS.

Conditions:
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- Try to access the RDP resource from macOS using RDP client v10.x.

Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.

Impact:
Prompt for credentials (contains auth token in username field) causing APM end user confusion.

Workaround:
Apply the following iRule:

Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.

when HTTP_RESPONSE_RELEASE {
    catch {
        set locationUri [HTTP::header Location]
        if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" &&
                $locationUri contains "username=s:f5_apm"} {
            HTTP::header Location \
                [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
        }
    }
}

Fix:
Remote Desktop client on macOS does not show resource auth token on credentials prompt.

788325-1 : Header continuation rule is applied to request/response line

Solution Article: K39794285

Component: Local Traffic Manager

Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prepending continuation lines with leading whitespace symbols. This rule does not apply to request or response line, so having leading whitespace in a first header line is invalid. The BIG-IP system parses such line a header with empty value.

Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.

Impact:
The BIG-IP system can hide some important HTTP headers either passing those to the pool member or failing to properly handle the request (or response) or failing to correctly load balance a connection (or request in case of OneConnect profile).

Workaround:
None.

Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in first header line, it properly parses the header and handles it correctly.

788301-6 : SNMPv3 Hardening

Solution Article: K58243048

Component: TMOS

Symptoms:
SNMPv3 agents do not follow current best practices.

Conditions:
SNMPv3 agents enabled.

Impact:
SNMPv3 agents do not follow current best practices.

Fix:
SNMPv3 features now follow current best practices.

788269-4 : Adding toggle to disable AVR widgets on device-groups

Component: Application Visibility and Reporting

Symptoms:
Devices on device-group get into state of not-synced when AVR-related widgets are created or modified.

It occurs more frequently when manual config sync is enabled.

It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.

Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.

Impact:
Devices go into a non-synced state.

Workaround:
None.

Fix:
A DB-variable called avr.gui.widgets.sync has been added to disable widgets syncing. Possible values are 'disable' or 'enable', it is enabled by default.

Behavior Change:
This release adds a DB-variable, avr.gui.widgets.sync, to disable widget syncing. Possible values are 'disable' or 'enable'. It is enabled by default.

788057-4 : MCPD may crash while processing syncookies

Component: TMOS

Symptoms:
Under certain conditions, MCPD may crash while processing syncookies.

Conditions:
-Multi-blade VIPRION.

Impact:
MCPD crash, leading to a failover event.

Workaround:
None.

Fix:
MCPD now processes syncookies as expected.

788033-2 : tpm-status may return "Invalid" after engineering hotfix installation

Solution Article: K91171450

787905-5 : Improve initializing TCP analytics for FastL4

Component: Local Traffic Manager

Symptoms:
TCP analytics for FastL4 might stay uninitialized under specific circumstances.

Conditions:
System clock advances while initializing TCP analytics for FastL4.

Impact:
TCP analytics for FastL4 might stay uninitialized for a while and miss some analytics data.

Workaround:
N/A

Fix:
Initialization of TCP analytics for FastL4 is improved.

787825-1 : Database monitors debug logs have plaintext password printed in the log file

Solution Article: K58243048

Component: Local Traffic Manager

Symptoms:
When monitor instance is in "debug" logging enabled mode for certain monitor types, the resulting monitor instance logs may contain sensitive details like password

Conditions:
When debug mode is enabled for following monitoring types
1. mssql
2. mysql
3. oracle
4. postgresql

Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.

Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types. 2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes , remove the resulting log files from the BIG-IP system after troubleshooting is completed.

Fix:
The password filed for monitor will now be redacted by external monitors when monitor debugging is enabled.

787821-1 : httprouter may deadlock

Component: Local Traffic Manager

Symptoms:
The httprouter proxy may get into a state where it closes the TCP window, and never reopens it.

Conditions:
The HTTP MRF Router is used. This configuration is typically used with the HTTP2 Full Proxy when you use the httprouter profile.

A very large amount of data arrives from the server in a short amount of time after connection setup.

Impact:
Traffic on a HTTP2 stream, or HTTP 1 connection blocks. Eventually, the connection will be killed by the sweeper.

Fix:
The HTTP MRF Router will not get into a state where the TCP window is permanently closed.

787677-4 : AVRD stays at 100% CPU constantly on some systems

Component: Application Visibility and Reporting

Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.

Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.

Impact:
System performance degrades.

Workaround:
Restart TMM:
bigstart restart tmm

Fix:
Added processing that prevents AVRD from entering endless loops.

787601-1 : Unable to add 'Enforce' parameter if already configured in different URL

Component: Fraud Protection Services

Symptoms:
If two or more URLs are configured with 'Application Type = Mobile', is is not possible to add the 'Enforce' parameter to more than one URL.

Also, the 'Mobile Encryption Parameter' option is automatically checked if already checked in another URL.

Conditions:
1. License FPS and MobileSafe.
2. Add two or more URLs with 'Application Type = Mobile'.

Impact:
Data sent from MobileSafe SDK may not be encrypted.

Workaround:
Use TMSH to configure these settings.

Fix:
The 'Enforce' parameter is now added correctly, and the 'Mobile Encryption Parameter' is not checked automatically, which is correct functionality.

786565-1 : MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded

Component: Service Provider

Symptoms:
When a message is created using the GENERICMESSAGE::message create iRule command during the CLIENT_DATA event, if the TCP payload buffer is not cleared before the event completes, the data in the payload buffer is forwarded to the generic message filter disrupting its statemachine.

Conditions:
-- A message is created using GENERICMESSAGE::message create iRule command during CLIENT_DATA event.
-- TCP payload buffer is not cleared before the event completes.

Impact:
The data in the payload buffer is forwarded to the generic message filter disrupting its statemachine. Subsequent messages are not forwarded.

Workaround:
To fix the problem, add the following to CLIENT_DATA:
TCP::payload replace 0 [TCP::payload length] ""

Fix:
Data left in the TCP payload buffer is now ignored and does not negatively impact the filter.

786173-2 : UI becomes unresponsive when accessing Access active session information

Component: Access Policy Manager

Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

Impact:
Some session variables may be lost, which results in the GUI becoming unresponsive. The Access :: Overview :: Active Sessions page in the Admin UI becomes unusable.

Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

Fix:
The solution for the reported issue is handled by the fix provided for ID 783817. ID 786173 fixes a null pointer exception that might occur in the specific case of a certain missing session variable, which is relevant only in BIG-IP releases 14.1.0 or later.

785741-2 : Unable to login using LDAP with 'user-template' configuration

Solution Article: K19131357

Component: TMOS

Symptoms:
Unable to login as remote-user.

Conditions:
When the following are true:
-- LDAP remote-auth configured with user-template.
-- Remote-user configured to permit login.

Impact:
Unable to login with remote-user.

Workaround:
Use bind-dn for authentication.

785481-1 : A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached

Component: Local Traffic Manager

Symptoms:
Setting the DB variable tm.rejectunmatched to 'false' causes the BIG-IP system to not send RSTs when there is a match but the connection is rejected due to connection limits.

Conditions:
- tm.rejectunmatched is set to 'false'.
- A packet is matching a BIG-IP object.
- The packet is to be rejected because of connection limits.

Impact:
Reset packets are not sent back to clients when they should be.

Workaround:
None.

Fix:
Packets that match a BIG-IP object but fail due to connection limits will now be rejected with an RST.

784989-1 : TMM may crash with panic message: Assertion 'cookie name exists' failed

Component: Access Policy Manager

Symptoms:
TMM crashes with SIGFPE panic

panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.

Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.

Fix:
Fixed TMM crash, which occurred when remotedesktop/VDI profile was used together with custom iRule and Debug level logging.

784733-4 : GUI LTM Stats page freezes for large number of pools

Component: TMOS

Symptoms:
When a configuration has approximately 5400 pools and 40,000 pool members, navigating to the GUI page to look at stats for all or one pool, the GUI page may freeze indefinitely.

Conditions:
Configurations with large number of pools and pool members, e.g., 5400 pools and/or 40,000 pool members.

Impact:
Cannot view pool or pool member stats in GUI.

Workaround:
Use iControl REST or TMSH to retrieve stats for such a large number of pools or pool members.

Fix:
The stats page now returns data for configurations of large numbers of pools and pool members, though a Timeout window may pop up after 30-seconds for big queries. You can dismiss that Timeout window, and the stats display as expected.

784565-1 : VLAN groups are incompatible with fast-forwarded flows

Component: Local Traffic Manager

Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.

Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.

Impact:
Some connections may fail.

Workaround:
None.

Fix:
The system now prevents flows on VLAN groups from being fast-forwarded to other TMMs.

783817-1 : UI becomes unresponsive when accessing Access active session information

Component: Access Policy Manager

Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.

The following error messages shows up in TMM log:

-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588

Impact:
Some session variables may be lost, which results in UI hang. Admin UI becomes unusable.

Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

783565-1 : Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP

Component: Fraud Protection Services

Symptoms:
Upgrade support for DB variable to attach AJAX payload to vToken cookie sets 'send in alerts' flag configured on parameters without checking whether automatic transaction detection is turned on on the URL.

Conditions:
-- BIG-IP version 13.1.x or 14.0.x
-- A protected URL is configured with automatic transaction detection turned off.
-- A parameter on that URL is configured with all flags turned off.
-- The DB variable antifraud.internalconfig.flag1 is set to 'enabled' value.
-- Upgrade to 13.1.x or later (with load config) started.

Impact:
After upgrade, the configuration fails to load due to an error during schema change validation

Workaround:
-- Set the DB variable antifraud.internalconfig.flag1 value to 'disabled' before the upgrade.
-- Configure 'send in alerts' flag on the parameters manually.

Fix:
Now upgrade support takes into consideration the automatic transaction detection flag on URL and sets 'send in alerts' flag on URL parameters only for URLs with automatic transaction detection turned on.

783113-5 : BGP sessions remain down upon new primary slot election

Component: TMOS

Symptoms:
BGP flapping after new primary slot election.

Conditions:
--- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)

-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.

-- The BFD session creation should happens approximately in 30 seconds after the reset/reboot.

Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.

Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
bigstart restart tmrouted

Fix:
BFD no longer remains DOWN after a blade reset/reboot. There is a convergence period caused by blade changes(blade reset/reboot, new blade installed, blade comes up), which may take a few moments, but after that BFD sessions show correct status.

782569-2 : SWG limited session limits on SSLO deployments

Component: Access Policy Manager

Symptoms:
SWG limited session limits are enforced on SSLO deployments that enable Explicit proxy authentication.

Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections that use custom category lookup (beyond the SWG limited session limit).

Impact:
SSLO fails to connect when the SWG limited session limit is reached.

Workaround:
None.

Fix:
If there is an SSLO profile paired with either an APM or SSLO per-request policy on a virtual server, and the operation has done a custom category only lookup, an SWG limited license is no longer consumed. This answers the case where there is auth (APM) on one virtual server, and the transparent virtual server is SSLO with custom category lookup only.

782529-1 : iRules does not follow current design best practices

Solution Article: K30215839

781637-1 : ASM brute force counts unnecessary failed logins for NTLM

Component: Application Security Manager

Symptoms:
False positive brute force violation raised and login request is blocked

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM Brute force protection enabled for NTLM login type

Impact:
login request blocked by asm policy

Workaround:
Define higher thresholds in brute force protection settings

Fix:
asm code has been fixed and do not count unnecessary failed logins for NTLM

781605-4 : Fix RFC issue with the multipart parser

Component: Application Security Manager

Symptoms:
false positive or false negative attack signature match on multipart payload.

Conditions:
very specific parsing issue.

Impact:
A parameter specific excluded signature may be matched or un-matched.

Workaround:
N/A

Fix:
Multi part parser issue was fixed.

781581-2 : Monpd uses excessive memory on requests for network_log data

Component: Application Visibility and Reporting

Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:

err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child

Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.

Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.

Workaround:
None.

Fix:
A db variable has been added: avr.eventlogsreportrownumber, which controls the number of logs displayed. The db variable default is 10000, and supports a range from 100 through 1000000.

Note: Using the maximum value may trigger the behavior described here. The system behavior depends on the specific machine hardware.

781449-1 : Increase efficiency of sPVA DoS protection on wildcard virtual servers

Solution Article: K14703097

781377-5 : tmrouted may crash while processing Multicast Forwarding Cache messages

Solution Article: K93417064

781069-1 : Bot Defense challenge blocks requests with long Referer headers

Component: Application Security Manager

Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
This client may get blocked by TCP RST, or suffer from a challenge loop.

Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense are configured
-- Request has a Referer header that is between ~1400 and 3072 characters long

Impact:
Legitimate browsers may get blocked or suffer from a challenge loop

Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.

Fix:
Challenges with long Referer headers no longer block legitimate clients.

780837-2 : Firewall rule list configuration causes config load failure

Component: Advanced Firewall Manager

Symptoms:
'tmsh load sys config' reports a syntax error.

The syntax error is reported on 'security firewall rule-list rule' configuration.

Conditions:
This occurs only if any of the rule-list rule ip-protocol contains one of the following protocols:

Note: You can see the mismatched protocol names in the /etc/protocols listing file (column 1 and column 3 differ):

bbn-rcc 10 BBN-RCC-MON # BBN RCC Monitoring
nvp 11 NVP-II # Network Voice Protocol
dcn 19 DCN-MEAS # DCN Measurement Subsystems
ospf 89 OSPFIGP # Open Shortest Path First IGP
crdup 127 CRUDP # Combat Radio User Datagram

Impact:
The system fails to load the configuration.

Workaround:
Manually edit the configuration file: /config/bigip_base.conf

1. Replace the ip-protocol name from rule-list configuration:

-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.

2. Save the file.
3. Issue the command:
tmsh load sys config.

The configuration now loads without syntax errors.

780817-6 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.

Component: TMOS

Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:

notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.

Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.

+ VIPRION B4300, B4340, and B44xx blades.
+ BIG-IP iSeries i15x00 platforms

-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.

Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.

Guests part of a redundant pair may fail over.

Workaround:
None.

Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.

780601-1 : SCP file transfer hardening

Solution Article: K03585731

779177-1 : Apmd logs "client-session-id" when access-policy debug log level is enabled

Solution Article: K37890841

778681-1 : Factory-included Bot Signature update file cannot be installed without subscription★

Component: Application Security Manager

Symptoms:
After upgrade, the factory-included Bot Signature update file cannot be installed without subscription, even if it is already installed.

Conditions:
Device is upgraded to 14.1.0 from previous version, and does not have a Bot Signatures subscription.

Impact:
The factory-included Bot Signature update file cannot be installed.

778261-1 : CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate

Component: Application Security Manager

Symptoms:
CPB Connection (between BIG-IP and BIG-IQ logging node) is not refreshed to use the new certificate / new domain name to validate the certificate.

Conditions:
Either:
-- BIG-IQ logging node domain name updated.
-- BIG-IQ logging node webd certificate is replaced (and updated using webd restart).

Impact:
CPB Connection (between BIG-IP and BIG-IQ logging node) remains the same and is not refreshed to use the new certificate.

Workaround:
Restart Policy Builder on the BIG-IP system:

killall -s SIGHUP pabnagd

Fix:
Policy Builder now resets the connection upon update of BIG-IQ logging node certificate / domain name.

778125-2 : LDAP remote authentication passwords are limited to fewer than 64 bytes

Component: TMOS

Symptoms:
The LDAP remote authentication password is limited to fewer than 64 bytes.

Conditions:
Configured for remote authentication with a password is longer than or equal to 64 bytes.

Impact:
Unable to login as remote-user with long password.

Workaround:
Set password that is shorter than 64 bytes.

778077-4 : Virtual to virtual chain can cause TMM to crash

Solution Article: K53183580

778049-3 : Linux Kernel Vulnerability: CVE-2018-13405

Solution Article: K00854051

777937-1 : AWS ENA: packet drops due to bad checksum

Component: Performance

Symptoms:
-- Lower throughput and tps.
-- High availability (HA) heartbeat is getting dropped, resulting in an active-active configuration.

Conditions:
AWS Elastic Network Adapter (ENA) NIC is in use.

Impact:
Performance degradation and invalid HA configuration.

Workaround:
On the BIG-IP system, turn off checksum offloading in on TX as follows:

modify sys db tm.tcpudptxchecksum value Software-only

Important: This workaround negatively affects NICs other than ENA. Therefore, the workaround is recommended exclusively when ENA is the only dataplane NICs in use in the BIG-IP system.

Fix:
AWS ENA: no packet drops due to bad checksum.

777737-1 : TMM may consume excessive resources when processing IP traffic

Solution Article: K39225055

777261-5 : When SNMP cannot locate a file it logs messages repeatedly

Component: TMOS

Symptoms:
When the SNMP daemon experiences an error when it attempts to statfs a file then it logs an error message. If the file is not present then this error is repeatedly logged and can fill up the log file.

Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.

Impact:
This can fill up the log with errors.

Fix:
The SNMP daemon has been fixed to log this error once.

777173-1 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error

Component: Access Policy Manager

Symptoms:
When administrator runs Citrix vdi iApp in APM standalone deployment (LTM is not licensed), iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed

This is result of a license check added for HTTP header transformation.

Conditions:
- APM is licensed as stand alone (no LTM license)
- Admin tries to run Citrix vdi iApp

Impact:
Administrator is not able to use the iApp to configure Citrix vdi access

Workaround:
Adding LTM module license will resolve the error.

Fix:
Citrix vdi iApp now can be used to configure Citrix vdi access in an APM standalone deployment.

776073-2 : OOM killer killing tmm in system low memory condition as process OOM score is high

Component: TMOS

Symptoms:
When BIG-IP system running under low memory situation, Out-Of-Memory killer more likely selects tmm to kill and release the resources.

Conditions:
BIG-IP version 13.0.x or later installed and system running with low memory.
AFM provisioned makes the tmm process more likely to be selected by the oom killer

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Adjust OOM score of "tmm" process through oom_score_adj proc setting.

echo "-500" > /proc/<pid_of_tmm>/oom_score_adj

Fix:
OOM score for "tmm" process is adjusted such that OOM killer will not prioritize "tmm" during system low memory condition.

775833-1 : Administrative file transfer may lead to excessive resource consumption

Solution Article: K94325657

775621-1 : urldb memory grows past the expected ~3.5GB

Component: Access Policy Manager

Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).

Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.

Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.

Workaround:
None.

Fix:
The system no longer preloads the database into memory, so memory no longer grows past what is expected.

775013-1 : TIME EXCEEDED alert has insufficient data for analysis

Component: Fraud Protection Services

Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.

Conditions:
Viewing alert logs for time-exceeded messages.

Impact:
Makes troubleshooting and/or analysis difficult.

Workaround:
None.

Fix:
All encryption failures alert now provides additional details to assist in troubleshooting the process.

774913-3 : IP-based bypass can fail if SSL ClientHello is not accepted

Component: Local Traffic Manager

Symptoms:
IP-based bypass can fail for SSL stream if the client sends a ClientHello that is not accepted by the BIP-IP system.

Conditions:
Client's SSL ClientHello message is not accepted by the BIG-IP system.

Impact:
Connection drop.

Workaround:
None.

Fix:
Check SSL bypass policy before parsing ClientHello message.

774633-1 : Memory leak in tmm when session db variables are not cleaned up

Component: Access Policy Manager

Symptoms:
There are some session db variables created as part of the split session proxy that have an indefinite timeout. If there is an error path or a failure with an inline service, the delete never gets called and these session keys build up over time, causing memory to leak in tmm.

Conditions:
SSLO setup with a service connector that fails.

Impact:
tmm eventually runs out of memory and generates a core file.

Workaround:
None.

Fix:
Variables have been set with a timeout so that they don't leak memory if the inline service fails.

774301-5 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured as SAML IdP or SAML SP processes SAML Requests/Responses, the verification of digital signature fails in certain cases:

err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response

Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.

-- SAML sends the "ArtifactResponse" message with both "ArtifactResponse" and "Assertion" signed.

-- This is also applicable to any SAML requests/responses that are signed:
   a) SAML Authentication Request
   b) SAML Assertion
   c) SAML Artifact Response
   e) SAML SLO Request/Response

Impact:
Output does not match the 'Canonicalized element without Signature' calculated by APM. BIG-IP SAML IdP or SAM SP fails to process SAML Requests/Responses resulting in errors. Cannot deploy APM as SAML SP with Assertion Artifact binding.

Workaround:
None.

Fix:
Output now matches the Canonicalized element without Signature' calculated by APM, so deployment occurs without error.

774213-2 : SWG session limits on SSLO deployments

Component: Access Policy Manager

Symptoms:
SWG session limits are enforced on SSLO deployments that enable Explicit proxy authentication.

Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections (beyond the SWG session limit).

Impact:
SSLO fails to connect when the SWG session limit is reached.

Workaround:
None.

Fix:
If there is an SSLO profile paired with either an APM or SSLO per-request policy on a virtual server, and the operation has done a hostname only lookup, an SWG license is no longer consumed. This answers the case where there is auth (APM) on one virtual server, and the transparent virtual server is SSLO with hostname Category Lookup only.

773821-2 : Certain plaintext traffic may cause SSLO to hang

Component: Local Traffic Manager

Symptoms:
SSLO relies on SSL hudfilter to detect non-SSL traffic; but certain plaintext can be mistaken as SSL traffic, which can cause a hang.

Conditions:
Initial plaintext traffic resembles SSLv2 hello message or has less than enough bytes for SSL to process.

Impact:
SSLO hangs, unable to bypass traffic.

Workaround:
None.

Fix:
Improve SSL hello parser.

773673-1 : HTTP/2 Vulnerability: CVE-2019-9512

Solution Article: K98053339

773653-7 : APM Client Logging

Solution Article: K23876153

773649-7 : APM Client Logging

Solution Article: K23876153

773641-7 : APM Client Logging

Solution Article: K23876153

773637-7 : APM Client Logging

Solution Article: K23876153

773633-7 : APM Client Logging

Solution Article: K23876153

773621-7 : APM Client Logging

Solution Article: K23876153

773553-1 : ASM JSON parser false positive.

Component: Application Security Manager

Symptoms:
False positive JSON malformed violation.

Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.

Impact:
HTTP request is blocked or an alarm is raised.

Workaround:
There is no workaround other than disabling the JSON profile.

Fix:
JSON parser has been fixed as per RFC8259.

773421-4 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied

Component: Local Traffic Manager

Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.

Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).

-- OneConnect is applied.

-- proxy-mss is enabled (the default value starting in v12.0.0).

Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.

Workaround:
Disable proxy-mss in the configured TCP profile.

Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.

772545-4 : Tmm core in SSLO environment

Component: Local Traffic Manager

Symptoms:
Unexpected SSL events can occur in SSLO configuration, possibly resulting in tmm core.

Conditions:
SSLO environment which can cause serverside ssl to become enabled during clientside handshake causing unexpected events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enabling SSL forward proxy verified-handshake setting available in 14.0.

772473-4 : Request reconstruct issue after challenge

Component: Application Security Manager

Symptoms:
False positive on Content-Type header in GET request.

Conditions:
After challenge is completed, the server responds to the reconstructed request with a 302-redirect.

Impact:
The BIG-IP adds to the next request (GET request) a Content-Type header.

Workaround:
There is no workaround at this time.

Fix:
The BIG-IP no longer reconstructs the next request after a redirect.

772233-2 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.

Component: Global Traffic Manager (DNS)

Symptoms:
When probing DNS Path, the metric round trip time (RTT) is not set correctly if the collection protocols used are NDS_DOT or DNS_REV.

The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.

Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.

Impact:
RTT metric is not set at all.

Workaround:
Use collection protocols - ICMP instead.

Fix:
The problem for both collection protocols - DNS_DOT and DNS_REV no longer occurs, and the RTT is set correctly.

771873-6 : TMSH Hardening

Solution Article: K40378764

771173-4 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★

Component: Advanced Firewall Manager

Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.

Conditions:
This happens when upgrading from 12.x to 13.x and beyond.

Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.

Workaround:
You can fix the configuration by modifying it manually after upgrading.

In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>

771025-4 : AVR send domain names as an aggregate

Component: Application Visibility and Reporting

Symptoms:
AVR sends domain name as an aggregate of a number of domain names.

Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain name, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it start to aggregate all the new domain names.

Impact:
Cannot see the correct domain name.

Workaround:
None.

Fix:
AVR now removes old domain names, so it can add new ones and send the actual domain names it collected.

770657-1 : On hardware platforms with ePVA, some valid traffic is blocked when in L2 transparent mode and syn cookies are enabled

Component: TMOS

Symptoms:
Valid traffic gets blocked under L2 transparent mode if syn cookie protection is enabled.

Conditions:
-- In L2 transparent mode.
-- Syn cookie protection is enabled.
-- ePVA offloading is enabled.
-- BIG-IP platform contains the embedded Packet Velocity Acceleration (ePVA) chip.
-- Attack traffic in progress.

Impact:
Some valid traffic gets blocked.

Workaround:
None.

Fix:
-- For releases 15.0.x and earlier, ePVA offloading is now disabled if syn cookie is turned on.

-- Beginning with release 15.1.0, ePVA offloading works as expected with syn cookies.

769997 : ASM removes double quotation characters on cookies

Component: Application Security Manager

Symptoms:
ASM removes the double quotation characters on the cookie.

Conditions:
Cookie sent that contains double quotation marks.

Impact:
The server returns error as the cookie is changed by ASM.

Workaround:
Set asm.strip_asm_cookies to false using the following command:

tmsh modify sys db asm.strip_asm_cookies value false

Fix:
ASM no longer removes the double quotation characters on the cookie.

769981-1 : bd crashes in a specific scenario

Component: Application Security Manager

Symptoms:
bd crash with a core file.

Conditions:
-- XML profile with schema validation is attached to a security policy.

-- The bd.log shows out-of-memory messages relating to XML.

Impact:
Failover; traffic disruption.

Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803

769853-1 : Access Profile option to restrict connections from a single client IP is not honored for native RDP resources

Solution Article: K24241590

Component: Access Policy Manager

Symptoms:
When launching a native RDP resource (desktop/application) from APM Webtop, APM provides an RDP file to the browser and the browser invokes the native RDP client to launch the resource with the parameters specified in the RDP file.

When Access profile option 'Restrict to Single Client IP' option is enabled, user should only be allowed to launch the resource from the client that initiated the request.

Conditions:
-- APM Webtop is configured with native RDP resource.
-- 'Restrict to Single Client IP' option is enabled in Access Profile.

Impact:
RDP file provided by APM can be used for launching the RDP resource on a client machine that did not initiate the APM session.

Workaround:
None.

Fix:
When Access Profile option 'Restrict to Single Client IP' is enabled, APM restricts native RDP resource launch from the client that initiated the APM session.

769817-2 : BFD fails to propagate sessions state change during blade restart

Component: TMOS

Symptoms:
BFD fails to propagate sessions state change during blade restart.

Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.

Impact:
The BFD session remains in the BFD sessions table and remains there until BGP session is timed out by hold the timer (90 seconds, by default). Dynamic routes, which are learnt via affected BGP session, remain in the routing table until the hold time is reached.

Workaround:
Change BGP hold time to reasonable lower value.

Fix:
The affected BFD session is removed from the BFD table after blade reset during the period configured for this BFD session.

769801-2 : Internal tmm UDP filter does not set checksum

Component: Local Traffic Manager

Symptoms:
An internal tmm UDP filter does not set checksum for outgoing UDP packets.

Conditions:
-- An internal tmm UDP filter is in use.

Impact:
Even though a UDP packet with no checksum is permitted, it could cause some problems with some firewalls/servers.

Workaround:
For internal tmm udp filters, add the following to the UDP profile in use:

no_cksum 0

Fix:
Internal tmm UDP filters set checksum for outgoing UDP packets.

769309-1 : DB monitor reconnects to server on every probe when count = 0

Component: Local Traffic Manager

Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.

Conditions:
This occurs when using one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).

Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.

Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.

Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).

769193-6 : Added support for faster congestion window increase in slow-start for stretch ACKs

Component: Local Traffic Manager

Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.

Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledges more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.

Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.

Workaround:
There is no workaround at this time.

Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.

Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.

Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.

769061-1 : Improved details for learning suggestions to enable violation/sub-violation

Component: Application Security Manager

Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.

Conditions:
There are learning suggestions to enable violations/sub-violation in the policy

Impact:
Misleading suggestion details.

Workaround:
None.

Fix:
The misleading word 'Matched' was removed from the title.

768981-1 : vCMP Hypervisor Hardening

Solution Article: K05765031

768025-3 : SAML requests/responses fail with "failed to find certificate"

Component: Access Policy Manager

Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.

Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.

Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.

-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.

-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.

Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, change it back to the original certificate, and then the apply policy.

-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.

Fix:
BIG-IP as SP and BIG-IP as IdP works as expected while generating signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after certificate that is used for signing is modified.

767877-4 : TMM core with Bandwidth Control on flows egressing on a VLAN group

Component: TMOS

Symptoms:
TMM cores during operation.

Conditions:
Known condition:
1. BWC attached to serverside connflow
2. Serverside traffic traversing/egressing VLAN group

Impact:
Traffic disrupted while tmm restarts.

767373-5 : CVE-2019-8331: Bootstrap Vulnerability

Solution Article: K24383845

766577-1 : APMD fails to send response to client and it already closed connection.

Component: Access Policy Manager

Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer

APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.

Conditions:
Backend server is slow, causing longer-than-usual response times.

Impact:
This causes the client to close the connection. APMD fails to respond to the client.

The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.

Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.

766329-1 : SCTP connections do not reflect some SCTP profile settings

Component: TMOS

Symptoms:
The effective receive-chunks, transmit-chunks, in-streams, and out-streams parameters in SCTP traffic do not match the settings from the configured SCTP profile:

  -- The in-streams setting alters both the in-streams parameter and the tx-chunks parameter.
  -- The out-streams setting alters both the out-streams parameter and the rx-chunks parameter.
  -- The tx-chunks setting has no effect.
  -- The rx-chunks setting has no effect.

Conditions:
An SCTP virtual server is configured.

Impact:
Unexpected SCTP parameters are negotiated on SCTP connections.

Workaround:
None.

Fix:
The SCTP profile settings are now used during SCTP connection negotiation.

765517-2 : Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN

Component: Local Traffic Manager

Symptoms:
When two virtual servers are created and they have same address list but different incoming VLANs, Traffic Match Criteria validation fails.

Conditions:
Create 2 virtual servers and they have same address list but different incoming VLANs.

Impact:
System validation fails.

Workaround:
Use non-overlapping address lists.

765413-3 : ASM cluster syncs caused by PB ignored suggestions updates

Component: Application Security Manager

Symptoms:
Frequent syncs occurring within an ASM device group.

Conditions:
Several (updating) suggestions are marked 'ignored'.

Impact:
Syncs appear in the logs (no actual performance degradation).

Workaround:
-- Remove the Ignored Suggestions. (Note: These might be re-added and you must refrain from clicking the Ignore button).

-- Remove the Ignored Suggestions and uncheck the Learn flag for the violation that causes it. (Note: The impact is that the system does not learn this violation anymore, so any future suggestions to amend the policy for that violation will not be created.)

Fix:
Policy Builder (PB) no longer updates Ignored Suggestions, so unnecessary sync operations no longer occur.

764873-1 : An accelerated flow transmits packets to a dated, down pool member.

Component: TMOS

Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.

Conditions:
A flow changes the pool member it goes to while the flow is accelerated.

Impact:
The traffic continues to target the dated pool member that is not available.

Workaround:
Disable HW acceleration.

Or on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flow to be handled correctly by software:
tmsh modify sys conn flow-accel-type software-only

764373-4 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths

Component: Application Security Manager

Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.

Conditions:
Server sends enforced cookies with the same name but with different paths.

Impact:
A valid request might be rejected.

Workaround:
None.

Fix:
The system now checks all enforced cookies correctly, so this issue no longer includes.

763157-1 : MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped

Component: Service Provider

Symptoms:
Processing the response to an outbound request at the same time as an inbound request message on the same connection could cause internal state generated to be confused and the inbound request to be dropped.

Conditions:
Processing the response to an outbound request at the same time as an inbound request message on the same connection.

Impact:
The inbound request will be dropped.

Workaround:
None.

Fix:
The internal state generated is no longer confused so the inbound request is no longer dropped.

762205-3 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears

Component: TMOS

Symptoms:
Rekey with non BIG-IP systems can fail when a response contains a VENDOR_ID payload.

Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
[I] [PROTO_ERR]: unexpected critical payload (type 43)
Note: This message may be correctly present under other conditions, with different type constants not equal to 43.

Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.

Workaround:
No workaround is known at this time.

Fix:
Handling of payload types during rekey will now ignore VENDOR_ID when it appears, the same way we ignore VENDOR_ID in other messages during IKE negotiation.

762073-4 : Continuous TMM restarts when HSB drops off the PCI bus

Component: TMOS

Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.

Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.

Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.

Workaround:
Manually reboot the BIG-IP system.

Fix:
TMM no longer gets stuck in a restart loop, as a reboot is now automatic in this scenario.

761993-1 : The nsm process may crash if it detects a nexthop mismatch

Component: TMOS

Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.

Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.

Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.

Workaround:
None.

Fix:
Prevented nsm crashing when there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop.

761685-2 : Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set

Component: Service Provider

Symptoms:
Systems desiring to create a unique connection per connection client may silently end up with clients sharing an outgoing connection if routing uses a virtual server as the outgoing connection transport definition, and the virtual server has the source-port attribute set to preserve-strict.

Conditions:
-- Routing using a virtual server as the transport definition for the outgoing connection.
-- The virtual server has the source-port attribute set to preserve-strict.

Impact:
Systems desiring to create a unique connection per connection client may silently end up sharing an outgoing connection.

Workaround:
None.

Fix:
Per-client mode is now maintained when routing to a virtual server, even when preserve-strict is selected.

761303-1 : Upgrade of standby BIG-IP system results in empty Local Database

Component: Access Policy Manager

Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.

Conditions:
This happens on standby device in a high availability (HA) setup.

Impact:
All previously existing local users disappear from the standby device. If a failover happens, then none of the local users will be able to login now.

Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, after rebooting into the volume with the upgraded installation, do the following:

1. Force stop the localdbmgr process:
bigstart stop localdbmgr
2. Wait at least 15 minutes.
3. Restart the localdbmgr:
bigstart restart localdbmgr

761234-1 : Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached

Component: Advanced Firewall Manager

Symptoms:
If you create a virtual server with a single address ('Host' in the GUI) for both its source and destination, then configure the virtual server's security policy with a logging profile, and then (after creating the virtual server) modify the source or destination to use a traffic matching condition, the system reports no error when updating the configuration.

Conditions:
Attempting to use a virtual server with a security policy attached that uses a logging profile with an address list as the virtual server's source or destination.

Impact:
An invalid configuration is not caught. When later loading the configuration, the system reports a validation error, and the configuration does not load.

Workaround:
None.

Fix:
An error is now generated under these conditions.

761231-1 : Bot Defense Search Engines getting blocked after configuring DNS correctly

Solution Article: K79240502

Component: Application Security Manager

Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.

A cache is stored for legal / illegal requests to prevent querying the DNS again.

This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.

Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.

Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.

Workaround:
Restart TMM by running the following command:
bigstart restart tmm

Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.

761185-1 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550

Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550

Impact:
For more information please see: https://support.f5.com/csp/article/K50375550

Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550

Fix:
For more information please see: https://support.f5.com/csp/article/K50375550

761160-1 : OpenSSL vulnerability: CVE-2019-1559

Component: TMOS

Symptoms:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).

Conditions:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).

Impact:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).

Workaround:
None.

Fix:
Update OpenSSL to 1.0.2s.

761144-3 : Broadcast frames may be dropped

Solution Article: K95117754

761112-2 : TMM may consume excessive resources when processing FastL4 traffic

Solution Article: K76328112

761088-2 : Remove policy editing restriction in the GUI while auto-detect language is set

Component: Application Security Manager

Symptoms:
While policy language was set to auto-detect, the policy editing was not allowed.

Conditions:
Create a new policy and set the language to auto-detect.

Impact:
While policy language was set to auto-detect, the policy editing was not allowed.

Workaround:
The policy language must be set to something other than auto-detect to allow user to edit the policy from GUI. However, policy editing is possible using REST API.

Fix:
The GUI restriction was removed. User can modify the policy while the language is set to auto-detect.

761014-1 : TMM may crash while processing local traffic

Solution Article: K11447758

760930-3 : MRF SIP ALG with SNAT: Added additional details to log events

Component: Service Provider

Symptoms:
Subscriber name is not included in debug log events for temporary subscriber registration creation and deletion.

Conditions:
debug log events for temporary subscriber registration creation and deletion.

Impact:
No functional impact, but the associated MRF SIP ALG with SNAT issue might be difficult to debug.

Workaround:
None.

Fix:
Subscriber ID is now included in the log events.

760723-1 : Qemu Vulnerability

Solution Article: K64765350

760680-2 : TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed.

Component: TMOS

Symptoms:
TMSH does not correctly handle absence of input stream after closing an interactive SSH session and remains active in an infinite loop using 100% CPU.

Conditions:
If TMSH is a process group leader, it is not killed when the parent shell is terminated upon SSH session close.

This is a rare case, as TMSH must be deliberately promoted to a process group leader, e.g., with the 'setsid' command.

Usually the shell process is a group leader and, when it is terminated upon SSH session close, it kills its child processes, including TMSH.

Impact:
The equivalent of one CPU core is utilized to 100% by the TMSH process. It may be mostly scheduled on one core or spread over multiple control plane cores.

Workaround:
TMSH should not be intentionally promoted to a process group leader.

You can kill all TMSH processes using the command:

killall -9 tmsh

Warning: This command kills both abandoned and in-use TMSH processes. The latter can include other users' TMSH shells, and even system-level processes invoking the TMSH utility internally. Killing all TMSH processes can lead to various unexpected failures. You can use the 'top' command to see which TMSH process is using high CPU (e.g., 90% or more), and kill just those, as those are the likely zombie processes. pstree may also show the problem TMSH processes with no sshd ancestor.

You can kill specific TMSH processes using the command:
kill -9 <pid>

Where <pid> is the process ID of the TMSH instance to kill.

Possible mitigation
===================
Set a CLI idle timeout to a value lower than the sshd idle timeout (which is not set by default):

tmsh modify cli global-settings idle-timeout <timeout in minutes>

Fix:
I/O error handling in TMSH has been corrected, so it no longer ignores absence of input stream, which led to infinite loop.

760471-2 : GTM iQuery connections may be reset during SSL key renegotiation.

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation.

Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.

Workaround:
There is no workaround.

Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.

760439-5 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status

Component: TMOS

Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).

Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.

Impact:
Unit may become active/standby before intended (e.g., during maintenance).

Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.

760370-1 : MRF SIP ALG with SNAT: Next active ingress queue filling

Component: Service Provider

Symptoms:
When running MRF SIP ALG with SNAT, the ingress queue may fill, causing messages to be dropped on the next-active device.

Conditions:
-- The active device determines that an operation can be skipped because the details are already discovered processing a previous message.
-- The next-active device has not yet processed the previous message and is not able to skip the operation.

Impact:
Mirroring state is lost for the connection.

Workaround:
None.

Fix:
When the connection is mirrored, the processing operation is not skipped on either the active or next-active device.

760356-1 : Users with Application Security Administrator role cannot delete Scheduled Reports

Component: Application Visibility and Reporting

Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.

Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.

Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.

Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.

Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports

760355-2 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★

Component: Advanced Firewall Manager

Symptoms:
If firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

Conditions:
-- Firewall is configured on the management port.
-- Firewall is configured with an ICMP rule to block.

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on management port. ICMP packets are allowed from the management port.

Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.

# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP

Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.

760234-6 : Configuring Advanced shell for Resource Administrator User has no effect

Component: TMOS

Symptoms:
Advanced shell is present in the Terminal Access dropdown list when creating a Resource Administrator User, but the functionality is not available.

Conditions:
Configuring Advanced shell for Resource Administrator User.

Impact:
There is no warning message, but the setting has no effect. Gives the false impression that you can configure a Resource Administrator User to have Advanced shell access when the role does not support it.

Workaround:
None.

Fix:
The Advanced shell option is no longer present in the Resource Administrator User Terminal Access dropdown list.

Behavior Change:
Resource Administrator User can no longer select Advanced shell. The option has been removed from the dropdown list in the GUI for the Resource Administrator User.

760164 : BIG-IP VE Compression Offload HA action requires modification of db variable

Component: TMOS

Symptoms:
When TMM detects a compression offload device hang it does not invoke the configured high availability (HA) action.

Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes compression operations.

Impact:
The configured HA action does not occur when a compression offload device hangs. Clients compression requests eventually time out.

Workaround:
Disable the pfmand by running the following commands:
tmsh modify sys db pfmand.healthstatus value disable
tmsh save sys config

The configured HA action will now occur when a compression offload device hangs.

Note: The pfmand daemon is not needed for BIG-IP VE, so disabling the db variable has no impact for BIG-IP VE configurations.

759968-4 : Distinct vCMP guests are able to cluster with each other.

Component: Local Traffic Manager

Symptoms:
-- Distinct vCMP guests are able to cluster with each other.

-- Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using below command:

clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac

Check the 'rebroad_mac' field for duplicate mac addresses.

vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------

Conditions:
-- It is not yet clear under what circumstances the issue occurs.

-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.

Impact:
Only the vCMP guest acting as primary will be operative.

Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:

modify sys db clusterd.communicateovertmmbp value false.

To disable the db variable on the affected guest use the following procedure:

1. Stop sys service clusterd.
2. Modify sys db clusterd.communicateovertmmbp value false.
3. Start sys service clusterd.
4. Save sys conf.

Afterwards, the affected guest might still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask.

With the above steps, the duplicated rebroadcaster MAC still shows, but the vguests are in stable states. To fix the duplicated MAC problem, apply the workaround (on all blades) documented in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

Important: Applying procedure described in K13030 interrupts traffic.

Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.

759654-3 : LDAP remote authentication with remote roles and user-template failing

Component: TMOS

Symptoms:
The directory server that performs authentication requests refuses a query for authorization (user attributes), which prevents the BIG-IP user from logging on with remote authentication.

BAD_NAME errors are usually present in LDAP communication.

Conditions:
-- Configure LDAP remote authentication with remote roles and a user template.
-- As a remote user, attempt to logon.

Impact:
The query request sent to the directory server is refused because the password is not included in the request, and the server does not accept an anonymous bind request. The refused request prevents a lookup of the user account attributes on the directory server. As a result, the BIG-IP user cannot logon.

Workaround:
Remove user-template. bind-dn must be used to authenticate against LDAP server.

759536-1 : Linux kernel vulnerability: CVE-2019-8912

Solution Article: K31739796

759499-1 : Upgrade from version 12.1.3.7 to version 14.1.0 failing with error★

Component: TMOS

Symptoms:
Upgrade from version 12.1.3.7 to version 14.1.0 fails. Running 'tmsh show sys software' shows the following message:
failed (Could not access configuration source; sda,n)

Conditions:
1. Install BIG-IP version 12.1.3.7 in new volume.
2. From 12.1.3.7, try to install 14.1.0 in new volume.

Impact:
Upgrade fails.

Workaround:
To work around this issue, delete the 14.1.0 volume and try the installation again.

The second installation of 14.1.0 succeeds in this scenario.

759392-1 : HTTP_REQUEST iRule event triggered for internal APM request

Component: Access Policy Manager

Symptoms:
Requests for the internal APM renderer for logo customization trigger the HTTP_REQUEST iRule event.

Conditions:
Customized logo in Access Profile

Impact:
HTTP_REQUEST event will be raised for requests for the customized logo in the Access Profile.

Workaround:
Inside the HTTP_REQUEST event, if it is necessary to not take a certain action on a customized logo, it is possible to check that the URL does not equal the URL for the logo (it should start with '/public/images/customization/' and contain the image name).

759343-7 : MacOS Edge Client installer does not follow best security practices

Solution Article: K49827114

759135-1 : AVR report limits are locked at 1000 transactions

Component: Application Visibility and Reporting

Symptoms:
AVR reports are limited to 1000 transactions. This is due to a hard-coded limit.

Conditions:
Using AVR reports for more than 1000 transactions.

Impact:
Unable to create reports with more than 1000 rows.

Workaround:
None.

Fix:
A db variable avr.stats.reportrownumberlimit has been added, that can be controlled via TMSH. The variable controls the number of rows in report within the range of 1 to 100000.

For example, for a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:

tmsh modify sys db avr.stats.reportrownumberlimit value 10000

Behavior Change:
There is a new db variable avr.stats.reportrownumberlimit available in TMSH, which controls the number of rows in an AVR report. Valid values are from 1 to 100000.

For example, to create a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:

tmsh modify sys db avr.stats.reportrownumberlimit value 10000

759077-1 : MRF SIP filter queue sizes not configurable

Component: Service Provider

Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.

Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes are exceeded, the filter enables its flow control logic.

Impact:
Messages may be dropped.

Workaround:
None.

Fix:
The max-pending-messages and max-pending-bytes values in the SIP router profile will be used as the limits for the SIP filter's queues. If the configured value is less than the existing hard-coded limits (512 bytes or 65535 bytes), the hard-coded limits will be used.

758992-3 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address

Component: Local Traffic Manager

Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.

Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.

Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.

Impact:
Incorrect MAC address used for traffic associated with the traffic-group.

Workaround:
None.

Fix:
tmm uses the proper MAC address when there is a traffic-group mac address defined and 'tm.macmasqaddr_per_vlan' is set to true.

758781-4 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates

Component: TMOS

Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()

Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.

Impact:
Slowness might cause timeouts in applications that are calling these functions.

Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.

758599-2 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.

Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.

Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.

Workaround:
None.

Fix:
The IPv4 and IPv6 management routes now have a metric value of 4096. Default value of static routes are 1 for IPv4 and 1024 for IPv6. This makes static routes (TMM routes) preferred over management routes, which is correct behavior.

758527-1 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode

Solution Article: K39604784

Component: TMOS

Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.

Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.

Impact:
Frames not delivered as expected.

Workaround:
Disable global STP.

Fix:
Frames now delivered as expected.

758387-1 : BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it

Component: TMOS

Symptoms:
In STP 'passthru' mode, any packet sent to the BIG-IP system with a destination MAC of 01-80-c2-00-00-00 is treated as an STP bridge protocol data unit (BPDU), and is flooded to the VLAN.

Conditions:
-- The BIG-IP system is configured for STP 'passthru' mode
-- The BIG-IP system receives a packet with MAC 01-80-c2-00-00-00.

Impact:
A packet that is not an STP BPDU, but is sent to the same destination MAC address may be flooded as if it was a BPDU.

Workaround:
None.

Fix:
Added an STP drop rule for certain LLDP-type packets sent to STP destination MAC:

# list sys db bcm56xxd.rules.lldp_drop
sys db bcm56xxd.rules.lldp_drop {
value "disable"
}

It is disabled by default. You must manually set it to cause the LLDP frames to be dropped in STP passthrough mode.

758119-7 : qkview may contain sensitive information

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048

758065-5 : TMM may consume excessive resources while processing FIX traffic

Solution Article: K82781208

757827 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:
1. Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
2. DNS queries to resolve these FQDN names occur almost simultaneously.
3. The BIG-IP version in use contains the fix for ID 726319.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.
As a result, some pools may not have any active pool members, and will not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default fqdn interval value of 3600 seconds, such downtime would last approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter fqdn interval value for the FQDN nodes:
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configure FQDN name.

Fix:
When using FQDN nodes and pool members, ephemeral pool members will be created as expected following a configuration-load or BIG-IP reboot operation.

However, messages similar to the following may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name:

err mcpd[20479]: 01020066:3: The requested Node (****) already exists in partition ****.
err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.

757781-4 : Portal Access: cookie exchange may be broken sometimes

Component: Access Policy Manager

Symptoms:
Portal Access uses special HTTP request with URL '/private/fm/volatile.html' to exchange cookie data between client and BIG-IP. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.

Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.

Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.

Workaround:
None.

Fix:
Portal Access now sends correct HTTP responses with backend cookie data to the client.

757617-2 : Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865

Solution Article: K06044762

757578-1 : RAM cache is not compatible with verify-accept

Component: Local Traffic Manager

Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature

Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with a Web Acceleration via RAM cache.

Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.

Workaround:
Do not use TCP's verify-accept option together with RAM cache.

Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.

757519-2 : Unable to logon using LDAP authentication with a user-template

Component: TMOS

Symptoms:
Cannot logon using remote LDAP authentication. This occurs because LDAP with user-template configured uses the user-template value as the distinguished name (DN) for the LDAP search, instead of a properly formed X.500 name, for example:
cn=xxx,ou=xxx,dc=example,dc=org

Conditions:
-- LDAP authentication configuration includes the user-template value as the DN.
-- Attempt to logon.

Impact:
Remote LDAP authentication users are unable to login.

Note: The user-template value is not a valid DN.

Workaround:
You can use either of the following workarounds:

-- Create a specific user for bind by configuring bind-dn and bind-pw, and remove user-template.

-- Switch to local authentication.

757357-5 : TMM may crash while processing traffic

Solution Article: K92002212

757306-1 : SNMP MIBS for AFM NAT do not yet exist

Component: Advanced Firewall Manager

Symptoms:
SNMP MIBS for AFM NAT do not yet exist.

Conditions:
This occurs in normal operation.

Impact:
Unable to read values that do not exist in SNMP, meaning that you cannot access information that you need.

Workaround:
None.

757023-8 : BIND vulnerability CVE-2018-5743

Solution Article: K74009656

756817-2 : ZebOS addresses blocks do not reflect RFC5735 changes to reserved address blocks.

Component: Local Traffic Manager

Symptoms:
Special IP address handling as per RFC6890 is done correctly in the routing protocols. There is a possibility of martian addresses getting announced or allowed addresses restricted (e.g., 128.0.0.0/16 and 191.255.0.0/16).

This impacts all components using dynamic routing.

Conditions:
-- Network advertisements in BGP, etc., allow martian addresses and restrict allowed network-space as per RFC6890, for example, 128.0.0.0/16 and 191.255.0.0/16, 223.255.255.0/24 are blocked.
-- In IPv6 loopback addressed are allowed, so ::/128 (unspec) and ::1/128 (loopback) addresses are allowed.
-- Some DSlite address ranges are not handled correctly.

Impact:
Martian addresses are allowed. Non-martian addresses are blocked.

Workaround:
None.

Fix:
Ensure that martian addresses like IPv6 (::/128 - unspec, ::1/128 - loopback) are not used.

Note: Although 128.0.0.0/16, 191.255.0.0/16, 223.255.255.0/24 are no longer martian addresses, they still cannot be used.

756571 : CVE-2018-17972: Linux kernel vulnerability

Solution Article: K27673650

756458-4 : Linux kernel vulnerability: CVE-2018-18559

Solution Article: K28241423

756102-1 : TMM can crash with core on ABORT signal due to non-responsive AVR code

Component: Application Visibility and Reporting

Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.

Conditions:
Non-responsive AVR code. No other special conditions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

755727-1 : Ephemeral pool members not created after DNS flap and address record changes

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.

Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.

Conditions:
This issue may occur under rare timing conditions when the following factors are present:

-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.

Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.

Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:

1. Restart the dynconfd daemon:
bigstart restart dynconfd

2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }

To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.

755018-1 : Egress traffic processing may be stopped on one or more VE trunk interfaces

Component: TMOS

Symptoms:
Trunk interface members might be missing from tmm on BIG-IP Virtual Edition (VE).

Conditions:
-- Using trunks on VE.
-- May happen after a TMM restart, or after interface link states change.

Impact:
No egress traffic processing on one or more interfaces of a VE trunk.

Workaround:
Modify an attribute of the trunk and then return it to its previous value, for example:

# tmsh modify net trunk <trunk name> link-select-policy maximum-bandwidth
# tmsh modify net trunk <trunk name> link-select-policy auto

Fix:
Traffic is processed on all trunk interfaces.

754691-2 : During failover, an OSPF routing daemon may crash.

Component: TMOS

Symptoms:
With a specific OSPF configuration, during a failover, a peer which is changed from standby to active may experience an ospfd daemon crash.

Conditions:
High availability configuration with a routing configuration:
1) access-list with 0.0.0.0/0 filtering:
access-list 199 remark test
access-list 199 deny ip host 0.0.0.0 host 0.0.0.0
access-list 199 permit ip any any

2) OSPF router with this access-list:
router ospf 1
ospf router-id 10.14.0.11
bfd all-interfaces
network 10.14.0.0/16 area 0.0.0.1
distribute-list 199 in
!

-- The device with this configuration is in the standby state.
-- A failover occurs.

Impact:
An OSPF daemon crashes, losing routing information and OSPF dynamic routes for a moment while ospfd daemon restarts.

Workaround:
None.

Fix:
An ospfd daemon no longer crashes during a failover.

754525-2 : Disabled virtual server accepts and serves traffic after restart

Component: Local Traffic Manager

Symptoms:
Disabled virtual servers accept traffic after being upgraded to an affected version, or after restarting.

Conditions:
1. A virtual server is configured on pre-v14.1.0.
2. Disable the virtual server.
3. Either upgrade to an affected version, or restart the system.

Impact:
The virtual server remains 'Disabled', but it accepts and processes traffic.

Workaround:
To correct the behavior, manually enable/disable the virtual server.

Fix:
Disabled virtual servers no longer process traffic after a restart.

754003-4 : Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate

Solution Article: K73202036

Component: Local Traffic Manager

Symptoms:
For more information please see: https://support.f5.com/csp/article/K73202036

Conditions:
For more information please see: https://support.f5.com/csp/article/K73202036

Impact:
For more information please see: https://support.f5.com/csp/article/K73202036

Workaround:
None.

Fix:
For more information please see: https://support.f5.com/csp/article/K73202036

753975-4 : TMM may crash while processing HTTP traffic with webacceleration profile

Solution Article: K92411323

753485-3 : AVR global settings are being overridden by HA peers

Component: Application Visibility and Reporting

Symptoms:
Configuration of AVR global settings is being overridden by high availability (HA) peers, and thus report incorrectly to BIG-IQ Data Collection Devices (DCDs).

Conditions:
Configuring HA for systems connected to BIG-IQ.

Impact:
Configuration of BIG-IP systems in HA configuration can override each other. This might result in the following behavior:
-- A common symptom is the 'Stats Last Collection Date' shows up as Dec 31, 1969 or Jan 01, 1970, depending the timezone configuration of the device
-- The 'Stats Last Collection Date' shows up as '--'
-- The BIG-IP systems incorrectly identify themselves to BIG-IQ.
-- The BIG-IP systems report to the wrong DCD.
-- The BIG-IP systems report to DCD, even if they are not configured to report at all.
-- The BIG-IP systems do not report at all, even if they are configured to report.

Note: This bug is tightly related to BIG-IQ Bug ID 757423.

Workaround:
None.

Fix:
Synchronization of relevant fields on AVR global settings are disabled, so this issue no longer occurs.

750278-5 : A sub-second timeout for the SSL alert-timeout option may be desirable in certain cases

Solution Article: K25165813

Component: Local Traffic Manager

Symptoms:
For certain high-throughput applications running over SSL (for instance, video streaming), it may be desirable for the BIG-IP system to reset both flows as soon as possible once one side has sent a FIN but the peer side is continuing to send data.

This situation can be undesirable (as it is wastes bandwidth) given that at this point the BIG-IP system is no longer proxying data but just dropping all remaining ingress packets (as SSL does not support half-closed TCP connections).

Conditions:
This issue occurs when the following conditions are met:

- A standard virtual server with the client SSL and server SSL profiles in use.

- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.

- The peer side ignores the FIN and continues to send data.

Impact:
Even if the SSL alert-timeout option was set to its lowest allowed value (1 second), given a large number of connections in this specific state, the wasted bandwidth can reach considerable levels.

Workaround:
None.

Fix:
The SSL alert-timeout option now supports the 'Immediate' value, which makes the BIG-IP system reset both flows after 1/1000 second.

749184-1 : Added description of subviolation for the suggestions that enabled/disabled them

Component: Application Security Manager

Symptoms:
Missing description of subviolation for the suggestions that enabled/disabled them.

Conditions:
There are suggestions that enabled/disabled subviolations in the security policy.

Impact:
Cannot determine the subviolation for the suggestions that enabled/disabled them.

Workaround:
Open Description in an additional tab in Learning and Blocking settings screen.

Fix:
Added description of subviolation for the suggestions that enabled/disabled them.

748122-7 : BIG-IP Vulnerability CVE-2018-15333

Solution Article: K53620021

747628-7 : BIG-IP sends spurious ICMP PMTU message to server

Component: Local Traffic Manager

Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.

Conditions:
-- The server side allows timestamps and the client side does not negotiate them.

-- The client-side MTU is lower than the server-side MTU.

-- There is no ICMP message on the client-side connection.

Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).

Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.

747203-1 : Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding

Component: TMOS

Symptoms:
-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.

Conditions:
-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers result in distributing legs of processing one flow across several tmm instances.

Impact:
NATT/ESP tunnel flows can end with a RST reset.

Workaround:
None.

Fix:
In the ESP proxy, The system now clears a bit in packet metainformation related to forwarding, so a decrypted packet such as SYN/ACK can reach the last tmm needed.

746122-3 : 'load sys config verify' resets the active master key to the on-disk master key value

Component: TMOS

Symptoms:
Master key is reset to an older value which may differ from the 'active' value.

Conditions:
Configuration is validated via 'tmsh load sys config verify'.

Impact:
Configuration elements may be encrypted with a different key leading to a corrupt configuration state. If the configuration is saved, future loads will fail.

Workaround:
None.

Fix:
Verification loads do not override the 'active' master-key.

746091-7 : TMSH Vulnerability: CVE-2019-19151

Solution Article: K21711352

745923-5 : Connection flow collision can cause packets to be sent with source and/or destination port 0

Component: Local Traffic Manager

Symptoms:
Symptoms vary based on traffic impacted:

Virtual server may reset a connection with the source and/or destination port set to 0 when the client sends an ACK after a 4-way close

UDP traffic to virtual server with UDP profile immediate timeout configured or datagram load-balancing can collide with existing connections and be incorrectly sent with source and/or destination port 0.

Conditions:
-- Conditions to trigger this issue with TCP traffic:
   - 3-way handshake initiated by client to virtual server.
   - Client actively closing the connection - 4-way close.
   - Client continues to send ACK after 4-way close.

-- Conditions to trigger this issue with UDP traffic:
   - UDP profile has timeout immediate configured or datagram load-balancing.
   - UDP packet arrives that matches an expiring but still-present connection.

-- Provisioned for AFM.

Impact:
Virtual server performs an incorrect reset with source or destination port 0, or UDP proxy traffic is sent incorrectly with source and/or destination port 0.

Workaround:
None.

Fix:
Connection flow collision no longer causes packets to be sent from source port 0.

745465-2 : The tcpdump file does not provide the correct extension

Component: TMOS

Symptoms:
The output file from tcpdump generation is named support.tcpdump even though it is a compressed file.

Conditions:
Whenever tcpdump is generated and downloaded.

Impact:
You must rename the file with the correct file extension and then decompress it to access the .dmp files.

Workaround:
Rename the downloaded file from support.tcpdump to <filename>.tar.gz and decompress it.

Fix:
File name changed to support.tcpdump.tar.gz.

Behavior Change:
The tcpdump file has a different name and file extension - support.tcpdump.tar.gz

745103-7 : NodeJS Vulnerability: CVE-2018-7159

Solution Article: K27228191

744937-2 : BIG-IP DNS and GTM DNSSEC security exposure

Solution Article: K00724442

Component: Global Traffic Manager (DNS)

Symptoms:
For more information please see: https://support.f5.com/csp/article/K00724442

Conditions:
For more information please see: https://support.f5.com/csp/article/K00724442

Impact:
For more information please see: https://support.f5.com/csp/article/K00724442

Workaround:
None.

Fix:
For more information please see: https://support.f5.com/csp/article/K00724442

Behavior Change:
Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:

-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap.

These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively.

When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type.

When using these variables:

-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.

744407-2 : While the client has been closed, iRule function should not try to check on a closed session

Component: Access Policy Manager

Symptoms:
tmm cores. System posts a message:

access::session exists is used during CLIENT_CLOSED iRule event.

Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'access session::exists' command is used inside the iRule event CLIENT_CLOSED.

Impact:
tmm may core. Traffic disrupted while tmm restarts.

Workaround:
Do not use the iRule command 'access session::exists' inside CLIENT_CLOSED.

Fix:
Command execution of 'access::session exists' is now prevented in the iRule event CLIENT_CLOSED.

742628-2 : Tmsh session initiation adds increased control plane pressure

Solution Article: K53843889

Component: TMOS

Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.

Conditions:
Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.

Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.

Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:

tmsh modify /auth user ADMINUSERNAME shell bash

741222-1 : Install epsec1.0.0 into software partition.★

Component: Access Policy Manager

Symptoms:
On some hardware configurations, after the BIG-IP software upgrade, epsec1.0.0 install fails.

Conditions:
-- Upgrade from earlier versions to BIG-IP 14.1.0.
-- Attempting to install epsec1.0.0.

Note: This occurs on only some hardware platforms, including the following:
  + BIG-IP 4000
  + BIG-IP i2800 series
  + BIG-IP Virtual Edition
  + BIG-IP vCMP Guest

Impact:
Unable to install or use software check with APM endpoint inspection.

Workaround:
There is no workaround other than upgrading to a fixed version of the software.

Fix:
The epsec1.0.0 installation is now performed into active BIG-IP software volume (/var), so this issue no longer occurs.

738943-2 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
- dynamic routing enabled
- ospfd protocol enabled
- imish hangs

Conditions:
- running imish command

Impact:
ability to show dynamic routing state using imish

Workaround:
restart ospfd daemon

738330-4 : /mgmt/toc endpoint issue after configuring remote authentication

Component: TMOS

Symptoms:
'Invalid username or password.' error on the /mgmt/toc page after configuring remote authentication.

Conditions:
When remote auth is configured.

Impact:
Cannot configure remote authentication.

After configuring remote authentication, you can login to the mgmt/toc area with the admin user, but using a remote auth user ended up with 'You are not authorized to use this resource'.

Workaround:
On BIG-IP versions since 14.1.0.6 and 13.1.1.5:

Enable 'Fallback to Local' in the remote auth config section on the BIG-IP system:
tmsh modify auth source fallback true.

Both local BIG-IP user 'admin' and LDAP user are now able to authenticate and access https://XX.XX.XX.XX/mgmt/toc.

On other versions of BIG-IP software, there is no workaround.

Fix:
When source type is set to a remote auth method, login now succeeds. If the remote server is unavailable, authentication now falls back to local authentication, if authentication source fallback is set to true.

Behavior Change:
This release allows fallback to local authentication. When the authentication source type is set to a remote authentication source, if the remote server is unavailable, authentication now falls back to local authentication, if authentication source fallback is set to true.

738284-1 : Creating or deleting rule list results in warning message: Schema object encode failed

Component: Advanced Firewall Manager

Symptoms:
"Schema object encode failed: No foreign keys found for nested object" warning message is logged into /var/log/ltm while creating or deleting the rule list.

Jul 25 05:44:49 localhost.localdomain warning icr_eventd[4778]: 01a10008:4: Schema object encode failed: No foreign keys found for nested object with tag 17547

Conditions:
Observed when creating or deleting rule list in /var/log/ltm

tmsh create security firewall rule-list rule-list1
tmsh delete security firewall rule-list rule-list1

Impact:
The warning message has no impact on functionality and can be ignored.

Fix:
Log message has been changed to log at the debug level.

738236-6 : UCS does not follow current best practices

Solution Article: K25607522

727107-5 : Request Logs are not stored locally due to shmem pipe blockage

Component: Application Security Manager

Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to be become stuck. Messages similar to the following appear in pabnagd.log:

----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.

Messages similar to the following appear in pabnagd.log:

Conditions:
Request Logs are not stored locally due to shmem pipe blockage.

Impact:
Event logs stop logging locally.

Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd

Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.

726176-1 : Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve

Component: Local Traffic Manager

Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.

Conditions:
This issue occurs when all of the following conditions are met:

-- You are running on a BIG-IP platform using RSS DAG hash, for instance, z100 and 2000 or 4000 series hardware platform
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.

Impact:
Traffic throughput may be degraded.

Workaround:
Set source-port to change.

Fix:
Platforms running RSS DAG hash now reuse source port at the correct rate when virtual server sets source-port preserve.

725551-1 : ASM may consume excessive resources

Solution Article: K40452417

724109-1 : Manual config-sync fails after pool with FQDN pool members is deleted

Component: TMOS

Symptoms:
If a user, deletes a fqdn pool on one BIG-IP in a cluster and then run a manual config sync with another BIG-IP, the change fails to sync with the other BIG-IPs in the cluster.

Conditions:
- Create fqdn pool in one BIG-IP
- Save sys config
- Run config sync
- Delete fqdn pool
- Save sys config
- Run config sync manually

Result: After deleting fqdn pool in BIG-IP and config sync with another BIG-IP, Manual config sync failed. Still, we can see the deleted fqdn pool in another BIG-IP

Impact:
FQDN pool delete failed in another BIG-IP and manual config sync operation is failed.

Workaround:
The workaround for this issue is to use auto-sync.

722230-2 : Cannot delete FQDN template node if another FQDN node resolves to same IP address

Component: TMOS

Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.

Conditions:
This occurs under the following conditions
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.

Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.

Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.

715032-3 : iRulesLX Hardening

Component: Local Traffic Manager

Symptoms:
iRulesLX does not follow current best practices and should be updated to ensure layered protections.

Conditions:
-iRulesLX in use

Impact:
iRulesLX does not follow current best practices.

Workaround:
None.

Fix:
iRulesLX now follows current best practices.

714372-4 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system has a web-acceleration which provides a number of caching and optimization options suitable for HTTP/1.1. It uses 'Connection: Keep-Alive' header on a server side, which results in appearance of 'Keep-Alive' header in a response. Such a HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with a such header and reject those with a RST_STREAM message.

Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.

Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.

Workaround:
Use an iRule to remove the Keep-Alive header:

when HTTP_RESPONSE_RELEASE {
HTTP::header remove keep-alive
}

Alternatively use an LTM Policy where this header is removed from a server's response.

706782-4 : Inefficient APM processing in large configurations.

Component: Access Policy Manager

Symptoms:
In configurations with large numbers of virtual servers or other entities, the apmd, oauth, and localdbmgr processes may consume large amounts of system resources.

Conditions:
-- Large configuration.
-- APM provisioned.
-- Multiple traffic groups exacerbate the effect.

Impact:
Heavy use of odd-numbered CPU cores may slow all control-plane operations, including user-interface response.

Workaround:
None known.

697590-1 : APM iRule ACCESS::session remove fails outside of Access events

Component: Access Policy Manager

Symptoms:
ACCESS::session remove fails

Conditions:
iRule calling ACCESS::session remove outside of Access events.

Impact:
APM iRule ACCESS::session remove fails to remove session

Workaround:
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.

688399-1 : HSB failure results in continuous TMM restarts

Component: TMOS

Symptoms:
The TMM is continually restarted due to lack of HSB PDE device. When this issue occurs, HSB errors may be present in the TMM log files, prior to a TMM core (SIGSEGV).

Conditions:
It's unknown how this issue occurs.

Impact:
TMM continually restarts until the unit is rebooted. Traffic disrupted while tmm restarts. The reboot appears to clear the condition.

Workaround:
Manually reboot the unit.

681010-5 : 'Referer' is not masked when 'Query String' contains sensitive parameter

Solution Article: K33572148

Component: Application Security Manager

Symptoms:
While 'Query String' contains masked sensitive parameter value the 'Referer' header sensitive parameter value is exposed.

Conditions:
-- Sensitive parameter is defined in: 'Security :: Application Security : Parameters : Sensitive Parameters'.

-- 'Query String' contains the defined sensitive parameter.

Impact:
"Referer" header contains unmasked value of the sensitive parameter.

Workaround:
Enable 'Mask Value in Logs' in: 'Security :: Application Security : Headers : HTTP Headers :: referer'.

Fix:
The 'Referer' header value is masked in case of sensitive parameter in 'Query String'.

648621-7 : SCTP: Multihome connections may not expire

Component: TMOS

Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.

Conditions:
When the multi-homing connections have been forcibly deleted from tmsh command.

Impact:
The multi-homing connections won't be expired.

Workaround:
Don't manually deleted the multi-homing connections.

636400-4 : CPB (BIG-IP->BIGIQ log node) Hardening

Solution Article: K26462555

617929-1 : Support non-default route domains

Component: Local Traffic Manager

Symptoms:
Some connections are reset

Conditions:
This occurs when the device is configured with non-default route domains when connecting to other tmms over the backplane

Impact:
Traffic processing failure

Workaround:
None

605675-5 : Sync requests can be generated faster than they can be handled

Component: TMOS

Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.

Conditions:
Configuration changes in quick succession that might generate sync-change messages.

Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.

Workaround:
None.

591732-6 : Local password policy not enforced when auth source is set to a remote type.

Component: TMOS

Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.

Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.

2) The auth source is set to a remote source, such as LDAP, AD, TACACS.

Impact:
The system does not enforce any of the non-default local password policy options.

For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.

Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).

Workaround:
None.

Known Issues in BIG-IP v15.0.x

TMOS Issues

ID Number	Severity	Solution Article(s)	Description
864513-2	1-Blocking	K48234609	ASM policies may not load after upgrading to 14.x or later from a previous major version★
858173-2	1-Blocking		SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1★
809553-2	1-Blocking		ONAP Licensing - Cipher negotiation fails
778317-2	1-Blocking		IKEv2 HA after Standby restart has race condition with config startup
754989-2	1-Blocking		iControl REST API adds unnecessary escape character (\) to URL if the URL contains a wildcard character
915305-4	2-Critical		Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
910201-2	2-Critical		OSPF - SPF/IA calculation scheduling might get stuck infinitely
908517-2	2-Critical		LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'
896217-3	2-Critical		BIG-IP GUI unresponsive
888341-6	2-Critical		HA Group failover may fail to complete Active/Standby state transition
882757-2	2-Critical		sflow_agent crash SIGABRT in the cleanup flow
871561-4	2-Critical		Hotfix installation on vCMP guest fails with '(Software compatibility tests failed.)'
865329-2	2-Critical		WCCP crashes on "ServiceGroup size exceeded" exception
860517-2	2-Critical		MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
860349-2	2-Critical		Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication
858877-2	2-Critical		SSL Orchestrator config sync issues between HA-pair devices
856713-2	2-Critical		IPsec crash during rekey
854493-4	2-Critical		Kernel page allocation failures messages in kern.log
849405-3	2-Critical		LTM v14.1.2.1 does not log after upgrade★
844569-1	2-Critical		HSB transmitter failure on i2000/i4000 series
841953-6	2-Critical		A tunnel can be expired when going offline, causing tmm crash
841333-6	2-Critical		TMM may crash when tunnel used after returning from offline
837637-6	2-Critical		Orphaned bigip_gtm.conf can cause config load failure after upgrading★
833173-1	2-Critical		SFP interfaces are flapping on 2xxx/4xxx on version 15.0.x
831821-2	2-Critical		Corrupted DAG packets causes bcm56xxd core on VCMP host
829677-3	2-Critical		.tmp files in /var/config/rest/ may cause /var directory exhaustion
829661-1	2-Critical		TCP connection fails to establish when an SFC policy is enabled
829277-3	2-Critical		A Large /config folder can cause memory exhaustion during live-install★
819009-4	2-Critical		Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol.
817085-5	2-Critical		Multicast Flood Can Cause the Host TMM to Restart
813517-1	2-Critical		The cron daemon not running after upgrade from pre-v14.1.0 versions to 15.0.x★
810593-1	2-Critical	K10963690	Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★
805417-2	2-Critical		Unable to enable LDAP system auth profile debug logging
797221-2	2-Critical		BCM daemon can be killed by watchdog timeout during blade-to-blade failover
796601-3	2-Critical		Invalid parameter in errdefsd while processing hostname db_variable
792285-1	2-Critical		TMM crashes if the queuing message to all HSL pool members fails
785017-2	2-Critical		Secondary blades go offline after new primary is elected
780437-1	2-Critical		Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
777993-1	2-Critical		Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
777389-2	2-Critical		In a corner case, for PostgreSQL monitor MCP process restarts
775897-2	2-Critical		High Availability failover restarts tmipsecd when tmm connections are closed
774361-4	2-Critical		IPsec High Availability sync during multiple failover via RFC6311 messages
769581-2	2-Critical		Timeout when sending many large requests iControl Rest requests
769341-2	2-Critical		HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs
767013-2	2-Critical		Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
762385-2	2-Critical		Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later★
758929-1	2-Critical		Bcm56xxd MIIM bus access failure after TMM crash
757722-3	2-Critical		Unknown notify message types unsupported in IKEv2
756402-3	2-Critical		Re-transmitted IPsec packets can have garbled contents
755716-2	2-Critical		IPsec connection can fail if connflow expiration happens before IKE encryption
751924-1	2-Critical		TSO packet bit fails IPsec during ESP encryption
750588-2	2-Critical		While loading large configurations on BIG-IP systems, some daemons may core intermittently.
749249-3	2-Critical		IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP
746464-7	2-Critical		MCPD sync errors and restart after multiple modifications to file object in chassis
743946-1	2-Critical		Tmsh loads schema versions 12.x and earlier which are no longer supported★
741676-4	2-Critical		Intermittent crash switching between tunnel mode and interface mode
739507-2	2-Critical		How to recover from a failed state due to FIPS integrity check
737322-6	2-Critical		tmm may crash at startup if the configuration load fails
718573-2	2-Critical		Internal SessionDB invalid state
593536-8	2-Critical	K64445052	Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
382363-4	2-Critical	K30588577	min-up-members and using gateway-failsafe-device on the same pool.
923745-2	3-Major		Ctrl-Alt-Del reboots the system
922153-3	3-Major		Tcpdump is failing on tmm 0.x interfaces
921881-3	3-Major		Use of IPFIX log destination can result in increased CPU utilization
921361-1	3-Major		SSL client and SSL server profile names truncated in GUI
921149-5	3-Major		After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
921121-3	3-Major		Tmm crash with iRule and a PEM Policy with BWC Enabled
919317-4	3-Major		NSM consumes 100% CPU processing nexthops for recursive ECMP routes
919185-3	3-Major		Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed
918409-3	3-Major		BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures
915825-3	3-Major		Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
915557-3	3-Major		The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.
914645-2	3-Major		Unable to apply LTM policies to virtual servers after running 'mount -a'
914081-2	3-Major		Engineering Hotfixes missing bug titles
913849-4	3-Major		Syslog-ng periodically logs nothing for 20 seconds
909505-2	3-Major		Creating LTM data group external object fails.
909485-2	3-Major		Deleting LTM data-group external object incorrectly reports 200 when object fails to delete
909197-4	3-Major		The mcpd process may become unresponsive
908753-4	3-Major		Password memory not effective even when password policy is configured
908601-3	3-Major		System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option
906505-3	3-Major		Display of LCD System Menu cannot be configured via GUI on iSeries platforms
904041-3	3-Major		Ephemeral pool members are missing from pool of Common partition when reloading configuration for current partition
903265-2	3-Major		Single user mode faced sudden reboot
902401-4	3-Major		OSPFd SIGSEGV core when 'ospf clear' is done on remote device
901989-3	3-Major		Boot_marker writes to /var/log/btmp
900933-4	3-Major		IPsec interoperability problem with ECP PFS
900485-3	3-Major		Syslog-ng 'program' filter does not work
899933-3	3-Major		Listing property groups in TMSH without specifying properties lists the entire object
899085-5	3-Major		Configuration changes made by Certificate Manager role do not trigger saving config
898705-4	3-Major		IPv6 static BFD configuration is truncated or missing
898577-3	3-Major		Executing a command in "mgmt tm" using iControl REST results in tmsh error
898461-3	3-Major		Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
898389-2	3-Major		Traffic is not classified when adding port-list to virtual server from GUI
896817-3	3-Major		iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
895845-4	3-Major		Implement automatic conflict resolution for gossip-conflicts in REST
895837-2	3-Major		Mcpd crash when a traffic-matching-criteria destination-port-list is modified
894545-3	3-Major		Creating a virtual server in the GUI with a destination address list and 'All Ports' can erroneously conflict with other virtual servers
893885-2	3-Major		The tpm-status command returns: 'System Integrity: Invalid' after HotFix installation
893341-2	3-Major		BIG-IP VE interface is down after upgrade from v13.x w/ workaround for ID774445★
892445-3	3-Major		BWC policy names are limited to 128 characters
891337-2	3-Major		'save_master_key(master): Not ready to save yet' errors in the logs
891221-3	3-Major		Router bgp neighbor password CLI help string is not helpful
889029-3	3-Major		Unable to login if LDAP user does not have search permissions
888081-3	3-Major		BIG-IP VE Migration feature fails for 1NIC
887117-1	3-Major		Invalid SessionDB messages are sent to Standby
887089-4	3-Major		Upgrade can fail when filenames contain spaces
886273-2	3-Major		Unanticipated restart of TMM due to heartbeat failure
884989-2	3-Major		IKE_SA's Not mirrored of on Standby device if it reboots
884729-3	3-Major		The vCMP CPU usage stats are incorrect
883149-3	3-Major		The fix for ID 439539 can cause mcpd to core.
882833-3	3-Major		SELinux issue cause zrd down★
882709-3	3-Major		Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors in this release★
881085-2	3-Major		Intermittent auth failures with remote LDAP auth for BIG-IP managment
880473-2	3-Major		Under certain conditions, the virtio driver may core during shutdown
880013-2	3-Major		Config load fails after changing the BIG-IP Master key which has an encrypted key in it's configuration
880009-2	3-Major		Tcpdump does not export the TLS1.3 early secret
879969-4	3-Major		FQDN node resolution fails if DNS response latency >5 seconds
879405-2	3-Major		Incorrect value in Transparent Nexthop property
879001-2	3-Major		LDAP data is not updated consistently which might affect authentication.
878893-2	3-Major		During system shutdown it is possible the for sflow_agent to core
878401	3-Major		Intermittent core on BIG-IP 5000-series platforms configured for vCMP
878393	3-Major		Intermittent core on BIG-IP 5000-series platforms configured for vCMP
878385	3-Major		Intermittent core on BIG-IP 5000-series platforms configured for vCMP
878381	3-Major		Intermittent core on BIG-IP 5000-series platforms configured for vCMP
878373	3-Major		Intermittent core on BIG-IP 5000-series platforms configured for vCMP
876937-2	3-Major		DNS Cache not functioning
876809-2	3-Major		GUI cannot delete a cert with a name that starts with * and ends with .crt
876733	3-Major		Intermittent core on BIG-IP 5000-series platforms configured for vCMP
876717	3-Major		Intermittent core on BIG-IP 5000-series platforms configured for vCMP
876465	3-Major		Intermittent core on BIG-IP 5000-series platforms configured for vCMP
871705-5	3-Major		Restarting bigstart shuts down the system
871045-2	3-Major		IP fragments are disaggregated to separate TMMs with hardware syncookies enabled
870389-2	3-Major		Increase size of /var logical volume to 1.5 GiB for LTM-only VE images
867793-2	3-Major		BIG-IP sending the wrong trap code for BGP peer state
867253-2	3-Major		Systemd not deleting user journals
867181-2	3-Major		ixlv: double tagging is not working
867177-2	3-Major		Outbound TFTP and Active FTP no longer work by default over the management port
867013-3	3-Major		Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
865241-2	3-Major		Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
865177-3	3-Major		Cert-LDAP returning only first entry in the sequence that matches san-other oid
862693-1	3-Major		PAM_RHOST not set when authenticating BIG-IP using iControl REST
862525-2	3-Major		GUI Browser Cache Timeout option is not available via tmsh
860317-2	3-Major		JavaScript Obfuscator can hang indefinitely
860245-2	3-Major		SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x
860181-2	3-Major		After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error
858769-5	3-Major		Net-snmp library must be upgraded to 5.8 in order to support SHA-2
858197-3	3-Major		Merged crash when memory exhausted
856953-3	3-Major		IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1
853617-2	3-Major		Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles
853161-3	3-Major		Restjavad has different behavior for error responses if the body is over 2k
852565-4	3-Major		On Device Management::Overview GUI page, device order changes
852265-2	3-Major		Virtual Server Client and Server SSL profile list boxes no longer automatically scale for width
851785-2	3-Major		BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver
851021-2	3-Major		Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error
850997-2	3-Major		'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page
850777-2	3-Major		BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config
850193-3	3-Major		Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues
849157-1	3-Major		An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck
846141-2	3-Major		Unable to use Rest API to manage GTM pool members that have an pipe symbol '\|' in the server name.
846137-2	3-Major		The icrd returns incorrect route names in some cases
844085-2	3-Major		GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
843661-2	3-Major		TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command
843597-2	3-Major		Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
842901-2	3-Major		Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair.
842669-2	3-Major		Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
842125-5	3-Major		Unable to reconnect outgoing SCTP connections that have previously aborted
841721-1	3-Major		BWC::policy detach appears to run, but BWC control is still enabled
841649-3	3-Major		Hardware accelerated connection mismatch resulting in tmm core
841277-6	3-Major		C4800 LCD fails to load after annunciator hot-swap
839121-2	3-Major		A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★
838901-3	3-Major		TMM receives invalid rx descriptor from HSB hardware
838337-2	3-Major		The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
838297-3	3-Major		Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
837481-6	3-Major		SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID
829821-2	3-Major		Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
829317-4	3-Major		Memory leak in icrd_child due to concurrent REST usage
829193-3	3-Major		REST system unavailable due to disk corruption
828873	3-Major		Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor
828789-2	3-Major		Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters
827209-3	3-Major		HSB transmit lockup on i4600
827021-1	3-Major		MCP update message may be lost when primary blade changes in chassis
826313-5	3-Major		Error: Media type is incompatible with other trunk members★
826265-4	3-Major		The SNMPv3 engineBoots value restarts at 1 after an upgrade
824809-5	3-Major		bcm56xxd watchdog restart
821309-2	3-Major		After an initial boot, mcpd has a defunct child "systemctl" process
820845-4	3-Major		Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
820213-3	3-Major		'Application Service List' empty after UCS restore
819457-2	3-Major		LTM high availability (HA) sync should not sync GTM zone configuration
818505-2	3-Major		Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
818417-1	3-Major		Flowspecd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf.
817089-2	3-Major		Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing
816229-2	3-Major		Kernel Log Messages Logged Twice
814585-2	3-Major		PPTP profile option not available when creating or modifying virtual servers in GUI
814353-5	3-Major		Pool member silently changed to user-disabled from monitor-disabled
814273-2	3-Major		Multicast route entries are not populating to tmm after failover
814053-3	3-Major		Under heavy load, bcm56xxd can be killed by the watchdog
812493-3	3-Major		When engineID is reconfigured, snmp and alert daemons must be restarted★
811053-1	3-Major		REBOOT REQUIRED prompt appears after failover and clsh reboot
811041-6	3-Major		Out of shmem, increment amount in /etc/ha_table/ha_table.conf
810613-1	3-Major		GUI Login History hides informative message about max number of lines exceeded
810381-3	3-Major		The SNMP max message size check is being incorrectly applied.
810373	3-Major		Errors running 'config' command
809657-1	3-Major		HA Group score not computed correctly for an unmonitored pool when mcpd starts
808485-1	3-Major		Add 'virtual-server' argument to 'tmsh help sys connection' for version 14.x
808277-5	3-Major		Root's crontab file may become empty
807945-1	3-Major		Loading UCS file for the first time not updating MCP DB
807337-4	3-Major		Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
806985-2	3-Major		Installation issues when adding new blade v12.1.3 to VPR cluster v14.1.0.1 EHF★
806881-1	3-Major		Loading the configuration may not set the virtual server enabled status correctly
806073-2	3-Major		MySQL monitor fails to connect to MySQL Server v8.0
804477-5	3-Major		Log HSB registers when parts of the device becomes unresponsive
804273-2	3-Major		TMM is unable to redirect RRDAG'd traffic
803833-5	3-Major		On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host★
803457-1	3-Major		SNMP custom stats cannot access iStats
803237-3	3-Major		PVA does not validate interface MTU when setting MSS
803157-2	3-Major		LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots
802889-2	3-Major		Problems establishing HA connections on DAGv2 chassis platforms
802281-2	3-Major		Gossip shows active even when devices are missing
799001-2	3-Major		Sflow agent does not handle disconnect from SNMPD manager correctly
798885-3	3-Major		SNMP response times may be long due to processing burden of requests
797829-1	3-Major		The BIG-IP system may fail to deploy new or reconfigure existing iApps
796985-2	3-Major		Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'★
795685-1	3-Major		Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer
795649-4	3-Major		Loading UCS from one iSeries model to another causes FPGA to fail to load
791365-1	3-Major		Bad encryption password error on UCS save
791061-1	3-Major		Config load in /Common removes routing protocols from other partitions
789181-4	3-Major		Link Status traps are not issued on VE based BIG-IP systems
788949-2	3-Major		MySQL Password Initialization Loses Already Written Password
788645-1	3-Major		BGP does not function on static interfaces with vlan names longer than 16 characters.
783293-2	3-Major		Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window
782613-6	3-Major		Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp
781733-1	3-Major		SNMPv3 user name configuration allows illegal names to be entered
778513-2	3-Major		APM intermittently drops log messages for per-request policies
778041-2	3-Major		tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)
776489-1	3-Major		Remote authentication attempts to resolve only LDAP host against the first three name servers configured.
775733-3	3-Major		/etc/qkview_obfuscate.conf not synced across blades
773577-1	3-Major		SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
773333-1	3-Major		IPsec CLI help missing encryption algorithm descriptions
772497-6	3-Major		When BIG-IP is configured to use a proxy server, updatecheck fails
772117-5	3-Major		Overwriting FIPS keys from the HA peer with older config leads to abandoned key on FIPS card
769029-4	3-Major		Non-admin users fail to create tmp dir under /var/system/tmp/tmsh
767737-1	3-Major		Timing issues during startup may make an HA peer stay in the inoperative state
767341-2	3-Major		If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
767305-1	3-Major		If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
762097-2	3-Major		No swap memory available after upgrading to v14.1.0 and above★
761753-1	3-Major		BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs
761321-1	3-Major		'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not
759564-3	3-Major		GUI not available after upgrade
759258-1	3-Major		Instances shows incorrect pools if the same members are used in other pools
759172-2	3-Major		Read Access Denied: user (gu, guest) type (Certificate Order Manager)
756139-2	3-Major		Inconsistent logging of hostname files when hostname contains periods
755197-4	3-Major		UCS creation might fail during frequent config save transactions
754335-2	3-Major		Install ISO does not boot on BIG-IP VE★
753860-4	3-Major		Virtual server config changes causing incorrect route injection.
752228-4	3-Major		GUI Network Map to account for objects in a Disabled By Parent state
751581-4	3-Major		REST API Timeout while queriying large number of persistence profiles
751021-5	3-Major		One or more TMM instances may be left without dynamic routes.
746861-2	3-Major		SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★
746758-2	3-Major		Qkview produces core file if interrupted while exiting
743803-6	3-Major		IKEv2 potential double free of object when async request queueing fails
743234-5	3-Major		Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons
730852-2	3-Major		The tmrouted repeatedly crashes and produces core when new peer device is added
726416-4	3-Major		Physical disk HD1 not found for logical disk create
721740-1	3-Major		CPU stats are not correctly recorded when snapshot files have timestamps in the future
721020-5	3-Major		Changes to the master key are reverted after full sync
719555-4	3-Major		Interface listed as 'disable' after SFP insertion and enable
718405-4	3-Major		RSA signature PAYLOAD_AUTH mismatch with certificates
718230-7	3-Major		Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented
718108-4	3-Major		It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts
715379-4	3-Major		IKEv2 accepts asn1dn for peers-id only as file path of certificate file
714216-3	3-Major		Folder in a partition may result in load sys config error
703090-2	3-Major		With many iApps configured, scriptd may fail to start
692218-2	3-Major		Audit log messages sent from the primary blade to the secondaries should not be logged.
688231-5	3-Major		Unable to set VET, AZOT, and AZOST timezones
677683	3-Major		Unexpected LOP reset
671372-6	3-Major	K01930721	When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
662301-3	3-Major		'Unlicensed objects' error message appears despite there being no unlicensed config
601220-2	3-Major		Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
587821-9	3-Major		vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
569859-6	3-Major		Password policy enforcement for root user when mcpd is not available
508302-6	3-Major		Auto-sync groups may revert to full sync
499348-10	3-Major		System statistics may fail to update, or report negative deltas due to delayed stats merging
431503-7	3-Major	K14838	TMSH crashes in rare initial tunnel configurations
385013-3	3-Major		Certain user roles do not trigger a sync for a 'modify auth password' command
291256-1	3-Major		Changing 'Minimum Length' and 'Required Characters' might result in an error
919745-3	4-Minor		CSV files downloaded from the Dashboard have the first row with all 'NaN
918209-2	4-Minor		GUI Network Map icons color scheme is not section 508 compliant
915141-3	4-Minor		Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'
914761-2	4-Minor		Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.
906449-3	4-Minor		Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load
906161	4-Minor		Unexpected reboot when system handles large numbers of EDAC/MCE logs
902417-3	4-Minor		Configuration error caused by Drafts folder in a deleted custom partition★
901985-5	4-Minor		Extend logging for incomplete HTTP requests
901669-3	4-Minor		Error status in "show cm failover-status" after MGMT-IP change
899097-1	4-Minor		Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking★
896693-3	4-Minor		Patch installation is failing for iControl REST endpoint.
896689-3	4-Minor		Asynchronous tasks can be managed via unintended endpoints
893813-2	4-Minor		Modifying pool enables address and port translation in TMUI
893093-3	4-Minor		An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.
892677-5	4-Minor		Loading config file with imish adds the newline character
887505-2	4-Minor		Coreexpiration script improvement
882713-4	4-Minor		BGP SNMP trap has the wrong sysUpTime value
879189-2	4-Minor		Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section
869237-4	4-Minor		Management interface might become unreachable when alternating between DHCP/static address assignment.
858549-5	4-Minor		GUI does not allow IPv4-Mapped IPv6 Address to be assigned to self IPs
857045-2	4-Minor		LDAP system authentication may stop working
853101-1	4-Minor		ERROR: syntax error at or near 'FROM' at character 17
851393-2	4-Minor		Tmipsecd leaves a zombie rm process running after starting up
848681-6	4-Minor		Disabling the LCD on a VIPRION causes blade status lights to turn amber
846521-6	4-Minor		Config script does not refresh management address entry properly when alternating between dynamic and static
838925-6	4-Minor		Rewrite URI translation profile can cause connection reset while processing malformed CSS content
832665-3	4-Minor		The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5
831293-4	4-Minor		SNMP address-related GET requests slow to respond.
828625-2	4-Minor		User shouldn't be able to configure two identical traffic selectors
826297-2	4-Minor		Address list as source/destination for virtual server cannot be changed from tmsh
826189-1	4-Minor		The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.
824205-2	4-Minor		GUI displays error when a virtual server is modified if it is using an address-list
822253-2	4-Minor		After starting up, mcpd may have defunct child "run" and "xargs" processes
819429-4	4-Minor		Unable to scp to device after upgrade: path not allowed
819421-4	4-Minor		Unable to scp/sftp to device after upgrade★
818737-2	4-Minor		Improve error message if user did not select a address-list or port list in the GUI
818297-2	4-Minor		OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure
816353-2	4-Minor		Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1
805325-4	4-Minor		tmsh help text contains a reference to bigpipe, which is no longer supported
795429-4	4-Minor		Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks.
776393-1	4-Minor		Memory leak in restjavad causing restjavad to restart frequently with OOM
774617-2	4-Minor		SNMP daemon reports integer truncation error for values greater than 32 bits
759993-1	4-Minor		'License verification failed' errors occur when changing license
759606-1	4-Minor		REST error message is logged every five minutes on vCMP Guest
759590-5	4-Minor		Creation of RADIUS authentication fails with service types other than 'authenticate only'
757167-2	4-Minor		TMM logs 'MSIX is not supported' error on vCMP guests
755317-2	4-Minor		/var/log logical volume may run out of space due to agetty error message in /var/log/secure
751103-3	4-Minor		TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop
724994-5	4-Minor		API requests with 'expandSubcollections=true' are very slow
713614-2	4-Minor		Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)
712241-4	4-Minor		A vCMP guest may not provide guest health stats to the vCMP host
675911-7	4-Minor	K13272442	Different sections of the WebUI can report incorrect CPU utilization
673573-2	4-Minor		tmsh logs boost assertion when running child process and reaches idle-timeout
583084-7	4-Minor	K15101680	iControl produces 404 error while creating records successfully
818777-1	5-Cosmetic		MCPD error - Trouble allocating MAC address for VLAN object
769145-1	5-Cosmetic		Syncookie threshold warning is logged when the threshold is disabled
761621-1	5-Cosmetic		Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"
714176-2	5-Cosmetic		UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed

Local Traffic Manager Issues

ID Number	Severity	Solution Article(s)	Description
912289-2	2-Critical		Cannot roll back after upgrading on certain platforms★
910653-4	2-Critical		iRule parking in clientside/serverside command may cause tmm restart
910213-3	2-Critical		LB::down iRule command is ineffective, and can lead to inconsistent pool member status
908873-2	2-Critical		Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core
908621-1	2-Critical		Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core
901033-3	2-Critical		TCP::respond causing memory exhaustion issue when send buffer overwhelmed available TCP window
886045-3	2-Critical		Multi-nic instances fail to come up when trying to use memory mapped virtio device
879409-4	2-Critical		TMM core with mirroring traffic due to unexpected interface name length
876801-4	2-Critical		Tmm crash: invalid route type
851857-2	2-Critical		HTTP 100 Continue handling does not work when it arrives in multiple packets
851581-2	2-Critical		Server-side detach may crash TMM
851385-3	2-Critical		Failover takes too long when traffic blade failure occurs
846217-2	2-Critical		Translucent vlan-groups set local bit in destination MAC address
842937-5	2-Critical		TMM crash due to failed assertion 'valid node'
841469-5	2-Critical		Application traffic may fail after an internal interface failure on a VIPRION system.
837617-2	2-Critical		Tmm may crash while processing a compression context
835505-6	2-Critical		Tmsh crash potentially related to NGFIPS SDK
831161-1	2-Critical		An iRule before HTTP_REQUEST calling persist none can crash tmm
824437-1	2-Critical		Chaining a standard virtual server and an ipother virtual server together can crash TMM.
812269-2	2-Critical		TMM might crash with traffic while deleting a pool member
811161-3	2-Critical		Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992
807857-1	2-Critical		TMM can leak memory under specific traffic and iRule configurations.
803845	2-Critical		When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown
799649-1	2-Critical		TMM crash
788813-2	2-Critical		TMM crash when deleting virtual-wire config
758491-2	2-Critical		When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
726900-2	2-Critical		Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters
726518-2	2-Critical		Tmsh show command terminated with CTRL-C can cause TMM to crash.
705768-3	2-Critical		dynconfd may core and restart with multiple DNS name servers configured
663925-2	2-Critical		Virtual server state not updated with pool- or node-based connection limiting
625807-4	2-Critical		tmm cored in bigproto_cookie_buffer_to_server
474797-3	2-Critical		Nitrox crypto hardware may attempt soft reset while currently resetting
926757-4	3-Major		ICMP traffic to a disabled virtual-address might be handled by a virtual-server.
922641-3	3-Major		Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow
920285-1	3-Major		WS::disconnect may result in TMM crash under certain conditions
919257-2	3-Major		TMM can crash while passing VPN traffic
918277-3	3-Major		Slow Ramp does not take into account pool members' ratio weights
915689-3	3-Major		HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
915605-5	3-Major		Image install fails if iRulesLX is provisioned and /usr mounted read-write★
915281-5	3-Major		Do not rearm TCP Keep Alive timer under certain conditions
913249-3	3-Major		Restore missing UDP statistics
912517-3	3-Major		MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
912425-2	3-Major		Modification of in-tmm monitors may result in crash
912293-2	3-Major		Persistence might not work properly on virtual servers that utilize address lists
910673-3	3-Major		Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'
910273-3	3-Major		SSL Certificate version always displays as '1' in the GUI
910105-3	3-Major		Partial HTTP/2 payload may freeze on the BIG-IP system
909997-4	3-Major		Virtual server status displays as unavailable when it is accepting connections
909757-2	3-Major		HTTP CONNECT method with a delayed payload can cause a connection to be closed
909677-3	3-Major		HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted
907177-3	3-Major		Priority of embedded APM iRules is ignored
905477-3	3-Major		The sdmd daemon cores during config sync when multiple devices configured for iRules LX
904625-3	3-Major		Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices go out of sync
903581-3	3-Major		The pkcs11d process cannot recover under certain error condition
902377-1	3-Major		HTML profile forces re-chunk even though HTML::disable
901929-3	3-Major		GARPs not sent on virtual server creation
898733-2	3-Major		SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM
898685-3	3-Major		Order of ciphers changes after updating cipher group
897185-3	3-Major		Resolver cache not using random port distribution
896245-2	3-Major		Inconsistency is observed in ARP behavior across releases
895205-3	3-Major		A circular reference in rewrite profiles causes MCP to crash
895165-3	3-Major		Traffic-matching-criteria with "any" protocol overlaps with explicit protocols
893281-4	3-Major		Possible ssl stall on closed client handshake
892801-3	3-Major		When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"
892485-4	3-Major		A wrong OCSP status cache may be looked up and re-used during SSL handshake.
892073-2	3-Major		TLS1.3 LTM policy rule based on SSL SNI is not triggered
891373-3	3-Major		BIG-IP does not shut a connection for a HEAD request
891145-4	3-Major		TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal
890229-2	3-Major		Source port preserve setting is not honoured
889165-2	3-Major		"http_process_state_cx_wait" errors in log and connection reset
888113-2	3-Major		HUDEVT_CALLBACK is queued after HUDCTL_ABORT in HTTP-MR proxy
887045-3	3-Major		The session key does not get mirrored to standby.
885325-3	3-Major		Stats might be incorrect for iRules that get executed a large number of times
883049-3	3-Major		Statsd can deadlock with rrdshim if an rrd file is invalid
882725-4	3-Major		Mirroring not working properly when default route vlan names not match.
881065-4	3-Major		Adding port-list to Virtual Server changes the route domain to 0
881041-2	3-Major		BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.
879413-2	3-Major		Statsd fails to start if one or more of its *.info files becomes corrupted
878925-1	3-Major		SSL connection mirroring failover at end of TLS handshake
878405	3-Major		Intermittent core on BIG-IP 5000-series platforms configured for vCMP
878253-2	3-Major		LB::down no longer sends an immediate monitor probe
876741	3-Major		Intermittent core on BIG-IP 5000-series platforms configured for vCMP
876145-4	3-Major		Nitrox5 failure on vCMP guest results in all crypto requests failing.
874877-2	3-Major		Bigd http monitor shows misleading 'down' reason when recv does not match
874317-2	3-Major		Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN
873677-6	3-Major		LTM policy matching does not work as expected
872981-2	3-Major		MCP crashes when deleting a virtual server and its traffic-matching-criteria in the same transaction
872721-2	3-Major		SSL connection mirroring intermittent failure with TLS1.3
870309-2	3-Major		Ephemeral pool member not created when FQDN resolves to new IP address
868889-1	3-Major		BIG-IP may reset a stream with an empty DATA frame as END_STREAM
868209-2	3-Major		Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection
868033-2	3-Major		SSL option "passive-close" option is unused and should be removed
867985-3	3-Major		LTM policy with a 'shutdown' action incorrectly allows iRule execution
864649-3	3-Major		The client-side connection of a dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table
863165-2	3-Major		Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
862597-6	3-Major		Improve MPTCP's SYN/ACK retransmission handling
862069-2	3-Major		Using non-standard HTTPS and SSH ports fails under certain conditions
862001-2	3-Major		Improperly configured NTP server can result in an undisciplined clock stanza
860277-3	3-Major		Default value of TCP Profile Proxy Buffer High Low changed in 14.1
860005-2	3-Major		Ephemeral nodes/pool members may be created for wrong FQDN name
858701-2	3-Major		Running config and saved config are having different route-advertisement values after upgrading from v12.1.x★
857845-7	3-Major		ASSERTs in hudproxy_tcp_repick() converted into an OOPS
854129-3	3-Major		SSL monitor continues to send client certificate after changes
852873-3	3-Major		Proprietary Multicast PVST+ packets are forwarded instead of dropped
852325-2	3-Major		HTTP2 does not support Global SNAT
851477-2	3-Major		Memory allocation failures during proxy initialization are ignored leading to TMM cores
851101-3	3-Major		Unable to establish active FTP connection with custom FTP filter
851045-2	3-Major		LTM database monitor may hang when monitored DB server goes down
850873-2	3-Major		LTM global SNAT sets TTL to 255 on egress.
850349-2	3-Major		Incorrect MAC when virtual wire is configured with FastL4
850145-2	3-Major		Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
848777-2	3-Major		Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.
846977-2	3-Major		TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★
846873-6	3-Major		Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure
846441-3	3-Major		Flow-control is reset to default for secondary blade's interface
845333-5	3-Major		An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
844421-1	3-Major		Cipher ordering in cipher rules can be wrong
843317-2	3-Major		The iRules LX workspace imported with incorrect SELinux contexts
842517	3-Major		CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails
842425-2	3-Major		Mirrored connections on standby are never removed in certain configurations
842137-4	3-Major		Keys cannot be created on module protected partitions when strict FIPS mode is set
841369-2	3-Major		HTTP monitor GUI displays incorrect green status information
841341-5	3-Major		IP forwarding virtual server does not pick up any traffic if destination address is shared.
840785-2	3-Major		Update documented examples for REST::send to use valid REST endpoints
838353-2	3-Major		MQTT monitor is not working in route domain.
836661-1	3-Major		Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.
832133-2	3-Major		In-TMM monitors fail to match certain binary data in the response from the server.
828601-2	3-Major		IPv6 Management route is preferred over IPv6 tmm route
827441	3-Major		Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail
826349-1	3-Major		VXLAN tunnel might fail due to misbehaving NIC checksum offload
825245-3	3-Major		SSL::enable does not work for server side ssl
824433-2	3-Major		Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile
823921-1	3-Major		FTP profile causes memory leak
823825-6	3-Major		Renaming HA VLAN can disrupt state-mirror connection
820333-2	3-Major		LACP working member state may be inconsistent when blade is forced offline
818853-2	3-Major		Duplicate MAC entries in FDB
818833-2	3-Major		TCP re-transmission during SYN Cookie activation results in high latency
818789-6	3-Major		Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile
818109-2	3-Major		Certain plaintext traffic may cause SSL Orchestrator to hang
818097-5	3-Major		Plane CPU stats too high after primary blade failover in multi-blade chassis
815089-2	3-Major		On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations
812693	3-Major		Connection in FIN_WAIT_2 state may fail to be removed
810821-2	3-Major		Management interface flaps after rebooting the device
810533-3	3-Major		SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
810445-1	3-Major		PEM: ftp-data not classified or reported
809597-4	3-Major		Memory leak in icrd_child observed during REST usage
808017-1	3-Major		When using a variable as the only parameter to the iRule persist command, the iRule validation fails
803629-1	3-Major		SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
803233-2	3-Major		Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
803109-1	3-Major		Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows
801549-2	3-Major		Persist records do not expire properly if mirroring is configured incorrectly
801541-1	3-Major		Persist records do not expire properly if HA peer is unavailable
801497	3-Major		Virtual wire with LACP pinning to one link in trunk.
796993-5	3-Major		Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
795933-1	3-Major		A pool member's cur_sessions stat may incorrectly not decrease for certain configurations
795501-4	3-Major		Possible SSL crash during config sync
795025-1	3-Major		Ssl_outerrecordtls1_0 config option is not honored
794505-4	3-Major		OSPFv3 IPv4 address family route-map filtering does not work
794417-3	3-Major		Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not
793669-2	3-Major		FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value
790845-3	3-Major		An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
788753-3	3-Major		GATEWAY_ICMP monitor marks node down with wrong error code
788741-1	3-Major		TMM cores in the MQTT proxy under rare conditions
787973-2	3-Major		Potential memory leak when software crypto request is canceled.
787853-1	3-Major		BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps.
786517-4	3-Major		Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
785877-3	3-Major		VLAN groups do not bridge non-link-local multicast traffic.
785701-2	3-Major		Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile
783617-2	3-Major		Virtual Server resets connections when all pool members are marked disabled
783145-5	3-Major		Pool gets disabled when one of its pool member with monitor session is disabled
781849-1	3-Major		On-Demand Certificate Authentication agent for Per-Request Policy does not work with multiple Client SSL profiles that have the 'Default SSL Profile for SNI' option disabled and assigned to a single Virtual Server
781753-2	3-Major		WebSocket traffic is transmitted with unknown opcodes
781041-2	3-Major		SIP monitor in non default route domain is not working.
779137-1	3-Major		Using a source address list for a virtual server does not preserve the destination address prefix
778841-1	3-Major		Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother
778517-3	3-Major	K91052217	Large number of in-TMM monitors results in delayed processing
778501	3-Major		LB_FAILED does not fire on failure of HTTP/2 server connection establishment
776229-1	3-Major		iRule 'pool' command no longer accepts pool members with ports that have a value of zero
773229-1	3-Major		Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances
770477-1	3-Major		SSL aborted when client_hello includes both renegotiation info extension and SCSV
767217-1	3-Major		Under certain conditions when deleting an iRule, an incorrect dependency error is seen
766593-2	3-Major		RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
763093-4	3-Major		LRO packets are not taken into account for ifc_stats (VLAN stats)
761389-2	3-Major		Disabled Virtual Server Dropping the Virtual Wire traffic
760406-2	3-Major		HA connection might stall on Active device when the SSL session cache becomes out-of-sync
760050-1	3-Major		cwnd warning message in log
758655-3	3-Major		TMC does not allow inline addresses with non-zero Route-domain.
758041-2	3-Major		Pool Members may not be updated accurately when multiple identical database monitors configured
757029-1	3-Major		Ephemeral pool members may not be created after config load or reboot
756313-1	3-Major		SSL monitor continues to mark pool member down after restoring services
755791-1	3-Major		UDP monitor not behaving properly on different ICMP reject codes.
750705-1	3-Major		LTM logs are filled with error messages while creating/deleting virtual wire configuration
738045-6	3-Major		HTTP filter complains about invalid action in the LTM log file.
724824-2	3-Major		Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
720440-5	3-Major		Radius monitor marks pool members down after 6 seconds
718790-4	3-Major		Traffic does not forward to fallback host when all pool members are marked down
718288-1	3-Major		MCPD might crash on secondary blades when DNSSEC client-facing SOA zone serial not updated
717346-6	3-Major	K13040347	[WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
714642-3	3-Major		Ephemeral pool-member state on the standby is down
714502-1	3-Major		bigd restarts after loading a UCS for the first time
710930-4	3-Major		Enabling BigDB key bigd.tmm may cause SSL monitors to fail
709381-3	3-Major		iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.
705387-2	3-Major		HTTP/2, ALPN and SSL
705112-5	3-Major		DHCP server flows are not re-established after expiration
700639-3	3-Major		The default value for the syncookie threshold is not set to the correct value
696755-4	3-Major		HTTP/2 may truncate a response body when served from cache
646440-6	3-Major		TMSH allows mirror for persistence even when no mirroring configuration exists
636842-4	3-Major	K51472519	A FastL4 virtual server may drop a FIN packet when mirroring is enabled
601189-5	3-Major		The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
505037-6	3-Major	K01993279	Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
922005-4	4-Minor		Stats on a certain counter for web-acceleration profile may show excessive value
921477-3	4-Minor		Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup.
916485-1	4-Minor		Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object
898753-4	4-Minor		Multicast control-plane traffic requires handling with AFM policies
898201-3	4-Minor		Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.
895153-1	4-Minor		HTTP::has_responded returns incorrect values when using HTTP/2
880697-2	4-Minor		URI::query command returning fragment part, instead of query part
869565-3	4-Minor		Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN
869553-4	4-Minor		HTTP2::disable fails for server side allowing HTTP/2 traffic
859113-2	4-Minor		Using "reject" iRules command inside "after" may causes core
858309-2	4-Minor		Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart
844337-3	4-Minor		Tcl error log improvement for node command
839245-2	4-Minor		IPother profile with SNAT sets egress TTL to 255
838405-2	4-Minor		Listener traffic-group may not be updated properly when spanning is in use.
838305-6	4-Minor		BIG-IP may create multiple connections for packets that should belong to a single flow.
834217-6	4-Minor		Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
832233-2	4-Minor		The iRule regexp command issues an incorrect warning
822245-3	4-Minor		Large number of in-TMM monitors results in some monitors being marked down
818721-2	4-Minor		Virtual address can be deleted while it is in use by an address-list.
814037-5	4-Minor		No virtual server name in Hardware Syncookie activation logs.
802721-3	4-Minor		Virtual Server iRule does not match an External Data Group key that's 128 characters long
801705-5	4-Minor		When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
791337-2	4-Minor		Traffic matching criteria fails when using shared port-list with virtual servers
774261-2	4-Minor		PVA client-side current connections stat does not decrease properly
773253-4	4-Minor		The BIG-IP may send VLAN failsafe probes from a disabled blade
772297-1	4-Minor		LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
760590-4	4-Minor		TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server
751586-4	4-Minor		Http2 virtual does not honour translate-address disabled
898929-3	5-Cosmetic		Tmm might crash when ASM, AVR, and pool connection queuing are in use
897437-4	5-Cosmetic		First retransmission might happen after syn-rto-base instead of minimum-rto.
873249-2	5-Cosmetic		Switching from fast_merge to slow_merge can result in incorrect tmm stats

Performance Issues

ID Number	Severity	Solution Article(s)	Description
813609-1	2-Critical		Multpile process consumer more memory with multiple components provisioned and causing RAM usage grow during traffic testing.

Global Traffic Manager (DNS) Issues

ID Number	Severity	Solution Article(s)	Description
918597-7	2-Critical		Under certain conditions, deleting a topology record can result in a crash.
905557-2	2-Critical		Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure
788465-1	2-Critical		DNS cache idx synced across HA group could cause tmm crash
744743-3	2-Critical		Rolling DNSSEC Keys may stop generating after BIG-IP restart
921625-3	3-Major		The certs extend function does not work for GTM/DNS sync group
921549-5	3-Major		The gtmd process does not receive updates from local big3d.
920817-5	3-Major		DNS Resource Records can be lost in certain circumstances
913917-3	3-Major		Unable to save UCS
912761-3	3-Major		Link throughput statistics are different
911241-5	3-Major		The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
903521-3	3-Major		TMM fails to sign responses from BIND when BIND has "dnssec-enable no"
899253-5	3-Major		[GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
898093-1	3-Major		Removing one member from a WideIP removes it from all WideIPs.
894081-3	3-Major		The Wide IP members view in the WebUI may report the incorrect status for a virtual server.
890285-1	3-Major		DNS resolver cannot forward DNS query to local IPv6 virtual server
880125-4	3-Major		WideIP (A) created together with aliases (CNAME) causes missing A records in ZoneRunner
879301-2	3-Major		When importing a BIND zone file, SRV/DNAME/NAPTR RRs do not have correct $ORIGIN appended
874221-2	3-Major		DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd
872037-1	3-Major		DNS::header rd does not set the Recursion desired
869361-2	3-Major		Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated
858973-2	3-Major		DNS request matches less specific WideIP when adding new wildcard wideips
852101-2	3-Major		Monitor fails.
844689-2	3-Major		Possible temporary CPU usage increase with unusually large named.conf file
835209-2	3-Major		External monitors mark objects down
813221-2	3-Major		Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync
803645-4	3-Major		GTMD daemon crashes
800265-3	3-Major		Undefined subroutine in bigip_add_appliance_helper message
789421-3	3-Major		Resource-administrator cannot create GTM server object through GUI
783849-1	3-Major		DNSSEC Key Generations are not imported to secondary FIPS card
781985-3	3-Major		DNSSEC zone SEPS records may be wiped out from running configuration
781829-5	3-Major		GTM TCP monitor does not check the RECV string if server response string not ending with \n
779793-1	3-Major		[LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor
779769-1	3-Major		[LC] [GUI] destination cannot be modified for bigip-link monitors
778365-3	3-Major		dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
774481-1	3-Major		DNS Virtual Server creation problem with Dependency List
769385-2	3-Major		GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message
760835-3	3-Major		Static generation of rolling DNSSEC keys may be missing when the key generator is changed
760833-3	3-Major		BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner
760615-1	3-Major		Virtual Server discovery may not work after a GTM device is removed from the sync group
726164-3	3-Major		Rolling DNSSEC Keys can stop regenerating after a length of time on the standby system
665117-6	3-Major	K33318158	DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
889801-2	4-Minor		Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE.
886145-3	4-Minor		The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS WebUI.
885869-3	4-Minor		Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime
839361-5	4-Minor		iRule 'drop' command does not drop packets when used in DNS_RESPONSE
790113-1	4-Minor		Cannot remove all wide IPs from GTM distributed application via iControl REST
775801-1	4-Minor		[GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener
744280-4	4-Minor		Enabling or disabling a Distributed Application results in a small memory leak
774257-3	5-Cosmetic		tmsh show gtm pool and tmsh show gtm wideip print duplicate object types

Application Security Manager Issues

ID Number	Severity	Solution Article(s)	Description
868641-2	2-Critical		Possible TMM crash when disabling bot profile for the entire connection
865981-2	2-Critical		ASM GUI and REST become unresponsive upon license change
865461-2	2-Critical		BD crash on specific scenario
865289-2	2-Critical		TMM crash following DNS resolve with Bot Defense profile
857677-2	2-Critical		Security policy changes are applied automatically after asm process restart
854001-3	2-Critical		TMM might crash in case of trusted bot signature and API protected url
852437-2	2-Critical	K25037027	Overly aggressive file cleanup causes failed ASU installation
843801-3	2-Critical		Like-named previous Signature Update installations block Live Update usage after upgrade★
825413-3	2-Critical		/var/lib/mysql disk is full
813945-4	2-Critical		PB core dump while processing many entities
803813-1	2-Critical		TMM may experience high latency when processing WebSocket traffic
790349-3	2-Critical		merged crash with a core file
923221-3	3-Major		BD does not use all the CPU cores
922261-3	3-Major		Websocket server messages are logged even it is not configured
921665	3-Major		Policy Signatures: updating a filtered list causes all signatures to be updated
920197-5	3-Major		Brute force mitigation can stop mitigating without a notification
907337-3	3-Major		BD crash on specific scenario
907025-2	3-Major		Live update error" 'Try to reload page'
903357-5	3-Major		Bot defense Profile list is loads too slow when there are 750 or more Virtual servers
901061-3	3-Major		Safari browser might be blocked when using Bot Defense profile and related domains.
898825-3	3-Major		Attack signatures are enforced on excluded headers under some conditions
898741-3	3-Major		Missing critical files causes FIPS-140 system to halt upon boot
893061-3	3-Major		Out of memory for restjavad
892653-3	3-Major		Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
891181-3	3-Major		Wrong date/time treatment in logs in Turkey/Istambul timezone
888289-2	3-Major		Add option to skip percent characters during normalization
882377-2	3-Major		ASM Application Security Editor Role User can update/install ASU
880789-2	3-Major		ASMConfig Handler undergoes frequent restarts
874753-2	3-Major		Filtering by Bot Categories on Bot Requests Log shows 0 events
868721-2	3-Major		Transactions are held for a long time on specific server related conditions
868053-2	3-Major		Live Update service indicates update available when the latest update was already installed
867825-3	3-Major		Export/Import on a parent policy leaves children in an inconsistent state
867373-3	3-Major		Methods Missing From ASM Policy
864677-2	3-Major		ASM causes high mcpd CPU usage
863609-3	3-Major		Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies
862793-2	3-Major		ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation
862413-2	3-Major		Broken layout in Threat Campaigns and Brute Force Attacks pages
857633-1	3-Major		Attack Type (SSRF) appears incorrectly in REST result
854177-4	3-Major		ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
853989-2	3-Major		DOSL7 Logs breaks CEF connector by populating strings into numeric fields
850677-3	3-Major		Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
849349-4	3-Major		Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db
848757-2	3-Major		Link between 'API protection profile' and 'Security Policy' is not restored after UCS upload
846181-4	3-Major		Request samples for some of the learning suggestions are not visible
846057-4	3-Major		UCS backup archive may include unnecessary files
845933-2	3-Major		Unused parameters remain after modifying the swagger file of a policy
833685-4	3-Major		Idle async handlers can remain loaded for a long time doing nothing
831661-1	3-Major		ASMConfig Handler undergoes frequent restarts
824101-3	3-Major		Request Log export file is not visible for requests including binary data
824037-1	3-Major		Bot Defense whitelists do not apply for IP 'Any' when using route domains
809125-1	3-Major		CSRF false positive
805353-2	3-Major		ASM reporting for WebSocket frames has empty username field
799749-3	3-Major		Asm logrotate fails to rotate
795965	3-Major		BIG-IP does not close connection after deception blocking response page is sent
793149-4	3-Major		Adding the Strict-transport-Policy header to internal responses
793017-2	3-Major		Files left behind by failed Attack Signature updates are not cleaned
792569-1	3-Major		Security URL name created from swagger file starts with double '/'
792341-1	3-Major		Google Analytics shows incorrect stats.
786913-1	3-Major		Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7
783165-2	3-Major		Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile
781021-1	3-Major		ASM modifies cookie header causing it to be non-compliant with RFC6265
767057-1	3-Major		In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server
742549-4	3-Major		Cannot create non-ASCII entities in non-UTF ASM policy using REST
640842-4	3-Major		ASM end user using mobile might be blocked when CSRF is enabled
887625-2	4-Minor		Note should be bold back, not red
882769-2	4-Minor		Request Log: wrong filter applied when searching by Response contains or Response does not contain
882729-2	4-Minor		Applied Blocking Masks discrepancy between local/remote event log
879777-2	4-Minor		Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge
875373-5	4-Minor		Unable to add domain with leading '.' through webUI, but works with tmsh.
864989-1	4-Minor		Remote logger violation_details field content appears as "N/A" when violations field is not selected.
850633-2	4-Minor		Policy with % in name cannot be exported
841985-4	4-Minor		TSUI GUI stuck for the same session during long actions
824093-4	4-Minor		Parameters payload parser issue
756998-2	4-Minor		DoSL7 Record Traffic feature is not recording traffic

Application Visibility and Reporting Issues

ID Number	Severity	Solution Article(s)	Description
812993-2	1-Blocking		Monpd process consumes considerable amount of RAM on systems with many virtual servers
828937-2	2-Critical	K45725467	Some systems can experience periodic high IO wait due to AVR data aggregation
924945-2	3-Major		Fail to detach HTTP profile from virtual server
913085-3	3-Major		Avrd core when avrd process is stopped or restarted
908065-3	3-Major		Logrotation for /var/log/avr blocked by files with .1 suffix
898333-3	3-Major		Avrd logs errors while DCD is restarting
869049-5	3-Major		Charts discrepancy in AVR reports
838685-3	3-Major		DoS report exist in per-widget but not under individual virtual
808801-3	3-Major		AVRD crash when configured to send data externally
805817-3	3-Major		Distributed reports fail when management address is used for config sync in a device group
697421-2	3-Major		Monpd core when trying to restart
648242-5	3-Major	K73521040	Administrator users unable to access all partition via TMSH for AVR reports

Access Policy Manager Issues

ID Number	Severity	Solution Article(s)	Description
904441-3	2-Critical		APM vs_score for GTM-APM load balancing is not calculated correctly
903905-1	2-Critical		Default configuration of security mechanism causes memory leak in TMM
891505-2	2-Critical		TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.
886729-1	2-Critical		Intermittent TMM crash in per-request-policy allow-ending agent
882545-2	2-Critical		Multiple rate-limiting agents sharing the same rate-limiting key config may not function properly
879401-2	2-Critical		Memory corruption during APM SAML SSO
838861-1	2-Critical		TMM might crash once after upgrading SSL Orchestrator★
789085-4	2-Critical		When executing the ACCESS::session iRule command under a serverside event, tmm may crash
783233-3	2-Critical		OAuth puts quotation marks around claim values that are not string type
579219-4	2-Critical		Access keys missing from SessionDB after multi-blade reboot.
925573-1	3-Major		SIGSEGV: receiving a sessiondb callback response after the flow is aborted
924697-3	3-Major		VDI data plane performance degraded during frequent session statistic updates
918053-2	3-Major		[Win][EdgeClient] 'Enable Always Connected mode' is checked for all connectivity profiles with same Parent profile.
915509-2	3-Major		RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true
884797-3	3-Major		Portal Access: in some cases data is not delivered via WebSocket connection
883577-3	3-Major		ACCESS::session irule command does not work in HTTP_RESPONSE event
874529	3-Major		APM: Incorrect messages on logout page
844573-2	3-Major		Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.
842149-1	3-Major		Verified Accept for SSL Orchestrator
821369-1	3-Major		Incomplete Action 'Deny' does not take effect for HTTP-Connect
773309-1	3-Major		API Profile: Real swagger can not be loaded with "transaction failed:incomplete command" error message
771961-2	3-Major		While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core
771905-3	3-Major		JWT token rejected due to unknown JOSE header parameters
738865-2	3-Major		MCPD might enter into loop during APM config validation
547692	3-Major		Firewall-blocked KPASSWD service does not cause domain join operation to fail
470916-2	3-Major		Using native View clients, cannot launch desktops and applications from multiple VMware back-ends
833049-1	4-Minor		Category lookup tool in GUI may not match actual traffic categorization
819233-4	4-Minor		Ldbutil utility ignores '--instance' option if '--list' option is specified
766761-1	4-Minor		Ant-server does not log requests that are excluded from scanning
766017-3	4-Minor		[APM][LocalDB] Local user database instance name length check inconsistencies
719589-1	4-Minor		GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic

WebAccelerator Issues

ID Number	Severity	Solution Article(s)	Description
900825-1	3-Major		WAM image optimization can leak entity reference when demoting to unoptimized image
890573-1	3-Major		BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart
890401-1	3-Major		Restore correct handling of small object when conditions to change cache type is satisfied
792045-2	3-Major		Prevent WAM cache type change for small objects
489960-5	4-Minor		Memory type stats is incorrect

Service Provider Issues

ID Number	Severity	Solution Article(s)	Description
814097-1	2-Critical		Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
781725-1	2-Critical		BIG-IP systems might not complete a short ICAP request with a body beyond the preview
766405-1	2-Critical		MRF SIP ALG with SNAT: Fix for potential crash on next-active device
921441-1	3-Major		MR_INGRESS iRules that change diameter messages corrupt diam_msg
917637-3	3-Major		Tmm crash with ICAP filter
908477-3	3-Major		Request-adapt plus request-logging causes HTTP double-chunking in an ICAP request
898997-3	3-Major		GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
895801-3	3-Major		Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted
891385-3	3-Major		Add support for URI protocol type "urn" in MRF SIP load balancing
853545-2	3-Major		MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
840821-2	3-Major		SCTP Multihoming not working within MRF Transport-config connections
815529-1	3-Major		MRF outbound messages are dropped in per-peer mode
811033-1	3-Major		MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used
803809-3	3-Major		SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
790949-1	3-Major		MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.
782353-5	3-Major		SIP MRF via header shows TCP Transport when TLS is enabled
759370-3	3-Major		FIX protocol messages parsed incorrectly when fragmented between the body and the trailer.
755033-2	3-Major		Dynamic Routes stats row does not appear in the UI
748355-3	3-Major		MRF SIP curr_pending_calls statistic can show negative values.
696348-4	3-Major		"GTP::ie insert" and "GTP::ie append" do not work without "-message" option
862337-1	4-Minor		Message Routing Diameter profile fails to forward messages with zero length AVPs
859721-2	4-Minor		Using GENERICMESSAGE create together with reject inside periodic after may cause core
844169-3	4-Minor		TMSH context-sensitive help for diameter session profile is missing some descriptions
786981-4	4-Minor		Pending GTP iRule operation maybe aborted when connection is expired
793005-2	5-Cosmetic		'Current Sessions' statistic of MRF/Diameter pool may be incorrect

Advanced Firewall Manager Issues

ID Number	Severity	Solution Article(s)	Description
802421-5	2-Critical		The /var partition may become 100% full requiring manual intervention to clear space
915221-3	3-Major		DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
910417-5	3-Major		TMM core may be seen when reattaching a vector to a DoS profile
905153-2	3-Major		HW offload of vector 22 (IPv6 Duplicate Extension Headers) not operational
876805-2	3-Major		Modifying address-list resets the route advertisement on virtual servers.
872645-1	3-Major		Protected Object Aggregate stats are causing elevated CPU usage
870385-4	3-Major		TMM may restart under very heavy traffic load
867321-2	3-Major		Error: Invalid self IP, the IP address already exists.
851745-2	3-Major		High cpu consumption due when enabling large number of virtual servers
844597-3	3-Major		AVR analytics is reporting null domain name for a dns query
837233-2	3-Major		Application Security Administrator user role cannot use GUI to manage DoS profile
813969-4	3-Major		Network DoS reporting events as 'not dropped' while in fact, events are dropped
813057-1	3-Major		False positive attack detection on DoS profile vectors for unbalanced traffic
812481-1	3-Major		HSL logging may work unreliably for Management-IP firewall rules
811157-1	3-Major		Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself
808893-1	3-Major		DNS DoS profile vectors do not function correctly★
808889-1	3-Major		DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold
800209-2	3-Major		The tmsh recursive list command includes DDoS GUI-specific data info
793217-1	3-Major		HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation
791361-2	3-Major		Configured management port rules can be lost after loading UCS file and rebooting
789857-2	3-Major		"TCP half open' reports drops made by LTM syn-cookies mitigation.
781425-1	3-Major		Firewall rule list configuration causes config load failure
761345-4	3-Major		Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
757279-2	3-Major		LDAP authenticated Firewall Manager role cannot edit firewall policies
716746-2	3-Major		Possible tmm restart when disabling single endpoint vector while attack is ongoing
803149-4	4-Minor		Flow Inspector cannot filter on IP address with non-default route_domain

Policy Enforcement Manager Issues

ID Number	Severity	Solution Article(s)	Description
845313-2	2-Critical		Tmm crash under heavy load
875401-1	3-Major		PEM subcriber lookup can fail for internet side new connections
842989-4	3-Major		PEM: tmm could core when running iRules on overloaded systems
814941-3	3-Major		PEM drops new subscriber creation if historical aggregate creation count reaches the max limit
783289-4	3-Major		PEM actions not applied in VE bigTCP.
741213-1	3-Major		Modifying disabled PEM policy causes coredump
911585-2	4-Minor		PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval

Carrier-Grade NAT Issues

ID Number	Severity	Solution Article(s)	Description
723658-4	2-Critical		TMM core when processing an unexpected remote session DB response.
837269-1	3-Major		Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic
812705-2	3-Major		'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic
806825-2	3-Major		Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool
761517-2	4-Minor		nat64 and ltm pool conflict

Fraud Protection Services Issues

ID Number	Severity	Solution Article(s)	Description
876581-3	3-Major		JavaScript engine file is empty if the original HTML page cached for too long
891729-3	4-Minor		Errors in datasyncd.log★

Anomaly Detection Services Issues

ID Number	Severity	Solution Article(s)	Description
914293-2	3-Major		TMM SIGSEGV and crash
824917-1	3-Major		Behavioral DoS dashboard disregards user access rights to virtual servers
767045-3	4-Minor		TMM cores while applying policy

Traffic Classification Engine Issues

ID Number	Severity	Solution Article(s)	Description
913453-4	2-Critical		URL Categorization: wr_urldbd cores while processing urlcat-query
901041-1	2-Critical		CEC update using incorrect method of determining number of blades in VIPRION chassis★
887609-4	2-Critical		TMM crash when updating urldb blacklist
874677-2	2-Critical		Traffic Classification auto signature update fails from GUI★
816529-3	3-Major		If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.

Device Management Issues

ID Number	Severity	Solution Article(s)	Description
718796-4	2-Critical		IControl REST token issue after upgrade★
880565-2	3-Major		Audit Log: "cmd_data=list cm device recursive" is been generated continuously
858189-2	3-Major		Make restnoded/restjavad/icrd timeout configurable with sys db variables.
767613-1	3-Major		Restjavad can keep partially downloaded files open indefinitely

iApp Technology Issues

ID Number	Severity	Solution Article(s)	Description
842193-2	3-Major		Scriptd coring while running f5.automated_backup script
818069-5	3-Major		GUI hangs when iApp produces error message
802189-1	4-Minor		iApps: Calling 'Package Require <PKG>' in a template with a manager role is not supported

Protocol Inspection Issues

ID Number	Severity	Solution Article(s)	Description
802449-2	2-Critical		Valid GTP-C traffic may cause buffer overflow
737558	2-Critical		Protocol Inspection user interface elements are active but do not work
825501-2	3-Major		IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★
778225-2	3-Major		vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
787845-2	4-Minor		Tmsh command 'show running-config' fails when Protocol Inspection is not licensed.
760740-2	4-Minor		Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running

Known Issue details for BIG-IP v15.0.x

926757-4 : ICMP traffic to a disabled virtual-address might be handled by a virtual-server.

Component: Local Traffic Manager

Symptoms:
ICMP traffic to a disabled virtual-address might be handled by a virtual-server.

Conditions:
Virtual-server with an address space overlapping with a self-ip, capable of handling ICMP traffic.

For example, ip-forward wildcard 0.0.0.0/0 virtual-server.

Impact:
ICMP traffic to a virtual-address might be handled by a virtual-server.

Workaround:
There is no workaround.

925573-1 : SIGSEGV: receiving a sessiondb callback response after the flow is aborted

Component: Access Policy Manager

Symptoms:
A SIGSEGV error occurs after a connection is ended. This is an intermittent issue that inconsistently recurs.

Conditions:
The cause of the flow being aborted is a 'RST stream' abort from HTTP/2 that is caused by the HTTP/2 client sending a RST_STREAM frame. This might occur when a client resets multiple streams on the connection at the same time.

Impact:
You might intermittently see this issue.

Workaround:
None.

924945-2 : Fail to detach HTTP profile from virtual server

Component: Application Visibility and Reporting

Symptoms:
The virtual server might stay attached to the initial HTTP profile.

Conditions:
Attaching new HTTP profiles or just detaching an existing one.

Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.

Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.

924697-3 : VDI data plane performance degraded during frequent session statistic updates

Component: Access Policy Manager

Symptoms:
Data plane performance for VDI use cases (Citrix/VMware proxy) is degraded during frequent access session statistic updates.

Conditions:
APM is used as VDI proxy for Citrix or VMware.

Impact:
APM's VDI proxy does not perform to its full capacity.

Workaround:
None.

923745-2 : Ctrl-Alt-Del reboots the system

Component: TMOS

Symptoms:
A device reboot occurs when pressing Ctrl-Alt-Del.

Conditions:
This occurs when pressing Ctrl-Alt-Del or sending the command to a BIG-IP Virtual Edition (VE) virtual console.

Impact:
Accidental reboots are possible. You should not reboot VE using Ctrl-Alt-Del.

Workaround:
Run the following command:

systemctl mask ctrl-alt-del.target

923221-3 : BD does not use all the CPU cores

Component: Application Security Manager

Symptoms:
Not all the CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.

Conditions:
BIG-IP is installed on a device with more than 32 cores.

Impact:
ASM does not use all of the available CPU cores.

Workaround:
1. Modify the following file on the BIG-IP system:
   /usr/local/share/perl5/F5/ProcessHandler.pm

Change this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFF'

To this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',

2. Restart the asm process:
   bigstart restart asm.

922641-3 : Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow

Component: Local Traffic Manager

Symptoms:
iRule commands issued after a clientside or serverside command operate on the wrong peer flow.

Conditions:
An iRule contains a script that parks in a clientside or serverside command.

Examples of parking commands include 'table' and 'persist'.

Impact:
The iRule commands operate on the wrong peer flow.

Workaround:
Avoid using commands that park inside the clientside or serverside command.

922261-3 : Websocket server messages are logged even it is not configured

Component: Application Security Manager

Symptoms:
BIG-IP sends unexpected websocket server messages to a remote logging server

Conditions:
- ASM provisioned
- ASM policy and websocket profile attached to a virtual server
- More then one remote logging profile attached to a virtual server
- One of the remote loggers has response-logging=all

Impact:
Remote logging server overloaded with unexpected websockets messages

Workaround:
Set response-logging=illegal in all remote logging profiles

922153-3 : Tcpdump is failing on tmm 0.x interfaces

Component: TMOS

Symptoms:
The tcpdump command exits immediately with an error:
errbuf ERROR:TMM side closing: Aborted
tcpdump: pcap_loop: TMM side closing: Aborted

Conditions:
Capturing the packets on tmm interfaces.

Impact:
Unable to capture the packets on specific tmm interfaces.

Workaround:
There are two possible workarounds:

-- Start tcpdump on the tmm that actually owns the interface using the TCPDUMP_ADDR command; for example, using blade1 for 1/0.16, run the command:

TCPDUMP_ADDR=127.1.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16

-- Send the TCPDUMP_ADDR command to a specific tmm, which could work from any blade (127.20.<slot>.<tmmnumber+1> (e.g. 127.20.1.1 == slot1/tmm0, 127.20.2.16 == slot2/tmm15):

TCPDUMP_ADDR=127.20.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16

922005-4 : Stats on a certain counter for web-acceleration profile may show excessive value

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is configured to use the RAM Cache feature, a corresponding profile may report an excessively large value for the cache_misses_all counter under certain conditions.

Conditions:
-- The BIG-IP system has a virtual server with web-acceleration profile without an application (RAM Cache feature).
-- The virtual receives uncacheable requests which are interrupted by a client or are not served by a server.

Impact:
A value for cache_misses_all incurs an arithmetic overflow, and shows an excessive number comparable with 1.8e19. The issue has no functional impact; the system operates as normal.

Workaround:
None.

921881-3 : Use of IPFIX log destination can result in increased CPU utilization

Component: TMOS

Symptoms:
-- Increased baseline CPU.

- The memory_usage_stats table shows a continuous increase in mds_* rows.

Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.

Impact:
Increased baseline CPU may result in exhaustion of CPU resources.

Workaround:
Limiting changes to associated configuration can slow the effects of this issue.

921665 : Policy Signatures: updating a filtered list causes all signatures to be updated

Component: Application Security Manager

Symptoms:
After making a change to a filtered list of signatures, ASM updates all signatures instead.

Conditions:
This can occur when applying changes to a filtered signatures list two or more times in rapid succession.

Impact:
All signatures may be updated without the intention to do so.

Workaround:
You can use either workaround:

-- Apply the filter after each action.
-- Reload the page

921625-3 : The certs extend function does not work for GTM/DNS sync group

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.

As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.

The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.

You might see messages similar to the following:

-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....

Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device.
-- Configuration is as follows:
   1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
   2. GTMDNS1 has a self-authorized CA cert.
   3. You add a BIG-IP server that is is reachable but with which GTMDNS1 has not exchanged SSL certs.

Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.

Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.

921549-5 : The gtmd process does not receive updates from local big3d.

Component: Global Traffic Manager (DNS)

Symptoms:
Oversized server.crt file causes gtmd (other devices in a same syncgroup) from receiving from local big3d.

Conditions:
One GTM/DNS device in the syncgroup has an oversized server.crt file (approximately 4000 or larger) and sends a client cert direct message to peer GTM/DNS devices.

Impact:
The gtmd process marks resources down unexpectedly and does not receive persist updates.

Workaround:
1. For each GTM/DNS device, use bigip_add to add all BIG-IP servers configured in bigip_gtm.conf file.
2. Restart each GTM/DNS that is affected.

921477-3 : Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup.

Component: Local Traffic Manager

Symptoms:
With the HTTP RFC enforcement profile option enabled, incoming health monitor requests without an HTTP version in the request line (HTTP/0.9) may fail to produce the correct result for dual BIG-IP configurations. This can result in incoming health monitor traffic being incorrectly blocked when traveling through a virtual server. These health monitors will be unable to provide the correct availability of the intended resource. The default HTTP and HTTPS monitors as well as any custom monitors with a missing HTTP version in their requests could see this issue.

Conditions:
A dual BIG-IP configuration may provisioned with the following considerations.

-- One or more BIG-IP systems are in the network path for monitor traffic.

-- The first BIG-IP system uses a health monitor that initiates a health check request (without an HTTP version) in the request line (HTTP/0.9) against a second BIG-IP system.

-- The second (downstream) BIG-IP system has a virtual server that is the endpoint for the monitor. The virtual server is configured with an HTTP profile with the HTTP RFC Compliance profile option selected.

Impact:
Rather than receiving the correct health check result, the original BIG-IP system can fail to report whether the second BIG-IP is available.

Workaround:
You can use http_head_f5 monitor to perform health checks.

921441-1 : MR_INGRESS iRules that change diameter messages corrupt diam_msg

Component: Service Provider

Symptoms:
1. 'DIAMETER::host origin' command may not be set correctly.
2. Errors in ltm log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found

Conditions:
Virtual Server with a diameter profile enabled with an ingress iRule.

ltm rule Diameter - iRule {
  when MR_INGRESS {
    DIAMETER:: host origin "hostname.realm.example"
  }
}

Traffic arrives containing CER + ULR messages

Impact:
Using the iRule to change host origin breaks diameter message.

921361-1 : SSL client and SSL server profile names truncated in GUI

Component: TMOS

Symptoms:
Unable to see the full name of the SSL client and SSL server profiles when assigning them in the GUI.

Conditions:
In Local Traffic :: Virtual Server :: Properties, the fields for the 'Selected' and 'Available' lists are narrower than they were in previous versions.

Impact:
With longer SSL profile names, the full name is not visible. Even the default, provided profiles, such as crypto-server-default-clientssl and crypto-client-default-serverssl, are truncated.

Note: The fields remain at the limited width even when the browser window is maximized.

Workaround:
Use tmsh to see the full SSL client and SSL server name.

921149-5 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy

Component: TMOS

Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.

Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server's description is changed.

Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.

Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.

921121-3 : Tmm crash with iRule and a PEM Policy with BWC Enabled

Component: TMOS

Symptoms:
Tmm crashes while passing traffic through PEM.

Conditions:
-- PEM policy with bandwidth controller.
-- iRule makes a traffic decision based on certain unique PEM sessions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

920817-5 : DNS Resource Records can be lost in certain circumstances

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Zone syncing is missing Resource Records.

Conditions:
This occurs when a large number of configuration changes, including Wide IP changes, are made simultaneously on multiple GTM/DNS devices in a sync group.

Impact:
DNS Resource Records can be missing from the BIND DNS database.

The impact of this is that if GSLB Load Balancing falls back to BIND, the DNS Resource Records may not be present.

Workaround:
Restrict configuration (Wide IP) changes to one GTM/DNS device in a device group.

Note: It is also possible to turn off Zone Syncing. GTM/DNS configuration is still synced, but the you lose the ability to sync non-Wide IP changes to the BIND DB. If you do not utilize ZoneRunner to add additional non-Wide IP records, this is a problem only when GSLB resorts to Fallback to BIND. This can be mitigated with DNSX and DNS (off device) for non Wide IP Resource Records.

920285-1 : WS::disconnect may result in TMM crash under certain conditions

Component: Local Traffic Manager

Symptoms:
The WebSocket profile allows use of the WS::disconnect iRule command to gracefully terminate a connection with a client or a server. Use of this command may result in crash if tmm parts the iRule before execution completes.

Conditions:
-- BIG-IP has a virtual server configured with a WebSocket profile.
-- An iRule the includes the WS::disconnect command is attached to the virtual server.
-- BIG-IP is under heavy load and/or the iRule requires an extended time to execute, which might happen, for example, during execution on an iRule, tmm might park the iRule execution because the operation takes more CPU cycle than tmm can allocate to complete the iRule execution.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

920197-5 : Brute force mitigation can stop mitigating without a notification

Component: Application Security Manager

Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.

Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).

Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.

Workaround:
None.

919745-3 : CSV files downloaded from the Dashboard have the first row with all 'NaN

Component: TMOS

Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'

Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.

Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.

Workaround:
None.

919317-4 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes

Component: TMOS

Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.

Conditions:
ECMP routes reachable via recursive nexthops.

Impact:
NSM is stuck at 100% CPU usage.

Workaround:
Avoid using EMCP routes reachable via recursive nexthops.

919257-2 : TMM can crash while passing VPN traffic

Component: Local Traffic Manager

Symptoms:
While passing VPN traffic, tmm crashes

Conditions:
-- APM configured and passing VPN traffic

Impact:
Under certain timing conditions, tmm can crash. Traffic disrupted while tmm restarts.

Workaround:
None.

919185-3 : Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed

Component: TMOS

Symptoms:
The Request Adapt Profile and Response Adapt Profile settings are visible when creating or editing a virtual server in the GUI on systems that do not have ICAP licensed. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:

crit tmm[3328]: 01010022:2: ICAP feature not licensed

Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.

Impact:
Traffic does not pass through the affected virtual servers.

Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.

918597-7 : Under certain conditions, deleting a topology record can result in a crash.

Component: Global Traffic Manager (DNS)

Symptoms:
During a topology load balancing decision, TMM can crash.

Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
None.

918409-3 : BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures

Component: TMOS

Symptoms:
If a BIG-IP device has more than 24 tmm instances and one of the tmm processes above the 24th cpu loops (e.g., in response to an internal issue), it loops indefinitely.

Conditions:
-- BIG-IP i15600 / i15800 platforms.
-- Another issue occurs that that causes a tmm process greater than the 24th tmm process to loop.

Impact:
Traffic disrupted on the tmm process that is looping indefinitely.

Workaround:
1. Manually change /defaults/daemon.conf to include the appropriate tmm number and respective heartbeat action if the supported tmm is not listed.

Note: The change does not persist across software installs.

    a. mount -o remount,rw /usr
    b. Edit /defaults/daemon.conf and put these contents at the top of the file:

sys daemon-ha tmm24 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm25 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm26 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm27 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}

    c. mount -o remount,ro /usr

2. After performing the edit, load the changes into the running configuration via 'tmsh load sys config partitions all'.
3. Verify that sod is now correctly monitoring tmm instances above tmm24 using a command such as:

    tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm

918277-3 : Slow Ramp does not take into account pool members' ratio weights

Component: Local Traffic Manager

Symptoms:
When a pool member is within its slow-ramp period, and is a member of a pool that uses a static-ratio-based load balancing algorithm, its ratio weight is not taken into account when balancing connections to it. If it has a ratio that is higher than other pool members, this can result in a sudden influx of connections once the pool member exits the slow-ramp period.

Conditions:
-- Pool with a non-zero slow-ramp timeout and a static-ratio-based load balancing algorithm.
-- Pool members within the pool have different ratio weights.
-- At least one pool member is inside its slow-ramp period.

Impact:
The pool member could still be overwhelmed despite the attempt to slow-ramp connections to it.

Workaround:
None.

918209-2 : GUI Network Map icons color scheme is not section 508 compliant

Component: TMOS

Symptoms:
Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green are nearly appearing as one color.

Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.

Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.

Workaround:
None.

918053-2 : [Win][EdgeClient] 'Enable Always Connected mode' is checked for all connectivity profiles with same Parent profile.

Component: Access Policy Manager

Symptoms:
The default value of 'Enable Always Connected' becomes enabled for connectivity profiles after adding 'Server List' to one of the connectivity profiles with the same Parent profile.

Conditions:
-- Add 'Server List' to one of the connectivity profiles with the same Parent profile.
-- Enable the 'Always Connected mode' setting for one of the connectivity profiles.

Impact:
This change affects all of the connectivity profiles. The parent-child inheritance logic is broken.

Workaround:
Manually uncheck the setting in all new profiles where 'Enable Always Connected' is not needed.

917637-3 : Tmm crash with ICAP filter

Component: Service Provider

Symptoms:
Tmm crashes while passing traffic.

Conditions:
-- Per-request policies configured.
-- ICAP is configured.

This is rare condition that occurs intermittently.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

916485-1 : Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object

Component: Local Traffic Manager

Symptoms:
Running 'tmsh install sys crypto key' command for SafeNet keys creates a new mcp object with the keyname as the label name in HSM, and with the duplicate key-id.

Conditions:
This happens when trying to install the key using the key-label as the argument.

Impact:
Even after deleting the tmsh key (tmsh delete sys crypto key), the BIG-IP system can still pass traffic because there's a duplicate key pointing to the same key in the HSM.

Workaround:
None.

915825-3 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

Component: TMOS

Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.

Configuration error: Can't associate folder (/User/Drafts) folder does not exist.

Conditions:
This occurs in the following scenario:

1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.

Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.

Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.

915689-3 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.

Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.

Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.

Workaround:
None.

915605-5 : Image install fails if iRulesLX is provisioned and /usr mounted read-write★

Component: Local Traffic Manager

Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.

tmsh show software status will report the status for the target volume:

Could not access configuration source.

Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.

Impact:
Unable to upgrade or more generally install an image on a new or existing volume.

Workaround:
Re-mount /usr as read-only:

mount -o remount,ro /usr

915557-3 : The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.

Component: TMOS

Symptoms:
When using the pool statistics GUI page, the page stops displaying and the GUI shows the following error:

General database error retrieving information.

Conditions:
You attempt to apply a Status filter (e.g., Available) to display only some pools.

Impact:
The Status filter is not usable. Additionally, the page continues not to display even after you navigate away from the page and later return to it.

Workaround:
There is no workaround to prevent the issue, but if you wish to access that page again (and not use the Status filter), you can do so by clearing your browser's cache.

915509-2 : RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true

Component: Access Policy Manager

Symptoms:
After enabling 'show-extended-error' on the RADIUS Auth agent, instead of seeing the expected message: 'The username or password is not correct. Please try again.', the system reports the message: (error: Access-Reject).

Conditions:
RADIUS Auth with 'show-extended-error' enabled.

Impact:
The content of the Reply Message is not reported. The actual reported error message is confusing and provides no assistance in resolving the condition causing the access error: username, password, passcode, or tokencode.

Workaround:
None.

915305-4 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded

Component: TMOS

Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.

Conditions:
Path to a remote tunnel endpoint is provided by a dynamic routing.

Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.

Workaround:
Use static routing to provide a path to remote tunnel endpoint.

915281-5 : Do not rearm TCP Keep Alive timer under certain conditions

Component: Local Traffic Manager

Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.

Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.

Impact:
Continuous rearming results in consuming CPU resources unnecessarily.

Workaround:
None.

915221-3 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out

Component: Advanced Firewall Manager

Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.

Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.

Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.

Workaround:
Delete or purge /var/tmp/mcpd.out.

915141-3 : Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'

Component: TMOS

Symptoms:
Availability status of virtual server can be left 'available' even if the corresponding pool's availability becomes 'unknown'.

Conditions:
- Pool member is configured as an FQDN node.
- You set monitor to 'none' with the pool.

Impact:
Inconsistent availability status of pool and virtual server.

Workaround:
Set the FQDN node to 'force offline', and then 'enable'. This triggers virtual server's status updates and syncs to pool.

914761-2 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.

Component: TMOS

Symptoms:
Using crontab to automatically backup UCS file by scheduling cronjobs fails due to SELinux permissions. The failure produces the following error:

Unexpected Error: UCS saving process failed.

Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.

Impact:
UCS file is not successfully saved and backup fails.

Workaround:
None.

914645-2 : Unable to apply LTM policies to virtual servers after running 'mount -a'

Component: TMOS

Symptoms:
After attempting to assign an LTM policy to a virtual server, you may get an error in the GUI:

010716d8:3: Compilation of ltm policies for virtual server /Common/VS failed; Couldn't publish shared memory segment.

You may also see this logged in /var/log/ltm:

err mcpd[6905]: 010716d5:3: Failed to publish LOIPC object for (loipc_VS.1589526000.777142413). Call to (shm_open) failed with errno (13) errstr (Permission denied).

Conditions:
-- Run the command:
mount -a
-- Attempt to assign an LTM policy to a virtual server.

Impact:
Unable to apply LTM policies.

Workaround:
Run the following command to enable assigning an LTM policy to a virtual server:
umount -l /dev/shm

914293-2 : TMM SIGSEGV and crash

Component: Anomaly Detection Services

Symptoms:
Tmm crash when using iRule to reject connections when Behavioral DoS is enabled.

Conditions:
This can occur due to an interaction between a Behavioral DoS policy and an iRule designed to potentially drop some of the connections.

Impact:
With heavy traffic, the tmm process might crash. Traffic disrupted while tmm restarts.

Workaround:
Do not use iRules to reject connections that are bound to a virtual server with a Behavioral DoS policy attached.

914081-2 : Engineering Hotfixes missing bug titles

Component: TMOS

Symptoms:
BIG-IP Engineering Hotfixes may not show the summary titles for fixed bugs (as appear for the affected bugs published via Bug Tracker).

-- The 'tmsh show sys version' command displays the bug numbers for fixes included in Engineering Hotfixes.
-- If a given bug has been published via Bug Tracker, the summary title of the bug is expected to be displayed as well.
-- Running BIG-IP Engineering Hotfixes built on or after March 18, 2019.

Conditions:
For affected BIG-IP Engineering Hotfixes, titles are not displayed for any bugs fixed in the Engineering Hotfix.

Impact:
Cannot see the summaries of the bugs fixed by running the 'tmsh show sys version' command.

Workaround:
For bugs that are published via Bug Tracker, you can query for the affected bug in Bug Tracker (https://support.f5.com/csp/bug-tracker).

Note: Not all bugs fixed in BIG-IP Engineering Hotfixes are published to Bug Tracker.

For information on such bugs, consult F5 support, or the original Service Request submitted to F5 in which the affected Engineering Hotfix was requested.

913917-3 : Unable to save UCS

Component: Global Traffic Manager (DNS)

Symptoms:
You are unable to create a backup UCS.

You see a warning in /var/log/restjavad.0.log:

[WARNING][8100/tm/shared/sys/backup/306b4630-aa74-4a3d-af70-0d49bdd1d89e/worker UcsBackupTaskWorker] Failure with backup process 306b4630-aa74-4a3d-af70-0d49bdd1d89e.
This is followed by a list of some files in /var/named/config/namedb/.

Conditions:
Named has some Slave zones configured and is going through frequent zone transfer.

Impact:
You are unable to create a UCS file.

Workaround:
Stop named zone transfer while doing UCS backup.

913849-4 : Syslog-ng periodically logs nothing for 20 seconds

Component: TMOS

Symptoms:
Once per minute, syslog-ng logs nothing for 20 seconds.

Conditions:
-- A remote syslog server is specified by hostname, forcing syslog-ng to resolve it.
-- the DNS resolution times out (for example, if the DNS server is unreachable)

Impact:
When using DNS names to specify remote syslog destinations and DNS is unreachable, syslog-ng re-attempts to resolve the name every 60 seconds. This resolution has a 20 seconds timeout, and blocks the syslog process from writing logs to disk during that time.

Note that the logs are buffered, not lost, and will still be written to disk (with the correct timestamps) once the DNS query times out.

Workaround:
None.

913453-4 : URL Categorization: wr_urldbd cores while processing urlcat-query

Component: Traffic Classification Engine

Symptoms:
The webroot daemon (wr_urldbd) cores.

Conditions:
This can occur while passing traffic when webroot is enabled.

Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.

Workaround:
None.

913249-3 : Restore missing UDP statistics

Component: Local Traffic Manager

Symptoms:
The following UDP statistics are missing:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes

Conditions:
Viewing UDP statistics.

Impact:
Unable to view these UDP statistics.

Workaround:
None.

913085-3 : Avrd core when avrd process is stopped or restarted

Component: Application Visibility and Reporting

Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.

Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.

Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.

Workaround:
None.

912761-3 : Link throughput statistics are different

Component: Global Traffic Manager (DNS)

Symptoms:
Different link throughput statistics are seen on GTM/DNS systems that are connected by full-mesh iQuery.

Conditions:
-- The same link is used on different BIG-IP addresses as a pool member in the default gateway pool.
-- A forwarding virtual server is used.

Impact:
Each GTM/DNS server might get different link throughput for the same link, and therefore make less-than-optimal decisions.

Workaround:
Do not use the same uplink for different BIG-IP devices.

912517-3 : MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.

Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.

912425-2 : Modification of in-tmm monitors may result in crash

Component: Local Traffic Manager

Symptoms:
TMM crash.

Conditions:
-- Modify in-tmm monitors.
-- Perform configuration sync.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Disable in-tmm monitors.
-- Avoid config syncing to the active device.

912293-2 : Persistence might not work properly on virtual servers that utilize address lists

Component: Local Traffic Manager

Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.

Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.

-- The virtual server utilizes certain persistence one of the following persistence types:
  + Source Address (but not hash-algorithm carp)
  + Destination Address (but not hash-algorithm carp)
  + Universal
  + Cookie (only cookie hash)
  + Host
  + SSL session
  + SIP
  + Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.

Workaround:
Enable match-across-virtuals in the persistence profile.

Note: Enabling match-across-virtuals might might affect the behavior of other virtual servers in the configuration that utilize persistence.

912289-2 : Cannot roll back after upgrading on certain platforms★

Component: Local Traffic Manager

Symptoms:
On certain platforms, after upgrade to BIG-IP v16.0.0, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

-- Upgrade the software to v16.0.0.

-- Attempt to roll back to a previous version.

Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.

Workaround:
None.

911585-2 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval

Component: Policy Enforcement Manager

Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.

Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)

Impact:
Session is not established.

Workaround:
None.

911241-5 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug

Component: Global Traffic Manager (DNS)

Symptoms:
The iqsyncer utility leaks memory.

Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.

Impact:
The iqsyncer utility exhausts memory and is killed.

Workaround:
Do not set log.gtm.level equal to or higher than debug.

910673-3 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'

Component: Local Traffic Manager

Symptoms:
Thales installation script fails with error message.

ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.

Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.

Impact:
Thales/nCipher NetHSM client software installation fails.

Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.

910653-4 : iRule parking in clientside/serverside command may cause tmm restart

Component: Local Traffic Manager

Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.

Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.

For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.

910417-5 : TMM core may be seen when reattaching a vector to a DoS profile

Component: Advanced Firewall Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Attaching and deleting the vector to a DoS profile multiple times while the traffic is ongoing.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

910273-3 : SSL Certificate version always displays as '1' in the GUI

Component: Local Traffic Manager

Symptoms:
In GUI an SSL certificate's version is displayed as '1', even if its version is higher than 1.

Conditions:
-- Viewing an SSL certificate in the GUI.
-- The SSL certificate's version is higher than 1.

Impact:
SSL certificate's version is displayed as '1'. There is no functional impact.

Workaround:
None.

910213-3 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status

Component: Local Traffic Manager

Symptoms:
Use of the LB::down command in an iRule may not have the desired effect.

Specifically, the pool member is marked down within the tmm thread executing the iRule, but the status change is not updated to mcpd, or to other tmm threads.

As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.

Conditions:
Using the LB::down command in an iRule.

Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.

If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.

Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.

Workaround:
No direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.

910201-2 : OSPF - SPF/IA calculation scheduling might get stuck infinitely

Component: TMOS

Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.

Conditions:
SPF/IA calculation gets suspended;

This occurs for various reasons; BIG-IP end users have no influence on it occurring.

Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.

Workaround:
Restart the routing daemons:
# bigstart restart tmrouted

Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.

If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.

910105-3 : Partial HTTP/2 payload may freeze on the BIG-IP system

Component: Local Traffic Manager

Symptoms:
HTTP/2 allows sending the payload in both directions gradually, until a frame with an END_STREAM flag closes a direction. The BIG-IP does not properly handles an early response from a server when HTTP router is configured on a virtual and partial payload sent in each direction. In this case, communication over the stream hangs.

Conditions:
-- Virtual server is configured on the BIG-IP system with HTTP and HTTP/2 profiles on both the client and server sides.
-- HTTP router profile is configured on the virtual server.
-- Client sends a request and delivers a partial payload, waiting for a response from a server.
-- Server responds with a partial payload.

Impact:
A response with a partial payload is not delivered to a client. Communication freezes on that specific stream.

Workaround:
None.

909997-4 : Virtual server status displays as unavailable when it is accepting connections

Component: Local Traffic Manager

Symptoms:
After a rate limit is triggered and released, the virtual server status in the GUI remains as 'unavailable'. The virtual server resumes accepting new connections while the GUI shows the virtual server is unavailable.

Conditions:
-- The virtual server has a source address list configured.
-- Address lists define more than one address.
-- The connections are over the rate limit, and the virtual server status is marked unavailable.
-- The number of connections falls below the limit.

Impact:
Actual virtual server status is not reflected in GUI.

Workaround:
If the deployment design allows, you can use either of the following workarounds:

-- Remove the source address list from the virtual server.

-- Have a single address in the source address list.

909757-2 : HTTP CONNECT method with a delayed payload can cause a connection to be closed

Component: Local Traffic Manager

Symptoms:
If the HTTP CONNECT method is utilized and payload arrives in a later TCP segment, the HTTP connection will be closed.

Conditions:
-- HTTP profile.
-- HTTP CONNECTION with delayed payload.

Impact:
The HTTP connection is incorrectly closed.

Workaround:
None.

909677-3 : HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted

Component: Local Traffic Manager

Symptoms:
When using HTTP/2, the :scheme pseudo-header appears to always be set to HTTPS on requests, even when the server-side connection is not encrypted.

Conditions:
-- Using an HTTP/2 virtual server.
-- The server-side connection that is unencrypted.

Impact:
The impact of this issue varies based on how the application reacts at the server-side.

Workaround:
None.

909505-2 : Creating LTM data group external object fails.

Component: TMOS

Symptoms:
iControl REST command to create a data group fails if you do not set the externalFileName variable.

The same command works in tmsh, and you are not required to specify the externalFileName.

Conditions:
-- Creating a data group using iControl REST.
-- POST payload does not contain the externalFileName variable.

Impact:
You are unable to create the data group.

Workaround:
The command works if you specify the externalFileName parameter:

curl -sku $PASS https://$HOST/mgmt/tm/ltm/data-group/external -X POST -H "Content-type: application/json" -d '{"name":"fooBar", "externalFileName":"fooBar.txt"}'

909485-2 : Deleting LTM data-group external object incorrectly reports 200 when object fails to delete

Component: TMOS

Symptoms:
When you delete an LTM external data-group object using iControl REST, it incorrectly returns '200 OK' even though the object is not deleted.

Conditions:
-- Deleting an external data-group object via iControl REST.
-- The LTM external data-group object is referenced by another object (such as an iRule).

Impact:
The object still exists, even though the system returns a '200 OK' message indicating that the operation completed successfully.

Workaround:
None.

909197-4 : The mcpd process may become unresponsive

Component: TMOS

Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- There is an mcpd core file contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.

Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.

Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.

Workaround:
None.

908873-2 : Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached.
-- Certain scenarios where the proxy goes into passthrough mode.

This was encountered during internal testing of a certain iRule configurations.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

908753-4 : Password memory not effective even when password policy is configured

Component: TMOS

Symptoms:
The BIG-IP system does not prevent you from specifying previously used passwords, even if Secure Password Enforcement is enabled with password memory set to a non-zero value.

Conditions:
-- Password memory in auth settings is not 0 (zero).
-- Attempt to specify a previously specified password

Impact:
Password history to prevent user from using same password is not enforced.

Workaround:
None.

908621-1 : Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached to it.
-- Certain scenarios where the proxy goes into passthrough mode.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

908601-3 : System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option

Component: TMOS

Symptoms:
When the BIG-IP system boots, mcpd continually restarts.

Conditions:
This may occur after you issue the 'diskinit' command with the '--style=volumes' option in the MOS (Maintenance Operating System) shell, install BIG-IP into the new volume, then boot into the new installation of the BIG-IP system.

Impact:
The BIG-IP system is unable to complete the boot process and become active.

Workaround:
In the MOS shell, do not issue the 'diskinit' command with the '--style=volumes' option.

Instead, on BIG-IP v14.1.2.1 and later, you may use the 'image2disk' utility with the '-format' option to recreate the desired volume.

You also can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.

If the system is already in the defective state, use this shell command, and then reboot:

touch /.tmos.platform.init

The problem should be resolved.

908517-2 : LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'

Component: TMOS

Symptoms:
LDAP authentication fails with an error message:

err nslcd[2867]: accept() failed: Too many open files

Conditions:
This problem occurs when user-template is used instead of Bind DN.

Impact:
You cannot logon to the system using LDAP authentication.

Workaround:
None.

908477-3 : Request-adapt plus request-logging causes HTTP double-chunking in an ICAP request

Component: Service Provider

Symptoms:
When an HTTP chunked request is sent to a virtual server that has both a request-adapt (e.g., for ICAP), and a request-logging profile attached, the request that is sent to the ICAP server is doubly chunked.

Conditions:
-- A virtual server is configured with both a request-adapt (ICAP) and request-logging profile.
-- HTTP chunked requests are sent to this virtual server.

Impact:
Data corruption in the HTTP stream.

Workaround:
You can use either of the following workarounds:

-- Force rechunking on the HTTP profile:
request-chunking rechunk

-- Remove the request-logging profile (and potentially log requests) using an iRule instead.

908065-3 : Logrotation for /var/log/avr blocked by files with .1 suffix

Component: Application Visibility and Reporting

Symptoms:
AVR logrotate reports errors in /var/log/avr:

error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged

Conditions:
Files ending with .1 exist in the log directory.

Impact:
Logrotate does not work. This might fill the disk with logs over time.

Workaround:
Remove or rename all of the .1 log files.

907337-3 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
A specific scenario that results in memory corruption.

Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.

Workaround:
None.

907177-3 : Priority of embedded APM iRules is ignored

Component: Local Traffic Manager

Symptoms:
Custom iRule events are executed before the embedded APM iRule events, despite the custom iRule's priority value being larger than the APM iRule's priority value.

Conditions:
-- APM is provisioned.
-- Custom iRule with a priority value larger the APM iRule's priority value.

Impact:
Custom iRule event is executed before APM iRule event.

Workaround:
None.

907025-2 : Live update error" 'Try to reload page'

Component: Application Security Manager

Symptoms:
When trying to update Attack Signatures. the following error message is shown:

Could not communicate with system. Try to reload page.

Conditions:
Insufficient disk space to update the Attack Signature.

Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.

Workaround:
This following procedure restores the database to its default, initial state:

1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.

2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script

3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.

4. Add the following lines to create the live update database schema and set the SA user as expected:

CREATE SCHEMA PUBLIC AUTHORIZATION DBA
CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
CREATE USER SA PASSWORD ""
GRANT DBA TO SA
SET WRITE_DELAY 20
SET SCHEMA PUBLIC

5. Restart the tomcat process:
bigstart restart tomcat

906505-3 : Display of LCD System Menu cannot be configured via GUI on iSeries platforms

Component: TMOS

Symptoms:
In the BIG-IP Graphical User Interface (TMUI), display of the System Menu on the LCD front panel of most BIG-IP platforms can be enabled or disabled under System :: Configuration :: Device :: General.

However, on iSeries appliances, the 'Display LCD System Menu' option does not appear on this page.

Conditions:
This occurs on the following iSeries appliances:
-- i850
-- i2000-series (i2600/i2800)
-- i4000-series (i4600/i4800)
-- i5000-series (i5600/i5800/i5820-DF)
-- i7000-series (i7600/i7600-D/i7800/i7800-D/i7820-DF)
-- i10000-series (i10600/i10600-D/i10800/i10800-D)
-- i11000-series (i11600/i11800/i11400-DS/i11600-DS/i11800-DS)
-- i15000-series (i15600/i15800)

Impact:
The 'Display LCD System Menu' option cannot be configured via the GUI.

Workaround:
You can enable display of the LCD System Menu using the Command Line (CLI) by running the following commands, in sequence:

tmsh mod sys global-settings lcd-display [enabled|disabled]
tmsh mod sys db lcd.showmenu value [enabled|disabled]

906449-3 : Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load

Component: TMOS

Symptoms:
The text that describes the monitor state of an LTM node, pool member, or monitor instance also contains a timestamp that initially indicates when the monitor set the affected node or pool member to the indicated state. This timestamp can be affected by other actions, such as incremental or full config sync and config load.

The monitor-state description and timestamp can be viewed in the CLI (CLI/TMSH) and GUI (TMUI) as follows:

-- From the CLI/TMSH:
tmsh show ltm monitor <monitor_type> <monitor_name>

This command shows the state of ltm nodes or pool members currently monitored by the specified ltm health monitor, as in the following example:
-------------------------------------
LTM::Monitor /Common/mysql_test
-------------------------------------
   Destination: 10.10.200.28:3296
   State time: down for 1hr:58mins:42sec
   | Last error: No successful responses received before deadline. @2020.03.25 14:10:24

-- From the GUI:
   + Navigate to Local Traffic :: Nodes : Node List :: <node_name>. The 'Availability' field shows text describing the node's monitored state with a timestamp.

   + Navigate to Local Traffic :: Pools : Pool List :: <pool_name>, under the Members tab, click the pool member name. The 'Availability' field shows text describing the pool member's monitored state with a timestamp.

Conditions:
This may occur under the following conditions:

-- If an incremental config sync occurs from one high availability (HA) member to another member or to the device group:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
   + If a Node or Pool Member has been marked DOWN by a monitor, its timestamp may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.

-- If a full/forced config sync occurs from one HA member to another member or to the device group:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
   + The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.

-- If a config load occurs:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on the HA member where the config load occurred.
   + The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on the HA member where the config load occurred.

Impact:
The timestamp indicated next to the monitored-state description for an LTM Node or Pool Member indicates when the Node or Pool Member was updated in ways other than by its configured monitor. Thus, this timestamp may not indicate the actual time of the monitor event suggested by the description text.

Workaround:
None.

906161 : Unexpected reboot when system handles large numbers of EDAC/MCE logs

Component: TMOS

Symptoms:
If a BIG-IP unit is experiencing a hardware issue that results in a large number of EDAC/MCE logs (typically over a substantial number of hours or days), the unit might experience a kernel panic in the EDAC kernel code leading to a system reboot.

Red Hat has documented this Linux kernel issue as System crash at gen_pool_free+0xb8 while there are massive EDAC/MCE :: https://access.redhat.com/solutions/3160241.

Logs similar to the following may be present in kern logs just before a reboot, showing kernel panics while processing function 'mce_gen_pool_process':

warning kernel: : [21099056.447181] EDAC MC1: 1 CE error on CPU#1Channel#0_DIMM#0 (channel:0 slot:0 page:0x0 offset:0x0 grain:8 syndrome:0x0)
warning kernel: : [21099072.478576] EDAC MC1: 1 CE error on CPU#1Channel#0_DIMM#0 (channel:0 slot:0 page:0x0 offset:0x0 grain:8 syndrome:0x0)
warning kernel: : [21099298.660540] ------------[ cut here ]------------
crit kernel: : [21099298.689641] kernel BUG at lib/genalloc.c:342!
warning kernel: : [21099298.717180] invalid opcode: 0000 [#1] SMP
warning kernel: : [21099298.924056] EDAC MC1: 281 CE error on CPU#1Channel#0_DIMM#0 (channel:0 slot:0 page:0x0 offset:0x0 grain:8 syndrome:0x0)
warning kernel: : [21099298.743177] Modules linked in: tcp_diag inet_diag nls_utf8 isofs nf_conntrack_ipv6 nf_defrag_ipv6 ebtable_filter ebtables slip slhc iptable_raw nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT nf_reject_ipv4 xt_physdev br_netfilterbridge stp llc iptable_filter ip_tables xt_CT nf_conntrack ip6table_raw ip6t_REJECT nf_reject_ipv6 ip6table_filter ip6_tables loop binfmt_misc ext2 womdict(O) vnic(O) lasthop(O) jiffies(O) sysstats i2c_dev evchannel hrsleep linux_user_bde(PO) linux_kernel_bde(PO) gpio_ich i2c_i801 i2c_core ti_usb_3410_5052 cdc_acm lpc_ich tg3 ptp pps_core ioatdma dca i7core_edac edac_core fjes acpi_cpufreq sg raid1 raid0 xen_blkfront virtio_scsi virtio_pci virtio_blk virtio virtio_ring nvme mvsas libsas scsi_transport_sas mptspi mptscsih mptbase scsi_transport_spi 3w_9xxx sata_svw ahci libahci serverworks sata_sil ata_piix libata sd_modcrc_t10dif crct10dif_common amd74xx piix ide_gd_mod ide_core dm_snapshot dm_bufio dm_zero dm_mirror dm_region_hash dm_log dm_mod ext3 jbd mbcache
warning kernel: : [21099299.338086] CPU: 12 PID: 262 Comm: kworker/12:1 Tainted: P O ------------ 3.10.0-514.26.2.el7.x86_64 #1
warning kernel: : [21099299.403005] Hardware name: F5 Networks A110/A110, BIOS 4.6.4 05/02/2014
warning kernel: : [21099299.444049] Workqueue: events mce_process_work
warning kernel: : [21099299.472108] task: ffff880cb9742900 ti: ffff88180e888000 task.ti: ffff88180e888000
warning kernel: : [21099299.518332] RIP: 0010:[<ffffffff81328840>] [<ffffffff81328840>] gen_pool_free +0xa0/0xb0
warning kernel: : [21099299.568206] RSP: 0018:ffff88180e88bd70 EFLAGS: 00010202
warning kernel: : [21099299.601447] RAX: 0000000000000002 RBX: ffff88017fd233c0 RCX: 0000000000000006
warning kernel: : [21099299.645595] RDX: 00000000000000f0 RSI: 0000000000000000 RDI: ffff88017fd233f0
warning kernel: : [21099299.689743] RBP: ffff88180e88bd98 R08: 0000000000000003 R09: 0000000000000002
warning kernel: : [21099299.733891] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
warning kernel: : [21099299.778039] R13: ffff88180f217dc0 R14: ffff88180f21c000 R15: 0000000000000000
warning kernel: : [21099299.822186] FS: 0000000000000000(0000) GS:ffff88180f200000(0000) knlGS:0000000000000000
warning kernel: : [21099299.872045] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
warning kernel: : [21099299.907884] CR2: 00002ab521bd4000 CR3: 00000001982e0000 CR4: 00000000000207e0
warning kernel: : [21099299.952031] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
warning kernel: : [21099299.996180] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
warning kernel: : [21099300.040324] Call Trace:
warning kernel: : [21099300.056439] [<ffffffff81044266>] mce_gen_pool_process+0x56/0x70
warning kernel: : [21099300.093840] [<ffffffff8109dc8f>] ? process_one_work+0x15f/0x400
warning kernel: : [21099300.131239] [<ffffffff810418ae>] mce_process_work+0xe/0x10
warning kernel: : [21099300.166040] [<ffffffff8109dc9f>] process_one_work+0x16f/0x400
warning kernel: : [21099300.202399] [<ffffffff810a01fc>] worker_thread+0x12c/0x470
warning kernel: : [21099300.237197] [<ffffffff810a00d0>] ? manage_workers+0x120/0x120
warning kernel: : [21099300.273558] [<ffffffff810a632e>] kthread+0xce/0xe0
warning kernel: : [21099300.304207] [<ffffffff810a6260>] ? kthread_freezable_should_stop+0x70/0x70
warning kernel: : [21099300.347320] [<ffffffff816764d8>] ret_from_fork+0x58/0x90
warning kernel: : [21099300.381086] [<ffffffff810a6260>] ? kthread_freezable_should_stop+0x70/0x70
warning kernel: : [21099300.424192] Code: 48 8d 7b 30 48 d3 ea 41 89 d4 e8 dc fb ff ff 85 c0 8b 4d d8 75 15 41 d3 e4 f0 44 01 63 10 48 83 c4 18 5b 41 5c c9 c3 0f 0b eb fe <0f> 0b eb fe 66 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41
alert kernel: : [21099300.538944] RIP [<ffffffff81328840>] gen_pool_free+0xa0/0xb0
warning kernel: : [21099300.574796] RSP <ffff88180e88bd70>
warning kernel: : [21099300.597220] ---[ end trace c67b367042ae243a ]---

Conditions:
-- The unit is producing large numbers of EDAC (error detection and correction) or MCE (machine check exception) logs, such as from a faulty DIMM.

-- BIG-IP systems running CentOS 7.2 and 7.3 Linux kernels used in TMOS versions 13.1.0 through 13.1.3.2 and 14.1.0 through 14.1.2.1. (CentOS 7.5 was introduced in software versions 13.1.3.3 and 14.1.2.2 and does not contain this issue.)

Note: This issue appears to be very rare. Occasional transient memory errors such as SEU (single event upsets) are not likely to trigger the kernel panic.

Impact:
Unit reboots. Traffic interrupted while system restarts. In high availability (HA) configurations, the system fails over.

Workaround:
None.

905557-2 : Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure

Component: Global Traffic Manager (DNS)

Symptoms:
A TMM daemon logs a SIGSEGV error, halts, and then be restarted.

Conditions:
-- A BIG-IP system configured to perform DNS/GTM Global Server Load Balancing.
-- High Speed Logging (HSL) is configured.
-- Multiple HSL destinations are configured.
-- The enabled HSL settings include 'replication'.
-- At least one HSL destination is up.
-- At least one HSL destination is down.
-- A pool resource changes state from up to down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure HSL with only a single log destination.

905477-3 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX

Component: Local Traffic Manager

Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.

Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.

Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.

Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issues does not occur.

905153-2 : HW offload of vector 22 (IPv6 Duplicate Extension Headers) not operational

Component: Advanced Firewall Manager

Symptoms:
All mitigation for IPv6 Duplicate Extension Headers DoS vector happens at the software level. The counter in int_drops column reads 0 (zero) in dos_stat tmctl for that vector.

Conditions:
Double IPv6 headers in the packets (except Destination Options header).

Impact:
You cannot offload DDoS vector 22 to FPGA hardware. Only the software-based DDoS mitigation is supported.

Workaround:
Use software DDoS mitigation for this vector.

904625-3 : Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices go out of sync

Component: Local Traffic Manager

Symptoms:
The GUI saves SSL certificate/CSR subject fields data into SSL.CertRequest.* DB variables to use them in pre-populating subject fields for subsequent modifications.

Conditions:
-- SSL certificate/CSR modification through GUI.
-- Changing the content of the SSL.CertRequest.* DB variables.
-- High availability (HA) configuration.

Impact:
HA devices go out of sync.

Workaround:
SSL.CertRequest.* DB variables are used only as GUI SSL certificate/CSR pre-populated suggestions.

You can still review and modify them before completing SSL certificate/CSR modification operation, so it is safe to sync them onto the high availability (HA) peer.

904441-3 : APM vs_score for GTM-APM load balancing is not calculated correctly

Component: Access Policy Manager

Symptoms:
Output from the 'show ltm virtual <vs> detail' command reports an incorrect value for the APM Module-Score.

Conditions:
-- Using GTM/DNS and APM.
-- Configure an access profile attached to a virtual server.
-- Configure a non-zero number for 'Max Concurrent Users' for the access profile.
-- Access the virtual server.

Impact:
GTM/DNS load balancing does not work as expected.

Workaround:
None.

904041-3 : Ephemeral pool members are missing from pool of Common partition when reloading configuration for current partition

Component: TMOS

Symptoms:
-- A pool in a partition other than Common has issues when reloading the configuration of that partition when the ephemeral nodes are assigned to the Common partition instead of the partition that the ephemeral member belongs to.
-- Ephemeral pool members are missing from pool.

Conditions:
When reloading the configuration of non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"

Impact:
Missing pool members.

Workaround:
Reload the entire configuration instead of just the individual partition.

903905-1 : Default configuration of security mechanism causes memory leak in TMM

Component: Access Policy Manager

Symptoms:
Over time, memory is allocated by the TMM processes for use as 'xdata' buffers, yet this memory is never de-allocated; it is leaked and becomes unusable. Eventually a disruption of service occurs.

Conditions:
-- The BIG-IP system has been running for 8 weeks or longer without a system restart.

-- The BIG-IP system's internal risk-policy subsystem (used by the security feature modules) has not been configured to communicate with an external risk-policy server.

-- In a vCMP configuration, the BIG-IP 'host' instance is always susceptible, since no security features can be configured in its context.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

903581-3 : The pkcs11d process cannot recover under certain error condition

Component: Local Traffic Manager

Symptoms:
When the connection between the BIG-IP system and HSM (SafeNet) is interrupted, pkcs11d is unable to recover in some case.

Conditions:
Connection between the BIG-IP system and the HSM device is interrupted.

Impact:
SSL handshake failure.

Workaround:
Restart the pkcs11d process using the following command:
restart /sys service pkcs11d

903521-3 : TMM fails to sign responses from BIND when BIND has "dnssec-enable no"

Component: Global Traffic Manager (DNS)

Symptoms:
TMM fails to sign responses from BIND.

Conditions:
BIND has "dnssec-enable no" in named.conf.

Impact:
TMM fails to sign responses from BIND.

Workaround:
Remove "dnssec-enable no" from named.conf in options section.

903357-5 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers

Component: Application Security Manager

Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.

Conditions:
At least one Bot profile attached to hundreds of virtual servers. For 750 and more virtual servers attached the slow loading is significant.

Impact:
Bot Defense list page loading time can take more than 30 seconds.

Workaround:
None.

903265-2 : Single user mode faced sudden reboot

Component: TMOS

Symptoms:
Being logged into the system in single user mode (emergency shell) causes a sudden automatic reboot after some time (~5-to-10 minutes, or longer).

Conditions:
-- Using iSeries platforms.
-- When logged into the emergency shell by appending rd.break to kernel command line.

Impact:
The device reboots after some time. Because of the automatic reboot, you cannot reliably use the emergency shell.

Workaround:
None.

902417-3 : Configuration error caused by Drafts folder in a deleted custom partition★

Component: TMOS

Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.

902401-4 : OSPFd SIGSEGV core when 'ospf clear' is done on remote device

Component: TMOS

Symptoms:
The ospfd process generates a core.

Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.

Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.

Workaround:
None.

902377-1 : HTML profile forces re-chunk even though HTML::disable

Component: Local Traffic Manager

Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.

Conditions:
Using HTML::disable in an HTTP_RESPONSE event.

Impact:
The HTML profile still performs a re-chunk.

Workaround:
None.

901989-3 : Boot_marker writes to /var/log/btmp

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

Apr 21 09:19:52 bigip1 warning sshd[10901]: pam_lastlog(sshd:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
-- Rebooting a BIG-IP.

Impact:
Since this file is unknowingly corrupt at first boot, any potential investigation needing this data may be compromised.

Workaround:
After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp

901985-5 : Extend logging for incomplete HTTP requests

Component: TMOS

Symptoms:
Logging is not triggered for incomplete HTTP requests.

Conditions:
- HTTP profile is configured.
- Request-log profile is configured.
- HTTP request is incomplete.

Impact:
Logging is missing for incomplete HTTP requests.

Workaround:
None.

901929-3 : GARPs not sent on virtual server creation

Component: Local Traffic Manager

Symptoms:
When a virtual server is created, GARPs are not sent out.

Conditions:
-- Creating a new virtual server.

Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.

Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.

901669-3 : Error status in "show cm failover-status" after MGMT-IP change

Component: TMOS

Symptoms:
The "tmsh show cm failover-status" command shows failover connection status "Error" on one device, but manual failover is working properly.

Conditions:
-- Two or more devices configured with high availability (HA) and are in sync.
-- The management IP address is changed on one of the devices
--show cm failover-status" on peer. You will see "show cm failover-status" returns "Error" status.

Impact:
The tmsh show cm failover-status command indicates an error, even though the devices are in sync and failover communication is working.

Workaround:
tmsh restart sys service sod

901061-3 : Safari browser might be blocked when using Bot Defense profile and related domains.

Component: Application Security Manager

Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.

Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.

Impact:
Some requests might be blocked.

Workaround:
None.

901041-1 : CEC update using incorrect method of determining number of blades in VIPRION chassis★

Component: Traffic Classification Engine

Symptoms:
There is an issue with the script used for the Traffic Intelligence (CEC (Classification Engine Core)) Hitless Upgrade that misses installing on some blades during install/deploy on VIPRION systems.

Symptoms include:
-- POST error in the GUI.
-- Automatic classification updates are downloaded successfully, but downloaded packages disappear after some time if you do not proceed to install/deploy.

Conditions:
-- CEC hitless update.
-- Using VIPRION chassis.

Impact:
Unable to auto-update Classification signature package on all slots, because the slot count reported for CEC is 0. These packages are installed only on the current slot.

Workaround:
Install the package manually on each slot.

Note: When you refresh the GUI page, the downloaded package appears in the 'Available to Install' list, and you can proceed to install on each slot.

901033-3 : TCP::respond causing memory exhaustion issue when send buffer overwhelmed available TCP window

Component: Local Traffic Manager

Symptoms:
With increasing traffic on a virtual server with an iRule configured to send TCP::respond, iRules operate fine until some threshold is reached, after which memory usage continually increases even though the traffic level remains stable. This memory growth increases until the reaper is activated and connections are removed.

Conditions:
A specific threshold of data is reached. The threshold varies, depending on the memory available on the BIG-IP system.

Impact:
Memory usage continually increases even though the traffic level remains stable. This memory growth increases until the reaper is activated and connections are removed. A tmm core is observed. Traffic disrupted while tmm restarts.

Workaround:
None.

900933-4 : IPsec interoperability problem with ECP PFS

Component: TMOS

Symptoms:
IPsec tunnels fails to remain established after initially working.

On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer.

This may also immediately present as a problem when trying to establish a second tunnel to the same peer.

Conditions:
- IPsec IKEv2 tunnel.
- A remote peer that is not another BIG-IP system.
- Elliptic curve groups (ECP) is used for Perfect Forward Secrecy (PFS).

Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.

Workaround:
Do not use ECP for PFS.

900825-1 : WAM image optimization can leak entity reference when demoting to unoptimized image

Component: WebAccelerator

Symptoms:
WAM image optimization can leak entity reference when demoting to unoptimized image.

WAM allows PNG files to be optimized to WEBP and JPG files to be optimized to JPEG XR formats, based on capabilities inferred from the client's User-Agent value. Once the optimized version is in the cache, internal check failures might cause the entity/document to be reverted to the unoptimized version. If this unoptimized version is already present in the cache, a reference to the corresponding entity is leaked, thus causing the entity to be held in memory along with attached resource/document objects and associated storage (UCI).

Conditions:
-- WAM-optimized PNG files (to WEBP) and JPG files (to JPEG XR) on tye system.
-- A policy change occurs that causes an internal check to fail.

Note: This can also occur in some cases without actual changes to the policy if the optimization step is skipped by wamd.

Impact:
WAM image optimization might leak entity reference.

Workaround:
None.

900485-3 : Syslog-ng 'program' filter does not work

Component: TMOS

Symptoms:
The 'program' filter type does not work with the BIG-IP system's version of syslog-ng.

Conditions:
-- Using the 'program' expression in a syslog-ng filter.

Impact:
Unable to filter messages as expected.

Workaround:
None.

899933-3 : Listing property groups in TMSH without specifying properties lists the entire object

Component: TMOS

Symptoms:
When listing a property group, if you do not specify any specific properties within that group, the entire object is listed.

Conditions:
-- Using TMSH to list a property group of an object.
-- Not specifying any properties within the property group.

Impact:
Unexpected output.

Workaround:
None.

899253-5 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist

Component: Global Traffic Manager (DNS)

Symptoms:
Making changes to wide IP pools through GUI management do not take effect.

Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.

Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.

Workaround:
Use TMSH.

899097-1 : Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking★

Component: TMOS

Symptoms:
When using the rewrite profile, unchunked server responses where content-type is not text/html or text/css also gets converted to chunked encoding in client-side. Also, the server response is missing a message-body (no content-type/content-length).

The client device receives 'Transfer-Encoding: chunked' in the message-header and receives a chunked body if the origin response has a message-body. The client receives a zero-length chunk if the origin response has no message-body.

Prior to BIG-IP version 15, chunking happens only if origin server response has content-type header set to either text/html or text/css.

Conditions:
- HTTP profile response chunking is set to 'sustain'.
- The virtual server has rewrite profile attached.
- Server response has content-type set not to text/html or text/css OR no content-type header.

Impact:
End users may notice a change in chunking behavior after upgrading from prior release.

Workaround:
Use response chunking mode 'unchunk'

899085-5 : Configuration changes made by Certificate Manager role do not trigger saving config

Component: TMOS

Symptoms:
Configuration changes made in the BIG-IP GUI by a user with role 'Certificate Manager' do not result in the configuration being saved.

If the system is rebooted (or MCPD restarted) without saving the configuration, those changes will be lost.

Conditions:
-- User with role 'Certificate Manager'.
-- Changes made in GUI.
-- System rebooted.

Impact:
Loss of configuration changes.

Workaround:
Users with a 'Certificate Manager' role can save the configuration from tmsh:
tmsh save /sys config

Alternately, another user can save the configuration.

898997-3 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes

Component: Service Provider

Symptoms:
GTP message parsing fails and log maybe observed as below:

GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).

Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes

Impact:
- message parsing fails, traffic maybe interupted

898929-3 : Tmm might crash when ASM, AVR, and pool connection queuing are in use

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates a core file.

Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
Disable connection queuing on the pool.

898825-3 : Attack signatures are enforced on excluded headers under some conditions

Component: Application Security Manager

Symptoms:
Attack signatures are marked as detected when they should be marked as excluded (i.e., a false positive).

Conditions:
-- A 100-continue transaction occurs in HTTP.
-- The internal parameter answer_100_continue is set to a non-default value of 0.

Impact:
False positive enforcement for header signature.

Workaround:
Set the answer_100_continue to 1 (default) on versions later than 15.0.0.

898753-4 : Multicast control-plane traffic requires handling with AFM policies

Component: Local Traffic Manager

Symptoms:
AFM virtual-server specific rules are being matched against control-plane traffic.

Conditions:
-- Broadcast OSPF configured.
-- AFM provisioned.
-- OSPF neighbor configured.

Impact:
OSPF neighborship is not formed.

Workaround:
Add an AFM route-domain policy.

898741-3 : Missing critical files causes FIPS-140 system to halt upon boot

Component: Application Security Manager

Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.

Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing

Impact:
System halts during boot because of sys-eicheck.py failure.

Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.

If the missing files are due to missing signature update files:

- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.

898733-2 : SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM

Component: Local Traffic Manager

Symptoms:
SSL handshakes intermittently fail for virtual servers using HSM keys.

In /var/log/ltm you see errors:
err pkcs11d[6575]: 01680002:3: Key table lookup failed. error.

Conditions:
1. Keys were created on earlier versions of BIG-IP software with fipskey.nethsm wrapper, and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm wrapper.

3. The platform is a multi-bladed Viprion.

This can occur after applying the workaround for ID758491:
https://cdn.f5.com/product/bugtracker/ID758491.html

Impact:
SSL handshakes that arrive on the secondary blade(s) fail.

Handshakes arriving on the primary blade work fine.

Workaround:
Re-install the Thales client after the upgrade.

898705-4 : IPv6 static BFD configuration is truncated or missing

Component: TMOS

Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.

-- IPv6 static BFD configuration entries go missing during a daemon restart.

Conditions:
IPv6 static BFD configuration.

Impact:
The IPv6 static BFD configuration does not persist during reloads.

-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.

Workaround:
None.

898685-3 : Order of ciphers changes after updating cipher group

Component: Local Traffic Manager

Symptoms:
The order of cipher results may change with no modification in the cipher group.

Conditions:
Click 'Update' in a cipher group in the GUI without making any changes.

Impact:
The order of the ciphers changes. During a handshake, SSL/TLS may not be able to select ciphers in the preferred order.

Workaround:
Create a cipher rule with the preferred cipher order and include only a single rule in cipher group allow list.

898577-3 : Executing a command in "mgmt tm" using iControl REST results in tmsh error

Component: TMOS

Symptoms:
When you try to update the frequency of live-update using iControl REST, it results in a java exception being returned instead of updating the value.

Conditions:
When a command for updating the frequency of live updates is executed using iControl REST in an ASM configured BIG-IP.

Impact:
You are unable to update the frequency of live-update via iControl REST.

898461-3 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'

Component: TMOS

Symptoms:
The following SCTP iRule commands:

-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port

Are unavailable in the following MRF iRule events:

-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS

Attempts to use these commands in these events result in errors similar to:

01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].

Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.

Impact:
Unable to use these iRule commands within these iRule events.

Workaround:
None.

898389-2 : Traffic is not classified when adding port-list to virtual server from GUI

Component: TMOS

Symptoms:
Traffic is not matching to the virtual server.

Conditions:
Using the GUI to configure traffic-matching-criteria by adding port-list to the virtual server.

Impact:
Traffic loss.

Workaround:
Creating traffic-matching-criteria from the command line

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm traffic-matching-criteria tmc_name_here destination-address-inline <IP ADDR>%10 route-domain <Route domain name>

898333-3 : Avrd logs errors while DCD is restarting

Component: Application Visibility and Reporting

Conditions:
-- The BIG-IP system is connected to the Data Collection Device (DCD), BIG-IQ.
-- DCD is going down.

Impact:
Avrd tries to reconnect, fails, and get stuck at some point for around 25 minutes. In the meantime the queue gets full and there are errors in avrd.log.

Workaround:
None.

898201-3 : Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.

Component: Local Traffic Manager

Symptoms:
After reboot, no access to services host using fqdn nodes.
-- fqdn nodes are not populated with IP addresses.
-- Unable to access virtual servers served by pools using fqdn nodes.

Conditions:
The issue happens after the BIG-IP is rebooted.
-- when DNS server is accessed through a local virtual server.
-- Single arm cloud BIG-IP with virtual server listening for DNS requests to redirect.

Impact:
-- FQDN DNS requests bypassing the listening virtual server.
-- Unable to access the pools of those configured fqdn nodes.

Workaround:
-- restarting dynconfd.
-- Running a script to trigger off "Tmm ready" and either delete the bad flow(s) or a specific connflow entry.
-- change the dummy dns server to be something in the same subnet as the single interface.

898093-1 : Removing one member from a WideIP removes it from all WideIPs.

Component: Global Traffic Manager (DNS)

Symptoms:
When you use the 'Remove' button to remove a member from a WideIP, the member is removed from all WideIPs.

Conditions:
Use the 'Remove' button.

Impact:
Unintended configuration changes via GUI.

Workaround:
Use the 'Manage' button, rather than the 'Remove' button.

897437-4 : First retransmission might happen after syn-rto-base instead of minimum-rto.

Component: Local Traffic Manager

Symptoms:
If a TCP profile is configured with a syn-rto-base value that is lower than minimum-rto, the first retransmission might happen after syn-rto-base.

This behavior is encountered only if the BIG-IP system is unable to compute the new RTO value before the retransmission timer expires, meaning:

-- The BIG-IP system has not received a packet with a TCP timestamp reply.
-- The BIG-IP system has not received an ACK for a timed sequence number.

Conditions:
Configured value of syn-rto-base is lower than minimum-rto.

Impact:
Retransmission might happen sooner than expected.

Workaround:
There are two possible workarounds:

-- Avoid using a syn-rto-base value that is lower than the minimum-rto value (the default values are 3 seconds for syn-rto-base and 1 second for minimum-rto).

-- Consider enabling timestamps to allow faster RTT measurement.

897185-3 : Resolver cache not using random port distribution

Component: Local Traffic Manager

Symptoms:
Outgoing queries to backend dns server use incremented port numbers instead of being distributed random ports.

Conditions:
-- Fix of ID726176 is applied (see https://cdn.f5.com/product/bugtracker/ID726176.html )

Impact:
The port numbers are incremented.

896817-3 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb

Component: TMOS

Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:

01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.

Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.

Impact:
Unable to replace configuration using TMSH's 'replace' verb.

Workaround:
None.

896693-3 : Patch installation is failing for iControl REST endpoint.

Component: TMOS

Symptoms:
iControl REST async endpoint /mgmt/tm/task/util/ihealth behaving inconsistently:

-- A call to VALIDATE the async task is rejected with the error message: 'Operation is not allowed on component /util/ihealth.'
-- The task can be started by calling a different endpoint (e.g., /mgmt/tm/task/cli/script). In this case, the task completes immediately, however, a qkview generating iHealth util is still running. At the end, the qkview is generated.

Conditions:
-- Use iControl REST to create an async task for creating qkview using 'ihealth' with -n option (just generate file, do not upload to iHealth).
-- Try starting the async task by changing the status to VALIDATING.

Impact:
Patch for iControl REST endpoint is not successful. Patch operation is accepted by /mgmt/tm/task/cli/script/ but rejected by /mgmt/tm/task/util/ihealth.

Workaround:
None.

896689-3 : Asynchronous tasks can be managed via unintended endpoints

Component: TMOS

Symptoms:
An asynchronous task created on one endpoint can be started using some other endpoint

Conditions:
Create an asynchronous task e.g. creating qkview using ihealth
using endpoint /mgmt/tm/task/util/ihealth

Gather the task id of the created asynchronous task and send it to a different endpoint e.g. /mgmt/tm/task/cli/script

Impact:
The asynchronous task can be started using this endpoint but this is not intended behavior.

896245-2 : Inconsistency is observed in ARP behavior across releases

Component: Local Traffic Manager

Symptoms:
Creating and deleting VLANs/self IPs might end up with a different number of GARP responses, depending on the BIG-IP software version.

You might notice the differences when comparing older and newer releases, for example, comparing v14.1.0 and earlier compared with versions older than v14.1.0.

Conditions:
This might become evident when you upgrade from an older version.

Impact:
There is no functional impact as a result of this discrepancy.

Workaround:
None.

896217-3 : BIG-IP GUI unresponsive

Component: TMOS

Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.

Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.

Impact:
GUI becomes unresponsive.

Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat

895845-4 : Implement automatic conflict resolution for gossip-conflicts in REST

Component: TMOS

Symptoms:
The devices in a high availability (HA) environment are out of sync in strange ways; config sync status indicates 'In Sync', but iApps such as SSL Orchestrator are out of sync.

Conditions:
-- high availability (HA) environment with two or more devices.
-- Gossip used for config sync. (Note: Gossip sync is used by BIG-IQ for BIG-IP config sync by iAppLX.)
-- A gossip conflict occurs for some reason.

You can detect gossip conflicts at the following iControl REST endpoint:
/mgmt/shared/gossip-conflicts

You can check gossip sync status at the following iControl REST endpoint:
/mgmt/shared/gossip

Impact:
If there are gossip conflicts, the devices requires manual intervention to get back in sync.

Workaround:
When two devices are out of sync with different generation numbers due to gossip conflict, you can use the following guidance to resolve the conflict:

1. Update devices info to use the same generation number.

2. This info found on REST Storage worker. Storage worker uses the selflink plus a generation number as the key to a given set of data.

3. Add the data from the unit with the highest generation number to the other unit.

4. Must also take care to increase the generation number on the new data to match that of the highest generation

Commands used:
1. Look for GENERATION_MISSING and gossip-conflict objects:
tmsh list mgmt shared gossip-conflicts

2. Get the 'selflink in remoteState' attribute. This self link is same across all devices and checks on the browser with each device to discover the device that is on the highest generation number:
tmsh list mgmt shared gossip-conflicts <OBJECT_ID>

3. Now you know what device contains the most recent version of your data, run this command to get up-to-date data:
restcurl /shared/storage?key=<everything after 'https://localhost/mgmt/' on selflink>

4. Make a post to the out-of-date device that includes the info from the up-to-date device as the post body:
restcurl -X POST /shared/storage -d '{<data from above command>}'

895837-2 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified

Component: TMOS

Symptoms:
Virtual server configured with:

-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0

-- The configuration uses a destination port list.

Conditions:
Modify the virtual server's port-list to a different one.

Impact:
Mcpd generates a core, and causes services to restart and failover.

Workaround:
None.

895801-3 : Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted

Component: Service Provider

Symptoms:
After modifying an MRF transport-config to use a different TCP profile, TMM must be restarted for this change to take effect. tmm crash

Conditions:
-- Using MRF with a transport-config.
-- Modifying the transport-config so that it uses a different TCP profile.

Impact:
Expected changes do not take effect until TMM is restarted.

Workaround:
Restart TMM.

Note: Traffic is disrupted while tmm restarts.

895205-3 : A circular reference in rewrite profiles causes MCP to crash

Component: Local Traffic Manager

Symptoms:
MCPD crash when modifying rewrite profile.

Conditions:
-- More than one rewrite profile is configured.
-- At least two rewrite profiles are referencing each other circularly.

Impact:
MCPD crash. For a Device Service Cluster this results in a failover. For a standalone system, this results in an outage.

Workaround:
Do not create circular references with profiles.

895165-3 : Traffic-matching-criteria with "any" protocol overlaps with explicit protocols

Component: Local Traffic Manager

Symptoms:
An error like the example below when defining "any" protocol after previously defining traffic-matching-criteria with explicit protocols.
01b90011:3: Virtual Server /Common/vs-tcp's Traffic Matching Criteria /Common/vs-tcp_IP_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs-any destination address, source address, service port.

Conditions:
-- Previously defining traffic-matching-criteria with explicit protocols
-- Afterwards defining virtual server with "any" protocol

Impact:
Cannot define a valid virtual server with "any" protocol

Workaround:
N/A

895153-1 : HTTP::has_responded returns incorrect values when using HTTP/2

Component: Local Traffic Manager

Symptoms:
HTTP::has_responded isn't detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded will always return the value false.

Conditions:
-- HTTP2 Profile.
-- iRule containing the command HTTP::has_responded

Impact:
Calls to HTTP::respond or HTTP::redirect will not be correctly identified by HTTP::has_responded when using HTTP/2.

Workaround:
None.

894545-3 : Creating a virtual server in the GUI with a destination address list and 'All Ports' can erroneously conflict with other virtual servers

Component: TMOS

Symptoms:
If you have an existing virtual server that uses an address list for its destination and 'All Ports' configured for its port, then if you attempt to create another virtual server with a different (non-overlapping) address list with 'All Ports' configured and a protocol that overlaps (i.e., is either the same, or one of the protocols is 'All Protocols'), then creation of the virtual server will fail with an error similar to:

01b90011:3: Virtual Server /Common/test's Traffic Matching Criteria /Common/test_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/test2 destination address, source address, service port.

Conditions:
-- Using the GUI.
-- An existing virtual server that uses an address list as its destination and has its Service Port set to 'All Ports'.
-- An attempt to create another virtual server with a (non-overlapping) destination address list and 'All Ports' that has an overlapping Protocol (i.e., is either the same, or one of the protocols is 'All Protocols').

Impact:
Unable to create a valid virtual server.

Workaround:
Use TMSH to create the second virtual server instead.

894081-3 : The Wide IP members view in the WebUI may report the incorrect status for a virtual server.

Component: Global Traffic Manager (DNS)

Symptoms:
A virtual server which is actually down and should show red is reported as up and shows green.

Conditions:
This issue happens when a virtual server is marked down by the system due to inheriting the status of its parent link.

Note: This issue only affects Link Controller systems, and not DNS/GTM systems.

Impact:
The WebUI cannot be used to reliably assess the status of Wide IP members (virtual servers).

Workaround:
Use the tmsh utility in one of the following ways to inspect the status of Wide IP members:

# tmsh show gtm pool a members

# tmsh show gtm server virtual-servers

893885-2 : The tpm-status command returns: 'System Integrity: Invalid' after HotFix installation

Component: TMOS

Symptoms:
The tpm-status command incorrectly reports system integrity status as 'Invalid' even when system software is not modified.

Conditions:
-- BIG-IP software v14.1.0 or later version.
-- EHF installed on TPM-supported BIG-IP platform.

Impact:
Incorrect presentation of system software status.

Workaround:
None.

893813-2 : Modifying pool enables address and port translation in TMUI

Component: TMOS

Symptoms:
When modifying the pool for a virtual server, address translation and port translation checkboxes are enabled irrespective of their initial state.

Conditions:
-- Creating a virtual server using the GUI
-- Advanced Configuration is selected
-- Address Translation or Port Translation checkboxes are initially unchecked
-- You modify a pool from this screen

Impact:
Virtual server is created with address and port translation enabled.

Workaround:
You can disable it by again editing the virtual server.

893341-2 : BIG-IP VE interface is down after upgrade from v13.x w/ workaround for ID774445★

Component: TMOS

Symptoms:
You have BIG-IP Virtual Edition (VE) v13.1.x affected with ID 774445, and its workaround is in place.

echo "device driver vendor_dev 15ad:07b0 unic" >> /config/tmm_init.tcl

After upgrading to a newer version, interfaces are down.

Conditions:
-- Virtual Edition environment affected by the ID774445.
-- Apply the workaround described in in Final - K74921042: BIG-IP VE may fail to process traffic after upgrading the VMware ESXi 6.7 host to Update 2 (or later) :: https://support.f5.com/csp/article/K74921042.

Impact:
Interfaces are down.

Workaround:
1. Edit the /config/tmm_init.tcl file to remove the following line:
device driver vendor_dev 15ad:07b0 unic

2. Reboot into into the new software version.

3.Restart TMM:
tmsh restart sys service tmm

893281-4 : Possible ssl stall on closed client handshake

Component: Local Traffic Manager

Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.

Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.

Impact:
Some ssl client connection remain until idle timeout.

893093-3 : An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.

Component: TMOS

Symptoms:
The intended screen does not show when you navigate in the WebUI to either of the following locations:

-- System :: Certificate Management :: Device Certificate Management->Device Trust Certificates

-- DNS :: GSLB :: Servers :: Trusted Server Certificates

The system returns the following error:

An error has occurred while trying to process your request.

Additionally, a Java stack trace is also logged to the /var/log/tomcat/catalina.out file.

Conditions:
An extraneous SSL CSR file is present in the /config/big3d or /config/gtm directory.

-- When the extraneous file is in the /config/big3d directory, the System :: Certificate Management :: Device Certificate Management :: Device Trust Certificates screen is affected.

-- When the extraneous file is in the /config/gtm directory, the DNS :: GSLB :: Servers :: Trusted Server Certificates screen is affected.

Impact:
The WebUI cannot be used to inspect those particular SSL certificate stores.

Workaround:
The /config/big3d and /config/gtm directories are meant to contain only one file each (client.crt and server.crt, respectively).

You can resolve this issue by inspecting those directories and removing any file that may have been accidentally copied to them.

For more information on those directories, refer to: K15664: Overview of BIG-IP device certificates (11.x - 15.x) :: https://support.f5.com/csp/article/K15664.

893061-3 : Out of memory for restjavad

Component: Application Security Manager

Symptoms:
REST framework not available due to Out of memory error

Conditions:
Long list of Live Update installations

Impact:
Live Update GUI is not responding.

Workaround:
1) Increase memory assigned to the Linux host: (value dependant on platform)

# tmsh modify sys db provision.extramb value 1000

2) Allow restjavad to access the extra memory:

# tmsh modify sys db restjavad.useextramb value true

3) Save the config:

# tmsh save sys config

4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.

5) Increase the restjavad maxMessageBodySize property:

# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
  "maxMessageBodySize": 134217728,
  "localhostRestnodedConnectionLimit": 8,
  "defaultEventHandlerTimeoutInSeconds": 60,
  "minEventHandlerTimeoutInSeconds": 15,
  "maxEventHandlerTimeoutInSeconds": 60,
  "maxActiveLoginTokensPerUser": 100,
  "generation": 6,
  "lastUpdateMicros": 1558012004824502,
  "kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
  "selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}

Ensure the command returns output showing the limit has been increased (as shown above).

6) Reboot the unit.

892801-3 : When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"

Component: Local Traffic Manager

Symptoms:
When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent".

Conditions:
-- An Internal Virtual Server is created without an existing 0.0.0.0 virtual address.

Impact:
The Internal Virtual Server will be considered unavailable and will not process traffic.

Workaround:
Create a 0.0.0.0 virtual address prior to creating the Internal Virtual Server.

892677-5 : Loading config file with imish adds the newline character

Component: TMOS

Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.

In particular, this affects the bigip_imish_config Ansible module.

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Regex expressions are not created properly.

Workaround:
You can use either of the following workarounds:

-- Delete and re-add the offending commands using the imish interactive shell.

-- Restart tmrouted:
bigstart restart tmrouted

892653-3 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI

Component: Application Security Manager

Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI

Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html

892485-4 : A wrong OCSP status cache may be looked up and re-used during SSL handshake.

Component: Local Traffic Manager

Symptoms:
A wrong OCSP status entry in SessionDB is returned during a cache lookup due to using a wrong input parameter - certificate serial number. The result is wrong OCSP status is used in the SSL handshake.

Conditions:
If OCSP object is configured in a clientSSL or serverSSL profile.

Impact:
A wrong OCSP status may be reported in the SSL handshake.

892445-3 : BWC policy names are limited to 128 characters

Component: TMOS

Symptoms:
A 128-character limit for BWC policy object names is enforced and reports an error:

01070088:3: The requested object name <name> is invalid.

Conditions:
Attempting to create a BWC policy object with a name longer than 128 characters.

Impact:
Unable to create BWC policy objects with names that have more than 128 characters.

Workaround:
Use fewer than 128 characters when creating a BWC policy.

892073-2 : TLS1.3 LTM policy rule based on SSL SNI is not triggered

Component: Local Traffic Manager

Symptoms:
A policy rule based on SSL SNI at SSL client hello is not triggered for a TLS1.3 connection.

Conditions:
-- LTM policy rule specifying SSL client hello SNI.
-- TLS1.3 connection.

Impact:
Policy rule not triggered for TLS1.3.

Workaround:
None.

891729-3 : Errors in datasyncd.log★

Component: Fraud Protection Services

Symptoms:
An error exists in datasyncd.log:
DATASYNCD|ERR |Mar 13 12:47:54.079|16301| datasyncd_main.c:1955|tbl_gen_state_machine: cannot start the generator for table CS_FPM

Conditions:
Upgrades from version 13.x to 14.0.0 or higher.

Impact:
FPS has a maximum of ~990 rows instead of 1001, and there are errors in datasyncd.log. However, the upgrade completes normally, and the system operates as expected.

Workaround:
These are benign error messages that you can safely ignore. Upgrade completes successfully, and the system operates as expected.

If you prefer, however, you can perform a clean install instead instead of upgrading. This has an impact on your configuration, as that information will be lost when you do a clean install.

891505-2 : TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.

Component: Access Policy Manager

Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.

Conditions:
OAuth agent is used in APM per-request policy subroutine and authentication fails.

Impact:
Over a period of time, TMM crashes, as it is unable to allocate any more memory. Traffic is disrupted while tmm restarts.

Workaround:
None.

891385-3 : Add support for URI protocol type "urn" in MRF SIP load balancing

Component: Service Provider

Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.

Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.

Impact:
SIP messages with urn URIs are rejected.

891373-3 : BIG-IP does not shut a connection for a HEAD request

Component: Local Traffic Manager

Symptoms:
When an HTTP request contains the 'Connection: close' header, the BIG-IP system shuts the TCP connection down. If a virtual server has a OneConnect profile configured, the BIG-IP system fails to close the connection for HEAD requests disregarding a client's demand.

Conditions:
-- A virtual server has HTTP and OneConnect profiles.
-- An HTTP request has the method HEAD and the header 'Connection: close'.

Impact:
Connection remains idle until it expires normally, consuming network resources.

Workaround:
None.

891337-2 : 'save_master_key(master): Not ready to save yet' errors in the logs

Component: TMOS

Symptoms:
During config sync, you see error messages in the logs:
save_master_key(master): Not ready to save yet.

Conditions:
UCS load or configuration synchronization that includes encrypted objects.

Impact:
Many errors seen in the logs.

Workaround:
None.

891221-3 : Router bgp neighbor password CLI help string is not helpful

Component: TMOS

Symptoms:
Unable to confirm the supported encryption types.

enable or add BGP routing prorotol to a route domain
imish >> enable >> conf t >> router bgp 20065004 >> neighbor 1.2.3.4 password ?

b7000.lab[0](config-router)#neighbor 1.1.1.1 password ?
WORD Encryption Type or the password

Conditions:
Configuring the bgp neighbor with encryption password.

Impact:
Unable to confirm the supported encryption types.

Workaround:
None.

891181-3 : Wrong date/time treatment in logs in Turkey/Istambul timezone

Component: Application Security Manager

Symptoms:
There is mismatch between server and GUI timezone treatment for Turkey/Istambul timezone.

Conditions:
User sets Turkey/Istambul timezone on BIG-IP

Impact:
When filtering logs by time period, results differ from set period by an hour

Workaround:
Define time period one hour earlier for filtering ASM logs

891145-4 : TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal

Component: Local Traffic Manager

Symptoms:
SYNs received with TSVal <= TS.Recent are dropped without sending an ACK in FIN-WAIT-2 state.

Conditions:
-- Timestamps are enabled in TCP profile.
-- Local TCP connection is in FIN-WAIT-2 state.
-- Remote TCP connection abandoned the flow.
-- A new TCP connection sends a SYN with TSVal <= TS.Recent to the local connection.

Impact:
The new TCP connection cannot infer the half-open state of Local TCP connections, which prevents faster recovery of half-open connections. The local TCP connection stays around for a longer time.

Workaround:
There are two workarounds:

-- Reduce the Fin Wait 2 timeout (the default: 300 sec) so that TCP connection is terminated sooner.

-- Disable TCP Timestamps.

890573-1 : BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart

Component: WebAccelerator

Symptoms:
BIG-IP WAM/AAM provides a faster cache store called small object cache. To get into this cache, an object must have its size below a threshold defined in BigDB variable wam.cache.smallobject.threshold. BIG-IP does not always pickup this value after a restart of TMM.

Conditions:
- WAM/AAM is provisioned;
- A virtual server is configured with a webacceleration profile having a web application.

Impact:
When small object cache has a non-default value, it may incorrectly place an object into Small Object cache (faster cache store) or MetaStor (slower cache store), causing performance impact.

Workaround:
Reset wam.cache.smallobject.threshold value.

890401-1 : Restore correct handling of small object when conditions to change cache type is satisfied

Component: WebAccelerator

Symptoms:
BIG-IP system software allows you to cache HTTP responses with WAM/AMM web applications. There is a special storage location for small-size objects. If a caching object is about to exceed a threshold limit, the BIG-IP system might change its caching storage to MetaStor. A fix for ID 792045 introduced an issue for instances in which it does not, which resulted in not serving a cached object.

Conditions:
-- WAM/AAM is provisioned.
-- Virtual server has a webacceleration profile with a web application.
-- The BIG-IP software contains a fix for ID 792045.

Impact:
The BIG-IP system resets a connection with an error, a cached object is not served, and the rendering of a client's webpage is not correct.

Workaround:
None.

890285-1 : DNS resolver cannot forward DNS query to local IPv6 virtual server

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS resolver is not sending backend dns request to local IPV6 virtual servers.

Conditions:
DNS resolver referring to local IPV6 virtuals.

Impact:
Unable to resolve dns requests properly.

890229-2 : Source port preserve setting is not honoured

Component: Local Traffic Manager

Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.

Conditions:
This issue occurs when both of the following conditions are met:

-- The virtual server is configured with source-port preserve (the default).
-- The system uses one of the following hash configurations including IP addresses.
    - Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
    - Configuring a VLAN's 'CMP Hash' setting to a non-default value.
    - Using a special variable such as non-default udp.hash or tcp.hash.

Impact:
Applications relying on a specific, fixed source port might not work as expected.

Workaround:
Set source-port to preserve-strict.

889801-2 : Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE.

Component: Global Traffic Manager (DNS)

Symptoms:
Upon close inspection of the statistics of a particular DNS Cache, for example by running the command 'tmsh show ltm dns cache resolver <name>', you realize that the 'Total Responses' counter for the cache is not incrementing as much as it should be.

Specifically, by comparing the counter with packet captures or the stats of the DNS Profile, you realize the system is under-reporting 'Total Responses'.

Conditions:
The virtual server using the DNS Cache also uses an iRule which happens to include a suspending command (e.g., 'table') under the DNS_RESPONSE event.

Impact:
The incorrect DNS Cache statistics may confuse or mislead a BIG-IP Administrator.

No traffic impact exists as part of this issue. Responses are still being served from the cache even when the counter says they are not.

Workaround:
None.

889165-2 : "http_process_state_cx_wait" errors in log and connection reset

Component: Local Traffic Manager

Symptoms:
Large POST requests are getting occasionally reset and you see the following in /var/log/ltm:

err tmm[19279]: 011f0007:3: http_process_state_cx_wait - Invalid action:0x100011 clientside

Conditions:
-- An HTTP iRule is configured on a virtual server
-- A large POST request arrives on the virtual server

Impact:
Possible connection failure.

889029-3 : Unable to login if LDAP user does not have search permissions

Component: TMOS

Symptoms:
A user is unable to log in using remote LDAP.

Conditions:
-- BIG-IP configured to use LDAP authentication.
-- Remote user has no search permissions on directory

Impact:
Authentication does not work

Workaround:
Grant search permissions to the user in LDAP.

888341-6 : HA Group failover may fail to complete Active/Standby state transition

Component: TMOS

Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), high availability (HA) Group failover may not complete despite an high availability (HA) Group score change occurring. As a result, a BIG-IP unit with a lower high availability (HA) Group score may remain as the Active device.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.

For example:

-- For 1 floating traffic group, after 2485~ days.
-- For 2 floating traffic groups, after 1242~ days.
-- For 4 floating traffic groups, after 621~ days.
-- For 8 floating traffic groups, after 310~ days.
-- For 9 floating traffic groups, after 276~ days.

Note: You can confirm sod process uptime in tmsh:

# tmsh show /sys service sod

Conditions:
-- high availability (HA) Group failover mode configured.

Note: No other failover configuration is affected except for high availability (HA) Group failover.

o VLAN failsafe failover.
o Gateway failsafe failover.
o Failover triggered by loss of network failover heartbeat packets.
o Failover caused by system failsafe (i.e., the TMM process was terminated on the Active unit).

Impact:
HA Group Active/Standby state transition may not complete despite high availability (HA) Group score change.

Workaround:
There is no workaround.

The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.

888289-2 : Add option to skip percent characters during normalization

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.

Impact:
An attack goes undetected.

Workaround:
Turn on the bad unescape violation or the metacharacter violation.

888113-2 : HUDEVT_CALLBACK is queued after HUDCTL_ABORT in HTTP-MR proxy

Component: Local Traffic Manager

Symptoms:
TMM cores in HTTP-MR proxy.

Conditions:
-- HTTP and HTTP Router profiles are configured on the virtual server.
-- HUDEVT_CALLBACK is queued after HUDCTL_ABORT in HTTP-MR proxy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

888081-3 : BIG-IP VE Migration feature fails for 1NIC

Component: TMOS

Symptoms:
When a saved UCS is attempted to be restored in a new BIG-IP Virtual Edition (VE) in order to migrate the configuration, it fails.

load_config_files[28221]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 01071412:3: Cannot delete IP (x.x.x.x) because it is used by the system config-sync setting.

Conditions:
The UCS load step might fail if the DB variable Provision.1NicAutoconfig is set to disable.

Impact:
The UCS restore fails.

Workaround:
The DB variable can be set to enable before loading the UCS.

# tmsh modify sys db provision.1nicautoconfig value enable

887625-2 : Note should be bold back, not red

Component: Application Security Manager

Symptoms:
Under Session Hijacking :: Device Session Hijacking by Device ID Tracking, the note text below the 'enable' checkbox is shown in bold red color

Note : Device-ID mode must be configured in bot profile for this option to work.

Conditions:
This always occurs.

Impact:
The Note does not indicate a hazardous situation (as might be implied by the color), so the text should be black instead of red.

Workaround:
None.

887609-4 : TMM crash when updating urldb blacklist

Component: Traffic Classification Engine

Symptoms:
TMM crashes after updating the urldb blacklist.

Conditions:
-- The BIG-IP system is configured with URL blacklists.
-- Multiple database files are used.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

887505-2 : Coreexpiration script improvement

Component: TMOS

Symptoms:
Script fails with:
stat: cannot stat '/shared/core/*.core.*': No such file or directory.

In addition, the system reports a message in /var/log/user and /var/log/messages when there are no core files:
Deleting file /shared/core/*.core.*

Conditions:
Coreexpiration script is run.

Impact:
No core is produced. In addition, there is no core deleted.

Workaround:
To resolve the issue, add the following line to the script:

  for filename in /shared/core/*.core.*; do
   + [ -e "$filename" ] || continue
         # Time of last modification as seconds since Epoch

887117-1 : Invalid SessionDB messages are sent to Standby

Component: TMOS

Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:

SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.

Impact:
Standby drops these messages

Workaround:
None.

887089-4 : Upgrade can fail when filenames contain spaces

Component: TMOS

Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.

The file's content is also significant because that determines the md5sum value.

Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:

Not enough free disk space to install!

Conditions:
Filenames with spaces in /config directory.

Impact:
Upgrade or loading of UCS fails.

Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.

887045-3 : The session key does not get mirrored to standby.

Component: Local Traffic Manager

Symptoms:
When a session variable key length is 65 KB, session mirroring fails for that specific key.

Conditions:
-- APM high availability (HA) setup.
-- Access Policy is configured and synced across both devices.
-- A session variable key of ~65 KB arrives

Impact:
The session key does not get mirrored to standby.

Workaround:
None

886729-1 : Intermittent TMM crash in per-request-policy allow-ending agent

Component: Access Policy Manager

Symptoms:
TMM crash.

Conditions:
When user trying to access a URL with unique hostname in the current session.

Impact:
TMM crash. No access to the URL. Traffic disrupted while tmm restarts.

Workaround:
None.

886273-2 : Unanticipated restart of TMM due to heartbeat failure

Component: TMOS

Symptoms:
A tmm thread might stall while yielding the CPU, and trigger a failsafe restart of the tmm process.

Conditions:
-- Appliance platforms (i.e., non-VIPRION platforms).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None known.

886145-3 : The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS WebUI.

Component: Global Traffic Manager (DNS)

Symptoms:
The 'Reconnect' and 'Reconnect All' buttons (introduced in BIG-IP version 14.1.0 to restart some or all iQuery connections) do not work when clicked.

The 'Reconnect' button does not become enabled when a server is selected from the list, and an error is logged in the browser console.

The 'Reconnect All' button is clickable but returns the error "No response action specified by the request" when clicked.

Conditions:
You have accessed the buttons via the following WebUI path:

DNS > GSLB > Data Centers > [dc name] > Servers

Impact:
The buttons do not work, making the corresponding feature unavailable from the WebUI.

Workaround:
Access the buttons via the following alternative WebUI path:

DNS > GSLB > Servers

886045-3 : Multi-nic instances fail to come up when trying to use memory mapped virtio device

Component: Local Traffic Manager

Symptoms:
Multi-nic instances fail to come up while using memory mapped

Running the command lspci -s <pci-id> -vv
Results in the "region" field reporting 'Memory at xxxxx'

Conditions:
TMM crashes as soon as BIG-IP tries to come up.

Impact:
BIG-IP fails to attach to the underlying virtio devices

Workaround:
Switch to the sock driver by overriding tmm_init.tcl. For instructions on how to enable the sock driver, see the workaround in K74921042: BIG-IP VE may fail to process traffic after upgrading the VMware ESXi 6.7 host to Update 2 (or later), available at https://support.f5.com/csp/article/K74921042

885869-3 : Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime

Component: Global Traffic Manager (DNS)

Symptoms:
iQuery incorrectly interprets iQuery SSL certificate times when they are using GenericTime instead of UTCTime.

Conditions:
An iQuery certificate using GenericTime instead of UTCTime.

Note that this would only occur with a date beyond the year 2049.

Impact:
Internal years are interpreted to be much later than they should be.

Workaround:
Use SSL certificates with UTCTime instead of GenericTime.

885325-3 : Stats might be incorrect for iRules that get executed a large number of times

Component: Local Traffic Manager

Symptoms:
iRules that execute a lot can make stats counters large enough to overflow in a relatively short amount of time (e.g., a couple of months).

Conditions:
Execute an iRule a lot (e.g., make the total number of executions greater than 32 bits) and check its stats.

Impact:
After the total number exceeds 32 bits, the counter stats are no longer valid.

Workaround:
None.

884989-2 : IKE_SA's Not mirrored of on Standby device if it reboots

Component: TMOS

Symptoms:
After rebooting the standby BIG-IP device, IKE SA's are not mirrored.

Conditions:
-- IPSEC is configured in a high availability (HA) environment
-- Standby device is rebooted

Impact:
IKE_SA's will have to be renegotiated.
The performance impact is minimal.

884797-3 : Portal Access: in some cases data is not delivered via WebSocket connection

Component: Access Policy Manager

Symptoms:
If a client browser opens a WebSocket connection, Portal Access may not send data to the client if the first message in the new connection comes from the server.

Conditions:
- Web application with WebSocket connection
- First data in WebSocket connection is sent from server to client

Impact:
Data is not delivered to the client browser via the WebSocket connection.

884729-3 : The vCMP CPU usage stats are incorrect

Component: TMOS

Symptoms:
The vCMP CPU usage stats are incorrect when process on a secondary blade has the same PID as that of primary blade's qemu process.

Conditions:
A process on a secondary blade has the same PID as that of primary blade's qemu process.

Impact:
The vCMP CPU usage stats are intermittently incorrect.

Workaround:
None.

883577-3 : ACCESS::session irule command does not work in HTTP_RESPONSE event

Component: Access Policy Manager

Symptoms:
When ACCESS::session irule is used in HTTP_RESPONSE event, the APM session creation fails with the following log in /var/log/ltm

No HTTP data available - command unsupported in event (line XX)session creation failed - Operation not supported (line XX)

Conditions:
Using ACCESS::session create command under HTTP_RESPONSE.

Impact:
Cannot create APM session using the ACCESS::session irule command.

Workaround:
The same irule ACCESS::session can be used under HTTP_REQUEST to create the APM session.

883149-3 : The fix for ID 439539 can cause mcpd to core.

Component: TMOS

Symptoms:
Mcpd cores during config sync.

Conditions:
This has only been observed once. The device was going from standby to active, and the connection between the BIG-IP peers stalled out.

Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.

Workaround:
NA

883049-3 : Statsd can deadlock with rrdshim if an rrd file is invalid

Component: Local Traffic Manager

Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.

You may see errors:

-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.

Conditions:
Truncation of a binary file in /var/rrd.

Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.

Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd

882833-3 : SELinux issue cause zrd down★

Component: TMOS

Symptoms:
After upgrading BIG-IP, zrd fails to start.

In /var/log/daemon.log you encounter errors:

err named[19356]: open: /config/named.conf: permission denied

Conditions:
This can occur after upgrading. It was encountered when upgrading from version 14.1.0.6 to 15.0.1.1.

Impact:
DNS service disrupted as zrd fails to start after reboot

Workaround:
Restorecon -rF /var/named/

882769-2 : Request Log: wrong filter applied when searching by Response contains or Response does not contain

Component: Application Security Manager

Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed

Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter

Impact:
You are unable to search by response in the GUI

Workaround:
There is no way to search in GUI, but you can search using REST API

882757-2 : sflow_agent crash SIGABRT in the cleanup flow

Component: TMOS

Symptoms:
Disabling DHCP on the management port causes sflow_agent to crash.

Conditions:
This does not always occur, but when it does occur, it crashes when disabling DHCP on the management port.

Impact:
sflow_agent crashes.

Workaround:
Do not disable DHCP on the management port

882729-2 : Applied Blocking Masks discrepancy between local/remote event log

Component: Application Security Manager

Symptoms:
Applied Blocking Masks discrepancy between local/remote event log, ASM logging event logs both locally and remotely to BIG-IQ has discrepancy.

Conditions:
This occurs when "Applied Blocking Masks" logs are emitted on a device where local and remove event logging is configured.

Impact:
This is cosmetic but can lead to confusion.

882725-4 : Mirroring not working properly when default route vlan names not match.

Component: Local Traffic Manager

Symptoms:
When using two BIG-IP systems to mirror traffic, mirroring functions correctly if the default gateway VLAN names match; however, if default gateway VLAN names don't match, then the BIG-IP system does not mirror client-side packets to the peer, which causes the standby BIG-IP system to reset all client-side flows on failover.

Conditions:
-- Two BIG-IP LTM BIG-IP Virtual Edition (VE) systems configured as a high availability (HA) pair.
-- Default gateway VLAN names don't match between them.

Impact:
BIG-IP system does not mirror client-side packets to the peer, which causes the next-active device to reset all client-side flows on failover.

Upon failover all flows are being RST just like a typical failover scenario without mirroring implemented.

Workaround:
Use same VLAN name on all external VLANs that might be used for mirroring.

882713-4 : BGP SNMP trap has the wrong sysUpTime value

Component: TMOS

Symptoms:
The timestamp value of sysUpTime in SNMP traps reported by BGP is incorrect.

Conditions:
BGP connection with a peer flaps, and sends traps for the following:
bgpSnmpNotifyEstablished
bgpSnmpNotifyBackwardTransition

Impact:
The sysUpTime in the trap generated by BGP is incorrect.

Workaround:
None.

882709-3 : Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors in this release★

Component: TMOS

Symptoms:
In this release, traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.

This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions.

Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.

This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5.

Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively).

Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V.

Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.:

    net vlan external {
        interfaces {
            1.1 {
                tagged
            }
        }
        tag 4000
    }

-- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue.

-- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases.

Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic.

-- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged.

Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.

Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN.

Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug.

882545-2 : Multiple rate-limiting agents sharing the same rate-limiting key config may not function properly

Component: Access Policy Manager

Symptoms:
When multiple rate-limiting agents share the same rate-limiting key config, removing one agent may cause other agents to not function properly. In case of using tmm.debug, it may generate a core.

Conditions:
-- Multiple rate-limiting agents sharing the same rate-limiting key config.
-- Removing one agent.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Do not share the same rate-limiting key config among multiple agents.

882377-2 : ASM Application Security Editor Role User can update/install ASU

Component: Application Security Manager

Symptoms:
Live Update modifications are allowed for Application Security Editor Role.

Conditions:
Login as Application Security Editor user and try to install ASU.

Impact:
Application Security Editor Role role is permitted to update Attack Signatures when it shouldn't be.

881085-2 : Intermittent auth failures with remote LDAP auth for BIG-IP managment

Component: TMOS

Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.

Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).

Impact:
There might be intermittend auth failures.

Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299

881065-4 : Adding port-list to Virtual Server changes the route domain to 0

Component: Local Traffic Manager

Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.

Conditions:
Using port-list along with virtual server in non default route domain using the GUI.

Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.

Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.

881041-2 : BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.

Component: Local Traffic Manager

Symptoms:
Some received packets are retransmitted back on the incoming VLAN interface.

Conditions:
The symptom is found with the following conditions:
1. A forwarding virtual server is configured.
2. A packet is received whose destination MAC address is its unicast VLAN MAC address and the destination IP address is the broadcast address of that subnet.

Impact:
Broadcast packets are forwarded back to the incoming VLAN interface might result in loops if there are multiple gateways on the network.

Workaround:
None.

880789-2 : ASMConfig Handler undergoes frequent restarts

Component: Application Security Manager

Symptoms:
Under some settings and load, the RPC handler for the botd process restarts frequently, causing unnecessary churn and message-cluttered logs.

Conditions:
-- Bot protection is enabled.
-- A high volume of bot attacks are handled.

Impact:
The RPC handler for the botd process restarts frequently, causing unnecessary churn and noisy logs

Workaround:
None.

880697-2 : URI::query command returning fragment part, instead of query part

Component: Local Traffic Manager

Symptoms:
The iRule URI commands are designed to parse a given URI string to each components such as scheme (URI::protocol) or authority (URI::host). The URI::query command is designed to return the query part of an URI, but the returned string contains the fragment part. For example, for the URI "foo://example.com:8042/over/there?name=ferret#nose" (an example from Section 3, RFC 3986), URI::query returns "name=ferret#nose". The "#nose" part should not be present in the return value

Conditions:
Create a test rule with URI having '#' like this.

when HTTP_REQUEST {
  # from RFC 3986 Section 3
  set url "foo://example.com:8042/over/there?name=ferret#nose"
  log local0. "query: [URI::query $url]"
}

Impact:
URI operations that involve #fragments may fail.

Workaround:
NA

880565-2 : Audit Log: "cmd_data=list cm device recursive" is been generated continuously

Component: Device Management

Symptoms:
The system generates and logs the following message continuously, at the rate of 3 times a minute, in /var/log/audit:

-- hostname.com notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=cd / ;
-- hostname.com notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm

Conditions:
This occurs during normal operation.

Impact:
Audit log file contains numerous 'cmd_data=list cm device recursive' messages.

Workaround:
Edit the 'include' section of syslog configuration to suppress audit logs of 'cmd_data=cd /' and 'cmd_data=list cm device recursive'.

# tmsh edit /sys syslog all-properties

Replace 'include none' with following syntax.
===
sys syslog {
- snip -
include "
filter f_audit {
facility(local0) and match(AUDIT) and not match(\"cmd_data=list cm device recursive|cmd_data=cd /\");
};"
- snip -
}

880473-2 : Under certain conditions, the virtio driver may core during shutdown

Component: TMOS

Symptoms:
If the virtio driver fails to initialize, it may core during shutdown.

Conditions:
-- Using the virtio VE driver.
-- The virtio driver fails initialization and shuts down instead.

Impact:
TMM cores during driver shutdown.

880125-4 : WideIP (A) created together with aliases (CNAME) causes missing A records in ZoneRunner

Component: Global Traffic Manager (DNS)

Symptoms:
Creating WideIP with aliases at the same time causes ZoneRunner to create CNAME RRset without matching A RRset on the peer.

Conditions:
Creating WideIP with aliases at the same time(using GUI or tmsh) causes ZoneRunner to create CNAME RRset without matching A RRset on the peer.

Impact:
GTM peer will not respond with correct answer for DNS request.

Workaround:
Create wideip with two steps.

880013-2 : Config load fails after changing the BIG-IP Master key which has an encrypted key in it's configuration

Component: TMOS

Symptoms:
Config load fails with an error:

01071769:3: Decryption of the field (privatekey) for object (12004) failed.
Unexpected Error: Loading configuration process failed.

Conditions:
-- BIG-IP configuration has a secured attribute, for example an encrypted dynad key
-- The master key password is changed
-- The configuration is loaded before saving the changes

Impact:
"tmsh load sys config" fails.

Workaround:
After modifying the master key password, save the configuration and then perform the tmsh load sys configuration.

880009-2 : Tcpdump does not export the TLS1.3 early secret

Component: TMOS

Symptoms:
Users running tcpdump with the 'ssl:v' flag to obtain the early traffic secret are given the early master secret instead.

Conditions:
Run tcpdump with the 'ssl:v' flag.

Impact:
Users cannot decrypt TLS1.3 early data packets.

Workaround:
None.

879969-4 : FQDN node resolution fails if DNS response latency >5 seconds

Component: TMOS

Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.

Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses

Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.

Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.

879777-2 : Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge

Component: Application Security Manager

Symptoms:
After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.

Conditions:
-- Bot Defense profile is enabled
-- "Cross Domain Request":"validate upon request" option is enabled
-- A browser navigates to a qualified (HTML) page from a related domain.

Impact:
Browser receives another JS challenge, instead of retrieving the cookie from the related domain. This causes extra latency for the client.

Workaround:
Use "validate in a bulk" option.

879413-2 : Statsd fails to start if one or more of its *.info files becomes corrupted

Component: Local Traffic Manager

Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd will fail to load it and end up restarting continuously. You see the following messages in /var/log/ltm:

err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'
err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.

Conditions:
-- Corrupted *.info file in /var/rrd.

Impact:
Stats will no longer be accurate.

Workaround:
It might take multiple attempts to retain the *.info file:

found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done

... where <filename> is the actual name of the file (e.g. "throughput.info").

879409-4 : TMM core with mirroring traffic due to unexpected interface name length

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- Platform: B4400 Blade (BIG-IP VPR-B4450N).
-- High availability (HA) mirroring is set up.
-- Provisioned modules: LTM, AFM.
-- HA mirroring messages are received with unexpected interface name length.

Impact:
Processing of invalid length can cause memory corruption. The tmm process generates a core. Traffic disrupted while tmm restarts.

Workaround:
None.

879405-2 : Incorrect value in Transparent Nexthop property

Component: TMOS

Symptoms:
Incorrect value in Transparent Nexthop property on virtual server page with assigned VLAN.

Conditions:
-- Virtual server configured with with transparent next-hop bychecking 'Transparent Nexthop' in the GUI on the LTM Virtual Server page: Transparent Nexthop = None

Works fine with:

Impact:
Incorrect value shown in Transparent Nexthop property field.

Workaround:
Use tmsh to complete the action successfully.

879401-2 : Memory corruption during APM SAML SSO

Component: Access Policy Manager

Symptoms:
During processing of SAML SSO single logout (SLO) requests, a block of tmm memory may become corrupted.

Conditions:
- BIG-IP system is configured as SAML SP.
- External SAML IdP sends SLO request.

Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.

879301-2 : When importing a BIND zone file, SRV/DNAME/NAPTR RRs do not have correct $ORIGIN appended

Component: Global Traffic Manager (DNS)

Symptoms:
When importing a BIND zone file, $ORIGIN is appended for rdata from SRV and NAPTR RRs, also not appended for DNAME's owner label.

Conditions:
$ORIGIN is used in original zone files and use zone runner to import.

Impact:
Zone files are not generated correctly.

Workaround:
Do not use $ORIGIN.

879189-2 : Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section

Component: TMOS

Symptoms:
Network map shows error message: One or more profiles are inactive due to unprovisioned modules.

Conditions:
-- ASM provisioned.
-- A profile is attached to a virtual but the module supporting the profile is not provisioned

Impact:
The Network Map shows an error message.

Workaround:
Provision the module that supports the profile.

879001-2 : LDAP data is not updated consistently which might affect authentication.

Component: TMOS

Symptoms:
Change not updated in LDAP when the system auth source ('systemauth.source' DB key/'Auth Source Type') is set to Active Directory.

This change is not applied when the setting is modified (e.g., from local or LDAP to Active Directory, or from Active Directory to LDAP). Instead, the change is applied only when MCPD is rewriting the file for other reasons.

Conditions:
Changing the 'systemauth.source' DB key/'Auth Source Type':
-- From local to Active Directory.
-- From LDAP to Active Directory.
-- From Active Directory to LDAP.

Impact:
LDAP data is not updated consistently, and authentication might fail.

Workaround:
None.

878925-1 : SSL connection mirroring failover at end of TLS handshake

Component: Local Traffic Manager

Symptoms:
In some cases, HTTP requests may fail if system failover occurs immediately after the TLS handshake finishes.

Conditions:
-- System failover to standby device with SSL connection mirroring.
-- Failover occurs immediately after the TLS handshake completes but before the HTTP request.

Impact:
Connection might fail the HTTP request; in some cases, the server may reset HTTP 1.0 requests.

Workaround:
None.

878893-2 : During system shutdown it is possible the for sflow_agent to core

Component: TMOS

Symptoms:
The shutdown sequence of the sflow_agent can include a timeout waiting for a response that results in an assert and core file.

Conditions:
BIG-IP reboot can cause the sflow_agent to core.

Impact:
There is a core file in the /var/core directory after a system reboot.

878405 : Intermittent core on BIG-IP 5000-series platforms configured for vCMP

Component: Local Traffic Manager

Symptoms:
On BIG-IP 5000-series platforms configured for vCMP, you might experience unexpected core files that occur intermittently and without a known pattern.

Conditions:
-- BIG-IP 5000-series platforms.
-- Configured for vCMP.
-- Other conditions required are unknown.

Impact:
The system might crash and generate a core file relating to GuestAgent or KeyMgmt daemons, or bigd.

Workaround:
None.

878401 : Intermittent core on BIG-IP 5000-series platforms configured for vCMP

Component: TMOS

Symptoms:
On BIG-IP 5000-series platforms configured for vCMP, you might experience unexpected core files that occur intermittently and without a known pattern.

Conditions:
-- BIG-IP 5000-series platforms.
-- Configured for vCMP.
-- Other conditions required are unknown.

Impact:
The system might crash and generate a core file relating to GuestAgent or KeyMgmt daemons, or bigd.

Workaround:
None.

878393 : Intermittent core on BIG-IP 5000-series platforms configured for vCMP

Component: TMOS

Symptoms:
On BIG-IP 5000-series platforms configured for vCMP, you might experience unexpected core files that occur intermittently and without a known pattern.

Conditions:
-- BIG-IP 5000-series platforms.
-- Configured for vCMP.
-- Other conditions required are unknown.

Impact:
The system might crash and generate a core file relating to GuestAgent or KeyMgmt daemons, or bigd.

Workaround:
None.

878385 : Intermittent core on BIG-IP 5000-series platforms configured for vCMP

Component: TMOS

Symptoms:
On BIG-IP 5000-series platforms configured for vCMP, you might experience unexpected core files that occur intermittently and without a known pattern.

Conditions:
-- BIG-IP 5000-series platforms.
-- Configured for vCMP.
-- Other conditions required are unknown.

Impact:
The system might crash and generate a core file relating to GuestAgent or KeyMgmt daemons, or bigd.

Workaround:
None.

878381 : Intermittent core on BIG-IP 5000-series platforms configured for vCMP

Component: TMOS

Symptoms:
On BIG-IP 5000-series platforms configured for vCMP, you might experience unexpected core files that occur intermittently and without a known pattern.

Conditions:
-- BIG-IP 5000-series platforms.
-- Configured for vCMP.
-- Other conditions required are unknown.

Impact:
The system might crash and generate a core file relating to GuestAgent or KeyMgmt daemons, or bigd.

Workaround:
None.

878373 : Intermittent core on BIG-IP 5000-series platforms configured for vCMP

Component: TMOS

Symptoms:
On BIG-IP 5000-series platforms configured for vCMP, you might experience unexpected core files that occur intermittently and without a known pattern.

Conditions:
-- BIG-IP 5000-series platforms.
-- Configured for vCMP.
-- Other conditions required are unknown.

Impact:
The system might crash and generate a core file relating to GuestAgent or KeyMgmt daemons, or bigd.

Workaround:
None.

878253-2 : LB::down no longer sends an immediate monitor probe

Component: Local Traffic Manager

Symptoms:
The iRule command LB::down is supposed to send an immediate monitor probe, but it does not.

Conditions:
-- Executing LB::down in an iRule.

Impact:
A monitor probe is not immediately sent, which may cause a pool member to be marked down longer than it should be.

876937-2 : DNS Cache not functioning

Component: TMOS

Symptoms:
DNS queries are not being cached on the BIG-IP device.

Conditions:
-- DNS cache is enabled (System :: Configuration : Device : DNS Cache).
-- Device receives DNS queries.

Impact:
DNS queries are forwarded, but the BIG-IP system does not cache them.

Workaround:
None.

876809-2 : GUI cannot delete a cert with a name that starts with * and ends with .crt

Component: TMOS

Symptoms:
If a cert is created with a name that begins with * (asterisk) and ending with .crt, you cannot delete it using the GUI.

Conditions:
-- Certificate with a name similar to *example.crt.

-- Select the checkbox in the GUI and click Delete.

Impact:
GUI displays the message: No records to display. The '*example' certificate is still present.

Workaround:
You can use TMSH to delete it without issue.

876805-2 : Modifying address-list resets the route advertisement on virtual servers.

Component: Advanced Firewall Manager

Symptoms:
If you modify an address list associated with a virtual server, any modifications done to virtual addresses are lost when the list itself is modified.

Conditions:
This occurs in the following scenario:
-- Create an address list.
-- Assign it to a Virtual Server.
-- Modify some or all of Virtual address
-- Modify the address list.

Impact:
Modifications done to virtual addresses are lost.

Workaround:
None.

876801-4 : Tmm crash: invalid route type

Component: Local Traffic Manager

Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:

tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **

Conditions:
The issue is intermittent.

1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
There is no way to workaround a problem, but there is a safe way to add and delete routes without putting a BIG-IP into a state where it could encounter this issue.

Safe way to add/delete a route.
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.

876741 : Intermittent core on BIG-IP 5000-series platforms configured for vCMP

Component: Local Traffic Manager

Symptoms:
On BIG-IP 5000-series platforms configured for vCMP, you might experience unexpected core files that occur intermittently and without a known pattern.

Conditions:
-- BIG-IP 5000-series platforms.
-- Configured for vCMP.
-- Other conditions required are unknown.

Impact:
The system might crash and generate a core file relating to GuestAgent or KeyMgmt daemons, or bigd.

Workaround:
None.

876733 : Intermittent core on BIG-IP 5000-series platforms configured for vCMP

Component: TMOS

Symptoms:
On BIG-IP 5000-series platforms configured for vCMP, you might experience unexpected core files that occur intermittently and without a known pattern.

Conditions:
-- BIG-IP 5000-series platforms.
-- Configured for vCMP.
-- Other conditions required are unknown.

Impact:
The system might crash and generate a core file relating to GuestAgent or KeyMgmt daemons, or bigd.

Workaround:
None.

876717 : Intermittent core on BIG-IP 5000-series platforms configured for vCMP

Component: TMOS

Symptoms:
On BIG-IP 5000-series platforms configured for vCMP, you might experience unexpected core files that occur intermittently and without a known pattern.

Conditions:
-- BIG-IP 5000-series platforms.
-- Configured for vCMP.
-- Other conditions required are unknown.

Impact:
The system might crash and generate a core file relating to GuestAgent or KeyMgmt daemons, or bigd.

Workaround:
None.

876581-3 : JavaScript engine file is empty if the original HTML page cached for too long

Component: Fraud Protection Services

Symptoms:
JavaScript engine file is empty.

Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.

Impact:
No FPS protection for that HTML page.

Workaround:
You can use either workaround:

-- Use an iRule to disable caching for protected HTML pages.

-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is two 2 days).

876465 : Intermittent core on BIG-IP 5000-series platforms configured for vCMP

Component: TMOS

Symptoms:
On BIG-IP 5000-series platforms configured for vCMP, you might experience unexpected core files that occur intermittently and without a known pattern.

Conditions:
-- BIG-IP 5000-series platforms.
-- Configured for vCMP.
-- Other conditions required are unknown.

Impact:
The system might crash and generate a core file relating to GuestAgent or KeyMgmt daemons, or bigd.

Workaround:
None.

876145-4 : Nitrox5 failure on vCMP guest results in all crypto requests failing.

Component: Local Traffic Manager

Symptoms:
Nitrox5 SSL card failure on a vCMP guest deployed on i11000 platform might cause all SSL transactions to fail.

Conditions:
- i11000 platform.
- vCMP guest.
- Nitrox5 card experiences a failure.

Impact:
- SSL transactions do not complete the handshake.
- Following logs can be seen in /var/log/ltm :

01260013:4 SSL Handshake failed for TCP 10.1.1.5:55368 -> 10.1.1.55:443
01260009:4: 10.2.36.5:55384 -> 10.1.1.1:443: Connection error: ssl_hs_vfy_vfydata_cont:14608: alert(47) verify failed

875401-1 : PEM subcriber lookup can fail for internet side new connections

Component: Policy Enforcement Manager

Symptoms:
PEM subcriber lookup can fail for internet side new connections, as PEM might use the remote address to look up the session, which is not the subscriber.

Conditions:
-- PEM enabled and configured
-- Subscriber session has multiple IP's
-- Each IP lands on a different tmm

Impact:
PEM subscriber lookup can fail on the internet side

Workaround:
No workaround.

875373-5 : Unable to add domain with leading '.' through webUI, but works with tmsh.

Component: Application Security Manager

Symptoms:
It is possible to create certain domain matches with leading dot '.' in tmsh, but not in the GUI.

Conditions:
Advanced WAF bot signature configuration with domain with a leading . character.

Impact:
You are unable to use the GUI to create custom bot-defense signatures.

Workaround:
Use tmsh to add custom bot-defense signatures as follows:

tmsh create security bot-defense signature ockerdocker category Crawler domains add {.ockerdocker} rule "headercontent:\"Google_Analytics_Snippet_Validator\"; useragentonly; nocase;"

874877-2 : Bigd http monitor shows misleading 'down' reason when recv does not match

Component: Local Traffic Manager

Symptoms:
When a recv string is used with an http monitor, the http status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.

Conditions:
Configure a BIG-IP to monitor an HTTP server.

Impact:
Misleading log messages, difficulty in identifying the real cause of the monitor failure.

874753-2 : Filtering by Bot Categories on Bot Requests Log shows 0 events

Component: Application Security Manager

Symptoms:
A log that has 'Browser Automation’ as the ‘Bot Category’ exists.

When filtering for only Bot Category: Browser Automation, nothing Shows up.

Conditions:
-- ASM provisioned.
-- Filtering by Bot Categories on Bot Requests Log

Impact:
Legitimate requests being blocked but cannot filter on the category to narrow down their focus.

Workaround:
None.

874677-2 : Traffic Classification auto signature update fails from GUI★

Component: Traffic Classification Engine

Symptoms:
Beginning in BIG-IP software v14.1.0, Traffic Classification auto signature update fails when performed using the GUI.

The system reports an error:
Error: Exception caught in the script. Check logs (/var/log/hitless_upgrade.log) for details.

Conditions:
Performing Traffic Classification auto signature update using the GUI.

Impact:
Fails to update the classification signature automatically.

Workaround:
You can use either of the following:

-- Perform Traffic Classification auto signature update operations from the CLI.
-- Use the GUI to manually update Traffic Classification signatures.

874529 : APM: Incorrect messages on logout page

Component: Access Policy Manager

Symptoms:
In some cases, the customized APM logout page is shown without messages substituted. Internal template names are shown instead, for example:
%[message]

Conditions:
- Virtual server with APM access policy and full webtop.
- Normal logout from user session.

Impact:
Messages on customized logout page are not shown. This is essentially cosmetic, and does not affect normal functionality.

Workaround:
None.

874317-2 : Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN

Component: Local Traffic Manager

Symptoms:
When BIG-IP is configured with at least two VLANs/interfaces, and a virtual server with auto-lasthop disabled, then when that virtual server receives a SYN from a client and sends the SYN/ACK back to the client on a different VLAN/interface, it currently expects the ACK to be received on the outgoing interface.

Conditions:
BIG-IP is configured with (at least) two VLANs/interfaces, and with a virtual server with auto-lasthop disabled.

Impact:
The mismatch could lead to connections failing to establish.

Workaround:
Use the same VLAN on the client side.

874221-2 : DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd

Component: Global Traffic Manager (DNS)

Symptoms:
DNS response recursion desired (rd) flag does not match the DNS query when using the iRule command DNS::header rd.

Conditions:
-- iRule command DNS::header rd is used to set DNS query rd bit to a different value.
-- At least one wide IP is configured.

Impact:
DNS response rd flag does not match the DNS query. This is not RFC compliant.

Workaround:
Do not configure any wide IPs.

873677-6 : LTM policy matching does not work as expected

Component: Local Traffic Manager

Symptoms:
Policy matching may fail to work as expected

Conditions:
Having many conditions with the same operand may trigger an issue where the wrong transition is taken.

This may also be triggered by very complex policies with large numbers of rules.

Impact:
LTM policy matching does not work as expected.

Workaround:
None.

873249-2 : Switching from fast_merge to slow_merge can result in incorrect tmm stats

Component: Local Traffic Manager

Symptoms:
TMM stats are reported incorrectly. For example, the system may report double the number of running TMMs or an incorrect amount of available memory.

Conditions:
Changing the DB key merged.method from fast_merge to slow_merge.

Impact:
Incorrect reporting for TMM stats.

Workaround:
Remove the file /var/tmstat/cluster/blade0-performance.

These files are roll-ups and will be re-created as necessary.

872981-2 : MCP crashes when deleting a virtual server and its traffic-matching-criteria in the same transaction

Component: Local Traffic Manager

Symptoms:
MCPD crashes when deleting a virtual server and traffic-matching-criteria in the same transaction. This can happen when explicitly using a transaction, or when using a feature that uses transactions, such as when deleting an iApp instance that created these objects.

Conditions:
-- Using a virtual server that has traffic-matching-criteria (e.g., port lists or address lists) attached.
-- Deleting the virtual server and its traffic-matching-criteria in the same transaction.

Impact:
MCP cores, which causes a failover (in a high availability (HA) system) or temporary outage.

Workaround:
Delete the traffic-matching-criteria object separately from the virtual server.

872721-2 : SSL connection mirroring intermittent failure with TLS1.3

Component: Local Traffic Manager

Symptoms:
Intermittent failure of standby connection mirroring TLS1.3 handshake.

Conditions:
TLS1.3 and connection mirroring. More easily reproduces with ecdsa signature.

Impact:
Standby device fails tls handshake, active success so connection succeeds but not mirrored.

872645-1 : Protected Object Aggregate stats are causing elevated CPU usage

Component: Advanced Firewall Manager

Symptoms:
Due to a large number of tables containing 'Protected Object Aggregate stats', the merged daemon might cause elevated CPU usage on odd-numbered CPU cores.

Conditions:
AFM, ASM, or DoS features are provisioned.

Impact:
Elevated CPU usage on odd-numbered cores caused by merged daemon.

Workaround:
None.

872037-1 : DNS::header rd does not set the Recursion desired

Component: Global Traffic Manager (DNS)

Symptoms:
iRule command DNS::header rd not working as expected.

Conditions:
Virtual server configured with an iRule command to set DNS::header rd.

Impact:
The DNS::header rd iRule command does not set the Recursion Desired flag in DNS headers.

Workaround:
None.

871705-5 : Restarting bigstart shuts down the system

Component: TMOS

Symptoms:
The 'bigstart restart bigstart' command shuts down the system without displaying or informing the BIG-IP system user that this command can interrupt service. The system goes directly to the inoperative state as soon as the command is run.

Conditions:
-- Running the command bigstart restart bigstart.
-- Running 'systemctl restart systemd-bigstart' twice.

Impact:
Different versions appear to have different behavior:

-- v12.1.5: shell hangs on bigstart command, but the BIG-IP system stays Active.
-- v13.1.0.7: The BIG-IP system goes inoperative upon 'bigstart restart bigstart'.
-- 1v4.1.2.3: The 'bigstart restart bigstart' command cannot find the 'bigstart' service, but 'systemctl restart systemd-bigstart' shows this behavior.

Workaround:
None.

871561-4 : Hotfix installation on vCMP guest fails with '(Software compatibility tests failed.)'

Component: TMOS

Symptoms:
Due to a known issue, software upgrade to an engineering hotfix might fail with a log message in /var/log/ltm similar to:

info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)

Conditions:
Performing a software upgrade to a hotfix release on a vCMP guest.

Impact:
Unable to perform an upgrade.

Workaround:
Option 1:
Make sure that .iso files for both base image and hotfix reside only on a vCMP guest before starting the installation.

Option 2:
Even if the hotfix installation has failed, the base image should still have been installed properly, so you can restart the vCMP guest and perform a hotfix installation on top of already installed base image.

Option 3:
Even if the hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the hotfix locally within the vcmp Guest. Then restart the lind service

tmsh restart sys service lind

The hotfix installation should begin again this time using the hotfix from within the guest /shared/images/ location.

871045-2 : IP fragments are disaggregated to separate TMMs with hardware syncookies enabled

Component: TMOS

Symptoms:
With hardware syncookies enabled, HTTP POST requests that are fragmented into separate segments are processed by different TMMs.

Connection is subsequently reset with a TCP RST cause reported as: No flow found for ACK.

Conditions:
-- Hardware syncookies triggered.
-- IP fragmented HTTP POST request.

Impact:
Connection is subsequently reset with TCP RST cause 'No flow found for ACK'.

Workaround:
None.

870389-2 : Increase size of /var logical volume to 1.5 GiB for LTM-only VE images

Component: TMOS

Symptoms:
The /var logical volume size of 950 MiB for LTM-only BIG-IP Virtual Edition (VE) images may be too small for some deployments. This can result in result in loss of SSH access.

Conditions:
This applies to deployments that use declarative onboarding for configuration.

Impact:
Complex declarative onboarding configurations may fill the /var logical volume. You are locked out because of the too-small volume.

Workaround:
The workaround is to manually extend the /var logical volume.

For more information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952.

870385-4 : TMM may restart under very heavy traffic load

Component: Advanced Firewall Manager

Symptoms:
TMM occasionally restarts when running heavy workloads. The crash is a timing-related issue between different tmm threads, and thus happens only occasionally.

Conditions:
-- AFM is provisioned with DoS functionality.
-- The BIG-IP system is under heavy workload.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

870309-2 : Ephemeral pool member not created when FQDN resolves to new IP address

Component: Local Traffic Manager

Symptoms:
On rare occasions, when using FQDN nodes/pool members and the FQDN name resolves to a different IP address, the ephemeral pool member for the old IP address may be removed, but a new ephemeral pool member for the new IP address may not be created.

Under normal operation, the following sequence of messages is logged in /var/log/dynconfd.log when dynconfd logging is set to 'debug' level:

[D]: setFQDNPoolMembersModified: pool /Common/my_fqdn_pool node /Common/my_fqdn_node fqdn my.fqdn.com
[D]: PoolMember::scan: pool /Common/my_fqdn_pool member /Common/my_fqdn_node fqdn my.fqdn.com

But when this problem occurs, the 'setFQDNPoolMembersModified' log message is not followed by a 'PoolMember::scan' log message:

[D]: setFQDNPoolMembersModified: pool /Common/my_fqdn_pool node /Common/my_fqdn_node fqdn my.fqdn.com

Conditions:
This may occur under rare timing conditions while using using FQDN nodes/pool members, when the DNS server resolves the FQDN name to a different IP address.

Impact:
Pools configured with FQDN-based pool members may become empty, in which case no traffic will be processed by that pool.

Workaround:
To recover from this condition once it occurs, perform either of the following actions:

-- Restart the dynconfd daemon:
bigstart restart dynconfd

This temporarily interrupts queries for FQDN name resolution and updates (deletion/creation) of ephemeral nodes/pool members in response to FQDN resolution changes.

This action is not otherwise expected to affect traffic currently flowing to pools.

-- Remove the FQDN pool member, then re-add the FQDN pool member back to the pool:
tmsh modify ltm pool my_fqdn_pool { members delete { my_fqdn_node:port } }
tmsh modify ltm pool my_fqdn_pool { members add { my_fqdn_node:port <other parameters> } }

If the pool already has no ephemeral pool members, this has no effect on traffic (which is already not flowing to this pool).

If the pool has some ephemeral pool members but not the complete list of expected ephemeral members, this will interrupt traffic flowing to this pool while there are no pool members present.

In that case, temporarily adding at least one pool member with a statically-configured IP address before removing the FQDN pool member, then removing the same temporary pool members after replacing the FQDN pool member, allow straffic to continue flowing to the pool while this action is performed.

869565-3 : Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN

Component: Local Traffic Manager

Symptoms:
HTTP/2 protocol can be negotiated with the Application-Layer Protocol Negotiation (ALPN) on the Transport Layer Security (TLS) level of communication. When an iRule disables HTTP/2 on a server side, it is assumed that the BIG-IP system no longer offers h2 to a server as an option.

Conditions:
-- A virtual server has an HTTP/2 profile configured on both the client and server sides.
-- A server SSL profile is configured on the virtual server.
-- An iRule using the 'HTTP2::disable serverside' command is attached to the virtual server.

Impact:
The BIG-IP system offers h2 as an option in ALPN when the HTTP/2 profile is disabled on a server side. If h2 is accepted by the server, communication fails since HTTP/2 is disabled and does not decode HTTP/2 traffic.

Workaround:
None.

869553-4 : HTTP2::disable fails for server side allowing HTTP/2 traffic

Component: Local Traffic Manager

Symptoms:
The BIG-IP system provides an iRule command 'HTTP2::disable serverside' to put http2 in passthrough mode. When the command is called during the CLIENT_ACCEPTED event, it should completely disable http2 until the end of TCP connection, or until the HTTP2::enable command is executed.

Conditions:
-- A virtual server has an HTTP/2 profile configured on the server side.
-- An iRule with an the command 'HTTP2::disable serverside' command is attached to the virtual server in the CLIENT_ACCEPTED event.

Impact:
The BIG-IP system continues to send HTTP/2 traffic to a server.

Workaround:
None.

869361-2 : Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated

Component: Global Traffic Manager (DNS)

Symptoms:
Load balance methods for Link Controller inbound wide IP are always set to default values when the load balancing method is updated through GUI.

Conditions:
-- Multiple inbound wide IPs are configured;
-- Load balancing methods are updated through GUI once.

Impact:
Unable to manage wide IPs through the GUI.

Workaround:
Use tmsh to manage Inbound WideIPs.

869237-4 : Management interface might become unreachable when alternating between DHCP/static address assignment.

Component: TMOS

Symptoms:
When the Management IP address assignment is changed and the IP address obtained from DHCP lease is used for static interface configuration, the management port might become unreachable after the DHCP lease expiration time, even though interface has a static IP configured.

Conditions:
-- Management IP assignment is changed from dynamic (DHCP) to static.
-- The static IP address that is configured is identical to the DHCP address that was assigned.

Impact:
Remote management access is lost after the DHCP lease expires.

Workaround:
When changing the management interface configuration from DHCP to static, first delete the old configuration, then create new configuration. This can be done with TMSH:

(tmos)# modify sys global-settings mgmt-dhcp disabled
(tmos)# del sys management-ip 10.14.30.111/24
(tmos)# create sys management-ip 10.14.30.111/24 { description configured-statically }

869049-5 : Charts discrepancy in AVR reports

Component: Application Visibility and Reporting

Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.

Conditions:
-- Number of records in database exceeds the maximum mount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).

Impact:
Stats on DB get corrupted and incorrect.

Workaround:
None.

868889-1 : BIG-IP may reset a stream with an empty DATA frame as END_STREAM

Component: Local Traffic Manager

Symptoms:
HTTP/2 defines END_STREAM flag in a frame as an end of a stream. A peer can send an empty (with no payload) DATA frame to designate a last one in a stream. When BIG-IP receives an empty DATA frame, it handles it incorrectly, sending RST_STREAM to a client.

Conditions:
-- The BIG-IP system has a virtual server configured with an HTTP/2 profile on the client side.
-- The client sends a request containing a payload over a stream, ending the stream with empty DATA frame.

Impact:
The BIG-IP system may reset the stream.

Workaround:
A client should resend the request handling more data.

868721-2 : Transactions are held for a long time on specific server related conditions

Component: Application Security Manager

Symptoms:
Long request buffers are kept around for a long time in bd.

Conditions:
-- The answer_100_continue internal parameter is turned off (non default) or the version is pre 15.1
-- The server closes the connection while request packets are accumulated.

Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.

Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.

868641-2 : Possible TMM crash when disabling bot profile for the entire connection

Component: Application Security Manager

Symptoms:
When using an iRule to disable bot profile, and causing it to be disabled (for the entire connection) during a CAPTCHA challenge -- TMM will crash.

Conditions:
-- Bot Defense profile is attached to the Virtual Server, with a CAPTCHA mitigation.
-- An iRule is attached to the virtual server, which disables bot profile.
-- Sending a request that is responded with a CAPTCHA, then sending (in the same connection), a request that disable the bot profile, and then answering the CAPTCHA.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When using an iRule to disable bot defense profile on certain conditions, add an "else" clause for re-enabling the profile, taking note that all ::disable iRule commands are effective for the entire connection, and not just the transaction.

868209-2 : Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection

Component: Local Traffic Manager

Symptoms:
When BIG-IP is configured with transparent vlan-group and traffic is matching a standard or fastl4 virtual-server and traffic hitting BIG-IP does not have a destination MAC address that belongs to BIG-IP - traffic will be L2 forwarded and pool member selection will not happen.

This defect will also cause active FTP data connections over vlan-group to fail.

Conditions:
All conditions must be met:
- Traffic over transparent vlan-group.
- Standard or fastl4 virtual-server.
- Traffic has a destination MAC address that does not belong to BIG-IP.

OR

- Standard virtual server with FTP profile is configured.
- Active FTP session is in use.
- Traffic flows over vlan-group.

Impact:
Server-side connections will fail.

Workaround:
Use opaque vlan-group instead.
OR
disable db variable connection.vgl2transparent (15.0+)

868053-2 : Live Update service indicates update available when the latest update was already installed

Component: Application Security Manager

Symptoms:
When downloading and installing the latest ASU file manually the Live Update indicator located at the top left of the screen still indicates that there is a new update available.

Conditions:
-- The Live Update scheduler is not in auto mode (System :: Software Management :: Live Update :: Installation of Automatically Downloaded Updates = Disabled).
-- Upload and update the latest ASU file manually.

Impact:
The Live Update indicator continues to indicate on a new update though the latest file was installed.

Workaround:
None.

868033-2 : SSL option "passive-close" option is unused and should be removed

Component: Local Traffic Manager

Symptoms:
The SSL profile "passive-close" option is available in TMSH (but not the GUI), but is not actually used.

A side-effect of this issue is: when the "passive-close" option is configured in TMSH, if the profile is later modified in the GUI, the "passive-close" option will be removed from the profile.

Conditions:
-- Modifying a client or server SSL profile in TMSH.

Impact:
The "passive-close" option is not actually used.

Workaround:
Do not use the "passive-close" option.

867985-3 : LTM policy with a 'shutdown' action incorrectly allows iRule execution

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.

Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.

Impact:
The iRule is executed before the connection is being reset.

Workaround:
None.

867825-3 : Export/Import on a parent policy leaves children in an inconsistent state

Component: Application Security Manager

Symptoms:
When overwriting a parent policy with import/replace, elements from the parent policy that were deleted remain in the child policies.

Conditions:
-- A parent policy exists with a child policy that inherits a section in which new configuration elements can be created in the parent policy (like ip address exceptions).
-- An element is deleted from the parent policy, and then the parent policy is exported.
-- The parent policy is then imported to replace a parent policy on a different device to perform the same changes on its children.

Impact:
The children on the different devices are left unexpectedly in different states.

867793-2 : BIG-IP sending the wrong trap code for BGP peer state

Component: TMOS

Symptoms:
When BGP peer is going down, the BIG-IP system sends the wrong 'bgpPeerState: 6(established)' with its SNMP trap.

Conditions:
-- BIG IP system is connected with a Cisco router to verify the traps.
-- BGP peer between the BIG-IP system and the Cisco router is going down.
-- Both devices release an SNMP trap.

Impact:
The BIG-IP system sends the wrong code with its SNMP trap. It should be 'bgpPeerState: idle(1)' when the peer is not connected.

Workaround:
None.

867373-3 : Methods Missing From ASM Policy

Component: Application Security Manager

Symptoms:
If the ASM http-methods are missing from the MCP configuration, importing an XML ASM policy creates a policy that has no allowed methods and will block all traffic.

Conditions:
-- BIG-IP system configuration is loaded without the required asm_base.conf.
-- An XML ASM policy is loaded.

Impact:
All traffic is blocked for the policy.

Workaround:
Recreate the required methods (GET, POST, etc.) in the policy.

867321-2 : Error: Invalid self IP, the IP address already exists.

Component: Advanced Firewall Manager

Symptoms:
When loading a configuration, the config load fails with an error:

Invalid self IP, the IP address <ip_addr> already exists.

Conditions:
-- Config contains an IPv4 SelfIP
-- Config contains an IPv4-mapped IPv6 address that is assigned to the same vlan

BIG-IP does not prevent you from creating this condition and will allow you to save it.

Impact:
During configuration load will fail:

0107176c:3: Invalid self IP, the IP address <ip_addr> already exists.
Unexpected Error: Loading configuration process failed.

Workaround:
Delete one of the SelfIP addresses and load the configuration.

867253-2 : Systemd not deleting user journals

Component: TMOS

Symptoms:
When setting "SystemMaxUse" to any value, systemd does not get honored and the specified size is exceeded

Conditions:
-- Using a Non-TMOS user account with external authentication permission.
-- Systemd-journald is configured to create a user journal for every user that logs into the BIG-IP system.

Impact:
Journald filling up file system size. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.

Workaround:
Remove journal logs manually.

867181-2 : ixlv: double tagging is not working

Component: TMOS

Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).

Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.

Impact:
The BIG-IP's VLAN tag is lost.

867177-2 : Outbound TFTP and Active FTP no longer work by default over the management port

Component: TMOS

Symptoms:
When attempting to use TFTP or Active FTP at the BIG-IP management port to transfer files to a remote system, the connection eventually times out and the file is not transferred.

This is expected behavior resulting from the enhancement made in BIG-IP v14.1.0:
"Support for network firewall rules on the management port" :: https://techdocs.f5.com/kb/en-us/products/BIG-IP_ltm/releasenotes/product/relnote-bigip-14-1-0.html#rn_ltm-tmos_1410_new.

When attempting to use TFTP and Active FTP via tmm interfaces will work as it has the necessary Algorithm capabilities to set up return listeners.

Conditions:
- BIG-IP v14.1.0 or greater.
- Attempt to initiate TFTP or Active FTP from the BIG-IP management port through command line.

Impact:
Unable to use TFTP or Active FTP to transfer files to/from the BIG-IP system over management port

Workaround:
Consider using encrypted transport (sftp, scp, etc.) in order to avoid the exposure of sensitive data, including passwords.

Manually load connection tracking for the necessary protocol(s) from the command line with:
modprobe nf_conntrack_ftp
modprobe nf_conntrack_tftp

867013-3 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout

Component: TMOS

Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.

Conditions:
This can be encountered when there are a large number of policies configured in ASM.

Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.

Workaround:
None.

865981-2 : ASM GUI and REST become unresponsive upon license change

Component: Application Security Manager

Symptoms:
When there is a license change at the same time as a security update (ex. Threat Campaigns or Attack Signatures), the system can reach a deadlock which blocks some operations, eventually leading to all the REST threads becoming blocked and unresponsive.

Conditions:
A license change occurs at the same time as a security update (ex. Threat Campaigns or Attack Signatures).

Impact:
ASM user interfaces are unresponsive.

Workaround:
Kill asm_config_server.pl or restart ASM

865461-2 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crash on specific scenario

Conditions:
A brute force attack mitigation using captcha or client side challenge.

Impact:
BD crash, failover.

Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.

865329-2 : WCCP crashes on "ServiceGroup size exceeded" exception

Component: TMOS

Symptoms:
Under general usage; WCCP crashes with a "ServiceGroup size exceeded" exception.

Conditions:
Have WCCP service groups configured.

Impact:
WCCP throws an exception and crashes.

Workaround:
None.

865289-2 : TMM crash following DNS resolve with Bot Defense profile

Component: Application Security Manager

Symptoms:
TMM may crash when Bot Defense is enabled and network DNS is configured.

Conditions:
This can occur when is Bot Defense enabled and network DNS is configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

865241-2 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"

Component: TMOS

Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching address for IPv4 or IPv6 so the system returns a NULL and attempting to print results in a crash.

Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.

The conditions that cause this to occur are unknown.

Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.

Workaround:
None.

865177-3 : Cert-LDAP returning only first entry in the sequence that matches san-other oid

Component: TMOS

Symptoms:
Certificate-ldap only returns the first matching oid from the certificate file even though multiple matching san-other entries exists

Conditions:
When Certificate-ladp attribute ssl-cname-field set to san-other and certificate with multiple san-other oids

Impact:
Only the first matching oid is returned.

864989-1 : Remote logger violation_details field content appears as "N/A" when violations field is not selected.

Component: Application Security Manager

Symptoms:
When remote logger is enabled and violation_details field is selected for output, but violations field is not selected - content of violation_details field appears as "N/A".

Conditions:
- Remote logger is enabled;
- violation_details field is selected for output;
- violations field is not selected for output;
- violation is detected and reported to remote logger.

Impact:
Remote logger will not contain violation_details in report.

Workaround:
Enable violations field for remote logging.

864677-2 : ASM causes high mcpd CPU usage

Component: Application Security Manager

Symptoms:
-- CPU utilization is high on the odd-numbered cores.

-- Messages appear at 60-second intervals in /var/log/ts/asm_start.log:
update_GTM_score

Conditions:
-- One or more virtual servers have FTP/SMTP/WEBSEC profiles attached to it.
-- ASM configured.

Impact:
Elevated CPU usage.

Workaround:
-- On the BIG-IP system, edit the file /etc/ts/tools/nwd.cfg to change the value EnforcerCpuReportTimeInterval from 60 to a higher value, e.g., 3600 for once an hour, or even larger.

-- Restart ASM:
bigstart restart asm

864649-3 : The client-side connection of a dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table

Component: Local Traffic Manager

Symptoms:
The client-side connection of the dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table.

Conditions:
Configure dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server.

Impact:
Even after correcting the listener to use dhcpv4 (relay) instead of dhcpv4_fwd (forwarding) profile, the client-side connection from the dhcpv4_fwd profile remains.

Workaround:
Delete the long-standing connection from the connection table.

864513-2 : ASM policies may not load after upgrading to 14.x or later from a previous major version★

Solution Article: K48234609

Component: TMOS

Symptoms:
ASM policies may not load immediately after upgrade due to SELinux policies issues relating to the upgrade process.

Conditions:
1. ASM is provisioned.
2. One or more ASM Security Policies is attached to one or more virtual servers.
3. Upgrade from v12.x or v13.x to v14.x or later.

Impact:
Traffic is not processed properly after upgrade due to failure to load ASM policies.

Workaround:
You can use either of the following workarounds.

-- Remove ASM Policies while upgrading:
  1. Prior to upgrade, remove all ASM Security Policies from all virtual servers.
  2. Upgrade.
  3. Reassociate each ASM Security Policy with its original virtual server.

-- Restore the UCS on a new boot location after upgrade:
  1. Prior to upgrade, create a UCS.
  2. Upgrade or create a new instance of the software version at the target location.
  3. Restore the UCS at the new location.

863609-3 : Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies

Component: Application Security Manager

Symptoms:
After changing a parent policy's learning mode or other learning attributes in policy-builder settings, deploying the policy will result in differences in the child policies.

Conditions:
On BIG-IP and BIG-IQ:
1. Parent policy has a policy-building section that is inherited.
2. Child policy has wildcard default (*) elements such as urls.
On BIG-IQ:
3. Change parent learning mode from manual to disabled or vice versa
4. Deploy changes

Impact:
There are differences after deploy.

Workaround:
Discover and deploy again from BIG-IQ

863165-2 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.

862793-2 : ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation

Component: Application Security Manager

Symptoms:
When ASM detects "virus" (with help of external icap server), the response page will be JS-Challenge instead of blocking.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Anti-Virus protection enabled in ASM policy.
-- ASM finds a virus in a request.

Impact:
-- End user client gets JS-Challenge response instead of blocking page.
-- End user does not see ASM support ID.
-- Browser can run the JavaScript and resend the request to ASM, which is then forwarded to the backend server.

Workaround:
None.

862693-1 : PAM_RHOST not set when authenticating BIG-IP using iControl REST

Component: TMOS

Symptoms:
The missing PAM_RHOST setting causes the radius packet to go out without the calling-station-id avp

Conditions:
1. Configure radius server and add it to BIG-IP
tmsh create auth radius system-auth servers add { myrad }

2. modify auth source type to radius
tmsh modify auth source { type radius }

3. try to authenticate to BIG-IP using iControl REST

Impact:
Remote authentication using iControl REST is not allowed based on calling-station-id

862597-6 : Improve MPTCP's SYN/ACK retransmission handling

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.

Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.

862525-2 : GUI Browser Cache Timeout option is not available via tmsh

Component: TMOS

Symptoms:
In BIG-IP v10.x it was possible to change the browser cache timeout from bigpipe using the command:
bigpipe httpd browsercachetimeout

In 14.1.2.1 and newer, it is still possible to change the value in the GUI using "System :: Preferences :: Time To Cache Static Files.

However there is no tmsh equivalent in any version.

Conditions:
This is encountered when you try to configure the GUI browser cache timeout setting using tmsh.

Impact:
Unable to modify browser cache timeout except from GUI

Workaround:
Using GUI to configure this field. GUI System :: Preferences :: Time To Cache Static Files.

862413-2 : Broken layout in Threat Campaigns and Brute Force Attacks pages

Component: Application Security Manager

Symptoms:
Horizontal scroll added to the page unnecessarily.

Conditions:
This occurs when viewing the Threat Campaigns or Brute Force Attacks page in any browser

Impact:
The horizontal scroll bar breaks the intended page layout.

Workaround:
N/A

862337-1 : Message Routing Diameter profile fails to forward messages with zero length AVPs

Component: Service Provider

Symptoms:
Message Routing Diameter profile does not forward diameter messages that include an AVP with a zero (0) length data field.

Conditions:
-- A virtual server with an Message Routing Diameter Profile.
-- A diameter message containing an AVP with a zero length data field.

Impact:
Diameter messages with zero length AVPs are not forwarded as expected.

Workaround:
None.

862069-2 : Using non-standard HTTPS and SSH ports fails under certain conditions

Component: Local Traffic Manager

Symptoms:
On all versions 12.1.0 or later, if you change the HTTPS port (e.g., to 8443, as is required for '1NIC' BIG-IP Virtual Edition (VE) deployments) and then expose the management UI via a self IP in a non-zero route domain, you cannot access the system via the GUI or CLI, and the system does not pass traffic as expected.

In versions 14.1.0 and later on VE installations, attempting to manage a BIG-IP system over a self IP can fail if all these conditions are met:
-- Non-standard HTTPS port used.
-- No TMM default route configured.
-- No route to the client IP address configured.

Conditions:
-- Modify the default HTTPS and/or default SSH ports.

And either of the following:

On 12.1.0 and above:
-- Expose the management UI and/or CLI via a self IP in a non-zero route domain.

On 14.1.0 and above:
-- No TMM default route configured.
-- No route to the client IP address configured.

Impact:
-- Unable to access BIG-IP GUI on non-standard HTTPS port.
-- Unable to access BIG_IP CLI on non-standard SSH port.

Workaround:
None.

862001-2 : Improperly configured NTP server can result in an undisciplined clock stanza

Component: Local Traffic Manager

Symptoms:
There can be an undisciplined clock stanza in /etc/ntp.conf, resulting in an undisciplined clock.

NTP documentation:
http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock

Conditions:
This might occur in at least the following ways:
-- No server is specified in 'sys ntp servers {}'.
-- A server does exist, but an improper method was used to configure the NTP server.

Impact:
When the LOCAL undisciplined clock is left as a valid time-source, it delays the system synchronizing time to a real NTP server. It can also result in time being adjusted incorrectly if the the remote time-source becomes unreachable.

Workaround:
Configure a dummy server via 'ntp servers {}' that does not respond.

While this removes the undisciplined local clock, it does result in ntpd having an unreachable time source, and could be flagged in diagnostics, misdirect other troubleshooting, generate unnecessary traffic, etc.

However, if the 'dummy' source starts responding, it could become a rogue time source.

860517-2 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.

860349-2 : Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication

Component: TMOS

Symptoms:
After upgrading BIG-IP to 14.1 the LDAP/AD remote authentication will fail .

The /var/log/secure will show :

/secure:
Dec 6 15:27:44 hostname err httpd[9402]: pam_ldap(httpd:auth): error opening connection to nslcd: No such file or directory
Dec 6 15:27:44 hostname notice httpd[9402]: pam_ldap(httpd:auth): auth server unavailable, trying fallback
Dec 6 15:27:44 hostname warning httpd[9402]: pam_unix(httpd:auth): check pass; user unknown
Dec 6 15:27:44 hostname notice httpd[9402]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.227.145

/var/log/daemon.log will show ;

/daemon:
Dec 6 15:29:40 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:29:40 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:29:40 hostname warning systemd[1]: nslcd.service failed.
Dec 6 15:35:47 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:35:47 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:35:47 hostname warning systemd[1]: nslcd.service failed.

> Dec 06 15:35:47 hostname systemd[1]: Started Naming services LDAP client daemon..
> Dec 06 15:35:47 hostname systemd[1]: Starting Naming services LDAP client daemon....
> Dec 06 15:35:47 hostname nslcd[8050]: nslcd: /etc/nslcd.conf:15: usertemplate: too may arguments
> ===================== > This is the hint that user-template is at fault

Conditions:
LDAP/nslcd config , remote authentication , user-template used

The values within user-template include white spaces :

example: uid=%s,CN=my home,OU=Generic Users,OU=good Users,OU=users,DC=users,DC=org

Impact:
LDAP/nslcd process failed with "error opening connection to nslcd" when user-template includes white spaces.

Workaround:
Replace the white-space character with underscore "_" in the user-template if possible, or remove the user-template and restart nslcd daemon

860317-2 : JavaScript Obfuscator can hang indefinitely

Component: TMOS

Symptoms:
High CPU usage by obfuscator for an extended period of time.

Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.

Impact:
High CPU Usage.

Workaround:
Kill the obfuscator process

860277-3 : Default value of TCP Profile Proxy Buffer High Low changed in 14.1

Component: Local Traffic Manager

Symptoms:
Version: 13.1.3.1

# tmsh list ltm profile tcp tcp proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
    proxy-buffer-high 49152
    proxy-buffer-low 32768
}

       proxy-buffer-high
            Specifies the highest level at which the receive window is closed.
            The default value is 49152.

       proxy-buffer-low
            Specifies the lowest level at which the receive window is closed.
            The default value is 32768.

Version: 14.1.2.2

# list ltm profile tcp TCP proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
    proxy-buffer-high 65535
    proxy-buffer-low 32768
}

proxy-buffer-high
            Specifies the highest level at which the receive window is closed.
            The default value is 131072.

proxy-buffer-low
            Specifies the lowest level at which the receive window is closed.
            The default value is 98304.

Conditions:
Looking at the help for proxy-buffer-high and proxy-buffer-low in tmsh

Impact:
The default value for proxy-buffer-high is 65535 and the default value for proxy-buffer-low is 32768, but the help text indicates that the defaults are 13072 and 98304 respectively.

860245-2 : SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x

Component: TMOS

Symptoms:
The SSL Orchestrator configuration is not synced properly across the high availability (HA) configuration.

The REST framework versions are different on the devices.

Conditions:
-- BIG-IP devices configured for HA.
-- SSL Orchestrator configured.
-- Upgrading from v14.1.2 to v15.1.x or newer.

Impact:
SSL Orchestrator configuration does not sync across BIG-IP HA peers.

Workaround:
The following steps are required on all HA, first on the active and then on the standby BIG-IP devices.

1. Open a BIG-IP terminal session with admin/root level access.
2. Run the following commands, in the order specified:

bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded

860181-2 : After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error

Component: TMOS

Symptoms:
If you have BIG-IPs in a Device Service Cluster, and you attempt to sync a new floating self-IP over to a standby on a VLAN that the standby does not currently have a non-floating self-IP on, you will get an error and the sync will fail. This is the correct behavior. The issue, though, is that if you subsequently create a non-floating self-IP on the standby in order to rectify this issue, the sync will still fail.

Conditions:
-- BIG-IPs configured in a Device Service Cluster.
-- Device group is configured to use Automatic Sync or Manual with Incremental sync.
-- Attempting to sync a floating self-IP to a system that does not have a non-floating self-IP on the same VLAN.

Impact:
You are unable to sync BIG-IPs. Both devices will be out of sync and you will see an error displayed:

01070355:3: Self IP <address> is declared as a floating address but there is no non-floating address defined for this network

Even after you add a non-floating self-IP on the affected device, a subsequent config sync does not fix the error.

Workaround:
If you make any other configuration change that generates a config sync, this will correct itself after the other device has added a non-floating Self-IP.

Otherwise, this can be corrected by doing a full config sync, and can be done via the GUI or via tmsh.

In the GUI, change the Sync Type for the device group to Manual with Full Sync, and then do a config sync.

In tmsh, the command is:
run cm config-sync force-full-load-push to-group <affected_device_group>

860005-2 : Ephemeral nodes/pool members may be created for wrong FQDN name

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.

Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.

The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.

Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.

Workaround:
It may be possible to mitigate this issue by one or more of the following actions:

-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.

-- Reducing the number of FQDN template nodes (FQDN names to be resolved).

-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.

859721-2 : Using GENERICMESSAGE create together with reject inside periodic after may cause core

Component: Service Provider

Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after "reject" command inside "after -periodic", it may cause core. Below is an example iRules.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859113.

Conditions:
GENERICMESSAGE::message create" is called after "reject" inside "after -periodic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event

859113-2 : Using "reject" iRules command inside "after" may causes core

Component: Local Traffic Manager

Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create". It may trigger a tmm core. Below is an example iRule.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859721

Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"

Impact:
Traffic disrupted while tmm restarts.

858973-2 : DNS request matches less specific WideIP when adding new wildcard wideips

Component: Global Traffic Manager (DNS)

Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.

Conditions:
New less specific Wildcard WideIPs are created.

Impact:
DNS request matches less specific WideIP.

Workaround:
# tmsh load sys config gtm-only
or
restart tmm

858877-2 : SSL Orchestrator config sync issues between HA-pair devices

Component: TMOS

Symptoms:
SSL Orchestrator configuration deployment across BIG-IP devices in a high-availability (HA) group may result in inconsistent state, if during deployment the connectivity between the HA peers is lost.

Conditions:
Deploying SSL Orchestrator configuration across BIG-IP devices in an HA group.

Impact:
Inconsistent SSL Orchestrator configuration on BIG-IP devices in an HA group.

Workaround:
Run the /usr/bin/ha-sync script. See ha-sync -h for help.

858769-5 : Net-snmp library must be upgraded to 5.8 in order to support SHA-2

Component: TMOS

Symptoms:
The net-snmp 5.7.2 library does not support extended key lengths for SHA and AES protocols used for SNMPv3 authentication and privacy protocols.

Conditions:
When the BIG-IP net-snmp libraries are version 5.7.2, or earlier, than only SHA and AES are available for configuring trap sessions and users in SNMPv3.

Impact:
The longer keys lengths for SNMPv3 cannot be used.

858701-2 : Running config and saved config are having different route-advertisement values after upgrading from v12.1.x★

Component: Local Traffic Manager

Symptoms:
If you upgrade a 12.1.x device with route advertisement enabled, there will be a difference between the running configuration and the saved configuration post upgrade.

-- In the running configuration, the word 'enabled' changes to 'selective'.
-- In bigip.conf, the setting is still set to 'enabled'.

Conditions:
-- Upgrading a v12.1.x device with route advertisement enabled.
-- After saving config both the running-config and bigip.conf are having same value i.e., 'selective'.
-- Load the configuration (tmsh load sys config).

Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:

If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.

Workaround:
After the running config is set to the 'disabled' value, reload the configuration again using the following command to set the running config and saved config to to 'selective':

tmsh load sys config

858549-5 : GUI does not allow IPv4-Mapped IPv6 Address to be assigned to self IPs

Component: TMOS

Symptoms:
When you try to use an IPv4-mapped IPv6 address as the self VI via GUI you get an error: '
Some fields below contain errors. Correct them before continuing.
Invalid IP or Hostname

Conditions:
Assign IPv4-mapped IPv6 address to self IPs via GUI.

Impact:
Cannot add the self IP to the BIG-IP system.

Workaround:
None.

858309-2 : Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart

Component: Local Traffic Manager

Symptoms:
TMM keeps restarting after setting a self IP to an IPv6 address with an embedded IPv4 address in TMSH.

Conditions:
Set self IP to an IPv6 address with an embedded Ipv4 address using tmsh.

Impact:
Tmm restarts repeatedly. Traffic disrupted while tmm restarts.

Workaround:
Set self IP to IPv4 address.

858197-3 : Merged crash when memory exhausted

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system

858189-2 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.

Component: Device Management

Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad/restnoded/icrd errors.

Conditions:
Using iControl REST/iapp to update a data-group that contains a large number of records, e.g., 75,000 or more.

Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.

Workaround:
None.

858173-2 : SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1★

Component: TMOS

Symptoms:
With BIG-IP devices configured in high availability (HA) mode, with SSL Orchestrator configured, when upgrading from v14.1.2 to v15.1.x or newer, the SSL Orchestrator configuration is not synced properly across the high availability (HA) configuration.

This problem is caused by a REST framework sync issue between the devices in the high availability (HA) pair.

Conditions:
-- BIG-IP devices configured in high availability (HA) mode.
-- SSL Orchestrator configured.
-- Upgrading from v14.1.2 to v15.1.x or newer.

Impact:
SSL Orchestrator configuration not syncing across the BIG-IP high availability (HA) pair.

Workaround:
The following steps are required on both high availability (HA) peers, first on the active and then on the standby BIG-IP device.

1. Open a terminal session with admin/root level access.
2. Run the following commands, in the order specified:

bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded

857845-7 : ASSERTs in hudproxy_tcp_repick() converted into an OOPS

Component: Local Traffic Manager

Symptoms:
Hudproxy_tcp_repick() asserts that no data is present.

Example of assertion in /var/log/tmm:
notice panic: ../modules/hudproxy/tcp/tcp_proxy.c:1610: Assertion "server drained" failed.

Conditions:
If data is present, then assertion fails.

Example of how to recreate ("server drained" failed):
-The virtual server uses an iRule containing both the TCP::collect and LB::detach statements.
-The LB::detach statement is not applied in a USER_REQUEST or USER_RESPONSE event.
-The server-side connection is detached before the TCP::collect has been drained.

Impact:
BIG-IP fails to process traffic when asserts fail.

Workaround:
There is no work around.
To avoid ("server drained" failed):
-Use TCP::notify to generate a USER_REQUEST or USER_RESPONSE event, and detach the server connection within the event.
For more information, refer to DevCentral iRules on TCP::notify.

857677-2 : Security policy changes are applied automatically after asm process restart

Component: Application Security Manager

Symptoms:
Changes in security policy are applied after ASM restart. This may activate unintended enforcement.

Conditions:
Restart ASM.

Impact:
Potentially unintended activation of new security entities.

Workaround:
None.

857633-1 : Attack Type (SSRF) appears incorrectly in REST result

Component: Application Security Manager

Symptoms:
After ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, a mistaken value for Attack Type (SSRF) appears incorrectly in REST query results.

Conditions:
ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, even if another ASM Signature update is installed subsequently.

Impact:
A mistaken value for Attack Type (SSRF) appears incorrectly in REST query results. This impacts BIG-IQ usage and other REST clients.

Workaround:
Workaround:
1) Install a newer ASU to reassociate the affected signatures with the correct attack type
2) Run the following SQL on the affected BIG-IP devices:

DELETE FROM PLC.NEGSIG_ATTACK_TYPES WHERE attack_type_name = "Server-Side Request Forgery (SSRF)";

857045-2 : LDAP system authentication may stop working

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

tmsh start sys service nslcd

856953-3 : IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1

Component: TMOS

Symptoms:
In rare circumstances, TMM may core when changing the ike-peer configuration from IKEv2 to IKEv1.

Conditions:
- The BIG-IP system is attempting to establish an IKEv2 tunnel.
- The related ike-peer config is changed from IKEv2 to IKEv1.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not reconfigure the ike-peer configuration while the related IPsec tunnel is attempting to establish.

856713-2 : IPsec crash during rekey

Component: TMOS

Symptoms:
IPsec-related tmm crash and generated core file during rekey.

Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.

Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.

Workaround:
None.

854493-4 : Kernel page allocation failures messages in kern.log

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades)
-- 48 MB (49152 KB for B4300 blades)
-- 128 MB (131072 KB for 4450 blades)

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

854177-4 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.

854129-3 : SSL monitor continues to send client certificate after changes

Component: Local Traffic Manager

Symptoms:
Monitor continues to send client certificate after the SSL profile has been removed from the monitor.

Conditions:
-- In-TMM monitor configured.
-- SSL monitor configured with a server SSL profile.
-- Client certificate added and removed from the server SSL profile.

Impact:
The certificate may continue to be transmitted to the server, resulting in node continuing to be marked up or down (respectively).

Workaround:
None.

854001-3 : TMM might crash in case of trusted bot signature and API protected url

Component: Application Security Manager

Symptoms:
When sending request to a protected API URL, with a trusted bot signature, tmm tries to perform reverse DNS to verify the signature. During this process, the URL qualification might change. In this case - tmm crashes.

Conditions:
-- Bot Defense profile attached.
-- 'API Access for Browsers and Mobile Applications' is enabled.
-- A DNS server is configured.
-- Request is sent to an API-qualified URL.
-- Request is sent with a trusted bot signature.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the 'API Access for Browsers and Mobile Applications' or remove the DNS server.

853989-2 : DOSL7 Logs breaks CEF connector by populating strings into numeric fields

Component: Application Security Manager

Symptoms:
Dosl7 remote logger messages breaks ArcSight CEF connector when using ArcSight destination format. CEF Logs are dropped.

Conditions:
- ASM provisioned
- Dos profile attached to a virtual server
- Dos application protection enabled
- Logging profile configured with ArcSight format attached to a virtual

Impact:
ArcSight server might be broken after getting dosl7 attack detection messages from the BIG-IP.

Workaround:
BIG-IP iRule or another proxy can be used to intercept ArcSight messages and strip the a string portion from ArcSight numeric type fields.

853617-2 : Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles

Component: TMOS

Symptoms:
Validation does not prevent specific configuration, but reports errors. In newer versions:

-- err tmm1[7019]: 01010008:3: Proxy initialization failed for /Common/vs_test. Defaulting to DENY.
-- err tmm1[7019]: 01010008:3: Listener config update failed for /Common/vs_test: ERR:ERR_ARG

In older versions:

-- err tmm[23118]: 01010007:3: Config error: virtual_server_profile no suitable hudchain
-- err tmm[23118]: 01010007:3: Config error: add virtual server profile error

Conditions:
Creating a virtual server with UDP, HTTP, SSL, (and OneConnect) profiles.

Impact:
Virtual server is defined and in configuration, but does not pass traffic.

On v12.1.x and v13.0.0, attempts to recover from this configuration can leave TMM in a bad state, which can then result in a TMM crash.

Workaround:
None.

853545-2 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event

Component: Service Provider

Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.

Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.

Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.

Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.

853161-3 : Restjavad has different behavior for error responses if the body is over 2k

Component: TMOS

Symptoms:
The error Response body from iControl REST is truncated at 2048 characters. If an iControl REST response sends an error that is longer than 2048 characters, the truncated response will not contain valid JSON.

Conditions:
This occurs when iControl REST error messages are longer than 2048 characters.

Impact:
The error response body is deformed when the length of the error body is more than 2k characters

853101-1 : ERROR: syntax error at or near 'FROM' at character 17

Component: TMOS

Symptoms:
After clicking UI Security :: Network Firewall : Active Rules, /var/log/ltm reports the following error message:
--warning postgres ERROR: syntax error at or near 'FROM' at character 17.

Conditions:
Enabled turboflex-security and AFM module.

Impact:
-- Possible leak of postgres database connections.
-- A warning log message is created, but the system continues to function normally.

Workaround:
None.

852873-3 : Proprietary Multicast PVST+ packets are forwarded instead of dropped

Component: Local Traffic Manager

Symptoms:
Because the BIG-IP system does not recognize proprietary multicast MAC addresses such as PVST+ (01:00:0c:cc:cc:cd) and STP (01:80:c2:00:00:00), when STP is disabled the system does not drop those frames. Instead the system treats those as L2 multicast frames and forwards between 2 interfaces.

Conditions:
-- STP disabled
-- All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850.

Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC is forwarded instead of discarded, even when STP is disabled.

Workaround:
None.

852565-4 : On Device Management::Overview GUI page, device order changes

Component: TMOS

Symptoms:
When manual device group sync is enabled, the device with the most recent change will be displayed at the top of the Device Management::Overview GUI page.

Conditions:
-- Multiple devices in a device group
-- Device group has manual config sync enabled
-- A change is made on a device

Impact:
When the list loads, the device with the most recent changes is displayed at the top. This can make the device order appear to be inconsistent, and can create confusion when doing manual config sync if you are expecting the order to be always consistent.

852437-2 : Overly aggressive file cleanup causes failed ASU installation

Solution Article: K25037027

Component: Application Security Manager

Symptoms:
Directory cleanup for for failed Attack Signature Updates (ASU) is too aggressive and may delete needed files in the middle of installation itself, which causes the update to fail.

Conditions:
An ASU runs at the same time as the file cleanup task.

Impact:
The ASU fails to complete successfully.

Workaround:
The default clean interval is 300 seconds (5 minutes).

1. Run the following command to monitor the clean activity:
#tailf /var/log/ts/asmcrond.log | grep CleanFiles

2. Watch for following message in the log:
asmcrond|INFO|Mar 20 21:54:44.389|24036|F5::PeriodicTask::Base::run,,Running Task: CleanFiles

3. Upgrade the ASU immediately.

If 5 minutes is not enough, you can increase the clean interval.

1. Adjust the interval in the /etc/ts/tools/asmcrond.cfg file:

From:
[CleanFiles]
Interval=300

To:
[CleanFiles]
Interval=3000

Important: Do not set Interval too high. 50 minutes (3000 seconds) should be enough.

2. Restart the asmcrond by killing the process. It respawns after several seconds.
ps -ef | grep asmcrond
kill <pid>

3. Monitor the asmcrond.log until you see another Cleanfiles log message.
# tailf /var/log/ts/asmcrond.log | grep CleanFiles

4. Install the ASU; the temp files can stay in the folder for 50 minutes.

5. After the ASU is installed, change the interval back to 300 and restart asmcrond.

6. Make sure asmcrond has been started correctly.
# ps -ef | grep asmcrond
# tailf /var/log/ts/asmcrond.log

852325-2 : HTTP2 does not support Global SNAT

Component: Local Traffic Manager

Symptoms:
The Global SNAT feature does not work with HTTP2.

Conditions:
-- Global SNAT is used
-- HTTP2 is used.

Impact:
Traffic uses the incorrect IP addresses when sourced from the BIG-IP system.

Workaround:
Use an explicit SNAT setting: SNAT Auto-Map or a SNAT pool.

852265-2 : Virtual Server Client and Server SSL profile list boxes no longer automatically scale for width

Component: TMOS

Symptoms:
The 'SSL Profile (Client)' and 'SSL Profile (Server)' listboxes (both 'Selected' and 'Available') now have a fixed width when viewing Virtual Server settings.

Conditions:
-- An SSL profile (client or server) with a long name.
-- Accessing the Virtual Server settings page in the GUI.

Impact:
If many SSL profiles start with the same several letters, it may be impossible to detect which one is the desired profile.

Workaround:
None.

852101-2 : Monitor fails.

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.

Conditions:
TLS SIP monitor on pool member requiring client auth.

Impact:
Big3d fails external monitor SIP_monitor.

Workaround:
The only workaround is to allow world reading of key files in the filestore, however, this is not ideal as it exposes potentially sensitive data.

851857-2 : HTTP 100 Continue handling does not work when it arrives in multiple packets

Component: Local Traffic Manager

Symptoms:
If a 100 Continue response from a server arrives in mulitple packets, HTTP Parsing may not work as expected. The later server response payload may not be sent to the client.

Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.

Impact:
The response is not delivered to the client. Browsers may retry the request.

Workaround:
None.

851785-2 : BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/13: page allocation failure: order:2, mode:0x204020

After that, a stack trace follows. The process name in the line ('swapper/16', in this example). You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the appliance 10350V-F D112.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this to 128 MB (131072 KB).

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID851785' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on the BIG-IP appliance and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the BIG-IP appliance and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

851745-2 : High cpu consumption due when enabling large number of virtual servers

Component: Advanced Firewall Manager

Symptoms:
Observed autodosd CPU burst

Conditions:
Enable autodosd and a large number of virtual servers

Impact:
High cpu utilization in autodosd

Workaround:
Disable autodosd

851581-2 : Server-side detach may crash TMM

Component: Local Traffic Manager

Symptoms:
TMM crash with 'server drained' panic string.

Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.

Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.

Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.

-- In cases in which the detach is triggered by LB::Detach, make sure the command is not executed when a request may still be in progress by using it in response events, for example HTTP_RESPONSE, USER_RESPONSE, etc.

851477-2 : Memory allocation failures during proxy initialization are ignored leading to TMM cores

Component: Local Traffic Manager

Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.

Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.

Impact:
TMM cores when accessing uninitialized memory.

Workaround:
No workaround.

851393-2 : Tmipsecd leaves a zombie rm process running after starting up

Component: TMOS

Symptoms:
After booting the system, you notice zombie 'rm' processes:

$ top -b | awk '$8=="Z"'
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm

Restarting tmipsecd will kill the zombied process but will start a new one.

Conditions:
-- IPsec is enabled.
-- Booting up the system.

Impact:
A zombie 'rm' process exists. There should be no other impact.

Workaround:
None.

851385-3 : Failover takes too long when traffic blade failure occurs

Component: Local Traffic Manager

Symptoms:
When blades 1 and 4 are disabled on the active chassis, the failover period is between 3.4 to 4.7 seconds before the next-active device starts processing messages.

If the blades are physically pulled from the chassis,
the failure occurs within 1 second.

Conditions:
-- Multi-blade VIPRION system
-- Blades 1 and 4 are connected to the network via trunks, blades 2 and 3 are CPU-only blades
-- Blades 1 and 4 are disabled via the GUI

Impact:
Significant delay before BIG-IP delivers a web page during between-cluster failover

851101-3 : Unable to establish active FTP connection with custom FTP filter

Component: Local Traffic Manager

Symptoms:
Unable to establish active FTP connection with custom FTP filter.

Conditions:
All of the following conditions are true:
-- Virtual server using custom FTP filter.
-- FTP filter has port (port used for data channel) set to 0 (zero).
-- Virtual server has source-port set to preserve-strict.
-- Using active FTP through the virtual server.

Impact:
-- The active FTP data channel is reset.
-- Commands that require data channel in active mode fail.

Workaround:
-- Change source-port to change or preserve.
-- Set port on FTP filter to be used for data channel.
-- Use passive FTP.

851045-2 : LTM database monitor may hang when monitored DB server goes down

Component: Local Traffic Manager

Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.

Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).

Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.

Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.

851021-2 : Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error

Component: TMOS

Symptoms:
TMSH error example:

Configuration error: Can't associate ASM device sync (/Common/testsync/staging.example.com) folder does not exist

Conditions:
The conditions under which this occurs are unknown.

Impact:
Load of config file fails with an error that the folder does not exist.

Workaround:
Use 'tmsh load sys config verify', without specifying a specific file.

850997-2 : 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page

Component: TMOS

Symptoms:
The SNMPD daemon no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page.

Conditions:
Viewing the page at:

System :: High Availability : Fail-safe : System

Impact:
Unable to configure the high availability (HA) settings for the snmpd high availability (HA) daemon through the GUI.

Workaround:
Use TMSH to modify the snmpd high availability (HA) settings.

850873-2 : LTM global SNAT sets TTL to 255 on egress.

Component: Local Traffic Manager

Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.

Conditions:
Traffic is handled by global SNAT.

Impact:
TTL on egress is set to 255/; Hop-Limit on egress is set to 64.

Workaround:
None.

850777-2 : BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config

Component: TMOS

Symptoms:
After rebooting BIG-IP Virtual Edition (VE) deployed on a cloud provider, the instance enters LICENSE INOPERATIVE state.

Errors similar to one below are seen in an LTM log:

err chmand[4770]: Curl request to metadata service failed with error(7): 'Couldn't connect to server'.

Conditions:
- Static management IP address configuration.
- Instance is restarted.

Impact:
Instance is not operational after restart.

Workaround:
After instance is fully booted, reload the license with 'reloadlic'.

850677-3 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy

Component: Application Security Manager

Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.

Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.

Workaround:
Use UTF-8.

850633-2 : Policy with % in name cannot be exported

Component: Application Security Manager

Symptoms:
Policies with characters that are encoded with urlencode in name cannot be exported in GUI

Conditions:
Policies has characters that are encoded with urlencode in name

Impact:
Policy cannot be exported in GUI

Workaround:
Most policies can be cloned, and during clone user can select name without special characters. Then cloned policy can be exported.

850349-2 : Incorrect MAC when virtual wire is configured with FastL4

Component: Local Traffic Manager

Symptoms:
Incorrect MAC is seen in the network when virtual wire is configured with a FastL4 profile.

Conditions:
Virtual wire is configured with a FastL4 profile.

Impact:
Incorrect MAC on the packets.

Workaround:
None.

850193-3 : Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues

Component: TMOS

Symptoms:
-- Uneven unic channel distribution and transmit errors (tx_errcnt) seen in /proc/unic.
-- Packet loss and increased retransmissions under load.

Conditions:
BIG-IP Virtual Edition (VE) in Hyper-V or Azure Cloud.

Impact:
-- Reduced throughput.
-- Packet loss and increased retransmissions under load.

Workaround:
None.

850145-2 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed

Component: Local Traffic Manager

Symptoms:
First HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed and use the established connection to the server. However, the requests were queued in the proxy and not processed resulting in connection hang.

Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.

Impact:
Connection hangs and is eventually reset.

Workaround:
No workaround.

849405-3 : LTM v14.1.2.1 does not log after upgrade★

Component: TMOS

Symptoms:
After upgrading to v14.1.2.1, logs are not generated and sysstat.service is not running.

Conditions:
-- Upgrade from BIG-IP v12.1.x (which uses CentOS 6) to BIG-IP v14.1.2.1 or later (which uses CentOS 7).
-- The issue is momentary and is not always reproducible.

Impact:
Logs are not generated and sysstat.service is not running.

Workaround:
Once the BIG-IP system starts up, check for failed services:

systemctl list-units --failed

If results show sysstat.service as FAILED, run the following command:

restorecon -Rv /var/log/sa6 && systemctl start sysstat

849349-4 : Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db

Component: Application Security Manager

Symptoms:
Web app flow might fail resulting in JavaScript errors related to CSP policy

Conditions:
-- ASM provisioned.
-- Bot-Defense or DoS Application profile assigned to a virtual server.
-- The backend server sends CSP headers.

Impact:
Web application flow might fail.

Workaround:
Attach an iRule:

when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}

849157-1 : An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck

Component: TMOS

Symptoms:
The outgoing SCTP connection does not expire after attempting to INIT the maximum number of times. It then becomes stuck and does not expire when it reaches its idle-timeout, and cannot be manually deleted.

Conditions:
An outgoing SCTP connection is permitted to attempt the INIT retransmit the maximum number of times configured with no responses (accepting or aborting) from the target endpoint.

Impact:
Stale SCTP connections are left in the system and start to use up memory. Traffic may be interrupted in certain configurations, as the system thinks it is still attempting to bring up the lost SCTP connection and does not ever try to create a new one.

Workaround:
To clear the stale connections, restart tmm:
bigstart restart tmm

Note: Restarting tmm causes an interruption to traffic.

848777-2 : Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.

Component: Local Traffic Manager

Symptoms:
Shared object address-list in non-default partition in non-default route-domain does not sync to peer node. The system reports the following exceptions when such an issue occurs:

-- err mcpd[4941]: 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

-- err mcpd[4941]: 01071488:3: Remote transaction for device group /Common/DG1 to commit id 500 6754270728594498269 /Common/bigiptest1 0 failed with error 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

Conditions:
-- Create Custom partition.
-- Create Custom Route-domain.
-- Change custom partition.
-- Create address list in non-default route domain.
-- Create virtual server with previously created address list and any TCP port, or port list.
-- Now, try to Sync to high availability (HA) peer.

Impact:
Sync fails with error. Configuration does not sync to peer node.

Workaround:
None.

848757-2 : Link between 'API protection profile' and 'Security Policy' is not restored after UCS upload

Component: Application Security Manager

Symptoms:
Link between 'API protection profile' and 'Security Policy' created with swagger based 'API protection profile' preserved in UCS file. This link is not restored after UCS upload.

Conditions:
UCS upload.

Impact:
'API protection profile' has no link to related security policy.

Workaround:
None.

848681-6 : Disabling the LCD on a VIPRION causes blade status lights to turn amber

Component: TMOS

Symptoms:
When the LCD is disabled or turned off on a VIPRION system, the blade status lights turn amber.

Conditions:
You can cause this to occur by running the command:
tmsh modify sys db platform.chassis.lcd value disable

Impact:
Blade status lights change to amber, even if nothing is wrong with the system.

Workaround:
None.

846977-2 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★

Component: Local Traffic Manager

Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes) must be a non-negative integer.

Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:

/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].

Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.

Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.

Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.

846873-6 : Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure

Component: Local Traffic Manager

Symptoms:
Traffic fails to pass through a virtual server.

Conditions:
-- Virtual server is removed and a new one is added in a single transaction.
-- Virtual server references a plugin profile.

For example, create a CLI transaction:
- delete ltm virtual vs_http
- create ltm virtual vs_https destination 1.1.1.1:443 vlans-enabled profiles replace-all-with { http ntlm oneconnect }
- submit cli transaction

Impact:
Traffic failure on the new virtual server.

Workaround:
Create a virtual server that does not accept any traffic, but keeps the NTLM MPI plugin channel alive:

tmsh create ltm virtual workaround destination 1.1.1.1:1 profiles replace-all-with { http oneconnect ntlm } vlans-enabled vlans none && tmsh save sys config

846521-6 : Config script does not refresh management address entry properly when alternating between dynamic and static

Component: TMOS

Symptoms:
Config script does not refresh management address entry properly when alternating between dynamic (DHCP) and static configuration.

Conditions:
- Management IP assignment is changed from dynamic (DHCP) to static.
- Same IP address is configured, as previously received from DHCP server.

Impact:
Remote management access is lost after DHCP lease expires.

Workaround:
Restart BIG-IP after changing the management IP address.

846441-3 : Flow-control is reset to default for secondary blade's interface

Component: Local Traffic Manager

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
The flow-control setting is reset to default (tx-rx).

Workaround:
Reload the configuration on the primary blade.

846217-2 : Translucent vlan-groups set local bit in destination MAC address

Component: Local Traffic Manager

Symptoms:
Translucent vlan-groups may set the locally-unique bit in a destination MAC address when sending traffic to a pool member/client.

Conditions:
On versions earlier than 15.0.0:
- Translucent vlan-group is in use.

On v15.0.0 and later:
-- Translucent vlan-group is in use.
-- The connection.vgl2transparent db variable is enabled.

Impact:
Traffic handled by translucent vlan-groups may not work properly.

Workaround:
On versions earlier than 15.0.0, there is no workaround.

-- On version 15.0.0 and later, you can disable the connection.vgl2transparent db variable to mitigate the problem:

tmsh modify sys db connection.vgl2transparent value disable

Note: connection.vgl2transparent is disabled by default.

846181-4 : Request samples for some of the learning suggestions are not visible

Component: Application Security Manager

Symptoms:
Learning suggestions created from single request do not show source 'request log' in the 'Suggestion' GUI section.

Conditions:
'Learning Suggestion' created from only one 'Request Log' record.

Impact:
Learning suggestions created from single request does not show source 'request log' in the 'Suggestion' GUI section

Workaround:
None.

846141-2 : Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name.

Component: TMOS

Symptoms:
Rest API returns 404 'Object not found"' error when attempting direct access to pool member that has pipe symbol '|' in the server or virtual server name.

Conditions:
An iControl/REST call to a pool member that has a virtual server on the Server whose name contains a | character in the server or virtual server name.

Impact:
The iControl/REST call cannot manage a pool member associated with a virtual server or server whose name contains a | character.

Workaround:
Rename the server or virtual server to a name that does not contains the | character.

846137-2 : The icrd returns incorrect route names in some cases

Component: TMOS

Symptoms:
The icrd returns an incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet and considers its name as a whole. Also the subPath field is missed in the response route object. This happens only in the case of curl request.

Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.

Impact:
Result information is not compatible with actual result.

Workaround:
None.

846057-4 : UCS backup archive may include unnecessary files

Component: Application Security Manager

Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.

Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.

Impact:
Those files are included in the UCS archive, which results in an unusually large UCS backup files.

Workaround:
Before running the UCS backup process, remove directories:

/var/tmp/ts_db.save_dir_*.cstmp/

845933-2 : Unused parameters remain after modifying the swagger file of a policy

Component: Application Security Manager

Symptoms:
After you update the swagger file of a policy, some parameters that are not defined in the updated swagger may remain in the policy.

Conditions:
1. Policy contains global parameters that were added manually
2. All the URL parameters are deleted in the new swagger file

Impact:
Traffic to these parameters will not raise a violation ILLEGAL PARAMETER as expected

Workaround:
The leftover parameters need to be removed manually

845333-5 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config

Component: Local Traffic Manager

Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]

Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.

Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.

Workaround:
Make the datagroup a Tcl variable to bypass validation.

845313-2 : Tmm crash under heavy load

Component: Policy Enforcement Manager

Symptoms:
Tmm crashes.

Conditions:
-- BIG-IP PEM is licensed and configured.
-- Heavy traffic is received by PEM virtual server.
-- The traffic pattern goes through subscriber add/delete frequently.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

844689-2 : Possible temporary CPU usage increase with unusually large named.conf file

Component: Global Traffic Manager (DNS)

Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.

Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).

Impact:
When a zone file is updated, a downstream effect is the ZoneRunner process to parse again the named.conf file. The parsing of an unusually large file may cause a temporary increase in CPU usage.

Workaround:
None.

844597-3 : AVR analytics is reporting null domain name for a dns query

Component: Advanced Firewall Manager

Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.

Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.

Impact:
DNS domain name is reported as NULL

Workaround:
Enable the matching type vector on the DNS DoS profile.

844573-2 : Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.

Component: Access Policy Manager

Symptoms:
The log message when OAuth client or resource server fails to generate the secret is assigned an incorrect log level, and is incorrectly logged at the emergency level.

Conditions:
This is encountered when this message is logged by mcpd.

Impact:
Log message cannot be grouped with messages at the correct log level.

Workaround:
None.

844569-1 : HSB transmitter failure on i2000/i4000 series

Component: TMOS

Symptoms:
The HSB experiences a transmitter failure, which is reported in the TMM log files:

F5 crit tmm3[19371]: 01010025:2: Device error: hsb hsb interface 3 DMA lockup on transmitter failure.

Conditions:
-- i2000/i4000-series platforms.
-- Other conditions under which this occurs are unknown.

Impact:
The appliance is rebooted due to triggering a nic_failsafe reboot.

Workaround:
None/Unknown.

844421-1 : Cipher ordering in cipher rules can be wrong

Component: Local Traffic Manager

Symptoms:
With a cipher string such as ECDHE:ECDH_RSA:NATIVE is used, the expansion is done in the wrong order.

Conditions:
Cipher rules are used, and some are expanded.

Impact:
Cipher ordering can changes, so unexpected cipher suites are used.

Workaround:
None.

844337-3 : Tcl error log improvement for node command

Component: Local Traffic Manager

Symptoms:
Because of the Tcl error, connection gets reset and reports an error:

err tmm[18774]: 01220001:3: TCL error: /Common/test2- bad port in node <addr> <port> cmdTCL error (line 43) (line 43) invoked from within "node 172.x.x.x IP [LB::server port]"

Conditions:
Using node command under pre-load-balancing iRule events.

Impact:
Unclear port values in Tcl error message.

Workaround:
None.

844169-3 : TMSH context-sensitive help for diameter session profile is missing some descriptions

Component: Service Provider

Symptoms:
The tmsh context-sensitive help content for the following diameter session attributes is missing:
-- respond-unroutable
-- retransmission-action
-- retransmission-queue-limit-high
-- retransmission-queue-limit-low
-- retransmission-queue-max-bytes
-- retransmission-queue-max-messages

Conditions:
When attempting in tmsh to list a diameter session profile followed by a question mark for context-sensitive help- for example:
list ltm message-routing diameter profile session <sess-name> ?

Impact:
The specified attributes are no described.

Workaround:
These are the missing descriptions:

-- respond-unroutable: When selected (enabled), messages that do not match any known route will be transformed into an error answer message and sent to the originator of the request. When disabled, unroutable request messages are routed back to the connection where they came from. The default value is disabled.

-- retransmission-action: Specifies the action performed when retransmission has been triggered for a request message. The options are:
  1) Disabled: Retransmission is disabled. This is the default action.
  2) Busy: An answer message is generated with a TOO_BUSY result code and returned to the originator of the request.
  3) Unable: An answer message is generated with an UNABLE_TO_DELIVER result code and returned to the originator of the request.
  4) Retransmit: The request message will be retransmitted.

-- retransmission-queue-limit-high: Specifies the high watermark for the retransmission queue (in percentage). If the retransmission queue exceeds this limit, the transport window will begin closing. A value of 0 will disable closing the transport window. Valid range from 0 to 100. The default value is 90.

-- retransmission-queue-limit-low: Specifies the low watermark for the retransmission queue (in percentage). If the retransmission queue drops below this limit, the transport window will reopen. Valid range from 0 to 100. The default value is 60.

-- retransmission-queue-max-bytes: Specifies the maximum number of bytes that can be stored in a connections retransmission queue. A value of 0 will disable this limit. The default value is 131072 bytes.

-- retransmission-queue-max-messages: Specifies the maximum number of messages that can be stored in a connections retransmission queue. A value of 0 will disable this limit. The default value is 1024 messages.

844085-2 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address

Component: TMOS

Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:

01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.

Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.

Impact:
Unable to change the source address of a virtual server to an address list.

Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:

tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}

tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any

843801-3 : Like-named previous Signature Update installations block Live Update usage after upgrade★

Component: Application Security Manager

Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.

Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.

Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.

Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat

This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.

843661-2 : TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command

Component: TMOS

Symptoms:
TMSH currently allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command, but the option is not honored and the entire license is revoked.

Conditions:
-- BIG-IP license and add-on license are installed.
-- Attempt to revoke the system license with 'add-on-keys' as an option.

Impact:
Add-on-keys option is ignored, and the entire license is revoked instead.

Workaround:
None.

843597-2 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle

Component: TMOS

Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes.

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- Passing packets larger than 9000 bytes.

Impact:
Either packets are dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.

Workaround:
Modify the tmm_init.tcl file, adding the following line:

ndal mtu 9000 15ad:07b0

843317-2 : The iRules LX workspace imported with incorrect SELinux contexts

Component: Local Traffic Manager

Symptoms:
Files imported from iRules LX workspace may have incorrect SELinux contexts such as abrt_var_cache_t.

This can cause reloading the workspace to fail with errors:

01070079: failed to create workspace archive ... Return code {2}

Conditions:
Importing the iRules LX workspace.

Impact:
Workspace cannot be imported

Workaround:
As a workaround you can run the following command on the folders to restore the context:
restorecon -R -v

842989-4 : PEM: tmm could core when running iRules on overloaded systems

Component: Policy Enforcement Manager

Symptoms:
When sessions usage iRules are called on an already overloaded system it might crash.

Conditions:
Session iRule calls on heavily overloaded BIG-IP systems.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Reduce the load on tmm or modify the optimize the irule.

842937-5 : TMM crash due to failed assertion 'valid node'

Component: Local Traffic Manager

Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.

Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Refrain from using ramcache may mitigate the problem.

842901-2 : Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair.

Component: TMOS

Symptoms:
Although the effect differs for different topologies, in general, the multicast traffic is interrupted for 5-to-180 seconds after failover.

Conditions:
Fast failover of PIM-DM-based multicast traffic when the BIG-IP system is deployed as an Active/Standby high availability (HA) configuration.

Impact:
The multicast traffic is interrupted for 5-to-180 seconds after a failover event.

Workaround:
None. This is an improvement request.

842669-2 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log

Component: TMOS

Symptoms:
Systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log. Bare ')' being logged to /var/log/user.log., for example:

cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )

Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as

-The cron process tries and fails to send an email because of output about a cron script.
-Modify syslog include configuration
-Apply ASM policy configuration change

Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes first part to the appropriate file, and the other lines to /var/log/user.log.

Workaround:
No known workaround.

842517 : CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails

Component: Local Traffic Manager

Symptoms:
SSL handshake fails with error in LTM logs.pkcs11d[10407]:
err pkcs11d[10407]: 01680048:3: C_Sign: pkcs11_rv=0x00000082, CKR_OBJECT_HANDLE_INVALID

Conditions:
Key created with Safenet NetHSM is used in SSL profile for virtual server. This error is seen randomly.

Impact:
SSL handshake fails.

Workaround:
Restart the PKCS11D.

842425-2 : Mirrored connections on standby are never removed in certain configurations

Component: Local Traffic Manager

Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.

842193-2 : Scriptd coring while running f5.automated_backup script

Component: iApp Technology

Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:

-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING

-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.

-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY
(/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED

Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.

Impact:
Scriptd core.

Workaround:
None.

842149-1 : Verified Accept for SSL Orchestrator

Component: Access Policy Manager

Symptoms:
You are unable to configure Verified Accept on SSL Orchestrator.

Conditions:
-- SSL Orchestrator in use .
-- A TCP profile is in use and it contains the Verified Accept flag.

Impact:
No connectivity over SSL Orchestrator.

Workaround:
None.

842137-4 : Keys cannot be created on module protected partitions when strict FIPS mode is set

Component: Local Traffic Manager

Symptoms:
When FIPS mode is set to use FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition

Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition
-- You attempt to create a FIPS key using that partition

Impact:
New Keys cannot be created

Workaround:
Here are all the steps to generate a new netHSM key called "workaround" and install it into the BIG-IP config:

1.

[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...

Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>

str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
operation Operation to perform generate
application Application pkcs11
protect Protected by module
verify Verify security of key yes
type Key type RSA
size Key size 2048
pubexp Public exponent for RSA key (hex)
embedsavefile Filename to write key to workaround
plainname Key name workaround
x509country Country code
x509province State or province
x509locality City or locality
x509org Organisation
x509orgunit Organisation unit
x509dnscommon Domain name
x509email Email address
nvram Blob in NVRAM (needs ACS) no
digest Digest to sign cert req with sha256

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory

2. (this is to confirm the key is present with the label "workaround"

[root@bigip1::Active:Standalone] config # nfkminfo -l

Keys with module protection:

key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'

Keys protected by cardsets:
...

3.
[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm

4. (install public certificate)
[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround

842125-5 : Unable to reconnect outgoing SCTP connections that have previously aborted

Component: TMOS

Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.

Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.

Impact:
New connections are unable to be created resulting in dropped messages.

Workaround:
None.

841985-4 : TSUI GUI stuck for the same session during long actions

Component: Application Security Manager

Symptoms:
The GUI becomes unresponsive when you perform an operation that takes a long time (e.g., Attack Signatures update).

Conditions:
Long-running task is performed, such as export/import/update signatures.

Impact:
GUI is unresponsive for that session.

Workaround:
If you need to continue working during long task is performed, you can log in via another browser.

841953-6 : A tunnel can be expired when going offline, causing tmm crash

Component: TMOS

Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.

If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.

Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.

Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

841721-1 : BWC::policy detach appears to run, but BWC control is still enabled

Component: TMOS

Symptoms:
The dynamic BWC policy can be attached from iRules but not detached. No error occurs when BWC::policy detach is run, but the detached policy continues to work.

Conditions:
-- Dynamic BWC policy for a HTTP request URI during session.
-- Running BWC::policy detach.

Impact:
The detached policy continues to work.

841649-3 : Hardware accelerated connection mismatch resulting in tmm core

Component: TMOS

Symptoms:
Tmm receives an update from the ePVA for a hardware accelerated connection that is matched to the wrong correction. This can result in a tmm core, which is reported as a segment fault in the tmm log files.

Conditions:
A FastL4 virtual server that has hardware acceleration enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable hardware acceleration.

841469-5 : Application traffic may fail after an internal interface failure on a VIPRION system.

Component: Local Traffic Manager

Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.

For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.

Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.

For example, if on a 4-slot chassis, blades 2 and 3 become disconnected with one another, the following is TMM's computation of which slots are on-line:

slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)

As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.

You can run the following command to inspect the CMP state of each slot:

clsh 'tmctl -d blade -s cmp_state tmm/cmp'

All slots should report the same state, for instance:

# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
       15

=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
       15

=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
       15

=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
       15

When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:

-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd

And a CMP transition will be visible in the /var/log/tmm file similar to the following example:

-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb

For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.

Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.

Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.

Workaround:
F5 recommends the following to minimize the impact of this potential issue:

1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).

The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.

To ensure this functionality will trigger, the following configuration requirements must be met:

a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).

Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.

2) For 'regular' standalone units.

If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.

3) For a standalone chassis which belongs to a pool on an upstream load-balancer.

If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.

An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.

The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.

Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.

When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:

-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.

-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.

841369-2 : HTTP monitor GUI displays incorrect green status information

Component: Local Traffic Manager

Symptoms:
LTM HTTP monitor GUI displays incorrect green status when related pool is down.

TMSH shows correct information

Conditions:
LTM HTTP monitor destination port does not match with pool member port.

Impact:
LTM HTTP marks the node down, but the Instances tab of the monitor in the GUI reports the status as green

Workaround:
You can use either of the following workarounds:
-- Use TMSH to get correct info.
-- Ensure that LTM HTTP monitor destination port does match pool member port.

841341-5 : IP forwarding virtual server does not pick up any traffic if destination address is shared.

Component: Local Traffic Manager

Symptoms:
Virtual servers do not forward any traffic but the SNAT does.

Conditions:
-- Multiple wildcard IP forwarding virtual servers with the same destination address.
-- SNAT is configured.

Impact:
IP forwarding virtual server does not pick up any traffic.

Workaround:
Delete and then re-create virtual servers.

841333-6 : TMM may crash when tunnel used after returning from offline

Component: TMOS

Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.

Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

841277-6 : C4800 LCD fails to load after annunciator hot-swap

Component: TMOS

Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.

Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.

Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.

Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable

2. Wait 10 seconds.

3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable.

This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.

840821-2 : SCTP Multihoming not working within MRF Transport-config connections

Component: Service Provider

Symptoms:
SCTP filter fails to create outgoing connections if the peer requests multihoming. The failure may produce a tmm core.

Conditions:
Usage of SCTP multi-homing with a MRF transport-config.

Impact:
The outgoing connection is aborted or tmm may core. Traffic disrupted while tmm restarts.

Workaround:
None.

840785-2 : Update documented examples for REST::send to use valid REST endpoints

Component: Local Traffic Manager

Symptoms:
The documented examples for REST::send refers to REST endpoints that are not valid.

Conditions:
Viewing the documentation at https://clouddocs.f5.com/api/irules/REST__send.html.

Impact:
Invalid examples lead to potential confusion.

Workaround:
Use valid REST endpoints, documented at https://clouddocs.f5.com/api/icontrol-rest/APIRef.html.

839361-5 : iRule 'drop' command does not drop packets when used in DNS_RESPONSE

Component: Global Traffic Manager (DNS)

Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event.

Conditions:
iRule drop is used under DNS_RESPONSE event.

Impact:
DNS response may be improperly forwarded to the client.

Workaround:
Use DNS::drop instead.

839245-2 : IPother profile with SNAT sets egress TTL to 255

Component: Local Traffic Manager

Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.

Conditions:
Virtual-server with ipother profile and SNAT configured.

Impact:
Traffic leaves with egress TTL set to 255.

Workaround:
None.

839121-2 : A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★

Component: TMOS

Symptoms:
After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.

Conditions:
The upgrade failure is seen when all the following conditions are met:

-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
(1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers
(3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.

Impact:
Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.

Workaround:
There are two possible workarounds:

-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.

-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:

1. cp /config/bigip.conf /config/backup_bigip.conf
2. Run: sed -i "s/\!SSLv2://g" /config/bigip.conf
3. tmsh load /sys config

838925-6 : Rewrite URI translation profile can cause connection reset while processing malformed CSS content

Component: TMOS

Symptoms:
Malformed CSS where one of the style rules is missing a closing brace could cause LTM Rewrite profile to stop processing file or reset connection.

Conditions:
-- LTM Rewrite (URI translation) profile is attached to virtual server.
-- Content rewriting is enabled in Rewrite profile settings.
-- CSS file contains style rule with missing closing brace.

Impact:
URLs are not modified within affected files, starting from the missing closing brace. Intermittent connection resets occur.

Workaround:
Before rewriting, insert the missing symbol into CSS content either directly on the backend server or with an iRule.

838901-3 : TMM receives invalid rx descriptor from HSB hardware

Component: TMOS

Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.

Conditions:
The exact conditions under which this occurs are unknown.

Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.

Workaround:
None.

838861-1 : TMM might crash once after upgrading SSL Orchestrator★

Component: Access Policy Manager

Symptoms:
TMM might crash due to SIGABRT.

Conditions:
-- Session check agent is present in APM per-request policy.
-- APM Access Profile scope changes during SSL Orchestrator upgrade.
-- This issue can occur for SSL Orchestrator upgrades from 14.x to 15.x and above.

Impact:
TMM might crash once. Traffic disrupted while tmm restarts.

Workaround:
None.

838685-3 : DoS report exist in per-widget but not under individual virtual

Component: Application Visibility and Reporting

Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.

Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.

Impact:
GUI widgets report errors and cannot show stats.

Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:

1. Backup the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
   $ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/

2. Change permissions to allow modifying it:
   $ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

3. Change the file to include the fix:
   $ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
   $ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

4. Verify that the fix is as expected:
   $ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php

   (** You should see two lines modified:
       1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
       2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip')

5. Revert permissions of the file:
   $ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

6. Log out and log back into the GUI, so that the new version of the file loads.

838405-2 : Listener traffic-group may not be updated properly when spanning is in use.

Component: Local Traffic Manager

Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.

Conditions:
Spanning is disabled or enabled on a virtual address.

Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.

Depending on the configuration, virtual server may or may not forward the traffic when expected.

Workaround:
Enable/Disable spanning together with changing a traffic-group:

> modify ltm virtual-address 0.0.0.0 traffic-group none spanning enabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled

838353-2 : MQTT monitor is not working in route domain.

Component: Local Traffic Manager

Symptoms:
MQTT monitor fails when non-default route domains are used.

Conditions:
-When a non-default route domain is configured for a pool member
-mqtt monitor in use

Impact:
Mqtt monitor does not work in route domain.

838337-2 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.

Component: TMOS

Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.

Conditions:
None.

Impact:
BIG-IP systems configured to use "America/Sao_Paul" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on previously designated dates.

This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.

Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):

zdump -v <timezone>

For example:

zdump -v America/Sao_Paulo

Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset and already not observing DST.

For example, instead of using "America/Sao_Paul", you could use "America/Buenos_Aires" to obtain the same result.

838305-6 : BIG-IP may create multiple connections for packets that should belong to a single flow.

Component: Local Traffic Manager

Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.

Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.

Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.

838297-3 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication

Component: TMOS

Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.

Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.

Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).

Impact:
Remote AD BIG-IP users are unable to login to the BIG-IP system using remote LDAP authentication

Workaround:
Clear the value of shadowLastChange within AD.

837637-6 : Orphaned bigip_gtm.conf can cause config load failure after upgrading★

Component: TMOS

Symptoms:
Configuration fails to load after upgrade with a message:

01420006:3: Can't find specified cli schema data for x.x.x.x

Where x.x.x.x indicates an older version of BIG-IP software than is currently running.

Conditions:
-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.

-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Impact:
Configuration fails to load after upgrade.

Workaround:
Before upgrading:

If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh load sys config gtm-only

After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh restart sys service all

837617-2 : Tmm may crash while processing a compression context

Component: Local Traffic Manager

Symptoms:
Tmm crashes on segfault.

Conditions:
Conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

837481-6 : SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID

Component: TMOS

Symptoms:
SNMPv3 fails to read authenticated or encrypted messages to all but one of the members of a Config Sync group.

Conditions:
Using SNMPv3 to read or receive Traps from high availability (HA) pairs.

Impact:
SNMPv3 can only work for one member of a configsync group.
Configuring passwords on one device, makes that device work, but other members of the config sync group will now fail.

Workaround:
- check "Authoritative (security) engineID for SNMPv3" is not synced (mostly code released since 2019)
engineID needs to be unique per device

- Modify /defaults/config_base.conf to set sync to "no" and check that these do not sync
We must NOT sync these parameters as they need to match the individual device engineID

            display-name "Authoritative (security) engineID for SNMPv3"
            display-name "Authentication pass phrase for SNMPv3 messages"
            display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
            display-name "User's passphrase"
            display-name "Privacy passphrase"

### Mount usr as rw see see K11302
mount -o remount,rw /usr
pico /defaults/config_base.conf
# use Control-w to search for the display names above
# change "configsyncd yes" to "configsyncd no" if necessary in each location
# use Control-x y to exit with saving
# Restore usr as ro
mount -o remount,ro /usr
tmsh load sys config

Then once they are not syncing over, you can create v3 on each device using the same pass phrase as your SNMPv3 manager is using

tmsh modify sys snmp users add { v3snmp { auth-protocol sha privacy-protocol aes username mikev3 auth-password password3 privacy-password password3} }
tmsh modify sys snmp users modify { v3snmp { security-level auth-privacy access rw } }

Then each device should respond OK to query for that same pass phrase

snmpwalk -v 3 localhost -a sha -x aes -A password3 -X password3 -u mikev3 -l authpriv

For more information about SNMP, see the following articles.
K15681: Customizing the SNMP v3 engineID
K6821: SNMP v3 fails if the SNMP engine ID is not unique
K3727: Configuring custom SNMP traps

837269-1 : Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic

Component: Carrier-Grade NAT

Symptoms:
When hosts send ICMP unreachable error messages and processed by the BIG-IP system, subsequent good UDP packets do not get the persistence LSN translation address.

Conditions:
-- Virtual server with FW NAT or CGNAT configuration to accept UDP traffic.
-- Client or/and server randomly sends ICMP unreachable messages.

Impact:
LSN persistence issues. UDP packets from the same client IP address may not get the same translation address every time, even though there exists a persistence entry in the table

Workaround:
None.

837233-2 : Application Security Administrator user role cannot use GUI to manage DoS profile

Component: Advanced Firewall Manager

Symptoms:
BIG-IP GUI users configured with the Application Security Administrator role are not allowed to manage DoS profile page and settings.

Conditions:
This affects users logged in with the Application Security Administrator role

Impact:
DoS profiles cannot be edited from the GUI.

Workaround:
You can use either workaround:

-- Change the user role to one that allows managing DoS profile.
-- Have the Application Security Administrator user edit profiles from tmsh.

836661-1 : Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.

Component: Local Traffic Manager

Symptoms:
Packet with unexpected source MAC is seen on the adjacent node to the BIG-IP system.

Conditions:
-- The BIG-IP system is configured in an L2 transparent mode using virtual wires.
-- Traffic forwarded between client and server in an asymmetric manner across virtual wires.

Impact:
Incorrect source MAC is used. Possible impacts to services on nodes adjacent to the BIG-IP system if policy decisions on those nodes are made with the source MAC of the received packet as input.

Workaround:
None.

835505-6 : Tmsh crash potentially related to NGFIPS SDK

Component: Local Traffic Manager

Symptoms:
Tmsh crash occurs rarely. The NGFIPS SDK may generate a core as well.

Conditions:
The exact conditions that trigger this are unknown.

It can be encountered when running the following tmsh command:

tmsh -a show sys crypto fips key field-fmt include-public-keys all-properties

Impact:
Tmsh may crash. You are exited from tmsh if you were using it as a shell.

Workaround:
None.

835209-2 : External monitors mark objects down

Component: Global Traffic Manager (DNS)

Symptoms:
Object to which the external monitor is attached is marked down.

Conditions:
Executing external monitors trying to access something without appropriate permissions.

Impact:
Object to which the external monitor is attached is marked down.

Workaround:
None.

834217-6 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.

Component: Local Traffic Manager

Symptoms:
Due to a known issue BIG-IP may advertise sub-optimal window size.

Conditions:
Result of (init-rwnd * client-mss) is greater than maximum window size (65,535).

Impact:
Degraded TCP performance.

Workaround:
Do not use init-rwnd values that might result in values higher than maximum window size (65,535).

Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.

833685-4 : Idle async handlers can remain loaded for a long time doing nothing

Component: Application Security Manager

Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.

Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.

Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.

833173-1 : SFP interfaces are flapping on 2xxx/4xxx on version 15.0.x

Component: TMOS

Symptoms:
SFP interfaces start flapping immediately after booting up 2xxx/4xxx platforms, and it takes some time to goes into an up/running state.

Conditions:
Happens on the following platforms with BIG-IP 15.0.x using the SFP interface:

2000s/2200v
4000s/4400v

Impact:
Interface are unusable until it stops flapping and goes into an up/running state.

Workaround:
There is no known mitigation except to wait for the interface to go into the up/running state.

833049-1 : Category lookup tool in GUI may not match actual traffic categorization

Component: Access Policy Manager

Symptoms:
Category Lookup agent has changed to include the IP in the categorization query. The BIG-IP TMUI does not do the same (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup).

Conditions:
-- SWG or URLDB provisioned.
-- Run traffic with category lookup in the PRP and note the category produced.
-- Run the same URL through the GUI lookup tool or the command line tool.

Impact:
Some websites may be categorized differently depending on if the IP address is passed in or not.

Workaround:
None.

832665-3 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5

Component: TMOS

Symptoms:
Features supported in newer versions of open-vm-tools will not be available.

Conditions:
This issue may be seen when running in VMware environments.

Impact:
Features that require a later version of open-vm-tools will not be available.

Workaround:
None.

832233-2 : The iRule regexp command issues an incorrect warning

Component: Local Traffic Manager

Symptoms:
At validation time, mcpd issues a warning similar to the following:

warning mcpd[7175]: 01071859:4: Warning generated : /Common/test1:2: warning: ["\1" has no meaning. Did you mean "\\1" or "1"?][{(test) (\1)}]

Conditions:
Use arguments such as "\1", "\2", "\3" etc., in command regexp.

Impact:
A warning is generated, "\1" has no meaning, even though it is valid.

Workaround:
Ignore the warning.

832133-2 : In-TMM monitors fail to match certain binary data in the response from the server.

Component: Local Traffic Manager

Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system still marks them DOWN.

Conditions:
This issue occurs when all of the following conditions are met:

-- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).

-- One (or more) of your TCP or HTTP monitors specifies a receive string using HEX encoding, in order to match binary data in the server's response.

-- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.

Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.

Workaround:
You can use either of the following workarounds:

-- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.

-- Do not monitor the application through a binary response (if the application allows it).

831821-2 : Corrupted DAG packets causes bcm56xxd core on VCMP host

Component: TMOS

Symptoms:
On VCMP host, bcm56xxd crashes when it receives a corrupted DAG packets.

Conditions:
Unknown.

Impact:
Device goes offline, traffic disruption.

831661-1 : ASMConfig Handler undergoes frequent restarts

Component: Application Security Manager

Symptoms:
Under some settings and load the RPC handler for the Policy Builder process restarts frequently, causing unnecessary churn and slower learning performance.

Conditions:
Configure one or more policies with automatic policy building enabled and learn traffic with violations

Impact:
Control Plane instability and poor learning performance on the device.

831293-4 : SNMP address-related GET requests slow to respond.

Component: TMOS

Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.

Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.

Impact:
Slow performance.

Workaround:
None.

831161-1 : An iRule before HTTP_REQUEST calling persist none can crash tmm

Component: Local Traffic Manager

Symptoms:
During an iRule event before HTTP_RQUEST, e.g. on FLOW_INIT/CLIENT_ACCEPTED disabling persistence with 'persist none' can crash tmm.

Conditions:
An iRule event before HTTP_RQUEST, e.g., on FLOW_INIT/CLIENT_ACCEPTED disabling persistence with 'persist none'.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

829821-2 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured

Component: TMOS

Symptoms:
If a very large amount of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.

Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).

Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).

Workaround:
None.

829677-3 : .tmp files in /var/config/rest/ may cause /var directory exhaustion

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

This issue is happening because a VIPRION process is not available because of a REST timeout.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Manually run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

829661-1 : TCP connection fails to establish when an SFC policy is enabled

Component: TMOS

Symptoms:
TCP Connections fail to establish. Data transfer does not happen.

Conditions:
-- SFC chain is configured on the system.
-- The configured SFC chain contains legacy servers (non-SFC) as part of the chain.
-- A source port changes from one hop of the SFC chain to next hop.

Impact:
TCP Connections fail to establish. Data transfer does not happen.

Workaround:
None.

829317-4 : Memory leak in icrd_child due to concurrent REST usage

Component: TMOS

Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.

Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.

Impact:
Memory slowly leaks in icrd_child.

Workaround:
None.

829277-3 : A Large /config folder can cause memory exhaustion during live-install★

Component: TMOS

Symptoms:
- live install can fail at around 96%
- system memory can be exhausted and the kernel will kill processes as a result.

Conditions:
During live-install, if configuration roll-forward is enabled, and the uncompressed ucs size is larger than the available memory.

Impact:
The kernel will kill any number of processes; any/all critical applications could become non-functional.

Workaround:
Make sure there are no un-intended large files included in the configuration. Any file stored under /config is considered part of the configuration.

If the configuration is, as intended, on the same order of magnitude as total system memory, do not roll it forward as part of live install. Instead, save it manually and restore it after rebooting to the new software.

to turn off config roll forward; setdb liveinstall.saveconfig disable

to save/restore configuration manually; see
https://support.f5.com/csp/article/K13132

829193-3 : REST system unavailable due to disk corruption

Component: TMOS

Symptoms:
-- The iControl REST commands respond with the following:

[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'

-- The GUI indicates that iAppLX sub-system is unresponsive.

-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.

Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.

Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.

Impact:
The iControl REST system is unavailable.

Workaround:
Run the following commands at the BIG-IP command prompt:

bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat

Then, reinstall any iAppLX packages that were installed.

828937-2 : Some systems can experience periodic high IO wait due to AVR data aggregation

Solution Article: K45725467

Component: Application Visibility and Reporting

Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that is running on the local database. Notice that large memory footprints, particularly for avrd might be a symptom for the phenomenon.

Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned.

Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.

Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 16 cores) or 2148 (on smaller systems).

Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.

828873 : Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor

Component: TMOS

Symptoms:
In the deployment of BIG-IP 15.0.0 on Nutanix AHV Hypervisor, f5-label service is failing with inappropriate input device error.

Conditions:
Deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor.

Impact:
Deployment of BIG-IP v15.0.0 is not stable to log into GUI or terminal on Nutanix AHV Hypervisor.

Workaround:
Steps:

1. Mount the drive:
mount -o rw,remount /usr

2. Add a comment below the line in the '/usr/lib/systemd/system/f5-label.service' service file:
#StandardInput=tty

3. Reload the daemon:
systemctl daemon-reload

4. Restart the service:
systemctl restart f5-label

828789-2 : Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters

Component: TMOS

Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.

Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.

Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP configuration.

This does not impact the BIG-IP system's ability to select the proper Client SSL profile on a virtual server that uses SNI matching to provide distinct certificates.

Workaround:
Specify fewer than 1023 character for the Certificate Subject Alternative Names.

828625-2 : User shouldn't be able to configure two identical traffic selectors

Component: TMOS

Symptoms:
Config load fails by issuing "tmsh load sys config verify"
01070734:3: Configuration error: Duplicate traffic selector is not allowed
Unexpected Error: Validating configuration process failed.

Conditions:
Duplicate IP addresses on multiple traffic-selectors attached to different ipsec-policies.

Impact:
Config load will fail after a reboot

Workaround:
Delete duplicate traffic-selectors.

828601-2 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.

Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.

-- Receive another default gateway from a configured peer using any of dynamic routing protocols (BGP, OSPF, etc.)

Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.

Workaround:
None.

827441 : Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends a TCP SYN to the back-end server, but ignores the server's SYN-ACK response.

Conditions:
A virtual server that contains a UDP profile with idle-timeout immediate is modified to replace the UDP profiles with TCP profiles.

Impact:
Connections from the BIG-IP system to backend servers fails.

Workaround:
Delete and recreate the virtual server.

827209-3 : HSB transmit lockup on i4600

Component: TMOS

Symptoms:
TMM shows HSB transmit lockup message and cored.

Conditions:
-- Using an i4600 platform.
-- Other conditions under which this occurs are unknown.

Impact:
Disruption to processing traffic on the BIG-IP system.

Workaround:
None.

827021-1 : MCP update message may be lost when primary blade changes in chassis

Component: TMOS

Symptoms:
In a VIPRION chassis, when the Primary blade is disabled (intentionally or due to an unexpected loss of functionality) and a new Primary blade is selected, there is a brief window of time during which status messages forwarded from MCPD on a Secondary blade to MCPD on the Primary blade might be dropped, possibly resulting in an incorrect view of the state of configured objects.

Conditions:
This problem may occur under the following conditions:
-- The state of a blade-local object/resources (such as a network interface or trunk) changes.
-- There is a high load on MCPD (for example, due to configuration reload on the new Primary blade) which delays processing of some MCPD actions.

Impact:
This problem may result in the state of blade-local objects (such as interfaces or trunks) being seen and reported incorrectly across the blades in the chassis, or on one or more specific blades (Primary, Secondary) in the chassis.

For example, if loss of the Primary blade results in one or more interfaces in a trunk being marked down by LACPD on a specific blade, resulting changes in trunk/member status may not be propagated correctly to the Primary blade, and from there to other Secondary blades.

Workaround:
None.

826349-1 : VXLAN tunnel might fail due to misbehaving NIC checksum offload

Component: Local Traffic Manager

Symptoms:
Some NICs, e.g., on BIG-IP 2000/4000 platforms, perform checksum offloading for UDP, and erroneously mark a 0 (zero) checksum as a checksum failure, even though the UDP header includes an optional, 16-bit one's complement checksum that provides an integrity check.

If the computed checksum is 0, it is transmitted as all ones. In this case the NIC should accept the checksum, but it does not.

Conditions:
NIC offload checksum of 0.

Impact:
VXLAN tunnel fails.

Workaround:
None.

826313-5 : Error: Media type is incompatible with other trunk members★

Component: TMOS

Symptoms:
Loading system configuration is failing after upgrade with an error message

01070619:3: Interface 5.0 media type is incompatible with other trunk members

Conditions:
-- Trunk interface created in BIG-IP version 12.3.4.
-- Trunk interfaces have different speeds (e.g. 100Mb interfaces and 1Gb interfaces)
-- Load the configuration after upgrading from v12.1.3.4 to v12.1.3.5.

Impact:
The system configuration is failing to load.

Workaround:
If you encounter this error, manually fix all trunks to only use interfaces of the same speed, and then load the configuration.

826297-2 : Address list as source/destination for virtual server cannot be changed from tmsh

Component: TMOS

Symptoms:
Address list as source/destination for virtual server cannot be changed from tmsh as it is applicable from GUI.

Conditions:
For an address created in tmsh:

# list security shared-objects address-list
security shared-objects address-list testAddressList {
    addresses {
        1.1.1.1/32 { }
        2.2.2.2/32 { }
    }
}

There is no Address list option shown in virtual server config:

# modify ltm virtual test source
Configuration Items:
  [enter address or address/prefixlen] <==!!

Impact:
Address list as source/destination for virtual server cannot be changed from tmsh.

Workaround:
Use the GUI to make changes to the Address list as source/destination for virtual server.

826265-4 : The SNMPv3 engineBoots value restarts at 1 after an upgrade

Component: TMOS

Symptoms:
Many SNMPv3 clients pay attention to the engineBoots value as part of server authentication. When the BIG-IP system is upgraded, the engineBoots value is not retained, so it restarts at 1.

Conditions:
Upgrading a BIG-IP system whose engineBoots value is greater than 1.

Impact:
The engineBoots value is reset to 1. This may look like an error condition for the SNMPv3 client.

Workaround:
1. Run the following command (where n = the value at which you want to start the engineBoots):

tmsh modify sys snmp include 'engineBoots n'

2. Restart SNMPD.

826189-1 : The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.

Component: TMOS

Symptoms:
The input validation performed by the BIG-IP system WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.

The WebUI should allow users to specify only a prefix (for example, 2001:db8:0:0:0:0:0:0 or 2001:db8::); however, it incorrectly allows users to specify a subnet mask too (for example, 2001:db8:0:0:0:0:0:0/96 or 2001:db8::/96).

In contrast, the TMSH utility correctly enforces values for this option.

Conditions:
The BIG-IP Administrator creates or modifies a DNS profile using the WebUI, and specifies an IP/SM value for the dns64-prefix option.

Impact:
Upon performing DNS64, TMM returns incorrect DNS answers that do not use the specified prefix. For example, if the Administrator specifies 2001:db8:0:0:0:0:0:0/96 as the prefix, and if the IPv4 address of the requested resource is 198.51.100.1, DNS64 returns ::198.51.100.1 instead of 2001:db8::c633:6401. This prevents end-user clients from reaching the intended resource.

The impact described in this section only applies to BIG-IP versions 14.1.0 and later. Previous BIG-IP versions also had this WebUI validation issue, but despite this TMM still returned the correct DNS answer.

Workaround:
When configuring this option using the WebUI, do not specify a subnet mask.

825501-2 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★

Component: Protocol Inspection

Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.

It also shows different versions of the Active IM package on different slots.

Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.

Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.

As a result, traffic being processed by different blades will be using different IPS libraries and might cause inconsistency in the functionality

Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.

825413-3 : /var/lib/mysql disk is full

Component: Application Security Manager

Symptoms:
PRX.BRUTE_FORCE_* db tables do not have a row_limit, so they can grow to consume all available disk space in /var/lib/mysql.

Conditions:
ASM provisioned

Impact:
/var/lib/mysql can run out of disk space

Workaround:
1. Truncate the two large tables. This clears all the row in those table and should make disk space.
   Note that existing brute force username and IPs reporting data will be lost.

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_USERNAMES"

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_IPS"

2. Add row_limit for the two tables to avoid the same issue in the future.

Add following lines in the bottom of this file, /etc/ts/tools/clean_db.yaml

  PRX.BRUTE_FORCE_MITIGATED_USERNAMES:
    row_limit: 100000
    order_by: brute_force_mitigated_username_id

  PRX.BRUTE_FORCE_MITIGATED_IPS:
    row_limit: 100000
    order_by: brute_force_mitigated_ip_id

Restart clean_db process (there is no impact of restarting this process)

# pkill -f clean_db

Wait 30 sec, and make sure the process came back

# ps aux | grep clean_db

825245-3 : SSL::enable does not work for server side ssl

Component: Local Traffic Manager

Symptoms:
When SSL::enable is issued in an iRule, for example in the HTTP Request event, it will not enable the server side profile if the server side profile is disabled.

Conditions:
An HTTP profile is configured on a virtual, and the server-ssl profile on the same virtual is disabled.

Impact:
The connection will close instead of completing.

Workaround:
Do not use a disabled server-ssl profile in this situation.

824917-1 : Behavioral DoS dashboard disregards user access rights to virtual servers

Component: Anomaly Detection Services

Symptoms:
For users that have access to particular partition(s) only, the Behavioral DoS dashboard shows data for all virtual servers, including virtual servers in partitions that this user does not have access to.

Conditions:
-- logged into the GUI as a user which only has access to one partition
-- viewing the Behavioral DoS dashboard
-- The device has virtual servers on partitions to which the current user has no access.

Impact:
User can see BADOS statistics data related to restricted partitions.

Workaround:
None

824809-5 : bcm56xxd watchdog restart

Component: TMOS

Symptoms:
During initialization of very large configurations it is possible that the watchdog timer will fire and reset the bcm56xxd driver.

Conditions:
System configuration with very large number of objects being loaded.

Impact:
The driver restarts.

824437-1 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:

Assertion "xbuf_delete_until successful" failed.

Conditions:
This issue occurs when the following conditions are met:

-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.

-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.

824433-2 : Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile

Component: Local Traffic Manager

Symptoms:
The HTTP/1.1 request/response statistic fields in the HTTP profile are incremented incorrectly when HTTP2 traffic is encountered.

There is not currently a way to view the HTTP2 and HTTP3 request/response stats on the HTTP profile.

Conditions:
-- Client or server sends HTTP2 request/response.
-- Using GUI, TMSH, iControl (SOAP), or SNMP.

Impact:
Incorrect HTTP/1.1 request/response statistic values are present in the HTTP profile when HTTP2 traffic is encountered.

Workaround:
None.

824205-2 : GUI displays error when a virtual server is modified if it is using an address-list

Component: TMOS

Symptoms:
When you modify a virtual server, the GUI returns an error similar to the following:

01b90011:3: Virtual Server /Common/vs2_udp's Traffic Matching Criteria /Common/vs2_udp_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1_tcp destination address, source address, service port.

Conditions:
This occurs when either of the following occur:

-- When renaming the virtual server.
-- When changing the address-list attribute.

Impact:
Cannot update virtual configuration with new value.

Workaround:
None.

824101-3 : Request Log export file is not visible for requests including binary data

Component: Application Security Manager

Symptoms:
Request Log export file is not visible.

Conditions:
Request Log export file contain request with binary data

Impact:
Cannot get data from Request Log export file.

Workaround:
None.

824093-4 : Parameters payload parser issue

Component: Application Security Manager

Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.

Conditions:
-- ASM in use.
-- Request contains multipart headers.

Impact:
Incorrect policy enforcement.

Workaround:
None.

824037-1 : Bot Defense whitelists do not apply for IP 'Any' when using route domains

Component: Application Security Manager

Symptoms:
When defining whitelists in bot defense profiles, when the IP is set to 'Any' and route domains are in use, whitelists are not applied.

Conditions:
-- Bot Defense profile is enabled.
-- Whitelist is configured for IP 'Any' (for URL or GEO),
-- Sending a request that matches the whitelist using route domains.

Impact:
Request will be mitigated.

Workaround:
For url whitelist only:
Add micro service to the bot defense profile, configure:
1. Add required URL.
2. Specify service type 'Custom Microservice Protection'.
3. Set the 'Mitigation and Verification' setting as required (relevant for logging only).
4. In 'Automated Threat Detection', set 'Mitigation Action' to 'None'.
5. Set the microservice 'Enforcement Mode' to 'Transparent'.

This causes the associated URL to never be blocked (but no 'whitelist' will be seen in reporting).

823921-1 : FTP profile causes memory leak

Component: Local Traffic Manager

Symptoms:
When a FTP profile is added to a virtual server, TMM runs with memory leak and eventually system has to terminate connections.

Conditions:
A FTP profile is installed on virtual server and the inherit-parent-profile parameter is enabled or isession is also included on the FTP virtual.

Impact:
TMM runs with memory leak and eventually system has to terminate connections.

Workaround:
Disable the inherit-parent-profile option if fastL4 data-channel is adequate.

823825-6 : Renaming HA VLAN can disrupt state-mirror connection

Component: Local Traffic Manager

Symptoms:
If the VLAN that services the state mirror connection between BIG-IP systems is renamed, it can cause a disruption of the state mirror connection. It can also lead to an eventual crash.

Conditions:
Renaming the VLAN that services the state mirror connection between BIG-IP systems in an high availability (HA) configuration.

Impact:
System might crash eventually.

Workaround:
Do not rename the VLAN that services the state mirror connection between BIG-IP systems in an HA configuration.

822253-2 : After starting up, mcpd may have defunct child "run" and "xargs" processes

Component: TMOS

Symptoms:
After starting up, mcpd may have defunct child "run" and "xargs" processes

Conditions:
Slow disk storage or large configuration files.

Impact:
Minimal; some zombie processes are created.

822245-3 : Large number of in-TMM monitors results in some monitors being marked down

Component: Local Traffic Manager

Symptoms:
Pool members are marked down from the in-TMM monitor.

Conditions:
Device has a large number of in-TMM monitors.

Impact:
Monitor target may appear down when it is actually up.

Workaround:
Disable in-tmm monitors:
tmsh modify sys db bigd.tmm value disable

821369-1 : Incomplete Action 'Deny' does not take effect for HTTP-Connect

Component: Access Policy Manager

Symptoms:
Per-request policy's incomplete-action 'Deny' does not take effect for HTTP-Connect request.

Conditions:
-- SSL Orchestrator (SSLO) or APM is licensed and provisioned.
-- Per-request policy is created and attached to a virtual server.
-- Incomplete Action value of per-request policy is set to 'Deny'.

Impact:
The BIG-IP system does not reject the HTTP-Connect request when incomplete-action is set to 'Deny'.

Workaround:
None.

821309-2 : After an initial boot, mcpd has a defunct child "systemctl" process

Component: TMOS

Symptoms:
Zombie "systemctl" process, as a child of mcpd.

Conditions:
Reboot of the BIG-IP.

Impact:
Minimal; a single zombie process is created.

Workaround:
To get rid of the process, you can restart mcpd.

820845-4 : Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.

Component: TMOS

Symptoms:
BIG-IP systems might not respond to ( ARP / Neighbour Discovery ) requests received via EtherIP tunnels on a multi-blade system.

Conditions:
Decapsulated ( ARP / Neighbour Discovery ) requests for an address owned by the BIG-IP system is processed by a secondary blade.

Impact:
Some endpoints may not be able to resolve ( ARP / Neighbour protocol ) via EtherIP tunnel.

Workaround:
Create static ARP entries on affected endpoints.

820333-2 : LACP working member state may be inconsistent when blade is forced offline

Component: Local Traffic Manager

Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.

Conditions:
LACP updates while blade is going offline.

Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.

820213-3 : 'Application Service List' empty after UCS restore

Component: TMOS

Symptoms:
The iApps :: Applications LX list does not display anything after restoring a UCS that was taken from a different device.

Conditions:
-- Restoring a UCS from a different device.
-- UCS includes the iAppLX package.

Impact:
Cannot see anything on 'Application Service List', and you are unable to configure the application.

Workaround:
Run the following command before restoring the UCS file:

clear-rest-storage

819457-2 : LTM high availability (HA) sync should not sync GTM zone configuration

Component: TMOS

Symptoms:
LTM high availability (HA) sync group are syncing GTM zone configuration changes.

Conditions:
1. BIG-IPs has both LTM and GTM provisioned.
2. The two BIG-IPs are inside one LTM sync group.

Impact:
GTM zone files are accidentally modified.

819429-4 : Unable to scp to device after upgrade: path not allowed

Component: TMOS

Symptoms:
SCP of file to the BIG-IP system results in error:
path not allowed

Conditions:
Issue occurs when both conditions are present:
-- The BIG-IP user has shell tmsh or shell none access.
-- The scp operation is performed on a non-symlink location present under scp whitelist (/config/ssh/scp.whitelist).

For example:
scp to /var/tmp succeeds
scp to /shared/tmp fails with 'path not allowed'.

Impact:
Cannot copy files to symlinks present under whitelist.

Workaround:
None.

819421-4 : Unable to scp/sftp to device after upgrade★

Component: TMOS

Symptoms:
Users with numeric usernames are unable to log in via scp.

Conditions:
-- Logging in via scp/sftp.
-- User account with a numeric username.

Impact:
Unable to log in via scp.

Workaround:
Include alpha characters in username.

819233-4 : Ldbutil utility ignores '--instance' option if '--list' option is specified

Component: Access Policy Manager

Symptoms:
When running ldbutil utility, if the '--list' option is specified, then the '--instance' option has no effect. All the local users will be listed.

Conditions:
When both '--list' and '--instance' options are specified.

Impact:
The output lists all the local users and not limiting to the '--instance' option given.

Workaround:
None.

819009-4 : Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol.

Component: TMOS

Symptoms:
The multicast routing protocols are implemented by pimd and mribd daemons. mribd daemon crashes in a specific configuration when debug logging is enabled for this daemon.

Conditions:
1) Dynamic Routing bundle is enabled and PIM protocol is enabled on a route domain.
2) High availability (HA) group/pair with floating self IP address is configured.
3) PIM neighbors are configured for each peer in high availability (HA) group/pair.
4) One of the peers in high availability (HA) is configured to use floating self IP address as an IP address for PIM protocol.

This is done using the 'ip pim use-floating-address' command in the PIM configuration in imish:
# ip pim use-floating-address

5) Multicast routing is configured in imish:
# ip multicast-routing

6) Debug logging for mribd is enabled:
# debug ip mrib all
# debug ipv6 mrib all
---
Note: Although steps 3 and 4 are optional, a practical configuration makes no sense without them.

Impact:
Dynamic routing daemon mribd crashes. Advanced routing not available while mribd restarts.

Workaround:
None.

818853-2 : Duplicate MAC entries in FDB

Component: Local Traffic Manager

Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.

Conditions:
-- Having multiple paths to a MAC in a given configuration.

Impact:
There are duplicate MAC address entries which come from multiple interfaces.

Workaround:
None.

818833-2 : TCP re-transmission during SYN Cookie activation results in high latency

Component: Local Traffic Manager

Symptoms:
Issue is reported at the following system setup:

client <-> BIG-IP <-> concentrator <-> proxy <-> BIG-IP nat gateway <-> Internet

-- SYN Cookie got activated on F5 nat gateway.
-- Latency from 'Internet' (public host) is observed at 'Proxy' device sitting before F5 nat gw.
-- During the latency issue, SYN Cookie was active and evicting connections.
-- When SYN Cookie is enabled, it switches to l7 delayed binding as expected but it is not sending ACK for HTTP request so the client sends it again and again.

Conditions:
Haredware SYN Cookie is enabled on FastL4 profile

Impact:
High latency is observed.

Workaround:
Disable the SYN Cookie on the FastL4 profile

818789-6 : Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile

Component: Local Traffic Manager

Symptoms:
With in-tmm monitoring enabled (or sys db bigd tmm set to enable) and with https monitor's ssl-profile set to none, the expected behavior is to send ciphers in ClientHello based on default serverssl profile as mentioned in GUI help for https monitor.

Conditions:
Configure HTTPS Monitor with ssl-profile "None".

Impact:
Ciphers are not exchanged as expected in the ClientHello Packets

Workaround:
Configure HTTPS Monitor without ssl-profile option, default serverssl profile will be used

818777-1 : MCPD error - Trouble allocating MAC address for VLAN object

Component: TMOS

Symptoms:
You see the following errors in /var/log/ltm:

err mcpd[8985]: 0107071c:3: Trouble allocating mac address for vlan object /Common/external.

Conditions:
Conditions under which this occurs are unknown.

Impact:
There is no known impact to the system as a result of this log message.

Workaround:
If this reoccurs, you can try force reloading mcpd.

For more information, see K13030: Forcing the mcpd process to reload the BIG-IP configuration, available at https://support.f5.com/csp/article/K13030.

818737-2 : Improve error message if user did not select a address-list or port list in the GUI

Component: TMOS

Symptoms:
In the GUI, the Virtual Server screen displays the available address-lists or port lists for source address, but there is no clarity on whether the options are selected or available.

Conditions:
-- Virtual server's source address section.

Impact:
If you do not make a selection and try to create the Virtual Server, an error occurs: An error has occurred while trying to process your request.

Workaround:
Click to select the address-list of port-list displayed as source address for Virtual Server.

818721-2 : Virtual address can be deleted while it is in use by an address-list.

Component: Local Traffic Manager

Symptoms:
-- The virtual-address (and virtual server) will no longer work.

-- The BIG-IP won't answer ARP requests for it.

-- Loading the config again or performing similar operations will not re-create the virtual-address.

Conditions:
-- A virtual address is deleted while it is in use by an address list and virtual server.
-- MCPD is restarted (or the unit rebooted, etc.).

Impact:
Traffic processing is disrupted

818505-2 : Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Component: TMOS

Symptoms:
Using an iControl PUT command to modify a virtual address will change that address's netmask to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.

Conditions:
Modifying a virtual address using an iControl PUT command.

Impact:
An unintentional change to the virtual address's netmask.

Workaround:
Two options:
-- Use a PATCH command instead of a PUT command.
-- Always specify the netmask explicitly when making changes.

818417-1 : Flowspecd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf.

Component: TMOS

Symptoms:
During system boot, the flowspecd daemon emits a message 'Shm segment not found in /etc/ha_table/ha_table.conf', and heartbeat monitoring is disabled for flowspecd.

Conditions:
Flowspecd daemon is running.

Impact:
No heartbeat monitoring for flowspecd daemon.

Workaround:
Manually edit the file /etc/ha_table/ha_table.conf and insert a line at the end:
ha segment path: /flowspecd

818297-2 : OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure

Component: TMOS

Symptoms:
OVSDB-server fails to make SSL connections when Selinux is enforced.

In /var/log/openvswitch/ovsdb-server.log:

...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).

Conditions:
-- Navigate to System :: Configuration : OVSDB.
-- Add cert and keys.

Impact:
Permission denied, SSL connection failure.

Workaround:
Step 1: Check openvswitch SELinux denial:
# audit2allow -w -a
Example output:
type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

Step 2: Find openvswitch components that need Linux policy additions:
# audit2allow -a
Example output:
#============= openvswitch_t ==============
allow openvswitch_t f5config_t:dir search;
allow openvswitch_t f5filestore_t:dir search;
allow openvswitch_t f5filestore_t:file { getattr open read };

Step 3: Modify the policy to allow access to the component openvswitch_t:
# audit2allow -a -M openvswitch_t

Step 4: Apply the policy:
# semodule -i openvswitch_t.pp

818109-2 : Certain plaintext traffic may cause SSL Orchestrator to hang

Component: Local Traffic Manager

Symptoms:
After upgrading SSL Orchestrator to version 5.x, traffic gets reset, SSL Orchestrator hangs, and tcpdump analysis indicates that connections are being reset due to SSL handshake timeout exceeded.

Conditions:
-- SSL Orchestrator configured.
-- Initial plaintext traffic resembles SSLv2 hello message or has less-than-enough bytes for SSL to process.

Impact:
SSL Orchestrator hangs on that connection, unable to bypass traffic until the connection times out. Other connections handle traffic during this interval.

Workaround:
None.

818097-5 : Plane CPU stats too high after primary blade failover in multi-blade chassis

Component: Local Traffic Manager

Symptoms:
The data, control, and analysis plane stats are too high as reported by tmsh show sys performance system detail.

Conditions:
The primary blade in a multi-blade chassis fails over to another blade.

Impact:
The plane CPU stats are too high.

Workaround:
Remove the /var/tmstat/blade/statsd file on the previous primary blade and restart merged on that blade.

818069-5 : GUI hangs when iApp produces error message

Component: iApp Technology

Symptoms:
If lengthy Tcl errors are displayed in the GUI while creating an iApp, the GUI can hang.

Conditions:
-- Creating an iApp that contains a syntax error.
-- A large error message is emitted.

Impact:
GUI hangs.

Workaround:
Restart the tomcat process:
tmsh restart sys service tomcat

817089-2 : Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing

Component: TMOS

Symptoms:
Connections that are hardware accelerated and that use asymmetric routing may use the wrong MAC address for return traffic. This can be observed by looking at a packet capture.

Conditions:
Hardware acceleration is enabled (ePVA/fastL4) with asymmetric routing.

Impact:
The return traffic has the wrong source MAC address. This may affect packet forwarding depending on the configuration.

Workaround:
Disable HW acceleration.

817085-5 : Multicast Flood Can Cause the Host TMM to Restart

Component: TMOS

Symptoms:
A vCMP host tmm is restarted.

Conditions:
The vCMP host is processing heavy multicast traffic.

Impact:
The host TMM restarts and traffic stops for the guests.

Workaround:
An adjustment to the scheduling can be made by this setting of the vCMP Host configuration:

# echo "realtime yield 90" > /config/tmm_init.tcl
# bigstart restart tmm

The bigstart restart tmm must be performed individually on all blades on the vCMP host. These changes also must be done on all vCMP hosts with guests in a high availability (HA) setup.

816529-3 : If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.

Component: Traffic Classification Engine

Symptoms:
URLCAT lookups to Custom DB return Unknown result.

Conditions:
-- URL is being looked up against Custom DB
-- wr_urldbd is restarted at the same time

Impact:
Queries will likely fail in highly loaded environments if wr_urldbd is restarted for any reason.

Workaround:
None.

816353-2 : Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1

Component: TMOS

Symptoms:
During re-licensing or license reload, an unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1 may be sent.

Conditions:
Occurs during license reload or reactivation.

Impact:
After a license reload, the unknown trap can be seen like the following:

run "tcpdump -ni mgmt port 162 -vvvv &":

12:01:59.883331 IP (tos 0x0, ttl 64, id 47411, offset 0, flags [DF], proto UDP (17), length 101)
10.248.136.179.55540 > 172.28.8.68.snmptrap: [bad udp cksum 0x486e -> 0xd7b8!] { SNMPv2c { V2Trap(58) R=1205683810 .1.3.6.1.2.1.1.3.0=1775555 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.2.1.47.2.0.1.0.1 } }

816229-2 : Kernel Log Messages Logged Twice

Component: TMOS

Symptoms:
You see duplicate log messages in /var/log/kern.log

Conditions:
This can be encountered when viewing /var/log/kern.log right after startup in BIG-IP versions dating back to 14.1.0

Impact:
Viewing ('cat'ing) kern.log results in duplicated log messages in the buffer.

815529-1 : MRF outbound messages are dropped in per-peer mode

Component: Service Provider

Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.

Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.

Impact:
Outbound traffic with the same destination address may be dropped at random.

Workaround:
Change the peer connection mode to 'Per TMM'.

815089-2 : On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations

Component: Local Traffic Manager

Symptoms:
If you have a system with no VLANs configured, and you attempt to create virtual servers or SNATs that have the same address/port combinations, you will be able to do so without validation errors.

Conditions:
-- A BIG-IP system with no VLANs configured.
-- Creating virtual servers or SNATs that have identical address/port combinations.

Impact:
An invalid configuration is allowed.

Workaround:
None.

814941-3 : PEM drops new subscriber creation if historical aggregate creation count reaches the max limit

Component: Policy Enforcement Manager

Symptoms:
PEM subscriber create fails, usually seen across multiple high availability (HA) failover events

Conditions:
When the aggregate subscriber create reaches the maximum subscriber limit per tmm which is configured using sys db, sys db statemirror.mirrorsessions

Impact:
Unable to bringup any more subscribers

Workaround:
Restart tmm when the limits are reached

814585-2 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.

814353-5 : Pool member silently changed to user-disabled from monitor-disabled

Component: TMOS

Symptoms:
When a node (Disabled by Monitor) is updated via the member screen (no change to configuration required), the status changes from:

'Available (Disabled) pool members is available, monitor disabled'.

To:

'Available (Disabled), pool member is available, user disabled'.

Conditions:
-- A node disabled by Monitor.
-- Go to GUI LTM pool member and navigate into the monitor disabled member, then update without any configuration change.

Impact:
Pool member goes to 'user-disabled'.

Workaround:
To recover, re-enable the pool member.

814273-2 : Multicast route entries are not populating to tmm after failover

Component: TMOS

Symptoms:
Multicast route entries are not populating in tmm after failover. ZebOS has the multicast entries, but tmm does not.

Conditions:
-- High Availability (HA) configured, with multicast traffic.
-- A failover occurs.

Impact:
Multicast traffic does not pass through properly

Workaround:
Clear the multicast entries in ZebOS manually:
> clear ip mroute *
> clear ip igmp group

814097-1 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.

Component: Service Provider

Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.

Conditions:
Converting the transport of SIP messages with the Generic Message router.

Impact:
Any code that waits for the SERVER_CONNECTED event will not run.

814053-3 : Under heavy load, bcm56xxd can be killed by the watchdog

Component: TMOS

Symptoms:
bcm56xxd crashes, and the device fails over on heartbeat error:

warning sod[7244]: 01140029:4: HA daemon_heartbeat bcm56xxd fails action is restart.
notice sod[7244]: 010c006c:5: proc stat: [0] pid:12482 comm:(bcm56xxd) state:S utime:16612520 stime:879057 cutime:11 cstime:21 starttime:1601425044 vsize:2189299712 rss:527927 wchan:18446744073709551615 blkio_ticks:0 [-1] pid:12482 comm:(bcm56xxd) state:S

Conditions:
-- HA configured.
-- Programming the DAG while it is under heavy load (i.e., a large number of objects that have to be programmed into the switches).

Impact:
The bcm56xxd daemon may restart and produce a core file. It then continues trying to program the DAG.

This causes a system to go offline and stop processing traffic.

Workaround:
None.

814037-5 : No virtual server name in Hardware Syncookie activation logs.

Component: Local Traffic Manager

Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:

notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.

Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.

Impact:
Difficult to determine which virtual server actually got the Syncookie activated.

Workaround:
None.

813969-4 : Network DoS reporting events as 'not dropped' while in fact, events are dropped

Component: Advanced Firewall Manager

Symptoms:
Logs/Tmctl shows packet dropped whereas AVR shows Action as 'Allowed' and not 'Dropped'.

Conditions:
-- AFM configured.
-- AFM passes the message to AVR for reporting.

Impact:
The operation does not update the drop flag. It appears from AVR Reporting that packets are allowed, but actually they are dropped

Workaround:
There is no workaround at this time.

813945-4 : PB core dump while processing many entities

Component: Application Security Manager

Symptoms:
PB core dump.

Conditions:
This may happen when the system is strained and PB is processing large policies (updating many entities may happen during periodic processing, response analysis).

This is a very rarely occurring scenario.

Impact:
PB core dump and restart.

Workaround:
None.

813609-1 : Multpile process consumer more memory with multiple components provisioned and causing RAM usage grow during traffic testing.

Component: Performance

Symptoms:
Different process (in this case avrd) on the BIG-IP system are killed due to OOM when most of components are provisioned and traffic testing encompasses more than 100 users. This occurs because the amount of memory is not sufficient for the provisioning of APM plus SWG, which requires 16 GB alone.

Conditions:
-- Many virtual servers configured.
-- Large number of client end users sending a lage amount of traffic.
-- Less than 16 GB, which is not sufficient with many modules provisioned.

Impact:
Excessive memory consumption reduces available RAM for other system daemons.

Workaround:
None.

813517-1 : The cron daemon not running after upgrade from pre-v14.1.0 versions to 15.0.x★

Component: TMOS

Symptoms:
After upgrading to v15.0.x, the system cron daemon is not running, which causes periodic system operations not to run.

This includes, but is not limited to:

-- SSL/TLS ephemeral key generation.
-- Log rotation.
-- SSL certificate.

Conditions:
Upgrade BIG-IP system from pre-v14.1.0 to 15.0.x.

Impact:
The crond daemon is down, making any process dependent on crond to not work on the system:

-- The SSL connection mirroring does not work as expected.
-- Script scheduling does not work.

Workaround:
Enable and start crond:

1. systemctl enable crond
2. systemctl start crond

813221-2 : Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync

Component: Global Traffic Manager (DNS)

Symptoms:
The virtual server for an LTM redundant peer is continually updated with its IP/Port changing back and forth between two values, leading to perpetual GTM configuration syncs.

Conditions:
The destination IP:port of the virtual server on the LTM is not in sync between the LTM devices in the device-group.

Impact:
The virtual server is flapping status between "blue" and 'green', and its destination IP:port is changing between a correct value and an incorrect one. Traffic will be impacted.

Workaround:
Perform a configsync on the LTM device-group that owns the virtual server.

813057-1 : False positive attack detection on DoS profile vectors for unbalanced traffic

Component: Advanced Firewall Manager

Symptoms:
DoS attack is detected on a profile vector when attack Packets Per Second (PPS) is lower than the threshold.

Conditions:
Unbalanced traffic between tmms for DoS profile vector.

Impact:
False positive attack detection.

Workaround:
None.

812993-2 : Monpd process consumes considerable amount of RAM on systems with many virtual servers

Component: Application Visibility and Reporting

Symptoms:
Monpd process consumes a considerable amount of RAM (several gigabytes). The RAM usage grows constantly within the first 24 hours. This occurs because of the collection of ADM (BADOS) real-time statistics in monpd memory for last 24 hours per virtual server.

Conditions:
Many virtual servers are defined in the system. The memory consumption depends on the number of virtual servers.

Impact:
Excessive memory consumption reduces available RAM for other system daemons.

Workaround:
None.

812705-2 : 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic

Component: Carrier-Grade NAT

Symptoms:
IPv4 Packets are forwarded to server-side with destination address changed to LTM pool member address even when 'translate-address disabled' is configured on a NAT64 virtual server.

Conditions:
-- Create iRules for LTM pool selection.
-- Configure the NAT64 virtual server with 'translate-address disabled'.
-- Send IPv6 client request accessing the NAT64 virtual server.

Impact:
Server-side IPv4 packets are forwarded with destination address modified. The server-side packets do not reach the intended destination, resulting in connection failures.

Workaround:
Use normal LTM pool selection instead of iRules-based, LTM pool selection.

812693 : Connection in FIN_WAIT_2 state may fail to be removed

Component: Local Traffic Manager

Symptoms:
If a connection that has a fully closed client-side, but a server-side still in FIN_WAIT_2, receives a SYN matching the same connflow, the idle time is reset. This can result in the fin-wait-2-timeout never being reached. The SYN will be responded to with a RST - 'TCP Closed'

Conditions:
- Client side connection has been fully closed. This may occur if a client SSL profile is in use and an 'Encrypted Alert' has been received.
- Server side has sent a FIN which has been ACK'd, but no FIN has been received from the server.
- SYN received matching the existing connflow before the FIN-WAIT-2-timeout has been reached (300 default).

Impact:
Connection may fail to be removed in a timely manner. New connection attempts are RST with 'TCP Closed'

Workaround:
You can use either of the following:
-- Ensure servers are sending FIN's so as not to leave the connection in a FIN_WAIT_2 state.

-- Mitigate the issue by lowering the FIN-WAIT-2-timeout to a smaller value, e.g., FIN-WAIT-2-timeout 10.

812493-3 : When engineID is reconfigured, snmp and alert daemons must be restarted★

Component: TMOS

Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.

Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.

Impact:
This may confuse the SNMP client receiving the trap.

Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time and the first time after a software upgrade

tmsh restart sys service snmpd alertd

812481-1 : HSL logging may work unreliably for Management-IP firewall rules

Component: Advanced Firewall Manager

Symptoms:
HSL logging related to Management-IP firewall rules can periodically freeze and corresponding log messages can be lost.

Conditions:
No special conditions, this can happen intermittently on any setup.

Impact:
HSL log messages related to Management-IP firewall rules are missed.

Workaround:
None.

812269-2 : TMM might crash with traffic while deleting a pool member

Component: Local Traffic Manager

Symptoms:
TMM might crash during an operation of deleting a pool member.

Conditions:
-- Deleting a pool member from a pool
-- The BIG-IP system is in the middle of processing a request.

One potential scenarios is running a large iRule that inserts a delay in the processing of a request. This makes it more likely to satisfy the condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

811161-3 : Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992

Component: Local Traffic Manager

Symptoms:
TMM cores when creating a virtual server.

Conditions:
ISO build that includes the fix for ID 718790 or ID 783617.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

811157-1 : Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself

Component: Advanced Firewall Manager

Symptoms:
"Global Staged Default Action" message is logged into the firewall log for ICMP traffic targeted to Self-IP or Virtual Server destination address, even though this traffic can never be affected by Global Default Actions.

The "Global Staged Default Action" counter is also incremented.

Conditions:
Logging is enabled for Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "enabled" (this sys db has value "disabled" by default).

There are no special conditions for the "Global Staged Default Action" counter increment.

Impact:
Misleading messages are logged into the firewall log.
The "Global Staged Default Action" counter is incorrectly incremented.

The traffic itself is not affected and there are no other negative effects except the incorrect log message and counter update.

Workaround:
There is no workaround regarding the "Global Staged Default Action" counter increment.

For preventing the misleading log message disable logging of Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "disabled".

811053-1 : REBOOT REQUIRED prompt appears after failover and clsh reboot

Component: TMOS

Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.

Conditions:
This issue can be created by doing the following:
- using a VIPRION system with at least 2 blades running
- AAM is not provisioned
- reset the primary blade
- immediately following the blade reset, run 'clsh reboot' on a secondary blade.

Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #

Any blade with this prompt must be rebooted again.

Workaround:
None currently known.

811041-6 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf

Component: TMOS

Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.

Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.

Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.

Workaround:
None.

811033-1 : MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used

Component: Service Provider

Symptoms:
If a message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP), messages traveling from the destination to the source of the persistence entry are incorrectly delivered to the destination.

Conditions:
-- A message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP).
-- Messages are traveling from the destination to the source of the persistence entry.

Impact:
Messages are forwarded to an incorrect endpoint.

Workaround:
None.

810821-2 : Management interface flaps after rebooting the device

Component: Local Traffic Manager

Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.

Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.

This problem has been observed only on hardware platforms.

Impact:
Devices go active-active for a few seconds and then resume normal operation.

Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.

For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.

810613-1 : GUI Login History hides informative message about max number of lines exceeded

Component: TMOS

Symptoms:
When there are more than 10000 lines in /var/log/secure* files, visiting System :: Logins :: [History|Summary] in the GUI shows 'No Entries' instead of the actual error message about the large number of lines.

Conditions:
If there are more than 10000 lines in /var/log/secure* files.

Impact:
GUI displays 'No Entries' instead of the actual error message.

Workaround:
-- Via the CLI by specifying the number of lines:
tmsh show sys log security lines 15000 | less
-- Delete the large amount of secure files from /var/log/.

810593-1 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★

Solution Article: K10963690

Component: TMOS

Symptoms:
The vCMP guests go to 'INOPERATIVE' after upgrade.

Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5.

Impact:
The vCMP guests go to the 'INOPERATIVE' state and do not pass traffic.

Workaround:
There is no workaround. You must upgrade to a Fixed version, for example, 15.1.0.

810533-3 : SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile

Component: Local Traffic Manager

Symptoms:
When the client attempts to connect, even when sending the proper SNI extension, the BIG-IP system resets the connection after the client hello.

Conditions:
-- SNI Required set to true.
-- No Server Name configured in the client SSL profile.

Impact:
SSL connections with valid SNI are closed, and the client cannot connect. With generic alerts enabled, you will see 'SSL alert number 40'. This is because the system does not read the server names from the SAN extension within the certificate.

Workaround:
Specify a valid server name in the server name field of the client SSL profile.

810445-1 : PEM: ftp-data not classified or reported

Component: Local Traffic Manager

Symptoms:
When a virtual server is configured with an FTP profile, and also a PEM or classification profile, the traffic associated with the FTP data stream is not correctly classified or reported.

Conditions:
-- Virtual server is configured with an FTP profile.
-- There is also PEM or classification profile.

Impact:
Traffic associated with ftp-data (i.e., file transfers using FTP) may not be classified or reported.

Workaround:
None.

810381-3 : The SNMP max message size check is being incorrectly applied.

Component: TMOS

Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size then, it applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests time out if they are too long or if their responses are too long, for example, large get bulk requests.

Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.

Impact:
Responses time out.

Workaround:
Do not send SNMPv3 requests to the BIG-IP system.

810373 : Errors running 'config' command

Component: TMOS

Symptoms:
Running the 'config' command reports errors:

coapi_query failed at /usr/local/lib/perl5/F5/COAPI.pm line 215, <FH> line 3.

Conditions:
This might occur under either of the following conditions:

-- The BIG-IP Virtual Edition (VE) instance has low memory.
-- Running the command occurs before mcpd is in a running state.

Impact:
Failure to configure the management IP address.

Workaround:
Wait for the VE instance to start up and fully stabilize and have mcpd in the running state before running the config command.

809657-1 : HA Group score not computed correctly for an unmonitored pool when mcpd starts

Component: TMOS

Symptoms:
When mcpd starts up, unmonitored pools in an high availability (HA) group do not contribute to the HA group's score.

Conditions:
-- HA group configured with at least one pool.
-- At least one of the pools assigned to the HA group is not using monitoring.
-- mcpd is starting up (due to bigstart restart, or a reboot, etc.).

Impact:
Incorrect HA Group score.

Workaround:
Remove the unmonitored pools from the HA group and re-add them.

809597-4 : Memory leak in icrd_child observed during REST usage

Component: Local Traffic Manager

Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.

Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.

Impact:
The memory leak is very progressive. Eventually, the icrd_child process runs out of memory.

Workaround:
None.

809553-2 : ONAP Licensing - Cipher negotiation fails

Component: TMOS

Symptoms:
Cipher negotiation fails between the BIG-IP and a third-party license server.

Conditions:
This occurs when BIG-IP is deployed in a custom ONAP environment that uses a third-party license server.

Impact:
TLS negotiation fails.

Workaround:
Change the order of ciphers.
Enable only ECDHE ciphers.

809125-1 : CSRF false positive

Component: Application Security Manager

Symptoms:
A CSRF false-positive violation.

Conditions:
CSRF enforcing security policy.

This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.

Impact:
False-positive Blocking / Violation

Workaround:
If this happens change the csrf parameter and restart the asm daemon:

1. Change the csrf parameter name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>

2. Restart the asm daemon:
restart asm

808893-1 : DNS DoS profile vectors do not function correctly★

Component: Advanced Firewall Manager

Symptoms:
Clients report that DNS TXT queries are not working. In /var/log/ltm, you see the following error:

DOS attack start was detected for vector TXT query DOS.

Conditions:
This can occur when DNS profile DoS vectors are enabled. It can be encountered after upgrading.

Impact:
DNS DoS detection and mitigation is not functioning correctly.

Workaround:
None.

808889-1 : DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold

Component: Advanced Firewall Manager

Symptoms:
Incorrect hw_offload status for DoS vector or signature in tmctl dos_stat after the attack has stopped.

Conditions:
BIG-IP system with DoS-accelerated vectors support (SPVA support).

Impact:
DoS vector/signature stays hardware-accelerated.

Workaround:
After attack, change the state for DoS vector/signature to detect-only. Then return vector state to mitigate.

808801-3 : AVRD crash when configured to send data externally

Component: Application Visibility and Reporting

Symptoms:
AVRD can crash repeatedly when configured to send telemetry data externally.

Conditions:
-- AVR is configured to send telemetry data to an external source (like connection with BIG-IQ).
-- Large number of config objects in the system, such as virtual servers and pool members.

Impact:
AVRD process crashes, and telemetry data is not collected.

Workaround:
Split the configuration updates into smaller batches

808485-1 : Add 'virtual-server' argument to 'tmsh help sys connection' for version 14.x

Component: TMOS

Symptoms:
Virtual-server argument is not available in tmsh in versions prior to 14.x.

Conditions:
Running the command 'tmsh show sys connection'.

Impact:
Inability to filter for virtual server.

Workaround:
None.

808277-5 : Root's crontab file may become empty

Component: TMOS

Symptoms:
Under low-disk conditions for the /var/ filesystem, BIG-IP system processes may incorrectly update root's crontab file (/var/spool/cron/root). This results in the file contents being removed; i.e., the file is empty.

Conditions:
Low disk space on the /var filesystem.

Impact:
System and user entries in root's crontab file stop executing.

Workaround:
None.

808017-1 : When using a variable as the only parameter to the iRule persist command, the iRule validation fails

Component: Local Traffic Manager

Symptoms:
When using a variable as the only parameter to the iRule persist command, for example:

when HTTP_REQUEST {
set persistence none
persist $persistence
}

The iRule validation fails with the message:

Persistence mode (Cookie) called out in rule <rule name> requires a corresponding persistence profile for virtual server

Conditions:
Using a variable as the only parameter to the iRule persist command.

Impact:
Validation fails and hence the system config cannot be loaded.

Workaround:
The first parameter is one of pre-defined action keywords, so use plain text.

807945-1 : Loading UCS file for the first time not updating MCP DB

Component: TMOS

Symptoms:
MCP DB is not updated after loading a UCS file.

Conditions:
1. Save UCS with 'flow-control' default value 'tx-rx'.
2. Modify the value from 'rx-tx' to 'none'.
3. Save another UCS with modified value.
4. Load the UCS with default value, everything works fine here.
5. Load the UCS with the modified value.

Impact:
The 'flow-control' setting gets changed. The functionality does not work after the first UCS load as MCP DB is not getting updated.

Workaround:
Load the same UCS again.

The MCP DB gets updated properly.

807857-1 : TMM can leak memory under specific traffic and iRule configurations.

Component: Local Traffic Manager

Symptoms:
-- TMM leaks memory in the 'bigip_connection' component.
-- Depending on the specific iRule configuration, other components, such as 'tcl' and 'tclrule_pcb', may also leak.
-- A 'double flow removal Oops' message may be visible in the tmm and ltm log files.
-- 'TCL error' messages may be visible in the ltm log file.

Conditions:
This issue is known to occur only under rare circumstances in conjunction with specific traffic and iRule configurations.

Impact:
After a prolonged amount of time spent leaking memory, TMM may not be able to fulfill new memory allocations and crash. This results in a traffic interruption, a core file, and a failover on redundant units. Traffic disrupted while tmm restarts.

Workaround:
None.

807337-4 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.

Component: TMOS

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).

Impact:
Web UI shows misleading info about pool monitor.The monitor-related object may be unchanged; or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').

806985-2 : Installation issues when adding new blade v12.1.3 to VPR cluster v14.1.0.1 EHF★

Component: TMOS

Symptoms:
A newly inserted blade fails to upgrade on a Viprion system.

Conditions:
The issue is seen only on VIPRION chassis when the primary blade is running engineering hotfix (EHF) v14.1.0.1 EHF 0.17.7 and newly inserted blade is configured with v12.1.3.

Impact:
Unable to upgrade the new blade in VIPRION chassis.

Workaround:
Ensure the active volume on the primary blade contains a version other than an EHF, and the other volume is installed with the EHF, then insert the new blade in the chassis.

806881-1 : Loading the configuration may not set the virtual server enabled status correctly

Component: TMOS

Symptoms:
When loading the configuration, if the virtual address is disabled but the virtual server is enabled, the virtual server may still pass traffic.

Conditions:
-- Loading the configuration.
-- A virtual server's virtual address is disabled.

Impact:
Virtual servers unexpectedly process traffic.

Workaround:
Manually re-enable and disable the virtual address.

806825-2 : Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool

Component: Carrier-Grade NAT

Symptoms:
Configure translate-address disabled under Virtual with LTM pool configured.

In the NAT44 case, LTM pool is used as next-hop and packets are L2 forwarded to LTM pool members without destination address translated.

In NAT64 case, packets are dropped if there is no route available to reach the IPv4 destinations (derived from original IPv6 destination). Packets are not L2 forwarded to LTM pool members.

Conditions:
-- Virtual server with LTM pool configured.
-- CGNAT LSN pool configured.
-- Translate-address disabled.

Impact:
If there is no route available to reach the destination, NAT64 packets are dropped.

Workaround:
Configure default gateways/routes to reach the IPv4 destination in NAT64 case.

806073-2 : MySQL monitor fails to connect to MySQL Server v8.0

Component: TMOS

Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.

Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.

Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.

805817-3 : Distributed reports fail when management address is used for config sync in a device group

Component: Application Visibility and Reporting

Symptoms:
In system where a device group uses the management interface, reporting statistics for device group does not work. The following error appears in /var/log/avr/monpd.log:

REPORTER|ERROR|Nov 04 14:24:38.017|32640|../src/reporter/handlers/distributed/DistributedReportRunnerHandler.cpp:processCallStatusMessage:1921| Map reduce call failed. Can't collect report data from the cluster members..

Conditions:
-- Device group is used.
-- The configsync.allowmanagement DB variable is set to 'enable'.
-- Management IP address is used as the config sync address of the device group.

Impact:
AVR statistics report for device group does not work.

Workaround:
Use a self IP address for device groups instead of the management IP address.

805417-2 : Unable to enable LDAP system auth profile debug logging

Component: TMOS

Symptoms:
Beginning in version 14.1.0, LDAP debugging must be performed on nslcd logs and not pam_ldap logs; however, it is not possible to enable debug logging on nslcd via the configuration file.

Conditions:
This would be encountered only if you (or F5 Support) wanted to do troubleshooting of LDAP connections by enabling debug logging.

Impact:
LDAP system authentication 'debug' parameter does not provide sufficient levels of debug logs, but there is no functional impact to normal system operation.

Workaround:
To enable debug logging and have the system post log messages to the SSH/console window, start the nslcd process with -d option, which causes nslcd to run in the foreground until you press control-c to stop it:

   systemctl stop nslcd
   nslcd -d

Note: The -d setting does not persist, so each time you want to log debug output, you must complete this procedure.

You can increase the amount of debug output by specifying additional -d options (up to 3), e.g., '-ddd' or '-d -d -d'.

When done, stop nslcd with control-c, and then restart it with the default options via the normal systemctl daemon:

   systemctl start nslcd

805353-2 : ASM reporting for WebSocket frames has empty username field

Component: Application Security Manager

Symptoms:
When using ASM to inspect and report WebSocket frames, the username field is always reported as empty or absent.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- WebSocket profile attached to a virtual server.
-- ASM logging profile attached to a virtual server.
-- WebSocket traffic inspected by ASM and logged as event log message or remote logger message.

Impact:
Poor visibility of current logged-in user in the event log for WebSocket frames.

Workaround:
None.

805325-4 : tmsh help text contains a reference to bigpipe, which is no longer supported

Component: TMOS

Symptoms:
The 'sys httpd ssl-certkeyfile' tmsh help text contains a reference to bigpipe, which is no longer supported.

Conditions:
Viewing tmsh help for 'sys httpd ssl-certkeyfile'.

Impact:
Incorrect reference to bigpipe.

Workaround:
You can use the following command sequence to change the key:
modify httpd { ssl-certfile [string] ssl-certkeyfile [string] }

804477-5 : Log HSB registers when parts of the device becomes unresponsive

Component: TMOS

Symptoms:
Part of the HSB becomes unresponsive and there is no logging of additional registers to assist in diagnosing the failure.

Conditions:
It is unknown under what conditions the HSB becomes unresponsive.

Impact:
Limited visibility into the HSB state when it becomes unresponsive.

Workaround:
None.

804273-2 : TMM is unable to redirect RRDAG'd traffic

Component: TMOS

Symptoms:
TMM cannot redirect RRDAG traffic in vCMP guest. This can affect GTP traffic.

Conditions:
Send UDP traffic to vCMP guest using RRDAG cmp-hash.

Impact:
Traffic is pinned to tmm.0.

Workaround:
None.

803845 : When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown

Component: Local Traffic Manager

Symptoms:
Standby is passing traffic when a virtual wire is configured.

Conditions:
-- Virtual wire configured in high availability (HA).

Impact:
Standby device is forwarding traffic traffic when it should not, causing a loop and subsequent network shutdown.

Workaround:
None.

803833-5 : On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host★

Component: TMOS

Symptoms:
An upgrade or UCS restore fails on the host with an error message:

err mcpd[1001]: 01071769:3: Decryption of the field (sym_unit_key) for object (<guest name>) failed.

Conditions:
-- An upgrade or UCS restore of the vCMP host.
-- Having a vCMP guest's sym-unit-key field populated.
-- Having changed the host's master key.

Impact:
The upgrade or UCS restore fails with an MCPD error.

Workaround:
Comment out the sym-unit-key field and load the configuration.

803813-1 : TMM may experience high latency when processing WebSocket traffic

Component: Application Security Manager

Symptoms:
Under certain conditions, TMM may experience higher than usual latency when processing WebSocket traffic.

Conditions:
-- WebSocket traffic.
-- Very long connections or large amounts traffic.
-- Platforms with many CPUs.

Impact:
Increased latency in WebSocket traffic.

Workaround:
None.

803809-3 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.

Component: Service Provider

Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.

Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.

Impact:
Calls from one or more clients are unable to be completed.

Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.

803645-4 : GTMD daemon crashes

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process crashes in response to a call triggered by its own timer event.

Conditions:
The conditions under which this causes this intermittent issue are difficult to reproduce, but it might occur when the system is under heavy load when gtmd is starved of CPU cycles.

Impact:
The gtmd process restarts and produces a core file.

Workaround:
None.

803629-1 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct

Component: Local Traffic Manager

Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.

Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure

The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.

Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.

The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.

Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.

Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.

803457-1 : SNMP custom stats cannot access iStats

Component: TMOS

Symptoms:
While doing an snmpwalk, you encounter the following error:

-- tcl callback Default return string: istats: tmstat_open_read: open: /var/tmstat/istats: Permission denied.
-- istats: tmstat_read: open: /var/tmstat/istats: Permission denied.
-- ERROR opening iStats read segment '/var/tmstat/istats': Permission denied.

Conditions:
This occurs when using SNMP to access iStats.

Impact:
iStats cannot be accessed through SNMP and generates an error.

Workaround:
None.

803237-3 : PVA does not validate interface MTU when setting MSS

Component: TMOS

Symptoms:
An incorrect MSS value might be used when hardware (HW) syncookies are used, and the MTU is smaller than the MSS.

Conditions:
-- The BIG-IP system sends TCP segments, fragmented across multiple IP packets, that exceed the size of the local interface MTU.
-- This occurs when HW Syncookies are enabled.

Impact:
TCP segments larger than the local interface MTU sent towards the client. These TCP segments are transmitted as IP fragments.

Workaround:
Increase MTU size.

803233-2 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable

Component: Local Traffic Manager

Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):

1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:

-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.

2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:

-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.

Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.

Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.

Workaround:
None.

803157-2 : LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots

Component: TMOS

Symptoms:
In reboot case, the BIG-IP system buffers the shutdown sequence log messages and writes them to disk once the syslog service starts during the boot process. The boot_marker message is written before shutdown messages sync to disk. This leads to out-of-sequence log messages, making it difficult to determine when the service stop occurred.

Conditions:
Reboot the BIG-IP system.

Impact:
Log messages appear out of order. It is difficult to tell whether service stop happened as part of reboot, or any error during the subsequent boot process.

Workaround:
None.

803149-4 : Flow Inspector cannot filter on IP address with non-default route_domain

Component: Advanced Firewall Manager

Symptoms:
Flow Inspector cannot filter on IP address with non-default route_domain.

Conditions:
-- In Flow Inspector.
-- Attempting to filter results.
-- Some results use IP addresses with non-default route domains.

Impact:
Filter does not return results as expected.

Workaround:
None.

803109-1 : Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows

Component: Local Traffic Manager

Symptoms:
Source-port preserve-strict and OneConnect may result in zombie forwarding flows.

Conditions:
-- Source-port is set to preserve-strict.
-- OneConnect configured.

Impact:
Zombie forwarding flows. Over time, the the current allocation count grows and does not return to its prior level when traffic stops.

Workaround:
None.

802889-2 : Problems establishing HA connections on DAGv2 chassis platforms

Component: TMOS

Symptoms:
High availability (HA) mirroring does not work correctly on VIPRION B4400 blades.

Conditions:
- VIPRION B4400 chassis platform with multiple blades.
- HA mirroring is enabled.

Impact:
HA mirroring does not work

Workaround:
None.

802721-3 : Virtual Server iRule does not match an External Data Group key that's 128 characters long

Component: Local Traffic Manager

Symptoms:
Virtual server iRule does not match an External Data Group key that is 128 characters long.

Conditions:
-- A string type External Data Group with a key/value pair whose key is 128 characters long.

-- An iRule using [class match] to get the value from the Data Group.

Impact:
The call to [class match] returns an empty string ("").

Workaround:
None.

802449-2 : Valid GTP-C traffic may cause buffer overflow

Component: Protocol Inspection

Symptoms:
Valid GTP-C traffic may cause buffer overflow with incrementing sequence numbers.

Conditions:
Valid GTP traffic with incrementing sequence number will cause memory corruption/core when processed through IPS library.

Impact:
TMM Crash/core. Traffic disrupted while tmm restarts.

Workaround:
The only workaround is to disable protocol inspection or remove GTP service from all protocol-inspection profiles.

802421-5 : The /var partition may become 100% full requiring manual intervention to clear space

Component: Advanced Firewall Manager

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.

802281-2 : Gossip shows active even when devices are missing

Component: TMOS

Symptoms:
Gossip appears Active even when one or more devices go missing from device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.

Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.

Impact:
Gossip reports that it is working when it is not.

Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

802189-1 : iApps: Calling 'Package Require <PKG>' in a template with a manager role is not supported

Component: iApp Technology

Symptoms:
With the Manager role, when calling 'package require <PKG>' in an iApp template, following exception occurs:

Error parsing template:can't eval proc: "script::run" invalid command name "file" while executing "file join $dir $f".

Conditions:
Users can not use Manager Role when importing iApps that contain a 'package require' call.

Impact:
Cannot use Manager Role when importing iApps that contain a 'package require' call.

Workaround:
Use the Admin role to import new templates.

801705-5 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC

Component: Local Traffic Manager

Symptoms:
The 'HTTP::cookie attribute' irule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.

Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.

Impact:
There is no space preceding the attribute. RFC is violated.

Workaround:
When inserting a cookie attribute with iRule command, add a leading space to the name of attribute to be inserted.

801549-2 : Persist records do not expire properly if mirroring is configured incorrectly

Component: Local Traffic Manager

Symptoms:
-- TMM memory growth with improper high availability (HA) configuration.
-- New connections may be routed to the wrong pool member due to outdated persist records.

Conditions:
- The device mirror-ip is not configured properly, along with either of the following:
+ Persistence mirroring is configured.
+ Connection mirroring of a virtual server with a persistence profile.

Impact:
-- Connection limits due to memory tmm memory pressure or possible tmm out-of-memory failure.
-- New connections may be routed to the wrong pool member due to outdated persist records.

Workaround:
- Properly configure the cm device mirror-ip and/or mirror-secondary-ip. After doing this, the memory utilization should drop.

- Disable mirroring on the persistence profiles and/or virtual servers. After doing this, the memory utilization will not drop until tmm is restarted.

801541-1 : Persist records do not expire properly if HA peer is unavailable

Component: Local Traffic Manager

Symptoms:
-- TMM memory utilization growth due to persist records not expiring.
-- New connections may be routed to the wrong pool member due to outdated persist records.

Conditions:
The next-active device in the high availability (HA) configuration is down, and either of the following:
-- Persistence mirroring is configured.
-- Connection mirroring of a virtual server with a persistence profile is configured.

Impact:
-- Connection limits due to memory tmm memory pressure or possible tmm out-of-memory failure.
-- New connections may be routed to the wrong pool member due to outdated persist records.
-- If tmm out-of-memory failure occurs, traffic disrupted while tmm restarts.

Workaround:
Disable persistence and/or connection mirroring if the standby device will be down for an extended period of time.

801497 : Virtual wire with LACP pinning to one link in trunk.

Component: Local Traffic Manager

Symptoms:
A virtual-wire that uses interface trunks may use a single interface on egress.

Conditions:
Virtual-wire configured across multi-interface trunks.

Impact:
This may lead to unexpected link saturation.

Workaround:
None.

800265-3 : Undefined subroutine in bigip_add_appliance_helper message

Component: Global Traffic Manager (DNS)

Symptoms:
When using the -a switch with bigip_add (which instructs bigip_add to use bigip_add_appliance_helper), the script terminates with an error:
Undefined subroutine &gtm_env::get_unique_certs called at /usr/local/bin/bigip_add_appliance_helper line 113.

Conditions:
Use the bigip_add script with the -a switch in appliance mode.

Impact:
BIG-IP_add fails in appliance mode, reporting an error message.

Workaround:
None.

800209-2 : The tmsh recursive list command includes DDoS GUI-specific data info

Component: Advanced Firewall Manager

Symptoms:
DDoS GUI-specific data is included when running the command: tmsh recursive list. This irrelevant information might cause confusion.

Conditions:
This occurs when the AFM module is enabled

Impact:
Extra, irrelevant data is provided in output, which can cause confusion.

Workaround:
This always happens as long as AFM is enabled. You can deprovision the AFM module to disable this command.

799749-3 : Asm logrotate fails to rotate

Component: Application Security Manager

Symptoms:
ASM logrotate reports errors in /var/log/asm.:

error: error creating output file /ts/log//bd.log.1: File exists

Conditions:
Files ending with .1 exists in the logs directories.

Impact:
Logrotate does not work. May fill disk with logs over time.

Workaround:
Remove or rename all of the .1 logs.

799649-1 : TMM crash

Component: Local Traffic Manager

Symptoms:
TMM SIGSEGV crash due to memory corruption.

Conditions:
HTTP Security profile attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the HTTP Security profile.

799001-2 : Sflow agent does not handle disconnect from SNMPD manager correctly

Component: TMOS

Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.

Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.

Impact:
Snmpd service restarts repeatedly

Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent which results in successful re-connection with snmpd.

798885-3 : SNMP response times may be long due to processing burden of requests

Component: TMOS

Symptoms:
It is possible with large configurations to make SNMP requests that require a lot of processing to gather the statistics needed to respond to the request.

Conditions:
With large configurations, it is possible to overburden MCPD and SNMPD such that client queries time out.

Impact:
SNMP clients might think the BIG-IP system has become unresponsive.

Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.

797829-1 : The BIG-IP system may fail to deploy new or reconfigure existing iApps

Component: TMOS

Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:

script did not successfully complete: ('source-addr' unexpected argument while executing

The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.

The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.

Conditions:
This issue occurs when:

-- The BIG-IP system is configured with multiple users of varying roles.

-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.

-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.

Note: You can inspect the number of child processes already created by scriptd by running the following command:

pstree -a -p -l | grep scriptd | grep -v grep

However, it is not possible to determine their current 'security context'.

Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.

Workaround:
Restart scriptd. To restart scriptd, run:

bigstart restart scriptd

Running this command has no negative impact on the system.

The workaround is not permanent; the issue may occasionally recur depending on your system usage.

797221-2 : BCM daemon can be killed by watchdog timeout during blade-to-blade failover

Component: TMOS

Symptoms:
The BCM daemon deletes entries from tables during blade to blade failover. If tables are very large, the entry-by-entry deletion may take too long, such that the daemon is restarted by the watchdog timeout.

Conditions:
Very large L2 tables during blade-to-blade failover.

Impact:
There is a BCM core file on the primary blade after the failover.

Workaround:
None.

796993-5 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs

Component: Local Traffic Manager

Symptoms:
When a pool contains FQDN nodes as pool members, pool member state changes messages are not logged in /var/log/ltm.

Conditions:
-- Create a pool with fqdn node as it pool members
-- Apply monitor to it
-- Monitor marks the pool member up/down based on reachability

Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.

796985-2 : Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'★

Component: TMOS

Symptoms:
vCMP host or guest is upgraded, and the vCMP guest is 'Inoperative', with messages similar to the following in /var/log/ltm:

-- warning clusterd[1546]: 013a0005:4: Clusterd using /VERSION for SW specification.
-- info clusterd[1546]: 013a0023:6: Blade 1: No info received from slot: Starting up
-- err clusterd[1546]: 013a0004:3: result {
-- err clusterd[1546]: 013a0004:3: result.code 17237812
-- err clusterd[1546]: 013a0004:3: result.attribute float_mgmt2_ip
-- err clusterd[1546]: 013a0004:3: result.message 01070734:3: Configuration error: Cluster alt-address: 192.168.1.246 cannot be the same address family as cluster address: 192.168.1.246
-- err clusterd[1546]: 013a0004:3: }
-- err clusterd[1546]: 013a0004:3: Per-invocation log rate exceeded; throttling.
-- notice clusterd[1546]: 013a0006:5: Disconnecting from mcpd.
-- info clusterd[1546]: 013a0007:6: clusterd stopping...

Conditions:
-- Isolated vCMP guest.
-- Both 'Address' and 'Alt-Address' are assigned the same IPv4 address.
-- Upgrade occurs.

Impact:
Upon host/guest upgrade, vCMP guest is 'Inoperative'.

Workaround:
There are 3 workarounds:
-- Assign IPv4 management-ip for the guest PRIOR to upgrade:
tmsh modify vcmp <guest_name> management-ip <ip>/<mask>

-- Prior to upgrade, assign IPv6 'Alt-Address' within the guest:
tmsh modify sys cluster default alt-address <IP>/<mask>

-- When already upgraded and seeing the issue on a guest: execute:

> /shared/db/cluster.conf

The config loads, and /shared/db/cluster.conf is recreated:

cat /shared/db/cluster.conf
cluster default {
    alt_addr="192.168.1.246/24" ====>
    min_up_members="1"
    min_up_members_enable="disable"
    min_up_members_action="failover"
    addr 192.168.1.246/24 ====>
    members {
        1
        2
        3
        4
    }
    software HD1.1 "BIG-IP 14.1.0.3 0.0.6 0.0.6" true
    software HD1.2 " " false
    software HD1.3 " " false
}

796601-3 : Invalid parameter in errdefsd while processing hostname db_variable

Component: TMOS

Symptoms:
Errdefsd crashes, creates a core file, and restarts.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Possible loss of some logged messages.

Workaround:
None.

795965 : BIG-IP does not close connection after deception blocking response page is sent

Component: Application Security Manager

Symptoms:
Connection does not close after deception blocking page is sent.

Conditions:
Configure ASM deception iRule.

Impact:
Connections are left open until timeout occurs.

Workaround:
None.

795933-1 : A pool member's cur_sessions stat may incorrectly not decrease for certain configurations

Component: Local Traffic Manager

Symptoms:
Under certain conditions, a pool member's cur_sessions stat may increase, but not decrease when it should.

Conditions:
- The virtual server using the pool has an iRule attached that references global variables.
- The virtual server using the pool has an ASM security policy attached to it.
- Traffic flows to the pool member.

Impact:
Incorrect stats.

795685-1 : Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer

Component: TMOS

Symptoms:
If the BIG-IP system receives a BGP notification for OUT_OF_RESOURCES from its BGP peer, then displaying the peer information on the BIG-IP system causes bgpd to crash (running show ip bgp neighbor).

Conditions:
-- Receive a BGP notification for OUT_OF_RESOURCES from the BGP peer.
-- Run the 'show ip bgp neighbor' command to display the BGP peer information.

Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.

Workaround:
None.

795649-4 : Loading UCS from one iSeries model to another causes FPGA to fail to load

Component: TMOS

Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.

The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:

-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2

Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.

Impact:
FPGA fails to load; the BIG-IP system becomes unusable.

Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:

-- For the i2800:

# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i7800:

# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i11400-ds:

# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

2. Reboot the system

795501-4 : Possible SSL crash during config sync

Component: Local Traffic Manager

Symptoms:
During config sync, it's possible that cipher group processing will crash.

Conditions:
-- SSL is configured.
-- Config sync is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

795429-4 : Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks.

Component: TMOS

Symptoms:
An unrelated iControl REST transaction error message is returned when committing an iControl REST transaction that does not contain any tasks:

Error: Missing transaction ID for this call.

Conditions:
-- Committing an iControl REST transaction.
-- The task does not contain any tasks within 120 seconds of creating the transaction.

Impact:
Unrelated error message can be confusing and increase troubleshooting time.

Workaround:
None.

795025-1 : Ssl_outerrecordtls1_0 config option is not honored

Component: Local Traffic Manager

Symptoms:
Support for the Ssl_outerrecordtls1_0 config option was intentionally removed starting 14.1.0.1. The value TRUE is assumed irrespective of the actual configured value.

Conditions:
This occurs in normal operation.

Impact:
This option must be set to FALSE for the BIG-IP system to be able to communicate with a few non-compliant SSL servers. Communication with such servers fails otherwise.

Workaround:
None.

794505-4 : OSPFv3 IPv4 address family route-map filtering does not work

Component: Local Traffic Manager

Symptoms:
Filtering IPv4 routes using route-map does not work. All the IPv4 redistributed routes fail to redistribute if the route-map is attached to the OSPFv3 IPv4 address-family.

Conditions:
1. Configure two OSPF sessions, one for the IPv4 address-family and the other for the IPv6 address family.
2. Redistribute kernel routes.
3. Check routes are propagated.
4. Add a route map to allow any IPv4 kernel route matching IP address.

Impact:
All routes fail to propagate and show that the IPv6 OSPF database external is empty. All IPv4 routes are blocked to redistribute instead of the routes mentioned in the route-map/prefix-list.

Workaround:
None.

794417-3 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

Component: Local Traffic Manager

Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.

Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:

1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.

Impact:
The configuration will not load if saved.

Workaround:
Do not simultaneously disable 'Enforce TLS Requirements' in the HTTP/2 profile, and enable 'TLS Renegotiation' in the Client SSL profile on a single virtual server.

793669-2 : FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value

Component: Local Traffic Manager

Symptoms:
On a high availability (HA) paired device group configuration, where there are FQDN nodes as pool members in a pool, when the pool member is enabled or disabled on one device, and with config-sync, the other device does not fully update the peer. The template node gets updated with the new value, but the ephemeral pool member retains the old value.

Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (e.g., Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Tmsh login to any of the systems.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover

Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.

Workaround:
None.

793217-1 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation

Component: Advanced Firewall Manager

Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.

Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.

Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.

Workaround:
Configure the rate-limit to be 10% more than what is desired.

793149-4 : Adding the Strict-transport-Policy header to internal responses

Component: Application Security Manager

Symptoms:
Some applications requires the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.

Conditions:
- ASM is provisioned with CAPTCHA/CSI challenge enabled
or
- DoS is provisioned with CAPTCHA/CSI enabled
or
- Bot Defense is provisioned with CAPTCHA mitigation/Browser JS verification/Device ID collection is enabled.

Impact:
Responses arrives to the browser without the Strict-transport-Policy header.

Workaround:
Create an iRule to add the header to the response.

793017-2 : Files left behind by failed Attack Signature updates are not cleaned

Component: Application Security Manager

Symptoms:
If an Attack Signature update encounters an error during installation, files that are meant to be temporary are left behind on disk and a not subject to a periodic cleanup. This can eventually lead to disk space issues.

Conditions:
Attack Signature update encounters an error during installation.

Impact:
This can eventually lead to disk space issues.

Workaround:
Old sigfile.tmp.* directories under /var/ts/var/tmp can be safely removed.

793005-2 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.

Conditions:
There is a Diameter answer that does not match a pending request, the answer message is dropped, but BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it can underflow.

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.

Workaround:
None.

792569-1 : Security URL name created from swagger file starts with double '/'

Component: Application Security Manager

Symptoms:
Open API Security policy created from swagger file has URLs with double forward slash '/' at URL name when 'basePath' has the '/' character at the end of the value.

Conditions:
The 'basePath' entry value in a swagger file has a '/' character at the end.

Impact:
Security policy URL has wrong name.

Workaround:
None.

792341-1 : Google Analytics shows incorrect stats.

Component: Application Security Manager

Symptoms:
ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.

Conditions:
Scenario 1:
-- ASM provisioned.
-- ASM policy attached to a virtual server with challenge mitigation enabled (as part of brute force protection, for example).

Scenario 2:
-- Bot defense profile attached to a virtual server with challenge mitigation enabled.

Scenario 3:
-- DoS Application profile attached to a virtual server with challenge mitigation enabled.

Impact:
Incorrect data is displayed in the Google Analytics dashboard.

Workaround:
Have an iRule that injects google-analytics.js into the challenge white page at the HTTP_RESPONSE_SENT time event.

792285-1 : TMM crashes if the queuing message to all HSL pool members fails

Component: TMOS

Symptoms:
When a system uses a High Speed Logging (HSL) configuration with the HSL pool, TMM is crashing if the queuing message to all HSL pool members fails.

Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

792045-2 : Prevent WAM cache type change for small objects

Component: WebAccelerator

Symptoms:
Transfer stalls.

Conditions:
- AAM is provisioned.
- Small object cache is configured.
- Response is a few bytes less than the small object threshold.

Impact:
Transfer stalls.

Workaround:
None.

791365-1 : Bad encryption password error on UCS save

Component: TMOS

Symptoms:
When a user with the admin role attempts to save a UCS with a passphrase, the following error is encountered:

[resource-admin@inetgtm1dev:Active:Standalone] ucs # tmsh save sys ucs /var/local/ucs/test-ucs passphrase password
Saving active configuration...
Error: Bad encryption password. <=========
Operation aborted.
/var/tmp/configsync.spec: Error creating package

WARNING:There are error(s) during saving.
Not everything was saved.
Be very careful when using this saved file!

Error creating package
Error during config save.
Unexpected Error: UCS saving process failed.

Conditions:
1) Log into the BIG-IP system as a user with admin role that has Advanced Shell access.
2) Attempt to create a UCS with a passphrase.

Impact:
Unable to save UCS with a passphrase.

Workaround:
This affects users logged in with the Admin role; you will be able to create a UCS with a passphrase while logged in as either the root user or as a user with the resource-admin role.

791361-2 : Configured management port rules can be lost after loading UCS file and rebooting

Component: Advanced Firewall Manager

Symptoms:
Configured management port rules are missing after loading a UCS file that adds the management-ip to the failover network, and subsequently rebooting.

Conditions:
-- Load a UCS file that adds the management-ip to the failover network.
-- Reboot.

Impact:
Management port rules can be lost. This can prevent normal operation of high availability (HA) configurations.

Workaround:
There is no workaround at this time.

791337-2 : Traffic matching criteria fails when using shared port-list with virtual servers

Component: Local Traffic Manager

Symptoms:
The system reports an error:

01b90011:3: Virtual Server /Common/vs1's Traffic Matching Criteria /Common/vs1_tmc_obj illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs2 destination address, source address, service port.

Conditions:
-- Creating virtual servers with shared object port-list.
-- Using the same port in another virtual server with different protocol with overlapping sources and destination IP address.

Impact:
Config validation failure prevents configuration changes.

Workaround:
Use different IP addresses and ports.

791061-1 : Config load in /Common removes routing protocols from other partitions

Component: TMOS

Symptoms:
While loading the /Common partition, config routing protocols on other partition route-domains will be removed.

Conditions:
-- Configure route-domains on other partitions with routing-protocols.
-- Load the /Common partition config alone.

Impact:
Routing protocols config from other partitions are removed.

Workaround:
Reload the config with the command:
load sys config partitions all

790949-1 : MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.

Component: Service Provider

Symptoms:
Default values differ between tmsh and GUI documentation, and actual behavior. The special value 0 is documented to either disable the respective limit or apply a default value. Actual behavior for 0 is to silently apply internal default values of 32768 bytes and 256 messages, regardless of the protocol. These defaults might not match the profile default values for a given MRF protocol such as Diameter, SIP, or MQTT.

For some protocols such as Diameter, there is no validation of whether the maximum pending messages value falls within the acceptable range of 1-65535, and values outside that range are silently truncated to 16-bits and then 0 is treated according to the actual behavior described above.

Some documented and actual default values have changed across releases.

Conditions:
An MRF router profile is configured with the 'Maximum Pending Bytes' or 'Maximum Pending Messages' parameter set to a non-default value or 0.

Affected MRF router profiles are: 'diameter', 'sip', 'mqtt' and 'generic'.

Impact:
Depending on the protocol, the limits might not take effect as configured.

Incorrect documentation and/or lack of validation could lead to configuring an invalid value.

Workaround:
None.

790845-3 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default

Component: Local Traffic Manager

Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.

Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.

Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.

Impact:
An In-TMM monitor is falsely marked as down.

Workaround:
Use default settings for a CMP-hash.

790349-3 : merged crash with a core file

Component: Application Security Manager

Symptoms:
merged crash and restart.

Conditions:
A tmstat sync operation is occurring in the background.

Impact:
Statistical data is not available for system utilities/graphs while merged restarted. There is no other impact beside the appearance of the core file.

Workaround:
None.

790113-1 : Cannot remove all wide IPs from GTM distributed application via iControl REST

Component: Global Traffic Manager (DNS)

Symptoms:
The following tmsh command allows you to delete all wide IPs using an 'all' specifier:

modify gtm distributed-app da1 wideips delete { all }

There is no equivalent iControl REST operation to do this.

Conditions:
This can be encountered while trying to delete all wide IPs from a distributed application via iControl REST.

Impact:
iControl REST calls that should allow you to remove all wide IPs from a GTM distribution application return an error, leaving you unable to complete the task via iControl REST.

Workaround:
You can use one of the following workarounds:

-- Use the WebUI.

-- Use the tmsh utility, for example:
tmsh modify gtm distributed-app da1 wideips delete { all }

-- Invoke tmsh from within the bash iControl REST endpoint, for exmaple:
curl -u username:password -s -H 'Content-Type: application/json' -X POST -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh modify gtm distributed-app da1 wideips delete { all }'\"}" https://<IP>/mgmt/tm/util/bash

789857-2 : "TCP half open' reports drops made by LTM syn-cookies mitigation.

Component: Advanced Firewall Manager

Symptoms:
'TCP half open' reports drops in logs/tmctl/AVR even though it is configured in detect-only mode.

Conditions:
-- 'TCP half open' attack is being actively detected.
-- LTM syn-cookie mitigation is enabled.
-- This is triggered when LTM syn-cookies mitigation begins.

Impact:
It will appear that 'TCP half open' is doing mitigation, but it is actually LTM syn-cookies dropping the connections.

Workaround:
If LTM syn-cookies are not needed, disable the option:

modify ltm global-settings connection default-vs-syn-challenge-threshold infinite global-syn-challenge-threshold infinite

789421-3 : Resource-administrator cannot create GTM server object through GUI

Component: Global Traffic Manager (DNS)

Symptoms:
Users logged in with a role of resource-administrator are unable to create a GTM server object via GUI. The warning banner reports 'No Access'.

Conditions:
A user with a role of resource-administrator attempts to create a GTM server object.

Impact:
Unable to create GTM server object via the GUI.

Workaround:
Use tmsh or iControl/REST.

789181-4 : Link Status traps are not issued on VE based BIG-IP systems

Component: TMOS

Symptoms:
The Link Status traps, both F5 proprietary and standard LinkUp/LinkDown are issued on the BIG-IP hardware but not on BIG-IP Virtual Edition (VE) configurations.

Conditions:
This occurs when interfaces on hardware-based BIG-IP systems or VE-based BIG-IP configurations experience link status events (links go up or down, or are administratively enabled or disabled).

Impact:
Log messages are issued and SNMP traps are issued if an SNMP trap destination is configured.

On a VE-based BIG-IP system, these logs and traps do not occur.

An SNMP client waiting for a Link Status trap on an administrative enable or disable then, does not receive the trap.

Workaround:
None.

789085-4 : When executing the ACCESS::session iRule command under a serverside event, tmm may crash

Component: Access Policy Manager

Symptoms:
Executing the ACCESS::session iRule command inside a serverside event, e.g., SERVER_CONNECTED, may cause tmm to crash.

Conditions:
ACCESS::session iRule command invoked under a serverside event, for example:

when SERVER_CONNECTED {
log local0. "[ACCESS::session data get session.user.sessionid]"
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

788949-2 : MySQL Password Initialization Loses Already Written Password

Component: TMOS

Symptoms:
In some cases, the MySQL root password initialization is not complete. A re-attempt to restart MySQL fails.

Conditions:
-- MySQL startup script is interrupted.
-- Setting the root password fails.

Impact:
Processes may fail to connect to MySQL server.

Workaround:
None.

788813-2 : TMM crash when deleting virtual-wire config

Component: Local Traffic Manager

Symptoms:
Tmm crashes.

Conditions:
This can occur when deleting a virtual-wire config

Impact:
Traffic disrupted while tmm restarts.

788753-3 : GATEWAY_ICMP monitor marks node down with wrong error code

Component: Local Traffic Manager

Symptoms:
Pool state shows down when there is no route configured to node.

Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.

Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.

Workaround:
None.

788741-1 : TMM cores in the MQTT proxy under rare conditions

Component: Local Traffic Manager

Symptoms:
TMM may core in the MQTT proxy under unknown conditions.

Conditions:
-- MQTT proxy in use.
-- It is not known what other conditions are required to cause this issue.

Impact:
TMM cores. Failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.

788645-1 : BGP does not function on static interfaces with vlan names longer than 16 characters.

Component: TMOS

Symptoms:
If a VLAN, VLAN group, or tunnel has a name with more than 15 characters, BGP does not function properly on that interface.

Conditions:
-- BGP Dynamic routing in use.
-- Interface name greater than 15 characters.

Impact:
BGP Dynamic Routing is not working.

Workaround:
1. Rename the interface using 15 or fewer characters.
2. Remove Static Binding and Bind to all interfaces.

788465-1 : DNS cache idx synced across HA group could cause tmm crash

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache idx conflicts and tmm crash.

Conditions:
-- High availability (HA) configuration.
-- DNS cache is configured and synced to the peer twice
-- A second DNS cache is configured on the peer.

Impact:
The idx conflicts will be observed. If the second DNS cache is of another type and is added to a virtual server, accessing that virtual server might cause a tmm core. Traffic disrupted while tmm restarts.

Workaround:
On the BIG-IP system that has the DNS cache idx conflicts, restart tmm:
# bigstart restart tmm

787973-2 : Potential memory leak when software crypto request is canceled.

Component: Local Traffic Manager

Symptoms:
Memory may occasionally leak when a software crypto request is cancelled before it has completed.

Conditions:
There are a number of reasons why a software crypto request may be canceled.

Impact:
Memory may leak.

Workaround:
No workaround.

787853-1 : BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.

The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.

Conditions:
1. Create two virtual servers with multiple nodes. Set ICMP echo as all or selective/all.
2. Ping from client to virtual address.
3. Bring down nodes.
4. ping fails from client to virtual address as expected
5. Bring up nodes and make sure all virtual servers are online.
6. Start ping from client to virtual address.

Impact:
The BIG-IP system might respond incorrectly to ICMP echo requests sent to a virtual-address.

-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP system may not respond correctly after a virtual-address availability change.

-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.

The BIG-IP system might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.

Workaround:
Update virtual address ICMP setting to any or selective/any.

787845-2 : Tmsh command 'show running-config' fails when Protocol Inspection is not licensed.

Component: Protocol Inspection

Symptoms:
If the Protocol Inspection feature is not licensed then tmsh command 'show running-config' fails with 'Protocol Inspection feature not licensed.' message.

Conditions:
- AFM Protocol Inspection feature is not licensed.

Impact:
'tmsh show running-config' command returns an error: 'Protocol Inspection feature not licensed.'

Workaround:
None.

786981-4 : Pending GTP iRule operation maybe aborted when connection is expired

Component: Service Provider

Symptoms:
When there is a suspended iRule operation (such as the table or after command) in GTP iRule event, the operation may be intermittently aborted when the connection is expired.

Conditions:
This occurs when a connection times out while there is still a pending iRule operation. For example, in one use case, there is a table command in GTP_SIGNALLING_INGRESS event, and the immediate idle timeout is configured in the UDP profile.

Impact:
GTP iRule may not be completely executed.

Workaround:
For the specific use case when immediate idle timeout is used, change idle timeout to some positive value. Then use the iRule to expire the connection after the GTP iRule event is done, for example, by setting 'IP::idle_timeout 0' in SERVER_CONNECTED event.

786913-1 : Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7

Component: Application Security Manager

Symptoms:
Upgrade fails when upgrading from 13.0.x or under if the config includes an LTM Policy (CPM) which modifies a DoS Application Profile.

Conditions:
-- LTM Policy is configured to specify a DoSL7 profile name.
-- Upgrade is from version 13.0.x or earlier.

Impact:
Upgrade failure.

Workaround:
1. Manually edit the /config/bigip.conf file, and place all of the 'security dos profile' objects before any 'ltm policy' objects.
2. Load the config.

786517-4 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address

Component: Local Traffic Manager

Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.

- Running the command 'tmsh load /sys config' reports an error:
01070038:3: Monitor /Common/a-tcp address type requires a port.

Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.

Impact:
Monitors are sent to an incorrect IP address.

tmsh load /sys config will fail to load the configuration.

Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.

-- Fix the monitor definition using tmsh.

785877-3 : VLAN groups do not bridge non-link-local multicast traffic.

Component: Local Traffic Manager

Symptoms:
VLAN groups do not bridge non-link-local multicast traffic.

Conditions:
-- VLAN groups configured.
-- Using non-link-local multicast traffic.

Impact:
Non-link-local multicast traffic does not get forwarded.

Workaround:
None.

785701-2 : Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile

Component: Local Traffic Manager

Symptoms:
Changing parameters in a Web Acceleration profile does not change the behavior of virtual servers already using the profile.

Conditions:
This issue is encountered after changing the settings of a Web Acceleration profile already in use by one or more virtual servers.

Impact:
The changes are saved correctly and are visible in the Web UI and tmsh; however, virtual servers already using the profile are not affected by the changes. This may result in some confusion and in the BIG-IP Administrator being unable to apply their desired changes.

Workaround:
After modifying the profile, remove the profile from all virtual servers and then re-add it.

785017-2 : Secondary blades go offline after new primary is elected

Component: TMOS

Symptoms:
Secondary active blades go offline.

Conditions:
-- Cluster with three or more active blades.
-- Primary blade is rebooted.

For example, on a 4-bladed system, after slot 1 (primary blade) was rebooted and slot 2 (secondary blade) takes over as primary, slots 3 and 4 both go offline due to high availability (HA) table, with the logs showing reason as 'waiting for configuration load'.

Impact:
Cluster reduced to a single blade, which may impact performance.

Workaround:
None.

783849-1 : DNSSEC Key Generations are not imported to secondary FIPS card

Component: Global Traffic Manager (DNS)

Symptoms:
When new DNSSEC Key Generations are generated by FIPS card, the Generation is not imported to secondary FIPS card.

Conditions:
BIG-IP has a GTM sync group with FIPS cards in sync. New DNSSEC Key Generation is created.

Impact:
New DNSSEC Key Generation is not imported to secondary FIPS card, but the generation is synced within GTM sync group.

Workaround:
N/A

783617-2 : Virtual Server resets connections when all pool members are marked disabled

Component: Local Traffic Manager

Symptoms:
The BIG-IP system immediately responds with a RST against a SYN when all pool members are marked disabled by a monitor.

Conditions:
All the pool members are marked disabled by a monitor or administratively.

Impact:
Cannot use iRules to respond with an HTTP 503 error to incoming traffic.

Workaround:
None.

783293-2 : Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window

Component: TMOS

Symptoms:
If you try to enter any of these three characters: < > & (greater than, less than, ampersand) into GUI Preference page or TMSH sys global-settings configuration, they are displayed as escape chars in the GUI window correspondingly as: < > &.

Conditions:
Entering one of these three characters into GUI banner text settings: < > &.

Impact:
At GUI Logon page, the page displays with the following characters: < > & instead of the specified characters: < > &.

Workaround:
None.

783289-4 : PEM actions not applied in VE bigTCP.

Component: Policy Enforcement Manager

Symptoms:
If PEM virtual server is configured using bigTCP, the return traffic from the server may not return to the same TMM. PEM policies do not get applied.

Conditions:
-- BIG-IP Virtual Edition.
-- bigTCP is configured (FastL4 with PEM/GPA hudfilters).
-- Virtual server uses Source-NAT.

Impact:
PEM policies do not get applied.

Workaround:
To work around this, do the following:
-- Configure bigTCP virtual server not to use source-NAT.
-- Configure destination-IP for hashing in server-vlan (the external VLAN that has the virtual server).

783233-3 : OAuth puts quotation marks around claim values that are not string type

Component: Access Policy Manager

Symptoms:
When you define a claim to use with OAuth, and the claim-type setting is set to something other than String, the claim value is treated as a string anyway and encapsulated in quotation marks.

Conditions:
-- OAuth is configured.
-- The oauth claim value being used is not of type string (i.e. array, or boolean, or number)

Impact:
The claim value is encapsulated in quotation marks and processed as a string.

Workaround:
None.

783165-2 : Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile

Component: Application Security Manager

Symptoms:
When creating a whitelist in the Bot Defense profile with url "Any" - after modifying the Bot Defense log profile, the whitelist does not apply anymore.

Conditions:
-- Bot Defense profile is attached to the Virtual Server
-- Adding a whitelist to the Bot Defense profile with url "Any"
-- Modifying the Bot Defense profile afterwards.

Impact:
Whitelist does not apply - users from the defined IP/GEO location might be blocked.

Workaround:
Delete and add the whitelist after modifying the profile.

783145-5 : Pool gets disabled when one of its pool member with monitor session is disabled

Component: Local Traffic Manager

Symptoms:
A pool which has at least two pool members and one of its pool members associated with a monitor is disabled, the entire pool gets marked disabled-by-parent.

Conditions:
-- Monitor assigned to a single pool member.
-- That member is manually disabled.

Impact:
The pool status for the entire pool is marked disabled-by-parent.

Workaround:
None.

782613-6 : Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp

Component: TMOS

Symptoms:
If a security firewall policy is part of an iApp inside a folder created by that iApp, then when the iApp is deleted, any config sync peer will not delete the policy when it deletes the rest of the iApp.

Conditions:
-- iApp with folder and security firewall policy is deleted.
-- High availability (HA) config sync configuration.

Impact:
The security policy is gone on the system where the iApp was initially deleted, but the peer still has that object, and it can't be deleted because it's part of an iApp.

Workaround:
None.

782353-5 : SIP MRF via header shows TCP Transport when TLS is enabled

Component: Service Provider

Symptoms:
When an SSL Client Profile (TLS) is enabled on a SIP Message-Routing Virtual Server, the via header shows an incorrect transport protocol when SIP messages are sent out the client side of MRF. For example, the via header contains 'SIP/2.0/TCP' or 'SIP/2.0/UDP', when it should read 'SIP/2.0/TLS'.

Conditions:
Sending SIP messages from the client side of the SIP MRF when an SSL client profile is enabled on the SIP Message-Routing virtual server.

Impact:
The via header is not correct and violates the SIP RFC.

Workaround:
Create an iRule that replaces the incorrect via header with a correct one, for example:

when SIP_REQUEST_SEND {
    if { [clientside] } {
        SIP::header replace Via [string map [list "SIP/2.0/TCP " "SIP/2.0/TLS " "SIP/2.0/UDP " "SIP/2.0/TLS "] [SIP::header Via 0]] 0

    }
}

781985-3 : DNSSEC zone SEPS records may be wiped out from running configuration

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain circumstances, DNSSEC zone SEPS records may be wiped out from running configuration.

Conditions:
This occurs only with GTM configurations loaded by the command: tmsh load sys config gtm-only.

Impact:
SEPS records may be lost after a configuration reload.

Workaround:
None.

781849-1 : On-Demand Certificate Authentication agent for Per-Request Policy does not work with multiple Client SSL profiles that have the 'Default SSL Profile for SNI' option disabled and assigned to a single Virtual Server

Component: Local Traffic Manager

Symptoms:
After the client certificate has been provided, the browser waits for a response within a few minutes and then displays the error 'Page cannot be displayed'. At the same time you can watch the following informational messages in the /var/log/apm events log file:
info tmm[12245]: 01870000:6: /Common/app1.example.com:Common:dd1d4e4f: Executed agent (/Common/app1.example.com_On-Demand-CRLDP_ondemand_cert_auth_act_ondemand_cert_auth_ag) with return status (Need more data)

Conditions:
BIG-IP system is configured as Identity Aware Application Proxy for multiple application access, that may require On-Demand Client Certificate Authentication by using different Client SSL profiles.

The following is a sample scenario:

-- There are 3 web-application (app1.example.com, app2.example.com, app3.example.com) that are located behind the BIG-IP system configured as Identity Aware Application Proxy (by means of using Per-Request Access policy).
-- app1.example.com and app2.example.com are configured to require On-Demand Client Certificate Authentication as primary authentication method.
-- Each application requires a separate Client SSL profile with separate Client Authentication options specified.
-- Client SSL profile for app1.example.com application has 'Default for SNI' option enabled.

In this case, all authentication requests to app2.example.com fail, even if a trusted certificate is provided.

Impact:
On-Demand Certificate Authentication fail, even if a trusted client certificate is provided.

Workaround:
Use a single Client SSL profile with a single certificate, where the Subject Alternative Name extension lists fully qualified domain names of all applications, protected by Identity Aware Application Proxy.

781829-5 : GTM TCP monitor does not check the RECV string if server response string not ending with \n

Component: Global Traffic Manager (DNS)

Symptoms:
GTM TCP monitor marks resource down.

Conditions:
TCP server respond string not ending with '\n'.

Impact:
Available resources are marked down.

Workaround:
If the TCP server is sending a text response, reconfigure the server to make sure it terminates the output with '\n'.

If the TCP server can not be changed (for example if it produces binary output), it may be possible to create an external gtm monitor instead.

781753-2 : WebSocket traffic is transmitted with unknown opcodes

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not preserve WebSocket frames. Frame headers and payload may be reordered such that a header for a second frame may be sent out in the middle of a first frame's payload. Frame boundaries get skewed and payload gets interpreted as headers.

Conditions:
A request logging profile is configured on a WebSocket virtual server.

Impact:
WebSocket frames are not preserved such that traffic appears to be garbage.

-- If request logging is enabled, client frames may not be preserved.
-- If response logging is enabled, server frames may not be preserved.

Workaround:
Remove the request logging profile.

781733-1 : SNMPv3 user name configuration allows illegal names to be entered

Component: TMOS

Symptoms:
The validation of SNMPv3 user names is not strict, and allows users of both the GUI and TMSH to enter badly formed user names. When the SNMP daemon reads these user names from the snmpd.conf file, validation rejects the names.

Conditions:
Poorly formed SNMPv3 user names can be entered into configuration, for example, names with embedded spaces.

Impact:
The user names are not accepted by the SNMP daemon when it reads the configuration from the snmpd.conf file.

Workaround:
Use alphanumeric characters for SNMPv3 user names, and do not include embedded spaces in the names.

781725-1 : BIG-IP systems might not complete a short ICAP request with a body beyond the preview

Component: Service Provider

Symptoms:
An ICAP request (REQMOD or RESPMOD) body goes out to the ICAP server as far as a preview. If the server responds 100-continue, only a single chunk of the remaining payload might be sent to the server. Eventually the connection times out.

Conditions:
-- An ICAP profile is configured with a preview.
-- The HTTP request or response to be modified has a body that is more than one chunk longer than the preview length, yet short enough to be completely buffered in BIG-IP system before the preview is sent to the ICAP server.
-- The ICAP server responds with 100-continue.

Impact:
Only the first chunk of payload is sent after the preview, and eventually the connection times out.

Workaround:
None.

781425-1 : Firewall rule list configuration causes config load failure

Component: Advanced Firewall Manager

Symptoms:
'tmsh load sys config' has a syntax error.

The syntax error is reported on 'security firewall rule-list rule' configuration.

Conditions:
This occurs only if any of the rule-list rule ip-protocol contains one of the following protocols:

-- BBN-RCC-MON
-- NVP-II
-- DCN-MEAS
-- OSPFIGP
-- CRUDP

Impact:
The system fails to load the configuration.

781041-2 : SIP monitor in non default route domain is not working.

Component: Local Traffic Manager

Symptoms:
SIP pool members in non-default route domain are being marked as unavailable even though they are available.

Conditions:
SIP pool members in non default route domain.

Impact:
SIP service unavailable.

781021-1 : ASM modifies cookie header causing it to be non-compliant with RFC6265

Component: Application Security Manager

Symptoms:
When ASM strips the cookie header from the ASM cookies, it leaves the cookie header in a way that is not compliant with RFC6265 on two aspects:
-- No space after the semicolon
-- A cookie with no value is sent without the equals sign

Conditions:
-- ASM Security Policy is used.
-- Request includes an ASM cookie.

Impact:
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.

Workaround:
Disable the cookie stripping by modifying the DB variable as follows:
tmsh modify sys db asm.strip_asm_cookies value false

780437-1 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.

Component: TMOS

Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.

As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.

The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.

Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.

Symptoms for this issue include:

-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.

-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.

-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):

qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img

qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img

-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:

info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]

Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.

-- Large configuration with many guests.

-- The VIPRION chassis is rebooted.

-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Impact:
-- Loss of entire configuration on previously working vCMP guests.

-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.

-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.

Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.

If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.

779793-1 : [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor

Component: Global Traffic Manager (DNS)

Symptoms:
Using BIG-IP Link Controller (LC), every 10 seconds, the system logs messages similar to the following example:
-- err mcpd[5570]: 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec.
-- err mcpd[5570]: 01071488:3: Remote transaction for device group /Common/gtm to commit id 1 6681134264373087063 /Common/ELC002.kbn.mlit.go.jp 0 failed with error 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec..

Conditions:
-- A bigip_link monitor with destination * written in bigip_gtm.conf.
-- That monitor is associated with a link.
-- The following command is run on one of the sync group peers:
tmsh load /sys config gtm-only.

Impact:
LC system failing to load configuration.

Workaround:
Run this command on the LC system that is logging the error message:
tmsh load /sys config gtm-only

779769-1 : [LC] [GUI] destination cannot be modified for bigip-link monitors

Component: Global Traffic Manager (DNS)

Symptoms:
The 'destination' for BIG-IP Link Controller (LC) bigip_link monitor cannot be modified through GUI.

Conditions:
Using the LC bigip_link monitor in the GUI.

Impact:
Cannot change 'destination' for LC bigip_link monitor through GUI.

Workaround:
Use tmsh.

779137-1 : Using a source address list for a virtual server does not preserve the destination address prefix

Component: Local Traffic Manager

Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.

Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).

Impact:
Traffic does not flow to the virtual server as expected.

Workaround:
None.

778841-1 : Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother

Component: Local Traffic Manager

Symptoms:
Traffic is not passing in virtual wire when virtual server type is configured as standard, protocol set to "All Protocols" and the IP profile is ipother.

Conditions:
-- Virtual wire is configured
-- Virtual server type is standard
-- IP profile is ipother

Impact:
Virtual wire traffic matching the virtual server is dropped.

778517-3 : Large number of in-TMM monitors results in delayed processing

Solution Article: K91052217

Component: Local Traffic Manager

Symptoms:
A monitor may continue to probe for a while after it has been removed from pool / member / node. Duplicate monitor instances may get created after associating a monitor to a server.

Conditions:
Device has a large number of in-TMM monitors.

Impact:
-- Monitor target may appear down when responding correctly.
-- Monitor may continue to run after removed from pool / member / node.
-- Increased monitoring load on server.

Workaround:
Disable in-tmm monitors:
tmsh modify sys db bigd.tmm value disable

778513-2 : APM intermittently drops log messages for per-request policies

Component: TMOS

Symptoms:
APM may intermittently drop log messages, leading to missing information on policy execution or other events.

Conditions:
Using APM per-request policies, or ACCESS::log iRule commands.

Impact:
Administrator may fail to report certain logging events, hindering troubleshooting or auditing efforts.

Workaround:
No workaround is possible. When reviewing APM logs, keep in mind that during periods of high activity (greater than 100 log messages in 1-to-2 seconds) that the system may drop some log messages.

778501 : LB_FAILED does not fire on failure of HTTP/2 server connection establishment

Component: Local Traffic Manager

Symptoms:
When the server connection fails to be established due to server being down or actively rejecting the connection, LB_FAILED should fire and allow a new destination to be selected via iRule.

Conditions:
- iRule with LB_FAILED event
- server connection establishment fails

Impact:
Selection of a new destination via LB_FAILED is not possible, thus the client connection will be aborted.

Workaround:
No workaround available.

778365-3 : dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service

Component: Global Traffic Manager (DNS)

Symptoms:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS. If there is DNS service running on the LDNS, RTT metrics should be collected successfully as expected. However if there is no DNS service on the LDNS, there should not be any RTT metrics collected. But BIG-IP still populates the RTT values giving users a "false positive" results.

Conditions:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS and there is no DNS service running on the LDNS.

Impact:
RTT metrics are collected even though no response from the DNS service is present giving users wrong impression that there is.

778317-2 : IKEv2 HA after Standby restart has race condition with config startup

Component: TMOS

Symptoms:
A restarted standby system can end up with missing SAs, if the high availability (HA) process that mirrors the SAs from persistent storage runs before the configuration of IPsec has completed.

Conditions:
The loss of mirrored SAs requires this sequence of events:
-- A system becomes standby after failover; then is restarted.
-- During restart, HA manages to run before IPsec configuration.
-- SAs unsupported by current config are lost despite mirroring.
-- After another failover, the newly active system is missing SAs.

Impact:
A tunnel outage can occur (until SAs are renegotiated) after failover, if the newly active system lost some mirrored SAs when it was restarted while still acting as the standby system.

The impact cannot be observed until standby becomes active, when the missing SAs require a new key negotiation.

Workaround:
None.

778225-2 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host

Component: Protocol Inspection

Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guest don't install f5_api_com key and certificates.

Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).

Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.

Workaround:
Install the hitless upgrade IM package manually.

778041-2 : tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)

Component: TMOS

Symptoms:
When tcpdump is invoked with the epva option on a non-epva platform (BIG-IP Virtual Edition, for example), it fails with an unclear message

errbuf:DPT Provider fatal error. Provider:ePVA Provider. No valid arguments.

Conditions:
-- Using a non-epva platform such as VE.
-- Calling the epva option:
+ Directly:
tcpdump -i 0.0 --f5 epva
+ Indirectly using 'all' (which includes epva):
tcpdump -i 0.0 --f5 all

Impact:
Unclear message does not give clear indication what the issue is, or how to get tcpdump to run with the 'all' option on non-epva platforms

Workaround:
Do not use the explicit epva option on non-epva platforms (it does not work anyway, as there is no epva debug information on those platforms).

Instead of 'all', explicitly specify other, non-epva providers on such platforms, for example, specifying 'noise' and 'ssl' providers:
tcpdump -i 0.0 --f5 n,ssl

777993-1 : Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same

Component: TMOS

Symptoms:
Egress TCP/UDP traffic with same L4 source port and destination port to an external trunk is pinned to one link only.

Conditions:
This happens on BIG-IP hardware platforms with broadcom switch chip, so BIG-IP 2000/4000 and i2000/i4000 series are not impacted.

Impact:
Performance degradation as only a portion of the trunk bandwidth is utilized.

Workaround:
None.

777389-2 : In a corner case, for PostgreSQL monitor MCP process restarts

Component: TMOS

Symptoms:
MCP expects a monitoring response from SQL server and starts polling for data continuously, resulting in infinite loop.

Conditions:
In one of the corner cases of SQL monitoring, MCP expects to read monitoring data from the PostgreSQL server, but there is no data available to read.

Impact:
MCPD goes into an infinite loop and skips the heartbeat report, resulting in its restart. While MCPD is restarting, the system is offline and does not process traffic. After restart, system operation returns to normal.

Workaround:
None.

776489-1 : Remote authentication attempts to resolve only LDAP host against the first three name servers configured.

Component: TMOS

Symptoms:
'Login failed' is displayed on the BIG-IP system's login screen.

Conditions:
-- Remote authentication is enabled.
-- There are more than three name servers configured.

Impact:
Admins may not be able to log into the BIG-IP GUI with their admin user account if the first 3 configured DNS name servers are not reachable.

Workaround:
None.

776393-1 : Memory leak in restjavad causing restjavad to restart frequently with OOM

Component: TMOS

Symptoms:
Restjavad frequently (approximately every 5 minutes) restarting due to OutOfMemory:Java heap space with no extra memory.

Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.

Impact:
REST API intermittently unavailable.

Workaround:
Give restjavad extra memory. This is two-step process.

1. Update memory allocated to the control plane using TMUI. System :: Resource Provisioning. The line for Management has a drop-down box for Small, Medium, or Large. The resulting sizes for restjavad is 192, 352, and 592, respectively. Set this to Large.

2. Run the following two commands, in sequence:
tmsh modify sys db restjavad.useextramb value true
bigstart restart restjavad

776229-1 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero

Component: Local Traffic Manager

Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:

err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"

Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.

Impact:
The iRule rejects traffic when the pool member's port number is 0.

Workaround:
Configure any iRule using the 'pool' command to go to apool member using a non-0 port in the CLIENT_ACCEPTED event.

775897-2 : High Availability failover restarts tmipsecd when tmm connections are closed

Component: TMOS

Symptoms:
All security associations (SAs) can be deleted when tmipsecd restarts as a result of closing tmm connections during failover from active to standby.

Conditions:
When failover happens for high availability (HA), tmipsecd aims to close tmm connections when on standby, because tmm must connect instead to the daemon running in the active system. But a side effect of this restarts tmipsecd, resulting in deletion of all SAs when tmipsecd came back up.

Impact:
tmipsecd restarts. All IPsec tunnels experience an interruption of service until new SAs are negotiated.

Workaround:
None.

775801-1 : [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener

Component: Global Traffic Manager (DNS)

Symptoms:
'Route Advertisement' is not enabled even if you check the checkbox.

Conditions:
Creating GTM listener using the GUI.

Impact:
'Route Advertisement' is not enabled.

Workaround:
After the listener is created, modify the listener in the GUI and check the checkbox for 'Route Advertisement', and save.

775733-3 : /etc/qkview_obfuscate.conf not synced across blades

Component: TMOS

Symptoms:
By default, sensitive data, such as SSL keys, are excluded from QKView files. However, in some cases you may want to include sensitive information in the QKView file, so it must be obfuscated it for security purposes. (Note: For information on how to configure this feature, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.)

In high availability (HA) configurations, the /etc/qkview_obfuscate.conf file is not copied to secondary blades on chassis platforms during sync operations.

Conditions:
-- Run qkview.
-- Upload qkview file to iHealth.

Impact:
Potentially sensitive information could be uploaded to iHealth or F5 Support. This occurs because qkview acts differently if there is an obfuscate.conf on the active by automatically gathering the same information on the blades, but not obfuscating that sensitive data.

Workaround:
Manually copy /etc/qkview_obfuscate.conf to all blades.

Note: Do not upload sensitive data to iHealth or F5 Support. If you are obfuscating data, make sure to complete this step for every blade.

774617-2 : SNMP daemon reports integer truncation error for values greater than 32 bits

Component: TMOS

Symptoms:
Some values sent to SNMP can grow too large over time, causing an integer truncation error.

Conditions:
Values greater than 32 bits sent to SNMP.

Impact:
SNMP values are truncated. An error message is logged in var/log/daemon.log:

err snmpd[20680]: truncating integer value > 32 bits

Workaround:
No current workaround.

774481-1 : DNS Virtual Server creation problem with Dependency List

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use the GUI to create virtual servers with dependent virtual server.

Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.

Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.

Workaround:
You can use either of the following workarounds:

-- Use tmsh;
-- Create the virtual server through GUI without dependent virtual server first and then edit the virtual server to add dependency.

774361-4 : IPsec High Availability sync during multiple failover via RFC6311 messages

Component: TMOS

Symptoms:
After multiple failover events, BIG-IP can fail to coordinate with a remote peer via RFC6311 protocol messages, whose content can present the wrong message IDs, which are also marshalled in host byte order instead of network byte order.

Conditions:
When active and standby systems failover multiple times, and a newly active system must sync IDs with the newly standby system before exchanging messages with a remote peer to synchronize expected ID sequences.

Impact:
IPsec tunnels experience a temporary outage until new security associations are negotiated.

Workaround:
No workaround is known at this time.

774261-2 : PVA client-side current connections stat does not decrease properly

Component: Local Traffic Manager

Symptoms:
When FTP is used with bigproto, the PVA client-side current connections stat does not decrease after connections are closed.

Conditions:
-- Use an FTP virtual server.
-- End user clients connect to the virtual server.

Impact:
An incorrect stat for client-side current connections will be reported for 'tmsh show sys pva-traffic global' and 'tmctl pva_stat'.

Example:

config # tmsh show sys pva-traffic global

-------------------------------------------------
Sys::PVA
-------------------------------------------------
PVA Traffic ClientSide ServerSide
  Bits In 23.6K 219.7K
  Bits Out 219.7K 23.6K
  Packets In 40 335
  Packets Out 335 40
  Current Connections 295 0 <-----
  Maximum Connections 296 8
  Total Connections 335 40

Miscellaneous
  Cur PVA Assist Conns 0
  Tot PVA Assist Conns 335
  HW Syncookies Generated 0
  HW Syncookies Detected 0

config # tmsh show sys conn all-properties

Really display 1000 connections? (y/n) y
Sys::Connections
Total records returned: 0 <--------- No connections; this is the correct state.

Workaround:
This issue does not occur when 'inherit parent profile' is enabled on the FTP profile used by the virtual server.

774257-3 : tmsh show gtm pool and tmsh show gtm wideip print duplicate object types

Component: Global Traffic Manager (DNS)

Symptoms:
Tmsh show gtm pool and show gtm wideip commands with field-fmt will display the object type twice in the output. For example:

tmsh> show gtm pool a field-fmt
gtm pool pool emptypool:A

tmsh> show gtm wideip a field-fmt
gtm wideip wideip testwip.f5.com:A

Conditions:
This occurs when running the following tmsh commands:

tmsh show gtm pool <poolname> field-fmt
tmsh show gtm wideip <wideipname> field-fmt

Impact:
The output type is printed twice

Workaround:
None.

773577-1 : SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted

Component: TMOS

Symptoms:
On an SNMPv3 configuration, when a security-name and a username are the same but have different passwords, traps are not properly crafted.

Conditions:
security-name is the same as an SNMPv3 username.

Impact:
SNMP traps cannot be decoded

Workaround:
Delete or rename user.

773333-1 : IPsec CLI help missing encryption algorithm descriptions

Component: TMOS

Symptoms:
Encryption algorithms against IPsec help are not listed in the CLI.

Conditions:
LTM licensed on the BIG-IP.

Impact:
Unable to view the help.

Workaround:
None. The actual command line help should be:

(/Common)(tmos)# create net ipsec ike-peer test version add { v2 } phase1-encrypt-algorithm ?

Specifies the encryption algorithm used for the isakmp phase 1 negotiation. This directive must be defined. Possible value is one of following:
3des, aes128, aes192, aes256, blowfish, camellia, cast128, des

Note: The values blowfish, cast128, and camellia are v1 only.

773309-1 : API Profile: Real swagger can not be loaded with "transaction failed:incomplete command" error message

Component: Access Policy Manager

Symptoms:
When uploading a valid swagger file (OpenAPI version 2.0) to create an API Protection profile, the operation fails with an error message:
info: [AccessDeployConfigWorker] Error in submitting transaction: Error: transaction failed:incomplete command.

Conditions:
The swagger file contains quotation marks that are not escaped, e.g., the swagger file has description fields similar to the following examples.

JSON:
"description": "this quote \" will error"

YAML:
description: 'this quote " will error'

Impact:
The operation produces the error. This prevents the API Protection profile from being created using the swagger file, which is very inconvenient. This error also affects the AGC API Protection use case.

Workaround:
You can manually add the escape characters to the swagger file so that this error does not occur. Using the examples for JSON and YAML, this is how to fix them:

JSON:
"description": "this quote \\\" won't error"

YAML:
description: 'this quote \" won't error'

773253-4 : The BIG-IP may send VLAN failsafe probes from a disabled blade

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core

Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- the VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.

Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.

Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.

Impact of workaround: Traffic disrupted while tmm restarts.

773229-1 : Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances

Component: Local Traffic Manager

Symptoms:
If a virtual server starts with a FastL4 profile with an idle_timeout of zero, and this profile is then replaced with one that has a non-zero idle_timeout, it can cause traffic to fail with a 'No flow found for ACK' error in the RST packet (if DB variable tm.rstcause.pkt is enabled) or logged (if DB variable tm.rstcause.log is enabled).

Conditions:
-- There is a virtual server configured with a FastL4 profile with an idle-timeout setting of zero ('immediate').
-- The FastL4 profile is replaced with one that has a non-zero idle-timeout setting.

Impact:
Traffic no longer passes through the virtual server properly.

Workaround:
To avoid this issue, if you need to change the FastL4 profile in this manner, delete and recreate the entire virtual server rather than replace the profile.

Impact of workaround: This results in a traffic disruption for that virtual server.

If the issue has already occurred, the only way to recover is to restart TMM

Impact of workaround: This also results in a traffic disruption, this time a general one.

772497-6 : When BIG-IP is configured to use a proxy server, updatecheck fails

Component: TMOS

Symptoms:
Executing Update Check fails when run on a BIG-IP system that is behind a proxy server.

Conditions:
-- A proxy server is configured on the BIG-IP system using proxy.host db variable (and associated port, protocol, etc.).
-- You run Update Check.

Impact:
The Update Check fails to connect because the script resolves the IP address prior to sending the request to the proxy server.

Workaround:
You can use either of the following workarounds:

I
=======
Modify the /usr/bin/updatecheck script to not resolve the service ip for callhome.f5.com. To do so, remove the script text 'PeerAddr => $service_ip,' from lines 336,337:

1. Locate the following section in the script:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
SSL_hostname => $service_name,

2. Update the script to remove the content 'PeerAddr => $service_ip,', so that it looks like the following example:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( SSL_hostname => $service_name,

II
=======
As an alternative, use a sed command, as follows:
1. Remount /usr as rw.
2. Run the following command:
# sed -e "s/PeerAddr => $service_ip,//" -i /usr/bin/updatecheck

772297-1 : LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade

Component: Local Traffic Manager

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
LLDP-related options under 'tmsh net interface' for that secondary blade are reset to default.

Workaround:
Run 'tmsh load sys config' on the primary blade, and the LLDP-settings will reapply to the interfaces.

772117-5 : Overwriting FIPS keys from the HA peer with older config leads to abandoned key on FIPS card

Component: TMOS

Symptoms:
A key being overwritten is not removed from the FIPS card, so it becomes an abandoned key in the FIPS card, which cannot be used and properly tracked by the BIG-IP system.

An abandoned key appears similar to the following:

[root@big8:Active:Standalone] config # tmsh show sys crypto fips
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (1)
ID MOD.LEN(bits)
d3d8ecc5a489c64b8dfd731945d59950 2048 <==== properly tracked and configured key in BIG-IP
/Common/fffff.key

e35e900af8b269d2f10b20c47e517fd1 2048 <==== no name, abandoned

Conditions:
The issue is seen when all the following conditions are met:
1. High availability (HA) setup formed by multiple BIG-IP systems with FIPS cards.
2. An Administrator of one of the BIG-IP systems deletes its FIPS key, and creates another FIPS key using the same name.
3. HA sync occurs from another BIG-IP system (with the older config) back to the first BIG-IP system (i.e., the operation overwrites the newly created FIPS key with the old FIPS key).

Impact:
It leads to orphan keys on the FIPS card, meaning that the keys are not present in the BIG-IP configuration as a configured key, so the key cannot be used by the BIG-IP system.

Workaround:
Manually delete the abandoned key from the FIPS card using the following command.

tmsh delete sys crypto fips key <key-id>

For example, for the abandoned key specified earlier, use the following command:
tmsh delete sys crypto fips key "e35e900af8b269d2f10b20c47e517fd1"

771961-2 : While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core

Component: Access Policy Manager

Symptoms:
If the device is active at the time and is passing traffic, if the SSL Orchestrator configuration is deleted, tmm can core.

Conditions:
SSL Orchestrator device is active and passing traffic while being deleted.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

771905-3 : JWT token rejected due to unknown JOSE header parameters

Component: Access Policy Manager

Symptoms:
JWT token rejected and OAuth Scope Agent fails.

Conditions:
When JWT access token contains unregistered JSON Object Signing and Encryption (JOSE) header parameters (e.g., nonce).

Impact:
Unregistered JOSE header parameters causes JWT access token to be rejected. OAuth Scope Agent fails.

Workaround:
None.

770477-1 : SSL aborted when client_hello includes both renegotiation info extension and SCSV

Component: Local Traffic Manager

Symptoms:
Client SSL reports an error and terminates handshake.

Conditions:
Initial client_hello message includes both signaling mechanism for secure renegotiation: empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

Impact:
Unable to connect with SSL.

Workaround:
None.

769581-2 : Timeout when sending many large requests iControl Rest requests

Component: TMOS

Symptoms:
After sending hundreds of REST requests, REST requests eventually begins to time out. This is the case for applications such as an AS3, with requests with 700 services.

Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the the BIG-IP system.

2. Deploy config with AS3:
curl -X POST \
  https://<$IP_address>/mgmt/shared/appsvcs/declare \
  -H 'Content-Type: application/json' \
  -d //This should be the data from an AS3 body

3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
  https://<$IP_address>/mgmt/shared/appsvcs/task \
  -H 'Content-Type: application/json'

4. Delete configuration:
curl -X DELETE \
  https://<$IP_address>/mgmt/shared/appsvcs/declare

It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:

-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'

Impact:
Saving new configuration data does not work. Any new transaction tasks fail.

Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.

769385-2 : GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message

Component: Global Traffic Manager (DNS)

Symptoms:
GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message:

err mcpd[7649]: error: crypto codec New token is smaller with added values.

Conditions:
Two or more GTM devices with internal FIPS modules are configured with DNSSEC keys with 'use-fips internal' set, and GTM config sync between the devices is configured and enabled.

Impact:
DNSSEC keys are not imported into the FIPS cards of devices that receive the key via a synchronization from another device.

Workaround:
None.

769341-2 : HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs

Component: TMOS

Symptoms:
High availability (HA) failover from active to next-active device should delete existing IKEv1 SAs because the IKEv1 racoon daemon terminates on standby. But it should not also delete the IKEv2 SAs at the same time, and it does.

Conditions:
This occurs during failover.

Impact:
The deletes IKEv2 SAs mirrored for HA. In the event of rapid failover and failback, this issue might result in missing SAs on the active device.

Workaround:
None.

769145-1 : Syncookie threshold warning is logged when the threshold is disabled

Component: TMOS

Symptoms:
Setting connection.syncookies.threshold to zero disables the threshold, but the system still reports log messages similar to:

warning tmm3[18189]: 01010055:4: Syncookie embryonic connection counter 38 exceeded sys threshold 0

Conditions:
Setting connection.syncookies.threshold to zero.

Impact:
Warnings that do not provide valid information. If the threshold value is a non-zero value, it does indicate an issue. However, this message is benign when the end of the message reads 'exceeded sys threshold 0'.

Workaround:
None.

769029-4 : Non-admin users fail to create tmp dir under /var/system/tmp/tmsh

Component: TMOS

Symptoms:
The cron.daily/tmpwatch script deletes the /var/system/tmp/tmsh directory. After some time, the tmsh directory is created again as part of another cron job.

During the interval, if a non-admin accesses tmsh, tmsh creates the /tmp/tmsh directory with that user's permissions, which creates issues for subsequently non-admin user logons.

Conditions:
Try to access the tmsh from non-admin users when /var/system/tmp/tmsh is deleted.

Impact:
The first non-admin user can access tmsh. Other, subsequent non-admin users receive the following error:

01420006:3: Can't create temp directory, /var/system/tmp/tmsh/SKrmSB, errno 13] Permission denied.

After some time this /var/system/tmp/tmsh permission is updated automatically.

Workaround:
So that the script does not remove tmsh directory, but deletes 1-day old tmp files under /var/system/tmp/tmsh, update the last line of /etc/cron.daily/tmpwatch as follows:

tmpwatch --nodirs 1d /var/system/tmp

767737-1 : Timing issues during startup may make an HA peer stay in the inoperative state

Component: TMOS

Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.

Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.

Impact:
An HA peer does not become ACTIVE when it should.

Workaround:
None.

767613-1 : Restjavad can keep partially downloaded files open indefinitely

Component: Device Management

Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client does not complete the download. Since these files remain opened, the total number of available file handles for the process decreases and the disk space for the files cannot be recovered. Symptoms may include errors like 'Too many open files', low disk space even after deleting the associated files, and items listed with '(deleted)' in lsof output.

Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.

Impact:
Various errors ('Too many open files.'), low disk space, items listed with '(deleted)' when listed using lsof.

Workaround:
To free the file handles, restart restjavad:
tmsh restart sys service restjavad

Files that were deleted now have their space reclaimed.

767341-2 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.

Component: TMOS

Symptoms:
Repeated TMM service crash SIGBUS with memory copy operation at the top of stack trace.

Conditions:
TMM loads filestore file and size of this file is smaller than the size reported by mcp or if this ifile store is not present at all.

This condition is possible due to
- filesystem errors/corruption or
- BIG-IP user intervention.

Filesystem error might be due to power loss, full disk or other reasons.

Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.

Workaround:
Manual copy of the "good" ifile store and forceload on the previously bad unit. Usually trivial, but error prone.

Another workaround is clean install, if possible/acceptable

767305-1 : If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried

Component: TMOS

Symptoms:
Upon querying a sysTmmStat* SNMP OID (for example, sysTmmStatTmUsageRatio5s), you find your SNMP client returns an error message similar to the following example:

No Such Instance currently exists at this OID

The very next time you query that same SNMP OID (or any other sysTmmStat* SNMP OID), you find they all work as expected and return the correct result.

Conditions:
This issue occurs after restarting only the mcpd daemon, i.e., running bigstart restart mcpd.

Impact:
All sysTmmStat* SNMP OIDs do not work until one of them is queried at least once, and the query is allowed to fail. After that, all sysTmmStat* SNMP OIDs work as expected.

Workaround:
Restart all services together, i.e., running the command: bigstart restart.

Should the mcpd daemon happen to be restarted on its own, you can simply ignore the error message and allow your SNMP polling station to fail a single polling cycle.

If you want to ensure that this issue does not occur, for example, so that your SNMP polling station does not generate unnecessary alarms, do not restart the mcpd daemon on its own, but rather restart all services together by running the following command:

bigstart restart

767217-1 : Under certain conditions when deleting an iRule, an incorrect dependency error is seen

Component: Local Traffic Manager

Symptoms:
If an iRule is being referenced by another iRule, and the reference is then removed, attempts to delete the formerly referenced iRule will result in an error similar to the following:

01070265:3: The rule (/Common/irule1) cannot be deleted because it is in use by a rule (/Common/irule2).

Conditions:
-- An iRule referencing another iRule.
-- The referencing iRule is in use.

Impact:
Unable to delete the iRule.

Workaround:
Save and re-load the configuration.

767057-1 : In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server

Component: Application Security Manager

Symptoms:
An ASM policy is suddenly detached from a virtual server and deactivated.

Conditions:
-- sync-only device group.
-- ASM sync enabled.
-- A policy is used on device ASM-A (attached to virtual server/device group).
-- The same policy is not used on device ASM-B (not attached to virtual server/device group).

Impact:
Inactive policy is synced to the peer, resulting in ASM being unassigned from the Virtual Server.

Workaround:
To prevent Policy Sweeper from deactivating any ASM policy, create a non-functioning device group and attach the unused ASM policies to that device group.

767045-3 : TMM cores while applying policy

Component: Anomaly Detection Services

Symptoms:
TMM core and possible cores of other daemons.

Conditions:
The exact conditions are unknown.

Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

767013-2 : Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch

Component: TMOS

Symptoms:
In a rare scenario, the HSB sends a large amount and continuous pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.

Conditions:
This happens when there is heavy traffic load on VIPRION B2150 and B2250 blades. The root cause of that is still under investigation. It happens extreme rarely.

Impact:
Reboot the BIG-IP system.

Workaround:
None.

766761-1 : Ant-server does not log requests that are excluded from scanning

Component: Access Policy Manager

Symptoms:
Based on Request/Response Analytics agent 'Exclude Types' settings, the requests that are excluded from scanning should log a message that states, 'Response content is in excluded content list'.

Conditions:
Response or Request Analytics agent in the Per-Request Policy.

Impact:
These particular logs are not available.

Workaround:
None.

766593-2 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20

Component: Local Traffic Manager

Symptoms:
RESOLVE::lookup returns empty string.

Conditions:
Input bytes array is at length of 4, 16, or 20.

For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]

Impact:
RESOLVE::lookup returns empty string.

Workaround:
Use lindex 0 to get the first element of the array.

For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]

766405-1 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device

Component: Service Provider

Symptoms:
The next active device may crash with a core when attempting to create media flows.

Conditions:
The names for the LSN pool and router profile are longer than expected.

Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts; If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.

Workaround:
None.

766017-3 : [APM][LocalDB] Local user database instance name length check inconsistencies

Component: Access Policy Manager

Symptoms:
Tmsh accepts long localdb instance names, but ldbutil will later refuse to work with names longer than 64 characters.

The GUI will limit the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.

Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.

Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.

Workaround:
Delete instance from tmsh and re-create it with a shorter name.

763093-4 : LRO packets are not taken into account for ifc_stats (VLAN stats)

Component: Local Traffic Manager

Symptoms:
The ifc_stats do not correctly reflect the number of incoming octets/packets. There is a discrepancy between octets/packets in/out in the ifc_stats table, which tracks per-VLAN stats.

Conditions:
LRO is enabled and used for incoming packets.

Impact:
ifc_stats are incorrect for incoming octets and packets.

Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable

After modifying that variable, you must restart tmm for it to take effect (traffic disrupted while tmm restarts):
bigstart restart tmm

762385-2 : Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later★

Component: TMOS

Symptoms:
When multiple attributes in a list match multiple roles, the wrong role may be assigned. Alternatively, authentication may fail when check-roles-group is disabled.

Conditions:
LDAP server replies with a list of attributes (e.g., list of memberOf) where more than one match existing role.

Impact:
BIG-IP assigns the user to the last attribute in the list that matches a role, potentially yielding a more restrictive set of permissions.

Authentication may fail when check-roles-group is disabled.

Workaround:
None.

762097-2 : No swap memory available after upgrading to v14.1.0 and above★

Component: TMOS

Symptoms:
After an upgrade to v14.1.0 or higher, swap memory may not be mounted. TMM or other host processes may restart due to lack of memory.

Conditions:
-- System is upgraded to v14.1.0 or above.

-- System has RAID storage.

Impact:
May lead to low or out-of-memory condition. The Linux oom killer may terminate processes, possibly affecting service.

Typically management activities may be impacted, for example, a sluggish GUI (config utility) or tmsh sessions.

Workaround:
Mount the swap volume with correct ID representing the swap device.

Perform the following steps on the system after booting into the affected software version:

1. Get the correct ID (RAID device number (/dev/md<number>)):
blkid | grep swap

Note: If there is no RAID device number, perform the procedure detailed in the following section.

2. Check the device or UUID representing swap in /etc/fstab.

3. If swap is not represented with the correct ID, modify the /etc/fstab swap entry to point to the correct device.

4. Enable the swap:
swapon -a

5. Check swap volume size:
swapon -s

If the blkid command shows there is no UUID associated with the swap RAID device, use the following procedure:

1. Generate a random UUID:
uuidgen

2. Make sure swap is turned off:
swapoff -a

3. Recreate the swap partition with UUID generated in step 1:
mkswap -U <uuid_from_step_1> <raid_device_from_step_1>

4. Run blkid again to make sure that you now have a UUID associated with the raid device:
blkid | grep swap

5. edit fstab and find the line
<old_value> swap swap defaults 0 0

6. Replace the old value, whether it was an incorrect UUID or a device name, with the UUID generated in step 1, for example:
UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0

761753-1 : BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs

Component: TMOS

Symptoms:
When UDP checksum is 0 (zero), a BIG-IP device with an x520 NIC causes the packets to be marked as 'checksum failed'.

Conditions:
-- Using BIG-IP Virtual Edition (VE).
-- VE is using x520 VF.

Impact:
UDP Packets with 0 checksum are dropped.

Workaround:
None.

761621-1 : Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"

Component: TMOS

Symptoms:
When Ephemeral FQDL pool members exist in non-Common partition, they are shown to be in the /Common partition on the Local Traffic : Pools : Members page. In the statistics view of the same object, they are shown appropriately with their non-Common partition.

Conditions:
-- Ephemeral FQDL pool members exist in a non-Common partition.
-- View the FQDL pool members on Local Traffic : Pools : Members page.

Impact:
No impact to configuration, however, the display is confusing and shows contradictory partition information.

Workaround:
None.

761517-2 : nat64 and ltm pool conflict

Component: Carrier-Grade NAT

Symptoms:
When a pool is assigned to a virtual server with nat64, the destination address is changed to the one of the pool, regardless if address translation is enabled or not.

Conditions:
vs with nat64 and pool configured.

Impact:
nat64 does not happen, even if the translate-address option is set to disable.

Workaround:
none

761389-2 : Disabled Virtual Server Dropping the Virtual Wire traffic

Component: Local Traffic Manager

Symptoms:
When a virtual server is disabled, it drops the traffic on the virtual wire.

Conditions:
Virtual wire is configured and corresponding virtual server is disabled.

Impact:
Virtual wire traffic which is matching the disabled virtual wire is dropped.

761345-4 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode

Component: Advanced Firewall Manager

Symptoms:
When manual config-sync mode is enabled for a HA setup, additional config-sync may be required after firewall blob compilation.

Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.

Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.

Workaround:
Enable auto config-sync instead of manual config-sync.

761321-1 : 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not

Component: TMOS

Symptoms:
'Connection Rate Limit' setting is hidden when it is appropriate to do so. However, the 'Connection Rate Limit Mode' setting is still visible, even when 'Connection Rate Limit' is hidden.

Conditions:
1. Create a Virtual Server with type Standard.
2. Click Configuration 'Advanced'.
3. Enter values for 'Connection Rate Limit" and "Connection Rate Limit Mode'.
4. Save the configuration.
5. Change the virtual server type to Forwarding (Layer 2).

Impact:
'Connection Rate Limit' is hidden -- which it should be, but 'Connection Rate Limit Mode' is not -- which it should be as well. Although 'Connection Rate Limit Mode' is available, the system ignores any setting specified.

Workaround:
Do not configure 'Connection Rate Limit Mode', as it has no effect.

760835-3 : Static generation of rolling DNSSEC keys may be missing when the key generator is changed

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP system may lose DNSSEC keys if the key generator is changed from rolling keys to static keys

Conditions:
DNSSEC key generation is changed from rolling to static.

Impact:
DNSSEC keys may be lost.

Workaround:
None.

760833-3 : BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner.

Conditions:
Generating a DNSSEC key.

Note: This is an intermittent issue.

Impact:
DNSSEC keys may not be synced.

Workaround:
None.

760740-2 : Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running

Component: Protocol Inspection

Symptoms:
When saving the configuration to a UCS file, the process tries save the IPS learning information stored in the MySQL database.

MySQL runs only when particular modules are provisioned. If MySQL was previously running as a result of different provisioning, but is not currently running, saving the configuration to a UCS file succeeds, but the system reports a spurious message during the operation:

Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock.

Conditions:
-- Saving the configuration to a UCS file.
-- BIG-IP system provisioning only includes modules that do not require MySQL. These modules may include:
   + LTM
   + FPS
   + GTM (DNS)
   + LC
   + SWG
   + iLX
   + SSLo

-- BIG-IP system was previously provisioned with a module that starts MySQL, which results in the creation of the file /var/db/mysqlpw. These modules may include:
   + APM
   + ASM
   + AVR
   + PEM
   + AFM
   + vCMP

Impact:
The error message is cosmetic and has no impact on the UCS save process.

Workaround:
None.

760615-1 : Virtual Server discovery may not work after a GTM device is removed from the sync group

Component: Global Traffic Manager (DNS)

Symptoms:
LTM configuration does not auto-discover GTM-configured virtual servers.

Conditions:
-- GTM is deprovisioned on one or more GTM sync group members, or the sync group is reconfigured on one or more members.

-- Those devices remain present in the GTM configuration as 'gtm server' objects.

-- iQuery is connected to those members.

Impact:
Virtual servers are not discovered or added automatically.

Workaround:
You can use either of the following workarounds:

-- Manually add the desired GTM server virtual servers.

-- Delete the 'gtm server' objects that represent the devices that are no longer part of the GTM sync group. These can then be recreated if the devices are operating as LTM-configured devices.

760590-4 : TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server

Component: Local Traffic Manager

Symptoms:
TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server

Conditions:
- TCP Verified-Accept
- proxy-mss enabled
- route-metrics cache entry

Impact:
Route-metrics cache entry does not get used.

760406-2 : HA connection might stall on Active device when the SSL session cache becomes out-of-sync

Component: Local Traffic Manager

Symptoms:
You see 'SSL handshake timeout' error messages in LTM log, and high availability (HA) system performance becomes degraded.

Conditions:
This might occur in either of the following scenarios:

Scenario 1
-- Manual sync operations are performed during while traffic is being passed.
-- SSL Connection mirroring is enabled.

Scenario 2
-- Saving configuration on an HA Standby node during while traffic is being passed.
-- SSL Connection mirroring is enabled.

Impact:
-- In Scenario 1, the sync operations causes the session cache to be out-of-sync between active and standby nodes.

-- In Scenario 2, the save operation clears the session cache on the standby node. As a result, the session cache might be out-of-sync between active and standby nodes.

In either Scenario:
-- SSL Connection mirroring fails and posts the timeout message.

-- The HA system performance becomes degraded due to SSL connection timeout.

Workaround:
-- Disable SSL session caching by setting 'Cache Size' in the client SSL profile option to 0.

-- Set device management sync type to Automatic with incremental sync.

760050-1 : cwnd warning message in log

Component: Local Traffic Manager

Symptoms:
The following benign message appears in the log: cwnd too low.

Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.

Impact:
None. TCP resets the congestion window to 1 MSS.

Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.

759993-1 : 'License verification failed' errors occur when changing license

Component: TMOS

Symptoms:
The /var/log/ltm contains license processing errors upon license validation failure whenever a significant license event happens (such as a license change). However the system 'corrects' itself if a valid license exists, so no further log messages will be produced.

Conditions:
Whenever a significant license event happens, the internal state wipes the previous license representation, which causes some modules to report the license has failed verification.

Impact:
When a license change occurs, the system logs messages similar to the following:

-- err mcpd[11745]: 01180010:3: [license processing][error]: license verification failed.
-- err mcpd[11745]: 01180010:3: [license processing][error]: invalid input for license parsing.

If you have a valid license, there is no functional impact to the product, and you can safely ignore these messages.

Workaround:
None.

759606-1 : REST error message is logged every five minutes on vCMP Guest

Component: TMOS

Symptoms:
Guestagentd periodically logs the following REST error message for each secondary slot in /var/log/ltm:

Rest request failed{"code":502."message":"This is a non-primary slot on the Viprion. Please access this device through the cluster address.","restOperationId":6410038,"kind":":resterrorresponse"}

Conditions:
Upgrade a vCMP guest from pre-13.1.x to a 13.1.x or later version.

Impact:
There is stale stat information for vCMP guests running on secondary slots.

Workaround:
Create a Log Filter with no publisher on the vCMP guest to discard the specific error message:

sys log-config filter Filter_RestError {
    level info
    message-id 01810007
    source guestagentd
}

759590-5 : Creation of RADIUS authentication fails with service types other than 'authenticate only'

Component: TMOS

Symptoms:
RADIUS authentication can only have an initial service type of 'authenticate only'.

Conditions:
This is encountered when configuring RADIUS authentication via the GUI.

Impact:
If you change the Service Type to anything except Authenticate Only (default), Authentication creation fails, and the following error appears in /var/log/webui.log:

01020066:3: The requested RADIUS Authentication Configuration (/Common/system-auth) already exists in partition Common.

Workaround:
After configuring RADIUS authentication with 'authenticate only' as the service type, go back and change the service type to the desired option.

759564-3 : GUI not available after upgrade

Component: TMOS

Symptoms:
After installing over the top of a previous version, the Management GUI is inaccessible while SSH access works. You may see one or more of the following conditions

    Shell prompt may show logger[1234]: Re-starting named
    bigstart restart httpd fails
    bigstart start httpd fails

Conditions:
Installation over a previously used Boot Volume

Impact:
Corrupt install

Workaround:
Boot back to previous boot volume and then delete the boot volume containing the failed install.

759370-3 : FIX protocol messages parsed incorrectly when fragmented between the body and the trailer.

Component: Service Provider

Symptoms:
FIX message has successfully parsed header part (iRule event FIX_HEADER triggered), but is eventually discarded as incomplete (no iRule event FIX_MESSAGE).

Conditions:
FIX message fragmented between body part and the trailer (tag 10).

Impact:
FIX protocol messages are not forwarded.

Workaround:
Assure FIX protocol packet size does not exceed MTU value.

759258-1 : Instances shows incorrect pools if the same members are used in other pools

Component: TMOS

Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.

Conditions:
Steps to Reproduce:

1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.

Impact:
The test pool is displayed, as well any other pools that use the same member or members (but with other monitors assigned).

Workaround:
None.

759172-2 : Read Access Denied: user (gu, guest) type (Certificate Order Manager)

Component: TMOS

Symptoms:
GUI guest user is supposed to see Key properties (which includes cert order manager association details) and Certificate Order Manager object itself, but reports an error:
-- General database error retrieving information.
-- err mcpd[6586]: 01070823:3: Read Access Denied: user (gu) type (Certificate Order Manager)

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Guest user attempts to view Key properties (including cert order manager association details) and Certificate Order Manager object information.

Impact:
Certificate Manager role does not allow users to create certificates. They can upload and delete certificates, but when trying to create one, the GUI stays blank and the logs show a Read Access Denied error.

Workaround:
None.

758929-1 : Bcm56xxd MIIM bus access failure after TMM crash

Component: TMOS

Symptoms:
Bcm56xxd daemon running on certain BIG-IP devices might experience MIIM bus access failure after a tmm crash. The system posts a message similar to the following in the ltm log:

info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)

Conditions:
-- Heavily stressed system
-- Using one of the following platforms:
  + VIPRION B2250 Blade (A112)
  + VIPRION B2150 Blade (A113)
  + VIPRION B4300 Blade (A108)
  + BIG-IP 5250v
  + BIG-IP i5820
  + BIG-IP i7800

Impact:
The affected BIG-IP system fails to pass traffic. If configured for high availability (HA), failover occurs.

Workaround:
Reboot the affected BIG-IP platform / VIPRION blade.

758655-3 : TMC does not allow inline addresses with non-zero Route-domain.

Component: Local Traffic Manager

Symptoms:
When trying to create a traffic-matching-criteria with inline addresses with non-zero Route-domain, receive an error:

TMC(/Common/tmc333) and addresses within the address list have different route domain.

Conditions:
Attempting to creating a traffic-matching-criteria with inline address (source or destination) and non-zero route-domain, e.g.:

create ltm traffic-matching-criteria tmc333 destination-address-inline 111.111.111.194 source-address-inline 0.0.0.0 route-domain 100

Impact:
Cannot create the traffic-matching-criteria.

Workaround:
None.

758491-2 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys

Component: Local Traffic Manager

Symptoms:
For Thales:
The ltm/log shows SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):

-- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607
-- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
-- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
-- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.

After enabling pkcs11d debug, the pkcs11d.debug log shows:

-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===

For Safenet:
-- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80)
-- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443
-- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error.

Conditions:
1. Keys were created on earlier versions of BIG-IP software, no matter if using tmsh (Safenet) or using fipskey.nethsm (Thales, Safenet) and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0.

Impact:
SSL handshake failures.

Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.

IMPORTANT: This workaround is suitable for deployments that are new and not in production.

-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm

You can find the key_label here:
-- The rightmost string in the output of the Thales command:
nfkminfo -l

-- The string after label= in the 'cmu list' command for Safenet.

758041-2 : Pool Members may not be updated accurately when multiple identical database monitors configured

Component: Local Traffic Manager

Symptoms:
When two or more database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different pools (with at least one pool member in each), the monitor status of some pool members may not be updated accurately.

Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while pool members using another affected monitor may be marked DOWN.

As a result of this issue, pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected pool members being intermittently marked with an incorrect state.

After the next monitor ping interval, affected pool members members may be marked with the correct state.

Conditions:
This may occur when multiple database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv none
    send "select version();"
...
}

Impact:
Monitored pool members using a database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.

Workaround:
To avoid this issue, configure each database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv 5.7
    send "select version();"
...
}

757722-3 : Unknown notify message types unsupported in IKEv2

Component: TMOS

Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.

Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.

Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.

Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.

757279-2 : LDAP authenticated Firewall Manager role cannot edit firewall policies

Component: Advanced Firewall Manager

Symptoms:
The system posts the following message when the LDAP authenticated Firewall Manager role creates/modifies a firewall policy with rules or upgrading existing firewall policy:
User does not have modify access to object (fw_uuid_config).

Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.

Impact:
Firewall modification operations fail with access to object (fw_uuid_config) error.

Workaround:
None.

757167-2 : TMM logs 'MSIX is not supported' error on vCMP guests

Component: TMOS

Symptoms:
On vCMP guests, logs of 'MSIX is not supported' messages apppear in /var/log/tmm.

Conditions:
This occurs only on vCMP guests.

Impact:
MSIX is not supported on vCMP guests, but system operation and traffic passing are not impacted otherwise.

Workaround:
None.

757029-1 : Ephemeral pool members may not be created after config load or reboot

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:

-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.

As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configure FQDN name.

756998-2 : DoSL7 Record Traffic feature is not recording traffic

Component: Application Security Manager

Symptoms:
Enabling 'Record Traffic During Attacks' in the DoS Application Profile does not record traffic during attacks: TCP Dump files are not being created in the /shared/dosl7/tcpdumps/ directory as expected.

Conditions:
-- Enabling 'Record Traffic During Attacks' in the DoS Application Profile.
-- DoSL7 Attacks are detected.

Impact:
Attack traffic is not being recorded as expected.

Workaround:
None.

756402-3 : Re-transmitted IPsec packets can have garbled contents

Component: TMOS

Symptoms:
Before re-transmitting a packet, it is discovered to be garbled, mainly in the form of having physical length that no longer matches the logical length recorded inside the packet.

Conditions:
Possibly rare condition that might cause packet freeing while still in use.

Impact:
Likely tunnel outage until re-established.

Workaround:
No workaround is known at this time.

756313-1 : SSL monitor continues to mark pool member down after restoring services

Component: Local Traffic Manager

Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.

Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.

Impact:
Services are not automatically restored by the health monitor.

Workaround:
To restore the state of the member, remove it, and add it back to the pool.

756139-2 : Inconsistent logging of hostname files when hostname contains periods

Component: TMOS

Symptoms:
Some logs write the hostname with periods (eg, say for FQDN. For example, /var/log/user.log and /var/log/messages files log just the hostname portion:

-- user.log:Aug 5 17:05:01 bigip1 ).
-- messages:Aug 5 16:57:32 bigip1 notice syslog-ng[2502]: Configuration reload request received, reloading configuration.

Whereas other log files write the full name:

-- daemon.log:Aug 5 16:58:34 bigip1.example.com info systemd[1]: Reloaded System Logger Daemon.
-- maillog:Aug 5 16:55:01 bigip1.example.com err sSMTP[12924]: Unable to connect to "localhost" port 25.
-- secure:Aug 5 17:02:54 bigip1.example.com info sshd(pam_audit)[2147]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.14.13.20 attempts=1 start="Mon Aug 5 17:02:30 2019" end="Mon Aug 5 17:02:54 2019".
-- ltm:Aug 5 17:02:42 bigip1.example.com warning tmsh[2200]: 01420013:4: Per-invocation log rate exceeded; throttling.

Conditions:
BIG-IP hostname contains periods or an FQDN:

[root@bigip1:Active:Standalone] log # tmsh list sys global-settings hostname
sys global-settings {
hostname bigip1.example.com
}

Impact:
Hostname is logged inconsistently. Some logs write the full hostname (FQDN), while other log files write only the hostname portion. This can make searching on hostname more complicated.

Workaround:
None.

755791-1 : UDP monitor not behaving properly on different ICMP reject codes.

Component: Local Traffic Manager

Symptoms:
Unexpected or improper pool/node member status.

Conditions:
The BIG-IP system receives the ICMP rejection code as icmp-net/host-unreachable.

Impact:
The monitor might consider a server available when some type of ICMP rejection has been received that is not port unreachable.

Workaround:
You can use either of the following workarounds:
-- Use UDP monitors configured with a receive string.
-- Do not use UDP monitors.

755716-2 : IPsec connection can fail if connflow expiration happens before IKE encryption

Component: TMOS

Symptoms:
IKEv2 negotiation fails, and tmm log shows the following error:

notice [INTERNAL_ERR]: ikev2....: Invalid BIG-IP flow context

Conditions:
Unusual timing that results in connflow expiration immediately preceding Diffie Hellman generation.

Impact:
IKE Negotiation fails, so an SA cannot be established.

Workaround:
None.

755317-2 : /var/log logical volume may run out of space due to agetty error message in /var/log/secure

Component: TMOS

Symptoms:
An agetty error message is output to the /var/log/secure log fil every 10 seconds while the instance remains on:

agetty[<process_id>]: /dev/tty0 ttyS0: No such file or directory.

Conditions:
This agetty error message is an issue on all BIG-IP Virtual Edition and Cloud instances. It is not configuration-dependent.

Impact:
This may fill the /var/log/secure log file. When /var/log is full, certain system services may degrade or become unresponsive (e.g., DNS).

Workaround:
Manually extend the /var/log logical volume.

For more information, see Increase disk space for BIG-IP VE :: https://clouddocs.f5.com/cloud/public/v1/shared/disk_space.html.

755197-4 : UCS creation might fail during frequent config save transactions

Component: TMOS

Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.

Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tried to create a UCS that contains that to-be-deleted file.

Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.

Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.

This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.

Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.

755033-2 : Dynamic Routes stats row does not appear in the UI

Component: Service Provider

Symptoms:
From UI, when navigate to the following path:
Statistics ›› Module Statistics : Local Traffic ›› Profiles Summary : Diameter Router.
The stat for 'Current number of dynamic routes' does not appear.

Conditions:
Any condition

Impact:
Unable to view dynamic routes statistics in the GUI

Workaround:
Look at the statistics from tmsh

754989-2 : iControl REST API adds unnecessary escape character (\) to URL if the URL contains a wildcard character

Component: TMOS

Symptoms:
iControl REST API adds unnecessary escaping to URL if it contains a wildcard character.

Conditions:
-- Creating configuration using iControl REST API.
-- Configuration includes a URL containing wildcard character.

Impact:
iControl REST API adds unnecessary escape character (\) to URL. The resulting configuration may not be interpreted correctly by the data plane because the request URL does not match with the configuration.

-- One specific example:
# restcurl -u admin:<password> -d '{"name":"/vdesk/test*","type":"wildcard"}' "https://host.mgmt.siterequest.com/mgmt/tm/security/anti-fraud/profile/fps_logonpage_wildcard/urls"

-- Results in this:
urls {
        /vdesk/test\\* {
            priority 2
            type wildcard
        }
    }

-- Instead of the expected:
urls {
        /vdesk/test* {
            priority 2
            type wildcard
        }
    }

Workaround:
Use TMSH to add the configuration.

754335-2 : Install ISO does not boot on BIG-IP VE★

Component: TMOS

Symptoms:
The install ISO does not boot on BIG-IP Virtual Edition (VE).

Conditions:
Attempting to boot a BIG-IP VE from a virtual DVD-ROM drive loaded with an affected ISO file.

Impact:
The system does not fully boot and hangs, preventing you from performing an installation or using the live environment for other recovery purposes.

Workaround:
To work around this issue, boot the BIG-IP VE from an ISO file earlier than 14.1.0. If necessary, install that version, and then upgrade to 14.1.0 using the live installer.

753860-4 : Virtual server config changes causing incorrect route injection.

Component: TMOS

Symptoms:
Updating the virtual server to use a different virtual address (VADDR) does not work as expected. The old VADDR route should remove and inject the new route for the new virtual address. Instead, it injects incorrect routes into the routing protocols.

Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.

Impact:
Incorrect routes are injected into routing protocols.

Workaround:
None.

752228-4 : GUI Network Map to account for objects in a Disabled By Parent state

Component: TMOS

Symptoms:
When an object has a Disabled By Parent state, it is counted in the Unknown status instead of evaluating its actual Availability status.

Conditions:
Viewing objects with Disabled By Parent state in Network Map.

Impact:
The status shown in the map and summary view does not reflect the correct status.

Workaround:
Use the object list views to filter by status to see the correct status.

751924-1 : TSO packet bit fails IPsec during ESP encryption

Component: TMOS

Symptoms:
Internal error when an unexpected packet bit for TCP segment offload manages to reach crypto code for ESP in IPsec, when this is not expected.

Conditions:
Traffic passing through ESP encapsulation for an IPsec tunnel when the TSO bit (for TcpSegmentationOffload) is set on the packet involved.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

751586-4 : Http2 virtual does not honour translate-address disabled

Component: Local Traffic Manager

Symptoms:
Translate-address disabled on an HTTP/2 virtual server is ignored.

Conditions:
-- HTTP/2 virtual server configured.
-- Translate-address disabled.

Impact:
The traffic is still translated to the destination address to the pool member.

Workaround:
None.

751581-4 : REST API Timeout while queriying large number of persistence profiles

Component: TMOS

Symptoms:
When you have a large number of collections in BIG-IP, REST API seems to be timed out without any response from BIG-IP

Conditions:
When BIG-IP has large number of persistence profiles.

Impact:
REST API gets timed out when REST API queries the BIG-IP for persistence profiles. There is no response sent for given REST API.

Workaround:
When you have a large number of collections, you are recommended to use paging mechanism.

Please refer https://devcentral.f5.com/d/icontrol-rest-user-guide-version-131-246.

"iControl ® REST supports pagination options for large collections.

751103-3 : TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop

Component: TMOS

Symptoms:
Issuing the command 'tmsh save sys config' results in a question when display threshold is set and when management routes are configured. There is no prompt when no management routes are configured. This question is posted only when management-routes are configured, and does not appear when other provisioning commands are issued and the config is saved.

Conditions:
1. Set the cli preference display-threshold to a smaller value than the default.
2. Create management routes.
3. Issue the following command:
tmsh save sys config

Impact:
When there are more items configured than the threshold, the system presents a question:
Display all <number> items? (y/n)

Scripts are stopped until the prompt is answered.

Workaround:
To prevent the question from popping up, set display threshold to 0 (zero).

In the case of this script, you can also delete the management route definitions to prevent the question from being asked.

751021-5 : One or more TMM instances may be left without dynamic routes.

Component: TMOS

Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.

However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.

An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.

Conditions:
This issue is known to occur when all of the following conditions are met:

- The system is a multi-blade VIPRION or vCMP cluster.

- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.

Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.

Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:

# clsh "bigstart restart tmrouted"

However, there is no strict guarantee this will resolve the issue, given the nature of the issue.

Alternatively, you could temporarily replace the dynamic routes with static routes.

750705-1 : LTM logs are filled with error messages while creating/deleting virtual wire configuration

Component: Local Traffic Manager

Symptoms:
LTM logs are filled with error messages when creating/deleting virtual wire config.

Conditions:
Virtual wire is created and then deleted.

Impact:
Error messages are getting logged to ltm.

750588-2 : While loading large configurations on BIG-IP systems, some daemons may core intermittently.

Component: TMOS

Symptoms:
When manually copying a large config file and running 'tmsh load sys config' on specific hardware BIG-IP platforms, multiple cores may be observed from different daemons.

Conditions:
This has been observed on i4800 platforms when the 'management' provisioning (corresponding to the provision.extramb DB key) is set to 500 MB or less.

Impact:
The mcp daemon may core and all daemons on the BIG-IP system may be restarted.

Workaround:
Set db key 'provision.extramb' to 1024 or greater.

749249-3 : IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP

Component: TMOS

Symptoms:
IPsec tunnels fail to establish and CPUs go to 100%.

Conditions:
- IPsec tunnels configured.
- System has multiple blades.

Impact:
The CPU exhaustion may cause system instability.

The tmm logs may contain large numbers of messages similar to the following:

-- notice SA is not in LARVAL state when receives PFKEY UPDATE: src=50.1.1.53 dst=40.1.1.50 spi=0xc9cd688 proto=0x32 dir=0x1:IN reqid=0.0:0:0x10c81 state=1

Workaround:
For vCMP systems, provision the Guest on one blade only. There is no workaround for bare-metal systems.

748355-3 : MRF SIP curr_pending_calls statistic can show negative values.

Component: Service Provider

Symptoms:
Certain irregular SIP message patterns may produce an erroneous curr_pending_calls value that can drop below zero and underflow.

Conditions:
Uncommon message flows like re-transmitted INVITE or OK responses can trigger the issue, which may be brought about at times by lost packets when using UDP.

Impact:
SIP curr_pending_calls may show incorrect values.

746861-2 : SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★

Component: TMOS

Symptoms:
The SFP interfaces do not come up or flap up and down repeatedly on BIG-IP 2000/4000 on boot up when both SFP interfaces are populated.

When interface flaps state changes such as those below are logged in ltm log:
info pfmand[PID]: 01660009:6: Link: 2.1 is UP
info pfmand[PID]: 01660009:6: Link: 2.1 is DOWN

Conditions:
Both SFP interfaces, 2.1 and 2.2, on BIG-IP 2000/4000 are populated.

This is typically observed after an upgrade to an affected version.

Impact:
Traffic cannot be sent/received from these interfaces.

Workaround:
None.

746758-2 : Qkview produces core file if interrupted while exiting

Component: TMOS

Symptoms:
If, during qkview operation's exit stage, it is interrupted (with Ctrl-C for example), it produces a core file.

Conditions:
-- Qkview is exiting.
-- The qkview operation receives an interrupt.

Impact:
A core file is produced.

Workaround:
When closing qkview, or if it is closing, do not interrupt it; wait for it to exit.

746464-7 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.

744743-3 : Rolling DNSSEC Keys may stop generating after BIG-IP restart

Component: Global Traffic Manager (DNS)

Symptoms:
Rolling DNSSEC Keys may stop generating when a BIG-IP system restart.

Conditions:
BIG-IP system gets restarted by calling 'bigstart restart' command.

Impact:
Rolling DNSSEC keys can stop generating.

Workaround:
None.

744280-4 : Enabling or disabling a Distributed Application results in a small memory leak

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.

Conditions:
Enabling or disabling a Distributed Application.

Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.

Workaround:
None.

743946-1 : Tmsh loads schema versions 12.x and earlier which are no longer supported★

Component: TMOS

Symptoms:
BIG-IP systems support directly upgrading to a new version from the previous two major BIG-IP versions.
Thus, upgrading to BIG-IP version 15.x from BIG-IP version 13.x, 14.x or 15.x is supported.

Similarly, tmsh and iControl REST interfaces allow a previous version to be specified, to interpret commands and format responses according to the specified schema versions.
Thus, schema versions 13.x, 14.x and 15.x are supported by tmsh and iControlREST.

However:
Affected versions of BIG-IP version 15.x still load unsupported 12.x and 11.x tmsh schema versions.
Affected versions of BIG-IP version 14.x still load unsupported 11.x tmsh schema versions.

Conditions:
This occurs on affected versions of BIG-IP.

Impact:
Instances of tmsh consume more memory (averaging approximately 16MB per instance on BIG-IP version 15.1.0) due to loading unsupported 12.x and 11.x schemas.
If a large number of tmsh instances are loaded (due to a large number of users logged in, and particularly a large number of remotely-authenticated users), tmsh memory consumption can contribute to out-of-memory conditions.

Workaround:
None.

743803-6 : IKEv2 potential double free of object when async request queueing fails

Component: TMOS

Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.

Conditions:
When an async IPsec crypto operation fails to queue.

Impact:
Restart of tmm. All tunnels lost must be re-established.

Workaround:
No workaround known at this time.

743234-5 : Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons

Component: TMOS

Symptoms:
Configuring EngineID for SNMPv3 does not take effect until
the SNMP and Alert daemons are restarted.

Conditions:
Configure the EngineID for SNMPv3 using the tmsh command:
modify sys snmp include 'EngineType n'

Impact:
The SNMPv3 value does not take effect.

Workaround:
Restart the daemons after changing the EngineID:

restart /sys service snmpd
restart /sys service alertd

Note: The SNMP daemon should be restarted before the Alert daemon.

742549-4 : Cannot create non-ASCII entities in non-UTF ASM policy using REST

Component: Application Security Manager

Symptoms:
You cannot create non-ASCII entities (such as URLs and parameters) in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII entries using REST.

Impact:
You cannot create an entity (such as a URL or parameter) which contains non-ASCII characters using REST.

Workaround:
Use UTF-8.

741676-4 : Intermittent crash switching between tunnel mode and interface mode

Component: TMOS

Symptoms:
Changing the policy mode for an IPsec tunnel can crash when switching back and forth between tunnel mode and interface mode.

Conditions:
Changing mode in ipsec-policy from tunnel to interface, or vice versa.

Impact:
A tmm restart, after a core, interrupts all IPsec tunnel service until new SAs are negotiated to replace the old ones.

Workaround:
Start with desired mode, tunnel or interface, and avoid changing the value from one to the other.

741213-1 : Modifying disabled PEM policy causes coredump

Component: Policy Enforcement Manager

Symptoms:
TMM undergoes core dump after a disabled policy has a new rule added.

Conditions:
-- Add a rule to disabled PEM policy.
-- Enable the PEM policy, and this policy is applied by PCRF.
-- Traffic is generated for this subscriber.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Modify a PEM policy only when the policy is enabled.

739507-2 : How to recover from a failed state due to FIPS integrity check

Component: TMOS

Symptoms:
After FIPS 140-2 license is installed on FIPS-certified hardware devices, and the device rebooted, the system halts upon performing FIPS integrity check.

Conditions:
[1] Some system applications, monitored by FIPS 140-2, get routinely changed.
[2] The device was containing a FIPS 140-2 enabled license installed.
[3] The device operator installs a FIPS 140-2 enabled license
[4] The device is rebooted

Impact:
The device is halted and cannot be used.

Workaround:
Workaround:
[1] The device needs to have serial console access (Telnet).
[2] From the Telnet console, enter the GRUB menu and boot into a different partition not having a FIPS 140-2 enabled license.
[3] Examine the contents of file /config/fipserr which will show the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
[4] Restore those files to their original ones and reboot.

If system still halts, repeat from Step [1] above, until this no longer happens.

738865-2 : MCPD might enter into loop during APM config validation

Component: Access Policy Manager

Symptoms:
Mcpd crashes after a config sync.

Conditions:
This can occur during configuration validation when APM is configured.

Impact:
Mcpd may take too long to validate the APM configuration and is killed by watchdog, causing a core

Workaround:
Use the Visual Policy Editor to configure access policy instead of tmsh commands.

The Visual Policy Editor does not allow policies to be created if they contain loops.

738045-6 : HTTP filter complains about invalid action in the LTM log file.

Component: Local Traffic Manager

Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.

When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)

Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.

Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):

when HTTP_REQUEST {
    HTTP::collect
    NAME::lookup @10.0.66.222 'f5.com'
}
when NAME_RESOLVED {
    HTTP::release
}
when HTTP_REQUEST_SEND {
        log local0. "Entering HTTP_REQUEST_SEND"
}

-- Client sends two HTTP Post requests.
-- After the first request, the second connection is kept alive (for example, by using HTTP header Connection) so that the second request can reuse the same connection.

Impact:
The second request gets reset, and the system logs errors in the LTM log file.

Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.

737558 : Protocol Inspection user interface elements are active but do not work

Component: Protocol Inspection

Symptoms:
Protocol Inspection (PI) user interface options are present, but are not applied to traffic.

Protocol Inspection (PI) now requires the presence of either an add-on subscription or an AFM standalone license for any of the features to work. A 'Good' or 'Better' license does not activate the PI features. The Configuration Utility still allows you to configure inspection profiles, compliance checks, and signatures, but they are not applied to traffic. There is no feedback that they are not applied.

Conditions:
-- AFM licensed and provisioned through 'Good' or 'Better' license, but no add-on subscription license for Protocol Inspection. Alternately, AFM licensed as an add-on module to another module (typically LTM).

-- PI profile configured and applied to a virtual server or referenced in a firewall rule in an active firewall policy.

Impact:
If you previously had Protocol Inspection configured without the add-on license installed, the features are no longer applied to traffic until the add-on license is obtained. However, the GUI options remain active.

Workaround:
None.

737322-6 : tmm may crash at startup if the configuration load fails

Component: TMOS

Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.

Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

730852-2 : The tmrouted repeatedly crashes and produces core when new peer device is added

Component: TMOS

Symptoms:
There is a tmrouted crash when new peer device is added.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Core produced. Tmrouted crashes repeatedly. Dynamic routing for all route domains is temporarily disrupted.

Workaround:
Have MCP force load as described in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

726900-2 : Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters

Component: Local Traffic Manager

Symptoms:
Virtual server may attempt to use syncookies on first SYN packet rather than allowing the connection to pass through to the real server.

Conditions:
Modifying a virtual server (CLI/iControl/GUI) to switch from FastL4 or TCP profiles to an 'ip-other' profile.

Impact:
The configured 'ip-other' virtual server will fail to accept all traffic. For example, a TCP or a UDP flow which should have been accepted and processed by the 'ip-other' virtual server will be dropped incorrectly, trying to enforce 'Syn Cookie' validation.

Workaround:
When switching a virtual server profile from FastL4/TCP to the 'ip-other' profile, delete the virtual server and then re-add it with the 'ip-other' profile.

726518-2 : Tmsh show command terminated with CTRL-C can cause TMM to crash.

Component: Local Traffic Manager

Symptoms:
TMM crash when running show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name]

Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
- The command is terminated by the client connection, aborting with CTRL-C.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not terminate tmsh show commands with CTRL-C.

726416-4 : Physical disk HD1 not found for logical disk create

Component: TMOS

Symptoms:
The blade error 'Physical disk HD1 not found for logical disk create' is observed when bigstart restart happens on primary blade of chassis-based systems using solid state drives (SSD).

/var/log/ltm shows messages similar to the following:

-- localhost.localdomain debug chmand[25459]: 012a0007:7: mcp_logical_disk mcp_create received
-- localhost.localdomain debug chmand[25459]: 012a0007:7: logical_disk create received: name[HD1] media[general_use_ssd]
-- localhost.localdomain err chmand[25459]: 012a0003:3: Physical disk HD1 not found for logical disk create
-- localhost.localdomain debug chmand[25459]: 012a0007:7: mcp_physical_disk mcp_create received
-- localhost.localdomain debug chmand[25459]: 012a0007:7: physical_disk create received: serial number[S3F3NX0K810723] name[HD1]

and/or

err chmand[4712]: 012a0003:3: Physical disk HD1 not found for logical disk create

ltm log implies that logical disk create is requested before physical disk creation.

Conditions:
This occurs on chassis-based systems (more than one blade) using SSD, when bigstart restart happens on primary blade.

Impact:
The system posts the following error under ltm log:
err chmand[3370]: 012a0003:3: Physical disk HD1 not found for logical disk create.

When system posts the error, it just skips executing couple of lines of code, to be precise two API calls.
These API calls are related to updating DiskInfo and disk wearout information.

This message is benign and can be safely ignored

Workaround:
There is no workaround.

726164-3 : Rolling DNSSEC Keys can stop regenerating after a length of time on the standby system

Component: Global Traffic Manager (DNS)

Symptoms:
Rolling DNSSEC Keys may stop generating when a BIG-IP system is on standby for a length of time

Conditions:
BIG-IP system is on standby for a length of time, in general, longer than twelve hours.

Impact:
Rolling DNSSEC keys can stop regenerating.

Workaround:
None.

724994-5 : API requests with 'expandSubcollections=true' are very slow

Component: TMOS

Symptoms:
Submitting an iControl REST query using the option 'expandedSubcollections=true' takes significantly longer to return than one without that option. For example, the command 'https://localhost/mgmt/tm/ltm/virtual?expandSubcollections=true' takes significantly longer than the command 'https://localhost/mgmt/tm/ltm/virtual'.

Conditions:
Submitting a query using expandedSubcollections=true.

Impact:
The response takes significantly longer to return

Workaround:
The additional processing time occurs because the 'expandedSubCollections' parameter fetches all the related associated elements. You can use the following alternative to retrieve the virtual configuration:

1. Run the following query:
GET mgmt/tm/ltm/virtual

2. Obtain the list of virtual servers by:
2a. parsing either the selfLink or the fullPath properties in the response items array, where the response is from step 1.
2b. writing an iControlLX worker that does this.

Note: Writing a worker abstracts the parsing logic into a user-defined endpoint. It provides API access to the data.

3. Iterate over the virtual servers querying each with the option 'expandSubcollections=true'.

724824-2 : Ephemeral nodes on peer devices report as unknown and unchecked after full config sync

Component: Local Traffic Manager

Symptoms:
After a Full Configuration Sync is performed in a device cluster, Ephemeral (FQDN) nodes on peers to the device initiating the Configuration Sync will report their status as Unknown with monitor status of Unchecked.

Note: The nodes are still monitored properly by the peer devices even though they are not reported as such.

Conditions:
-- Full configuration sync performed in a device cluster.
-- Ephemeral (FQDN) nodes configured.

Impact:
Monitor status on the peer devices is reported incorrectly.

Workaround:
Any of the following three options will correct reporting status on the peer devices:

-- Restart bigd

-- Cause monitoring to the FQDN nodes to fail for at least one probing interval, and then restore monitoring accessibility.

-- Disable and then re-enable the FQDN node

Each of these workarounds results in the reported status of the FQDN node on the peer reporting correctly again. The workarounds do not prevent a subsequent configuration sync from placing the FQDN nodes back into Unknown status on peers, however.

723658-4 : TMM core when processing an unexpected remote session DB response.

Component: Carrier-Grade NAT

Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.

The system writes messages to /var/log/tmm* similar to the following:

   notice CDP: exceeded 1/2 timeout for PG 1
   notice CDP: PG 1 timed out
   notice CDP: New pending state 0f -> 0d
   notice Immediately transitioning dissaggregator to state 0xd
   notice cmp state: 0xd
   notice CDP: New pending state 0d -> 0f
   ...
   notice cmp state: 0xf
   notice CDP: exceeded 1/2 timeout for PG 1

Conditions:
-- A LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

721740-1 : CPU stats are not correctly recorded when snapshot files have timestamps in the future

Component: TMOS

Symptoms:
One symptom is that a message similar to the following comes out in the log files frequently.

May 24 16:31:53 lusia_60.F5.COM warning merged[6940]: 011b0914:4: No individual CPU information is available.

Merged CPU stats will be 0.

Conditions:
If all of the snapshot stats files have timestamps in the future, CPU stats will not be correctly merged.

Impact:
Frequent error messages in the logs, and incorrect merged CPU stats.

Workaround:
Remove all of the stats snapshot files that have timestamps in the future and restart merged.

721020-5 : Changes to the master key are reverted after full sync

Component: TMOS

Symptoms:
Changing the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.

Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.

Impact:
Subsequent configuration loads fail on the device.

Workaround:
There is no workaround.

720440-5 : Radius monitor marks pool members down after 6 seconds

Component: Local Traffic Manager

Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.

Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.

Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.

Workaround:
There is no workaround at this time.

719589-1 : GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic

Component: Access Policy Manager

Symptoms:
GUI and CLI category lookup test tool (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup) can return different categories compared to the actual data-plane traffic

Conditions:
Access Policy, Secure Web Gateway : Database Settings : URL Category Lookup or command line lookup using 'urldb -c' construction.

Impact:
Some websites may be categorized differently depending on whether or not the IP is passed in. Correct category may not be returned.

Workaround:
None.

719555-4 : Interface listed as 'disable' after SFP insertion and enable

Component: TMOS

Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as 'disabled' in 'tmsh show net interface output' commands.

Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface output.

Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.

Workaround:
This issue is cosmetic; the interface is functional so it may be used.

To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface

718796-4 : IControl REST token issue after upgrade★

Component: Device Management

Symptoms:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.

Conditions:
-- Upgrading to version 13.1.0.x or later.
-- Using iControl REST.

Impact:
A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.

Workaround:
You can repair the current users permissions with the following process:

   1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
      # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
      # bigstart restart restjavad.

   2) Update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT:
      # restcurl shared/authz/roles/iControl_REST_API_User > role.json
      # vim role.json and add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
      # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

Now, when you create a new user, the permissions should start in a healthy state.

718790-4 : Traffic does not forward to fallback host when all pool members are marked down

Component: Local Traffic Manager

Symptoms:
Traffic does not get forwarded to fallback hosts.

Conditions:
-- HTTP Profile configured with Fallback Host.
-- All the pool members are marked administrative down.

Impact:
Traffic does not get forwarded.

Workaround:
Pick a monitor working properly for the pool.

718573-2 : Internal SessionDB invalid state

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
SessionDB is accessed in a specific way that results in an invalid state.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

718405-4 : RSA signature PAYLOAD_AUTH mismatch with certificates

Component: TMOS

Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.

The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.

Conditions:
Interoperating with other vendors under IKEv2 while using certificates.

Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.

Workaround:
Use pre-shared key authentication.

718288-1 : MCPD might crash on secondary blades when DNSSEC client-facing SOA zone serial not updated

Component: Local Traffic Manager

Symptoms:
In certain cases, a DNSSEC client-facing SOA zone serial does not always update when DNSSEC-related resource records change. That might cause MCPD to crash on secondary blade.

Conditions:
A DNSSEC-related resource record changes.

Impact:
A DNSSEC client-facing SOA zone serial may not always update. That might cause MCPD crash on secondary blade. Traffic disrupted while MCPD restarts.

Workaround:
None.

718230-7 : Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented

Component: TMOS

Symptoms:
In certain circumstances, attaching a BIG-IP monitor type to a non-BIG-IP server with already defined virtual servers is allowed by the system when it should not be allowed.

Conditions:
Attempting to attach a BIG-IP monitor type to a non-BIG-IP server.

Impact:
The BIG-IP monitor can be added to a non-BIG-IP server without error. This causes a configuration load error, such as after a reboot, tmm restart, or tmsh load sys config, and results in an error message such as:

-- localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all gtm-only" - failed. -- Loading schema version: 12.1.3 Loading schema version: 12.1.5.1 01071033:3: Server (/Common/generic_server_object) contains monitor (/Common/bigiptest) which is an invalid type. Unexpected Error: Loading configuration process failed.

Workaround:
None.

718108-4 : It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts

Component: TMOS

Symptoms:
When trying to create a diagnostic core file of the icrd_child process (for example, using the command: kill -6 <PID>), the process restarts but does not create a core file.

Conditions:
iControl REST requests are sent to the BIG-IP system using non-administrative (or resource admin) user accounts.

Impact:
This issue may hinder F5 Support efforts to diagnose memory leaks or other issues affecting the icrd_child process.

Workaround:
There are two workarounds for this issue.

Workaround #1:
The problem can be avoided by making calls to iControl REST using only User IDs that have the 'Admin' or 'Resource Admin' roles.

Note: If iControl REST calls have already been made with User IDs that have a role other than 'Admin' or 'Resource Admin', the 'restjavad' process must be restarted before core files can be created for icrd_child processes.

Workaround #2:
If iControl REST calls have already been made with User IDs that have a role other than 'Admin' or 'Resource Admin', and a core file is needed for a currently running icrd_child process, running the following two commands in the Advanced Shell (aka bash) creates the core file.

1: "echo 2 > /proc/sys/fs/suid_dumpable"
2: "pkill -6 icrd_child"

Note: The commands are shown inside quotation marks but do not include the quotations marks.

717346-6 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total

Solution Article: K13040347

Component: Local Traffic Manager

Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.

Conditions:
Rarely occurring, unstable network could be one of the reasons.

Impact:
Cannot use stats for troubleshooting.

Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket

716746-2 : Possible tmm restart when disabling single endpoint vector while attack is ongoing

Component: Advanced Firewall Manager

Symptoms:
tmm restarts.

Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.

Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.

Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.

Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.

715379-4 : IKEv2 accepts asn1dn for peers-id only as file path of certificate file

Component: TMOS

Symptoms:
IKEv2 only has a very inconvenient way to specify ID for an ike-peer when using peers-id-type asn1dn. The string value of peers-id-value was understood only as a file path, and not as a representation of the asn1dn value itself. The file had to be a certificate, whose subject happened to be the ID of the remote peer as a distinguished name (DN), so this could be extracted as binary DER for asn1dn. This was both awkward and error prone, requiring what amounts to a copy of a peer's certificate before it is sent during negotiation.

Conditions:
-- Using certificate based authentication in IPsec IKEv2.
-- Configuring an ike-peer with peers-id-type as asn1dn.

Impact:
Very difficult to use asn1dn as the ID of a peer, impeding inter-operation with other vendors.

Workaround:
If you can install a local copy of the peer's certificate, with an asn1dn value inside matching what that peer will actually send in an IKE_AUTH exchange, IKEv2 can extract the asn1dn provided the value of peers-id-value is an absolute file system path to this local certificate copy.

714642-3 : Ephemeral pool-member state on the standby is down

Component: Local Traffic Manager

Symptoms:
On a standby BIG-IP system, an ephemeral pool-members state remains user-down after re-enabling an FQDN node on the primary system.

Conditions:
Re-enabling a forced-down FQDN node on the primary system.

Impact:
On the standby system, the ephemeral pool-members are in state: user-down, (forced-down in GUI).

Workaround:
None.

714502-1 : bigd restarts after loading a UCS for the first time

Component: Local Traffic Manager

Symptoms:
bigd restarts when loading a UCS for the first time, where the load succeeds; and no related messages are reported in /var/log/ltm; and no bigd core file is produced.

Conditions:
bigd loads a UCS file for the first time, such as after the command:
tmsh load sys ucs no-license keep-current-management-ip no-platform-check

Impact:
The UCS file is correctly reloaded, and bigd restarts with the loaded configuration. No bigd core is produced, and no related messages are found in /var/log/ltm. After restart, bigd performs all system functions as expected.

Workaround:
System runs as expected after the bigd restart, and the user need not take any action.

714216-3 : Folder in a partition may result in load sys config error

Component: TMOS

Symptoms:
If you run the command 'tmsh load sys config current-partition' in a partition that includes a folder, the command may return an error.

Conditions:
This occurs in the following scenario:
-- Create a partition.
-- Create a folder in that partition.
-- In the newly-created partition.
-- Save the configuration with the command 'save sys conf'.
-- In the same partition, run the following command to load the configuration: 'tmsh load sys config current-partition'.

Impact:
The load configuration process fails with an error that the folder does not exist.

Workaround:
There is no workaround at this time.

714176-2 : UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed

Component: TMOS

Symptoms:
-- UCS archive restore fails
-- The Traffic Management Shell (TMSH) and/or /var/log/ltm file show following error message:
01071769:3: Decryption of the field (privatekey) for object (9717) failed. Unexpected Error: Loading configuration process failed.

Conditions:
- Restoring configuration from UCS.
- The UCS is being restored on a different BIG-IP system with a different master key.

Impact:
-- The UCS configuration is not applied.
-- The BIG-IP is not in a fully operational state.

Workaround:
If you encounter this error and dynad is not in use (dynamic debug) you can manually edit bigip_base.conf.

1. Locate the dynad config in /config/bigip_base.conf file:

For example, the dynad config will look like:
sys dynad key {
key $M$jV$VX7HMp5q346nsTYDYFPnYdJLrBPyQSCrDTJYAz4je7KXJAC38fxtDJL35KtF66bq
}

2. Modify the dynad configuration lines to:
sys dynad key {
key "test"
}

3, Save the updated bigip_base.conf file
4. Load the configuration with command: tmsh load sys config

713614-2 : Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)

Component: TMOS

Symptoms:
Warning similar to below, referencing a non-floating self IP:
Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)

Conditions:
Virtual Server is defined using the same IP address as a non-floating self IP.

Impact:
Virtual Server does not fail over with floating traffic group as expected.

712241-4 : A vCMP guest may not provide guest health stats to the vCMP host

Component: TMOS

Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision

These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.

These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest

Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.

Impact:
There is no functional impact to the guests or to the host, other than these lost tables.

-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI. Such as being grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

Workaround:
There is no workaround at this time.

710930-4 : Enabling BigDB key bigd.tmm may cause SSL monitors to fail

Component: Local Traffic Manager

Symptoms:
When bigd.tmm is enabled, SSL monitors may begin to fail.

Conditions:
-- The in-tmm monitoring feature is enabled via the bigd.tmm db variable (it is disabled by default)
-- The cipher string of the attached SSL profile uses keywords that are invalid with TMM.

Impact:
The cipher string will no longer be valid when bigd.tmm is enabled and the keywords will need to be modified or removed. SSL monitors begin to fail after modifying bigd.tmm.

Workaround:
Modify or remove incompatible keywords from the ciphers string; the in-tmm monitoring feature only allows ciphers that are allowed by SSL profiles.

709381-3 : iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.

Component: Local Traffic Manager

Symptoms:
An iRules LX plugin does not properly run and messages similar to the following example are logged to the /var/log/ltm file:

err tmm[17616]: 01220001:3: TCL error: /Common/my-plugin/my-rule <HTTP_REQUEST> - ILX timeout. invoked from within "ILX::call $ilx_handle -timeout 3000 my-function"

Conditions:
An iRules LX workspace archive is imported to BIG-IP version 13.1.0 or later from a previous software version.

It should be noted this is what happens during a regular software upgrade. Therefore, you might encounter this issue when upgrading a system to BIG-IP version 13.1.0 or later.

Impact:
The affected iRules LX are not functional under the new software version, and the virtual servers utilizing them will experience various failures.

Workaround:
Change the node version from 0.12.15 to 6.9.1 and back.

705768-3 : dynconfd may core and restart with multiple DNS name servers configured

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash with a core and restart when processing a DNS query while multiple DNS name servers are configured or the list of DNS name servers is changed.

Conditions:
This may occur rarely when FQDN nodes are configured and multiple DNS name servers are configured, including when a name server is added to or removed from the system DNS configuration while a DNS query is active.

Impact:
Resolution of FQDN names for FQDN nodes and pool members may be briefly interrupted while the dynconfd daemon restarts. This may cause a delay in propagation of DNS zone changes to the BIG-IP configuration.

Workaround:
This issue occurs rarely. There is currently no known workaround.

705387-2 : HTTP/2, ALPN and SSL

Component: Local Traffic Manager

Symptoms:
The SSL filter will not always add the ALPN extension.

Conditions:
If the negotiated cipher is not HTTP/2 compliant, the SSL filter may not add the ALPN extension.

Impact:
The failure to add the ALPN extension may result in the failure to negotiate the proper protocol.

Workaround:
There is no workaround at this time.

705112-5 : DHCP server flows are not re-established after expiration

Component: Local Traffic Manager

Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.

Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds

Impact:
DHCP server traffic not load balanced.

Workaround:
None.

703090-2 : With many iApps configured, scriptd may fail to start

Component: TMOS

Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:

"script has exceeded its time to live, terminating the script"

Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.

Impact:
The error message will show up, and some instances of the script will not run.

Workaround:
Restarting scriptd will resolve the issue.

700639-3 : The default value for the syncookie threshold is not set to the correct value

Component: Local Traffic Manager

Symptoms:
The default value for connection.syncookies.threshold should be set to 64000. Instead, this value defaults to 16384.

Conditions:
This issue may be encountered when a virtual server uses syncookies.

Impact:
The connection.syncookies.threshold value will be lower than intended, possibly resulting in lower performance.

Workaround:
Use tmsh to manually set the threshold value:
# tmsh modify sys db connection.syncookies.threshold value 64000

697421-2 : Monpd core when trying to restart

Component: Application Visibility and Reporting

Symptoms:
Monpd tries to restart and tries to access a non-initiated variable

Conditions:
Monpd tries to restart due to change of primary blade

Impact:
Monpd cores

Workaround:
N/A

696755-4 : HTTP/2 may truncate a response body when served from cache

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.

Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.

Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.

Workaround:
Adding the following iRule causes the body to be displayed:

when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}

696348-4 : "GTP::ie insert" and "GTP::ie append" do not work without "-message" option

Component: Service Provider

Symptoms:
When adding "GTP::ie insert" and "GTP::ie append" without "-message" option to iRule, there is warning message:

[The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:VALUE"1290 38]

Conditions:
Using "GTP::ie insert" or "GTP::ie append" command without "-message" option

Impact:
The commands still be executed during runtime but the warning message may confuse user.

692218-2 : Audit log messages sent from the primary blade to the secondaries should not be logged.

Component: TMOS

Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.

Conditions:
Multi-blade platform.

Impact:
Unnecessary messages in the log file.

Workaround:
None.

688231-5 : Unable to set VET, AZOT, and AZOST timezones

Component: TMOS

Symptoms:
Unable to set VET, AZOT, and AZOST timezones

Conditions:
This occurs under normal operation.

Impact:
Cannot set these timezones.

Workaround:
Use the following zones with the same offset:

The AZOT timezone is the same offset as
N – November Time Zone.

The AZOST timezone is the same offset as
Z – Zulu Time Zone,
GMT – Greenwich Mean Time,
WET – Western European Time.

The VET timezone is the same offset as
AST – Atlantic Standard Time,
CDT – Cuba Daylight Time, CLT – Chile Standard Time,
EDT – Eastern Daylight Time,
FKT – Falkland Island Time,
Q – Quebec Time Zone.

677683 : Unexpected LOP reset

Component: TMOS

Symptoms:
These symptoms can be seen on BIG-IP B2100 and B2150 blades.

When the AOM resets itself unexpectedly, these types of symptoms can be observed:

-- LED alarm light may be red.

-- Messages may be logged to /var/log/ltm.

Examples of typical messages:
-- warning chmand[6890]: 012a0004:4: getLopReg Dev error: LopDev: sendLopCmd: Lopd status: 2 packet: action=1 obj_id=67 sub_obj=0 slot_id=ff result=0 len=3 crc=0 payload=28 8 4 (error code:0x0)

-- err chmand[6890]: 012a0003:3: GET_STAT failure (status=0x2) page=0x28 reg=0x8 : File mgmtif/BourneMgmtIfSvc.cpp Line 282

-- notice chmand[6890]: 012a0005:5: Tmstat::updateMgmtIf: Lop error

-- warning chmand[6890]: 012a0004:4: getLopReg Dev error: LopDev: sendLopCmd: Lopd status: 2 packet: action=1 obj_id=67 sub_obj=0 slot_id=ff result=0 len=3 crc=0 payload=1 0 2 (error code:0x0)

-- err chmand[6890]: 012a0003:3: GET_MEDIA failure (status=0x2) page=0x1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 376

Conditions:
This may occur on BIG-IP B2100 and B2150 blades.

Additional conditions under which this occurs are not well understood.

Impact:
These errors are effectively benign:

-- The watchdog/reset feature of the AOM controller provides resilience to recover from unexpected fault conditions.

-- The AOM re-initializes and comes back to proper operating state in the system.

-- Production traffic is not affected.

Workaround:
There is no workaround.

675911-7 : Different sections of the WebUI can report incorrect CPU utilization

Solution Article: K13272442

Component: TMOS

Symptoms:
The following sections of the WebUI can report incorrect (i.e. higher than expected) CPU utilization:

- The "download history" option found in the Flash dashboard

- Statistics › Performance › Traffic Report (section introduced in version 12.1.0)

Values such as 33%, 66% and 99% may appear in these sections despite the system being potentially completely idle.

Conditions:
HT-Split is enabled (this is the default for platforms that support it).

Impact:
Incorrect CPU utilization is reported by multiple sections of the WebUI, which can confuse BIG-IP Administrators and cause unnecessary alarm.

Workaround:
You can obtain CPU history through various other means. One way is to use the sar utility.

In 12.x and 13.x:
  sar -f /var/log/sa6/sa
or for older data
  sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.

In 11.x:
  sar -f /var/log/sa/sa
or for older data
  sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.

Live CPU utilization also can be obtained through various other means. Including: the Performance Graphs, SNMP polling, iControl polling, various command-line utilities such as top, etc.

673573-2 : tmsh logs boost assertion when running child process and reaches idle-timeout

Component: TMOS

Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.

The errors in /var/log/ltm begin with the following text:
'boost assertion failed'

Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.

Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.

Workaround:
None.

671372-6 : When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.

Solution Article: K01930721

Component: TMOS

Symptoms:
When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.

Conditions:
-- Creating a pool.
-- Modifying all of its members in a single tmsh transaction.

Impact:
The pool will be created but the members will not be modified.

Workaround:
Create a pool in one transaction; followed by modifying members in another transaction.

665117-6 : DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping

Solution Article: K33318158

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Server status flapping from red-green-red.

Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.

Impact:
Server status flaps from red to green and back.

Workaround:
Check Transparent for these monitors.

663925-2 : Virtual server state not updated with pool- or node-based connection limiting

Component: Local Traffic Manager

Symptoms:
Rate- or connection-limited pool members and nodes do not immediately affect virtual server status.

Conditions:
The connection count reaches the configured connection limit.

Impact:
Virtual server is automatically disabled when connection limit is reached and returns from the unavailable state after connections decrease.

The actual functionality of connection-limiting is occurring at the tmm level (you can see connections rejection after reaching the max limit in logs). The system is just not logging status in mcp as update_status is not being called automatically.

Workaround:
None.

662301-3 : 'Unlicensed objects' error message appears despite there being no unlicensed config

Component: TMOS

Symptoms:
An error message appears in the GUI reading 'This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.' Examination of the configuration and license shows that there are no configuration error or unlicensed configuration objects. The device is operational.

Conditions:
The BIG-IP system is licensed and the configuration loaded.

Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.

Workaround:
Restart mcpd by running the following command:
bigstart restart mcpd

648242-5 : Administrator users unable to access all partition via TMSH for AVR reports

Solution Article: K73521040

Component: Application Visibility and Reporting

Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).

Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.

Impact:
AVR reports via TMSH will fail when using partition based entities.

Workaround:
None.

646440-6 : TMSH allows mirror for persistence even when no mirroring configuration exists

Component: Local Traffic Manager

Symptoms:
When Mirroring is not configured in a high-availability (HA) configuration, the Configuration Utility (GUI) correctly hides the 'mirror' option for Persistence profile. However, Persistence Mirroring can still be enabled via TMSH.

Conditions:
-- Mirroring is configured in an HA configuration.
-- Persistence profile.
-- Using TMSH.

Impact:
A memory leak and degraded performance can occur when:

-- The Mirroring option of a Persistence profile is enabled.
-- Mirroring in the HA environment is not configured.

Workaround:
Always use the Configuration Utility (GUI) to configure Persistence profiles.

If you encounter this issue, complete the following procedure to locate Persistence profiles with Mirroring enabled, and then disable Mirroring for those profiles:

1. Access the BIG-IP Bash prompt.

2. List the Persistence profiles with the following command:
tmsh list ltm persistence

3. Examine the Persistence profiles to identify the ones with 'mirror enabled'.

4. Disable Mirroring for each Persistence profile, using a command similar to the following:
tmsh modify ltm persistence <persistence_type> <profile_name> mirror disabled

5. Save the changes to the Persistence profiles:
tmsh save sys config

640842-4 : ASM end user using mobile might be blocked when CSRF is enabled

Component: Application Security Manager

Symptoms:
Users report their access is blocked; when you look at the error log, you see CSRF errors.

Conditions:
-- CSRF enabled on ASM.
-- ASM client is using a mobile device.

Impact:
Client is blocked.

Workaround:
None.

636842-4 : A FastL4 virtual server may drop a FIN packet when mirroring is enabled

Solution Article: K51472519

Component: Local Traffic Manager

Symptoms:
A FastL4 virtual server may drop a FIN packet when mirroring is enabled.

Conditions:
- The virtual server uses the FastL4 profile.
- The virtual server performs mirroring.
- The tm.fastl4_ack_mirror db key is enabled (default).
- The client or the server sends a FIN packet, immediately followed by a RST packet.

Impact:
The BIG-IP system forwards the RST packet but not the FIN packet.

As the RST sent by one of the TCP endpoints would have its sequence number increased by 1 to account for the FIN packet, the other TCP endpoint may not accept the RST as the FIN packet was never seen.

This issue is exacerbated if the FIN packet also carries application data (for example, if it is actually a FIN,PSH,ACK packet). In this case, the other TCP endpoint never sees the application data contained within the packet, and the sequence number in the RST will be off by more than just 1.

Ultimately this can cause application failures and also the two connection flows to stall for some time.

Workaround:
To workaround this issue you can either:

1) Disable mirroring for the virtual server (but this comes with a loss of functionality, which may not be acceptable).

or

2) Disable the tm.fastl4_ack_mirror db key (but this would affect all FastL4 virtual servers performing mirroring on the box).

625807-4 : tmm cored in bigproto_cookie_buffer_to_server

Component: Local Traffic Manager

Symptoms:
TMM cores on SIGSEGV during normal operation.

Conditions:
It is not known exactly what triggers this, but it may be triggered when a connection is aborted in a client-side iRule iRule, this log signature may indicate that this is being triggered:

tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>

Impact:
Traffic disrupted while tmm restarts.

601220-2 : Multi-blade trunks seem to leak packets ingressed via one blade to a different blade

Component: TMOS

Symptoms:
When a multi-blade VIPRION deployment first starts up or recovers from a chassis-wide force-offline/release-offline event, multi-blade trunks seem to leak packets that ingressed on one blade, out the same trunk's member interfaces on other blades.

Conditions:
-- Multi-blade VIPRION deployment.
-- Chassis-wide reboot or force-offline/release-offline event occurs.

Impact:
This is a very intermittent issue that is not reproducible and happens for only a few milliseconds. This may temporarily impact the upstream switch L2 FDB and cause slight traffic redirection as the upstream switch will learn the source MAC of the gratuitous ARPing host from the same trunk the traffic was broadcast to.

Note: This is not an F5-specific problem. It occurs on every stack switch hardware under these conditions.

Workaround:
There is no workaround.

601189-5 : The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might send TCP packets out of order in Fastl4 in syncookie mode.

Conditions:
-- Fastl4 VS.
-- syncookie mode.

Impact:
TCP packet are sent out of order.

Workaround:
None.

593536-8 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations

Solution Article: K64445052

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.

Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.

Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.

Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.

Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.

587821-9 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.

583084-7 : iControl produces 404 error while creating records successfully

Solution Article: K15101680

Component: TMOS

Symptoms:
iControl produces an HTTP 404 - Not Found error message while creating the BIG-IP DNS topology record successfully.

Conditions:
Creating GTM topology record without using full path via iControl.

Impact:
Resulting code/information is not compatible with actual result.

For a post request, the create command and the list command are formed and executed, and the name in the curl request and the name in the list response are compared to verify whether or not it is the actual object. When a create command is executed with properties that are not fullPath (e.g., in iControl), it still creates the object with fullPath. So list returns the name with fullPath and compares it with the name that does not contain the fullPath, and the comparison fails because the names do not match.

Workaround:
Use the full path when creating BIG-IP DNS topology records using iControl.

579219-4 : Access keys missing from SessionDB after multi-blade reboot.

Component: Access Policy Manager

Symptoms:
Reboot a 4-blade vCMP guest. Now, only the master key for catalog remained. All subkeys are missing.

Conditions:
This can occur intermittently during a reboot in a multi-blade vCMP guest configured with APM.

Impact:
Some Access subkeys may be missing after the reboot.

Workaround:
Reboot the primary blade.

569859-6 : Password policy enforcement for root user when mcpd is not available

Component: TMOS

Symptoms:
When the mcpd configuration database is not available password policy is not enforced when changing passwords for the user 'root' using the command-line utility 'passwd' utility.

Conditions:
-- Advanced shell access
-- mcpd is not available.
-- Change root password with the 'passwd' utility.

Impact:
Root password may be set to a string that does not comply with the current password policy.

Workaround:
None.

547692 : Firewall-blocked KPASSWD service does not cause domain join operation to fail

Component: Access Policy Manager

Symptoms:
KPASSWD service runs on tcp/464 and udp/464. If both of these ports were blocked, BIG-IP would not be able to properly set the machine account password for the created machine account. However, there is a bug on BIG-IP as well, which fails to report this failure back to the administrator.

As the machine account itself was successfully created on ActiveDirectory side without the correct password, and BIG-IP's failure to report the KPASSWD failure problem, the domain join operation seems had worked perfectly.

However, since the password information is never set on ActiveDirectory side, this causes this machine account effectively unusable because BIG-IP would never be able to establish a working SCHANNEL with ActiveDirectory server because of this password mismatch.
creation is LDAP (+ Kerberos GSS-API with SASL binding), the machine account itself is generated. Furthermore, as password setting for machine account is not allowed to be performed by administrator, this situation obfuscate the fact the KPASSWD was failing as AD server never receives thus AD never logged any failure on this matter, while BIG-IP fails to detect the KPASSWD failure, and so as administrator's user experience goes, everything seems perfectly worked for domain join.

Conditions:
Out of DNS, LDAP, KERBEROS, KPASSWD services which are required for domain join operation, only KPASSWD is blocked.

Impact:
Created machine account is effectively unusable due to password mismatch, and BIG-IP would never be able to establish a working SCHANNEL, this renders NTLM authentication feature to be not working.

Workaround:
Allow KPASSWD to reach ActiveDirectory server

508302-6 : Auto-sync groups may revert to full sync

Component: TMOS

Symptoms:
If a large number of configuration changes in the same device group are being applied rapidly, device sync may start to generate full loads instead of incremental patches.

Conditions:
This only affects auto-sync device groups.

Impact:
The system may spuriously start to generate full loads instead of incremental changes.

Workaround:
You can use any of the following workarounds:

-- If a large series of syncs are expected, temporarily disable auto-sync for the device group in question.

-- Wrap all of the changes into a single transaction.

-- Add a short pause in between changes.

505037-6 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop

Solution Article: K01993279

Component: Local Traffic Manager

Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.

Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.

Impact:
Secondary in a restart loop.

Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.

499348-10 : System statistics may fail to update, or report negative deltas due to delayed stats merging

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.

Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:

-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).

-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:

-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.

2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
tmsh modify sys db merged.method value slow_merge.

489960-5 : Memory type stats is incorrect

Component: WebAccelerator

Symptoms:
When tmm allocates memory, it adds up stats per memory type allocated. AAM is not properly marking memory type for strings objects, affecting other types of memory stats depending on configuration and release.

Conditions:
AAM is provisioned and there are virtuals in BIG-IP configuration which have web acceleration profiles associated with one or more AAM policies.

Impact:
Stats for some types of memory can be skewed causing troubleshooting issues.

Workaround:
None.

474797-3 : Nitrox crypto hardware may attempt soft reset while currently resetting

Component: Local Traffic Manager

Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.

Conditions:
Soft reset is needed to clear a stuck condition occurring in the timeframe during which another soft reset is occurring.

Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.

Workaround:
Correct the condition resulting in the need for the soft reset to clear the stuck condition or disable hardware-based crypto acceleration by setting db variable 'tmm.ssl.cn.shunt' to disable.

To disable hardware-based crypto acceleration issue the following command:

tmsh modify sys db tmm.ssl.cn.shunt value disable

Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.

470916-2 : Using native View clients, cannot launch desktops and applications from multiple VMware back-ends

Component: Access Policy Manager

Symptoms:
If APM is configured to protect multiple VMware resources (VCS servers), you can launch desktops and applications only from the first resource. Attempts to launch desktop or applications from other resources result in error.

Conditions:
-- APM is configured to protect multiple VMware resources (VCS servers).
-- You attempt to launch a desktop or application using the native VMware client.

Impact:
Cannot access desktops and applications from multiple VMware back-ends.

Workaround:
Use HTML5 client instead.

431503-7 : TMSH crashes in rare initial tunnel configurations

Solution Article: K14838

Component: TMOS

Symptoms:
In rare BigIP configuration scenarios, TMM may crash during its startup process when the tunnel configurations are loaded.

Conditions:
During TMM startup, a tunnel is created, then immediately removed during the configuration load period, when TMM neighbor messages may be in flight via the tunnel. When the race condition fits, the neighbor message may land on an invalid tunnel.

Impact:
TMM crash in rare race conditions.

Workaround:
None.

385013-3 : Certain user roles do not trigger a sync for a 'modify auth password' command

Component: TMOS

Symptoms:
If users with the certain roles change their password, the BIG-IP system does not detect that it is out-of-sync with its peer and does not trigger an automatic sync:

Conditions:
-- Multiple BIG-IP devices in a Device Service Cluster that sync configurations with each other.
-- A user with one of the following roles logs in and changes their password:
  + guest
  + operator
  + application-editor
  + manager
  + certificate-manager
  + irule-manager
  + resource-admin
  + auditor

Impact:
The system does not detect that it is out of sync with its peer, and does not report this condition. If automatic sync is enabled, a sync does not automatically occur.

Workaround:
Force a full sync to the peer systems.

382363-4 : min-up-members and using gateway-failsafe-device on the same pool.

Solution Article: K30588577

Component: TMOS

Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.

Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.

Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.

Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.

291256-1 : Changing 'Minimum Length' and 'Required Characters' might result in an error

Component: TMOS

Symptoms:
When setting a value for the password policy attribute 'Minimum Length', and setting 'Required Characters' 'Numeric', 'Uppercase', 'Lowercase', and 'Other' to values whose sum is greater than 'Minimum Length' the system does not save changes, and instead reports an error:

err mcpd[1647]: 01070903:3: Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'

Conditions:
-- Change the value of 'Minimum Length'.
-- Change the values in 'Required Characters' ('Numeric', 'Uppercase', 'Lowercase', and 'Other').
-- The sum of the values from 'Required Characters' is a greater than 'Minimum Length' value before you changed it.

Here is an example:
1. From the default of '6', change 'Minimum Length' to 10.
2. At the same time, change each of the 'Required Characters' options ('Numeric', 'Uppercase', 'Lowercase', and 'Other') to '2', for a total of 8.
3. Click Update.

(These values should be work because the value in 'Minimum Length' (10) is greater than the sum of the values in 'Required Characters' (8).)

Impact:
The changes are not saved, and an error is posted:
Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'.

Workaround:
You can use either of the following workarounds:

-- To workaround this using the GUI, set 'Minimum Length' and 'Required Characters' separately (i.e., specify 'Minimum Length' and click Update, and then specify 'Required Characters' and click Update).

-- Use tmsh instead of the GUI.

★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade

*********************** NOTICE ***********************

For additional support resources and technical documentation, see:

The F5 Networks Technical Support web site: http://www.f5.com/support/
The AskF5 web site: https://support.f5.com/csp/#/home
The F5 DevCentral web site: http://devcentral.f5.com/

******************************************************

Subscriptions

Product Usage

Trials

Registration Keys

Downloads

Applies To:

BIG-IP AAM

BIG-IP APM

BIG-IP Link Controller

BIG-IP Analytics

BIG-IP LTM

BIG-IP AFM

BIG-IP PEM

BIG-IP FPS

BIG-IP DNS

BIG-IP ASM

Cumulative fix details for BIG-IP v15.0.1.4 that are included in this release

911629-1 : Manual upload of LiveUpdate image file results in NULL response

909237-5 : CVE-2020-8617: BIND Vulnerability

909233-5 : DNS Hardening

905905-2 : TMUI CSRF vulnerability CVE-2020-5904

904373-2 : MRF GenericMessage:Implement limit to message queues size

902485-4 : Incorrect pool member concurrent connection value

900905-2 : TMM may crash while processing SIP data

900797-3 : Brute Force Protection (BFP) hash table entry cleanup

900793-5 : APM Brute Force Protection resources do not scale automatically

900789-3 : Alert before Brute Force Protection (BFP) hash are fully utilized

900757-3 : TMUI RCE vulnerability CVE-2020-5902

898949-2 : APM may consume excessive resources while processing VPN traffic

895993-3 : TMUI RCE vulnerability CVE-2020-5902

895981-3 : TMUI RCE vulnerability CVE-2020-5902

895881-2 : BIG-IP TMUI XSS vulnerability CVE-2020-5903

895525-3 : TMUI RCE vulnerability CVE-2020-5902

892385-1 : HTTP does not process WebSocket payload when received with server HTTP response

891721-2 : Anti-Fraud Profile URLs with query strings do not load successfully

891477-2 : No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server

891457-3 : NIC driver may fail while transmitting data

890421-1 : New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers★

888493-3 : ASM GUI Hardening

888489-3 : ASM UI hardening

888417-7 : Apache Vulnerability: CVE-2020-8840

887637-3 : Systemd-journald Vulnerability: CVE-2019-3815

886689-5 : Generic Message profile cannot be used in SCTP virtual

886085-4 : TMM may crash while processing UDP traffic

883717-2 : BD crash on specific server cookie scenario

882557-3 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)

880753-2 : Possible issues when using DoSL7 and Bot Defense profile on the same virtual server

877145-3 : Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException

876953-3 : Tmm crash while passing diameter traffic

876077-2 : MRF DIAMETER: stale pending retransmission entries may not be cleaned up

873469-3 : APM Portal Access: Base URL may be set to incorrectly

872673-2 : TMM can crash when processing SCTP traffic

871905-3 : Incorrect masking of parameters in event log

871761-3 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS

871657-6 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S

870957-3 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage

868381-2 : MRF DIAMETER: Retransmission queue unable to delete stale entries

868097-2 : TMM may crash while processing HTTP/2 traffic

866925-4 : The TMM pages used and available can be viewed in the F5 system stats MIB

866685-2 : Empty HSTS headers when HSTS mode for HTTP profile is disabled

866161-2 : Client port reuse causes RST when the security service attempts server connection reuse.

866021-2 : Diameter Mirror connection lost on the standby due to "process ingress error"

865053-2 : AVRD core due to a try to load vip lookup when AVRD is down

864109-2 : APM Portal Access: Base URL may be set to incorrectly

863161-2 : Scheduled reports are sent via TLS even if configured as non encrypted

863069-2 : Avrmail timeout is too small

860881-2 : TMM can crash when handling a compressed response from HTTP server

859089-6 : TMSH allows SFTP utility access

858429-2 : BIG-IP system sending ICMP packets on both virtual wire interface

858301-2 : HTTP RFC compliance now checks that the authority matches between the URI and Host header

858297-2 : HTTP requests with multiple Host headers are rejected if RFC compliance is enabled

858289-2 : HTTP parsing restrictions

858285-2 : HTTP parsing of Request URIs with spaces in them has changed

858229-4 : XML with sensitive data gets to the ICAP server

858025-2 : Proactive Bot Defense does not validate redirected paths

856961-1 : INTEL-SA-00201 MCE vulnerability CVE-2018-12207

853613-3 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp

853329-3 : HTTP explicit proxy can crash TMM when used with classification profile

853325-2 : TMM Crash while parsing form parameters by SSO.

852373-1 : HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error